Hi,

In theory you can recover just the bare proxy from the MyProxy server and then use voms-proxy-init to voms it ... but for some of the older GT2 components the resulting proxy is too big (there's an unsolved GGUS ticket about this - https://gus.fzk.de/pages/ticket_details.php?ticket=13499).

So (from the ticket) I can upload a proxy to the myproxy server:

myproxy-init -l chrisbrew -r 'chris brew'

Use a current certificate and a passphrase to recover it:

myproxy-get-delegation -l chrisbrew

And then the following command will add a VOMS extension to the certificate:

voms-proxy-init --voms babar: --key $X509_USER_PROXY -cert $X509_USER_PROXY

Like so:

voms-proxy-info -all
subject : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=chris brew/CN=proxy/CN=proxy/CN=proxy/CN=proxy
issuer : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=chris brew/CN=proxy/CN=proxy/CN=proxy
identity : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=chris brew/CN=proxy/CN=proxy/CN=proxy
type : unknown
strength : 512 bits
path : /tmp/x509up_u24431
timeleft : 23:59:21
VO : babar
subject : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=chris brew
issuer : [log in to unmask]
attribute : /babar/Role=NULL/Capability=NULL
timeleft : 23:59:53

I seem to remember that for data access (at least to dCache and DPM, though not to the classic SE) it worked but job submission with the lcg-CE still relied on the GT2 gridftp server which doesn't.

As more things start to use GT4 I believe this should work.

Yours,
Chris Brew.

> -----Original Message-----
> From: LHC Computer Grid - Rollout [mailto:[log in to unmask]] On Behalf Of Gonçalo Borges
> Sent: 25 July 2007 11:28
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] Expiration time of a proxy before the end of job.
> 
> Hi Kostas,
> 
> At present time, we have local users (which do need the Grid to do
> anything), total Grid users and mixed users (which only use the Grid for
> data transfers and process it in our local FARM). Normally, users only
> use new stuff if they REALLY need it (this is a universal truth!!!).
> For these last guys, it's hard to convince them to use FTS and I guess
> they will just renew proxies on a daily basis...
> 
> But in theory, I think you are totally right...
> Cheers
> Goncalo
>  
> Kostas Koumantaros wrote:
> > Hi *,
> >
> > I don't understand why we are trying to reinvent the wheel !!
> > there is almost at least one service designed for each task.
> > e.g for Long Transfers there is FTS.
> > I don't see the point why the user insists to use lcg-cp
> > it sounds to me that we are asking a Fiat Panda to transfer the load
> > of a 10 Ton Truck.
> >
> > I agree that we should keep it as simple as possible but we need to 
> > keep it safe also.
> >
> >
> > Cheers,
> >
> > K.
> >
> >
> >
> > On 25 Jul 2007, at 12:47 PM, Gonçalo Borges wrote:
> >
> >> Hi *,
> >>
> >> But consider the case when a user wants to continuously transfer data
> >> from castorsrm (for example) to a local dcache storage just using
> >> lcg-cp (not FTS) from the UI (for example, some of our local users
> >> just want to use the grid for data transfers and then process it in
> >> the local farm). In this way there is no possibility to renew proxies
> >> and the VOMS limit would be a real limitation. Is there a workaround
> >> for this case?
> >>
> >> Cheers
> >> Goncalo
> >>
> >>
> >> Antun Balaz wrote:
> >>> Hi David,
> >>>
> >>> If the user mind to use WMS, everything will work perfectly, i.e. WMS will add
> >>> VOMS attributes after the plain grid-proxy is received from MyProxy.
> >>>
> >>> For lcg-RB, proxy-renewal is not capable of this, but within the SEE-GRID
> >>> project Valentin Vidic developed voms-renewd for lcg-RB which solves this
> >>> problem. If you are interested, please let me know.
> >>>
> >>> Best regards, Antun
> >>>
> >>> -----
> >>> Antun Balaz
> >>> Research Assistant
> >>> E-mail: [log in to unmask]
> >>> Web: http://scl.phy.bg.ac.yu/
> >>>
> >>> Phone: +381 11 3713152
> >>> Fax: +381 11 3162190
> >>>
> >>> Scientific Computing Laboratory
> >>> Institute of Physics, Belgrade, Serbia
> >>> -----
> >>>
> >>> ---------- Original Message -----------
> >>> From: David Bouvet <[log in to unmask]>
> >>> To: [log in to unmask]
> >>> Sent: Wed, 25 Jul 2007 10:22:13 +0200
> >>> Subject: Re: [LCG-ROLLOUT] Expiration time of a proxy before the end of job.
> >>>
> >>>
> >>>> Hi Antun,
> >>>>
> >>>> MyProxy is not able to renew VOMS attributes, but only the basic
> >>>> part of the proxy. So the user will still have the problem, if he
> >>>> needs a VOMS role or group.
> >>>>
> >>>> Is the new version of MyProxy server (which can deal with VOMS 
> >>>> attributes) released ?
> >>>>
> >>>> Cheers,
> >>>> David.
> >>>>
> >>>> Antun Balaz wrote:
> >>>>
> >>>>> Hi to all,
> >>>>>
> >>>>> This is certainly not a way to go! In order to increase the allowed lifetime
> >>>>> of a VOMS proxy for EGEE VOs, the permission must be asked from Joint Security
> >>>>> Policy Group (JSPG), since this is clearly related with the security issues
> >>>>> (voms-proxies can be subjects of abuse; the longer their lifetime, the longer
> >>>>> possible abuse).
> >>>>>
> >>>>> In fact, there is no need for increasing the maximal allowed lifetime of the
> >>>>> proxy. MyProxy is designed to deal with this problem. So, a user should choose
> >>>>> MyProxy server, store his/her credentials to it so that they can be used by
> >>>>> RB/WMS used to renew user's proxy, and specify the MyProxyServer in JDL, like
> >>>>> this:
> >>>>>
> >>>>> MyProxyServer = myproxy.domain.org;
> >>>>>
> >>>>> In order for this to work, the credential should be stored using a command
> >>>>> like this:
> >>>>>
> >>>>> myproxy-init -s myproxy.domain.org -d -n -c 240
> >>>>>
> >>>>> This will store credentials on the myproxy.domain.org that will be valid for
> >>>>> the next 240 hours, i.e. 10 days.
> >>>>>
> >>>>> What should be ensured is that MyProxyServer is configured to allow RB/WMS
> >>>>> used by the user to renew certificates. If this is the case, there should be
> >>>>> no problems.
> >>>>>
> >>>>> Best regards, Antun
> >>>>>
> >>>>> -----
> >>>>> Antun Balaz
> >>>>> Research Assistant
> >>>>> E-mail: [log in to unmask]
> >>>>> Web: http://scl.phy.bg.ac.yu/
> >>>>>
> >>>>> Phone: +381 11 3713152
> >>>>> Fax: +381 11 3162190
> >>>>>
> >>>>> Scientific Computing Laboratory
> >>>>> Institute of Physics, Belgrade, Serbia
> >>>>> -----
> >>>>>
> >>>>> ---------- Original Message -----------
> >>>>> From: Vincenzo Ciaschini <[log in to unmask]>
> >>>>> To: [log in to unmask]
> >>>>> Sent: Tue, 24 Jul 2007 18:04:45 +0200
> >>>>> Subject: Re: [LCG-ROLLOUT] Expiration time of a proxy before the end of job.
> >>>>>
> >>>>>
> >>>>>> Christoph Wissing wrote:
> >>>>>>
> >>>>>>> Hi Sérgio,
> >>>>>>>
> >>>>>>> the VOMS extension of the proxy is limited by the VOMS server,
> >>>>>>> 48h in your case what is the default.
> >>>>>>>
> >>>>>>> If you have access to the VOMS server you can change it here:
> >>>>>>> /opt/glite/etc/voms/hone/voms.conf
> >>>>>>> the important line is the one "--timeout=NNNNN", where NNNNN is the
> >>>>>>> maximum VOMS lifetime of the VOMS.
> >>>>>>>
> >>>>>>> Note that the VOMS service needs to be restarted, if I remember
> >>>>>>> correctly.
> >>>>>>>
> >>>>>> No, there is no need to restart the server. A simple kill -HUP 
> >>>>>> <higher voms pid> is sufficient to make it reread the 
> >>>>>> configuration and apply all changes except port number changes.
> >>>>>>
> >>>>>> Ciao,
> >>>>>>     Vincenzo
> >>>>>>
> >>>>> ------- End of Original Message -------
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>> --*David BOUVET*
> >>>> /EGEE Project team/
> >>>> IN2P3/CNRS Computing Centre - Lyon (FRANCE)
> >>>> http://grid.in2p3.fr
> >>>> Tel. : +33 4 72 69 41 62 | Fax. : +33 4 72 69 41 70 | e-mail : 
> >>>> [log in to unmask]
> >>>>
> >>> ------- End of Original Message -------
> >>>
> >
> > Koumantaros Kostas, MSc
> > Software Engineer / Grid Technologies
> >
> > -------------------------------------------------
> > **Greek Research and Technology Network (GRNET)**
> > Mesogion Avenue 56, 4th Floor, Room 4.1.6
> > GR-11527, Ampelokipi, Athens, Greece
> > -------------------------------------------------
> >
> > Tel.:+30 210 7474246
> > Mob.: +30 697 7606622
> > Fax.: +30 210 7474490
> > Skype:    kkoumantaros
> > Email:[log in to unmask]
> > WWW: http://www.grnet.gr
>
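
A check to run after the recover-and-re-VOMS steps in the reply at the top of this thread, added here as an example and not part of any message: it parses voms-proxy-info -all text and reports the proxy lifetime, the VOMS attribute lifetime and the delegation depth separately, since MyProxy renews only the first of these. The function names and the sample (modelled on the output quoted above, with a placeholder issuer) are assumptions.

```shell
#!/bin/sh
# Added example: read `voms-proxy-info -all` text and report the lifetimes that matter.
# Assumes the layout shown in the thread: proxy fields first, then a "VO :" line
# that starts the VOMS attribute section. Function names are hypothetical.

# Constructed sample modelled on the output quoted in the thread (issuer is a placeholder).
sample_info() {
cat <<'EOF'
subject : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=chris brew/CN=proxy/CN=proxy/CN=proxy/CN=proxy
issuer : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=chris brew/CN=proxy/CN=proxy/CN=proxy
type : unknown
strength : 512 bits
timeleft : 23:59:21
VO : babar
subject : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=chris brew
issuer : <placeholder-voms-server-dn>
attribute : /babar/Role=NULL/Capability=NULL
timeleft : 23:59:53
EOF
}

# timeleft_seconds proxy|ac : print remaining lifetime in seconds; status 1 if absent.
timeleft_seconds() {
  awk -v want="$1" '
    BEGIN { section = "proxy" }
    /^VO[ \t]*:/ { section = "ac" }
    /^timeleft[ \t]*:/ && section == want {
      v = $0; sub(/^timeleft[ \t]*:[ \t]*/, "", v)
      if (split(v, t, ":") == 3) { print t[1] * 3600 + t[2] * 60 + t[3]; found = 1; exit }
    }
    END { if (!found) exit 1 }'
}

# delegation_depth : count CN=proxy components on the proxy subject (first subject line).
delegation_depth() {
  awk '/^subject[ \t]*:/ { n = gsub(/\/CN=proxy/, ""); print n; exit }'
}

# ac_needs_refresh MIN_SECONDS : status 0 when the VOMS attributes are missing or
# expire sooner than MIN_SECONDS, i.e. voms-proxy-init has to be run again.
ac_needs_refresh() {
  _left=$(timeleft_seconds ac) || return 0
  [ "$_left" -lt "$1" ]
}

# Demo on the constructed sample; on a UI, pipe `voms-proxy-info -all` in instead.
echo "proxy: $(sample_info | timeleft_seconds proxy)s, AC: $(sample_info | timeleft_seconds ac)s," \
     "depth: $(sample_info | delegation_depth)"
```

A proxy freshly pulled from MyProxy without the voms-proxy-init step has no VO section, so ac_needs_refresh reports it as needing a refresh whatever its base lifetime.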