 |
 |
(Full message this time) Hi All, Having spent most of today banging my head against this could someone who has a CreamCE using Argus for Authentication send me a copy of the Argus policies they are using and tell me where on the CreamCE the Argus resource and action are configured. I've got glexec on the creamce correctly authenticating me against the Argus server but the CreamCE seems to be blocking me. So when, as tomcat, on the CreamCE I run: -sh-3.2$ /usr/sbin/glexec /usr/bin/id I get: uid=157258(cms258) gid=157000(gplcms) groups=157000(gplcms) and I see the correct "Permit" in the logs on the Argus server: ==> /opt/argus/pdp/logs/audit.log <== 1312466634798|http://heplnv143.pp.rl.ac.uk/pepd|_61c5c03269ba2395679ad4dfb20f7529|root-default-0fde5539-bb32-49fd-82ff-2a88ce59066f|1|Permit|_9cd7f059f623519a646b5233d96877af| ==> /opt/argus/pepd/logs/audit.log <== 1312466634821|_61c5c03269ba2395679ad4dfb20f7529|http://localhost:8152/authz|_9cd7f059f623519a646b5233d96877af|Permit| However, if (with the same cert) on a UI I run: glite-ce-allowed-submission heplnx206.pp.rl.ac.uk:8443 I get: 2011-08-04 14:53:52,839 WARN - No configuration file suitable for loading. Using built-in configuration 2011-08-04 14:53:52,945 ERROR - MethodName=[invoke] ErrorCode=[0] Description=[User CN=chris brew,L=RAL,OU=CLRC,O=eScience,C=UK not authorized for operation getServiceInfo] FaultCause=[User CN=chris brew,L=RAL,OU=CLRC,O=eScience,C=UK not authorized for operation getServiceInfo] Timestamp=[Thu 04 Aug 2011 14:53:@ And the Argus audit logs have "Not Applicable" The glexec call seems to be configured from /etc/lcmaps/lcmaps-glexec.db, some things also seem to be configured in /etc/grid-security/gsi-pep-callout.conf. Thanks, Chris.