It's always like that... Now it's working.

Could it be that restarting the Argus daemons is not equivalent to running "/etc/init.d/argus-pepd clearcache ; /etc/init.d/argus-pdp reloadpolicy" (which I just tried)?

Txs

From: LHC Computer Grid - Rollout [mailto:[log in to unmask]] On behalf of SCHAER Frederic
Sent: Friday 27 September 2013 18:22
To: [log in to unmask]
Subject: [PROVENANCE INTERNET] [LCG-ROLLOUT] argus configuration problems

Hi,

I hope someone can help me on this...
I'm attempting to configure a CREAM CE, with ARGUS enabled, using yaim.

I did get those up and running without Argus, but with it configured the CREAM CE refuses to get any job or delegation, with this error at submit time:
2013-09-27 17:59:17,745 FATAL - CN=Frederic Schaer,OU=IRFU,O=CEA,C=FR,O=GRID-FR not authorized for {http://www.gridsite.org/namespaces/delegation-2}getProxyReq

On the CREAM, the logs are :

27 Sep 2013 17:59:17,736 org.glite.ce.commonj.authz.axis2.AuthorizationHandler - request for OPERATION={http://www.gridsite.org/namespaces/delegation-2}getProxyReq; REMOTE_REQUEST_ADDRESS=192.54.206.17; USER_DN=CN=Frederic Schaer,OU=IRFU,O=CEA,C=FR,O=GRID-FR; USER_FQAN={ /vo.irfu.cea.fr/Role=NULL/Capability=NULL; };  NOT AUTHORIZED
27 Sep 2013 17:59:17,736 org.apache.axis2.engine.AxisEngine - Authorization error
org.apache.axis2.AxisFault: Authorization error
(blah blah)

I've tried many things, enabled debug logging for pepd/pdp/pap, without success.
All I can see in the pepd logs is:

2013-09-27 15:59:17.701Z - DEBUG [PEPDaemonRequestHandler] - A decision of Indeterminate was reached by https://pre7231.datagrid.cea.fr:8152/authz in response to request _4ea7ebd25f09d74db4839473b77372a7
2013-09-27 15:59:17.701Z - DEBUG [PEPDaemonRequestHandler] - Processing obligations
2013-09-27 15:59:17.701Z - DEBUG [ObligationService] - Obligations in effect for this result: []
2013-09-27 15:59:17.701Z - INFO [protocol] - Complete hessian response
Response{ results:[Result{ decision(2): Indeterminate, resourceId: http://datagrid.cea.fr/cream-pre7230, status: Status{ statusCode: StatusCode{ code: urn:oasis:names:tc:xacml:1.0:status:ok, subCode: null}, message: null}, obligations:[]}], request: Request{ subjects:[Subject{ category: urn:oasis:names:tc:xacml:1.0:subject-category:access-subject, attributes:[Attribute{ id: http://glite.org/xacml/attribute/subject-issuer, dataType: urn:oasis:names:tc:xacml:1.0:data-type:x500Name, issuer: null, values:[CN=CNRS2,O=CNRS,C=FR, CN=CNRS2-Projets,O=CNRS,C=FR, CN=Frederic Schaer,OU=IRFU,O=CEA,C=FR,O=GRID-FR, CN=GRID2-FR,O=CNRS,C=FR]}, Attribute{ id: urn:oasis:names:tc:xacml:1.0:subject:key-info, dataType: http://www.w3.org/2001/XMLSchema#string, issuer: null, values:[-----BEGIN CERTIFICATE-----

I also increased logging to debug in the pdp, but actually nothing useful is logged, except maybe this "syntax error":

2013-09-27 15:59:17.661Z - DEBUG [TargetMatcherImpl] - Matching with function: http://glite.org/xacml/algorithm/fqan-match
2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Syntax error occurred.
2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Target match resulted in: INDETERMINATE
2013-09-27 15:59:17.662Z - DEBUG [RuleFirstApplicableAlgorithm] - Evaluation of ae03359a-dd41-4fd9-b3cc-aae355e1d95e was: INDETERMINATE


My policy contains this for the VO in question:

resource "http://datagrid.cea.fr/cream-pre7230" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action ".*" {

     rule permit {pfqan = "/vo.irfu.cea.fr/Role=NULL/Capability=NULL" }
     rule permit {pfqan = "/vo.irfu.cea.fr" }
    }
}

I loaded it with "pap-admin apf"

Would someone have an idea of what I did wrong?
I tried unsetting the env variable "GT_PROXY_MODE=old" on the UI, without success.

So now... I don't know what else to try to get something working.
Any idea?
I've seen warnings about TERENA certificates, but AFAIK, I'm not using one.
I'm probably wrong in my policy, but... how/why?

Any help would be greatly appreciated :]

Thanks && regards
Frederic Schaer
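The point buried in the two messages above is that an Indeterminate decision is not a Deny: the PDP failed to evaluate the policy (the "Syntax error occurred" line during fqan-match), and the CREAM side fails closed and reports NOT AUTHORIZED. The script below is an added example for this thread, not code from Argus, CREAM or gLite. It walks a PEPd/PDP debug excerpt of the kind quoted above, pairs the PDP rule evaluations with the PEPd decision they feed, and prints whether each request was authorized and, for an Indeterminate, which rule and matching function broke. The sample log is constructed from the quoted lines, with a second, invented request after the policy reload that comes back Permit; the line formats and the "anything but Permit means NOT AUTHORIZED" mapping are assumptions taken from the excerpts.

```python
"""Triage an Argus PEPd/PDP debug log excerpt (added example, not Argus code).

Assumptions: line formats are those of the excerpts quoted in the thread; the
CREAM side treats every decision other than Permit as NOT AUTHORIZED.
"""
import re
from dataclasses import dataclass, field

# Line patterns, derived from the log excerpts quoted in the thread.
PEPD_DECISION = re.compile(
    r"A decision of (?P<decision>\w+) was reached by (?P<pdp>\S+) "
    r"in response to request (?P<req>\S+)")
PEPD_RESPONSE = re.compile(
    r"decision\(\d+\): (?P<decision>\w+), resourceId: (?P<resource>\S+?),")
PDP_RULE = re.compile(r"Evaluation of (?P<rule>[0-9a-f-]{36}) was: (?P<result>\w+)")
PDP_MATCH_FN = re.compile(r"Matching with function: (?P<fn>\S+)")
PDP_SYNTAX = re.compile(r"Syntax error occurred")


@dataclass
class Finding:
    request: str = ""
    decision: str = ""
    resource: str = ""
    pdp: str = ""
    rules: list = field(default_factory=list)  # (rule id, PDP result) pairs
    match_fn: str = ""                          # last target-match function seen
    syntax_error: bool = False

    @property
    def authorized(self) -> bool:
        # Only an explicit Permit grants access; Deny, NotApplicable and
        # Indeterminate all surface as NOT AUTHORIZED on the CREAM side.
        return self.decision == "Permit"

    def hint(self) -> str:
        if self.decision == "Permit":
            return "permitted"
        if self.decision == "Deny":
            return "explicit Deny from the policy"
        if self.decision == "NotApplicable":
            return ("no rule matched: compare resource id, action and FQAN in "
                    "the policy with the request attributes")
        # Indeterminate: the PDP could not evaluate the policy. That is an
        # evaluation error, not a Deny, but the client still fails closed.
        where = f" while evaluating rule {self.rules[-1][0]}" if self.rules else ""
        if self.syntax_error:
            return (f"Indeterminate: PDP logged 'Syntax error occurred' in "
                    f"{self.match_fn or 'target matching'}{where}; the loaded "
                    "policy did not evaluate. Reload it on the PDP "
                    "(argus-pdp reloadpolicy), clear the PEPd cache "
                    "(argus-pepd clearcache) and retry.")
        return f"Indeterminate{where}: check the PDP debug log for the cause"


def triage(log_text: str) -> list:
    """Walk the log in order; PDP lines precede the PEPd decision they feed."""
    findings, cur = [], Finding()
    for line in log_text.splitlines():
        if m := PDP_MATCH_FN.search(line):
            cur.match_fn = m["fn"]
        elif PDP_SYNTAX.search(line):
            cur.syntax_error = True
        elif m := PDP_RULE.search(line):
            cur.rules.append((m["rule"], m["result"]))
        elif m := PEPD_DECISION.search(line):
            cur.request, cur.decision, cur.pdp = m["req"], m["decision"], m["pdp"]
        elif m := PEPD_RESPONSE.search(line):
            cur.resource = m["resource"]
            cur.decision = cur.decision or m["decision"]
            findings.append(cur)          # the hessian Response closes a request
            cur = Finding()
    if cur.decision:                      # decision line with no Response yet
        findings.append(cur)
    return findings


# Constructed sample: the request quoted in the thread (Indeterminate with a
# PDP syntax error), then an invented one after the policy reload (Permit).
SAMPLE_LOG = """\
2013-09-27 15:59:17.661Z - DEBUG [TargetMatcherImpl] - Matching with function: http://glite.org/xacml/algorithm/fqan-match
2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Syntax error occurred.
2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Target match resulted in: INDETERMINATE
2013-09-27 15:59:17.662Z - DEBUG [RuleFirstApplicableAlgorithm] - Evaluation of ae03359a-dd41-4fd9-b3cc-aae355e1d95e was: INDETERMINATE
2013-09-27 15:59:17.701Z - DEBUG [PEPDaemonRequestHandler] - A decision of Indeterminate was reached by https://pre7231.datagrid.cea.fr:8152/authz in response to request _4ea7ebd25f09d74db4839473b77372a7
2013-09-27 15:59:17.701Z - INFO [protocol] - Complete hessian response
Response{ results:[Result{ decision(2): Indeterminate, resourceId: http://datagrid.cea.fr/cream-pre7230, status: Status{ statusCode: StatusCode{ code: urn:oasis:names:tc:xacml:1.0:status:ok, subCode: null}, message: null}, obligations:[]}], request: Request{ ... }}
2013-09-27 16:12:03.104Z - DEBUG [TargetMatcherImpl] - Matching with function: http://glite.org/xacml/algorithm/fqan-match
2013-09-27 16:12:03.105Z - DEBUG [RuleFirstApplicableAlgorithm] - Evaluation of ae03359a-dd41-4fd9-b3cc-aae355e1d95e was: PERMIT
2013-09-27 16:12:03.140Z - DEBUG [PEPDaemonRequestHandler] - A decision of Permit was reached by https://pre7231.datagrid.cea.fr:8152/authz in response to request _0f3c1b2a9d8e7f6a5b4c3d2e1f0a9b8c
2013-09-27 16:12:03.140Z - INFO [protocol] - Complete hessian response
Response{ results:[Result{ decision(0): Permit, resourceId: http://datagrid.cea.fr/cream-pre7230, status: Status{ statusCode: StatusCode{ code: urn:oasis:names:tc:xacml:1.0:status:ok, subCode: null}, message: null}, obligations:[...]}], request: Request{ ... }}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        state = "AUTHORIZED" if f.authorized else "NOT AUTHORIZED"
        print(f"{f.request} {f.resource}: {f.decision} -> {state}; {f.hint()}")
```

Feed it the concatenated PDP and PEPd debug logs for the failing time window (the PDP lines come a few tens of milliseconds before the PEPd decision, as in the excerpt). The useful distinction it draws is between NotApplicable, which points at the policy's resource/action/FQAN selectors, and Indeterminate, which points at the PDP's own evaluation and is where the reload/clear-cache step from the thread belongs.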