It’s always like that… Now it’s working.

 

Could it be that restarting the argus daemons is not equivalent to running “/etc/init.d/argus-pepd clearcache ; /etc/init.d/argus-pdp reloadpolicy” (which I just tried)?

 

Txs

 

From: LHC Computer Grid - Rollout [mailto:[log in to unmask]] On behalf of SCHAER Frederic
Sent: Friday 27 September 2013 18:22
To: [log in to unmask]
Subject: [PROVENANCE INTERNET] [LCG-ROLLOUT] argus configuration problems

 

Hi,

 

I hope someone can help me on this…

I’m attempting to configure a CREAM CE, with ARGUS enabled, using yaim.

 

I did get those up and running without argus, but with it configured the CREAM CE refuses to get any job or delegation with this error at submit time:

2013-09-27 17:59:17,745 FATAL - CN=Frederic Schaer,OU=IRFU,O=CEA,C=FR,O=GRID-FR not authorized for {http://www.gridsite.org/namespaces/delegation-2}getProxyReq

 

On the CREAM, the logs are:

 

27 Sep 2013 17:59:17,736 org.glite.ce.commonj.authz.axis2.AuthorizationHandler - request for OPERATION={http://www.gridsite.org/namespaces/delegation-2}getProxyReq; REMOTE_REQUEST_ADDRESS=192.54.206.17; USER_DN=CN=Frederic Schaer,OU=IRFU,O=CEA,C=FR,O=GRID-FR; USER_FQAN={ /vo.irfu.cea.fr/Role=NULL/Capability=NULL; };  NOT AUTHORIZED

27 Sep 2013 17:59:17,736 org.apache.axis2.engine.AxisEngine - Authorization error

org.apache.axis2.AxisFault: Authorization error

(blah blah)

 

I’ve tried many things, enabled debug logging for pepd/pdp/pap, without success.

I only can see in the pepd logs:

 

2013-09-27 15:59:17.701Z - DEBUG [PEPDaemonRequestHandler] - A decision of Indeterminate was reached by https://pre7231.datagrid.cea.fr:8152/authz in response to request _4ea7ebd25f09d74db4839473b77372a7

2013-09-27 15:59:17.701Z - DEBUG [PEPDaemonRequestHandler] - Processing obligations

2013-09-27 15:59:17.701Z - DEBUG [ObligationService] - Obligations in effect for this result: []

2013-09-27 15:59:17.701Z - INFO [protocol] - Complete hessian response

Response{ results:[Result{ decision(2): Indeterminate, resourceId: http://datagrid.cea.fr/cream-pre7230, status: Status{ statusCode: StatusCode{ code: urn:oasis:names:tc:xacml:1.0:status:ok, subCode: null}, message: null}, obligations:[]}], request: Request{ subjects:[Subject{ category: urn:oasis:names:tc:xacml:1.0:subject-category:access-subject, attributes:[Attribute{ id: http://glite.org/xacml/attribute/subject-issuer, dataType: urn:oasis:names:tc:xacml:1.0:data-type:x500Name, issuer: null, values:[CN=CNRS2,O=CNRS,C=FR, CN=CNRS2-Projets,O=CNRS,C=FR, CN=Frederic Schaer,OU=IRFU,O=CEA,C=FR,O=GRID-FR, CN=GRID2-FR,O=CNRS,C=FR]}, Attribute{ id: urn:oasis:names:tc:xacml:1.0:subject:key-info, dataType: http://www.w3.org/2001/XMLSchema#string, issuer: null, values:[-----BEGIN CERTIFICATE-----

 

I also increased logging to debug in the pdp, but actually nothing useful is logged except maybe this “syntax error”:

 

2013-09-27 15:59:17.661Z - DEBUG [TargetMatcherImpl] - Matching with function: http://glite.org/xacml/algorithm/fqan-match

2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Syntax error occurred.

2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Target match resulted in: INDETERMINATE

2013-09-27 15:59:17.662Z - DEBUG [RuleFirstApplicableAlgorithm] - Evaluation of ae03359a-dd41-4fd9-b3cc-aae355e1d95e was: INDETERMINATE

 

 

My policy contains this for the VO in question:

 

resource "http://datagrid.cea.fr/cream-pre7230" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action ".*" {
     rule permit {pfqan = "/vo.irfu.cea.fr/Role=NULL/Capability=NULL" }
     rule permit {pfqan = "/vo.irfu.cea.fr" }
    }
}

 

I loaded it with “pap-admin apf”

 

Would someone have an idea of what I did wrong?

I tried unsetting the env variable “GT_PROXY_MODE=old” on the UI, without success.

 

So now… I don’t know what else to try to get something working?

Any idea?

I’ve seen warnings about terena certificates, but AFAIK, I’m not using one.

I’m probably wrong in my policy, but… how/why?

 

Any help would be greatly appreciated :]

 

Thanks && regards

Frederic Schaer
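The CREAM log above only says NOT AUTHORIZED; the reason (an Indeterminate decision preceded by a PDP "Syntax error") is visible only in the PEPD and PDP debug logs. As an added example, not from the post or from Argus itself, here is a small Python script that scans PEPD and PDP logs in the format quoted above, flags every non-Permit decision, and attaches the PDP error or INDETERMINATE lines logged just before it. The sample log lines are constructed from the post; the exact log format, the 2-second correlation window and the field names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the PEPD and PDP debug output quoted in the post.
PEPD_LOG = """\
2013-09-27 15:59:17.701Z - DEBUG [PEPDaemonRequestHandler] - A decision of Indeterminate was reached by https://pre7231.datagrid.cea.fr:8152/authz in response to request _4ea7ebd25f09d74db4839473b77372a7
2013-09-27 15:59:17.701Z - DEBUG [PEPDaemonRequestHandler] - Processing obligations
2013-09-27 16:02:03.110Z - DEBUG [PEPDaemonRequestHandler] - A decision of Permit was reached by https://pre7231.datagrid.cea.fr:8152/authz in response to request _0123456789abcdef0123456789abcdef
"""
PDP_LOG = """\
2013-09-27 15:59:17.661Z - DEBUG [TargetMatcherImpl] - Matching with function: http://glite.org/xacml/algorithm/fqan-match
2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Syntax error occurred.
2013-09-27 15:59:17.662Z - DEBUG [AbstractCombiningAlgorithm] - Target match resulted in: INDETERMINATE
2013-09-27 15:59:17.662Z - DEBUG [RuleFirstApplicableAlgorithm] - Evaluation of ae03359a-dd41-4fd9-b3cc-aae355e1d95e was: INDETERMINATE
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%fZ"  # both daemons log in UTC; the CREAM CE log (17:59) is local time
TS_RE = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+Z)"
DECISION_RE = re.compile(TS_RE + r" - \w+ \[PEPDaemonRequestHandler\] - A decision of (?P<decision>\w+) "
                         r"was reached by (?P<pdp>\S+) in response to request (?P<req>\S+)$")
PDP_ANOMALY_RE = re.compile(TS_RE + r" - \w+ \[(?P<cls>\w+)\] - (?P<msg>Syntax error occurred\.|.*INDETERMINATE)$")

def non_permit_decisions(pepd_log):
    """Every PEPD decision line whose decision is not Permit (Indeterminate, Deny, NotApplicable)."""
    out = []
    for line in pepd_log.splitlines():
        m = DECISION_RE.match(line)
        if m and m["decision"] != "Permit":
            out.append({"ts": datetime.strptime(m["ts"], TS_FMT), "decision": m["decision"],
                        "pdp": m["pdp"], "request": m["req"], "pdp_messages": []})
    return out

def pdp_anomalies(pdp_log):
    """PDP lines that explain a non-Permit: syntax errors and INDETERMINATE evaluations."""
    return [(datetime.strptime(m["ts"], TS_FMT), m["cls"], m["msg"])
            for m in map(PDP_ANOMALY_RE.match, pdp_log.splitlines()) if m]

def correlate(pepd_log, pdp_log, window=timedelta(seconds=2)):
    """Attach the PDP anomaly lines logged within `window` before each non-Permit decision."""
    anomalies = pdp_anomalies(pdp_log)
    findings = non_permit_decisions(pepd_log)
    for f in findings:
        f["pdp_messages"] = [f"[{cls}] {msg}" for ts, cls, msg in anomalies
                             if f["ts"] - window <= ts <= f["ts"]]
    return findings

if __name__ == "__main__":
    for f in correlate(PEPD_LOG, PDP_LOG):
        print(f"{f['ts'].isoformat()} {f['decision']} request={f['request']} pdp={f['pdp']}")
        for msg in f["pdp_messages"]:
            print("   ", msg)
```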