Hi David,
If the user is minded to use WMS, everything will work perfectly, i.e. WMS will add
VOMS attributes after the plain grid-proxy is received from MyProxy.
For lcg-RB, proxy-renewal is not capable of this, but within the SEE-GRID
project Valentin Vidic developed voms-renewd for lcg-RB which solves this
problem. If you are interested, please let me know.
Best regards, Antun
-----
Antun Balaz
Research Assistant
E-mail: [log in to unmask]
Web: http://scl.phy.bg.ac.yu/
Phone: +381 11 3713152
Fax: +381 11 3162190
Scientific Computing Laboratory
Institute of Physics, Belgrade, Serbia
-----
---------- Original Message -----------
From: David Bouvet <[log in to unmask]>
To: [log in to unmask]
Sent: Wed, 25 Jul 2007 10:22:13 +0200
Subject: Re: [LCG-ROLLOUT] Expiration time of a proxy before the end of job.
> Hi Antun,
>
> MyProxy is not able to renew VOMS attributes, but only the basic
> part of the proxy. So the user will still have the problem, if he
> needs a VOMS role or group.
>
> Is the new version of the MyProxy server (which can deal with VOMS
> attributes) released?
>
> Cheers,
> David.
>
> Antun Balaz wrote:
> > Hi to all,
> >
> > This is certainly not the way to go! In order to increase the allowed lifetime
> > of a VOMS proxy for EGEE VOs, permission must be requested from the Joint Security
> > Policy Group (JSPG), since this is clearly related to security issues
> > (voms-proxies can be subject to abuse; the longer their lifetime, the longer
> > the possible abuse).
> >
> > In fact, there is no need for increasing the maximal allowed lifetime of the
> > proxy. MyProxy is designed to deal with this problem. So, a user should choose
> > a MyProxy server, store his/her credentials on it so that they can be used by
> > the RB/WMS to renew the user's proxy, and specify the MyProxyServer in the JDL,
> > like this:
> >
> > MyProxyServer = "myproxy.domain.org";
> >
> > In order for this to work, the credential should be stored using a command
> > like this:
> >
> > myproxy-init -s myproxy.domain.org -d -n -c 240
> >
> > This will store credentials on myproxy.domain.org that will be valid for
> > the next 240 hours, i.e. 10 days.
> >
> > What should be ensured is that MyProxyServer is configured to allow RB/WMS
> > used by the user to renew certificates. If this is the case, there should be
> > no problems.
> >
> > Best regards, Antun
> >
> > -----
> > Antun Balaz
> > Research Assistant
> > E-mail: [log in to unmask]
> > Web: http://scl.phy.bg.ac.yu/
> >
> > Phone: +381 11 3713152
> > Fax: +381 11 3162190
> >
> > Scientific Computing Laboratory
> > Institute of Physics, Belgrade, Serbia
> > -----
> >
> > ---------- Original Message -----------
> > From: Vincenzo Ciaschini <[log in to unmask]>
> > To: [log in to unmask]
> > Sent: Tue, 24 Jul 2007 18:04:45 +0200
> > Subject: Re: [LCG-ROLLOUT] Expiration time of a proxy before the end of job.
> >
> >
> >> Christoph Wissing wrote:
> >>
> >>> Hi Sérgio,
> >>>
> >>> the VOMS extension of the proxy is limited by the VOMS server, 48h in your
> >>> case, which is the default.
> >>>
> >>> If you have access to the VOMS server you can change it here:
> >>> /opt/glite/etc/voms/hone/voms.conf
> >>> the important line is the one "--timeout=NNNNN", where NNNNN is the
> >>> maximum VOMS lifetime of the VOMS.
> >>>
> >>> Note that the VOMS service needs to be restarted, if I remember correctly.
> >>>
> >> No, there is no need to restart the server. A simple kill -HUP
> >> <higher voms pid> is sufficient to make it reread the configuration
> >> and apply all changes except port number changes.
> >>
> >> Ciao,
> >> Vincenzo
> >>
> > ------- End of Original Message -------
> >
> >
> >
>
> --
> *David BOUVET*
> /EGEE Project team/
> IN2P3/CNRS Computing Centre - Lyon (FRANCE)
> http://grid.in2p3.fr
> Tel. : +33 4 72 69 41 62 | Fax. : +33 4 72 69 41 70 | e-mail :
> [log in to unmask]
------- End of Original Message -------