Project

General

Profile

Bug #2028

Proxy Plugins

Added by Douglas Strain over 8 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Douglas Strain
Category:
-
Target version:
Start date:
10/18/2011
Due date:
% Done:

0%

Estimated time:
First Occurred:
Occurs In:
Stakeholders:
Duration:

Description

The following plugins need to be rewritten as they do not work with multiple trust methods/authentication:

'ProxyUserRR':ProxyUserRR,
'ProxyUserCardinality':ProxyUserCardinality,
'ProxyUserMapWRecycling':ProxyUserMapWRecycling

History

#1 Updated by Douglas Strain about 8 years ago

This has been fixed in master (v3) branch but needs to be tested.

#2 Updated by John Weigand about 8 years ago

Doug,

Can you identify
1. how many proxies you need to use
2. where they are

I can then configure a gums server to
authorize them... probably cms-xen12

Unless we want to create a whole bunch of new
ones, I think we can use existing service certificates
which most nodes have. I have the following available:
1. I have 2 that I had created for glidein proxy testing
2. About 9 http certs from each of my nodes that can be used.

A couple questions related to how I set them up in GUMS...
1. Do they need to map to different users in order to verify
they are being used correctly? If so, then the entry point
will need to add these "test" accunts. No problem. Just
need to know.
2. Will glexec be involved?

I am assuming these just need to be tested against a single
entry point (ie. CE). Does that CE need a greater than 1 WN cluster?
That is, do we need to see them being used concurrently?

John Weigand

#3 Updated by John Weigand about 8 years ago

From Doug:

I now have the certs ready. When you get a chance, can you authorize them for a gums server and allow them on a CE under your control?
That would be fantastic and allow me to test the proxy plugins. I think they can all map to the same user on the CE.

As long as they are authorized for your CE and I can voms-proxy-init to generate a proxy for the CE, I don't think the VO you use matters either.

/DC=org/DC=doegrids/OU=Services/CN=glideinwms0/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms1/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms2/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms3/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms4/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms5/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms6/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms7/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms8/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms9/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms10/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms11/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms12/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms13/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms14/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms15/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms16/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms17/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms18/cms-xen25.fnal.gov
/DC=org/DC=doegrids/OU=Services/CN=glideinwms19/cms-xen25.fnal.gov

The issuer for all these is "DC=org, DC=DOEGrids, OU=Certificate Authorities, CN=DOEGrids CA 1".

Let me know if you have any questions or need any additional information.

Doug Strain

#4 Updated by John Weigand about 8 years ago

Doug,

All my gums servers and CE nodes should be set up
to use those certificates. They will map to unix
account wmsxen25.

You mention using a voms-proxy-init.
Did you really me grid-proxy-init?
If not and you need to test voms proxies, I will
need to set up one of the voms nodes to allow for that.

Let me know if you have any authorization problems.

John Weigand

#5 Updated by Douglas Strain about 8 years ago

I have tested all the various proxy plugins, and they now seem to work for the test cases I've tried. I uncovered quite a few bugs and issues though, so I would not be surprised if more issues were uncovered once this gets wider testing, but I guess that's part of having a development branch. I think this is in good enough shape to proceed.

#6 Updated by Douglas Strain about 8 years ago

  • Status changed from New to Closed


Also available in: Atom PDF