Bug #5793

proxies for lbne not being created correctly

Added by Joe Boyd over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Urgent
Assignee: Parag Mhashilkar
Category: -
Target version:
Start date: 04/01/2014
Due date:
% Done: 100%
Estimated time:
First Occurred:
Occurs In:
Stakeholders:
Duration:

Description

It doesn't look like jobsub is handling the fact that LBNE has its own VO. This will be the case for D0 and CDF also.

From the jobsub log file you can see it's trying to use the fermilab VOMS server for an lbne proxy:

[01/Apr/2014:13:02:17] EXCEPTION OCCURED IN AUTHORIZATION
[01/Apr/2014:13:02:17] Traceback (most recent call last):
File "/opt/jobsub/server/webapp/auth.py", line 197, in authorize
krb5cc_to_vomsproxy(real_cache_fname, x509_cache_fname, acctgroup, acctrole)
File "/opt/jobsub/server/webapp/auth.py", line 82, in krb5cc_to_vomsproxy
cmd_out, cmd_err = subprocessSupport.iexe_cmd(cmd, child_env=cmd_env)
File "/opt/jobsub/server/webapp/subprocessSupport.py", line 82, in iexe_cmd
raise CalledProcessError(exitStatus, cmd, output="\nEXITCODE:%s\nSTDOUT:%s\nSTDERR:%s" % (exitStatus, stdoutdata, stderrdata))
CalledProcessError: Command '/usr/bin/voms-proxy-init -noregen -ignorewarn -valid 168:0 -bits 1024 -voms fermilab:/fermilab/lbne/Role=Analysis' returned non-zero exit status 1:
EXITCODE:1
STDOUT:Your identity: /DC=gov/DC=fnal/O=Fermilab/OU=Robots/CN=fifegrid/CN=batch/CN=Joe B. Boyd/CN=UID:boyd
Contacting voms2.fnal.gov:15001 [/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=Services/CN=voms2.fnal.gov] "fermilab" Failed

Trying next server for fermilab.
Contacting voms1.fnal.gov:15001 [/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=Services/CN=voms1.fnal.gov] "fermilab" Failed

STDERR:
Error: fermilab: Unable to satisfy B/fermilab/lbne:Analysis Request!

Error: fermilab: Unable to satisfy B/fermilab/lbne:Analysis Request!

None of the contacted servers for fermilab were capable
of returning a valid AC for the user.

LBNE has their own VOMS server. The job gets submitted anyway. Shouldn't it fail??? It has an x509 cred without the voms part. You can see the mu2e one is ok:

************************************************
[rexbatch@fifebatch1 ~]$ condor_q -constraint 'owner == "boyd"'

-- Submitter: fifebatch1.fnal.gov : <131.225.67.102:9615?sock=9845_17ca> : fifebatch1.fnal.gov
ID OWNER SUBMITTED RUN_TIME ST PRI SIZE CMD
3767.0 boyd 4/1 13:02 0+00:00:17 H 0 0.0 grid_probe.sh
3768.0 boyd 4/1 13:12 0+00:00:00 I 0 0.0 grid_probe.sh
[rexbatch@fifebatch1 ~]$ condor_q -constraint 'owner == "boyd"' -format "%s\n" x509userproxy
/fife/local/data/rexbatch/proxies/lbne/x509cc_boyd
/fife/local/data/rexbatch/proxies/mu2e/x509cc_boyd
[rexbatch@fifebatch1 ~]$ voms-proxy-info -all -file /fife/local/data/rexbatch/proxies/lbne/x509cc_boyd
subject : /DC=gov/DC=fnal/O=Fermilab/OU=Robots/CN=fifegrid/CN=batch/CN=Joe B. Boyd/CN=UID:boyd
issuer : /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM
identity : /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM
type : unknown
strength : 1024 bits
path : /fife/local/data/rexbatch/proxies/lbne/x509cc_boyd
timeleft : 71:48:45
key usage : Digital Signature, Key Encipherment
[rexbatch@fifebatch1 ~]$ voms-proxy-info -all -file /fife/local/data/rexbatch/proxies/mu2e/x509cc_boyd
subject : /DC=gov/DC=fnal/O=Fermilab/OU=Robots/CN=fifegrid/CN=batch/CN=Joe B. Boyd/CN=UID:boyd/CN=proxy
issuer : /DC=gov/DC=fnal/O=Fermilab/OU=Robots/CN=fifegrid/CN=batch/CN=Joe B. Boyd/CN=UID:boyd
identity : /DC=gov/DC=fnal/O=Fermilab/OU=Robots/CN=fifegrid/CN=batch/CN=Joe B. Boyd/CN=UID:boyd
type : proxy
strength : 1024 bits
path : /fife/local/data/rexbatch/proxies/mu2e/x509cc_boyd
timeleft : 71:48:39
key usage : Digital Signature, Key Encipherment
=== VO fermilab extension information ===
VO : fermilab
subject : /DC=gov/DC=fnal/O=Fermilab/OU=Robots/CN=fifegrid/CN=batch/CN=Joe B. Boyd/CN=UID:boyd
issuer : /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=Services/CN=voms1.fnal.gov
attribute : /fermilab/mu2e/Role=Analysis/Capability=NULL
attribute : /fermilab/gm2/Role=NULL/Capability=NULL
attribute : /fermilab/grid/Role=NULL/Capability=NULL
attribute : /fermilab/lar1/Role=NULL/Capability=NULL
attribute : /fermilab/minerva/Role=NULL/Capability=NULL
attribute : /fermilab/minos/Role=NULL/Capability=NULL
attribute : /fermilab/mu2e/Role=NULL/Capability=NULL
attribute : /fermilab/Role=NULL/Capability=NULL
attribute : /fermilab/nova/Role=NULL/Capability=NULL
attribute : /fermilab/uboone/Role=NULL/Capability=NULL
timeleft : 23:59:07
uri : voms1.fnal.gov:15001
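
Added example, not part of the original report or of the jobsub code: a fail-closed check of the kind the question above asks about, which parses `voms-proxy-info -all` output and accepts a proxy only if it carries an unexpired attribute for the requested VO, group and role. The function names and the one-hour minimum lifetime are assumptions; the sample text is abridged from the output quoted above.

```python
import re

# Samples abridged from the voms-proxy-info output quoted in this report.
NO_VOMS = """\
subject : /DC=gov/DC=fnal/O=Fermilab/OU=Robots/CN=fifegrid/CN=batch/CN=Joe B. Boyd/CN=UID:boyd
type : unknown
timeleft : 71:48:45
"""
WITH_VOMS = """\
subject : /DC=gov/DC=fnal/O=Fermilab/OU=Robots/CN=fifegrid/CN=batch/CN=Joe B. Boyd/CN=UID:boyd/CN=proxy
type : proxy
timeleft : 71:48:39
=== VO fermilab extension information ===
VO : fermilab
attribute : /fermilab/mu2e/Role=Analysis/Capability=NULL
attribute : /fermilab/mu2e/Role=NULL/Capability=NULL
timeleft : 23:59:07
"""

def parse_voms_info(text):
    """Hypothetical helper: map each VO section to its FQANs and AC lifetime."""
    vos, current = {}, None
    for line in text.splitlines():
        header = re.match(r"=== VO (\S+) extension information ===", line.strip())
        if header:
            current = vos.setdefault(header.group(1), {"fqans": [], "timeleft": 0})
            continue
        # Lines before the first VO header describe the bare X.509 proxy only.
        if current is None or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "attribute":
            current["fqans"].append(value)
        elif key == "timeleft":
            hours, minutes, seconds = (int(x) for x in value.split(":"))
            current["timeleft"] = hours * 3600 + minutes * 60 + seconds
    return vos

def has_voms_attribute(text, vo, group, role, min_seconds=3600):
    """Hypothetical check: True only if an unexpired AC from `vo` grants group/role."""
    section = parse_voms_info(text).get(vo)
    if not section or section["timeleft"] < min_seconds:
        return False  # no VOMS extension for this VO, or it is about to expire
    wanted = "%s/Role=%s/" % (group, role)
    return any(fqan.startswith(wanted) for fqan in section["fqans"])
```

A submission path would call `has_voms_attribute` on the freshly created proxy and reject the job when it returns `False`, rather than queueing it with a plain X.509 credential.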

Related issues

Is duplicate of JobSub - Feature #5812: Support authentication configuration against Non fermilab VOMS (Closed, 2014-04-02)

History

#1 Updated by Parag Mhashilkar over 5 years ago

  • Assignee set to Parag Mhashilkar
  • Target version set to v0.2.1

Duplicate of #5812, which will be part of v0.2.1. Closing this one.

#2 Updated by Parag Mhashilkar over 5 years ago

  • Status changed from New to Resolved

#3 Updated by Dennis Box over 5 years ago

  • Status changed from Resolved to Closed

Tested. The test suite handles this by setting GROUP to some accounting group with a different voms. Need to document the voms setting in jobsub.ini.

#4 Updated by Parag Mhashilkar over 5 years ago

  • % Done changed from 0 to 100

