Lcmaps-voms and lcmaps-gums

Anthony Tiradani asked me to document this behavior; I sent him the following email on 6/19/18.

Hi Tony,

Here is an example of how jobsub currently uses llrun-gums to map a DN and fqan to a uid:

[root@fermicloud042 ~]# llrun -s -l debug=2,mode=nogsi_ga,policy=authorize_only,db=/etc/lcmaps/lcmaps.db -d "/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Dennis Box/CN=UID:dbox" -f "/fermilab/nova/Role=Production" voms=1
[llrun]: WARNING: Empty pemstring for proxy.
[llrun]: WARNING: X509_USER_PROXY is not set.
[llrun]: LCMAPS succeeded.
[llrun]: uid=47552(novapro)
[llrun]: primary gids: 1
[llrun]: pgid[0]=9553(undefined)
[llrun]: secondary gids: 1
[llrun]: sgid[0]=47552(nova)
[llrun]: poolindex=undefined

An example of a query of a DN that does not have nova membership, therefore no Production role:

[root@fermicloud042 ~]# llrun -s -l debug=2,mode=nogsi_ga,policy=authorize_only,db=/etc/lcmaps/lcmaps.db -d "/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Dave Dykstra/CN=UID:dwd" -f "/fermilab/nova/Role=Production" voms=1
[llrun]: WARNING: Empty pemstring for proxy.
[llrun]: WARNING: X509_USER_PROXY is not set.
lcmaps[3863793] LOG_WARNING: 2018-06-19.19:55:59Z: Username_handler: Cannot fulfill obligation, fulfill on "Permit" does not match decision "Deny".
lcmaps[3863793]     LOG_ERR: 2018-06-19.19:55:59Z: lcmaps_plugin_scas_client-xacmlqueryscas(): XACML: Obligation failed. The returned obligation(s) couldn't be processed. Endpoint "https://gums-crit.fnal.gov:8443/gums/services/GUMSXACMLAuthorizationServicePort" 
lcmaps[3863793] LOG_WARNING: 2018-06-19.19:55:59Z: Username_handler: Cannot fulfill obligation, fulfill on "Permit" does not match decision "Deny".
lcmaps[3863793]     LOG_ERR: 2018-06-19.19:55:59Z: lcmaps_plugin_scas_client-xacmlqueryscas(): XACML: Obligation failed. The returned obligation(s) couldn't be processed. Endpoint "https://gums-crit.fnal.gov:8443/gums/services/GUMSXACMLAuthorizationServicePort" 
lcmaps[3863793]     LOG_ERR: 2018-06-19.19:55:59Z: LCMAPS failed to do mapping and return account information
[llrun]: ERROR: lcmaps_return_account_without_gsi() failed.
[llrun]: ERROR: LCMAPS failed.
[root@fermicloud042 ~]# echo $?
1

I have llrun-voms set up on fermicloud378, you are in the root .k5login on this machine and are welcome to log on and test (and find my misconfigurations).  /etc/grid-security/grid-mapfile and /etc/grid-security/voms-mapfile on fermicloud378 were generated from Ferry but the information is a month old and may be out of date.

Lines 161-170 of /etc/lcmaps/lcmaps.db on fermicloud378 are the authorize_only section, where I have two map orderings that I can change by commenting and uncommenting lines.  They currently read:

# map order 1, gridmapfile before vomsmapfile
banvomsfile -> gridmapfile | bad
gridmapfile -> good | vomsmapfile
vomsmapfile -> good | defaultmapfile

# map order 2, vomsmapfile before gridmapfile
#banvomsfile -> vomsmapfile | bad
#vomsmapfile -> good | gridmapfile
#gridmapfile -> good | defaultmapfile

Using map order 1, llrun gives me the following output.  (The correct answer is uid = novapro)

[root@fermicloud378 ~]# llrun -s -l debug=2,mode=nogsi_ga,policy=authorize_only,db=/etc/lcmaps/lcmaps.db -d "/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Dennis Box/CN=UID:dbox" -f "/fermilab/nova/Role=Production" voms=1
[llrun]: WARNING: Empty pemstring for proxy.
[llrun]: WARNING: X509_USER_PROXY is not set.
[llrun]: LCMAPS succeeded.
[llrun]: uid=8531(dbox)
[llrun]: primary gids: 1
[llrun]: pgid[0]=3200(cdf)
[llrun]: secondary gids: 16
[llrun]: sgid[0]=3200(cdf)
[llrun]: sgid[1]=3302(condor)
[llrun]: sgid[2]=5111(e875)
[llrun]: sgid[3]=9100(mars)
[llrun]: sgid[4]=9108(lbnemars)
[llrun]: sgid[5]=9111(marslbne)
[llrun]: sgid[6]=9112(marsmu2e)
[llrun]: sgid[7]=9113(marsgm2)
[llrun]: sgid[8]=9142(larrand)
[llrun]: sgid[9]=9553(nova)
[llrun]: sgid[10]=9555(e938)
[llrun]: sgid[11]=9874(argoneut)
[llrun]: sgid[12]=9914(mu2e)
[llrun]: sgid[13]=9937(microboone)
[llrun]: sgid[14]=9950(gm2)
[llrun]: sgid[15]=9960(lbne)
[llrun]: poolindex=undefined
[root@fermicloud378 ~]#

Checking Dave Dykstra's DN (where I expect a nonzero return and therefore no uid assigned, as he's not a member of the nova VO):

[root@fermicloud378 ~]#  llrun -s -l debug=2,mode=nogsi_ga,policy=authorize_only,db=/etc/lcmaps/lcmaps.db -d "/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Dave Dykstra/CN=UID:dwd" -f "/fermilab/nova/Role=Production" voms=1
[llrun]: WARNING: Empty pemstring for proxy.
[llrun]: WARNING: X509_USER_PROXY is not set.
[llrun]: LCMAPS succeeded.
[llrun]: uid=3382(dwd)
[llrun]: primary gids: 1
[llrun]: pgid[0]=9996(docs)
[llrun]: secondary gids: 1
[llrun]: sgid[0]=9996(docs)
[llrun]: poolindex=undefined
[root@fermicloud378 ~]# echo $?
0
[root@fermicloud378 ~]#

If I change lcmaps.db to use map order 2 I get the following correct response for dbox's DN:

[root@fermicloud378 ~]# llrun -s -l debug=2,mode=nogsi_ga,policy=authorize_only,db=/etc/lcmaps/lcmaps.db -d "/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Dennis Box/CN=UID:dbox" -f "/fermilab/nova/Role=Production" voms=1
[llrun]: WARNING: Empty pemstring for proxy.
[llrun]: WARNING: X509_USER_PROXY is not set.
[llrun]: LCMAPS succeeded.
[llrun]: uid=1004(novapro)
[llrun]: primary gids: 1
[llrun]: pgid[0]=1004(novapro)
[llrun]: secondary gids: 1
[llrun]: sgid[0]=1004(novapro)
[llrun]: poolindex=undefined
[root@fermicloud378 ~]#

Unfortunately, Dave Dykstra now has the nova Production role as well:

[root@fermicloud378 ~]#  llrun -s -l debug=2,mode=nogsi_ga,policy=authorize_only,db=/etc/lcmaps/lcmaps.db -d "/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Dave Dykstra/CN=UID:dwd" -f "/fermilab/nova/Role=Production" voms=1
[llrun]: WARNING: Empty pemstring for proxy.
[llrun]: WARNING: X509_USER_PROXY is not set.
[llrun]: LCMAPS succeeded.
[llrun]: uid=1004(novapro)
[llrun]: primary gids: 1
[llrun]: pgid[0]=1004(novapro)
[llrun]: secondary gids: 1
[llrun]: sgid[0]=1004(novapro)
[llrun]: poolindex=undefined
[root@fermicloud378 ~]#

The VO membership information is not currently stored in the mapfiles on fermicloud378.  I know how to query both ferry and the voms server for this information, and I do a voms-proxy-init later on in jobsub's authorization process if it's needed, but I don't really want to query the voms server every time a user does something as a member of a group.  I have elected to query ferry for this information and cache it as a workaround.

If you see a problem with the mapfiles on fermicloud378, and know of a way to make the llrun query above work, I would like to know and use it.

Best Regards,

Dennis
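The two map orderings from the email, modelled as an added example that is not part of the email or of lcmaps itself: a small Python evaluator for "plugin -> on_success | on_failure" chains over constructed grid-mapfile and voms-mapfile contents, plus a constructed stand-in for the cached FERRY membership data the email proposes. The mapfile syntax is simplified, and banvomsfile and defaultmapfile from the real lcmaps.db are left out of the model.

```python
import shlex

# Constructed DNs and mapfiles (simplified grid-mapfile / voms-mapfile syntax:
# one quoted DN or FQAN per line, followed by the local account).
DBOX = "/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Dennis Box/CN=UID:dbox"
DWD = "/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Dave Dykstra/CN=UID:dwd"
GRID_MAPFILE = f'"{DBOX}" dbox\n"{DWD}" dwd\n'
VOMS_MAPFILE = '"/fermilab/nova/Role=Production" novapro\n'
# Constructed stand-in for the cached FERRY VO-membership data: group -> member DNs.
VO_MEMBERS = {"/fermilab/nova": {DBOX}}

def parse_mapfile(text):
    """Parse '"key" account' lines into a dict; blank and # lines are skipped."""
    mapping = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            key, account = shlex.split(line)
            mapping[key] = account
    return mapping

GRID, VOMS = parse_mapfile(GRID_MAPFILE), parse_mapfile(VOMS_MAPFILE)

def gridmapfile(dn, fqan, members):
    return GRID.get(dn)

def vomsmapfile(dn, fqan, members):
    # Plain voms-mapfile: the FQAN alone picks the account, whatever the DN.
    # With membership data, the FQAN is honoured only for DNs in its group.
    if members is not None and dn not in members.get(fqan.split("/Role=")[0], ()):
        return None
    return VOMS.get(fqan)

PLUGINS = {"gridmapfile": gridmapfile, "vomsmapfile": vomsmapfile}

# Policy chains as 'plugin: (on_success, on_failure)', mirroring lcmaps.db lines
# such as 'gridmapfile -> good | vomsmapfile'.
MAP_ORDER_1 = {"gridmapfile": ("good", "vomsmapfile"), "vomsmapfile": ("good", "bad")}
MAP_ORDER_2 = {"vomsmapfile": ("good", "gridmapfile"), "gridmapfile": ("good", "bad")}
ROLE_ONLY = {"vomsmapfile": ("good", "bad")}  # deny outright when the FQAN is refused

def evaluate(policy, dn, fqan, members=None):
    """Walk the chain from its first rule; return the account on 'good', None on 'bad'."""
    node, account = next(iter(policy)), None
    while node not in ("good", "bad"):
        on_success, on_failure = policy[node]
        result = PLUGINS[node](dn, fqan, members)
        account, node = (result, on_success) if result else (account, on_failure)
    return account if node == "good" else None

# e.g. evaluate(MAP_ORDER_2, DWD, "/fermilab/nova/Role=Production") -> "novapro"
```

With map order 2 and the membership data, a non-member's FQAN is refused but the chain still falls through to his own DN entry; the ROLE_ONLY chain is the variant that denies outright, matching the GUMS "Deny" in the first session.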