Is this why, when configuring GridShib in GRAM, we modify the config
of ManagedJobFactoryService (managed-job-factory-security-config.xml)
but not the GRAM job resources config
(managed-job-security-config.xml)?
Tom
On Mon, Apr 21, 2008 at 3:50 PM, Stuart Martin <[EMAIL PROTECTED]> wrote:
> I should have explained this a bit better. There are 2 levels of
> authorization here. 1) access to the services in a container 2) access to
> the WSRF job resources being processed by the managedExecutionJobService in
> the container. For #1, I want to allow many users to use the services.
> That makes sense, this is the typical setup/use of the gridmap file. But
> for #2, (typically) users do not want other users to be able to affect their
> jobs. To handle #2, a new temp gridmap file is created per job that
> contains only the DN of the user that submitted the job. GRAM does not
> provide anything more sophisticated than that at the moment.
>
> -Stu
>
>
>
> On Apr 21, 2008, at Apr 21, 2:15 PM, Silviu Popescu wrote:
>
>
> > Hi Stuart,
> >
> > Thanks for the quick response.
> > I'm not sure yet if I'll need this functionality, I was just curious if it
> > is possible. Actually, in gridmap file I have more DNs mapped to same local
> > user and I thought job access is possible to all DNs.
> >
> > Regards,
> > Silviu
> >
> > Stuart Martin <[EMAIL PROTECTED]> wrote:
> >
> > Hi Silviu,
> >
> > Currently only the DN of the user that submitted the job request is
> > allowed to access that job "resource". GRAM creates a one entry
> > gridmapfile for each job submitted and that temp gridmapfile is used
> > to authorize users, thus limiting access to the job to just the submitter.
> >
> > Can you describe the functionality you would like to have? Would you
> > like to pass in a list of DNs on the createManagedJob operation that
> > you would want to have access to a specific job? Or does this fall
> > into the VO management methods like VOMS and GridShib that are
> > designed to provide group affiliation and authorization?
> >
> > Thanks,
> > -Stu
> >
> > On Apr 21, 2008, at Apr 21, 3:51 AM, Silviu Popescu wrote:
> >
> > > Hi,
> > >
> > > What do I have to do to allow all users to query the status of a
> > > submitted job ?
> > >
> > > I submitted a job with user [EMAIL PROTECTED]
> > > [EMAIL PROTECTED] globusrun-ws -submit -b -o job.epr -c /bin/sleep 200
> > > Submitting job...Done.
> > > Job ID: uuid:3b41a688-0f7f-11dd-9f38-000f2034b443
> > > Termination time: 04/22/2008 08:45 GMT
> > > [EMAIL PROTECTED] globusrun-ws -status -j job.epr
> > > Current job state: Active
> > > [EMAIL PROTECTED] scp job.epr silviup-laptop:/home/user/job.epr
> > >
> > > [EMAIL PROTECTED] globusrun-ws -status -j job.epr -F c14
> > > globusrun-ws: Error querying job state
> > > globus_soap_message_module: SOAP Fault
> > > Fault code: soapenv:Server.userException
> > > Fault string:
> > > org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException:
> > > "/O=Grid/OU=GlobusTest/OU=simpleCA-portal.tech.pub.ro/CN=User" is
> > > not authorized to use operation:
> > > {http://www.globus.org/namespaces/2004/10/gram/job/exec}getMultipleResourceProperties
> > > on this service
> > >
> > > When I submit from silviup-laptop the query works fine.
> > > [EMAIL PROTECTED] globusrun-ws -submit -o job.epr -F c14 -b -c /bin/sleep 200
> > > Submitting job...Done.
> > > Job ID: uuid:13a06b6e-0f7f-11dd-ab7b-0018f39fc34f
> > > Termination time: 04/22/2008 08:43 GMT
> > > [EMAIL PROTECTED] globusrun-ws -status -j job.epr -F c14
> > > Current job state: Active
> > >
> > > Thanks,
> > > Silviu
> >
> >
> >
>
>
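
The two authorization levels described in this thread, as an added example that is not part of the original messages and is not GRAM's code: a small model in which the container gridmap gates job submission and a one-entry per-job gridmap gates access to the job resource. The `Container` class, the job id format, Alice's DN and the `griduser` account are assumptions made for illustration; the gridmap parser handles only the simple `"<DN>" account[,account]` line form.

```python
import shlex

# Constructed sample: Alice's DN and the account name "griduser" are made up;
# the second DN is the one shown in the SOAP fault above.
ALICE = "/O=Grid/OU=GlobusTest/OU=example/CN=Alice Submitter"
USER = "/O=Grid/OU=GlobusTest/OU=simpleCA-portal.tech.pub.ro/CN=User"
SAMPLE_GRIDMAP = f'# container grid-mapfile\n"{ALICE}" griduser\n"{USER}" griduser\n'

class AuthorizationError(Exception):
    pass

def parse_gridmap(text):
    """Parse '"<DN>" acct1,acct2' lines into {DN: [accounts]} (simplified)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) != 2:
            raise ValueError(f"malformed gridmap entry: {line!r}")
        entries[parts[0]] = parts[1].split(",")
    return entries

def shared_accounts(gridmap):
    """Local accounts that more than one DN maps to."""
    by_account = {}
    for dn, accounts in gridmap.items():
        for acct in accounts:
            by_account.setdefault(acct, []).append(dn)
    return {a: dns for a, dns in by_account.items() if len(dns) > 1}

class Container:
    """Hypothetical model: level 1 = container gridmap, level 2 = per-job gridmap."""
    def __init__(self, gridmap_text):
        self.gridmap = parse_gridmap(gridmap_text)
        self.job_gridmaps = {}

    def submit(self, dn):
        if dn not in self.gridmap:  # level 1: may this DN use the service?
            raise AuthorizationError(f'"{dn}" is not authorized to use this service')
        job_id = f"job-{len(self.job_gridmaps) + 1}"
        # Level 2 is set up here: a one-entry gridmap holding only the submitter.
        self.job_gridmaps[job_id] = {dn: self.gridmap[dn]}
        return job_id

    def status(self, dn, job_id):
        if dn not in self.job_gridmaps[job_id]:  # level 2: DN match, not account match
            raise AuthorizationError(f'"{dn}" is not authorized for {job_id}')
        return "Active"
```

In this model both DNs map to the same local account, yet only the submitting DN can query the job, which matches the behaviour reported in the thread.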