From: "Rachana Ananthakrishnan" <[EMAIL PROTECTED]>
Subject: RE: [gt-user] GRAM4 + VOMS on GT420
Date: Wed, 6 Aug 2008 13:00:48 -0500
> Tim fixed the class cast exception in the branch.

Thanks.

> I haven't had a chance to test things (probably won't till tomorrow),

Please, please test ...

> but you should be able to update your branch checkout and try.

Yes, I tried.

#############################

> > > 1. Set your CVSROOT to: 
> > > :pserver:[EMAIL PROTECTED]:/home/globdev/CVS/globus-packages
> > > 2. cvs co -r voms_pre_incubator workspace/vm/plugins/authz/voms 

Check out and "ant deploy" worked fine.

> > http://dev.globus.org/wiki/VOMS#GT4.1:_Configuring_the_authorization_chain

Edit etc/globus_wsrf_gram/managed-job-factory-security-config.xml
(because I want to use VOMS + GRAM4).

I added this:

$ diff -u etc/globus_wsrf_gram/managed-job-factory-security-config.xml-ORIG  
etc/globus_wsrf_gram/managed-job-factory-security-config.xml
--- etc/globus_wsrf_gram/managed-job-factory-security-config.xml-ORIG   
2008-08-07 11:39:14.000000000 +0900
+++ etc/globus_wsrf_gram/managed-job-factory-security-config.xml        
2008-08-07 11:04:58.000000000 +0900
@@ -1,4 +1,8 @@
-<serviceSecurityConfig 
xmlns="http://www.globus.org/security/descriptor/service";>
+<serviceSecurityConfig
+        xmlns="http://www.globus.org/security/descriptor/service";
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+        xsi:schemaLocation="http://www.globus.org/security/descriptor 
name_value_type.xsd"
+        xmlns:param="http://www.globus.org/security/descriptor";>
 <methodAuthentication>
     <method name="createManagedJob">
         <auth-method>
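Review bot: the added xsi:schemaLocation on the root element pairs the namespace http://www.globus.org/security/descriptor with a relative location, name_value_type.xsd. A schemaLocation is only a hint, and a relative location is resolved against the location of the config file, so either place the XSD next to managed-job-factory-security-config.xml or say in a comment that the attribute is informational. The xmlns:param declaration is the part the param:nameValueParam elements in the next hunk depend on.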
@@ -9,9 +13,31 @@
     </method>
 </methodAuthentication>
 <authzChain>
-    <pdps>
-        <interceptor name="gridmap"/>
-    </pdps>
- </authzChain>
+  <pips>
+    <interceptor name="vomsPip:org.globus.voms.PIP">
+      <parameter>
+        <param:nameValueParam>
+          <param:parameter
+                 name="vomsTrustStore"
+                 value="/etc/grid-security/vomsdir/*"/>
+        </param:nameValueParam>
+      </parameter>
+    </interceptor>
+  </pips>
+  <pdps>
+    <interceptor name="vomsPdp:org.globus.voms.PDP">
+      <parameter>
+        <param:nameValueParam>
+          <param:parameter
+                 name="vomsAttrAuthzFile"
+                 value="/etc/grid-security/vomsAttr/voms-attr-authz"/>
+          <param:parameter
+                 name="vomsAttrMapFile"
+                 value="/etc/grid-security/vomsAttr/voms-attr-mappings"/>
+        </param:nameValueParam>
+      </parameter>
+    </interceptor>
+  </pdps>
+</authzChain>
 <reject-limited-proxy value="true"/>
 </serviceSecurityConfig>
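Review bot: the new <pdps> block replaces the gridmap interceptor instead of adding vomsPdp beside it, so after this change the decision for this service rests only on the files named in vomsAttrAuthzFile and vomsAttrMapFile. If dropping gridmap is intended, state that in the change description, and keep both files under /etc/grid-security/vomsAttr/ writable only by the administrator, since by their parameter names they decide which attributes are accepted and which account they map to. The vomsTrustStore value ends in /*; a short comment saying the glob is deliberate would help the next reader.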

#############################

And run WS;
the container started successfully!!

#############################

I made a proxy cert with a VOMS AC (typed "voms-proxy-init -voms ???").

$ voms-proxy-info -all
=== VO testvo.geogrid.org extension information ===
VO        : testvo.geogrid.org
attribute : /testvo.geogrid.org/Role=NULL/Capability=NULL

Write "/etc/grid-security/vomsAttr/voms-attr-authz":
"/testvo.geogrid.org/Role=NULL/Capability=NULL"

Write "/etc/grid-security/vomsAttr/voms-attr-mappings":
"/testvo.geogrid.org/Role=NULL/Capability=NULL" test

And create user "test" with "adduser test".

#############################

Submit a WS GRAM job from the server itself (GT420 server machine):

$ globusrun-ws -submit -streaming -job-command /usr/bin/id
Delegating user credentials...Done.
Submitting job...Failed.
Cleaning up any delegated credentials...Done.
globusrun-ws: Error submitting job
globus_soap_message_module: SOAP Fault
Fault code: soapenv:Server.userException
Fault string: org.globus.security.authorization.AuthorizationDeniedException: [JWSSEC-161] "/C=JP/O=AIST/OU=???/CN=akihiro" is not authorized to invoke "{http://www.globus.org/namespaces/2008/03/gram/job}createManagedJob" operation on this service


container.log said:

2008-08-07T11:45:45.073+09:00 INFO  impl.VomsPDP [ServiceThread-61,isPermittedImpl:219] Attribute passed: /testvo.geogrid.org/Role=NULL/Capability=NULL
2008-08-07T11:45:45.075+09:00 INFO  impl.VomsPDP [ServiceThread-61,checkAttrMapFile:481] MAPPED attribute '/testvo.geogrid.org/Role=NULL/Capability=NULL' to account 'test'
2008-08-07T11:45:45.076+09:00 ERROR impl.VomsPDP [ServiceThread-61,isPermitted:91] java.lang.Exception:


Unnn,

I read http://dev.globus.org/wiki/VOMS again.
Oh, I must edit sudoers.

I edited sudoers
and tried submitting to WS-GRAM again, but got the same error.

####################

I think:
  Don't look at the proxy-cert subjectDN,
  just look at the VOMS AC.

How to configure this??

--
SOUM Corporation
Akihiro IIJIMA <[EMAIL PROTECTED]>
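
An added example, not part of the original message and not Globus code: a Python pre-flight check for the setup described above, reading the vomsPdp parameters out of the <authzChain> and confirming that the attribute printed by voms-proxy-info is listed, mapped, and mapped to an existing account. The inline inputs are constructed from the values in the message; exact string matching and the helper names (chain_params, fields, check) are assumptions.

```python
import shlex
import xml.etree.ElementTree as ET

SVC = "{http://www.globus.org/security/descriptor/service}"
PARAM = "{http://www.globus.org/security/descriptor}"
FQAN = "/testvo.geogrid.org/Role=NULL/Capability=NULL"
# Constructed sample input, reduced from the values shown in the message.
CONFIG = """<serviceSecurityConfig
  xmlns="http://www.globus.org/security/descriptor/service"
  xmlns:param="http://www.globus.org/security/descriptor">
<authzChain><pdps><interceptor name="vomsPdp:org.globus.voms.PDP">
<parameter><param:nameValueParam>
<param:parameter name="vomsAttrAuthzFile"
  value="/etc/grid-security/vomsAttr/voms-attr-authz"/>
<param:parameter name="vomsAttrMapFile"
  value="/etc/grid-security/vomsAttr/voms-attr-mappings"/>
</param:nameValueParam></parameter></interceptor></pdps></authzChain>
</serviceSecurityConfig>"""
AUTHZ = f'"{FQAN}"\n'
MAPPINGS = f'"{FQAN}" test\n'

def chain_params(config_xml):
    """Return {interceptor name: {parameter name: value}} for <authzChain>."""
    chain = ET.fromstring(config_xml).find(SVC + "authzChain")
    return {i.get("name"): {p.get("name"): p.get("value")
                            for p in i.iter(PARAM + "parameter")}
            for i in chain.iter(SVC + "interceptor")}

def fields(text):
    """Split each non-blank line into fields, honouring the double quotes."""
    return [shlex.split(line) for line in text.splitlines() if line.strip()]

def check(fqan, authz_text, map_text, accounts):
    """Return the reasons `fqan` would not be authorized and mapped."""
    # Assumption: both files are matched by exact string comparison.
    problems = []
    allowed = {f[0] for f in fields(authz_text)}
    mapping = {f[0]: f[1] for f in fields(map_text) if len(f) >= 2}
    if fqan not in allowed:
        problems.append("attribute not listed in authz file")
    account = mapping.get(fqan)
    if account is None:
        problems.append("attribute has no account mapping")
    elif account not in accounts:
        problems.append(f"mapped account '{account}' does not exist")
    return problems

if __name__ == "__main__":
    print(chain_params(CONFIG), check(FQAN, AUTHZ, MAPPINGS, {"test"}))
```

On a real host, pass the contents of the two files named by chain_params and the account names from the local password database.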
