On Thu, 07 Aug 2008 11:52:42 +0900 (JST)
IIJIMA Akihiro <[EMAIL PROTECTED]> wrote:

> From: "Rachana Ananthakrishnan" <[EMAIL PROTECTED]>
> Subject: RE: [gt-user] GRAM4 + VOMS on GT420
> Date: Wed, 6 Aug 2008 13:00:48 -0500
> > Tim fixed the class cast exception in the branch.
> 
> Thanks.
> 
> > I haven't had a chance to test things (probably won't till tomorrow),
> 
> please, please test ...
> 
> > but you should be able to update your branch checkout and try.
> 
> yes, I tried.
> 
> #############################
> 
> > > > 1. Set your CVSROOT to: 
> > > > :pserver:[EMAIL PROTECTED]:/home/globdev/CVS/globus-packages
> > > > 2. cvs co -r voms_pre_incubator workspace/vm/plugins/authz/voms 
> 
> check out, and "ant deploy" fine.
> 
> > > http://dev.globus.org/wiki/VOMS#GT4.1:_Configuring_the_authorization_chain
> 
> edit etc/globus_wsrf_gram/managed-job-factory-security-config.xml
> (because I want to use VOMS + GRAM4)
> 
> Add like this.
> 
> $ diff -u etc/globus_wsrf_gram/managed-job-factory-security-config.xml-ORIG  
> etc/globus_wsrf_gram/managed-job-factory-security-config.xml
> --- etc/globus_wsrf_gram/managed-job-factory-security-config.xml-ORIG   
> 2008-08-07 11:39:14.000000000 +0900
> +++ etc/globus_wsrf_gram/managed-job-factory-security-config.xml        
> 2008-08-07 11:04:58.000000000 +0900
> @@ -1,4 +1,8 @@
> -<serviceSecurityConfig 
> xmlns="http://www.globus.org/security/descriptor/service";>
> +<serviceSecurityConfig
> +        xmlns="http://www.globus.org/security/descriptor/service";
> +        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> +        xsi:schemaLocation="http://www.globus.org/security/descriptor 
> name_value_type.xsd"
> +        xmlns:param="http://www.globus.org/security/descriptor";>
>  <methodAuthentication>
>      <method name="createManagedJob">
>          <auth-method>
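
Review bot: the xsi:schemaLocation added on the root element names the schema for http://www.globus.org/security/descriptor only as the bare relative file name_value_type.xsd, so whether the descriptor validates depends on the base location the container's parser resolves it against. Say next to this change where that file is expected to live, or give a location that does not depend on the working directory. The param prefix is bound to the same namespace on the following line, so the two declarations have to be kept in step if either URI is ever edited.
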
> @@ -9,9 +13,31 @@
>      </method>
>  </methodAuthentication>
>  <authzChain>
> -    <pdps>
> -        <interceptor name="gridmap"/>
> -    </pdps>
> - </authzChain>
> +  <pips>
> +    <interceptor name="vomsPip:org.globus.voms.PIP">
> +      <parameter>
> +        <param:nameValueParam>
> +          <param:parameter
> +                 name="vomsTrustStore"
> +                 value="/etc/grid-security/vomsdir/*"/>
> +        </param:nameValueParam>
> +      </parameter>
> +    </interceptor>
> +  </pips>
> +  <pdps>
> +    <interceptor name="vomsPdp:org.globus.voms.PDP">
> +      <parameter>
> +        <param:nameValueParam>
> +          <param:parameter
> +                 name="vomsAttrAuthzFile"
> +                 value="/etc/grid-security/vomsAttr/voms-attr-authz"/>
> +          <param:parameter
> +                 name="vomsAttrMapFile"
> +                 value="/etc/grid-security/vomsAttr/voms-attr-mappings"/>
> +        </param:nameValueParam>
> +      </parameter>
> +    </interceptor>
> +  </pdps>
> +</authzChain>
>  <reject-limited-proxy value="true"/>
>  </serviceSecurityConfig>
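
Review bot: vomsTrustStore in the new vomsPip interceptor is given as the wildcard /etc/grid-security/vomsdir/*, so the set of VOMS servers whose attributes are accepted is whatever files happen to sit in that directory rather than a list that can be reviewed here. Since this hunk also removes `<interceptor name="gridmap"/>` from <pdps>, the files named by vomsAttrAuthzFile and vomsAttrMapFile become the only inputs to the authorization decision and the local account mapping. Add a comment in the descriptor stating that vomsdir must hold only the intended VOMS server certificates and that it and both vomsAttr files must be writable by root only, or name the trusted certificate files explicitly if the PIP accepts that.
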
> 
> #############################
> 
> And run WS, 
> container successful start!!
> 
> #############################
> 
> I make proxy-cert with VOMS AC, (type "voms-proxy-init -voms ???")
> 
> $ voms-proxy-info -all
> === VO testvo.geogrid.org extension information ===
> VO        : testvo.geogrid.org
> attribute : /testvo.geogrid.org/Role=NULL/Capability=NULL
> 
> write "/etc/grid-security/vomsAttr/voms-attr-authz"
> "/testvo.geogrid.org/Role=NULL/Capability=NULL"
> 
> write "/etc/grid-security/vomsAttr/voms-attr-mappings"
> "/testvo.geogrid.org/Role=NULL/Capability=NULL" test
> 
> and make user "test" by "adduser test"
> 
> #############################
> 
> Put into WS GRAM job from self (GT420 server machine)
> 
> $ globusrun-ws -submit -streaming -job-command /usr/bin/id
> Delegating user credentials...Done.
> Submitting job...Failed.
> Cleaning up any delegated credentials...Done.
> globusrun-ws: Error submitting job
> globus_soap_message_module: SOAP Fault
> Fault code: soapenv:Server.userException
> Fault string: org.globus.security.authorization.AuthorizationDeniedException: 
> [JWSSEC-161] "/C=JP/O=AIST/OU=???/CN=akihiro" is not authorized to invoke 
> "{http://www.globus.org/namespaces/2008/03/gram/job}createManagedJob" 
> operation on this service
> 
> 
> container.log said.
> 
> 2008-08-07T11:45:45.073+09:00 INFO  impl.VomsPDP 
> [ServiceThread-61,isPermittedImpl:219] Attribute passed: 
> /testvo.geogrid.org/Role=NULL/Capability=NULL
> 2008-08-07T11:45:45.075+09:00 INFO  impl.VomsPDP 
> [ServiceThread-61,checkAttrMapFile:481] MAPPED attribute 
> '/testvo.geogrid.org/Role=NULL/Capability=NULL' to account 'test'
> 2008-08-07T11:45:45.076+09:00 ERROR impl.VomsPDP 
> [ServiceThread-61,isPermitted:91] java.lang.Exception:
> 
> 
> Unnn,
> 
> read again http://dev.globus.org/wiki/VOMS,
> Oh, must edit sudoer.
> 
> I edit sudoer,
> and try again put in WS-GRAM, but same error.

What did the container.log say at this point?  Without the container log it is
hard to tell if this is because of a VOMS problem or because the grid-mapfile
is being consulted and DENY comes (you should be able to disable gridmap
altogether if my memory serves me correctly).

Tim


> 
> ####################
> 
> I think, 
>   Don't look proxy-cert subjectDN,
>   Just look VOMS-AC.
> 
> How to conf??
> 
> --
> SOUM Corporation
> Akihiro IIJIMA <[EMAIL PROTECTED]>
> 
