Re: [gt-user] GRAM4 + VOMS on GT420

Mon, 11 Aug 2008 00:17:33 -0700 

> > read again http://dev.globus.org/wiki/VOMS,
> > Oh, must edit sudoer.
> > 
> > I edit sudoer,
> > and try again put in WS-GRAM, but same error.
> 
> What did the container.log say at this point?  

same error and same container.log.

$ globusrun-ws -submit -streaming -job-command /tmp/gttest.sh
Delegating user credentials...Done.
Submitting job...Failed.
Cleaning up any delegated credentials...Done.
globusrun-ws: Error submitting job
globus_soap_message_module: SOAP Fault
Fault code: soapenv:Server.userException
Fault string: org.globus.security.authorization.AuthorizationDeniedException: 
[JWSSEC-161] "/C=JP/O=AIST/OU=GEOGrid_test/CN=akihiro/[EMAIL PROTECTED]" is not 
authorized to invoke 
"{http://www.globus.org/namespaces/2008/03/gram/job}createManagedJob"; operation 
on this service

>>> in container.log
2008-08-11T15:29:21.579+09:00 INFO  impl.VomsPDP 
[ServiceThread-61,isPermittedImpl:219] Attribute passed: 
/testvo.geogrid.org/Role=NULL/Capability=NULL
2008-08-11T15:29:21.590+09:00 INFO  impl.VomsPDP 
[ServiceThread-61,checkAttrMapFile:481] MAPPED attribute 
'/testvo.geogrid.org/Role=NULL/Capability=NULL' to account 'test'
2008-08-11T15:29:21.591+09:00 ERROR impl.VomsPDP 
[ServiceThread-61,isPermitted:91] java.lang.Exception: 


++++++

> Without the container log it is hard to tell if this is because of a
> VOMS problem or because the grid-mapfile is being consulted and DENY
> comes (you should be able to disable gridmap altogether if my memory
> serves me correctly).

http://dev.globus.org/wiki/VOMS  mention 2 point
  security-config.xml and sudoer.

1) I delete "gridmap" at 
  etc/globus_wsrf_gram/managed-job-factory-security-config.xml

> > edit etc/globus_wsrf_gram/managed-job-factory-security-config.xml
> > (becouse of I want to use VOMS + GRAM4)
> > 
> > $ diff -u etc/globus_wsrf_gram/managed-job-factory-security-config.xml-ORIG 
> >  etc/globus_wsrf_gram/managed-job-factory-security-config.xml
> >  <authzChain>
> > -    <pdps>
> > -        <interceptor name="gridmap"/>
> > -    </pdps>
> > - </authzChain>

2) And I delete "gridmap" at sudoer like this.

globus  ALL=(ALL) NOPASSWD: 
/usr/local/gt-4.2.0/libexec/globus-job-manager-script.pl * 

+++++

BTW.

1) I found "gridmap" at
      etc/globus_wsrf_gram/managed-job-security-config.xml
(near etc/globus_wsrf_gram/managed-job-factory-security-config.xml)

    <authzChain>
        <pdps>
            <interceptor name="gridmap"/>
        </pdps>
    </authzChain>

Should I change this?
... how to change??
  delete 3line
    or
  delete 3line and add <pips>,<pdps> like 
managed-job-factory-security-config.xml ?

2) I found "gridmap" at
  etc/globus_wsrf_core/global_security_descriptor.xm

        <defaultAuthzParam>
                <interceptor name="gridmap">
                    <parameter>
                        <param:nameValueParam>
                            <param:parameter name="gridmap-file" 
                                            
value="/etc/grid-security/grid-mapfile"/>
                        </param:nameValueParam>
                    </parameter>
                </interceptor>
        </defaultAuthzParam>

Should I change this?

--
AIST ApGrid Support Team
SOUM Corporation
Akihiro IIJIMA <[EMAIL PROTECTED]>

Reply via email to