Voms Proxy

Introduction

VOMS proxies are created with voms-proxy-init and inspected with voms-proxy-info. An extended proxy can carry many extended attributes (it normally comes with several of them). The order of the attributes has changed between versions of voms-proxy-init, and according to the VOMS developers nobody should count on a specific order.

Test 1: changing order

The first extended attribute is the one given first on the command line (-voms ... option). The second and following ones appear later in the proxy.

-bash-3.2$ voms-proxy-init -valid 96:0 -voms atlas:/atlas/usatlas/Role=production -voms atlas:/atlas/Role=production
Enter GRID pass phrase:
Your identity: /DC=org/DC=doegrids/OU=People/CN=Marco Mambelli 325802
Creating temporary proxy .................................................... Done
Contacting  voms.cern.ch:15001 [/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch] "atlas" Done
Creating proxy ................................................ Done
Your proxy is valid until Sat Oct 18 17:44:06 2008
-bash-3.2$ voms-proxy-info -all
subject   : /DC=org/DC=doegrids/OU=People/CN=Marco Mambelli 325802/CN=proxy
issuer    : /DC=org/DC=doegrids/OU=People/CN=Marco Mambelli 325802
identity  : /DC=org/DC=doegrids/OU=People/CN=Marco Mambelli 325802
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u20003
timeleft  : 95:59:49
=== VO atlas extension information ===
VO        : atlas
subject   : /DC=org/DC=doegrids/OU=People/CN=Marco Mambelli 325802
issuer    : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
attribute : /atlas/usatlas/Role=production/Capability=NULL
attribute : /atlas/lcg1/Role=NULL/Capability=NULL
attribute : /atlas/Role=NULL/Capability=NULL
attribute : /atlas/usatlas/Role=NULL/Capability=NULL
attribute : /atlas/Role=production/Capability=NULL
timeleft  : 95:55:19

-bash-3.2$ voms-proxy-init -valid 96:0 -voms atlas:/atlas/Role=production -voms atlas:/atlas/usatlas/Role=production 
Enter GRID pass phrase:
Your identity: /DC=org/DC=doegrids/OU=People/CN=Marco Mambelli 325802
Creating temporary proxy ................................. Done
Contacting  lcg-voms.cern.ch:15001 [/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch] "atlas" Done
Creating proxy ....................................... Done
Your proxy is valid until Sat Oct 18 17:45:09 2008
-bash-3.2$ voms-proxy-info -all
subject   : /DC=org/DC=doegrids/OU=People/CN=Marco Mambelli 325802/CN=proxy
issuer    : /DC=org/DC=doegrids/OU=People/CN=Marco Mambelli 325802
identity  : /DC=org/DC=doegrids/OU=People/CN=Marco Mambelli 325802
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u20003
timeleft  : 95:59:57
=== VO atlas extension information ===
VO        : atlas
subject   : /DC=org/DC=doegrids/OU=People/CN=Marco Mambelli 325802
issuer    : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
attribute : /atlas/Role=production/Capability=NULL
attribute : /atlas/lcg1/Role=NULL/Capability=NULL
attribute : /atlas/Role=NULL/Capability=NULL
attribute : /atlas/usatlas/Role=NULL/Capability=NULL
attribute : /atlas/usatlas/Role=production/Capability=NULL
timeleft  : 95:55:28

Inverting the order of the extended attributes on the command line also inverts their order in the extended proxy.

The behavior seems consistent:
  • first attribute requested on the command line
  • default (implicit) attributes
  • other attributes requested on the command line, in the order they were requested
There is, however, no specification or guarantee of this ordering.
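Since the attribute order is not guaranteed and older clients honoured only the first FQAN, a job that depends on a particular role being primary should check it explicitly before starting. The following is an added example (not from this page or from the VOMS project) that parses the text format of voms-proxy-info -all as shown above; the DN and attribute values in SAMPLE_INFO are a constructed placeholder copy of the second session, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: parse `voms-proxy-info -all` output and verify which FQAN is
# primary before relying on it. Not part of the original page.

# Constructed sample in the shape of the page's second `voms-proxy-info -all`
# session; the DN is a placeholder, not a real credential.
SAMPLE_INFO='subject   : /DC=org/DC=example/OU=People/CN=Example User 000000/CN=proxy
issuer    : /DC=org/DC=example/OU=People/CN=Example User 000000
identity  : /DC=org/DC=example/OU=People/CN=Example User 000000
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u20003
timeleft  : 95:59:57
=== VO atlas extension information ===
VO        : atlas
subject   : /DC=org/DC=example/OU=People/CN=Example User 000000
issuer    : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
attribute : /atlas/Role=production/Capability=NULL
attribute : /atlas/lcg1/Role=NULL/Capability=NULL
attribute : /atlas/Role=NULL/Capability=NULL
attribute : /atlas/usatlas/Role=NULL/Capability=NULL
attribute : /atlas/usatlas/Role=production/Capability=NULL
timeleft  : 95:55:28'

# fqans INFO: print the FQANs (the "attribute :" values) in the order the
# proxy lists them, one per line.
fqans() {
    printf '%s\n' "$1" | sed -n 's/^attribute[[:space:]]*:[[:space:]]*//p'
}

# primary_fqan INFO: print only the first FQAN, the one a client that honours
# a single attribute would act on.
primary_fqan() {
    fqans "$1" | head -n 1
}

# has_fqan INFO FQAN: succeed if FQAN appears anywhere in the extension
# (exact, whole-line match, so /atlas/Role=production alone does not match
# the Capability=NULL form).
has_fqan() {
    fqans "$1" | grep -qxF -e "$2"
}

# check_primary INFO FQAN: succeed only if FQAN is the primary attribute.
check_primary() {
    [ "$(primary_fqan "$1")" = "$2" ]
}

# Demonstration on the constructed sample. With a live proxy, replace
# "$SAMPLE_INFO" by "$(voms-proxy-info -all)".
demo() {
    wanted='/atlas/usatlas/Role=production/Capability=NULL'
    if check_primary "$SAMPLE_INFO" "$wanted"; then
        echo "primary FQAN is $wanted"
    elif has_fqan "$SAMPLE_INFO" "$wanted"; then
        echo "$wanted is present but not primary; primary is $(primary_fqan "$SAMPLE_INFO")"
    else
        echo "$wanted is not granted by this proxy"
    fi
}
demo
```

On the sample above the check reports that /atlas/usatlas/Role=production is present but not primary, which is exactly the situation where a service that looks only at the first FQAN would map the user to a different group than the one intended; re-running voms-proxy-init with the wanted role first is the fix, and the check makes the dependency on ordering explicit instead of implicit.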

Test 2: LFC client

In the past, clients and servers were known to consider only the first extended attribute. Let's see how the LFC behaves.

It is possible to create nested directories. One of the extended attributes is taken as the group. Others can be added with lfc-setacl -m (there are problems).

Test 3: LFC client, write test

Here is a write test, first with only /atlas/Role=production and then with only /atlas/usatlas/Role=production. There is group write. I can nest the directories with different owners.

-bash-3.2$ voms-proxy-init -valid 96:0 -voms atlas:/atlas/Role=production 
Enter GRID pass phrase:
Your identity: /DC=org/DC=doegrids/OU=People/CN=Marco Mambelli 325802
Creating temporary proxy ....................................... Done
Contacting  voms.cern.ch:15001 [/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch] "atlas" Done
Creating proxy ............................................................................. Done
Your proxy is valid until Sat Oct 18 18:42:37 2008
-bash-3.2$ lfc-mkdir /grid/atlas/testmarco/t2atonly
-bash-3.2$ voms-proxy-init -valid 96:0 -voms atlas:/atlas/usatlas/Role=production 
Enter GRID pass phrase:
Your identity: /DC=org/DC=doegrids/OU=People/CN=Marco Mambelli 325802
Creating temporary proxy ........................................................ Done
Contacting  voms.cern.ch:15001 [/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch] "atlas" Done
Creating proxy .......................................................... Done
Your proxy is valid until Sat Oct 18 18:43:29 2008
-bash-3.2$ lfc-mkdir /grid/atlas/testmarco/t2atonly/uaonly
-bash-3.2$ lcf-ls /grid/atlas/testmarco/t2atonly/uaonly
-bash: lcf-ls: command not found
-bash-3.2$ lfc-ls /grid/atlas/testmarco/t2atonly/uaonly
-bash-3.2$ lfc-ls /grid/atlas/testmarco/t2atonly/
uaonly
-bash-3.2$ lfc-ls /grid/atlas/testmarco/t2atonly/ -l
uaonly
-l: invalid path
-bash-3.2$ lfc-ls -l /grid/atlas/testmarco/t2atonly/
drwxrwxr-x   0 127      116                       0 Oct 14 18:39 uaonly
-bash-3.2$ lfc-ls -l /grid/atlas/testmarco/
drwxrwxr-x   1 127      116                       0 Oct 14 18:02 sl1
drwxr-xr-x   2 127      113                       0 Oct 14 18:24 sl1b
drwxrwxr-x   1 127      101                       0 Oct 14 18:39 t2atonly

More

Secondary groups

  • Particular authorization problem
      o The LFC doesn't support secondary groups yet
      o Two different VOMS roles are mapped to two different gids
      o The same user might not be able to access his/her own file, depending on his/her VOMS credentials
  • Possible solutions:
      o 1) Use ACLs + lfc-setacl
      o 2) Do not give the same virtual gid to different VOMS roles: it will not be supported when migrating to secondary group support…

  • Main LFC/DPM documentation page
      o https://twiki.cern.ch/twiki/bin/view/LCG/DataManagementTop
  • LFC Admin Guide
      o https://twiki.cern.ch/twiki/bin/view/LCG/LfcAdminGuide
  • Troubleshooting page
      o https://twiki.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting

-- MarcoMambelli - 14 Oct 2008
Topic revision: r1 - 15 Oct 2008, MarcoMambelli