Ticket metadata
Id: 3240
Status: resolved
Priority: 3/0
Queue: vdt-internal

Fixed in: 1.8.1h
Fix scheduled: CUR

Owner: Scot Kronenfeld
Requestors: Alain Roy
Cc:
AdminCc:

Created: Fri Jan 18 10:41:52 2008
Starts: Not set
Started: Tue Jan 22 14:35:09 2008
Last Contact: Not set
Due: Not set
Closed: Tue Jan 22 14:35:09 2008
Updated: Tue Jan 22 14:35:17 2008 by kronenfe



Subject: Upgrade GUMS to 1.2.15
Jay Packard has requested that we update GUMS to a new version as soon
as possible. This will be in VDT 1.8.1.

> Date: January 17, 2008 5:25:43 PM CST
> To: Alain Roy <roy@cs.wisc.edu>
> Cc: Tim Cartwright <cat@cs.wisc.edu>, Scot Kronenfeld
> <kronenfe@cs.wisc.edu>, Gabriele Garzoglio <garzogli@fnal.gov>
> Subject: GUMS 1.2.15 with 4 critical fixes
>
> Alain,
>
> We have released GUMS 1.2.15 with 4 critical bug fixes:
> 1) Account mapper reversal in 1.1 to 1.2 transformation
>
> Problem: If there exists a CompositeAccountMapper element within a
> groupMapping in a 1.1 gums.config, the transformation to a 1.2 version
> reverses the order of the account mappers within, which order matters
> as to which is tried first. This probably doesn't affect most sites
> since the CompositeAccountMapper is not used in the OSG template nor
> is it a commonly used feature. At BNL, it was used, and in certain
> situations it meant users were being mapped to group accounts instead
> of their local accounts, whereas the group account was supposed to be
> a fallback if there wasn't a local account (for some reason no one
> complained).
>
> Fix: Order is now maintained.
>
> 2) Duplicates in grid-map-file
>
> Problem: Where there are multiple account mappers defined in a group
> to account mapper, there are duplicate entries in the grid-map-file
> such as:
>
> "/DC=org/DC=doegrids/OU=People/CN=Jay Packard 335585" jpackard
> "/DC=org/DC=doegrids/OU=People/CN=Jay Packard 335585" usatlas1
>
> Again, this probably doesn't affect most sites since the OSG template
> doesn't use multiple account mappers. But when there are multiple
> account mappers, this could cause a problem if one client such as a
> gatekeeper chooses the first entry and another client such as dCache
> uses the last. At BNL, we are only using grid-map-files for dCache,
> so it didn't cause any problems.
>
> Fix: Only the first account mapper chosen will make an entry in the
> grid-map-file. A specific DN will only show up once.
>
> 3) Only first account mapper tried when mapping user (existed in GUMS
> 1.1)
>
> Problem: If a group to account mapping defines more than one account
> mapping, only the first one will be chosen whether the result is null
> or not. Again, this probably doesn't affect most sites since the OSG
> template doesn't use multiple account mappers.
>
> Fix: If the first account mapping returns null, the next is tried and
> so forth until a non-null result is found, or null if none return an
> account.
>
> 4) Omissions in vo-grid-map-file (discovered by FNAL)
>
> Problem: When a VOMS user group does not allow generic grid
> certificates, DNs will not show up in the vo-grid-map-file for that
> user group.
>
> Fix: A VOMS user group can now disallow generic grid certificates, and
> appropriate DNs will show up in the vo-grid-map-file.
>
> Meanwhile we are going to reassess our unit tests (we already know
> there are some to be added) to make sure we're testing all scenarios.
> I was considering waiting until we had done this to release this
> version, but the type we need takes time. But I know this version is
> better than the previous, and since the fixes are critical in this
> version, I thought it would be best to release this now. Besides the
> unit tests, we have also tested it on our production GUMS.
>
> The interface has not changed in any way so you should just be able to
> drop these in from our repository. Since these are critical fixes,
> how would you like to alert the OSG community? Should I or should
> you? How do you normally do it?
>
> Jay
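
An added example, not part of the email thread and not GUMS code: a Python audit for the duplicate-entry problem in item 2, which reports every DN that a grid-map-file maps to more than one account and shows what a first-match client and a last-match client would each pick. The sample file is constructed (its first two entries are the ones quoted in the message), and the function names are hypothetical.

```python
import re

# Constructed sample; the first two entries are the ones quoted in the email.
SAMPLE = '''\
# constructed sample grid-map-file
"/DC=org/DC=doegrids/OU=People/CN=Jay Packard 335585" jpackard
"/DC=org/DC=doegrids/OU=People/CN=Jay Packard 335585" usatlas1
"/DC=org/DC=example/OU=People/CN=Constructed User 000001" usatlas1
'''

# One entry per line: a double-quoted DN followed by a local account name.
ENTRY = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')

def parse_gridmap(text):
    """Return {dn: [accounts in file order]}; raise on malformed lines."""
    mappings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a grid-map entry: {line!r}")
        mappings.setdefault(m.group(1), []).append(m.group(2))
    return mappings

def ambiguous_dns(mappings):
    """DNs listed with more than one distinct account.

    'first' is what a first-match client would use, 'last' what a
    last-match client would use; when they differ, the same certificate
    runs as different local users depending on the service.
    """
    report = {}
    for dn, accounts in mappings.items():
        if len(set(accounts)) > 1:
            report[dn] = {"first": accounts[0], "last": accounts[-1]}
    return report

def first_entry_only(mappings):
    """Rewrite with one line per DN, keeping the first account seen.

    This mirrors the outcome the fix describes (a DN shows up once);
    it is applied here to an existing file, not inside GUMS.
    """
    return "".join(f'"{dn}" {accts[0]}\n' for dn, accts in mappings.items())

if __name__ == "__main__":
    maps = parse_gridmap(SAMPLE)
    for dn, pick in ambiguous_dns(maps).items():
        print(f"AMBIGUOUS {dn}: first={pick['first']} last={pick['last']}")
    print(first_entry_only(maps), end="")
```
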


> From: Alain Roy <roy@cs.wisc.edu>
> Date: January 17, 2008 9:34:57 PM CST
> To: Jay Packard <packardj@rcf.rhic.bnl.gov>
> Cc: Tim Cartwright <cat@cs.wisc.edu>, Scot Kronenfeld
> <kronenfe@cs.wisc.edu>, Gabriele Garzoglio <garzogli@fnal.gov>
> Subject: Re: GUMS 1.2.15 with 4 critical fixes
>
> I'm confused--they are critical, but they don't affect most sites?
>
> I'm happy to release it in the VDT within a week. Is that soon enough?
>
> When we make a release, we send email to the GOC, which sends it out
> to people across OSG. We also tell the VDT mailing list,
> vdt-discuss. If these aren't sufficient, we can figure out what else
> you need.
>
> -alain

> From: Jay Packard <jpackard@bnl.gov>
> Date: January 17, 2008 11:54:38 PM CST
> To: Alain Roy <roy@cs.wisc.edu>
> Cc: Jay Packard <packardj@rcf.rhic.bnl.gov>, Tim Cartwright
> <cat@cs.wisc.edu>, Scot Kronenfeld <kronenfe@cs.wisc.edu>, Gabriele
> Garzoglio <garzogli@fnal.gov>
> Subject: Re: GUMS 1.2.15 with 4 critical fixes
>
> If a site creates multiple account mappers within a
> groupToAccountMapping, they may have serious problems. So you could
> say the fixes are conditionally critical.
>
> Within a week should be fine, thanks.
>
> Jay