vpi_dont_verify.diff
vpi_rc.patch
Wed Apr 23 10:01:07 2008 | weigand@fnal.gov - Ticket created

VDT 1.10.0 VOMS

voms-proxy-init --version
voms-proxy-init
Version: 1.8.3

voms-proxy-info --version
voms-proxy-info
Version: 1.8.3

The voms-proxy-info command performs a check for the VOMS server certificate in, I assume, the /etc/grid-security/vomsdir directory and will return a non-zero return code if not found.

The voms-proxy-init command does not appear to do this.

This does not seem to make sense:
1. Why would I need to have the VOMS server certificates on nodes that I am submitting jobs from?
2. Why would it occur on the voms-proxy-info and not the voms-proxy-init, even if this was a valid validation test which I don't think it should be.
3. It has no effect on submitting jobs using the proxy either.

One of the uses of the voms-proxy-info command in CMS, at least, is a programmatic check to verify that the proxy is valid or valid for a certain period using the -valid, -timeleft or -exists options. The return code is used to determine this as it should be.

Under the 1.7.20 version used in OSG 0.8.0, the return code was always correct.

I have included at the back of this message examples of the various commands and return codes. These were all done in the sequence shown.

This is a very critical problem.

John Weigand

---------------
voms-proxy-init -voms cms:/cms/uscms/Role=cmsuser -valid 2400:00;echo $?
Cannot find file or dir: /home/condor/execute/dir_10494/userdir/glite/etc/vomses
Enter GRID pass phrase:
Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
Creating temporary proxy ..................................... Done
Contacting lcg-voms.cern.ch:15002 [/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch] "cms" Done

Warning: lcg-voms.cern.ch:15002: The validity of this VOMS AC in your proxy is shortened to 691200 seconds!

Creating proxy .......................................................... Done
Your proxy is valid until Fri Aug 1 09:42:07 2008
0

------------------------
voms-proxy-info -all;echo $?
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo cms
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491/CN=proxy
issuer : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
identity : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
type : proxy
strength : 512 bits
path : /tmp/x509up_u9789
timeleft : 2399:59:25
=== VO cms extension information ===
VO : cms
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
issuer : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
attribute : /cms/uscms/Role=cmsuser/Capability=NULL
attribute : /cms/uscms/Role=NULL/Capability=NULL
attribute : /cms/Role=NULL/Capability=NULL
timeleft : 191:59:24
1
--------------------
voms-proxy-info -exists;echo $?
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo cms
1
-------------------------
voms-proxy-info -valid 01:00;echo $?
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo cms
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491/CN=proxy
issuer : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
identity : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
type : proxy
strength : 512 bits
path : /tmp/x509up_u9789
timeleft : 2399:58:33
1
-----------------------
voms-proxy-info -timeleft ;echo $?
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo cms
8639859
1

Wed Apr 23 12:45:30 2008 | weigand@fnal.gov - Correspondence added

Burt/Tony

Here is the VDT ticket for the voms-proxy-info return code problem I mentioned in our meeting yesterday.
http://vdt.cs.wisc.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=3493

Please review it and provide your comments on its priority to CMS for OSG 1.0 in the event I have mis-interpreted it. Any relevant comments should be made using the Subject of this email with a cc to vdt-support@opensciencegrid.org so that it gets recorded in this ticket.

fyi - I have also opened a ticket in the ITB ticket system, but I am not sure that is used by anyone but me and there is no link between VDT and ITB that I know of. It may not even be visible to you...
https://rt-racf.bnl.gov/rt/Search/Results.html?Query=Queue%20%3D%20'OSG-ITB'

Thanks
John Weigand

Thu Apr 24 21:06:07 2008 | roy - Taken
Thu Apr 24 21:06:35 2008 | roy - Priority changed from (no value) to '3'
Thu Apr 24 21:06:35 2008 | roy - Fix scheduled CU added
Thu Apr 24 21:06:46 2008 | roy - Fix scheduled CU changed to CUR

Thu Apr 24 21:26:32 2008 | roy - Correspondence added

> The voms-proxy-info command performs a check for the VOMS server
> certificate in, I assume, the /etc/grid-security/vomsdir directory and
> will return a non-zero return code if not found.
>
> The voms-proxy-init command does not appear to do this.

I've looked at the code, and what I've seen agrees with your description.

> This does not seem to make sense:
> 1. Why would I need to have the VOMS server certificates on nodes
> that I am submitting jobs from?

My guess is that they've defined "voms-proxy-info" to give information and to verify the correctness of the proxy. We can ask the VOMS developers, but first I would like to understand the problem better.

voms-proxy-info can be used on computers other than the submitting computer.

> One of the uses of the voms-proxy-info command in CMS, at least, is a
> programmatic check to verify that the proxy is valid or valid for a
> certain period using the -valid, -timeleft or -exists options. The
> return code is used to determine this as it should be.

Is it required that you use the return code? Can you parse the output? I'm not saying you should, but I'm trying to understand the parameters here.

It sounds like you want to test if the proxy is still valid, and your definition includes "hasn't expired", but doesn't include "cryptographically valid".

The more I think about it, the more I think that the definition by voms-proxy-info makes good sense. Perhaps we should talk about this by phone on Friday, so you can sway me to your way of thinking.

What would be a good resolution for you? I can think of a few options.

1) voms-proxy-init changes its definition of "valid" to not include "cryptographically valid".

2) voms-proxy-init adds an option for "-skip-verify-signature", and you can specify that option.

3) You look at the output instead of the error code.

I'm happy to talk to you about this by phone, so we can quickly come to an understanding. If possible, let's talk in the earlier part of Friday morning.

-alain
-----------------------------------------------------------------
Alain Roy vdt-support@opensciencegrid.org
VDT Support http://vdt.cs.wisc.edu/support.html

Thu Apr 24 21:26:32 2008 | RT_System - Status changed from 'new' to 'open'

Fri Apr 25 07:28:15 2008 | weigand@fnal.gov - Correspondence added

Anytime this morning is fine. I would like for Burt or Tony to provide the effect on CMS software. We can talk before they get in if you like.

I have embedded some comments in your reply.

John

Alain Roy via RT wrote:
>> The voms-proxy-info command performs a check for the VOMS server
>> certificate in, I assume, the /etc/grid-security/vomsdir directory and
>> will return a non-zero return code if not found.
>>
>> The voms-proxy-init command does not appear to do this.
>
> I've looked at the code, and what I've seen agrees with your
> description.
>
>> This does not seem to make sense:
>> 1. Why would I need to have the VOMS server certificates on nodes
>> that I am submitting jobs from?
>
> My guess is that they've defined "voms-proxy-info" to give information
> and to verify the correctness of the proxy. We can ask the VOMS
> developers, but first I would like to understand the problem better.
>
> voms-proxy-info can be used on computers other than the submitting computer.

It is extremely impractical to expect that every node I submit grid jobs from have a set of VOMS server certs or identities..

>> One of the uses of the voms-proxy-info command in CMS, at least, is a
>> programmatic check to verify that the proxy is valid or valid for a
>> certain period using the -valid, -timeleft or -exists options. The
>> return code is used to determine this as it should be.
>
> Is it required that you use the return code? Can you parse the output?
> I'm not saying you should, but I'm trying to understand the parameters
> here.
>
> It sounds like you want to test if the proxy is still valid, and your
> definition includes "hasn't expired", but doesn't include
> "cryptographically valid".

The "crypto..." part, if validation is needed for that, is done at the PDP. I assume I am not a "spoofer", just a normal user who wants to verify:
1. I still have a proxy available
2. It will be valid for the duration of my job

> The more I think about it, the more I think
I disagree. here.
> that the definition by voms-proxy-info makes good sense. Perhaps we
> should talk about this by phone on Friday, so you can sway me to your
> way of thinking.
>
> What would be a good resolution for you? I can think of a few options.
Best
> 1) voms-proxy-init changes its definition of "valid" to not include
> "cryptographically valid".
>
> 2) voms-proxy-init adds an option for "-skip-verify-signature", and
ok
> you can specify that option.
>
> 3) You look at the output instead of the error code.
worst. Doing this is always a last resort.
>
> I'm happy to talk to you about this by phone, so we can quickly come to
> an understanding. If possible, let's talk in the earlier part of
> Friday morning.
>
> -alain
>
> -----------------------------------------------------------------
> Alain Roy vdt-support@opensciencegrid.org
> VDT Support http://vdt.cs.wisc.edu/support.html

Fri Apr 25 07:56:31 2008 | roy - Correspondence added

On Apr 25, 2008, at 7:28 AM, weigand@fnal.gov via RT wrote:
> Anytime this morning is fine. I would like for Burt or Tony to
> provide the effect on CMS software.

I'll contact you when I get in, hopefully around 9:00am.

-alain

Sun Apr 27 14:52:38 2008 | roy - Comments added

I talked to John and Burt about this on Friday morning by phone. My understanding:

* This affects USCMS, and they consider it a serious problem.
* This affects CRAB, which passes -identity or -timeleft to discover basic information about the proxy, and doesn't care if it can be validated.
* We agree that it might make sense for voms-proxy-info to fail if the certificate can't be verified, it shouldn't do so when just extracting some basic information.

I've written up a bug report about it, and it's here:
https://savannah.cern.ch/bugs/?36052

I have a patch to voms-proxy-info that I developed and tested that would make USCMS happy. We'll see what the VOMS developers think.

-alain

Message body not shown because it is too large or is not plain text.

Sun May 11 11:11:05 2008 | roy - Comments added

Commit comment: Patch voms-proxy-info so that it has a dont-verify-ac option, and a corresponding VOMS_PROXY_INFO_DONT_VERIFY_AC environment variable.

Changed files:
U vdt/branches/vdt-1.10/VOMS/nmi/glue.in
U vdt/branches/vdt-1.10/VOMS/nmi/nmi-remote-task.pl
A vdt/branches/vdt-1.10/VOMS/nmi/vpi_dont_verify.patch

To generate a diff:
svn diff -c 7706 file:///p/vdt/workspace/svn

Sun May 11 13:29:21 2008 | roy - Requestor burt@fnal.gov added

Sun May 11 13:31:56 2008 | roy - Correspondence added

Hi guys,

You've probably seen the information in the Savannah ticket, but so it's recorded here.

VDT 1.10.1 will contain a patched voms-proxy-info, with two changes.

1) You can pass -dont-verify-ac on the command-line
2) You can set VOMS_PROXY_INFO_DONT_VERIFY_AC in the environment. It doesn't matter what the value is, as long as it's set. It's equivalent to -dont-verify-ac.

I'll work with Vincenzo to get this into a future VOMS release.

-alain
-----------------------------------------------------------------
Alain Roy vdt-support@opensciencegrid.org
VDT Support http://vdt.cs.wisc.edu/support.html

> [weigand@fnal.gov - Wed Apr 23 10:01:07 2008]:
>
> VDT 1.10.0 VOMS
>
> voms-proxy-init --version
> voms-proxy-init
> Version: 1.8.3
>
> voms-proxy-info --version
> voms-proxy-info
> Version: 1.8.3
>
> The voms-proxy-info command performs a check for the VOMS server
> certificate in, I assume, the /etc/grid-security/vomsdir directory and
> will return a non-zero return code if not found.
>
> The voms-proxy-init command does not appear to do this.
>
> This does not seem to make sense:
> 1. Why would I need to have the VOMS server certificates on nodes that I
> am submitting jobs from?
> 2. Why would it occur on the voms-proxy-info and not the
> voms-proxy-init, even if this was a valid validation test which I don't
> think it should be.
> 3. It has no effect on submitting jobs using the proxy either.
>
> One of the uses of the voms-proxy-info command in CMS, at least, is a
> programmatic check to verify that the proxy is valid or valid for a
> certain period using the -valid, -timeleft or -exists options. The
> return code is used to determine this as it should be.
>
> Under the 1.7.20 version used in OSG 0.8.0, the return code was always
> correct.
>
> I have included at the back of this message examples of the various
> commands and return codes. These were all done in the sequence shown.
>
> This is a very critical problem.
>
> John Weigand
>
>
> ---------------
> voms-proxy-init -voms cms:/cms/uscms/Role=cmsuser -valid 2400:00;echo $?
> Cannot find file or dir:
> /home/condor/execute/dir_10494/userdir/glite/etc/vomses
> Enter GRID pass phrase:
> Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
> Creating temporary proxy ..................................... Done
> Contacting lcg-voms.cern.ch:15002
> [/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch] "cms" Done
>
> Warning: lcg-voms.cern.ch:15002: The validity of this VOMS AC in your
> proxy is shortened to 691200 seconds!
>
> Creating proxy
> .......................................................... Done
> Your proxy is valid until Fri Aug 1 09:42:07 2008
> 0
>
> ------------------------
> voms-proxy-info -all;echo $?
> WARNING: Unable to verify signature! Server certificate possibly not
> installed.
> Error: Cannot find certificate of AC issuer for vo cms
> subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491/CN=proxy
> issuer : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
> identity : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
> type : proxy
> strength : 512 bits
> path : /tmp/x509up_u9789
> timeleft : 2399:59:25
> === VO cms extension information ===
> VO : cms
> subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
> issuer : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
> attribute : /cms/uscms/Role=cmsuser/Capability=NULL
> attribute : /cms/uscms/Role=NULL/Capability=NULL
> attribute : /cms/Role=NULL/Capability=NULL
> timeleft : 191:59:24
> 1
> --------------------
> voms-proxy-info -exists;echo $?
> WARNING: Unable to verify signature! Server certificate possibly not
> installed.
> Error: Cannot find certificate of AC issuer for vo cms
> 1
> -------------------------
> voms-proxy-info -valid 01:00;echo $?
> WARNING: Unable to verify signature! Server certificate possibly not
> installed.
> Error: Cannot find certificate of AC issuer for vo cms
> subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491/CN=proxy
> issuer : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
> identity : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
> type : proxy
> strength : 512 bits
> path : /tmp/x509up_u9789
> timeleft : 2399:58:33
> 1
> -----------------------
> voms-proxy-info -timeleft ;echo $?
> WARNING: Unable to verify signature! Server certificate possibly not
> installed.
> Error: Cannot find certificate of AC issuer for vo cms
> 8639859
> 1
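
Added example, not part of the ticket and not VDT or VOMS project code: a submit-side pre-check that reads the proxy lifetime with VOMS_PROXY_INFO_DONT_VERIFY_AC set, as the message above describes, and reports AC verification as a separate result. `fake_vpi` and its `FAKE_*` knobs are a constructed stand-in modelled on the transcripts in this ticket; `VPI`, `proxy_timeleft`, `proxy_ac_verified` and `check_proxy` are names chosen here.

```shell
#!/bin/sh
# Added example (not VDT/VOMS project code). Assumes the patched
# voms-proxy-info from this ticket, which honours VOMS_PROXY_INFO_DONT_VERIFY_AC.
# VPI names the command to run; the default is the installed client.
VPI=${VPI:-voms-proxy-info}

# Constructed stand-in for voms-proxy-info, modelled on the transcripts in
# this ticket, so the functions below can be exercised without a grid setup.
# Assumption: warnings arrive on stdout, the harder case for a parser.
# Knobs (hypothetical): FAKE_PROXY, FAKE_AC_CERT, FAKE_TIMELEFT.
fake_vpi() {
    if [ "${FAKE_PROXY:-present}" != present ]; then
        echo "Couldn't find a valid proxy."
        return 1
    fi
    rc=0
    # Any value counts, as long as the variable is set.
    skip=${VOMS_PROXY_INFO_DONT_VERIFY_AC+yes}
    for arg in "$@"; do
        case $arg in -dont-verify-ac|--dont-verify-ac) skip=yes ;; esac
    done
    if [ -z "$skip" ] && [ "${FAKE_AC_CERT:-missing}" = missing ]; then
        echo "WARNING: Unable to verify signature! Server certificate possibly not installed."
        echo "Error: Cannot find certificate of AC issuer for vo cms"
        rc=1
    fi
    case " $* " in *" --timeleft "*) echo "${FAKE_TIMELEFT:-43135}" ;; esac
    return $rc
}

# Print the remaining proxy lifetime in seconds with AC verification skipped,
# so a missing VOMS server certificate cannot turn the answer into a failure.
# The variable is exported only inside the command substitution's subshell.
# Non-zero return: no proxy, or no all-digit line in the output.
proxy_timeleft() {
    out=$(export VOMS_PROXY_INFO_DONT_VERIFY_AC=1
          "$VPI" --timeleft 2>/dev/null) || return 1
    secs=$(printf '%s\n' "$out" | grep -E '^[0-9]+$' | tail -n 1)
    [ -n "$secs" ] || return 1
    printf '%s\n' "$secs"
}

# Return 0 only if the default, verifying mode of --exists succeeds on this
# host, i.e. the AC signature could be checked against an installed
# VOMS server certificate.
proxy_ac_verified() {
    (unset VOMS_PROXY_INFO_DONT_VERIFY_AC; "$VPI" --exists >/dev/null 2>&1)
}

# Classify the proxy for a job that needs $1 seconds of lifetime.
# Lifetime and signature status are kept apart: "ok-unverified" is enough
# for a submit-side pre-check, but it says nothing about whether the VOMS
# attributes are authentic. That decision stays with the verifying side.
check_proxy() {
    need=$1
    left=$(proxy_timeleft) || { echo no-proxy; return 2; }
    if [ "$left" -lt "$need" ]; then
        echo expiring
        return 1
    fi
    if proxy_ac_verified; then
        echo ok-verified
    else
        echo ok-unverified
    fi
    return 0
}
```

Set `VPI=fake_vpi` to exercise the functions against the stand-in; leave it unset to call the installed client, for example `check_proxy 3600`.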

Tue May 13 09:25:58 2008 | weigand@fnal.gov - Correspondence added

Testing of patch for this. Not everything works as expected. Tested both using variable and the --dont-verify-ac option

I am showing all in the order I tested to illustrate. Also as you get to the end you will see the variable has no effect on the valid option. Something is still very wrong in here.

I have cut/paste the exact order of the tests and variable settings I am doing.

If I am doing something wrong, please advise

This is the installation versions
vdt-version
You have installed a subset of VDT version 1.10.1:
Apache HTTPD 2.2.8
CA Certificates v35 (includes IGTF 1.20 CAs)
Fetch CRL 2.6.6
GPT 3.2autotools2004-NMI-9.0
Java 5 SDK 1.5.0_14
Logrotate 3.7
MySQL 4.1.22
MySQL 5.0.51a
MySQL Connector/J 5.0.6
Apache Tomcat 5.5.25
VOMS 1.8.3
VOMS Admin 2.0.14-1

John Weigand
==================================
voms-proxy-init --voms oiv_test1:/oiv_test1
Your identity: /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov
Creating temporary proxy ................................................ Done
Contacting cms-xen3.fnal.gov:15001 [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1" Done
Creating proxy ................................................ Done
Your proxy is valid until Tue May 13 20:58:28 2008
=====================
(this works the same as the --dont-verify-ac)
=====================
subject : /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov/CN=proxy
issuer : /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov
identity : /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov
type : proxy
strength : 512 bits
path : /tmp/x509up_u0
timeleft : 11:58:43
=== VO oiv_test1 extension information ===
VO : oiv_test1
subject : /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov
issuer : /DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov
attribute : /oiv_test1
timeleft : 11:58:43
0
**GOOD***
===========================
0
**GOOD***
===========================
42968
0

**GOOD***
===========================
0

*** THE ABOVE SHOULD HAVE FAILED. ***

============================

unset VOMS_PROXY_INFO_DONT_VERIFY_AC
voms-proxy-info --exists --valid 20:00 --dont-verify-ac;echo $?
0

***GOOD ***

==========================

To show that the option does work....
NOW THIS HAS CONFUSED ME AS THIS USED TO NOT WORK... WITHOUT THE OPTION OR VARIABLE SET
voms-proxy-info --exists --valid 20:00 ;echo $?
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo oiv_test1
0

*** BAD ****
I AM GETTING NO ERROR DUE TO THE AC CHECK AND THE PROXY IS ONLY VALID FOR 11 HOURS.

======================================
If I take the --valid off.....the behavior is as before the patch which makes sense.

voms-proxy-info --exists ;echo $?
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo oiv_test1
1

** EXPECTED **

====================================

voms-proxy-info --timeleft ;echo $?
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo oiv_test1
42592
1
*** EXPECTED ***

=========================

rm -f /tmp/x509up_u0
voms-proxy-info --exists ;echo $?

Couldn't find a valid proxy.

1

*** DOES NOT APPEAR TO DO THE AC CHECK *****

env|grep DONT
(I get nothing)
===================
I AM TOTALLY CONFUSED.

Tue May 13 10:30:56 2008 | roy - Correspondence added

Hi John,

This bug is not related to my patch--I've just tested to verify this. I've looked at the code in voms-proxy-info, and I have some idea of what the problem is, but it's not entirely clear in my head yet. It's not exactly related to the bug you previously reported in this ticket, but is a different problem.

At this point, I don't think we can hold up the release for this bug in voms-proxy-info. Do you think it's a show-stopping bug? How quickly do we need to push out a fix for it?

-alain

On May 13, 2008, at 9:21 AM, John Weigand wrote:
> Testing of patch for this. Not everything works as expected. Tested
> both using variable and the --dont-verify-ac option
>
> I am showing all in the order I tested to illustrate.
> Also as you get to the end you will see the variable has no effect
> on the valid option. Something is still very wrong in here.
>
> I have cut/paste the exact order of the tests and variable settings
> I am doing.
>
> If I am doing something wrong, please advise
>
> This is the installation versions
> vdt-version
> You have installed a subset of VDT version 1.10.1:
> Apache HTTPD 2.2.8
> CA Certificates v35 (includes IGTF 1.20 CAs)
> Fetch CRL 2.6.6
> GPT 3.2autotools2004-NMI-9.0
> Java 5 SDK 1.5.0_14
> Logrotate 3.7
> MySQL 4.1.22
> MySQL 5.0.51a
> MySQL Connector/J 5.0.6
> Apache Tomcat 5.5.25
> VOMS 1.8.3
> VOMS Admin 2.0.14-1
>
>
> John Weigand
> ==================================
> voms-proxy-init --voms oiv_test1:/oiv_test1
> Your identity: /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov
> Creating temporary
> proxy ................................................ Done
> Contacting cms-xen3.fnal.gov:15001 [/DC=org/DC=doegrids/OU=Services/
> CN=http/cms-xen3.fnal.gov] "oiv_test1" Done
> Creating proxy ................................................ Done
> Your proxy is valid until Tue May 13 20:58:28 2008
> =====================
> (this works the same as the --dont-verify-ac)
> =====================
> subject : /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov/
> CN=proxy
> issuer : /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov
> identity : /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov
> type : proxy
> strength : 512 bits
> path : /tmp/x509up_u0
> timeleft : 11:58:43
> === VO oiv_test1 extension information ===
> VO : oiv_test1
> subject : /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov
> issuer : /DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov
> attribute : /oiv_test1
> timeleft : 11:58:43
> 0
> **GOOD***
> ===========================
> 0
> **GOOD***
> ===========================
> 42968
> 0
>
> **GOOD***
> ===========================
> 0
>
> *** THE ABOVE SHOULD HAVE FAILED. ***
>
> ============================
>
> unset VOMS_PROXY_INFO_DONT_VERIFY_AC
> voms-proxy-info --exists --valid 20:00 --dont-verify-ac;echo $?
> 0
>
> ***GOOD ***
>
> ==========================
>
> To show that the option does work....
> NOW THIS HAS CONFUSED ME AS THIS USED TO NOT WORK... WITHOUT
> THE OPTION OR VARIABLE SET
> voms-proxy-info --exists --valid 20:00 ;echo $?
> WARNING: Unable to verify signature! Server certificate possibly not
> installed.
> Error: Cannot find certificate of AC issuer for vo oiv_test1
> 0
>
> *** BAD ****
> I AM GETTING NO ERROR DUE TO THE AC CHECK AND THE PROXY IS ONLY
> VALID FOR 11 HOURS.
>
> ======================================
> If I take the --valid off.....the behavior is as before the patch
> which makes sense.
>
> voms-proxy-info --exists ;echo $?
> WARNING: Unable to verify signature! Server certificate possibly not
> installed.
> Error: Cannot find certificate of AC issuer for vo oiv_test1
> 1
>
> ** EXPECTED **
>
> ====================================
>
> voms-proxy-info --timeleft ;echo $?
> WARNING: Unable to verify signature! Server certificate possibly not
> installed.
> Error: Cannot find certificate of AC issuer for vo oiv_test1
> 42592
> 1
> *** EXPECTED ***
>
> =========================
>
> rm -f /tmp/x509up_u0
> voms-proxy-info --exists ;echo $?
>
> Couldn't find a valid proxy.
>
> 1
>
> *** DOES NOT APPEAR TO DO THE AC CHECK *****
>
> env|grep DONT
> (I get nothing)
> ===================
> I AM TOTALLY CONFUSED.

Wed May 14 11:19:34 2008 | roy - Comments added

I made a fix for this. John Weigand tried it out, and my fix appears to be correct. I've submitted the fix to the VOMS developers, and attached it as a patch here.

https://savannah.cern.ch/bugs/?36573

At this point, we need to patch VOMS in the VDT and release an update. It needs to happen relatively soon, because it's important for USCMS.

This should be a fairly straightforward update. In theory, we only need to update the VOMS-Client package, and not the others. I don't know if it's easier to do that, or easier to update them all.

I'm assigning this ticket to Tim since I'll be on vacation the next two weeks.

Message body not shown because it is too large or is not plain text.

Wed May 14 11:39:44 2008 | roy - Comments added

One more note on this: when we have this in a test cache, we should tell John Weigand about it, and he can try it out and make sure it's good. It's good at ferreting out problems, and he should get a chance to do so before we release.

We should give him instruction on how to install the VOMS-Client from the cache as part of our email to him. He usually installs from OSG caches, which won't have our test cache, of course.

Thu May 15 11:34:03 2008 | cat - Stolen from roy

Mon May 19 09:49:24 2008 | cat - Comments added

Commit comment: Added latest patch from Alain and rebuilt.

Changed files:
U vdt/branches/vdt-1.10.1/VOMS/nmi/glue.in
U vdt/branches/vdt-1.10.1/VOMS/nmi/nmi-remote-task.pl
A vdt/branches/vdt-1.10.1/VOMS/nmi/vpi_rc.patch
U vdt/branches/vdt-1.10.1/defs

To generate a diff:
svn diff -c 7747 file:///p/vdt/workspace/svn

Mon May 19 11:35:47 2008 | cat - Correspondence added

John:

On 13 May 2008, you wrote:

> Testing of patch for this. Not everything works as expected. Tested both
> using variable and the --dont-verify-ac option
> I am showing all in the order I tested to illustrate. Also as you get to the
> end you will see the variable has no effect on the valid option. Something is
> still very wrong in here.

And then Alain replied:

> This bug is not related to my patch--I've just tested to verify this. I've
> looked at the code in voms-proxy-info, and I have some idea of what the
> problem is, but it's not entirely clear in my head yet. It's not exactly
> related to the bug you previously reported in this ticket, but is a different
> problem.

Eventually, Alain created yet another patch to our VOMS build to fix this problem. I believe he and Vincenzo agree that it is safe, etc. I have added his patch to our VOMS build and so I have a new version of voms-proxy-info for you to try out. You can get the newly patched VOMS from our test cache:

http://vdt.cs.wisc.edu/vdt_11099_cache

Let me know if I can be of any further assistance.

-- Tim

Mon May 19 13:04:49 2008 | weigand@fnal.gov - Correspondence added

Fix appears to be good.

VOMS was installed from: http://vdt.cs.wisc.edu/vdt_11099_cache:VOMS

The results of the testing follow.

John Weigand
----------------------------------------------------------
#------------------------------------------------
Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
# Testing voms-proxy-init using personal certificate
#------------------------------------------------
Creating temporary proxy ...................................... Done
Contacting cms-xen3.fnal.gov:15001 [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1" Done
Creating proxy ...................................... Done
Your proxy is valid until Tue May 20 00:52:24 2008

+++ Setting variable +++
VOMS_PROXY_INFO_DONT_VERIFY_AC=anytjhing
------------------------------------
---- args = --all
---- expected rtn: 0
...running: voms-proxy-info --all
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491/CN=proxy
issuer : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
identity : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
type : proxy
strength : 512 bits
path : /tmp/x509up_u9789
timeleft : 12:00:00
=== VO oiv_test1 extension information ===
VO : oiv_test1
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
issuer : /DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov
attribute : /oiv_test1
attribute : /oiv_test1/group-1
attribute : /oiv_test1/group-1/group-1-1
attribute : /oiv_test1/group-2
timeleft : 12:00:00
Return code: 0
** GOOD ***
------------------------------------
---- args = --timeleft
---- expected rtn: 0
...running: voms-proxy-info --timeleft
43195
Return code: 0
** GOOD ***
------------------------------------
---- args = --exists
---- expected rtn: 0
...running: voms-proxy-info --exists
Return code: 0
** GOOD ***
------------------------------------
---- args = --exists --valid 20:00
---- expected rtn: 1
...running: voms-proxy-info --exists --valid 20:00
Return code: 1
** GOOD ***
------------------------------------
---- args = --exists --valid 01:00
---- expected rtn: 0
...running: voms-proxy-info --exists --valid 01:00
Return code: 0
** GOOD ***
... removing proxy (/tmp/x509up_u9789)
------------------------------------
---- args = --exists
---- expected rtn: 1
...running: voms-proxy-info --exists
Couldn't find a valid proxy.
Return code: 1
** GOOD ***
... restoring proxy

++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ Unseting the variable and using the option +++++
unset VOMS_PROXY_INFO_DONT_VERIFY_AC
------------------------------------
---- args = --all -dont-verify-ac
---- expected rtn: 0
...running: voms-proxy-info --all -dont-verify-ac
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491/CN=proxy
issuer : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
identity : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
type : proxy
strength : 512 bits
path : /tmp/x509up_u9789
timeleft : 11:59:30
=== VO oiv_test1 extension information ===
VO : oiv_test1
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
issuer : /DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov
attribute : /oiv_test1
attribute : /oiv_test1/group-1
attribute : /oiv_test1/group-1/group-1-1
attribute : /oiv_test1/group-2
timeleft : 11:59:30
Return code: 0
** GOOD ***
------------------------------------
---- args = --timeleft -dont-verify-ac
---- expected rtn: 0
...running: voms-proxy-info --timeleft -dont-verify-ac
43165
Return code: 0
** GOOD ***
------------------------------------
---- args = --exists -dont-verify-ac
---- expected rtn: 0
...running: voms-proxy-info --exists -dont-verify-ac
Return code: 0
** GOOD ***
------------------------------------
---- args = --exists --valid 20:00 -dont-verify-ac
---- expected rtn: 1
...running: voms-proxy-info --exists --valid 20:00 -dont-verify-ac
Return code: 1
** GOOD ***
------------------------------------
---- args = --exists --valid 01:00 -dont-verify-ac
---- expected rtn: 0
...running: voms-proxy-info --exists --valid 01:00 -dont-verify-ac
Return code: 0
** GOOD ***
... removing proxy (/tmp/x509up_u9789)
------------------------------------
---- args = --exists -dont-verify-ac
---- expected rtn: 1
...running: voms-proxy-info --exists -dont-verify-ac
Couldn't find a valid proxy.
Return code: 1
** GOOD ***
... restoring proxy

++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++ No option/no variable set +++++
To show that the option does work.... It is check for the AC which does not exist
------------------------------------
---- args = --all
---- expected rtn: 1
...running: voms-proxy-info --all
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo oiv_test1
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491/CN=proxy
issuer : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
identity : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
type : proxy
strength : 512 bits
path : /tmp/x509up_u9789
timeleft : 11:59:00
=== VO oiv_test1 extension information ===
VO : oiv_test1
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
issuer : /DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov
attribute : /oiv_test1
attribute : /oiv_test1/group-1
attribute : /oiv_test1/group-1/group-1-1
attribute : /oiv_test1/group-2
timeleft : 11:59:00
Return code: 1
** GOOD ***
------------------------------------
---- args = --timeleft
---- expected rtn: 1
...running: voms-proxy-info --timeleft
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo oiv_test1
43135
Return code: 1
** GOOD ***
------------------------------------
---- args = --exists
---- expected rtn: 1
...running: voms-proxy-info --exists
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo oiv_test1
Return code: 1
** GOOD ***
------------------------------------
---- args = --exists --valid 20:00
---- expected rtn: 1
...running: voms-proxy-info --exists --valid 20:00
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo oiv_test1
Return code: 1
** GOOD ***
------------------------------------
---- args = --exists --valid 01:00
---- expected rtn: 1
...running: voms-proxy-info --exists --valid 01:00
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo oiv_test1
Return code: 1
** GOOD ***
... removing proxy (/tmp/x509up_u9789)
------------------------------------
---- args = --exists
---- expected rtn: 1
...running: voms-proxy-info --exists
Couldn't find a valid proxy.
Return code: 1
** GOOD ***
... restoring proxy
DONE
| # | Mon May 19 18:03:00 2008 | weigand@fnal.gov - Correspondence added |
Fix appears to be good.
VOMS was installed from:
http://vdt.cs.wisc.edu/vdt_11099_cache:VOMS

The results of the testing follow.

John Weigand
----------------------------------------------------------
#------------------------------------------------
Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
# Testing voms-proxy-init using personal certificate
#------------------------------------------------
Creating temporary proxy ...................................... Done
Contacting cms-xen3.fnal.gov:15001 [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1" Done
Creating proxy ...................................... Done
Your proxy is valid until Tue May 20 00:52:24 2008
+++ Setting variable +++
VOMS_PROXY_INFO_DONT_VERIFY_AC=anytjhing
------------------------------------
---- args = --all
---- expected rtn: 0
...running: voms-proxy-info --all
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491/CN=proxy
issuer : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
identity : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
type : proxy
strength : 512 bits
path : /tmp/x509up_u9789
timeleft : 12:00:00
=== VO oiv_test1 extension information ===
VO : oiv_test1
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
issuer : /DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov
attribute : /oiv_test1
attribute : /oiv_test1/group-1
attribute : /oiv_test1/group-1/group-1-1
attribute : /oiv_test1/group-2
timeleft : 12:00:00
Return code: 0
** GOOD ***
------------------------------------
---- args = --timeleft
---- expected rtn: 0
...running: voms-proxy-info --timeleft
43195
Return code: 0
** GOOD ***
------------------------------------
---- args = --exists
---- expected rtn: 0
...running: voms-proxy-info --exists
Return code: 0
** GOOD ***
------------------------------------
---- args = --exists --valid 20:00
---- expected rtn: 1
...running: voms-proxy-info --exists --valid 20:00
Return code: 1
** GOOD ***
------------------------------------
---- args = --exists --valid 01:00
---- expected rtn: 0
...running: voms-proxy-info --exists --valid 01:00
Return code: 0
** GOOD ***
... removing proxy (/tmp/x509up_u9789)
------------------------------------
---- args = --exists
---- expected rtn: 1
...running: voms-proxy-info --exists
Couldn't find a valid proxy.
Return code: 1
** GOOD ***
... restoring proxy
++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ Unseting the variable and using the option +++++
unset VOMS_PROXY_INFO_DONT_VERIFY_AC
------------------------------------
---- args = --all -dont-verify-ac
---- expected rtn: 0
...running: voms-proxy-info --all -dont-verify-ac
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491/CN=proxy
issuer : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
identity : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
type : proxy
strength : 512 bits
path : /tmp/x509up_u9789
timeleft : 11:59:30
=== VO oiv_test1 extension information ===
VO : oiv_test1
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
issuer : /DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov
attribute : /oiv_test1
attribute : /oiv_test1/group-1
attribute : /oiv_test1/group-1/group-1-1
attribute : /oiv_test1/group-2
timeleft : 11:59:30
Return code: 0
** GOOD ***
------------------------------------
---- args = --timeleft -dont-verify-ac
---- expected rtn: 0
...running: voms-proxy-info --timeleft -dont-verify-ac
43165
Return code: 0
** GOOD ***
------------------------------------
---- args = --exists -dont-verify-ac
---- expected rtn: 0
...running: voms-proxy-info --exists -dont-verify-ac
Return code: 0
** GOOD ***
------------------------------------
---- args = --exists --valid 20:00 -dont-verify-ac
---- expected rtn: 1
...running: voms-proxy-info --exists --valid 20:00 -dont-verify-ac
Return code: 1
** GOOD ***
------------------------------------
---- args = --exists --valid 01:00 -dont-verify-ac
---- expected rtn: 0
...running: voms-proxy-info --exists --valid 01:00 -dont-verify-ac
Return code: 0
** GOOD ***
... removing proxy (/tmp/x509up_u9789)
------------------------------------
---- args = --exists -dont-verify-ac
---- expected rtn: 1
...running: voms-proxy-info --exists -dont-verify-ac
Couldn't find a valid proxy.
Return code: 1
** GOOD ***
... restoring proxy
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++ No option/no variable set +++++
To show that the option does work.... It is check for the AC which does not exist
------------------------------------
---- args = --all
---- expected rtn: 1
...running: voms-proxy-info --all
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo oiv_test1
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491/CN=proxy
issuer : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
identity : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
type : proxy
strength : 512 bits
path : /tmp/x509up_u9789
timeleft : 11:59:00
=== VO oiv_test1 extension information ===
VO : oiv_test1
subject : /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491
issuer : /DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov
attribute : /oiv_test1
attribute : /oiv_test1/group-1
attribute : /oiv_test1/group-1/group-1-1
attribute : /oiv_test1/group-2
timeleft : 11:59:00
Return code: 1
** GOOD ***
------------------------------------
---- args = --timeleft
---- expected rtn: 1
...running: voms-proxy-info --timeleft
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo oiv_test1
43135
Return code: 1
** GOOD ***
------------------------------------
---- args = --exists
---- expected rtn: 1
...running: voms-proxy-info --exists
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo oiv_test1
Return code: 1
** GOOD ***
------------------------------------
---- args = --exists --valid 20:00
---- expected rtn: 1
...running: voms-proxy-info --exists --valid 20:00
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo oiv_test1
Return code: 1
** GOOD ***
------------------------------------
---- args = --exists --valid 01:00
---- expected rtn: 1
...running: voms-proxy-info --exists --valid 01:00
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: Cannot find certificate of AC issuer for vo oiv_test1
Return code: 1
** GOOD ***
... removing proxy (/tmp/x509up_u9789)
------------------------------------
---- args = --exists
---- expected rtn: 1
...running: voms-proxy-info --exists
Couldn't find a valid proxy.
Return code: 1
** GOOD ***
... restoring proxy
DONE
| # | Wed May 21 15:36:36 2008 | cat - Status changed from 'open' to 'resolved' |
| # | Wed May 21 15:36:59 2008 | cat - Fixed in 1.10.1a added |