buggLite Middleware - Bugs: bug #37563, Globus proxy chain length limit...

 
 
Show feedback again

You are not allowed to post comments on this tracker with your current authentication level.

bug #37563: Globus proxy chain length limit too low

Submitted by:  Maarten Litmaath <maart>
Submitted on:  2008-06-06 14:18  
 
Status: Ready for ReviewOpen/Closed: Closed
Category: VDTSeverity: 5 - Major
Baseline Release (where bug has been observed): gLite 3.1Release (where bug fix will be available: EMI 1, EMI 2, EMI 3, All): 
OS: allArchitecture: all
Bug detection area: ProductionAssigned to: EGEE JRA1 Test Team <egeetest>
Privacy: PublicPriority: Medium
Associated Test: None
GGUS reference URL: 
Component tag(s): 
Subsystem tag(s): 
Build environment: None

2009-04-06 15:24, comment #4:

***
This bug has been automatically closed as it has been inactive in the
'Ready for Review' state for too long. If the issue is still relevant,
please reopen the bug with a comment explaining the situation.
***

Savannah WatchDog <savannahwatchdog>
Project Member
2008-06-06 16:39, comment #3:

A VDT ticket has been opened:

http://vdt.cs.wisc.edu/rt/Ticket/Di...

We have asked for the Globus patch to be backported to VDT 1.6.

The relation to the power cut seems to have been a red herring.

Maarten Litmaath <maart>
Project Administrator
2008-06-06 14:24, comment #2:

Was there any influence from the powercut or was that just luck?

Steve Traylen <straylen>
2008-06-06 14:23, comment #1:

I have a feeling that there's at least one other bug on something similar, although possibly on the total size of the proxy rather than the number of items.

Stephen Burke <sburke>
Project Member
2008-06-06 14:18, original submission:

LHCb found that jobs submitted via their DIRAC system e.g. by their
French users can easily abort due to the length of the proxy chain.

The DIRAC system uses MyProxy to renew user proxies as needed.
Such a renewed proxy always has 3 delegations ("/CN=proxy") added
to the certificate subject (that is how MyProxy works).

Next it dresses the plain grid proxy with the VOMS extensions that
are needed for the user's jobs, which adds another delegation.

On job submission to the grid the resulting proxy gets delegated to
the RB or WMS, which in turn delegates it to the CE.

By this time there have been 3 + 1 + 1 + 1 = 6 delegations added to
the certificate subject, so the user part of the chain has a length
of 7.

The Globus OpenSSL code provided by VDT 1.6 and earlier restricts
the total chain length to a maximum of 9.

In the LHCb scenario that leaves a maximum of 2 subjects related
to the CA that signed the certificate. Unfortunately there are
CAs that add 3 subjects, e.g. the French CA.

Furthermore, even if the CA only adds 2 subjects, the proxy chain
is at the limit, making further delegations (e.g. to SRM or FTS)
impossible.

It seems fairly urgent that this restriction be removed.
The Globus trunk has been fixed in June last year:

http://bugzilla.globus.org/globus/s...

This means that VDT 1.10 most probably contains the fix.
Alternatively we could have the same patch applied to VDT 1.6.

Maarten Litmaath <maart>
Project Administrator

 

No files currently attached

 

Depends on the following items: None found

Digest:
   patch dependencies.

 

Carbon-Copy List
  • -unavailable- added by savannahwatchdog (Posted a comment)
  • -unavailable- added by dqing (Updated the item)
  • -unavailable- added by sgaravat
  • -unavailable- added by straylen (Posted a comment)
  • -unavailable- added by sburke (Posted a comment)
  • -unavailable- added by sburke
  • -unavailable- added by maart (Submitted the item)
  • -unavailable- added by maart
  • -unavailable- added by maart
  • -unavailable- added by maart
  •  

     

     

    Follow 14 latest changes.

    Date Changed By Updated Field Previous Value => Replaced By
    2009-04-06 15:24savannahwatchdogOpen/ClosedOpen=>Closed
      Closed on2009-04-06 15:24=>2009-04-06 15:24
    2008-08-06 13:37dqingStatusReady for Test=>Ready for Review
    2008-08-06 13:37dqingStatusIntegration Candidate=>Ready for Test
      Assigned to-Automatic update due to transitions settings-=>egeetest
    2008-08-06 13:37dqingStatusIn progress=>Integration Candidate
    2008-08-06 13:37dqingStatusAccepted=>In progress
    2008-07-18 11:55sgaravatCarbon-Copy-=>Added -unavailable-
    2008-06-06 16:39maartStatusNone=>Accepted
      Assigned toNone=>okeeble
    2008-06-06 14:23sburkeCarbon-Copy-=>Added sburke
    2008-06-06 14:18maartCarbon-Copy-=>Added -unavailable-
      Carbon-Copy-=>Added -unavailable-
      Carbon-Copy-=>Added -unavailable-
    Show feedback again

    Back to the top


    Powered by Savane SVN (toward 3.1)