6186 2008-06-25 17:09 Authorized upstream registrants in core vs mds_index bug 2008-12-19 16:18:58 1 1 1 Unclassified Java WS Security Authorization 4.0.4 All All RESOLVED FIXED Teragrid P2 normal --- 1 navarro@mcs.anl.gov ranantha@mcs.anl.gov blau@mcs.anl.gov laura@isi.edu mdarcy@isi.edu navarro@mcs.anl.gov neillm@mcs.anl.gov navarro@mcs.anl.gov 2008-06-25 17:09:18 On the TeraGrid we need to authorize downstream MDS4 services to register upstream. If in the upstream etc/globus_wsrf_mds_index/server-config.wsdd under DefaultIndexService we configure a securityDescriptor file, and in that file we configure <authz value="gridmap"/> pointing to a gridmap-file of authorized downstream MDS4 services, the downstreams CAN'T register. If however we point to the same gridmap-file from globus_wsrf_core/global_security_descriptor.xml the downstreams are able to register. This seems like a bug since it should be possible to authorize DefaultIndexService registrations within the MDS4 service without resorting to the container wide globus_wsrf_core/global_security_descriptor.xml. navarro@mcs.anl.gov 2008-10-31 14:44:39 This problem originally affected "add resource properties". We've now seen this same problem with "query resource properties". The Index Service's securityConfig isn't authorizing as expected, but the global security descriptor is. laura@isi.edu 2008-11-05 10:59:11 I think this is essentially the same bug as 5666, but I'm not marking it as a duplicate because there's additional information here. JP -- if you could attach a copy of the index service security descriptor file, that would probably be helpful. navarro@mcs.anl.gov 2008-11-05 11:19:45 All 3 users in the secure-index.grid-mapfile below were not able to query this service until their DNs were added to the grid-mapfile pointed to by globus_wsrf_core/global_security_descriptor.xml. From etc/globus_wsrf_mds_index/server-config.wsdd: <service name="SecureIndexServiceEntry" provider="Handler" use="literal" style="document"> <parameter name="providers" value="GetRPProvider GetMRPProvider QueryRPProvider SetTerminationTimeProvider"/> <parameter name="handlerClass" value="org.globus.axis.providers.RPCProvider"/> <parameter name="scope" value="Application"/> <parameter name="allowedMethods" value="*"/> <parameter name="className" value="org.globus.mds.index.impl.IndexEntryService"/> <!-- TERAGRID CONFIG BEGIN --> <parameter name="loadOnStartup" value="true"/> <!-- TERAGRID CONFIG END --> <wsdlFile>share/schema/mds/index/index_entry_service.wsdl</wsdlFile> </service> <service name="SecureIndexService" provider="Handler" use="literal" style="document"> <parameter name="providers" value="org.globus.wsrf.impl.servicegroup.ServiceGroupRegistrationProvider org.globus.mds.usefulrp.rpprovider.ResourcePropertyProviderCollection GetRPProvider GetMRPProvider QueryRPProvider DestroyProvider SetTerminationTimeProvider SubscribeProvider GetCurrentMessageProvider"/> <parameter name="handlerClass" value="org.globus.axis.providers.RPCProvider"/> <parameter name="scope" value="Application"/> <parameter name="allowedMethods" value="*"/> <!-- TERAGRID CONFIG BEGIN --> <parameter name="rpProviderConfigFile" value="etc/globus_wsrf_mds_usefulrp/secure-rp-provider-config.xml"/> <parameter name="securityDescriptor" value="etc/globus_wsrf_mds_index/secure-index-security-config.xml"/> <!-- TERAGRID CONFIG END --> <parameter name="className" value="org.globus.mds.index.impl.DefaultIndexService"/> <wsdlFile>share/schema/mds/index/index_service.wsdl</wsdlFile> </service> From etc/globus_wsrf_mds_index/secure-index-security-config.xml <securityConfig xmlns="http://www.globus.org"> <auth-method> <GSISecureMessage/> <GSISecureConversation/> <GSITransport/> </auth-method> <authz value="gridmap"/> <gridmap value="/soft/globus-mds-widewsrf-4.0.5-r1/etc/globus_wsrf_mds_index/secure-index.grid-mapfile"/> </securityConfig> Selected contents of etc/globus_wsrf_mds_index/secure-index.grid-mapfile: "/DC=org/DC=doegrids/OU=People/CN=Charles Bacon 332900" nobody "/DC=org/DC=doegrids/OU=People/CN=Eric Blau 216112" nobody "/DC=org/DC=doegrids/OU=People/CN=John-Paul Navarro 907682" nobody ranantha@mcs.anl.gov 2008-11-06 15:25:51 Can you please provide logs with following enabled in container-log4j.properties log4j.category.org.globus.security.gridmap=DEBUG log4j.category.org.globus.wsrf.impl.security.descriptor=DEBUG log4j.category.org.globus.wsrf.impl.security.authorization=DEBUG ranantha@mcs.anl.gov 2008-11-10 14:25:21 This is duplicate of http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6054. The bug fix made it into GT 4.0.8 only, but an advisory was published as mentioned in that bug. I'll leave the bug open until I hear that the advisory solved the issue. ranantha@mcs.anl.gov 2008-12-04 13:01:17 Was this issue tested with the advisory applied? Any updates? Thanks! navarro@mcs.anl.gov 2008-12-19 16:18:58 Confirming that our testing shows this bug is fixed in GT 4.0.8. Thanks!