Bug 6186 - Authorized upstream registrants in core vs mds_index bug
Status: RESOLVED FIXED
Product: Java WS Security
Component: Authorization
Version: 4.0.4
Platform: All All
Importance: P2 normal
: Teragrid
Reported: 2008-06-25 17:09
Modified: 2008-12-19 16:18



Description From 2008-06-25 17:09:18
On the TeraGrid we need to authorize downstream MDS4 services to register
upstream.

If in the upstream etc/globus_wsrf_mds_index/server-config.wsdd under
DefaultIndexService we configure a securityDescriptor file, and in that file we
configure <authz value="gridmap"/> pointing to a gridmap-file of authorized
downstream MDS4 services, the downstreams CAN'T register.

If however we point to the same gridmap-file from
globus_wsrf_core/global_security_descriptor.xml the downstreams are able to
register.

This seems like a bug since it should be possible to authorize
DefaultIndexService registrations within the MDS4 service without resorting to
the container-wide globus_wsrf_core/global_security_descriptor.xml.
------- Comment #1 From 2008-10-31 14:44:39 -------
This problem originally affected "add resource properties". We've now seen this
same problem with "query resource properties". The Index Service's
securityConfig isn't authorizing as expected, but the global security
descriptor is.
------- Comment #2 From 2008-11-05 10:59:11 -------
I think this is essentially the same bug as 5666, but I'm not marking it as a
duplicate because there's additional information here.

JP -- if you could attach a copy of the index service security descriptor file,
that would probably be helpful.
------- Comment #3 From 2008-11-05 11:19:45 -------
All 3 users in the secure-index.grid-mapfile below were not able to query this
service until their DNs were added to the grid-mapfile pointed to by
globus_wsrf_core/global_security_descriptor.xml.

From etc/globus_wsrf_mds_index/server-config.wsdd:
    <service name="SecureIndexServiceEntry" provider="Handler"
        use="literal" style="document">
        <parameter name="providers"
                   value="GetRPProvider
                          GetMRPProvider
                          QueryRPProvider
                          SetTerminationTimeProvider"/>
        <parameter name="handlerClass"
                   value="org.globus.axis.providers.RPCProvider"/>
        <parameter name="scope" value="Application"/>
        <parameter name="allowedMethods" value="*"/>
        <parameter name="className"
                   value="org.globus.mds.index.impl.IndexEntryService"/>
        <!-- TERAGRID CONFIG BEGIN -->
        <parameter name="loadOnStartup" value="true"/>
        <!-- TERAGRID CONFIG END -->
        <wsdlFile>share/schema/mds/index/index_entry_service.wsdl</wsdlFile>
    </service>

    <service name="SecureIndexService" provider="Handler"
        use="literal" style="document">
        <parameter name="providers"
                   value="org.globus.wsrf.impl.servicegroup.ServiceGroupRegistrationProvider
                          org.globus.mds.usefulrp.rpprovider.ResourcePropertyProviderCollection
                          GetRPProvider
                          GetMRPProvider
                          QueryRPProvider
                          DestroyProvider
                          SetTerminationTimeProvider
                          SubscribeProvider
                          GetCurrentMessageProvider"/>

        <parameter name="handlerClass"
                   value="org.globus.axis.providers.RPCProvider"/>
        <parameter name="scope" value="Application"/>
        <parameter name="allowedMethods" value="*"/>
        <!-- TERAGRID CONFIG BEGIN -->
        <parameter name="rpProviderConfigFile"
                   value="etc/globus_wsrf_mds_usefulrp/secure-rp-provider-config.xml"/>
        <parameter name="securityDescriptor"
                   value="etc/globus_wsrf_mds_index/secure-index-security-config.xml"/>
        <!-- TERAGRID CONFIG END -->
        <parameter name="className"
                   value="org.globus.mds.index.impl.DefaultIndexService"/>
        <wsdlFile>share/schema/mds/index/index_service.wsdl</wsdlFile>
    </service>

From etc/globus_wsrf_mds_index/secure-index-security-config.xml:
    <securityConfig xmlns="http://www.globus.org">
      <auth-method>
        <GSISecureMessage/>
        <GSISecureConversation/>
        <GSITransport/>
      </auth-method>
      <authz value="gridmap"/>
      <gridmap
        value="/soft/globus-mds-widewsrf-4.0.5-r1/etc/globus_wsrf_mds_index/secure-index.grid-mapfile"/>
    </securityConfig>

Selected contents of etc/globus_wsrf_mds_index/secure-index.grid-mapfile:
"/DC=org/DC=doegrids/OU=People/CN=Charles Bacon 332900" nobody
"/DC=org/DC=doegrids/OU=People/CN=Eric Blau 216112" nobody
"/DC=org/DC=doegrids/OU=People/CN=John-Paul Navarro 907682" nobody
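
A diagnostic sketch for the configuration quoted above (added here; not part of the original comment or of the Globus Toolkit): it reads the securityDescriptor set on a WSDD service, extracts the authz and gridmap settings from that descriptor, and lists the DNs that appear in the service grid-mapfile but not in the container-wide one, which are the identities the behaviour reported in this bug would turn away. The function names, the sample file contents and the DNs are all constructed for illustration.

```python
import shlex
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip an XML namespace so WSDD and securityConfig parse alike."""
    return tag.rsplit("}", 1)[-1]

def security_descriptor(wsdd_xml, service):
    """Return the securityDescriptor path set on one <service>, or None."""
    for svc in ET.fromstring(wsdd_xml).iter():
        if _local(svc.tag) == "service" and svc.get("name") == service:
            return next((p.get("value") for p in svc
                         if p.get("name") == "securityDescriptor"), None)
    return None

def authz_settings(descriptor_xml):
    """Return (authz value, gridmap path) from a securityConfig document."""
    found = {_local(e.tag): e.get("value") for e in ET.fromstring(descriptor_xml)}
    return found.get("authz"), found.get("gridmap")

def parse_gridmap(text):
    """Map each quoted DN to its local accounts; '#' starts a comment."""
    entries = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 2:
            entries[fields[0]] = fields[1].split(",")
    return entries

def service_only_dns(service_map, global_map):
    """DNs the service gridmap lists but the container-wide gridmap lacks."""
    return sorted(set(service_map) - set(global_map))

# Constructed sample inputs modelled on the files quoted in the comment above.
WSDD = ('<deployment xmlns="http://xml.apache.org/axis/wsdd/"><service name="SecureIndexService">'
        '<parameter name="securityDescriptor"'
        ' value="etc/globus_wsrf_mds_index/secure-index-security-config.xml"/></service></deployment>')
DESCRIPTOR = ('<securityConfig xmlns="http://www.globus.org"><auth-method><GSITransport/></auth-method>'
              '<authz value="gridmap"/>'
              '<gridmap value="etc/globus_wsrf_mds_index/secure-index.grid-mapfile"/></securityConfig>')
SERVICE_GRIDMAP = '''# downstream MDS4 services (constructed DNs)
"/DC=org/DC=example/OU=Services/CN=index/a.example.org" nobody
"/DC=org/DC=example/OU=People/CN=Alice Example 1" nobody
'''
GLOBAL_GRIDMAP = '"/DC=org/DC=example/OU=People/CN=Alice Example 1" alice\n'

if __name__ == "__main__":
    print(security_descriptor(WSDD, "SecureIndexService"), authz_settings(DESCRIPTOR))
    print(service_only_dns(parse_gridmap(SERVICE_GRIDMAP), parse_gridmap(GLOBAL_GRIDMAP)))
```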
------- Comment #4 From 2008-11-06 15:25:51 -------
Can you please provide logs with the following enabled in
container-log4j.properties:

log4j.category.org.globus.security.gridmap=DEBUG
log4j.category.org.globus.wsrf.impl.security.descriptor=DEBUG
log4j.category.org.globus.wsrf.impl.security.authorization=DEBUG
------- Comment #5 From 2008-11-10 14:25:21 -------
This is a duplicate of http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6054.
The bug fix made it into GT 4.0.8 only, but an advisory was published as
mentioned in that bug.

I'll leave the bug open until I hear that the advisory solved the issue.
------- Comment #6 From 2008-12-04 13:01:17 -------
Was this issue tested with the advisory applied? Any updates? Thanks!
------- Comment #7 From 2008-12-19 16:18:58 -------
Confirming that our testing shows this bug is fixed in GT 4.0.8. Thanks!