Difference between revisions of "Proxy file handling in gLExec"
Line 43: | Line 43: | ||
* Must be set before calling gLExec. | * Must be set before calling gLExec. | ||
− | === Troubleshooting hints === | + | === Troubleshooting hints: using Argus === |
When this environment variable is not available or when the given path is not readable by gLExec the following error messages will occur in the gLExec log indicating a problem with LCMAPS plug-in's input, in particular the absence of a usable X509_USER_PROXY: | When this environment variable is not available or when the given path is not readable by gLExec the following error messages will occur in the gLExec log indicating a problem with LCMAPS plug-in's input, in particular the absence of a usable X509_USER_PROXY: | ||
− | |||
− | |||
lcmaps.mod-startPluginManager(): error initializing plugin: /opt/glite/lib64/modules/lcmaps_c_pep.mod | lcmaps.mod-startPluginManager(): error initializing plugin: /opt/glite/lib64/modules/lcmaps_c_pep.mod | ||
Line 53: | Line 51: | ||
Initialization of LCMAPS failed. Please check in syslog or the logfile for LCMAPS (when able to be opened) for more details | Initialization of LCMAPS failed. Please check in syslog or the logfile for LCMAPS (when able to be opened) for more details | ||
− | On the shell the exit code of gLExec will signal a 202 | + | On the shell the exit code of gLExec will signal a 202. This indicates a system level error only resolvable by the System Administrator. This is not a true statement and a known bug in the LCMAPS plug-in C-PEP which will be resolved in the new release and changed to a 203 (authorization failed) error. For more information on the gLExec exit code, please visit: [[Exit codes of gLExec]] |
+ | |||
+ | === Troubleshooting hints: using SCAS === | ||
− | + | When this environment variable is not available or when the given path is not readable by gLExec the following error messages will occur in the gLExec log indicating a problem with LCMAPS plug-in's input, in particular the absence of a usable X509_USER_PROXY: | |
lcmaps_plugin_scas_client-plugin_run(): No client side credentials for SSL handshake to the SCAS service presented. | lcmaps_plugin_scas_client-plugin_run(): No client side credentials for SSL handshake to the SCAS service presented. | ||
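Review bot: in the added Argus sentence about exit code 202, "This is not a true statement and a known bug" has no clear referent, so a reader cannot tell whether the 202 itself or its "system level error" description is wrong. Suggest stating directly that 202 is reported in error because of a known bug in the LCMAPS C-PEP plug-in and that 203 (authorization failed) is the intended code. "The new release" also names no version, so the note will go stale; give the version once it is known. The introductory paragraph added under "using SCAS" repeats the Argus paragraph word for word and could say which plug-in's input is meant.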
Line 62: | Line 62: | ||
lcmaps_plugin_scas_client-plugin_run(): scas client plugin failed | lcmaps_plugin_scas_client-plugin_run(): scas client plugin failed | ||
− | + | On the shell the exit code of gLExec will signal a 203. This indicates an authorization failure. For more information on the gLExec exit code, please visit: [[Exit codes of gLExec]] | |
− | For more information on the gLExec exit code, please visit: [[Exit codes of gLExec]] | ||
== GLEXEC_SOURCE_PROXY == | == GLEXEC_SOURCE_PROXY == |
Revision as of 16:08, 7 February 2010
gLExec reads four environment variables. This section explains, pragmatically, what each one does so that you can work with them.
The environment variables of interest are:
- GLEXEC_CLIENT_CERT
- GLEXEC_SOURCE_PROXY
- GLEXEC_TARGET_PROXY
- X509_USER_PROXY
GLEXEC_CLIENT_CERT
gLExec needs a (proxy) certificate as input to know who to authorize and to which account you must be mapped. The mapping and authorization decision will be based primarily on this file.
The GLEXEC_CLIENT_CERT
- Contains a file path from the root to the file. Note: "/dir/subdir/../subdir2/proxy" is allowed.
- Must contain a public and private key pair in this one file.
- Must be readable by the user account calling gLExec.
- The variable must be visible to gLExec so that it can read it.
  - Typically that means exporting it in the current shell.
- Must be set before calling gLExec.
Troubleshooting hints
When this environment variable is not available, or when the given path is not readable by gLExec, the following error messages appear in the gLExec log. They indicate a problem with gLExec's input, in particular the absence of a usable GLEXEC_CLIENT_CERT:

    glexec[10301]: LCAS authorization request
    glexec[10301]: lcas.mod-lcas_run_va(): Cannot find certificate chain in pem string(failure)
    glexec[10301]: lcas.mod-lcas_run_va(): failed

As a result of not being able to present tokens to be authorized, the gLExec tool will exit with a 203 exit code. This indicates that the authorization of the user has failed. For more information on the gLExec exit code, please visit: Exit codes of gLExec
X509_USER_PROXY (as input)
The X509_USER_PROXY passes through gLExec to the SCAS client or Argus client LCMAPS plug-ins. In a Multi User Pilot Job (MUPJ) environment this proxy is owned by the Pilot Job Framework Production Manager, a.k.a. the Pilot User.
For the interaction with a site-central authorization service, these credentials are used to contact the service. The credentials will be used in the policy decision at the service, but for the SCAS interaction this identity (by its VOMS credentials, for instance) must be whitelisted to be able to interact with the service. The X509_USER_PROXY is used to set up the mutually authenticated secure channel to the authorization service.
The X509_USER_PROXY
- Contains a file path from the root to the file. Note: "/dir/subdir/../subdir2/proxy" is allowed.
- Must contain a public and private key pair in this one file.
- Must be readable by the user account calling gLExec.
- The variable must be visible to gLExec so that it can read it.
  - Typically that means exporting it in the current shell.
- Must be set before calling gLExec.
Troubleshooting hints: using Argus
When this environment variable is not available, or when the given path is not readable by gLExec, the following error messages appear in the gLExec log. They indicate a problem with the LCMAPS plug-in's input, in particular the absence of a usable X509_USER_PROXY:

    lcmaps.mod-startPluginManager(): error initializing plugin: /opt/glite/lib64/modules/lcmaps_c_pep.mod
    lcmaps.mod-lcmaps_init() error: could not start plugin manager
    Initialization of LCMAPS failed. Please check in syslog or the logfile for LCMAPS (when able to be opened) for more details

On the shell, gLExec will exit with code 202. That code indicates a system-level error that only the system administrator can resolve. In this case that is not accurate: it is a known bug in the LCMAPS C-PEP plug-in, which will be resolved in the new release and changed to a 203 (authorization failed) error. For more information on the gLExec exit code, please visit: Exit codes of gLExec
Troubleshooting hints: using SCAS
When this environment variable is not available, or when the given path is not readable by gLExec, the following error messages appear in the gLExec log. They indicate a problem with the LCMAPS plug-in's input, in particular the absence of a usable X509_USER_PROXY:

    lcmaps_plugin_scas_client-plugin_run(): No client side credentials for SSL handshake to the SCAS service presented.
    Not in the configuration file and not in the $X509_USER_{PROXY,CERT,KEY} environment variables.
    lcmaps_plugin_scas_client-plugin_run(): scas client plugin failed

On the shell the exit code of gLExec will signal a 203. This indicates an authorization failure. For more information on the gLExec exit code, please visit: Exit codes of gLExec
GLEXEC_SOURCE_PROXY
gLExec has the capability of transferring the proxy file from the calling environment to the target user's environment. The resulting file will then be accessible by the target user. The GLEXEC_SOURCE_PROXY holds the path to the proxy file that needs to be transferred.
The setting is optional. If no GLEXEC_SOURCE_PROXY is present for gLExec to use, no proxy file is transferred (version: 0.6.8-3 and older).
When the GLEXEC_SOURCE_PROXY is set:
- Contains a file path from the root to the file. Note: "/dir/subdir/../subdir2/proxy" is allowed.
- Must be readable by the user account calling gLExec.
- The variable must be visible to gLExec so that it can read it.
  - Typically that means exporting it in the current shell.
- Must be set before calling gLExec.
Troubleshooting hints
If the GLEXEC_SOURCE_PROXY is not set, gLExec will continue without it.
If the GLEXEC_SOURCE_PROXY is set but the file is unreadable, the following message appears on the command line:

    [gLExec]: The stat syscall returned with an error for either $GLEXEC_CLIENT_CERT or $GLEXEC_SOURCE_PROXY.

The gLExec exit code will be set to 201, which indicates a user (resolvable) error. For more information on the gLExec exit code, please visit: Exit codes of gLExec
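A pre-flight check for the requirements listed in the sections above, to run before calling gLExec. This is an added example, not part of gLExec or of the original page: the function names `check_proxy_var` and `preflight` and their return codes 1 to 4 are this sketch's own and are unrelated to gLExec's 201/202/203 exit codes, and looking for PEM markers is an assumption about how the key pair is stored in the proxy file.

```shell
#!/bin/sh
# Added example: verify the proxy variables before gLExec is invoked.
# Return codes: 0 ok, 1 not exported, 2 not a path from the root,
#               3 not a readable file, 4 certificate/key pair incomplete.

# check_proxy_var NAME MODE
#   MODE=pair : file must hold a certificate and a private key
#               (GLEXEC_CLIENT_CERT, X509_USER_PROXY)
#   MODE=any  : only path and readability are checked (GLEXEC_SOURCE_PROXY)
check_proxy_var() {
    name=$1 mode=$2
    # Only exported variables reach gLExec, so look in the environment
    # rather than at shell-local variables.
    if ! env | grep -q "^${name}="; then
        echo "$name: not set or not exported" >&2; return 1
    fi
    path=$(env | sed -n "s/^${name}=//p")
    case $path in
        /*) ;;   # "/dir/subdir/../subdir2/proxy" style paths are accepted
        *)  echo "$name: not a path from the root: $path" >&2; return 2 ;;
    esac
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "$name: not a readable file: $path" >&2; return 3
    fi
    if [ "$mode" = pair ]; then
        grep -q -e '-----BEGIN CERTIFICATE-----' "$path" &&
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$path" || {
            echo "$name: certificate and private key not both in $path" >&2
            return 4
        }
    fi
    return 0
}

# preflight: run every check in the order the page describes the variables.
preflight() {
    check_proxy_var GLEXEC_CLIENT_CERT pair || return $?
    check_proxy_var X509_USER_PROXY pair || return $?
    # GLEXEC_SOURCE_PROXY is optional; check it only when it is exported.
    if env | grep -q '^GLEXEC_SOURCE_PROXY='; then
        check_proxy_var GLEXEC_SOURCE_PROXY any || return $?
    fi
    return 0
}
```

Run `preflight` as the account that will call gLExec, since readability is evaluated for the calling user.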