Difference between revisions of "EMI-1 gLExec release test report"
(11 intermediate revisions by 2 users not shown) | |||
Line 56: | Line 56: | ||
This is the first release of gLExec, LCAS, LCMAPS, and the LCMAPS-plugins-C-PEP in EMI. There is nothing to upgrade from. | This is the first release of gLExec, LCAS, LCMAPS, and the LCMAPS-plugins-C-PEP in EMI. There is nothing to upgrade from. | ||
+ | |||
+ | === YAIM installation === | ||
+ | |||
+ | To configure gLExec on the worker node with YAIM, use the following command: | ||
+ | |||
+ | /opt/glite/yaim/bin/yaim -c -s siteinfo/site-info.def -n GLEXEC_wn | ||
+ | |||
+ | An example site-info configuration can be found here: | ||
+ | http://www.nikhef.nl/grid/ndpf/files/site-info.tar.gz | ||
+ | |||
+ | Documentation on specific variables can be found here: | ||
+ | https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#GLEXEC_wn | ||
+ | |||
+ | Note: due to a bug in /opt/glite/yaim/defaults/glite-glexec_wn.post | ||
+ | in version 2.0.3-1.sl5 the following settings need to be done in | ||
+ | site-info.def: | ||
+ | |||
+ | CONFIG_GRIDMAPDIR=no | ||
+ | |||
+ | to disable gridmapdir creation when SCAS or ARGUS is used. | ||
+ | |||
+ | SCAS_PORT for the port of the SCAS server | ||
+ | |||
+ | GLEXEC_WN_PEPC_RESOURCEID for the ARGUS resource ID. | ||
+ | |||
+ | GLEXEC_WN_PEPC_ACTIONID for the ARGUS action ID. | ||
== System tests == | == System tests == | ||
Line 106: | Line 132: | ||
The '''/etc/lcmaps/lcmaps-testing.db''' would then look like: | The '''/etc/lcmaps/lcmaps-testing.db''' would then look like: | ||
− | + | <pre> | |
+ | # LCMAPS policy file/plugin definition | ||
− | + | # default path for the modules | |
− | + | path = /usr/lib64/modules/ | |
− | + | # Plugin definitions: | |
− | + | good = "lcmaps_dummy_good.mod" | |
− | + | " --dummy-username nobody" | |
− | + | " --dummy-group nobody" | |
− | + | " --dummy-sec-group nobody" | |
− | + | posix_enf = "lcmaps_posix_enf.mod" | |
− | + | " -maxuid 1" | |
− | + | " -maxpgid 1" | |
− | + | " -maxsgid 32" | |
− | + | verifyproxy = "lcmaps_verify_proxy.mod" | |
− | + | " -certdir /etc/grid-security/certificates" | |
− | + | # Policies: | |
− | + | test_policy: | |
− | + | verifyproxy -> good | |
− | + | good -> posix_enf | |
+ | </pre> | ||
− | === Basic functionality tests === | + | === Basic functionality tests (manual) === |
Have proxy certificate on the test system, here located at $HOME/mkproxy-x509-voms. Using the following gLExec script to activate gLExec with your own user certificate: | Have proxy certificate on the test system, here located at $HOME/mkproxy-x509-voms. Using the following gLExec script to activate gLExec with your own user certificate: | ||
Line 164: | Line 192: | ||
=== Test setup (automated) === | === Test setup (automated) === | ||
− | |||
Download the [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/mwsec/trunk/glexec/test/glexec-lcas-lcmaps-compound-test.sh?view=markup gLExec (and LCAS/LCMAPS) compound test script]. The [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/mwsec/trunk/glexec/test/glexec-lcas-lcmaps-compound-test.sh?revision=15284&view=markup SVN revision number 15284 of the compound test script] was used. | Download the [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/mwsec/trunk/glexec/test/glexec-lcas-lcmaps-compound-test.sh?view=markup gLExec (and LCAS/LCMAPS) compound test script]. The [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/mwsec/trunk/glexec/test/glexec-lcas-lcmaps-compound-test.sh?revision=15284&view=markup SVN revision number 15284 of the compound test script] was used. | ||
Line 177: | Line 204: | ||
################# | ################# | ||
CONTINUEONERROR=no | CONTINUEONERROR=no | ||
− | + | ||
TEST_ACCOUNT="okoeroo" | TEST_ACCOUNT="okoeroo" | ||
− | + | ||
GLEXEC_EXEC="/usr/sbin/glexec" | GLEXEC_EXEC="/usr/sbin/glexec" | ||
GLEXEC_OWNERSHIP_SETUID="root.root" | GLEXEC_OWNERSHIP_SETUID="root.root" | ||
Line 185: | Line 212: | ||
GLEXEC_OWNERSHIP_NON_SETUID="root.root" | GLEXEC_OWNERSHIP_NON_SETUID="root.root" | ||
GLEXEC_FILE_PERM_NON_SETUID="0555" | GLEXEC_FILE_PERM_NON_SETUID="0555" | ||
− | + | ||
CONF_OWNERSHIP_SETUID="glexec.glexec" | CONF_OWNERSHIP_SETUID="glexec.glexec" | ||
CONF_FILE_PERM_SETUID="0440" | CONF_FILE_PERM_SETUID="0440" | ||
CONF_OWNERSHIP_NON_SETUID="root.root" | CONF_OWNERSHIP_NON_SETUID="root.root" | ||
CONF_FILE_PERM_NON_SETUID="0444" | CONF_FILE_PERM_NON_SETUID="0444" | ||
− | + | ||
test_glexec_conf="/etc/glexec.conf" | test_glexec_conf="/etc/glexec.conf" | ||
test_lcas_db="/etc/lcas/lcas-testing.db" | test_lcas_db="/etc/lcas/lcas-testing.db" | ||
Line 197: | Line 224: | ||
test_lcas_userban_file="/etc/lcas/userban.db" | test_lcas_userban_file="/etc/lcas/userban.db" | ||
test_lcas_debug_level="0" | test_lcas_debug_level="0" | ||
− | + | ||
test_lcmaps_db="/etc/lcmaps/lcmaps-testing.db" | test_lcmaps_db="/etc/lcmaps/lcmaps-testing.db" | ||
test_lcmaps_db_path="/usr/lib64/modules/" | test_lcmaps_db_path="/usr/lib64/modules/" | ||
test_lcmaps_log_file="/var/log/glexec/lcas_lcmaps.log" | test_lcmaps_log_file="/var/log/glexec/lcas_lcmaps.log" | ||
test_lcmaps_debug_level="0" | test_lcmaps_debug_level="0" | ||
− | + | ||
priv_sep_file="/tmp/glexec_priv_sep_test.sh" | priv_sep_file="/tmp/glexec_priv_sep_test.sh" | ||
CAPATH="/etc/grid-security/certificates" | CAPATH="/etc/grid-security/certificates" | ||
− | SCAS_ENDPOINT="https:// | + | SCAS_ENDPOINT="https://eir.nikhef.nl:8443" |
PEPD_ENDPOINT="https://argus.testbed:8154/authz" | PEPD_ENDPOINT="https://argus.testbed:8154/authz" | ||
GLEXEC_TEST_GRID_MAPFILE="/tmp/glexec-test-grid-mapfile" | GLEXEC_TEST_GRID_MAPFILE="/tmp/glexec-test-grid-mapfile" | ||
− | + | ||
LOCALACCOUNT_TEST_MAP_USER="$TEST_ACCOUNT" | LOCALACCOUNT_TEST_MAP_USER="$TEST_ACCOUNT" | ||
#LOCALACCOUNT_TEST_MAP_USER="pool001" | #LOCALACCOUNT_TEST_MAP_USER="pool001" | ||
POOLACCOUNT_TEST_MAP_USER=".pool" | POOLACCOUNT_TEST_MAP_USER=".pool" | ||
− | + | ||
− | |||
### Test selection ### | ### Test selection ### | ||
USE_SCAS="yes" | USE_SCAS="yes" | ||
USE_SCAS="" | USE_SCAS="" | ||
− | + | ||
− | |||
################# | ################# | ||
# Setup proxies # | # Setup proxies # | ||
Line 227: | Line 252: | ||
TARGET_PROXY="/tmp/target_proxy" | TARGET_PROXY="/tmp/target_proxy" | ||
− | Execute the script as '''root'''. | + | === Basic functionality tests (automated) === |
+ | |||
+ | Execute the script as '''root''' after properly configuring the script. See previous section for details: | ||
sh glexec-lcas-lcmaps-compound-test.sh | sh glexec-lcas-lcmaps-compound-test.sh | ||
Line 233: | Line 260: | ||
http://www.nikhef.nl/grid/ndpf/files/EMI_1_SAC_documentation/certification_output/glexec-lcas-lcmaps-compound-test.28-april-2011.out | http://www.nikhef.nl/grid/ndpf/files/EMI_1_SAC_documentation/certification_output/glexec-lcas-lcmaps-compound-test.28-april-2011.out | ||
+ | === Regression tests === | ||
+ | |||
+ | Savannah bug [https://savannah.cern.ch/bugs/?53192 53192]: '''scas-client: segfaults with malformed lcmaps-glexec.db''' (implemented): | ||
+ | |||
+ | The SCAS-client plugin will not trigger a segmentation fault and pull gLExec with it when the SCAS host is not a FQDN. | ||
+ | |||
+ | Savannah bug [https://savannah.cern.ch/bugs/?77130 77130 ]: '''[lcmaps-plugins-scas] crashes on invalid -capath''' (implemented): | ||
+ | |||
+ | Verified by moving the CA path and reconfiguring the SCAS plugin to use an non-existing directory as -capath value. | ||
+ | |||
+ | Savannah bug [https://savannah.cern.ch/bugs/?80927 80927]: '''bug #80927: [LCMAPS] Mapping fails if VOMS AC contains a generic attribute''' (implemented): | ||
+ | |||
+ | Added VOMS generic attributes to the VO registration in the VOMS service. | ||
+ | |||
+ | Savannah bug [https://savannah.cern.ch/bugs/?80822 80882]: '''LCMAPS-plugins-c-pep cannot read proxy from NFS partition''' (not implemented): | ||
+ | |||
+ | Tested but turns out that the tests were not done properly with a false-positive as a result. The package version 1.1.4 fixes this problem. The 1.1.3 works as advertised on all other use cases. | ||
+ | |||
+ | Savannah bug [https://savannah.cern.ch/bugs/?80815 80815]: '''GLExec support for tracking group ids''' (implemented): | ||
+ | |||
+ | The gLExec and LCMAPS suite now has a plugin called the [[LCMAPS_Tracking_GroupID_plugin]] and supports the tracking groupid feature of Condor, Sun Grid Engine and other batch systems. | ||
+ | |||
+ | Savannah bug [https://savannah.cern.ch/bugs/?80548 80548]: '''GLExec possible segfault when reading proxy''' (implemented): | ||
+ | |||
+ | When reading a proxy file, the '\0' is added at the end, before we're sure if we didn't have an I/O error. | ||
+ | |||
+ | Savannah bug [https://savannah.cern.ch/bugs/?80547 80547]: ''GLExec segfaults if argc == 0'''' (implemented): | ||
+ | |||
+ | When gLExec is called using e.g. execve with NULL as argument list (i.e. resulting internally in argc==0) it segfaults. | ||
+ | |||
+ | Savannah bug [https://savannah.cern.ch/bugs/?79988 79988]: '''gLExec crashes when no explicit linger option is set in the glexec.conf''' (implemented): | ||
+ | |||
+ | When the glexec.conf does not contain either linger=yes or linger=no, gLExec crashes. Since the default is equivalent to specifying linger=yes, it's easy to work around. | ||
+ | |||
+ | Savannah bug [https://savannah.cern.ch/bugs/?57746 57746]: '''Error "could not get X509 cred from gss credential!" when using gridftp but normal job submission works''' (implemented): | ||
+ | |||
+ | The proxy handling from the lcas-lcmaps-gt4-interface to the LCAS and LCMAPS interface has been fixed to cope with this. | ||
− | + | Savannah bug [https://savannah.cern.ch/bugs/?60825 60825]: '''Strange characters in LCAS plugin string''' (implemented): | |
+ | |||
+ | A fix was made in the LCAS framework and the problem doesn't occur anymore. | ||
+ | |||
+ | Savannah bug [https://savannah.cern.ch/bugs/?64535 64535]: '''no lcmaps/lcas logs for gridftp''' (implemented): | ||
+ | |||
+ | The logs appear in both the log files, when the proper LCAS_LOG_FILE or LCMAPS_LOG_FILE are exported. Also Syslog will be used by default and works. | ||
+ | |||
+ | Savannah bug [https://savannah.cern.ch/bugs/?80647 80647]: '''LCAS authorizes me but reports that I am not''' (implemented): | ||
+ | |||
+ | This is fixed. The LCAS framework authorization decision isn't ignored anymore for the lcas-lcmaps-gt4-interface. | ||
+ | |||
+ | Savannah bug [https://savannah.cern.ch/bugs/?80900 80900]: '''LCAS fails to find the VOMS credentials on a GridFTPd''' (implemented): | ||
+ | |||
+ | The proxy handling from the lcas-lcmaps-gt4-interface to LCAS is now fixed to the older (and faster) method and grabs the right credentials for a decision and passing to the VOMS api.</pre> |
Latest revision as of 13:00, 17 May 2011
This test plan is following the EMI SA2 template.
gLExec Test Plan
Service Description
gLExec is a program that acts as a light-weight 'gatekeeper'. gLExec takes Grid credentials as input. gLExec takes the local site policy into account to authenticate and authorize the credentials. gLExec will switch to a new execution sandbox and execute the given command as the switched identity. gLExec is also capable of functioning as a light-weight control point which offers a binary yes/no result called the logging-only mode.
More information on gLExec.
Yum Installation
To install gLExec configure the YUM-based EPEL repository and the YUM repository which hold our the EMI packages. In addition a CA distribution, like that of the [htts://www.igtf.net IGTF] or your own homebrew local CAs need to be installed. The IGTF distribution can also be done through a YUM-based repository, including the FetchCRL3 utility to refresh the CA CRLs.
GLExec depends directly on:
- LCAS
- LCMAPS
- (g)libc
GLExec therefore inherits dependencies on:
- VOMS, in particular the voms-api
- Globus libraries
- OpenSSL
GLExec requires LCMAPS plugins to be installed and optionally also LCAS plugins. Expected (inherited) dependencies are:
- GridSite
- Arguc PEP C
Install gLExec by performing: yum install emi-glexec_wn This will install the meta package emi-glexec_wn-1.0.0-1.sl5 which will pull in the following packages:
- glexec
- glexec-wrapper-scripts
- mkgltempdir
- lcas
- lcas-plugins-basic
- lcas-plugins-check-executable
- lcas-plugins-voms
- lcmaps
- lcmaps-plugins-basic
- lcmaps-plugins-c-pep
- lcmaps-plugins-scas-client
- lcmaps-plugins-tracking-groupid
- lcmaps-plugins-verify-proxy
- lcmaps-plugins-voms
- saml2-xacml2-c-lib
And our required dependencies:
- argus-pep-api-c
- edg-mkgridmap
- emi-version
- emi.sac.GLEXEC_wn
- glite-yaim-core
- gridsite-shared
- voms
- yaim-glexec-wn
This is the first release of gLExec, LCAS, LCMAPS, and the LCMAPS-plugins-C-PEP in EMI. There is nothing to upgrade from.
YAIM installation
To configure gLExec on the worker node with YAIM, use the following command:
/opt/glite/yaim/bin/yaim -c -s siteinfo/site-info.def -n GLEXEC_wn
An example site-info configuration can be found here:
http://www.nikhef.nl/grid/ndpf/files/site-info.tar.gz
Documentation on specific variables can be found here:
https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#GLEXEC_wn
Note: due to a bug in /opt/glite/yaim/defaults/glite-glexec_wn.post in version 2.0.3-1.sl5 the following settings need to be done in site-info.def:
CONFIG_GRIDMAPDIR=no
to disable gridmapdir creation when SCAS or ARGUS is used.
SCAS_PORT for the port of the SCAS server
GLEXEC_WN_PEPC_RESOURCEID for the ARGUS resource ID.
GLEXEC_WN_PEPC_ACTIONID for the ARGUS action ID.
System tests
Test setup
First we install and setup the system for testing. This means to prepare the system taking a clean CentOS 5 or Scientific Linux 5 machine as a baseline.
yum install emi-glexec_wn yum install ca_policy_igtf-classic ca_policy_igtf-mics ca_policy_igtf-slcs fetch-crl3 ntpdate ntp.xs4all.nl fetch-crl3
The base installation is now done. Moving forward to more system specific steps:
chmod 4111 /usr/sbin/glexec useradd glexec
Populate a useable VOMSDIR with .lsc files:
scp -r okoeroo@span:vomsdir/vomsdir/* /etc/grid-security/vomsdir/
Test setup (manual test)
gLExec preparation
The installation default of the /etc/glexec.conf file will work fine, but you'll need to whitelist yourself to authorize your account to use gLExec.
Whitelist yourself in the /etc/glexec.conf:
user_white_list = okoeroo
LCAS preparation
Configure gLExec to use LCAS and to use the specified lcas.db. Here is a glexec.conf snippet:
use_lcas = yes lcas_db_file = /etc/lcas/lcas-testing.db lcas_log_file = /var/log/glexec/lcas_lcmaps.log lcas_debug_level = 5
The /etc/lcas/lcas-testing.db would then look like:
# LCAS policy file/plugin definition pluginname=/usr/lib64/modules/lcas_userban.mod,pluginargs=/etc/lcas/userban.db
Touch the file /etc/lcas/userban.db, otherwise the LCAS UserBan module will fail on the inability to read the userban.db file.
LCMAPS preparation
lcmaps_db_file = /etc/lcmaps/lcmaps-testing.db lcmaps_get_account_policy = test_policy lcmaps_log_file = /var/log/glexec/lcas_lcmaps.log lcmaps_debug_level = 5
The /etc/lcmaps/lcmaps-testing.db would then look like:
# LCMAPS policy file/plugin definition # default path for the modules path = /usr/lib64/modules/ # Plugin definitions: good = "lcmaps_dummy_good.mod" " --dummy-username nobody" " --dummy-group nobody" " --dummy-sec-group nobody" posix_enf = "lcmaps_posix_enf.mod" " -maxuid 1" " -maxpgid 1" " -maxsgid 32" verifyproxy = "lcmaps_verify_proxy.mod" " -certdir /etc/grid-security/certificates" # Policies: test_policy: verifyproxy -> good good -> posix_enf
Basic functionality tests (manual)
Have proxy certificate on the test system, here located at $HOME/mkproxy-x509-voms. Using the following gLExec script to activate gLExec with your own user certificate:
#!/bin/sh GLEXEC_BIN="/usr/sbin/glexec" if [ ! -f ${GLEXEC_BIN} ]; then GLEXEC_BIN="${GLEXEC_LOCATION}/sbin/glexec" if [ ! -f ${GLEXEC_BIN} ]; then echo "No glexec found" exit 1 fi fi if [ "${X509_USER_PROXY}" = "" ]; then export X509_USER_PROXY=$HOME/mkproxy-x509-voms fi export GLEXEC_CLIENT_CERT=${X509_USER_PROXY} export GLEXEC_SOURCE_PROXY=${X509_USER_PROXY} #echo "------------" cmd="${GLEXEC_BIN} /usr/bin/id -a" $cmd echo $? exit 0
Run the test script and the following result is expected:
[okoeroo@localhost ~]$ ./test-glexec.sh uid=99(nobody) gid=99(nobody) groups=99(nobody) 0
Test setup (automated)
Download the gLExec (and LCAS/LCMAPS) compound test script. The SVN revision number 15284 of the compound test script was used.
WARNING: The script will rewrite the glexec.conf file multiple times to test all possible permutations of the configuration file. Also the LCAS and LCMAPS configuration files will be rewritten (in lcas-testing.db and lcmaps-testing.db files) to work.
Edit the script to configure it. Here is what was used for this certification:
################# # Setup options # ################# CONTINUEONERROR=no TEST_ACCOUNT="okoeroo" GLEXEC_EXEC="/usr/sbin/glexec" GLEXEC_OWNERSHIP_SETUID="root.root" GLEXEC_FILE_PERM_SETUID="6555" GLEXEC_OWNERSHIP_NON_SETUID="root.root" GLEXEC_FILE_PERM_NON_SETUID="0555" CONF_OWNERSHIP_SETUID="glexec.glexec" CONF_FILE_PERM_SETUID="0440" CONF_OWNERSHIP_NON_SETUID="root.root" CONF_FILE_PERM_NON_SETUID="0444" test_glexec_conf="/etc/glexec.conf" test_lcas_db="/etc/lcas/lcas-testing.db" test_lcas_db_path="/usr/lib64/modules/" test_lcas_log_file="/var/log/glexec/lcas_lcmaps.log" test_lcas_userban_file="/etc/lcas/userban.db" test_lcas_debug_level="0" test_lcmaps_db="/etc/lcmaps/lcmaps-testing.db" test_lcmaps_db_path="/usr/lib64/modules/" test_lcmaps_log_file="/var/log/glexec/lcas_lcmaps.log" test_lcmaps_debug_level="0" priv_sep_file="/tmp/glexec_priv_sep_test.sh" CAPATH="/etc/grid-security/certificates" SCAS_ENDPOINT="https://eir.nikhef.nl:8443" PEPD_ENDPOINT="https://argus.testbed:8154/authz" GLEXEC_TEST_GRID_MAPFILE="/tmp/glexec-test-grid-mapfile" LOCALACCOUNT_TEST_MAP_USER="$TEST_ACCOUNT" #LOCALACCOUNT_TEST_MAP_USER="pool001" POOLACCOUNT_TEST_MAP_USER=".pool" ### Test selection ### USE_SCAS="yes" USE_SCAS="" ################# # Setup proxies # ################# CLIENT_CERT="/home/okoeroo/mkproxy-x509-voms" USER_PROXY="$CLIENT_CERT" SOURCE_PROXY="$CLIENT_CERT" TARGET_PROXY="/tmp/target_proxy"
Basic functionality tests (automated)
Execute the script as root after properly configuring the script. See previous section for details:
sh glexec-lcas-lcmaps-compound-test.sh
Output:
http://www.nikhef.nl/grid/ndpf/files/EMI_1_SAC_documentation/certification_output/glexec-lcas-lcmaps-compound-test.28-april-2011.out
Regression tests
Savannah bug 53192: scas-client: segfaults with malformed lcmaps-glexec.db (implemented):
The SCAS-client plugin will not trigger a segmentation fault and pull gLExec with it when the SCAS host is not a FQDN.
Savannah bug 77130 : [lcmaps-plugins-scas] crashes on invalid -capath (implemented):
Verified by moving the CA path and reconfiguring the SCAS plugin to use an non-existing directory as -capath value.
Savannah bug 80927: bug #80927: [LCMAPS] Mapping fails if VOMS AC contains a generic attribute (implemented):
Added VOMS generic attributes to the VO registration in the VOMS service.
Savannah bug 80882: LCMAPS-plugins-c-pep cannot read proxy from NFS partition (not implemented):
Tested but turns out that the tests were not done properly with a false-positive as a result. The package version 1.1.4 fixes this problem. The 1.1.3 works as advertised on all other use cases.
Savannah bug 80815: GLExec support for tracking group ids (implemented):
The gLExec and LCMAPS suite now has a plugin called the LCMAPS_Tracking_GroupID_plugin and supports the tracking groupid feature of Condor, Sun Grid Engine and other batch systems.
Savannah bug 80548: GLExec possible segfault when reading proxy (implemented):
When reading a proxy file, the '\0' is added at the end, before we're sure if we didn't have an I/O error.
Savannah bug 80547: GLExec segfaults if argc == 0'' (implemented):
When gLExec is called using e.g. execve with NULL as argument list (i.e. resulting internally in argc==0) it segfaults.
Savannah bug 79988: gLExec crashes when no explicit linger option is set in the glexec.conf (implemented):
When the glexec.conf does not contain either linger=yes or linger=no, gLExec crashes. Since the default is equivalent to specifying linger=yes, it's easy to work around.
Savannah bug 57746: Error "could not get X509 cred from gss credential!" when using gridftp but normal job submission works (implemented):
The proxy handling from the lcas-lcmaps-gt4-interface to the LCAS and LCMAPS interface has been fixed to cope with this.
Savannah bug 60825: Strange characters in LCAS plugin string (implemented):
A fix was made in the LCAS framework and the problem doesn't occur anymore.
Savannah bug 64535: no lcmaps/lcas logs for gridftp (implemented):
The logs appear in both the log files, when the proper LCAS_LOG_FILE or LCMAPS_LOG_FILE are exported. Also Syslog will be used by default and works.
Savannah bug 80647: LCAS authorizes me but reports that I am not (implemented):
This is fixed. The LCAS framework authorization decision isn't ignored anymore for the lcas-lcmaps-gt4-interface.
Savannah bug 80900: LCAS fails to find the VOMS credentials on a GridFTPd (implemented):
The proxy handling from the lcas-lcmaps-gt4-interface to LCAS is now fixed to the older (and faster) method and grabs the right credentials for a decision and passing to the VOMS api.