Difference between revisions of "EMI Argus-EES test plan"

From PDP/Grid Wiki
Jump to navigationJump to search
 
 
(23 intermediate revisions by 2 users not shown)
Line 11: Line 11:
 
=== Yum Installation ===
 
=== Yum Installation ===
  
To install the EES configure the YUM-based EPEL repository and the YUM repository which hold our the EMI packages. The IGTF distribution can also be done through a YUM-based repository, including the [[FetchCRL3]] utility to refresh the CA CRLs.
+
To install the EES configure the YUM-based EPEL and EMI repositories. The IGTF distribution can also be done through a YUM-based repository, including the [[FetchCRL3]] utility to refresh the CA CRLs. Note that the need for the IGTF distribution depends on the set of configured EES plugins.
  
 
The EES depends directly on:
 
The EES depends directly on:
Line 17: Line 17:
 
* (g)libc
 
* (g)libc
  
EES configurations specify plugins which operate on the incoming request. The EES ships with a '''transformer''' plug-in, which is used to unpack XACML obligations from an XACML request from the PDP.
+
EES configurations specify plugins which operate on the incoming request. The EES ships with a '''transformer''' plug-in, which is used to unpack the XACML obligations from the PDP response. This is needed since they are merged into the PEPd request and subsequently sent to the EES by the EES obligation handler (living inside the PEPd).
  
 
Install the '''EES''' service by performing: yum install ees
 
Install the '''EES''' service by performing: yum install ees
 +
 
This will install the package '''ees''' which will pull in the following packages:
 
This will install the package '''ees''' which will pull in the following packages:
 
* ees
 
* ees
* saml2-xacml2-c-lib
+
* xacml (called saml2-xacml2-c-lib for EMI-1)
  
 
Install the '''EES''' obligation handler by performing: yum install ees-pepd-oh
 
Install the '''EES''' obligation handler by performing: yum install ees-pepd-oh
 +
 
This will install the package '''ees-pepd-oh''' which will pull in the following packages:
 
This will install the package '''ees-pepd-oh''' which will pull in the following packages:
 
* argus-pep-server
 
* argus-pep-server
 
* java
 
* java
  
This is the first release of the EES service and the EES obligation handler in EMI. There is nothing to upgrade from.
+
This is the first release of the EES service and the EES obligation handler in EMI. There is nothing to upgrade from.
  
 
== System tests ==
 
== System tests ==
Line 37: Line 39:
 
First we install and setup the system for testing. This means to prepare the system taking a clean CentOS 5 or Scientific Linux 5 machine as a baseline.  
 
First we install and setup the system for testing. This means to prepare the system taking a clean CentOS 5 or Scientific Linux 5 machine as a baseline.  
 
  yum install ees
 
  yum install ees
 +
 +
If there is no ees useraccount yet, create it
 +
useradd -r ees
 +
 +
Start the ees service
 +
/etc/init.d/ees start
  
 
The basic installation is now done.
 
The basic installation is now done.
 
We can now test the basic functionality of the EES by using the following script.
 
We can now test the basic functionality of the EES by using the following script.
 +
Note that it uses nc which can be installed using: yum install nc
  
 
<pre>
 
<pre>
Line 73: Line 82:
 
}
 
}
  
echo -n "Basic sanity test\t"
+
echo -en "Basic sanity test\t"
 
test_main "$MSG" "200 OK"
 
test_main "$MSG" "200 OK"
echo -n "Basic failure test\t"
+
echo -en "Basic failure test\t"
 
test_main "<TEST>" "500 Internal"
 
test_main "<TEST>" "500 Internal"
 +
</pre>
 +
 +
Expected result:
 +
<pre>
 +
(testuser@ees.testmachine:~) ./ees_test.sh
 +
Basic sanity test      OK
 +
Basic failure test      OK
 
</pre>
 
</pre>
  
Line 83: Line 99:
 
==== EES preparation ====
 
==== EES preparation ====
  
The installation default of the '''/etc/glexec.conf''' file will work fine, but you'll need to whitelist yourself to authorize your account to use gLExec.
+
The default '''/etc/ees.conf''' configuration file will contain the EES transformer plugin which is able to decode obligations from incoming XACML requests. Here is a '''ees.conf''' snippet which loads the transformer plug-in:
  
Whitelist yourself in the /etc/glexec.conf:
+
  # plug-ins
user_white_list              = okoeroo
+
    transformer        = "ees_plugin_transformer.mod"
 +
    good              = "ees_dummy_good.mod"
 +
  # policies
 +
  transformer:
 +
    transformer -> good
 +
 
 +
To test integration in the Argus PEPd, configure the EES OH in the pepd.ini configuration file.
  
 
==== PEPd preparation ====
 
==== PEPd preparation ====
 +
Install the OH plug-in .jar file by running on the PEPd (argus-pep-server) service node:
 +
yum install ees-pepd-oh
 +
This will install it into /var/lib/argus/pepd/lib/ or equivalent PEPd library directory.
 +
Configure the PEPd to use the EES OH and specify the url of a running EES instance. Here is a '''pepd.ini''' snippet:
 +
  [SERVICE]
 +
  ...
 +
  obligationHandlers = EES_OH
 +
  ...
 +
  [EES_OH]
 +
  ENDPOINT = http://ees_instance:6217/
 +
  parserClass = org.glite.authz.pep.obligation.eesmap.EESObligationHandlerConfigurationParser
  
Configure gLExec to use LCAS and to use the specified '''lcas.db'''. Here is a '''glexec.conf''' snippet:
+
Restart the pepd:
  use_lcas                    = yes
+
  /etc/init.d/argus-pepd restart
lcas_db_file                = /etc/lcas/lcas-testing.db
 
lcas_log_file                = /var/log/glexec/lcas_lcmaps.log
 
lcas_debug_level            = 5
 
 
The '''/etc/lcas/lcas-testing.db''' would then look like:
 
# LCAS policy file/plugin definition
 
pluginname=/usr/lib64/modules/lcas_userban.mod,pluginargs=/etc/lcas/userban.db
 
  
Touch the file '''/etc/lcas/userban.db''', otherwise the LCAS UserBan module will fail on the inability to read the userban.db file.
+
which should result in output in the pepd process log
 +
2011-04-10 12:43:21.420Z - INFO [IniOHConfigurationParserHelper] - Loading Obligation Handler EES_OH
 +
2011-04-10 12:43:21.421Z - INFO [EESObligationHandlerConfigurationParser] - EES Obligations sent to endpoint: http://ees_instance:6217/
 +
2011-04-10 12:43:21.421Z - INFO [EESObligationHandlerConfigurationParser] - Starting new EES OH
 +
2011-04-10 12:43:21.428Z - INFO [EESObligationHandler] - Loading EES OH!
 +
2011-04-10 12:43:21.428Z - INFO [IniOHConfigurationParserHelper] - Added obligation handler: EES_OH
  
==== LCMAPS preparation ====
+
=== Basic functionality tests (manual) ===
 +
Configure [[gLExec]] to use the '''lcmaps-plugins-c-pep''' plug-in and the dummy plug-in from the '''lcmaps-plugins-basic''' plug-ins. Configure the C-PEP plug-in to connect to your running PEPd instance and configure the '''LCMAPS good''' plug-in to map to the 'nobody:nobody' account:
 +
<pre>
 +
# where to look for modules
 +
path = /usr/lib64/modules
  
lcmaps_db_file              = /etc/lcmaps/lcmaps-testing.db
+
# module definitions
lcmaps_get_account_policy    = test_policy
+
good = "lcmaps_dummy_good.mod"
lcmaps_log_file              = /var/log/glexec/lcas_lcmaps.log
+
      " --dummy-username nobody"
lcmaps_debug_level          = 5
+
      " --dummy-group nobody"
+
      " --dummy-sec-group nobody"
The '''/etc/lcmaps/lcmaps-testing.db''' would then look like:
 
# LCMAPS policy file/plugin definition
 
  
# default path for the modules
+
pepc = "lcmaps_c_pep.mod"
path = /usr/lib64/modules/
+
      "--pep-daemon-endpoint-url https://argus.testbed:8154/authz"
 +
      " -resourceid http://authz-interop.org/xacml/resource/resource-type/wn"
 +
      " -actionid http://glite.org/xacml/action/execute"
 +
      " -capath /etc/grid-security/certificates/"
 +
      " -pep-certificate-mode implicit"
  
# Plugin definitions:
+
glexec_get_account:
good             = "lcmaps_dummy_good.mod"
+
pepc -> good
                    " --dummy-username nobody"
+
</pre>
                    " --dummy-group nobody"
+
The expected result is a account mapping by gLExec to the user 'nobody:nobody' account.
                    " --dummy-sec-group nobody"
+
This can be verified by running the following command and verifying activity by the PEPd and the EES by tailing their log files.  
 
+
  (user@testmachine:~) /usr/sbin/glexec /usr/bin/id -a
posix_enf        = "lcmaps_posix_enf.mod"
 
                    " -maxuid 1"
 
                    " -maxpgid 1"
 
                    " -maxsgid 32"
 
 
 
verifyproxy = "lcmaps_verify_proxy.mod"
 
              " -certdir /etc/grid-security/certificates"
 
 
 
  # Policies:
 
test_policy:
 
verifyproxy -> good
 
good -> posix_enf
 
 
 
=== Basic functionality tests (manual) ===
 
 
 
Have proxy certificate on the test system, here located at $HOME/mkproxy-x509-voms. Using the following gLExec script to activate gLExec with your own user certificate:
 
#!/bin/sh
 
 
GLEXEC_BIN="/usr/sbin/glexec"
 
if [ ! -f ${GLEXEC_BIN} ]; then
 
    GLEXEC_BIN="${GLEXEC_LOCATION}/sbin/glexec"
 
    if [ ! -f ${GLEXEC_BIN} ]; then
 
        echo "No glexec found"
 
        exit 1
 
    fi
 
fi
 
 
if [ "${X509_USER_PROXY}" = "" ]; then
 
    export X509_USER_PROXY=$HOME/mkproxy-x509-voms
 
fi
 
 
export GLEXEC_CLIENT_CERT=${X509_USER_PROXY}
 
export GLEXEC_SOURCE_PROXY=${X509_USER_PROXY}
 
 
#echo "------------"
 
cmd="${GLEXEC_BIN} /usr/bin/id -a"
 
 
$cmd
 
echo $?
 
exit 0
 
 
 
Run the test script and the following result is expected:
 
[okoeroo@localhost ~]$ ./test-glexec.sh
 
 
  uid=99(nobody) gid=99(nobody) groups=99(nobody)
 
  uid=99(nobody) gid=99(nobody) groups=99(nobody)
  0
+
The gLExec/LCMAPS syslog output will be something like
 
+
  Apr 10 15:21:11 genome3 glexec[11844]: lcmaps_plugin_c_pep-plugin_run(): found dn: /O=dutchgrid/O=users/O=nikhef/CN=My First Grid Certificate
=== Test setup (automated) ===
+
Apr 10 15:21:24 genome3 glexec[11844]: 2011-04-10.13:21:11Z-11844 : lcmaps_plugin_c_pep-plugin_run(): C-PEP plugin succeeded
 
 
Download the [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/mwsec/trunk/glexec/test/glexec-lcas-lcmaps-compound-test.sh?view=markup gLExec (and LCAS/LCMAPS) compound test script]. The [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/mwsec/trunk/glexec/test/glexec-lcas-lcmaps-compound-test.sh?revision=15284&view=markup SVN revision number 15284 of the compound test script] was used.
 
 
 
 
 
WARNING: The script will rewrite the '''glexec.conf''' file multiple times to test all possible permutations of the configuration file. Also the LCAS and LCMAPS configuration files will be rewritten (in '''lcas-testing.db''' and '''lcmaps-testing.db''' files) to work.
 
 
 
  
Edit the script to configure it. Here is what was used for this certification:
+
For the PEPd '''/var/log/argus/pepd/process.log''' should provide detailed information on the incoming authorization requests if the loglevel has been sufficiently raised in '''/etc/argus/pepd/logging.xml''' (loglevel 'ALL' is useful here). It will contain a reference to the EES similar to:
#################
+
  2011-04-10 13:20:33.521Z - DEBUG [EESObligationHandler] - Starting transfer to EES
# Setup options #
 
#################
 
CONTINUEONERROR=no
 
 
TEST_ACCOUNT="okoeroo"
 
 
GLEXEC_EXEC="/usr/sbin/glexec"
 
GLEXEC_OWNERSHIP_SETUID="root.root"
 
GLEXEC_FILE_PERM_SETUID="6555"
 
GLEXEC_OWNERSHIP_NON_SETUID="root.root"
 
GLEXEC_FILE_PERM_NON_SETUID="0555"
 
 
CONF_OWNERSHIP_SETUID="glexec.glexec"
 
CONF_FILE_PERM_SETUID="0440"
 
CONF_OWNERSHIP_NON_SETUID="root.root"
 
CONF_FILE_PERM_NON_SETUID="0444"
 
 
test_glexec_conf="/etc/glexec.conf"
 
test_lcas_db="/etc/lcas/lcas-testing.db"
 
test_lcas_db_path="/usr/lib64/modules/"
 
test_lcas_log_file="/var/log/glexec/lcas_lcmaps.log"
 
test_lcas_userban_file="/etc/lcas/userban.db"
 
test_lcas_debug_level="0"
 
 
test_lcmaps_db="/etc/lcmaps/lcmaps-testing.db"
 
test_lcmaps_db_path="/usr/lib64/modules/"
 
test_lcmaps_log_file="/var/log/glexec/lcas_lcmaps.log"
 
test_lcmaps_debug_level="0"
 
 
priv_sep_file="/tmp/glexec_priv_sep_test.sh"
 
CAPATH="/etc/grid-security/certificates"
 
SCAS_ENDPOINT="https://eir.nikhef.nl:8443"
 
  PEPD_ENDPOINT="https://argus.testbed:8154/authz"
 
GLEXEC_TEST_GRID_MAPFILE="/tmp/glexec-test-grid-mapfile"
 
 
LOCALACCOUNT_TEST_MAP_USER="$TEST_ACCOUNT"
 
#LOCALACCOUNT_TEST_MAP_USER="pool001"
 
POOLACCOUNT_TEST_MAP_USER=".pool"
 
 
### Test selection ###
 
USE_SCAS="yes"
 
USE_SCAS=""
 
 
#################
 
# Setup proxies #
 
#################
 
CLIENT_CERT="/home/okoeroo/mkproxy-x509-voms"
 
USER_PROXY="$CLIENT_CERT"
 
SOURCE_PROXY="$CLIENT_CERT"
 
TARGET_PROXY="/tmp/target_proxy"
 
  
=== Basic functionality tests (automated) ===
+
The EES will log to syslog (usually '''/var/log/messages''') and must provide basic information on the incoming authorization requests, similar to:
 +
Apr 10 15:21:24 ees_instance ees: setAttributeIssuer(), tried to set NULL issuer
 +
Apr 10 15:21:24 ees_instance ees: Running plugin ees_plugin_transformer.mod
 +
Apr 10 15:21:24 ees_instance ees: Running transformer
 +
Apr 10 15:21:24 ees_instance ees: Running plugin ees_dummy_good.mod
  
Execute the script as '''root''' after properly configuring the script. See previous section for details:
+
=== Performance tests ===
sh glexec-lcas-lcmaps-compound-test.sh
+
Using '''ab''', the Apache benchmarking tool, the EES performance can be benchmarked.
 +
Create a request.xml containing a typical XACML request (similar to the excerpt shown in the automated functionality test script) and invoke ab.
 +
  ab -n 1000 -c 100 -p ~/request.xml http://ees_instance:6217/
  
Output:
+
You should see something like this (or better)
http://www.nikhef.nl/grid/ndpf/files/EMI_1_SAC_documentation/certification_output/glexec-lcas-lcmaps-compound-test.28-april-2011.out
+
  Requests per second:   272.75 [#/sec] (mean)
 +
  Time per request:      366.632 [ms] (mean)
  
 
=== Regression tests ===
 
=== Regression tests ===
 
+
Not applicable
Savannah bug [https://savannah.cern.ch/bugs/?53192 53192]: '''scas-client: segfaults with malformed lcmaps-glexec.db''' (implemented):
 
 
 
The SCAS-client plugin will not trigger a segmentation fault and pull gLExec with it when the SCAS host is not a FQDN.
 
 
 
Savannah bug [https://savannah.cern.ch/bugs/?77130 77130 ]: '''[lcmaps-plugins-scas] crashes on invalid -capath''' (implemented):
 
 
 
Verified by moving the CA path and reconfiguring the SCAS plugin to use an non-existing directory as -capath value.
 
 
 
Savannah bug [https://savannah.cern.ch/bugs/?80927 80927]: '''bug #80927: [LCMAPS] Mapping fails if VOMS AC contains a generic attribute''' (implemented):
 
 
 
Added VOMS generic attributes to the VO registration in the VOMS service.
 
 
 
Savannah bug [https://savannah.cern.ch/bugs/?80822 80882]: '''LCMAPS-plugins-c-pep cannot read proxy from NFS partition''' (not implemented):
 
 
 
Tested but turns out that the tests were not done properly with a false-positive as a result. The package version 1.1.4 fixes this problem. The 1.1.3 works as advertised on all other use cases.
 
 
 
Savannah bug [https://savannah.cern.ch/bugs/?80815 80815]: '''GLExec support for tracking group ids''' (implemented):
 
 
 
The gLExec and LCMAPS suite now has a plugin called the [[LCMAPS_Tracking_GroupID_plugin]] and supports the tracking groupid feature of Condor, Sun Grid Engine and other batch systems.
 
 
 
Savannah bug [https://savannah.cern.ch/bugs/?80548 80548]: '''GLExec possible segfault when reading proxy''' (implemented):
 
 
 
When reading a proxy file, the '\0' is added at the end, before we're sure if we didn't have an I/O error.
 
 
 
Savannah bug [https://savannah.cern.ch/bugs/?80547 80547]: ''GLExec segfaults if argc == 0'''' (implemented):
 
 
 
When gLExec is called using e.g. execve with NULL as argument list (i.e. resulting internally in argc==0) it segfaults.
 
 
 
Savannah bug [https://savannah.cern.ch/bugs/?79988 79988]: '''gLExec crashes when no explicit linger option is set in the glexec.conf''' (implemented):
 
 
 
When the glexec.conf does not contain either linger=yes or linger=no, gLExec crashes. Since the default is equivalent to specifying linger=yes, it's easy to work around.
 
 
 
Savannah bug [https://savannah.cern.ch/bugs/?57746 57746]: '''Error "could not get X509 cred from gss credential!" when using gridftp but normal job submission works''' (implemented):
 
 
 
The proxy handling from the lcas-lcmaps-gt4-interface to the LCAS and LCMAPS interface has been fixed to cope with this.
 
 
 
Savannah bug [https://savannah.cern.ch/bugs/?60825 60825]: '''Strange characters in LCAS plugin string''' (implemented):
 
 
 
A fix was made in the LCAS framework and the problem doesn't occur anymore.
 
 
 
Savannah bug [https://savannah.cern.ch/bugs/?64535 64535]: '''no lcmaps/lcas logs for gridftp''' (implemented):
 
 
 
The logs appear in both the log files, when the proper LCAS_LOG_FILE or LCMAPS_LOG_FILE are exported. Also Syslog will be used by default and works.
 
 
 
Savannah bug [https://savannah.cern.ch/bugs/?80647 80647]: '''LCAS authorizes me but reports that I am not''' (implemented):
 
 
 
This is fixed. The LCAS framework authorization decision isn't ignored anymore for the lcas-lcmaps-gt4-interface.
 
 
 
Savannah bug [https://savannah.cern.ch/bugs/?80900 80900]: '''LCAS fails to find the VOMS credentials on a GridFTPd''' (implemented):
 
 
 
The proxy handling from the lcas-lcmaps-gt4-interface to LCAS is now fixed to the older (and faster) method and grabs the right credentials for a decision and passing to the VOMS api.
 

Latest revision as of 13:16, 5 March 2013

This test plan is following the EMI SA2 template.

EES Test Plan

Service Description

The EES is a daemon that acts as an obligation transformer for requests to the PEPd. The EES takes SAML2-XACML2 authorization request messages as input. The EES takes the local site policy into account to transform the incoming request. The EES will start a new execution thread and apply the defined policy to the incoming request.

More information on the EES.

Yum Installation

To install the EES configure the YUM-based EPEL and EMI repositories. The IGTF distribution can also be done through a YUM-based repository, including the FetchCRL3 utility to refresh the CA CRLs. Note that the need for the IGTF distribution depends on the set of configured EES plugins.

The EES depends directly on:

  • SAML2-XACML2-C-LIB
  • (g)libc

EES configurations specify plugins which operate on the incoming request. The EES ships with a transformer plug-in, which is used to unpack the XACML obligations from the PDP response. This is needed since they are merged into the PEPd request and subsequently sent to the EES by the EES obligation handler (living inside the PEPd).

Install the EES service by performing: yum install ees

This will install the package ees which will pull in the following packages:

  • ees
  • xacml (called saml2-xacml2-c-lib for EMI-1)

Install the EES obligation handler by performing: yum install ees-pepd-oh

This will install the package ees-pepd-oh which will pull in the following packages:

  • argus-pep-server
  • java

This is the first release of the EES service and the EES obligation handler in EMI. There is nothing to upgrade from.

System tests

Test setup EES

First we install and setup the system for testing. This means to prepare the system taking a clean CentOS 5 or Scientific Linux 5 machine as a baseline.

yum install ees

If there is no ees useraccount yet, create it

useradd -r ees

Start the ees service

/etc/init.d/ees start

The basic installation is now done. We can now test the basic functionality of the EES by using the following script. Note that it uses nc which can be installed using: yum install nc

#!/bin/bash

# Configuration
host=0.0.0.0
port=6217

MSG='<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:XACMLcontext="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:XACMLassertion="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion" xmlns:XACMLpolicy="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:XACMLService="http://www.globus.org/security/XACMLAuthorization/bindings" xmlns:XACMLsamlp="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<SOAP-ENV:Body>
<XACMLsamlp:XACMLAuthzDecisionQuery CombinePolicies="true" ReturnContext="true" InputContextOnly="false" IssueInstant="2010-03-25T14:55:01Z" Version="2.0" ID="ID-1804289383">
<saml:Issuer xsi:type="saml:NameIDType" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">NetCat</saml:Issuer>
<XACMLcontext:Request xsi:type="XACMLcontext:RequestType">
<XACMLcontext:Action xsi:type="XACMLcontext:ActionType">
</XACMLcontext:Action>
</XACMLcontext:Request>
</XACMLsamlp:XACMLAuthzDecisionQuery>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
'

# Takes three args, a test string and a pattern to match to
test_main() {
  output=`echo -n "$1" | nc -n -i1 $host $port | grep -w "$2"`
  if [ -z "$output" ]
  then
    echo "ERR"
  else
    echo "OK"
  fi  
}

echo -en "Basic sanity test\t"
test_main "$MSG" "200 OK"
echo -en "Basic failure test\t"
test_main "<TEST>" "500 Internal"

Expected result:

(testuser@ees.testmachine:~) ./ees_test.sh 
Basic sanity test       OK
Basic failure test      OK

Test setup EES Obligation handler

EES preparation

The default /etc/ees.conf configuration file will contain the EES transformer plugin which is able to decode obligations from incoming XACML requests. Here is a ees.conf snippet which loads the transformer plug-in:

 # plug-ins
   transformer        = "ees_plugin_transformer.mod"
   good               = "ees_dummy_good.mod"
 # policies
 transformer:
   transformer -> good

To test integration in the Argus PEPd, configure the EES OH in the pepd.ini configuration file.

PEPd preparation

Install the OH plug-in .jar file by running on the PEPd (argus-pep-server) service node:

yum install ees-pepd-oh

This will install it into /var/lib/argus/pepd/lib/ or equivalent PEPd library directory. Configure the PEPd to use the EES OH and specify the url of a running EES instance. Here is a pepd.ini snippet:

 [SERVICE]
 ...
 obligationHandlers = EES_OH
 ...
 [EES_OH]
 ENDPOINT = http://ees_instance:6217/
 parserClass = org.glite.authz.pep.obligation.eesmap.EESObligationHandlerConfigurationParser

Restart the pepd:

/etc/init.d/argus-pepd restart

which should result in output in the pepd process log

2011-04-10 12:43:21.420Z - INFO [IniOHConfigurationParserHelper] - Loading Obligation Handler EES_OH
2011-04-10 12:43:21.421Z - INFO [EESObligationHandlerConfigurationParser] - EES Obligations sent to endpoint: http://ees_instance:6217/
2011-04-10 12:43:21.421Z - INFO [EESObligationHandlerConfigurationParser] - Starting new EES OH
2011-04-10 12:43:21.428Z - INFO [EESObligationHandler] - Loading EES OH!
2011-04-10 12:43:21.428Z - INFO [IniOHConfigurationParserHelper] - Added obligation handler: EES_OH

Basic functionality tests (manual)

Configure gLExec to use the lcmaps-plugins-c-pep plug-in and the dummy plug-in from the lcmaps-plugins-basic plug-ins. Configure the C-PEP plug-in to connect to your running PEPd instance and configure the LCMAPS good plug-in to map to the 'nobody:nobody' account:

# where to look for modules
path = /usr/lib64/modules

# module definitions
good = "lcmaps_dummy_good.mod"
       " --dummy-username nobody"
       " --dummy-group nobody"
       " --dummy-sec-group nobody"

pepc = "lcmaps_c_pep.mod"
       "--pep-daemon-endpoint-url https://argus.testbed:8154/authz"
       " -resourceid http://authz-interop.org/xacml/resource/resource-type/wn"
       " -actionid http://glite.org/xacml/action/execute"
       " -capath /etc/grid-security/certificates/"
       " -pep-certificate-mode implicit"

glexec_get_account:
pepc -> good

The expected result is a account mapping by gLExec to the user 'nobody:nobody' account. This can be verified by running the following command and verifying activity by the PEPd and the EES by tailing their log files.

(user@testmachine:~) /usr/sbin/glexec /usr/bin/id -a
uid=99(nobody) gid=99(nobody) groups=99(nobody)

The gLExec/LCMAPS syslog output will be something like

Apr 10 15:21:11 genome3 glexec[11844]: lcmaps_plugin_c_pep-plugin_run(): found dn: /O=dutchgrid/O=users/O=nikhef/CN=My First Grid Certificate
Apr 10 15:21:24 genome3 glexec[11844]: 2011-04-10.13:21:11Z-11844 : lcmaps_plugin_c_pep-plugin_run(): C-PEP plugin succeeded

For the PEPd /var/log/argus/pepd/process.log should provide detailed information on the incoming authorization requests if the loglevel has been sufficiently raised in /etc/argus/pepd/logging.xml (loglevel 'ALL' is useful here). It will contain a reference to the EES similar to:

2011-04-10 13:20:33.521Z - DEBUG [EESObligationHandler] - Starting transfer to EES

The EES will log to syslog (usually /var/log/messages) and must provide basic information on the incoming authorization requests, similar to:

Apr 10 15:21:24 ees_instance ees: setAttributeIssuer(), tried to set NULL issuer 
Apr 10 15:21:24 ees_instance ees: Running plugin ees_plugin_transformer.mod 
Apr 10 15:21:24 ees_instance ees: Running transformer 
Apr 10 15:21:24 ees_instance ees: Running plugin ees_dummy_good.mod

Performance tests

Using ab, the Apache benchmarking tool, the EES performance can be benchmarked. Create a request.xml containing a typical XACML request (similar to the excerpt shown in the automated functionality test script) and invoke ab.

 ab -n 1000 -c 100 -p ~/request.xml http://ees_instance:6217/

You should see something like this (or better)

 Requests per second:    272.75 [#/sec] (mean)
 Time per request:       366.632 [ms] (mean)

Regression tests

Not applicable