EMI Argus-EES test plan

From PDP/Grid Wiki
Revision as of 11:25, 29 April 2011 by Aramv@nikhef.nl (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

This test plan is following the EMI SA2 template.

EES Test Plan

Service Description

The EES is a daemon that acts as an obligation transformer for requests to the PEPd. The EES takes SAML2-XACML2 authorization request messages as input. The EES takes the local site policy into account to transform the incoming request. The EES will start a new execution thread and apply the defined policy to the incoming request.

More information on the EES.

Yum Installation

To install the EES configure the YUM-based EPEL repository and the YUM repository which hold our the EMI packages. The IGTF distribution can also be done through a YUM-based repository, including the FetchCRL3 utility to refresh the CA CRLs.

The EES depends directly on:

  • SAML2-XACML2-C-LIB
  • (g)libc

EES configurations specify plugins which operate on the incoming request. The EES ships with a transformer plug-in, which is used to unpack XACML obligations from an XACML request from the PDP.

Install the EES service by performing: yum install ees This will install the package ees which will pull in the following packages:

  • ees
  • saml2-xacml2-c-lib

Install the EES obligation handler by performing: yum install ees-pepd-oh This will install the package ees-pepd-oh which will pull in the following packages:

  • argus-pep-server
  • java

This is the first release of the EES service and the EES obligation handler in EMI. There is nothing to upgrade from.

System tests

Test setup EES

First we install and setup the system for testing. This means to prepare the system taking a clean CentOS 5 or Scientific Linux 5 machine as a baseline. 

yum install ees

The basic installation is now done. We can now test the basic functionality of the EES by using the following script. 

#!/bin/bash

# Configuration
host=0.0.0.0
port=6217

MSG='<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:XACMLcontext="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:XACMLassertion="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion" xmlns:XACMLpolicy="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:XACMLService="http://www.globus.org/security/XACMLAuthorization/bindings" xmlns:XACMLsamlp="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<SOAP-ENV:Body>
<XACMLsamlp:XACMLAuthzDecisionQuery CombinePolicies="true" ReturnContext="true" InputContextOnly="false" IssueInstant="2010-03-25T14:55:01Z" Version="2.0" ID="ID-1804289383">
<saml:Issuer xsi:type="saml:NameIDType" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">NetCat</saml:Issuer>
<XACMLcontext:Request xsi:type="XACMLcontext:RequestType">
<XACMLcontext:Action xsi:type="XACMLcontext:ActionType">
</XACMLcontext:Action>
</XACMLcontext:Request>
</XACMLsamlp:XACMLAuthzDecisionQuery>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
'

# Takes three args, a test string and a pattern to match to
test_main() {
  output=`echo -n "$1" | nc -n -i1 $host $port | grep -w "$2"`
  if [ -z "$output" ]
  then
    echo "ERR"
  else
    echo "OK"
  fi  
}

echo -n "Basic sanity test\t"
test_main "$MSG" "200 OK"
echo -n "Basic failure test\t"
test_main "<TEST>" "500 Internal"

Test setup EES Obligation handler

EES preparation

The installation default of the /etc/glexec.conf file will work fine, but you'll need to whitelist yourself to authorize your account to use gLExec.

Whitelist yourself in the /etc/glexec.conf: 

user_white_list              = okoeroo

PEPd preparation

Configure gLExec to use LCAS and to use the specified lcas.db. Here is a glexec.conf snippet: 

use_lcas                     = yes
lcas_db_file                 = /etc/lcas/lcas-testing.db
lcas_log_file                = /var/log/glexec/lcas_lcmaps.log
lcas_debug_level             = 5

The /etc/lcas/lcas-testing.db would then look like: 

# LCAS policy file/plugin definition
pluginname=/usr/lib64/modules/lcas_userban.mod,pluginargs=/etc/lcas/userban.db

Touch the file /etc/lcas/userban.db, otherwise the LCAS UserBan module will fail on the inability to read the userban.db file.

LCMAPS preparation

lcmaps_db_file               = /etc/lcmaps/lcmaps-testing.db
lcmaps_get_account_policy    = test_policy
lcmaps_log_file              = /var/log/glexec/lcas_lcmaps.log
lcmaps_debug_level           = 5

The /etc/lcmaps/lcmaps-testing.db would then look like: 

# LCMAPS policy file/plugin definition

# default path for the modules
path = /usr/lib64/modules/

# Plugin definitions:
good             = "lcmaps_dummy_good.mod"
                   " --dummy-username nobody"
                   " --dummy-group nobody"
                   " --dummy-sec-group nobody"

posix_enf        = "lcmaps_posix_enf.mod"
                   " -maxuid 1"
                   " -maxpgid 1"
                   " -maxsgid 32"

verifyproxy = "lcmaps_verify_proxy.mod"
              " -certdir /etc/grid-security/certificates"

# Policies:
test_policy:
verifyproxy -> good
good -> posix_enf

Basic functionality tests (manual)

Have proxy certificate on the test system, here located at $HOME/mkproxy-x509-voms. Using the following gLExec script to activate gLExec with your own user certificate: 

#!/bin/sh

GLEXEC_BIN="/usr/sbin/glexec"
if [ ! -f ${GLEXEC_BIN} ]; then
    GLEXEC_BIN="${GLEXEC_LOCATION}/sbin/glexec"
    if [ ! -f ${GLEXEC_BIN} ]; then
        echo "No glexec found"
        exit 1
    fi
fi

if [ "${X509_USER_PROXY}" = "" ]; then
    export X509_USER_PROXY=$HOME/mkproxy-x509-voms
fi

export GLEXEC_CLIENT_CERT=${X509_USER_PROXY}
export GLEXEC_SOURCE_PROXY=${X509_USER_PROXY}

#echo "------------"
cmd="${GLEXEC_BIN} /usr/bin/id -a"

$cmd
echo $?
exit 0

Run the test script and the following result is expected: 

[okoeroo@localhost ~]$ ./test-glexec.sh 
uid=99(nobody) gid=99(nobody) groups=99(nobody)
0

Test setup (automated)

Download the gLExec (and LCAS/LCMAPS) compound test script. The SVN revision number 15284 of the compound test script was used.


WARNING: The script will rewrite the glexec.conf file multiple times to test all possible permutations of the configuration file. Also the LCAS and LCMAPS configuration files will be rewritten (in lcas-testing.db and lcmaps-testing.db files) to work.


Edit the script to configure it. Here is what was used for this certification: 

#################
# Setup options #
#################
CONTINUEONERROR=no

TEST_ACCOUNT="okoeroo"

GLEXEC_EXEC="/usr/sbin/glexec"
GLEXEC_OWNERSHIP_SETUID="root.root"
GLEXEC_FILE_PERM_SETUID="6555"
GLEXEC_OWNERSHIP_NON_SETUID="root.root"
GLEXEC_FILE_PERM_NON_SETUID="0555"

CONF_OWNERSHIP_SETUID="glexec.glexec"
CONF_FILE_PERM_SETUID="0440"
CONF_OWNERSHIP_NON_SETUID="root.root"
CONF_FILE_PERM_NON_SETUID="0444"

test_glexec_conf="/etc/glexec.conf"
test_lcas_db="/etc/lcas/lcas-testing.db"
test_lcas_db_path="/usr/lib64/modules/"
test_lcas_log_file="/var/log/glexec/lcas_lcmaps.log"
test_lcas_userban_file="/etc/lcas/userban.db"
test_lcas_debug_level="0"

test_lcmaps_db="/etc/lcmaps/lcmaps-testing.db"
test_lcmaps_db_path="/usr/lib64/modules/"
test_lcmaps_log_file="/var/log/glexec/lcas_lcmaps.log"
test_lcmaps_debug_level="0"

priv_sep_file="/tmp/glexec_priv_sep_test.sh"
CAPATH="/etc/grid-security/certificates"
SCAS_ENDPOINT="https://eir.nikhef.nl:8443"
PEPD_ENDPOINT="https://argus.testbed:8154/authz"
GLEXEC_TEST_GRID_MAPFILE="/tmp/glexec-test-grid-mapfile"

LOCALACCOUNT_TEST_MAP_USER="$TEST_ACCOUNT"
#LOCALACCOUNT_TEST_MAP_USER="pool001"
POOLACCOUNT_TEST_MAP_USER=".pool"

### Test selection ###
USE_SCAS="yes"
USE_SCAS=""

#################
# Setup proxies #
#################
CLIENT_CERT="/home/okoeroo/mkproxy-x509-voms"
USER_PROXY="$CLIENT_CERT"
SOURCE_PROXY="$CLIENT_CERT"
TARGET_PROXY="/tmp/target_proxy"

Basic functionality tests (automated)

Execute the script as root after properly configuring the script. See previous section for details: 

sh glexec-lcas-lcmaps-compound-test.sh

Output: 

http://www.nikhef.nl/grid/ndpf/files/EMI_1_SAC_documentation/certification_output/glexec-lcas-lcmaps-compound-test.28-april-2011.out

Regression tests

Savannah bug 53192: scas-client: segfaults with malformed lcmaps-glexec.db (implemented):

The SCAS-client plugin will not trigger a segmentation fault and pull gLExec with it when the SCAS host is not a FQDN.

Savannah bug 77130 : [lcmaps-plugins-scas] crashes on invalid -capath (implemented):

Verified by moving the CA path and reconfiguring the SCAS plugin to use an non-existing directory as -capath value.

Savannah bug 80927: bug #80927: [LCMAPS] Mapping fails if VOMS AC contains a generic attribute (implemented):

Added VOMS generic attributes to the VO registration in the VOMS service.

Savannah bug 80882: LCMAPS-plugins-c-pep cannot read proxy from NFS partition (not implemented):

Tested but turns out that the tests were not done properly with a false-positive as a result. The package version 1.1.4 fixes this problem. The 1.1.3 works as advertised on all other use cases.

Savannah bug 80815: GLExec support for tracking group ids (implemented):

The gLExec and LCMAPS suite now has a plugin called the LCMAPS_Tracking_GroupID_plugin and supports the tracking groupid feature of Condor, Sun Grid Engine and other batch systems.

Savannah bug 80548: GLExec possible segfault when reading proxy (implemented):

When reading a proxy file, the '\0' is added at the end, before we're sure if we didn't have an I/O error.

Savannah bug 80547: GLExec segfaults if argc == 0'' (implemented):

When gLExec is called using e.g. execve with NULL as argument list (i.e. resulting internally in argc==0) it segfaults.

Savannah bug 79988: gLExec crashes when no explicit linger option is set in the glexec.conf (implemented):

When the glexec.conf does not contain either linger=yes or linger=no, gLExec crashes. Since the default is equivalent to specifying linger=yes, it's easy to work around.

Savannah bug 57746: Error "could not get X509 cred from gss credential!" when using gridftp but normal job submission works (implemented):

The proxy handling from the lcas-lcmaps-gt4-interface to the LCAS and LCMAPS interface has been fixed to cope with this.

Savannah bug 60825: Strange characters in LCAS plugin string (implemented):

A fix was made in the LCAS framework and the problem doesn't occur anymore.

Savannah bug 64535: no lcmaps/lcas logs for gridftp (implemented):

The logs appear in both the log files, when the proper LCAS_LOG_FILE or LCMAPS_LOG_FILE are exported. Also Syslog will be used by default and works.

Savannah bug 80647: LCAS authorizes me but reports that I am not (implemented):

This is fixed. The LCAS framework authorization decision isn't ignored anymore for the lcas-lcmaps-gt4-interface.

Savannah bug 80900: LCAS fails to find the VOMS credentials on a GridFTPd (implemented):

The proxy handling from the lcas-lcmaps-gt4-interface to LCAS is now fixed to the older (and faster) method and grabs the right credentials for a decision and passing to the VOMS api.

Retrieved from "https://wiki.nikhef.nl/grid/index.php?title=EMI_Argus-EES_test_plan&oldid=5445"