[EMAIL PROTECTED] ~]$ csf-job-create rsl $GLOBUS_LOCATION/docs/metascheduler/examples/gram_job.xml job1 Service location:https://202.112.9.201:8443/wsrf/services/metascheduler/JobService CreateJob Successfully: job1
[EMAIL PROTECTED] ~]$ csf-job-submit job1 submit() => https://202.112.9.201:8443/wsrf/services/metascheduler/JobService [EMAIL PROTECTED] ~]$ csf-job-status job1 Job fault type: ; nested exception is: javax.xml.rpc.soap.SOAPFaultException: ; nested exception is: org.globus.common.ChainedIOException: Authentication failed [Caused by: Operation unauthorized (Mechanism level: Authorization failed. Expected "/CN=host/node1" target but received "/O=Grid/OU=GlobusTest/OU=simpleCA-node1/CN=leo")] in container log file it seems that CSF didn't submit job.the output is below. 2007-08-31 17:46:33,873 ERROR impl.JobGramTask [JobGramTask,init:209] Error subm itting job request: ; nested exception is: org.globus.common.ChainedIOException: Authentication failed [Caused by: Operation unauthorized (Mechanism level: Authorization failed. Expected "/CN=hos t/node1" target but received "/O=Grid/OU=GlobusTest/OU=simpleCA-node1/CN=leo")] 2007-08-31 17:46:34,654 ERROR impl.JobGramTask [JobGramTask,init:214] Error dest roying job here are other files [EMAIL PROTECTED] ~]$ cat /usr/local/globus-4.0.4/etc/globus_delegation_service/factory-security-config.xml <securityConfig xmlns="http://www.globus.org";> <method name="requestSecurityToken"> <auth-method> <GSITransport/> <GSISecureMessage/> <GSISecureConversation/> </auth-method> </method> <auth-method> <none/> </auth-method> <authz value="gridmap"/> </securityConfig> [EMAIL PROTECTED] ~]$ cat /usr/local/globus-4.0.4/etc/globus_delegation_service/service-security-config.xml <securityConfig xmlns="http://www.globus.org";> <auth-method> <GSITransport/> <GSISecureMessage/> <GSISecureConversation/> </auth-method> <authz value="gridmap"/> </securityConfig> [EMAIL PROTECTED] ~]$ cat /usr/local/globus-4.0.4/etc/globus_wsrf_core/global_security_descriptor.xml <?xml version="1.0" encoding="UTF-8"?> <securityConfig xmlns="http://www.globus.org";> <credential> <key-file value="/etc/grid-security/containerkey.pem"/> <cert-file value="/etc/grid-security/containercert.pem"/> </credential> <gridmap value="/etc/grid-security/grid-mapfile"/> [EMAIL PROTECTED] ~]$ cat /etc/grid-security/grid-mapfile "/O=Grid/OU=GlobusTest/OU=simpleCA-node1/CN=leo" guser "guser" guser thank you very much for your help Best regards! ======= 2007-08-31 11:22:24 您在来信中写道:======= >Sorry for my late reply......I am confused too... >From your first question, it sames like a "host"mode authorization >problem.Maybe the CSF client's default authorization is "host".(and I >think it should have the option to change this.....) >But now it sames that "gridmap" authorization still works. > >Maybe you should retry the test from the beginning and keep all the >configuration as its original status. and print the following message: >the error message, >the contents of /etc/host file, >$GLOBUS_LOCATION/etc/metascheduler/*security-config.xml , >$GLOBUS_LOCATION/etc/globus_delegation_service/*security-config.xml. >$GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml >and your /etc/grid-security/grid-mapfile > >If the CSF use the delegation servcie, this service's authorization >mechanism can still affect the whole procdure. > >在 07-8-30,丁涛<[EMAIL PROTECTED]> 写道: >> Hi, Yu >> >> the content of >> $GLOBUS_LOCATION/etc/metascheduler/ms-security-config.xml file is >> <securityConfig xmlns="http://www.globus.org";> >> <auth-method> >> <GSISecureConversation/> >> </auth-method> >> <authz value="gridmap"/> >> <gridmap value="/etc/grid-security/grid-mapfile"/> >> </securityConfig> >> >> and if i change <authz value="gridmap"/> to <authz value="self"/> >> when i run CSF, the output will be like this >> >> [EMAIL PROTECTED] ~]$ csf-job-create rsl >> $GLOBUS_LOCATION/docs/metascheduler/examples/gram_job.xml job1 >> RemoteEx catched! Create Job error! >> org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: >> "/O=Grid/OU=GlobusTest/OU=simpleCA-node1/CN=leo" is not authorized to use >> operation: >> {http://www.platform.com/namespaces/2003/05/metascheduler/job}createResource >> on this service >> >> so how can i configure the file? thanks a lot. >> >> >> Best regards! >> >> ======= 2007-08-30 17:49:34 您在来信中写道:======= >> >> >I didn't use CSF before, from globus document, it same that CSF is a >> >kind of service provide task schedular function. So if you can find >> >the file security-config.xml under the directory >> >$GLOBUS_LOCATION/etc/metascheduler or some others related with CSF. >> >Edit security-config.xml for your will. For examples,if you want a >> >"self" mode authorization >> >add a line or change a line like this: >> ><authz value="self"> >> >and do not forget to have a copy before your modification:) >> >It same like this, Try. >> > >> >在 07-8-30,丁涛<[EMAIL PROTECTED]> 写道: >> >> hi,Yu >> >> >> >> actually i run "rft" locally. >> >> i changed /etc/hosts like "127.0.0.1 node1" and execute "rft -h >> >> node1 -f /tmp/rft.xfr" it's OK! >> >> and if i changed /etc/hosts like "202.112.9.201 node1" and execute >> >> "rft -h node1 -f /tmp/rft.xfr -z self" it's OK too! >> >> but for CSF i can't find a argument like "-z self" to tell the >> >> command to expect my own identity. >> >> anyway thanks Yu and Charles, you both help me. >> >> >> >> >> >> Best regards! >> >> >> >> >> >> >Is 202.112.9.201 your local IP address? and do you exectue the "rft" >> >> >command locally? If it is, try to delete the line "202.112.9.201 >> >> >node1" in your /etc/hosts and maybe write an other line "127.0.0.1 >> >> >localhost ". This maybe function.... >> >> > >> >> >I meet this kind of problem before,but dose not remember the detail >> >> >solution for every kind. This kind of problem occured often by two >> >> >kinds of aspects: one is about server-side authorization >> >> >mode(self,host or identity), the other is the conversion between IP >> >> >and Domain Name problem. >> >> > >> >> > >> >> >在 07-8-29,丁涛<[EMAIL PROTECTED]> 写道: >> >> >> hi, Charles >> >> >> >> >> >> >> >> >> in my /etc/hosts file, there is nothing but the real IP address and >> >> >> node1. >> >> >> like >> >> >> 202.112.9.201 node1 >> >> >> >> >> >> >> >> >> >> >> >> Best regards! >> >> >> >> >> >> ======= 2007-08-29 22:49:38 您在来信中写道:======= >> >> >> >> >> >> >In your first example, it looks like you started the container as >> >> >> >yourself by hand. Now it looks like you started the container with >> >> >> >the host certificates. The trouble now is that a reverse lookup on >> >> >> >node1's IP address is returning localhost. Make sure your /etc/hosts >> >> >> >file doesn't have any entries like: >> >> >> >127.0.0.1 node1 >> >> >> > >> >> >> > >> >> >> >Charles >> >> >> > >> >> >> >On Aug 29, 2007, at 5:29 AM, 丁涛 wrote: >> >> >> > >> >> >> >> hi,Charles >> >> >> >> >> >> >> >> thanks for your reply. but it didn't work.and the output below >> >> >> >> isn't like before. >> >> >> >> and csf still didn't work. why this happen? >> >> >> >> >> >> >> >> [EMAIL PROTECTED] ~]$ rft -h node1 -f /tmp/rft.xfr -z self >> >> >> >> Number of transfers in this request: 1 >> >> >> >> Subscribed for overall status >> >> >> >> Termination time to set: 60 minutes >> >> >> >> >> >> >> >> Overall status of transfer: >> >> >> >> Finished/Active/Failed/Retrying/Pending >> >> >> >> 0/0/1/0/0 >> >> >> >> Error:Error authenticating user at source/dest hostAuthentication >> >> >> >> failed [Caused by: Operation unauthorized (Mechanism level: >> >> >> >> Authorization failed. Expected "/CN=host/localhost" target but >> >> >> >> received "/O=Grid/OU=GlobusTest/OU=simpleCA-node1/CN=host/node1")] >> >> >> >> [Caused by: Authentication failed [Caused by: Operation >> >> >> >> unauthorized (Mechanism level: Authorization failed. Expected "/ >> >> >> >> CN=host/localhost" target but received "/O=Grid/OU=GlobusTest/ >> >> >> >> OU=simpleCA-node1/CN=host/node1")]] >> >> >> >> All Transfers failed >> >> >> >> >> >> >> >> Best regards! >> >> >> >> >> >> >> >> ======= 2007-08-28 23:03:24 您在来信中写道:======= >> >> >> >> >> >> >> >>> For the rft -h node1, you'll need to add something telling the >> >> >> >>> command to expect your own identity. >> >> >> >>> >> >> >> >>> $ rfh -h node1 -f /tmp/rft.xfr -z self >> >> >> >>> >> >> >> >>> should work. For globusrun-ws, try -self. >> >> >> >>> >> >> >> >>> >> >> >> >>> Charles >> >> >> >>> >> >> >> >>> On Aug 28, 2007, at 4:42 AM, Ding Tao wrote: >> >> >> >>> >> >> >> >>>> hi, all >> >> >> >>>> >> >> >> >>>> when i rum $rft -h node1 -f /tmp/rft.xfr and $csf-job-status >> >> >> >>>> job1, i meet the same problem which shows below. >> >> >> >>>> >> >> >> >>>> 2007-09-04 09:46:49,378 ERROR delegation.DelegationUtil >> >> >> >>>> [main,getCertificateChainRP:558] >> >> >> >>>> org.globus.common.ChainedIOException: Authentication failed >> >> >> >>>> [Caused >> >> >> >>>> by: Operation unauthorized (Mechanism level: Authorization failed. >> >> >> >>>> Expected "/CN=host/node1" target but received "/O=Grid/ >> >> >> >>>> OU=GlobusTest/OU=simpleCA-node1/CN=leo")] >> >> >> >>>> >> >> >> >>>> my /etc/grid-security/grid-mapfile is "/O=Grid/OU=GlobusTest/ >> >> >> >>>> OU=simpleCA-node1/CN=leo" guser >> >> >> >>>> >> >> >> >>>> these are output of grid-proxy-info >> >> >> >>>> [EMAIL PROTECTED] ~]$ grid-proxy-info >> >> >> >>>> subject : /O=Grid/OU=GlobusTest/OU=simpleCA-node1/CN=leo/ >> >> >> >>>> CN=1342777527 >> >> >> >>>> issuer : /O=Grid/OU=GlobusTest/OU=simpleCA-node1/CN=leo >> >> >> >>>> identity : /O=Grid/OU=GlobusTest/OU=simpleCA-node1/CN=leo >> >> >> >>>> type : Proxy draft (pre-RFC) compliant impersonation proxy >> >> >> >>>> strength : 512 bits >> >> >> >>>> path : /tmp/x509up_u505 >> >> >> >>>> timeleft : 11:59:49 >> >> >> >>>> >> >> >> >>>> and i comfirm that i set PATH JAVA_HOME ANT_HOME and run `source >> >> >> >>>> $GLOBUS_LOCATION/etc/globus-user-env.sh & source $GLOBUS_LOCATION/ >> >> >> >>>> etc/globus-devel-env.sh ` >> >> >> >>>> >> >> >> >>>> i know there are sth wrong with authentication but how can i solve >> >> >> >>>> this problem. >> >> >> >>>> >> >> >> >>>> Best regards! >> >> >> >>>> >> >> >> >>>> ------------------------------------------------------- >> >> >> >>>> Ding Tao >> >> >> >>>> 丁涛 >> >> >> >>>> >> >> >> >>>> Network Information Center, >> >> >> >>>> Beijing University of Posts & Telecommunications (BUPT), >> >> >> >>>> 10 Xi Tu Cheng Rd.,Beijing,100876, >> >> >> >>>> P.R.China >> >> >> >>>> >> >> >> >>>> 北京邮电大学信息网络中心 邮编100876 >> >> >> >>>> >> >> >> >>>> E-Mail: [EMAIL PROTECTED] >> >> >> >>>> ------------------------------------------------------- >> >> >> >>>> >> >> >> >>>> 2007-08-28 >> >> >> >> >> >> >> >> = = = = = = = = = = = = = = = = = = = = >> >> >> >> >> >> >> >> ------------------------------------------------------- >> >> >> >> Ding Tao >> >> >> >> 丁涛 >> >> >> >> >> >> >> >> Network Information Center, >> >> >> >> Beijing University of Posts & Telecommunications (BUPT), >> >> >> >> 10 Xi Tu Cheng Rd.,Beijing,100876, >> >> >> >> P.R.China >> >> >> >> >> >> >> >> 北京邮电大学信息网络中心 邮编100876 >> >> >> >> >> >> >> >> E-Mail: [EMAIL PROTECTED] >> >> >> >> ------------------------------------------------------- >> >> >> >> >> >> >> >> 2007-08-29 >> >> >> >> >> >> = = = = = = = = = = = = = = = = = = = = >> >> >> >> >> >> ------------------------------------------------------- >> >> >> Ding Tao >> >> >> 丁涛 >> >> >> >> >> >> Network Information Center, >> >> >> Beijing University of Posts & Telecommunications (BUPT), >> >> >> 10 Xi Tu Cheng Rd.,Beijing,100876, >> >> >> P.R.China >> >> >> >> >> >> 北京邮电大学信息网络中心 邮编100876 >> >> >> >> >> >> E-Mail: [EMAIL PROTECTED] >> >> >> ------------------------------------------------------- >> >> >> >> >> >> 2007-08-29 >> >> >> >> >> >> >> = = = = = = = = = = = = = = = = = = = = >> >> >> >> ------------------------------------------------------- >> >> Ding Tao >> >> 丁涛 >> >> >> >> Network Information Center, >> >> Beijing University of Posts & Telecommunications (BUPT), >> >> 10 Xi Tu Cheng Rd.,Beijing,100876, >> >> P.R.China >> >> >> >> 北京邮电大学信息网络中心 邮编100876 >> >> >> >> E-Mail: [EMAIL PROTECTED] >> >> ------------------------------------------------------- >> >> >> >> 2007-08-30 >> >> >> >> = = = = = = = = = = = = = = = = = = = = >> >> ------------------------------------------------------- >> Ding Tao >> 丁涛 >> >> Network Information Center, >> Beijing University of Posts & Telecommunications (BUPT), >> 10 Xi Tu Cheng Rd.,Beijing,100876, >> P.R.China >> >> 北京邮电大学信息网络中心 邮编100876 >> >> E-Mail: [EMAIL PROTECTED] >> ------------------------------------------------------- >> >> 2007-08-30 >> = = = = = = = = = = = = = = = = = = = = ------------------------------------------------------- Ding Tao 丁涛 Network Information Center, Beijing University of Posts & Telecommunications (BUPT), 10 Xi Tu Cheng Rd.,Beijing,100876, P.R.China 北京邮电大学信息网络中心 邮编100876 E-Mail: [EMAIL PROTECTED] ------------------------------------------------------- 2007-08-31
