Unauthorized query during dirac-proxy-init


Diego Michelotto

Jul 11, 2013, 3:28:02 AM
to diracgr...@googlegroups.com
Dear All,

I am trying to integrate my web grid portal with DIRAC. During user registration I add the user to DIRAC and afterwards upload his certificate to the DIRAC-ProxyManager, but when I upload the certificate I get the error "Unauthorized query".

Details:

I successfully add the user with the command dirac-admin-add-user -N testdemo06 -D "USER_DN" -M testd...@mail.it -G gridit_user, but when I try to upload the certificate with the command dirac-proxy-init -C pathtousercert -K pathtouserkey -g gridit_user, I get this error:

Generating proxy... 
Enter Certificate password:

Uploading proxy for lhcb_user... 
Unautorized query


If I add the user, then restart the DIRAC services or wait some minutes, and upload the certificate with the same commands, everything works fine.

Does anyone have a suggestion for this problem?

Cheers,
Diego

Andrei Tsaregorodtsev

Jul 11, 2013, 4:45:29 AM
to diracgr...@googlegroups.com
Hi Diego,

User registration means entering some information into the DIRAC Registry, which is part of the Configuration Service (CS). The user info is entered into the CS database, from where all the other DIRAC components get it. However, in order to be efficient and not overload the service, each component keeps a cache of the configuration data. This means that a change in the CS can become available to some DIRAC components a few minutes later (no more than 10 minutes). Since the CS data is meant to be static (slowly changing), this is considered acceptable. I think you are hitting this problem and the Proxy Manager does not yet know the newly introduced user. The solution can be to defer the proxy upload as you did. It is probably acceptable since you do this operation only once, at the moment of new user registration.

  Cheers,
  Andrei

Diego Michelotto

Jul 11, 2013, 5:42:30 AM
to diracgr...@googlegroups.com
Hi Andrei,

Thank you for your quick reply.

Is it possible to force the Proxy Manager to reload the new configuration?

This is because an IGTF security policy says that a certificate with its private key cannot remain on the server for more than a few minutes.

For this reason I prefer not to wait 10 minutes before uploading the user certificate to DIRAC.

Cheers,
Diego

Adrian Casajús

Jul 11, 2013, 5:54:44 AM
to Diego Michelotto, diracgrid-forum
Hi Diego,

 
> Is it possible to force the Proxy Manager to reload the new configuration?

Not without restarting it.

> This is because an IGTF security policy says that a certificate with its private key cannot remain on the server for more than a few minutes.

What does this have to do with uploading a proxy to DIRAC? All grid services keep user proxies to execute tasks, access data, process requests, connect to other services...

> For this reason I prefer not to wait 10 minutes before uploading the user certificate to DIRAC.

I do not understand your concern. Can you elaborate further? What's the problem with registering the user, waiting for the PM to update and then uploading your proxy?

Cheers,
 Adri

 

 
 

Diego Michelotto

Jul 11, 2013, 6:14:24 AM
to diracgr...@googlegroups.com, Diego Michelotto
Hi Andrei,

You are right when you say that grid services use a proxy, but in my case I have the user's certificate and the user's key, not the user's proxy. I cannot keep only the proxy because I'm using the multi VO DIRAC configuration, so I have to load the user's proxy for each group/VO in DIRAC, regenerating the proxy every time with the correct group.

I hope I have explained my problem better.

Cheers,
Diego
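
Added example, not part of the thread and not DIRAC code: one way to defer the upload as suggested above while bounding how long the private key stays on disk. `upload_with_retry`, `wipe_key`, `MAX_WAIT` and `INTERVAL` are hypothetical names; it assumes the upload command runs non-interactively, prints the "Unauthorized query" message while the Proxy Manager cache is stale, and exits 0 on success.

```bash
#!/usr/bin/env bash
# Added example (not DIRAC code). All function and variable names are hypothetical.
# Assumptions: the upload command runs non-interactively, prints the
# "Unauthorized query" message while the Proxy Manager cache is stale,
# and exits 0 on success. KEYFILE is the portal's temporary copy of the key.

MAX_WAIT=${MAX_WAIT:-600}  # cache staleness bound stated in the thread: 10 minutes
INTERVAL=${INTERVAL:-30}   # seconds between attempts (constructed value)

# Remove the private key; shred if available, plain rm otherwise.
wipe_key() {
    [ -e "$1" ] || return 0
    shred -u -- "$1" 2>/dev/null || rm -f -- "$1"
}

# upload_with_retry KEYFILE CMD [ARGS...]
# Returns 0 = uploaded, 1 = failed for another reason, 2 = window expired.
# KEYFILE is wiped on every exit path, so it never outlives MAX_WAIT.
upload_with_retry() {
    local keyfile=$1 out status rc deadline
    shift
    deadline=$(( $(date +%s) + MAX_WAIT ))
    while :; do
        if out=$("$@" 2>&1); then status=0; else status=$?; fi
        # Matches both spellings: the CLI output quoted in the thread lacks the "h".
        if printf '%s\n' "$out" | grep -Eqi 'unauth?orized query'; then
            # Stale cache: retry only if the next attempt still fits the window.
            if [ $(( $(date +%s) + INTERVAL )) -gt "$deadline" ]; then rc=2; break; fi
            sleep "$INTERVAL"
        elif [ "$status" -eq 0 ]; then
            rc=0; break
        else
            rc=1; break
        fi
    done
    wipe_key "$keyfile"
    printf '%s\n' "$out"
    return "$rc"
}

# Usage with the command from the thread (paths are the thread's placeholders):
#   upload_with_retry pathtouserkey \
#       dirac-proxy-init -C pathtousercert -K pathtouserkey -g gridit_user
```

A return code of 2 means the cache did not refresh within the window; the key is already gone at that point, so the portal has to obtain it from the user again.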