[Swift-devel] Re: latest Falkon code is in SVN!

Ioan Raicu iraicu at cs.uchicago.edu
Wed Sep 5 17:05:30 CDT 2007


Hi,
I don't know off the top of my head what might be wrong; I'll dig into 
it later.

I would argue for having the default with no security enabled, 
especially between workers and the service. 

Remember that the typical scenario is:
client in the public internet
service on login node of some grid site
workers on compute nodes of the same grid site

I could understand if you want to have client to service security as a 
default, but even that might cause more problems than it's worth as most 
new users will probably get stuck at that point. 

I guess we can make the defaults anything we want, but we should clearly 
outline in the readme files how to change it.

Ioan

Ben Clifford wrote:
> On Fri, 31 Aug 2007, Ioan Raicu wrote:
>
>   
>> Right, by default, all the scripts are without security.  To enable security,
>> one would have to modify 3 scripts (the service script -- remove -nosec
>> option, the worker script -- replace http with https, and the client script --
>> replace http with https), and update the etc/client-security-config.xml on the
>> worker and client accordingly with the relevant security parameters.  It is
>> pretty straightforward, but I haven't got the chance to document it yet.
>>     
>
> I made this change:
>
> --- worker/etc/client-security-config.xml       (revision 1191)
> +++ worker/etc/client-security-config.xml       (working copy)
> @@ -1,8 +1,8 @@
>  <?xml version="1.0" encoding="UTF-8"?>
>  <!-- worker side -->
>  <securityConfig xmlns="http://www.globus.org">
> -<!--    <authz value="self"/>  -->
> -    <authz value="none"/>  
> +   <authz value="self"/>
> +<!--    <authz value="none"/>   -->
>      <!--<GSITransport>
>          <integrity/> 
>          <privacy/>     
>
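Review bot: With <authz value="self"/> now active, the <GSITransport> block that opens on the next context line is still inside a comment as far as the visible context shows, so <integrity/> and <privacy/> remain disabled in this file. If the intent is to turn security on for the worker, consider uncommenting that block in the same change, or note why it stays off. The description quoted above also lists script changes (removing -nosec from the service script, replacing http with https in the worker and client scripts) that this hunk does not cover, so the config and the endpoint scheme should be checked together. Minor: the new <authz> line is indented three spaces where the surrounding lines use four.
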
> but I get subject name errors when I run the worker, thusly:
>
> Caused by: org.globus.common.ChainedIOException: Authentication failed 
> [Caused by: Operation unauthorized (Mechanism level: Authorization failed. 
> Expected "/CN=host/localhost" target but received 
> "/DC=org/DC=doegrids/OU=People/CN=Benjamin Clifford 418168")]
>
>
> I'm expecting everything to be using my subject name and there to be no 
> host subject names anywhere.
>
> I can give more details about the other changes I've made if it would be 
> useful.
>
>   

-- 
============================================
Ioan Raicu
Ph.D. Student
============================================
Distributed Systems Laboratory
Computer Science Department
University of Chicago
1100 E. 58th Street, Ryerson Hall
Chicago, IL 60637
============================================
Email: iraicu at cs.uchicago.edu
Web:   http://www.cs.uchicago.edu/~iraicu
       http://dsl.cs.uchicago.edu/
============================================