Service Account - /core get anonymus info

[antonelepfl]

When I get the information on https://bspsa.cineca.it/advanced/pizdaint/rest/core

I have missing information:

In normal PizDaint I get the correct information:

I think this might be a Unicore related issue. Maybe restarting the service helps

[BerndSchuller]

Since you are asking, UNICORE is working fine. I am correctly authenticated at Piz Daint with both my old and new collab accounts (BTW your second screenshot is from Jureca, not DAINT)

As to accessing https://bspsa.cineca.it/advanced/pizdaint/rest/core I see the same issue: the "anonymous" DN.

[antonelepfl]

Right Bernd, in PizDaint I also get the correct information:

[lbologna]

Hello @antonelepfl @BerndSchuller,

last week we moved the vm where the Service Account is running to a different machine on CINECA. This implied the change of the IP but the domain has remained the same and the vm is up: https://bspsa.cineca.it/status/

@BerndSchuller may this IP change have caused a mulfunctioning of the mapping to the HPC system user (the submission is not performed through token authentication but via username and password insertion)?

Here we report the entire error message of a test call, where an IP address issue seems to be raised: 400 '"{\"errorMessage\":\"Could not submit job: eu.unicore.security.AuthorisationException: There are no accessible targetsystem factories for: Name: CN=ANONYMOUS,O=UNKNOWN,OU=UNKNOWN\\nXlogin: uid: [], gids: [addingOSgroups: true]\\nRole: anonymous: No role information available\\nSecurity tokens: Delegation to consignor status: false, core delegation status: false\\nMessage signature status: UNCHECKED\\nClient\'s original IP: 131.175.198.110 Please check your security setup!\",\"status\":500}"'

Thanks.

[BerndSchuller]

hi Luca, all,

@BerndSchuller may this IP change have caused a mulfunctioning of the mapping to the HPC system user (the submission is not performed through token authentication but via username and password insertion)?

Last week Fabio Verzelloni from CSCS updated the UNICORE installation. It is possible that the special mapping for the service account was not ported over properly. Please contact him!

[lbologna]

Hello @BerndSchuller ,

thank you, I will write to Fabio.

[antonelepfl]

@lbologna do we have any update on this?

[lbologna]

Hello @antonelepfl,

Fabio at CSCS solved the authentication issue. Now the submission works but it seems we are getting html text as response, instead of json as it was before.

@BerndSchuller is this due to the new UNICORE version? maybe we are we disregarding some parameters in the job submission?

Thanks.

[BerndSchuller]

always add a "Accept: application/json" header to your REST calls

[lbologna]

Thanks @BerndSchuller,

we found a misprint in the call code and were using "Content-Type" (as for POST) instead of "Accept". Strangely enough, never gave any problem before. Now it seems to work again.

@antonelepfl could you please try again? Thanks.

[antonelepfl]

Hi @lbologna so the issue with /core is fixed but now when I try to submit a job I get:

{"errorMessage":"Error uploading to '/BlueConfig': java.io.IOException: Execution on TSI server failed. Reply was TSI_FAILED: [Errno 13] Permission denied: '/scratch/snx3000/unicore/FILESPACE/29afbc2c-78e5-46a3-a80a-2daf939c501b///BlueConfig'\n","status":500}

Not very sure if it is related to the change of Content-Type that you did though. (see that sometimes you need to use both and for upload too)

[rcsm17]

Hi @lbologna so the issue with /core is fixed but now when I try to submit a job I get:

{"errorMessage":"Error uploading to '/BlueConfig': java.io.IOException: Execution on TSI server failed. Reply was TSI_FAILED: [Errno 13] Permission denied: '/scratch/snx3000/unicore/FILESPACE/29afbc2c-78e5-46a3-a80a-2daf939c501b///BlueConfig'\n","status":500}

Not very sure if it is related to the change of Content-Type that you did though. (see that sometimes you need to use both and for upload too)

Hi @antonelepfl can you try again now ?

[antonelepfl]

Yes now it works! Thanks. We can close this ticket