alexanderrichards closed this 8 years ago
I can't actually recreate this behaviour outside Ganga - i.e. I can't get dirac-proxy-init to NOT add the VOMS extensions - can anyone else recreate this outside Ganga?
@drmarkwslater We're not using this tool to create/destroy proxies. We use the voms-proxy-init most of the time I think (I've not played around with the vanilla install for a while). If the dirac-proxy-init does something more sensible than voms-proxy-init or grid-proxy-init currently in the credentials code then surely the best thing to do is to use this as the default tool? (Also this goes more hand in hand with the GridPP way of presenting Ganga+Dirac to be the best way to use the grid.)
Hi,
dirac-proxy-init in .gangarc is suggested in this documentation written by Mark
https://www.gridpp.ac.uk/wiki/Guide_to_Ganga#Installation_and_Configuration
At first I thought the problem was -M missing from the command, but even with that it didn't work. We are heavily relying on that wiki in the UK for smaller or local groups. If it needs to be corrected please correct it.
I put this in as it is what is used by the Dirac docs on the GridPP wiki. This will mean we get the Dirac user group as well as a default voms proxy. For LHCb, this is set to lhcb-proxy-init I believe.
In any case, @afortiorama are you able to get dirac-proxy-init to NOT create the VOMS extensions? I don't seem to be able to and it also picks the correct ones even without -M:
bash-4.1$ dirac-proxy-init -g gridpp_user
Generating proxy...
Enter Certificate password:
Added VOMS attribute /gridpp
Uploading proxy for gridpp_user...
Proxy generated:
subject : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater/CN=proxy/CN=proxy
issuer : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater/CN=proxy
identity : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater
timeleft : 23:53:59
DIRAC group : gridpp_user
path : /tmp/x509up_u34811
username : mark.slater
properties : NormalUser
VOMS : True
VOMS fqan : ['/gridpp']
Proxies uploaded:
DN | Group | Until (GMT)
/C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater | na62.vo.gridpp.ac.uk_user | 2016/05/26 13:17
/C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater | gridpp_user | 2016/05/26 13:17
bash-4.1$ voms-proxy-info --all
subject : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater/CN=proxy/CN=proxy
issuer : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater/CN=proxy
identity : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater/CN=proxy
type : proxy
strength : 1024 bits
path : /tmp/x509up_u34811
timeleft : 23:53:36
key usage : Digital Signature, Key Encipherment, Data Encipherment
=== VO gridpp extension information ===
VO : gridpp
subject : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater
issuer : /C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk
attribute : /gridpp/Role=NULL/Capability=NULL
timeleft : 23:53:36
uri : voms.gridpp.ac.uk:15000
bash-4.1$ dirac-proxy-init -g na62.vo.gridpp.ac.uk_user
Generating proxy...
Enter Certificate password:
Added VOMS attribute /na62.vo.gridpp.ac.uk
Uploading proxy for na62.vo.gridpp.ac.uk_user...
Proxy generated:
subject : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater/CN=proxy/CN=proxy
issuer : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater/CN=proxy
identity : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater
timeleft : 23:53:59
DIRAC group : na62.vo.gridpp.ac.uk_user
path : /tmp/x509up_u34811
username : mark.slater
properties : NormalUser
VOMS : True
VOMS fqan : ['/na62.vo.gridpp.ac.uk']
Proxies uploaded:
DN | Group | Until (GMT)
/C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater | na62.vo.gridpp.ac.uk_user | 2016/05/26 13:17
/C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater | gridpp_user | 2016/05/26 13:17
bash-4.1$ voms-proxy-info --all
subject : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater/CN=proxy/CN=proxy
issuer : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater/CN=proxy
identity : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater/CN=proxy
type : proxy
strength : 1024 bits
path : /tmp/x509up_u34811
timeleft : 23:53:37
key usage : Digital Signature, Key Encipherment, Data Encipherment
=== VO na62.vo.gridpp.ac.uk extension information ===
VO : na62.vo.gridpp.ac.uk
subject : /C=UK/O=eScience/OU=Birmingham/L=ParticlePhysics/CN=mark slater
issuer : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=voms03.gridpp.ac.uk
attribute : /na62.vo.gridpp.ac.uk/Role=NULL/Capability=NULL
timeleft : 23:53:37
uri : voms03.gridpp.ac.uk:15501
I'll keep looking to see if I can see any other issues...
Hi Again!
@afortiorama Putting some debugging messages in shows that Ganga is running the command:
dirac-proxy-init -g gridpp_user -M -valid 24:00
and this works for me (as I say, even without the -M). What happens if you run this on the command line? Does it produce the voms extension correctly? Could you maybe send me your Dirac setup script? Maybe there's some differences there...
Hi Mark,
the problem wasn't with dirac-proxy-init but with what ganga runs. If you read the initial post it tells you what I did.
cheers alessandra
@afortiorama so looking at the specific output of your Ganga session it looks like it's not actually running dirac-proxy-init at all. In Ganga, it has the following:
Your identity: /C=UK/O=eScience/OU=Manchester/L=HEP/CN=alessandra forti
Enter GRID pass phrase for this identity:
Which is different from the output of dirac-proxy-init:
Generating proxy...
Enter Certificate password:
So could you send me your .gangarc (either attached to this or privately)? I suspect there's some setting that is making Ganga use grid-proxy-init instead.
Found the problem! It seems that python (or at least Ganga) doesn't like:
[group]param=value
instead of:
[group]
param=value
I've updated the docs for the GridPP wiki and will check to see if this is a Python or Ganga limitation.
Thanks!
Mark
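Added example, not part of the thread and not Ganga's own config code: it shows how Python 3's standard-library `configparser` treats the one-line form above (the option after the header is dropped without any error), and a pre-parse check that rejects it instead of silently falling back to defaults. `[group]` and `param` are the placeholders from the comment above; whether Ganga's loader behaves the same way is an assumption.

```python
import configparser
import re

# Constructed sample: the one-line form from the thread, then a well-formed section.
SAMPLE = """\
[group]param=value
[other]
key=1
"""

# A section header followed by anything other than whitespace or a comment.
TRAILING = re.compile(r"^\s*\[[^\]]+\]\s*(?P<rest>[^\s#;].*)$")


def parsed_options(text):
    """Return {section: {option: value}} as the standard-library parser sees it."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def find_header_trailers(text):
    """Return (line_number, trailing_text) for each header line carrying extra text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = TRAILING.match(line)
        if m:
            hits.append((n, m.group("rest").strip()))
    return hits


def load_strict(text):
    """Parse only if no header line has trailing text; otherwise refuse to load."""
    hits = find_header_trailers(text)
    if hits:
        raise ValueError(f"text after section header on line(s): {hits}")
    return parsed_options(text)


if __name__ == "__main__":
    # The section exists but is empty: param=value was discarded silently.
    print(parsed_options(SAMPLE))
    print(find_header_trailers(SAMPLE))
```

Running the strict loader at startup turns a silently ignored credential setting into a visible error before any proxy is generated.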
Here is an email from Simon quoting an LSST user:
The original email is below. Hopefully this is a small fix but obviously the new credentials system will be the proper solution.