simonsobs-uk / data-centre

This tracks the issues in the baseline design of the SO:UK Data Centre at Blackett
https://souk-data-centre.readthedocs.io
BSD 3-Clause "New" or "Revised" License

VOMS proxy expiration time always set to 12 hours regardless of vomslife #19

Closed ickc closed 9 months ago

ickc commented 9 months ago

Hi, @rwf14f,

MWE, running on vm77:

❯ voms-proxy-init --voms souk.ac.uk --vomslife 10000:0; date 
Enter GRID pass phrase for this identity:
Contacting voms02.gridpp.ac.uk:15519 [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk] "souk.ac.uk"...
Remote VOMS server contacted succesfully.

voms02.gridpp.ac.uk:15519: The validity of this VOMS AC in your proxy is shortened to 604800 seconds!

Created proxy in /tmp/x509up_u511.

Your proxy is valid until Tue Nov 07 11:00:29 GMT 2023
Mon Nov  6 23:00:30 GMT 2023

Explanation:

When running instead

❯ voms-proxy-init --voms souk.ac.uk --vomslife 1:0; date 
Enter GRID pass phrase for this identity:
Contacting voms02.gridpp.ac.uk:15519 [/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk] "souk.ac.uk"...
Remote VOMS server contacted succesfully.

Created proxy in /tmp/x509up_u511.

Your proxy is valid until Tue Nov 07 11:07:16 GMT 2023
Mon Nov  6 23:07:17 GMT 2023

i.e. requesting 1 hour also resulted in 12 hours.

rwf14f commented 9 months ago

A VOMS proxy consists of a grid proxy and a VOMS AC (attribute certificate) that is added to the grid proxy as an extension. Both have their own expiration date, which you can check by running voms-proxy-info --all. The --voms-life option sets the lifetime of the AC, but not of the proxy, which defaults to 12 hours. The AC can't be used without a valid proxy, so extending it beyond the lifetime of the proxy isn't going to work. Don't use --voms-life; use --valid <h:m> instead to set the lifetime of both the proxy and the AC to the same value. Proxies should be short-lived. Long-lived proxies can become a security risk as they cannot be revoked. If a proxy is compromised, the user certificate has to be revoked instead.
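The two lifetimes described in the comment above can be checked mechanically. The following is an added example, not code from the issue thread or from the SO:UK Data Centre project: a POSIX shell script that parses the output of `voms-proxy-info --all`, pulls out the grid proxy's own `timeleft` and the AC's `timeleft` under the VO extension section, and flags the case where the AC would outlive the proxy (i.e. the `--vomslife` case reported in this issue). The sample output embedded below is constructed to resemble the command's layout (subject names are placeholders), and the 12-hour limit used to flag long-lived proxies is taken from the default stated above; both are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the issue thread): compare the grid proxy
# "timeleft" and the VOMS AC "timeleft" as printed by `voms-proxy-info --all`.
# Against a live proxy:  check_proxy_lifetimes "$(voms-proxy-info --all)"

# Proxies longer than this are flagged as long-lived (assumption: the 12-hour
# default lifetime mentioned above).
MAX_PROXY_SECONDS=43200

# Convert "HH:MM:SS" (hours may exceed 24, e.g. 167:59:55) to seconds.
hms_to_seconds() {
    printf '%s\n' "$1" | awk -F: '{ print $1*3600 + $2*60 + $3 }'
}

# First "timeleft" line before the "=== VO ..." header: the grid proxy itself.
proxy_timeleft() {
    printf '%s\n' "$1" | awk '/^=== VO/ { exit } /^timeleft/ { print $3; exit }'
}

# First "timeleft" line after the "=== VO ..." header: the VOMS AC.
ac_timeleft() {
    printf '%s\n' "$1" | awk '/^=== VO/ { in_vo = 1; next } in_vo && /^timeleft/ { print $3; exit }'
}

# Exit status: 0 consistent, 1 AC outlives proxy, 2 values missing,
# 3 proxy longer than MAX_PROXY_SECONDS.
check_proxy_lifetimes() {
    p=$(proxy_timeleft "$1"); a=$(ac_timeleft "$1")
    if [ -z "$p" ] || [ -z "$a" ]; then
        echo "could not find both timeleft values in voms-proxy-info output" >&2
        return 2
    fi
    p_s=$(hms_to_seconds "$p"); a_s=$(hms_to_seconds "$a")
    if [ "$a_s" -gt "$p_s" ]; then
        echo "AC timeleft $a exceeds proxy timeleft $p: the AC is unusable once the proxy expires" >&2
        return 1
    fi
    if [ "$p_s" -gt "$MAX_PROXY_SECONDS" ]; then
        echo "proxy timeleft $p exceeds $MAX_PROXY_SECONDS s: long-lived proxies cannot be revoked" >&2
        return 3
    fi
    echo "proxy timeleft $p, AC timeleft $a: consistent"
    return 0
}

# Constructed sample: what `--vomslife 10000:0` produces (AC lifetime capped by
# the server at 604800 s, proxy still 12 h).
SAMPLE_MISMATCH='subject   : /C=UK/O=eScience/OU=Example/L=Example/CN=example user/CN=1234567890
issuer    : /C=UK/O=eScience/OU=Example/L=Example/CN=example user
identity  : /C=UK/O=eScience/OU=Example/L=Example/CN=example user
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u511
timeleft  : 11:59:55
key usage : Digital Signature, Key Encipherment
=== VO souk.ac.uk extension information ===
VO        : souk.ac.uk
subject   : /C=UK/O=eScience/OU=Example/L=Example/CN=example user
issuer    : /C=UK/O=eScience/OU=Oxford/L=OeSC/CN=voms02.gridpp.ac.uk
attribute : /souk.ac.uk/Role=NULL/Capability=NULL
timeleft  : 167:59:55
uri       : voms02.gridpp.ac.uk:15519'

# Constructed sample: what `--valid 12:0` produces (both lifetimes aligned).
SAMPLE_OK=$(printf '%s\n' "$SAMPLE_MISMATCH" | sed 's/^timeleft  : 167:59:55$/timeleft  : 11:59:55/')

check_proxy_lifetimes "$SAMPLE_MISMATCH" || echo "exit status $?"
check_proxy_lifetimes "$SAMPLE_OK"
```

The parse relies only on the `timeleft` field appearing once in the proxy section and once in each VO extension section, which is how the tool lays out its output; if more than one VO is listed, only the first AC is checked.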

ickc commented 9 months ago

Thanks!

The official documentation is misleading: VOMS Client Guide. So is the stdout/stderr above. It seems they make it impossible to read through the documentation and know what's going on. At this page, https://italiangrid.github.io/voms/documentation.html, they have 3 different guides and 7 different versions without any description of how to navigate it.

We plan to release our own documentation in https://souk-data-centre.readthedocs.io/en/latest/user/pipeline/4-IO/1-grid-storage-system/ and https://souk-data-centre.readthedocs.io/en/latest/user/pipeline/4-IO/1-grid-storage-system-2/. Could you take a quick look if there's anything inaccurate or worth expanding there?

Also, is there other, better documentation out there? Processes like this must have been done a million times, and I imagine someone must have documented it for end users already?