egi-federation / ansible-role-voms-client Goto Github PK

Hi,

During the creation of a proxy (with any VO) I have the following error message:
org.italigrid.voms.VOMSError: LSC fiel parsing error: Malformed LSC file (vo=vo.grif.fr, host=grid12.lal.in2p3.fr): No distinguished name entries found

Thabn you.
Cheers, Giuseppe

There is not a 1-1 mapping between VOs and their VOMS servers. Sometimes VOs have no VOMS server, and sometimes they have more than 1. Currently, the task which configures the vomses file for the VO has a loop over VO, and has two issues:

1. The task fails when there is no VOMSES configuration for the VO
2. The task only configures the first VOMS found, and does not do all of them.

This should be fixed by having an outer loop over VOs and an inner loop over VOMSes.

Good luck 🤔

Allow to configure only specific VO, saving lots of time when setting up the env.

Some VOs do not have vomses.
The json array passed by lavoisier contains all VOs, some of which we know the task will fail on, since they have a nonstandard structure - this causes the json_query lookup to fail.
At the moment (pre v0.1.0), we have a dirty hack to run the configure tasks across known-good slices of the array. It would be nice to pass known-bad items to the query in order to exclude them.

Build 19 failed because of a timeout. This can be fixed by increasing the timeout

Since Ansible-2.6, reported in ansible/ansible#42162 the pip module docker-py should be replaced with docker. This is causing builds from 31 to fail.

In order to install the voms clients for debian, we would need to build them from source using https://github.com/italiangrid/voms-clients.git

This can be done quite easily, but care should be taken to reduce the size of the container or VM that results, since a full-blown build environment with Java, git, etc is required.

OCD striking...

It may be appropriate to rename the project to ansible-* something to remain aligned with the usual naming scheme we are using and that was used for all the other ansible-related components.
We may or may not also want to use some specific casing.

The voms servers at Padova have recently had a host certificate upgrade - see
https://operations-portal.egi.eu/broadcast/archive/2275

Summary of proposed changes

Update data.yml

A branch has been created for release v0.1.0-rc.

We need to check the following before merging it into master and tagging the release:

• Community Health check
• Builds passing
• Test coverage described and implemented
• All necessary documentation is in place
• Example realistic playbook provided
• Repository enabled in Zenodo
• Role enabled in Galaxy
• Authors file up to date

The task currently creates a "TBD" content only.

The VOMS certs json given by http://cclavoisier01.in2p3.fr:8080/lavoisier/voms-certificates?accept=json has some entries which do not follow the general structure:

{
    "expiry": "Sat May 04 22:57:06 CEST 2019",
    "host": "voms.fnal.gov",
    "X509Cert": [{
      "DN": ["/DC=org/DC=opensciencegrid/O=Open Science Grid/OU=Services/CN=voms1.fnal.gov"]
    }, {
      "CA_DN": ["/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon OSG CA 1"]
    }, {
      "X509PublicKey": ["-----BEGIN CERTIFICATE-----\nMIIEQDCCAyigAwIBAgIFAQAAwo0wDQYJKoZIhvcNAQELBQAwaDETMBEGCgmSJomT8ixkARkWA29y\nZzEXMBUGCgmSJomT8ixkARkWB2NpbG9nb24xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdDSUxvZ29u\nMRkwFwYDVQQDExBDSUxvZ29uIE9TRyBDQSAxMB4XDTE4MDQwNDIwNTIwNloXDTE5MDUwNDIwNTcw\nNlowfjETMBEGCgmSJomT8ixkARkWA29yZzEfMB0GCgmSJomT8ixkARkWD29wZW5zY2llbmNlZ3Jp\nZDEaMBgGA1UEChMRT3BlbiBTY2llbmNlIEdyaWQxETAPBgNVBAsTCFNlcnZpY2VzMRcwFQYDVQQD\nEw52b21zMS5mbmFsLmdvdjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrCRdvstr6i\nc7JWeH9v9pTl9TWcNnhjUsqpmfLDsdHnmoW1JYC6JFXCZTpFbS2Fz0c9Q7xgP2M9/WBgHzauHdIN\nwLqJy3oxVa0KIN+gt/NxfwxO5Jy76zY1eg8esI0ZilQjT13GOJsyxNr+0CmP9+I+WOgTXTd/RVG5\njpZyNO7+tH+uUuuIR/hXJyWPxd7xqhxOJ1A9IK3N34WR2p2lQD7nXz2AogFFULmh0EV/xftzkk4G\nRixKU7SZtCd+rYI1Z9NvQosrISm0mOXWORRC/bfovKwLWWmibeWXMbJd+8mC53mQFZRuaLd4m7ph\nKqkkXH/3/RIUZy5qCnJb5UBtuPECAwEAAaOB2jCB1zAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQE\nAwIEsDAmBgNVHSAEHzAdMA0GCysGAQQBgpE2AQYCMAwGCiqGSIb3TAUCAgEwNwYDVR0fBDAwLjAs\noCqgKIYmaHR0cDovL2NybC5jaWxvZ29uLm9yZy9jaWxvZ29uLW9zZy5jcmwwHQYDVR0lBBYwFAYI\nKwYBBQUHAwIGCCsGAQUFBwMBMDcGA1UdEQQwMC6CDnZvbXMxLmZuYWwuZ292gg12b21zLmZuYWwu\nZ292gQ10aW1tQGZuYWwuZ292MA0GCSqGSIb3DQEBCwUAA4IBAQCSSCQ3ptGUM+j5Cp/AHJu0Cw1v\nJQp+eVJGjdShCdm/HK6jaqbNmNggqU2uurcGplnZEON4iaKVuT6vFEWbG0O2yluMCAdaqSJBws5m\ni55kuja4IbsJ8KeSjQlTkrszU3VNQofa4gcNWSql+VYjxggDrnsAunL8lG6CfSHXFDX23zx1yfEk\nw8syQXYZevUq8dky1tNMHCspMY7g9cA+UOCbHvE0xBMdQOU08R4PFpNMP4/AskCadui+ObFqomzB\nVDr5D3FGurRSVNyHXm5FAiIxQcf2sDf9jZRk11jCyjOigZzOoMNOHDHzFlrmCl2NVxklAfEyq6rU\nt2CVYeQq3CJN\n-----END CERTIFICATE-----\n"]
    }, {
      "SerialNumber": ["4295017101"]
    }]
}

Instead, they have errors:

{
    "entries": [{
      "key": "key",
      "entry": ["glow-voms.cs.wisc.edu"]
    }, {
      "key": "ERROR",
      "entry": ["fr.in2p3.lavoisier.interfaces.error.InitializationException: Exception raised for view 'voms-certificate-url' [java.net.SocketTimeoutException: connect timed out]"]
    }]
  }

This causes a task which asks for X509Cert to fail.

I could implement a little filter to exclude entries which do not follow the right structure, but I was wondering whether this data can be cleaned by passing different options to lavoisier.

The python script to cache data from Lavoisier is only python2 compatible and will give errors in python3, as pointed out by @enolfc in #12

Either update the script to be compatible for both environments, or add a new one which will work for python3.