Skip to content

[9.0] fix: credDict does not necessarly have a VO#7492

Closed
fstagni wants to merge 1 commit intoDIRACGrid:integrationfrom
fstagni:fixVO
Closed

[9.0] fix: credDict does not necessarly have a VO#7492
fstagni wants to merge 1 commit intoDIRACGrid:integrationfrom
fstagni:fixVO

Conversation

@fstagni
Copy link
Contributor

@fstagni fstagni commented Feb 29, 2024

No description provided.

@fstagni fstagni requested a review from atsareg as a code owner February 29, 2024 10:20
chaen
chaen reviewed Mar 1, 2024
View reviewed changes
src/DIRAC/WorkloadManagementSystem/Service/SandboxStoreHandler.py
credDict["group"],
credDict["VO"],
credDict.get("VO", "unknown"),
self.__localSEName,
Copy link
Contributor

@chaen chaen Mar 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there should always be a VO. If not, there's something fishy.
Or are we sometimes not calling this method with a proxy ?

DIRAC/src/DIRAC/Core/Security/m2crypto/X509Chain.py

Lines 957 to 965 in 3856af9

if retVal["OK"]:
diracGroup = retVal["Value"]
credDict["group"] = diracGroup
if withRegistryInfo:
retVal = Registry.getGroupsForUser(credDict["username"])
if retVal["OK"] and diracGroup in retVal["Value"]:
credDict["validGroup"] = True
credDict["groupProperties"] = Registry.getPropertiesForGroup(diracGroup)
credDict["VO"] = Registry.getVOForGroup(diracGroup)

Copy link
Contributor Author

@fstagni fstagni Mar 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can certainly call this without a proxy, this is actually what we do from the Web.

Copy link
Contributor Author

@fstagni fstagni Mar 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, when we call this from the WebApp, we are using the user certificate, not the proxy nor a server certificate, and this is what we get in the credDict the end:

{'subject': '/DC=ch/DC=cern/OU=computers/CN=lbcertifdirac70.cern.ch', 'issuer': '/DC=ch/DC=cern/CN=CERN Grid Certification Authority', 'secondsLeft': 17751500, 'isProxy': False, 'isLimitedProxy': False, 'validDN': False, 'validGroup': False, 'DN': '/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=fstagni/CN=693025/CN=Federico Stagni', 'x509Chain': <X509Chain 3 certs [/DC=ch/DC=cern/OU=computers/CN=lbcertifdirac70.cern.ch][/DC=ch/DC=cern/CN=CERN Grid Certification Authority][/C=ch/O=CERN/CN=CERN Root Certification Authority 2]>, 'properties': ['NormalUser'], 'group': 'dteam_user', 'username': 'fstagni'}

So, I can close this PR and get the VO also for this case.

Copy link
Contributor

@chaen chaen Mar 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Though please keep it under the withRegistryInfo flag (it should be indented)

Copy link
Contributor Author

@fstagni fstagni Mar 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why? This part does not seem reachable:

DIRAC/src/DIRAC/Core/DISET/private/Transports/SSL/M2Utils.py

Line 196 in 16c620e

creds = chain.getCredentials(withRegistryInfo=False)

(introduced back in https://github.com/DIRACGrid/DIRAC/pull/4584/files#diff-dd84180c08082195283af10ef43ad09b451e4e401fb7e4fbecd050ccc178e42c)

chaen
chaen reviewed Mar 1, 2024
View reviewed changes
src/DIRAC/WorkloadManagementSystem/Service/SandboxStoreHandler.py
credDict["username"],
credDict["group"],
credDict["VO"],
credDict.get("VO", "unknown"),
Copy link
Contributor

@chaen chaen Mar 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
credDict.get("VO", "unknown"),
vo,

@fstagni fstagni closed this Mar 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chaen chaen chaen left review comments

@atsareg atsareg Awaiting requested review from atsareg atsareg is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fstagni @chaen