2008-06-06 12:18, original submission:
LHCb found that jobs submitted via their DIRAC system e.g. by their
French users can easily abort due to the length of the proxy chain.
The DIRAC system uses MyProxy to renew user proxies as needed.
Such a renewed proxy always has 3 delegations ("/CN=proxy") added
to the certificate subject (that is how MyProxy works).
Next it dresses the plain grid proxy with the VOMS extensions that
are needed for the user's jobs, which adds another delegation.
On job submission to the grid the resulting proxy gets delegated to
the RB or WMS, which in turn delegates it to the CE.
By this time there have been 3 + 1 + 1 + 1 = 6 delegations added to
the certificate subject, so the user part of the chain has a length
The Globus OpenSSL code provided by VDT 1.6 and earlier restricts
the total chain length to a maximum of 9.
In the LHCb scenario that leaves a maximum of 2 subjects related
to the CA that signed the certificate. Unfortunately there are
CAs that add 3 subjects, e.g. the French CA.
Furthermore, even if the CA only adds 2 subjects, the proxy chain
is at the limit, making further delegations (e.g. to SRM or FTS)
It seems fairly urgent that this restriction be removed.
The Globus trunk was fixed in June last year:
This means that VDT 1.10 most probably contains the fix.
Alternatively we could have the same patch applied to VDT 1.6.
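
The chain-length accounting described in the submission, as an added example that is not part of the original report or of Globus/VDT code: it counts the trailing "/CN=proxy" components of a proxy subject and checks the total against the limit of 9. The subject string, the function names, and the model "total = CA subjects + user certificate + one per delegation" are assumptions made for illustration.

```python
import re

MAX_CHAIN = 9  # total chain length limit the report gives for VDT 1.6 and earlier
PROXY_RDNS = {"CN=proxy", "CN=limited proxy"}  # legacy Globus proxy markers

def split_dn(subject):
    """Split an OpenSSL one-line subject into RDNs, keeping '/' inside values."""
    return [p for p in re.split(r"/(?=[A-Za-z0-9.]+=)", subject) if p]

def count_delegations(subject):
    """Count only the trailing proxy RDNs, so a user CN is never miscounted."""
    n = 0
    for rdn in reversed(split_dn(subject)):
        if rdn not in PROXY_RDNS:
            break
        n += 1
    return n

def chain_report(subject, ca_subjects, limit=MAX_CHAIN):
    """Assumed model: total = CA subjects + user certificate + delegations."""
    delegations = count_delegations(subject)
    total = ca_subjects + 1 + delegations
    return {"delegations": delegations, "total": total,
            "fits": total <= limit, "headroom": max(limit - total, 0)}

def build_sample():
    """Constructed subject following the delegation steps in the report."""
    subject = "/DC=example/DC=grid/CN=Constructed User"  # constructed, not a real DN
    steps = (("MyProxy renewal", 3), ("VOMS extensions", 1),
             ("RB or WMS", 1), ("CE", 1))
    for _step, added in steps:
        subject += "/CN=proxy" * added
    return subject

if __name__ == "__main__":
    sample = build_sample()
    for ca_subjects in (2, 3):  # the two CA cases discussed in the report
        print(ca_subjects, chain_report(sample, ca_subjects))
```

`headroom` is the number of further delegations (e.g. to SRM or FTS) that would still fit under the limit.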