VOMS AA ignores expired AUP
Closed this issue · 2 comments
vokac commented
Although this topic was already touched in #446, this issue still seems to be present, e.g.

```console
$ curl -s -X GET -H "Authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" https://atlas-auth.web.cern.ch/iam/aup/ | jq .signatureValidityInDays
3650
$ curl -s -X GET -H "Authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" https://atlas-auth.web.cern.ch/iam/aup/signature/b41bd224-951e-47b9-8f86-c234e491d8b4 | jq .signatureTime
"2010-01-01T00:00:00.000Z"
$ voms-proxy-init -voms atlas
Enter GRID pass phrase for this identity:
Contacting voms-atlas-auth.app.cern.ch:443 [/DC=ch/DC=cern/OU=computers/CN=atlas-auth.web.cern.ch] "atlas"...
Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u8021.
Your proxy is valid until Tue Jan 16 13:29:13 CET 2024
```
AUP expiration is currently set to 10 years for our IAM instance. I used the IAM API to set the AUP signature time to January 1st 2010, but I'm still able to get a VOMS proxy with an expired AUP.
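The check the report above expects the VOMS attribute authority to perform is simple to state: the AUP signature is valid only while `signatureTime + signatureValidityInDays` lies in the future. The following script is an added example (not code from this issue, from INDIGO IAM or from voms-aa) that evaluates exactly that from the two API responses shown, using constructed JSON samples with the same values (10-year validity, signature back-dated to 2010-01-01). It assumes the IAM timestamp format seen in the output (`YYYY-MM-DDTHH:MM:SS.mmmZ`, UTC), and treats a `signatureValidityInDays` of 0 as "never expires", which is an assumption about the IAM setting rather than something the issue states.

```python
"""Decide whether a VOMS proxy should be issued based on the user's AUP state.

Added example, not part of the issue, IAM or voms-aa. Inputs are the raw
bodies of GET /iam/aup and GET /iam/aup/signature/<uuid>.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample of GET /iam/aup, mirroring the issue (10-year validity).
AUP_JSON = '{"signatureValidityInDays": 3650}'

# Constructed sample of GET /iam/aup/signature/<uuid>, mirroring the issue
# (signature back-dated to 2010-01-01, i.e. long expired by 2024).
SIGNATURE_JSON = '{"signatureTime": "2010-01-01T00:00:00.000Z"}'


def parse_iam_time(value: str) -> datetime:
    """Parse IAM's UTC timestamp format with millisecond precision and 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc
    )


def aup_expiry(aup: dict, signature: Optional[dict]) -> Optional[datetime]:
    """Return the instant the signature stops being valid, or None if there
    is no usable signature (user never signed the AUP)."""
    if not signature or "signatureTime" not in signature:
        return None
    validity_days = int(aup["signatureValidityInDays"])
    return parse_iam_time(signature["signatureTime"]) + timedelta(days=validity_days)


def check_aup(aup_json: str, signature_json: Optional[str], now_iso: str) -> dict:
    """Evaluate the AUP state at time `now_iso` and return a small report
    saying whether an attribute authority should issue a proxy and why."""
    aup = json.loads(aup_json)
    signature = json.loads(signature_json) if signature_json else None
    now = parse_iam_time(now_iso)

    if not signature or "signatureTime" not in signature:
        # No signature at all: deny, regardless of the validity setting.
        return {"issue_proxy": False, "reason": "AUP not signed", "expires": None}

    # Assumption: a validity of 0 days means the signature never expires.
    if int(aup["signatureValidityInDays"]) == 0:
        return {"issue_proxy": True, "reason": "AUP signature never expires", "expires": None}

    expiry = aup_expiry(aup, signature)
    if now >= expiry:
        # This is the case the issue describes: the proxy must NOT be issued.
        return {"issue_proxy": False, "reason": "AUP signature expired", "expires": expiry.isoformat()}
    return {"issue_proxy": True, "reason": "AUP signature valid", "expires": expiry.isoformat()}


if __name__ == "__main__":
    # Evaluate the issue's scenario at roughly the time the proxy was requested.
    print(json.dumps(check_aup(AUP_JSON, SIGNATURE_JSON, "2024-01-16T12:29:13.000Z"), indent=2))
```

Note that 3650 days from 2010-01-01 is 2019-12-30 (two leap days fall in that range), so the sample signature had been expired for about four years when the proxy in the report was issued; a correctly behaving attribute authority would have refused it.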
rmiccoli commented
Hi, we think it is due to the fact that CERN IAM instances are using old images of voms-aa.
vokac commented
Discussed with CERN IAM Ops, they'll deploy updated voms-aa and also keep up-to-date version in future.