Argus PEP Server: Troubleshooting
PEP Daemon Returns “Stale” Results
The PEPd keeps a short-lived response cache (10 minutes by default), so identical requests made within that period always receive the same answer. If you’re testing, this can be a pain. You can clear the cache using the pepdctl clearResponseCache command. You can also turn off the cache through the maximumCachedResponses option documented in the PEPd configuration. Just be sure to enable it again before you put the system under heavy load.
Note that the PDP also caches the policies it reads, so during testing you may also want to configure the PDP to pick up policies from the PAP more quickly via the retentionInterval option.
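The stale-result behaviour described above, as an added example: a toy Python model of a decision cache, not Argus code, showing that a policy change from permit to deny is not seen by a repeated request until the cache is cleared or the entry expires. The names ResponseCache, authorize and demo are hypothetical, the subject DN is constructed, and treating a maximum of 0 cached responses as "cache off" is an assumption of the model.

```python
import time

class ResponseCache:
    """Toy model of a PEP-side decision cache; not Argus code."""

    def __init__(self, max_responses=100, ttl_seconds=600, clock=time.monotonic):
        self.max_responses = max_responses  # assumption: 0 models "cache turned off"
        self.ttl = ttl_seconds              # 600 s = the 10-minute default in the text
        self.clock = clock
        self._entries = {}                  # request tuple -> (decision, expiry time)

    def clear(self):
        """Stands in for `pepdctl clearResponseCache`."""
        self._entries.clear()

    def authorize(self, request, pdp):
        """Return (decision, source) where source is 'cache' or 'pdp'."""
        now = self.clock()
        hit = self._entries.pop(request, None)
        if hit and hit[1] > now:
            self._entries[request] = hit     # still fresh: keep and reuse it
            return hit[0], "cache"
        decision = pdp(request)              # miss or expired: ask the PDP
        if self.max_responses > 0:
            if len(self._entries) >= self.max_responses:
                soonest = min(self._entries, key=lambda k: self._entries[k][1])
                del self._entries[soonest]   # evict the entry closest to expiry
            self._entries[request] = (decision, now + self.ttl)
        return decision, "pdp"

def demo(max_responses=100):
    policy = {"permit": True}                # constructed stand-in for the PDP's policy
    pdp = lambda req: "Permit" if policy["permit"] else "Deny"
    now = [0.0]                              # fake clock so the run is instant
    cache = ResponseCache(max_responses, clock=lambda: now[0])
    req = ("wn", "execute-now", "CN=Test User (constructed)", "/dech")
    trace = [cache.authorize(req, pdp)]      # first request reaches the PDP
    policy["permit"] = False                 # policy changed to deny this user
    now[0] = 60.0
    trace.append(cache.authorize(req, pdp))  # one minute later: stale Permit
    cache.clear()
    trace.append(cache.authorize(req, pdp))  # after clearing: fresh Deny
    policy["permit"] = True
    now[0] = 60.0 + 601.0
    trace.append(cache.authorize(req, pdp))  # TTL elapsed: PDP asked again
    return trace

if __name__ == "__main__":
    for decision, source in demo():
        print(f"{decision:6} from {source}")
```

When a test removes or tightens a permission, the second step of the trace is the case to watch: the earlier Permit keeps being served from the cache until it is cleared or expires.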
Testing a policy without submitting a job
When authoring new policies or troubleshooting existing policies, it can be helpful to mock up requests instead of getting users to perform the request over and over as you diagnose the problem. The PEPd offers a C and a Java command line tool. The C tool is useful for specifically testing cases where policies are based on the resource ID, action ID, subject ID, and FQAN attributes. The Java tool allows you to mock up any request.
Here is an example of using the C command line tool to test a job submission. It specifies the PEPd service, resource ID, action ID, user’s DN, and primary FQAN.
/opt/glite/bin/pepcli -v -x \
-p http://vesta.switch.ch:8154/authz \
-r http://authz-interop.org/xacml/resource/resource-type/wn \
-a http://authz-interop.org/xacml/action/action-type/execute-now \
-s "CN=Alessandro Usai,O=SWITCH,C=CH,DC=users,DC=switch,DC=grid,DC=quovadisglobal,DC=com" \
-f /dech \