LToS

From T2B Wiki
== Configuration of the CE ==
This [https://wiki.egi.eu/wiki/MAN12 link] explains how to set up the PUSP mechanism on the CE. However, applying those recipes to the letter will break the CE. Here are the configurations we have actually applied:
* /etc/glexec.conf
<pre>
[glexec]
create_target_proxy=no
lcas_db_file=/etc/lcas/lcas-glexec.db
lcas_debug_level=5
lcas_log_file=/var/log/glexec/lcas_lcmaps.log
lcas_log_level=5
lcmaps_db_file=/etc/lcmaps/lcmaps.db.glexec.pusp
lcmaps_debug_level=5
lcmaps_get_account_policy=combi_mapping
lcmaps_log_file=/var/log/glexec/lcas_lcmaps.log
lcmaps_log_level=5
lcmaps_voms_verification=no
linger=no
log_destination=file
log_file=/var/log/glexec/glexec.log
log_level=5
omission_private_key_white_list=tomcat
preserve_env_variables=
silent_logging=no
use_lcas=no
user_identity_switch_by=lcmaps
user_white_list=tomcat
</pre>
 
* /etc/lcmaps/lcmaps.db.glexec.pusp
<pre>
path = /usr/lib64/lcmaps
 
vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                      "-gridmapfile /etc/lcmaps/gridmapfile"
                      "-gridmapdir /etc/grid-security/gridmapdir"
                      "-override_inconsistency"
 
vomslocalgroup = "lcmaps_voms_localgroup.mod"
                      "-groupmapfile /etc/lcmaps/groupmapfile"
                      "-mapmin 0 "
 
proxycheck = "lcmaps_verify_proxy.mod"
                  "-certdir /etc/grid-security/certificates"
                  "--allow-limited-proxy"
 
posixenf = "lcmaps_posix_enf.mod"
                "-maxuid 1"
                "-maxpgid 1"
                "-maxsgid 32"
 
vomslocalaccount = "lcmaps_voms_localaccount.mod"
                        "-gridmapfile /etc/lcmaps/gridmapfile"
                        "-use_voms_gid"
 
robot_pool = "lcmaps_robot_poolaccount.mod"
                  "-gridmapfile /etc/grid-security/grid-mapfile"
                  "-gridmapdir /etc/grid-security/gridmapdir/"
 
poolaccount = "lcmaps_poolaccount.mod"
                  "-override_inconsistency"
                  "-gridmapfile /etc/grid-security/grid-mapfile"
                  "-gridmapdir /etc/grid-security/gridmapdir"
 
robot_ban_dn = "lcmaps_robot_ban_dn.mod"
                    "-banmapfile /etc/lcas/ban_users.db"
 
localaccount = "lcmaps_localaccount.mod"
                    "-gridmapfile /etc/grid-security/grid-mapfile"
 
ban_dn = "lcmaps_ban_dn.mod"
              "-banmapfile /etc/lcas/ban_users.db"
 
robot_local = "lcmaps_robot_localaccount.mod"
                  "-gridmapfile /etc/grid-security/grid-mapfile"
 
 
# Policies:
voms:
proxycheck -> vomslocalgroup
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> posixenf | vomspoolaccount
vomspoolaccount -> posixenf
 
standard:
proxycheck -> localaccount
localaccount -> posixenf | poolaccount
poolaccount -> posixenf
 
combi_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> proxycheck
proxycheck -> robot_pool
~robot_pool -> robot_local
~robot_local -> vomslocalgroup
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> posixenf | vomspoolaccount
vomspoolaccount -> posixenf
</pre>
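To see how the combi_mapping chain routes a credential, here is a small evaluator for the rule syntax used in this lcmaps.db (an added example, not code from the wiki or from LCMAPS). It assumes the usual reading of the rules: `a -> b | c` runs b when a succeeds and c when it fails, a bare `a -> b` fails the policy when a fails, and `~a -> b` runs b only when a fails and finishes successfully when a succeeds; module results are simulated with a dict instead of consulting the gridmapfiles.

```python
import re
# combi_mapping policy as written in lcmaps.db.glexec.pusp above.
POLICY = """combi_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> proxycheck
proxycheck -> robot_pool
~robot_pool -> robot_local
~robot_local -> vomslocalgroup
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> posixenf | vomspoolaccount
vomspoolaccount -> posixenf
"""
RULE = re.compile(r"^(~?)(\w+)\s*->\s*(\w+)(?:\s*\|\s*(\w+))?$")

def parse_policy(text, name):
    """Rules of the named policy: {module: (negated, next, on_failure)}."""
    rules, active = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith(":"):            # "combi_mapping:" opens a policy
            active = line[:-1] == name
        elif active and line:
            neg, mod, nxt, fail = RULE.match(line).groups()
            rules[mod] = (neg == "~", nxt, fail)
    return rules

def evaluate(rules, start, outcomes):
    """Walk the chain with simulated module results; return (result, trace).
    Assumed semantics: 'a -> b | c' runs b on success and c on failure,
    'a -> b' fails if a fails, '~a -> b' runs b only if a fails (else done)."""
    trace, mod = [], start
    for _ in range(len(rules) + 2):       # a well-formed chain never loops
        trace.append(mod)
        ok = bool(outcomes.get(mod, False))
        if mod not in rules:              # terminal module (posixenf) decides
            return ok, trace
        negated, nxt, on_fail = rules[mod]
        if negated and ok:                # robot_pool/robot_local mapped the DN
            return True, trace
        if negated or ok:
            mod = nxt
        elif on_fail is None:
            return False, trace
        else:
            mod = on_fail
    raise RuntimeError("policy does not terminate")

COMBI = parse_policy(POLICY, "combi_mapping")
# Constructed outcomes: a PUSP from a registered robot vs. an ordinary VOMS proxy.
PUSP = {"ban_dn": True, "robot_ban_dn": True, "proxycheck": True, "robot_pool": True}
VOMS = {**PUSP, "robot_pool": False, "robot_local": False, "vomslocalgroup": True,
        "vomslocalaccount": False, "vomspoolaccount": True, "posixenf": True}
```

A banned DN stops at ban_dn (first rule) before any mapping module runs, which is why the ban modules sit at the head of the chain.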
 
== Creation of per-user sub-proxies for beapps VO ==
First of all, you (the VO admin) need to obtain a robot certificate and register it in the beapps VO. Then extract the user certificate and the private key into a directory (.globus_pusp) and set the correct permissions. With this [https://ndpfsvn.nikhef.nl/viewvc/mwsec/trunk/lcmaps-plugins-robot/tools/ script] you can create a PUSP for a given user (mdupont) by issuing the following command:
<pre>
./create_pusp -u mdupont -c ~/.globus_pusp/usercert.pem -k ~/.globus_pusp/userkey.pem
</pre>
Now, if you issue the command:
<pre>
voms-proxy-info --all
 
subject   : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be/CN=user:mdupont
issuer    : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be
identity  : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be
type      : RFC3820 compliant impersonation proxy
strength  : 1024
path      : /tmp/x509up_u20533
timeleft  : 23:59:51
key usage : Digital Signature, Key Encipherment
</pre>
you will see that the VOMS extensions are missing from this proxy. To add the beapps VOMS extension:
<pre>
voms-proxy-init --voms beapps --noregen
</pre>
The --noregen option is important: it adds the VOMS extensions to the PUSP that already exists in /tmp/x509up_u20533 instead of regenerating the proxy.
 
Now it looks like a regular beapps proxy:
<pre>
voms-proxy-info --all
 
subject   : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be/CN=user:mdupont/CN=730118287
issuer    : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be/CN=user:mdupont
identity  : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be
type      : RFC3820 compliant impersonation proxy
strength  : 1024
path      : /tmp/x509up_u20533
timeleft  : 11:59:57
key usage : Digital Signature, Key Encipherment
=== VO beapps extension information ===
VO        : beapps
subject   : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be
issuer    : /DC=org/DC=terena/DC=tcs/C=BE/ST=Brussels/L=Brussels/O=Le reseau telematique belge de la recherche/CN=voms01.begrid.be
attribute : /beapps/Role=NULL/Capability=NULL
timeleft  : 11:59:56
uri       : voms01.begrid.be:18004
</pre>
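The two voms-proxy-info listings above can be checked mechanically. The added Python below (not from the wiki or from the VOMS tools) parses that output and reports whether the proxy is a PUSP of the registered robot DN and whether it already carries the beapps attribute certificate; the sample outputs are constructed from the page's listings with the same robot DN and user.

```python
import re

# Constructed samples: the voms-proxy-info --all output shown above, before and
# after 'voms-proxy-init --voms beapps --noregen'.
ROBOT = "/DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be"
BEFORE = f"""subject   : {ROBOT}/CN=user:mdupont
issuer    : {ROBOT}
identity  : {ROBOT}
"""
AFTER = f"""subject   : {ROBOT}/CN=user:mdupont/CN=730118287
issuer    : {ROBOT}/CN=user:mdupont
identity  : {ROBOT}
=== VO beapps extension information ===
VO        : beapps
subject   : {ROBOT}
attribute : /beapps/Role=NULL/Capability=NULL
"""

def parse_proxy_info(text):
    """Proxy fields, plus one dict per '=== VO ... ===' extension section."""
    proxy, vos, cur = {}, [], None
    for line in text.splitlines():
        if line.startswith("=== VO "):
            cur = {}
            vos.append(cur)
        elif " : " in line:
            key, val = (s.strip() for s in line.split(":", 1))
            (cur if cur is not None else proxy)[key] = val
    return proxy, vos

def check_pusp(text, robot_dn, vo):
    """(user, problems) for a proxy expected to be a PUSP of robot_dn carrying a
    VO attribute certificate; user is None when the proxy is not a PUSP."""
    proxy, vos = parse_proxy_info(text)
    problems = []
    identity = proxy.get("identity", "")
    if identity != robot_dn:
        problems.append("identity is not the registered robot DN")
    # A PUSP subject is the robot DN followed by /CN=user:<name> and proxy CNs.
    m = re.match(re.escape(robot_dn) + r"/CN=user:([^/]+)", proxy.get("subject", ""))
    user = m.group(1) if m else None
    if user is None:
        problems.append("subject does not carry /CN=user:<name> after the robot DN")
    acs = [v for v in vos if v.get("VO") == vo]
    if not acs:
        problems.append(f"no {vo} VOMS extension (add it with --noregen)")
    elif acs[0].get("subject") != identity:
        problems.append("VOMS AC holder differs from the proxy identity")
    elif not acs[0].get("attribute", "").startswith("/" + vo):
        problems.append(f"VOMS attribute is not a {vo} FQAN")
    return user, problems
```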
 
== Further reading ==
 
* https://wiki.egi.eu/wiki/Usage_of_the_per_user_sub_proxy_in_EGI
* https://wiki.egi.eu/wiki/MAN12

Latest revision as of 12:57, 19 May 2016