LToS: Difference between revisions
No edit summary |
|||
(One intermediate revision by the same user not shown) | |||
Line 121: | Line 121: | ||
</pre> | </pre> | ||
The --noregen option is important because you just want to add voms extensions to the pusp proxy that already exists in /tmp/x509up_u20533. | The --noregen option is important because you just want to add voms extensions to the pusp proxy that already exists in /tmp/x509up_u20533. | ||
Now, it looks like a good old usual beapps proxy : | |||
<pre> | |||
voms-proxy-info --all | |||
subject : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be/CN=user:mdupont/CN=730118287 | |||
issuer : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be/CN=user:mdupont | |||
identity : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be | |||
type : RFC3820 compliant impersonation proxy | |||
strength : 1024 | |||
path : /tmp/x509up_u20533 | |||
timeleft : 11:59:57 | |||
key usage : Digital Signature, Key Encipherment | |||
=== VO beapps extension information === | |||
VO : beapps | |||
subject : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be | |||
issuer : /DC=org/DC=terena/DC=tcs/C=BE/ST=Brussels/L=Brussels/O=Le reseau telematique belge de la recherche/CN=voms01.begrid.be | |||
attribute : /beapps/Role=NULL/Capability=NULL | |||
timeleft : 11:59:56 | |||
uri : voms01.begrid.be:18004 | |||
</pre> | |||
== Further reading == | |||
* https://wiki.egi.eu/wiki/Usage_of_the_per_user_sub_proxy_in_EGI | |||
* https://wiki.egi.eu/wiki/MAN12 |
Latest revision as of 12:57, 19 May 2016
Configuration of the CE
This link explains how to set up the PUSP mechanism on the CE. However, if you apply these recipes to the letter, it will break the CE. Here are the actual configurations we have applied :
- /etc/glexec.conf
[glexec] create_target_proxy=no lcas_db_file=/etc/lcas/lcas-glexec.db lcas_debug_level=5 lcas_log_file=/var/log/glexec/lcas_lcmaps.log lcas_log_level=5 lcmaps_db_file=/etc/lcmaps/lcmaps.db.glexec.pusp lcmaps_debug_level=5 lcmaps_get_account_policy=combi_mapping lcmaps_log_file=/var/log/glexec/lcas_lcmaps.log lcmaps_log_level=5 lcmaps_voms_verification=no linger=no log_destination=file log_file=/var/log/glexec/glexec.log log_level=5 omission_private_key_white_list=tomcat preserve_env_variables= silent_logging=no use_lcas=no user_identity_switch_by=lcmaps user_white_list=tomcat
- /etc/lcmaps/lcmaps.db.glexec.pusp
path = /usr/lib64/lcmaps vomspoolaccount = "lcmaps_voms_poolaccount.mod" "-gridmapfile /etc/lcmaps/gridmapfile" "-gridmapdir /etc/grid-security/gridmapdir" "-override_inconsistency" vomslocalgroup = "lcmaps_voms_localgroup.mod" "-groupmapfile /etc/lcmaps/groupmapfile" "-mapmin 0 " proxycheck = "lcmaps_verify_proxy.mod" "-certdir /etc/grid-security/certificates" "--allow-limited-proxy" posixenf = "lcmaps_posix_enf.mod" "-maxuid 1" "-maxpgid 1" "-maxsgid 32" vomslocalaccount = "lcmaps_voms_localaccount.mod" "-gridmapfile /etc/lcmaps/gridmapfile" "-use_voms_gid" robot_pool = "lcmaps_robot_poolaccount.mod" "-gridmapfile /etc/grid-security/grid-mapfile" "-gridmapdir /etc/grid-security/gridmapdir/" poolaccount = "lcmaps_poolaccount.mod" "-override_inconsistency" "-gridmapfile /etc/grid-security/grid-mapfile" "-gridmapdir /etc/grid-security/gridmapdir" robot_ban_dn = "lcmaps_robot_ban_dn.mod" "-banmapfile /etc/lcas/ban_users.db" localaccount = "lcmaps_localaccount.mod" "-gridmapfile /etc/grid-security/grid-mapfile" ban_dn = "lcmaps_ban_dn.mod" "-banmapfile /etc/lcas/ban_users.db" robot_local = "lcmaps_robot_localaccount.mod" "-gridmapfile /etc/grid-security/grid-mapfile" # Policies: voms: proxycheck -> vomslocalgroup vomslocalgroup -> vomslocalaccount vomslocalaccount -> posixenf | vomspoolaccount vomspoolaccount -> posixenf standard: proxycheck -> localaccount localaccount -> posixenf | poolaccount poolaccount -> posixenf combi_mapping: ban_dn -> robot_ban_dn robot_ban_dn -> proxycheck proxycheck -> robot_pool ~robot_pool -> robot_local ~robot_local -> vomslocalgroup vomslocalgroup -> vomslocalaccount vomslocalaccount -> posixenf | vomspoolaccount vomspoolaccount -> posixenf
Creation of per-user sub-proxies for beapps VO
First of all, you (= the VO admin) need to get a robot certificate that you will register in beapps VO. After that, you have to extract the usercert and the private key in a directory (.globus_pusp) directory and set the correct permissions. Thanks to this script, you can create a PUSP for a given user (mdupont) by issuing the following command :
./create_pusp -u mdupont -c ~/.globus_pusp/usercert.pem -k ~/.globus_pusp/userkey.pem
Now, if you issue the command :
voms-proxy-info --all subject : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be/CN=user:mdupont issuer : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be identity : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be type : RFC3820 compliant impersonation proxy strength : 1024 path : /tmp/x509up_u20533 timeleft : 23:59:51 key usage : Digital Signature, Key Encipherment
you will see that the voms extensions are missing from this proxy. To add the beapps voms extension :
voms-proxy-init --voms beapps --noregen
The --noregen option is important because you just want to add voms extensions to the pusp proxy that already exists in /tmp/x509up_u20533.
Now, it looks like a good old usual beapps proxy :
voms-proxy-info --all subject : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be/CN=user:mdupont/CN=730118287 issuer : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be/CN=user:mdupont identity : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be type : RFC3820 compliant impersonation proxy strength : 1024 path : /tmp/x509up_u20533 timeleft : 11:59:57 key usage : Digital Signature, Key Encipherment === VO beapps extension information === VO : beapps subject : /DC=org/DC=terena/DC=tcs/C=BE/O=Vrije Universiteit Brussel/CN=Robot - STEPHANE GERARD stgerard@vub.ac.be issuer : /DC=org/DC=terena/DC=tcs/C=BE/ST=Brussels/L=Brussels/O=Le reseau telematique belge de la recherche/CN=voms01.begrid.be attribute : /beapps/Role=NULL/Capability=NULL timeleft : 11:59:56 uri : voms01.begrid.be:18004