LToS: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 96: | Line 96: | ||
vomslocalaccount -> posixenf | vomspoolaccount | vomslocalaccount -> posixenf | vomspoolaccount | ||
vomspoolaccount -> posixenf | vomspoolaccount -> posixenf | ||
</pre> | |||
== Creation of per-user sub-proxies for beapps VO == | |||
First of all, you (= the VO admin) need to get a robot certificate that you will register in beapps VO. After that, you have to extract the usercert and the private key in a directory (.globus_pusp) directory and set the correct permissions. Thanks to this [script https://ndpfsvn.nikhef.nl/viewvc/mwsec/trunk/lcmaps-plugins-robot/tools/], you can create a PUSP for a given user (mdupont) by issuing the following command : | |||
<pre> | |||
./create_pusp -u mdupont -c ~/.globus_pusp/usercert.pem -k ~/.globus_pusp/userkey.pem | |||
</pre> | </pre> | ||
Revision as of 20:15, 18 May 2016
Configuration of the CE
This link explains how to set up the PUSP mechanism on the CE. However, if you apply these recipes to the letter, it will break the CE. Here are the actual configurations we have applied :
- /etc/glexec.conf
[glexec] create_target_proxy=no lcas_db_file=/etc/lcas/lcas-glexec.db lcas_debug_level=5 lcas_log_file=/var/log/glexec/lcas_lcmaps.log lcas_log_level=5 lcmaps_db_file=/etc/lcmaps/lcmaps.db.glexec.pusp lcmaps_debug_level=5 lcmaps_get_account_policy=combi_mapping lcmaps_log_file=/var/log/glexec/lcas_lcmaps.log lcmaps_log_level=5 lcmaps_voms_verification=no linger=no log_destination=file log_file=/var/log/glexec/glexec.log log_level=5 omission_private_key_white_list=tomcat preserve_env_variables= silent_logging=no use_lcas=no user_identity_switch_by=lcmaps user_white_list=tomcat
- /etc/lcmaps/lcmaps.db.glexec.pusp
path = /usr/lib64/lcmaps
vomspoolaccount = "lcmaps_voms_poolaccount.mod"
"-gridmapfile /etc/lcmaps/gridmapfile"
"-gridmapdir /etc/grid-security/gridmapdir"
"-override_inconsistency"
vomslocalgroup = "lcmaps_voms_localgroup.mod"
"-groupmapfile /etc/lcmaps/groupmapfile"
"-mapmin 0 "
proxycheck = "lcmaps_verify_proxy.mod"
"-certdir /etc/grid-security/certificates"
"--allow-limited-proxy"
posixenf = "lcmaps_posix_enf.mod"
"-maxuid 1"
"-maxpgid 1"
"-maxsgid 32"
vomslocalaccount = "lcmaps_voms_localaccount.mod"
"-gridmapfile /etc/lcmaps/gridmapfile"
"-use_voms_gid"
robot_pool = "lcmaps_robot_poolaccount.mod"
"-gridmapfile /etc/grid-security/grid-mapfile"
"-gridmapdir /etc/grid-security/gridmapdir/"
poolaccount = "lcmaps_poolaccount.mod"
"-override_inconsistency"
"-gridmapfile /etc/grid-security/grid-mapfile"
"-gridmapdir /etc/grid-security/gridmapdir"
robot_ban_dn = "lcmaps_robot_ban_dn.mod"
"-banmapfile /etc/lcas/ban_users.db"
localaccount = "lcmaps_localaccount.mod"
"-gridmapfile /etc/grid-security/grid-mapfile"
ban_dn = "lcmaps_ban_dn.mod"
"-banmapfile /etc/lcas/ban_users.db"
robot_local = "lcmaps_robot_localaccount.mod"
"-gridmapfile /etc/grid-security/grid-mapfile"
# Policies:
voms:
proxycheck -> vomslocalgroup
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> posixenf | vomspoolaccount
vomspoolaccount -> posixenf
standard:
proxycheck -> localaccount
localaccount -> posixenf | poolaccount
poolaccount -> posixenf
combi_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> proxycheck
proxycheck -> robot_pool
~robot_pool -> robot_local
~robot_local -> vomslocalgroup
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> posixenf | vomspoolaccount
vomspoolaccount -> posixenf
Creation of per-user sub-proxies for beapps VO
First of all, you (= the VO admin) need to get a robot certificate that you will register in beapps VO. After that, you have to extract the usercert and the private key in a directory (.globus_pusp) directory and set the correct permissions. Thanks to this [script https://ndpfsvn.nikhef.nl/viewvc/mwsec/trunk/lcmaps-plugins-robot/tools/], you can create a PUSP for a given user (mdupont) by issuing the following command :
./create_pusp -u mdupont -c ~/.globus_pusp/usercert.pem -k ~/.globus_pusp/userkey.pem