LToS

From T2B Wiki
Jump to navigation Jump to search

Configuration of the CE

This link explains how to set up the PUSP mechanism on the CE. However, if you apply these recipes to the letter, it will break the CE. Here are the actual configurations we have applied :

  • /etc/glexec.conf
[glexec]
create_target_proxy=no
lcas_db_file=/etc/lcas/lcas-glexec.db
lcas_debug_level=5
lcas_log_file=/var/log/glexec/lcas_lcmaps.log
lcas_log_level=5
lcmaps_db_file=/etc/lcmaps/lcmaps.db.glexec.pusp
lcmaps_debug_level=5
lcmaps_get_account_policy=combi_mapping
lcmaps_log_file=/var/log/glexec/lcas_lcmaps.log
lcmaps_log_level=5
lcmaps_voms_verification=no
linger=no
log_destination=file
log_file=/var/log/glexec/glexec.log
log_level=5
omission_private_key_white_list=tomcat
preserve_env_variables=
silent_logging=no
use_lcas=no
user_identity_switch_by=lcmaps
user_white_list=tomcat
  • /etc/lcmaps/lcmaps.db.glexec.pusp
path = /usr/lib64/lcmaps

vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                       "-gridmapfile /etc/lcmaps/gridmapfile"
                       "-gridmapdir /etc/grid-security/gridmapdir"
                       "-override_inconsistency"

vomslocalgroup = "lcmaps_voms_localgroup.mod"
                      "-groupmapfile /etc/lcmaps/groupmapfile"
                      "-mapmin 0 "

proxycheck = "lcmaps_verify_proxy.mod"
                  "-certdir /etc/grid-security/certificates"
                  "--allow-limited-proxy"

posixenf = "lcmaps_posix_enf.mod"
                "-maxuid 1"
                "-maxpgid 1"
                "-maxsgid 32"

vomslocalaccount = "lcmaps_voms_localaccount.mod"
                        "-gridmapfile /etc/lcmaps/gridmapfile"
                        "-use_voms_gid"

robot_pool = "lcmaps_robot_poolaccount.mod"
                  "-gridmapfile /etc/grid-security/grid-mapfile"
                  "-gridmapdir /etc/grid-security/gridmapdir/"

poolaccount = "lcmaps_poolaccount.mod"
                   "-override_inconsistency"
                   "-gridmapfile /etc/grid-security/grid-mapfile"
                   "-gridmapdir /etc/grid-security/gridmapdir"

robot_ban_dn = "lcmaps_robot_ban_dn.mod"
                    "-banmapfile /etc/lcas/ban_users.db"

localaccount = "lcmaps_localaccount.mod"
                    "-gridmapfile /etc/grid-security/grid-mapfile"

ban_dn = "lcmaps_ban_dn.mod"
              "-banmapfile /etc/lcas/ban_users.db"

robot_local = "lcmaps_robot_localaccount.mod"
                   "-gridmapfile /etc/grid-security/grid-mapfile"


# Policies:
voms:
proxycheck -> vomslocalgroup
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> posixenf | vomspoolaccount
vomspoolaccount -> posixenf

standard:
proxycheck -> localaccount
localaccount -> posixenf | poolaccount
poolaccount -> posixenf

combi_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> proxycheck
proxycheck -> robot_pool
~robot_pool -> robot_local
~robot_local -> vomslocalgroup
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> posixenf | vomspoolaccount
vomspoolaccount -> posixenf

Creation of per-user sub-proxies for beapps VO

First of all, you (= the VO admin) need to get a robot certificate that you will register in beapps VO. After that, you have to extract the usercert and the private key in a directory (.globus_pusp) directory and set the correct permissions. Thanks to this [script https://ndpfsvn.nikhef.nl/viewvc/mwsec/trunk/lcmaps-plugins-robot/tools/], you can create a PUSP for a given user (mdupont) by issuing the following command :

./create_pusp -u mdupont -c ~/.globus_pusp/usercert.pem -k ~/.globus_pusp/userkey.pem