Latest revision as of 16:40, 5 September 2016
Title | Per-User Sub-Proxy
Document link | https://wiki.egi.eu/wiki/MAN12
Last modified | 19 May 2015
Document Status | DRAFT
Procedure Statement | This manual shows how to set up a per-user sub-proxy (PUSP) to allow identification of the individual users under a common robot certificate.
Owner | Owner of procedure
Goal
The goal of the per-user sub-proxy (PUSP) is to allow identification of the individual users under a common robot certificate. More information on this feature is available on the EGI wiki at https://wiki.egi.eu/wiki/Fedcloud-tf:WorkGroups:Federated_AAI:per-user_sub-proxy.
To make this work, a dedicated plugin must be installed. The plugin is provided by NIKHEF, and its installation follows the corresponding guide at http://wiki.nikhef.nl/grid/Lcmaps-plugins-robot.
Steps
In order to configure the CREAM CE to handle the PUSP, the following steps must be performed.
WARNING
If you reconfigure the service using YAIM/Puppet, the configuration will be overwritten.
Installing the plugin
The installation is very simple:
rpm -ivh https://software.nikhef.nl/dist/mwsec/rpm/epel6/x86_64/lcmaps-plugins-robot-0.0.5-1.el6.x86_64.rpm
Prepare the configuration
You can add one or more pool-account based mappings to grid-mapfile:
"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=eToken:*" .testvo
or single users:
"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=eToken:test" testvo001
"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=eToken:testtwo" testvo001
Then glexec.conf must be configured with the following options:
# user switch will be done by glexec instead of lcmaps
user_identity_switch_by = glexec
# bypass lcas usage, assuming you're running the LCMAPS ban_dn plugin
use_lcas=no
# use the new mapping policy, which we will write to lcmaps.db
lcmaps_get_account_policy = combi_mapping
Finally prepare the lcmaps.db like the following:
path = /usr/lib64/lcmaps

### classic non-PUSP modules
verify_proxy = "lcmaps_verify_proxy.mod"
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"
localaccount = "lcmaps_localaccount.mod"
               " -gridmapfile /etc/grid-security/grid-mapfile"
poolaccount = "lcmaps_poolaccount.mod"
               " -override_inconsistency"
               " -gridmapfile /etc/grid-security/grid-mapfile"
               " -gridmapdir /etc/grid-security/gridmapdir"
vomslocalgroup = "lcmaps_voms_localgroup.mod"
               " -groupmapfile /etc/grid-security/groupmapfile"
               " -mapmin 0"
vomslocalaccount = "lcmaps_voms_localaccount.mod"
               " -gridmapfile /etc/grid-security/grid-mapfile"
               " -use_voms_gid"
vomspoolaccount = "lcmaps_voms_poolaccount.mod"
               " -gridmapfile /etc/grid-security/grid-mapfile"
               " -gridmapdir /etc/grid-security/gridmapdir"
               " -do_not_use_secondary_gids"

### PUSP specific modules
ban_dn = "lcmaps_ban_dn.mod"
               "-banmapfile /etc/grid-security/ban_users.db"
robot_ban_dn = "lcmaps_robot_ban_dn.mod"
               "-banmapfile /etc/grid-security/ban_users.db"
robot_local = "lcmaps_robot_localaccount.mod"
               "-gridmapfile /etc/grid-security/grid-mapfile"
robot_pool = "lcmaps_robot_poolaccount.mod"
               "-gridmapfile /etc/grid-security/grid-mapfile"
               "-gridmapdir /etc/grid-security/gridmapdir/"

### Combined policy
combi_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> verify_proxy
verify_proxy -> robot_pool
~robot_pool -> robot_local
~robot_local -> vomslocalgroup
vomslocalgroup -> vomspoolaccount | vomslocalaccount
Accounting
A few modifications are enough to enable PUSP-aware accounting on CREAM. In the file:
/etc/glite-ce-cream/cream-config.xml
the following start tag should be modified like this:
<service id="CREAM service (core2)" dn_filter="/CN=Robot[^/]+/CN=eToken:[^/]+">
adding the dn_filter attribute explicitly, or modifying it if already present.
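As an added example (not part of this manual or of the NIKHEF plugin), the Python below models how the grid-mapfile entries from "Prepare the configuration" and a ban list resolve a PUSP DN to an account, and what the cream-config.xml dn_filter keeps for accounting. The first-match order, the in-memory gridmapdir and the constructed ban list are assumptions of this model, not the plugin's documented behaviour.

```python
import re

ROBOT_DN = "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera"
GRID_MAPFILE = f'''
"{ROBOT_DN}/CN=eToken:test" testvo001
"{ROBOT_DN}/CN=eToken:testtwo" testvo001
"{ROBOT_DN}/CN=eToken:*" .testvo
'''  # the manual's entries, embedded here as a constructed file
BANNED = {f"{ROBOT_DN}/CN=eToken:blocked"}          # constructed stand-in for ban_users.db
GRIDMAPDIR = {"testvo002": None, "testvo003": None}  # constructed pool: account -> leased DN
DN_FILTER = re.compile(r"/CN=Robot[^/]+/CN=eToken:[^/]+")  # the manual's dn_filter regex
MAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<account>\S+)$')

def parse_mapfile(text):
    """(dn_pattern, account) pairs in file order; a leading '.' marks a pool account."""
    return [(m["dn"], m["account"]) for m in map(MAP_LINE.match, text.splitlines()) if m]

def dn_matches(pattern, dn):
    """Exact match, or a trailing '*' standing for one non-empty CN value without '/',
    so a DN with extra components below the eToken CN is rejected, not mapped."""
    if not pattern.endswith("*"):
        return pattern == dn
    rest = dn[len(pattern) - 1:]
    return dn.startswith(pattern[:-1]) and rest != "" and "/" not in rest

def lease_pool_account(dn, pool, gridmapdir):
    """gridmapdir model: a DN keeps its lease, else takes the first free pool account."""
    for account, holder in gridmapdir.items():
        if holder == dn and account.startswith(pool):
            return account
    free = next((a for a, h in gridmapdir.items() if h is None and a.startswith(pool)), None)
    if free:
        gridmapdir[free] = dn
    return free  # None means the pool is exhausted

def map_account(dn, entries, banned=BANNED, gridmapdir=GRIDMAPDIR):
    """Simplified combi_mapping order: ban check first, then the first matching
    grid-mapfile entry wins (first-match order is an assumption of this model)."""
    if dn in banned:
        return None
    for pattern, account in entries:
        if dn_matches(pattern, dn):
            if account.startswith("."):
                return lease_pool_account(dn, account[1:], gridmapdir)
            return account
    return None

def accounting_user(dn):
    """The robot+eToken part of the DN that the dn_filter keeps for accounting, or None."""
    m = DN_FILTER.search(dn)
    return m.group(0) if m else None
```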
Notes
After configuring the CREAM CE, please make sure the GridFTP server is still working. By default, it uses lcas.db and lcmaps.db at their default locations.