Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "MAN12"

From EGIWiki
Jump to navigation Jump to search
(Created page with "{{Template:Op menubar}} {{Template:Doc_menubar}} {{TOC_right}} {{Ops_procedures |Doc_title = Per-User Sub-Proxy |Doc_link = https://wiki.egi.eu/wiki/MAN12 |Version = ...")
 
Line 15: Line 15:
= Steps  =
= Steps  =


In order to configure the CREAM CE to handle the PUSP, the following steps must be performed:
#Prepare the grid-mapfile with proper mapping, for instance: 
<blockquote>
&nbsp;"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:*" .testvo
</blockquote>
or
<blockquote>
&nbsp;"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:prova" testvo001
&nbsp;"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:provola" testvo001
</blockquote>
3. prepare the glexec.conf. It is important to put:
#userswitch will be done by glexec instead of lcmaps
user_identity_switch_by = glexec
#bypass lcas usage
use_lcas=no
#use new mapping policy, we will write it to lcmaps.db
lcmaps_get_account_policy = combi_mapping
4. prepare the lcmaps.db:
path = /usr/lib64/lcmaps
###classic non-PUSP modules
verify_proxy = "lcmaps_verify_proxy.mod"
              " -certdir /etc/grid-security/certificates/"
              " --allow-limited-proxy"
localaccount = "lcmaps_localaccount.mod" " -gridmapfile /etc/grid-security/grid-mapfile" poolaccount = "lcmaps_poolaccount.mod" " -override_inconsistency" " -gridmapfile /etc/grid-security/grid-mapfile" " -gridmapdir /etc/grid-security/gridmapdir" vomslocalgroup = "lcmaps_voms_localgroup.mod" " -groupmapfile /etc/grid-security/groupmapfile" " -mapmin 0" vomslocalaccount = "lcmaps_voms_localaccount.mod" " -gridmapfile /etc/grid-security/grid-mapfile" " -use_voms_gid" vomspoolaccount = "lcmaps_voms_poolaccount.mod" " -gridmapfile /etc/grid-security/grid-mapfile" " -gridmapdir /etc/grid-security/gridmapdir" " -do_not_use_secondary_gids"
<br>
###PUSP specific modules
ban_dn = "lcmaps_ban_dn.mod"
        "-banmapfile /etc/grid-security/ban_users.db"
robot_ban_dn = "lcmaps_robot_ban_dn.mod"
              "-banmapfile /etc/grid-security/ban_users.db"
robot_local = "lcmaps_robot_localaccount.mod"
              "-gridmapfile /etc/grid-security/grid-mapfile"
robot_pool = "lcmaps_robot_poolaccount.mod"
              "-gridmapfile /etc/grid-security/grid-mapfile"
            "-gridmapdir /etc/grid-security/gridmapdir/"
###Combined policy
combi_mapping:
    ban_dn -&gt; robot_ban_dn
  robot_ban_dn -&gt; verify_proxy
  verify_proxy -&gt; robot_pool
  ~robot_pool -&gt; robot_local
  ~robot_local -&gt; vomslocalgroup
  vomslocalgroup -&gt; vomspoolaccount | vomslocalaccount
<br>


= Reference =
= Reference =
[http://wiki.nikhef.nl/grid/Lcmaps-plugins-robot Main reference on the Lcmaps-plugins-robot]
[http://wiki.nikhef.nl/grid/Lcmaps-plugins-robot Main reference on the Lcmaps-plugins-robot]

Revision as of 16:40, 19 May 2015

Main EGI.eu operations services Support Documentation Tools Activities Performance Technology Catch-all Services Resource Allocation Security


Documentation menu: Home Manuals Procedures Training Other Contact For: VO managers Administrators



Title Per-User Sub-Proxy
Document link https://wiki.egi.eu/wiki/MAN12
Last modified 19 May 2015
Policy Group Acronym
Policy Group Name
Contact Group
Document Status DRAFT
Approved Date
Procedure Statement This manual shows how to set up a per-user sub-proxy (PUSP) to allow identification of the individual users under a common robot certificate.
Owner Owner of procedure


Steps

In order to configure the CREAM CE to handle the PUSP, the following steps must be performed:

  1. Prepare the grid-mapfile with proper mapping, for instance: 

 "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:*" .testvo

or

 "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:prova" testvo001

 "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:provola" testvo001

3. prepare the glexec.conf. It is important to put:

  1. userswitch will be done by glexec instead of lcmaps

user_identity_switch_by = glexec

  1. bypass lcas usage

use_lcas=no

  1. use new mapping policy, we will write it to lcmaps.db

lcmaps_get_account_policy = combi_mapping

4. prepare the lcmaps.db:

path = /usr/lib64/lcmaps

      1. classic non-PUSP modules

verify_proxy = "lcmaps_verify_proxy.mod"

              " -certdir /etc/grid-security/certificates/"
             " --allow-limited-proxy"

localaccount = "lcmaps_localaccount.mod" " -gridmapfile /etc/grid-security/grid-mapfile" poolaccount = "lcmaps_poolaccount.mod" " -override_inconsistency" " -gridmapfile /etc/grid-security/grid-mapfile" " -gridmapdir /etc/grid-security/gridmapdir" vomslocalgroup = "lcmaps_voms_localgroup.mod" " -groupmapfile /etc/grid-security/groupmapfile" " -mapmin 0" vomslocalaccount = "lcmaps_voms_localaccount.mod" " -gridmapfile /etc/grid-security/grid-mapfile" " -use_voms_gid" vomspoolaccount = "lcmaps_voms_poolaccount.mod" " -gridmapfile /etc/grid-security/grid-mapfile" " -gridmapdir /etc/grid-security/gridmapdir" " -do_not_use_secondary_gids"


      1. PUSP specific modules

ban_dn = "lcmaps_ban_dn.mod"

        "-banmapfile /etc/grid-security/ban_users.db"

robot_ban_dn = "lcmaps_robot_ban_dn.mod"

              "-banmapfile /etc/grid-security/ban_users.db"

robot_local = "lcmaps_robot_localaccount.mod"

             "-gridmapfile /etc/grid-security/grid-mapfile"

robot_pool = "lcmaps_robot_poolaccount.mod"

             "-gridmapfile /etc/grid-security/grid-mapfile"
            "-gridmapdir /etc/grid-security/gridmapdir/"
      1. Combined policy

combi_mapping:

   ban_dn -> robot_ban_dn
  robot_ban_dn -> verify_proxy
  verify_proxy -> robot_pool 
  ~robot_pool -> robot_local
  ~robot_local -> vomslocalgroup
  vomslocalgroup -> vomspoolaccount | vomslocalaccount


Reference

Main reference on the Lcmaps-plugins-robot