Difference between revisions of "MAN12"

Revision as of 16:40, 19 May 2015

Title: Per-User Sub-Proxy
Document link: https://wiki.egi.eu/wiki/MAN12
Last modified: 19 May 2015
Policy Group Acronym:
Policy Group Name:
Contact Group:
Document Status: DRAFT
Approved Date:
Procedure Statement: This manual shows how to set up a per-user sub-proxy (PUSP) to allow identification of the individual users under a common robot certificate.
Owner: Owner of procedure

Steps

In order to configure the CREAM CE to handle the PUSP, the following steps must be performed:

1. Prepare the grid-mapfile with proper mapping, for instance a single wildcard entry covering all sub-proxy users of the robot:

    "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:*" .testvo

or one entry per sub-proxy user:

    "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:prova" testvo001
    "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:provola" testvo001

3. Prepare the glexec.conf. It is important to put:

    # the user switch will be done by glexec instead of lcmaps
    user_identity_switch_by = glexec
    # bypass lcas usage
    use_lcas=no
    # use the new mapping policy; we will write it to lcmaps.db
    lcmaps_get_account_policy = combi_mapping

4. Prepare the lcmaps.db:

    path = /usr/lib64/lcmaps

    ### classic non-PUSP modules
    verify_proxy = "lcmaps_verify_proxy.mod"
                   " -certdir /etc/grid-security/certificates/"
                   " --allow-limited-proxy"
    localaccount = "lcmaps_localaccount.mod"
                   " -gridmapfile /etc/grid-security/grid-mapfile"
    poolaccount = "lcmaps_poolaccount.mod"
                  " -override_inconsistency"
                  " -gridmapfile /etc/grid-security/grid-mapfile"
                  " -gridmapdir /etc/grid-security/gridmapdir"
    vomslocalgroup = "lcmaps_voms_localgroup.mod"
                     " -groupmapfile /etc/grid-security/groupmapfile"
                     " -mapmin 0"
    vomslocalaccount = "lcmaps_voms_localaccount.mod"
                       " -gridmapfile /etc/grid-security/grid-mapfile"
                       " -use_voms_gid"
    vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                      " -gridmapfile /etc/grid-security/grid-mapfile"
                      " -gridmapdir /etc/grid-security/gridmapdir"
                      " -do_not_use_secondary_gids"

    ### PUSP specific modules
    ban_dn = "lcmaps_ban_dn.mod"
             "-banmapfile /etc/grid-security/ban_users.db"
    robot_ban_dn = "lcmaps_robot_ban_dn.mod"
                   "-banmapfile /etc/grid-security/ban_users.db"
    robot_local = "lcmaps_robot_localaccount.mod"
                  "-gridmapfile /etc/grid-security/grid-mapfile"
    robot_pool = "lcmaps_robot_poolaccount.mod"
                 "-gridmapfile /etc/grid-security/grid-mapfile"
                 "-gridmapdir /etc/grid-security/gridmapdir/"

    ### Combined policy
    combi_mapping:
    ban_dn -> robot_ban_dn
    robot_ban_dn -> verify_proxy
    verify_proxy -> robot_pool
    ~robot_pool -> robot_local
    ~robot_local -> vomslocalgroup
    vomslocalgroup -> vomspoolaccount | vomslocalaccount

Reference

Main reference on the Lcmaps-plugins-robot: http://wiki.nikhef.nl/grid/Lcmaps-plugins-robot
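The following is an added illustrative model, not code from EGI, CREAM or LCMAPS, of how the combi_mapping chain above resolves a per-user sub-proxy DN: the ban checks run first (the full DN, then the robot identity behind the sub-proxy), then robot_pool leases a pool account for a wildcard entry, and only if that fails does robot_local try a fixed account. The grid-mapfile and ban file contents are constructed in the page's format; the second robot DN (`PORTAL`), the account names `portal001`/`testvo002`, the in-memory `PoolDir` stand-in for the gridmapdir, and the function names are assumptions of this example. Proxy-chain verification (verify_proxy) is left to the real module and is not modelled.

```python
# Added illustrative model (not EGI or LCMAPS code) of PUSP DN resolution in the
# order of the combi_mapping policy: ban_dn -> robot_ban_dn -> robot_pool ->
# robot_local. The gridmapdir is modelled in memory; file formats follow the page.
import re
from typing import Dict, List, Optional, Tuple

ROBOT = "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera"
PORTAL = "/C=XX/O=Example/OU=Robot/CN=Robot: Example Portal"  # constructed second robot DN

# Constructed grid-mapfile: a pool wildcard for one robot, a fixed account for another
SAMPLE_GRIDMAP = f'''
"{ROBOT}/CN=user:*" .testvo
"{PORTAL}/CN=user:alice" portal001
'''
# Constructed ban file (ban_users.db format assumed: one quoted DN per line)
SAMPLE_BANFILE = f'''
"{ROBOT}/CN=user:evil"
'''

LINE_RE = re.compile(r'^"([^"]+)"(?:\s+(\S+))?$')

def parse_mapfile(text: str) -> List[Tuple[str, Optional[str]]]:
    """Parse grid-mapfile / ban file lines: a quoted DN pattern and an optional account."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"malformed mapfile line: {line!r}")
        entries.append((m.group(1), m.group(2)))
    return entries

def split_pusp(dn: str) -> Optional[Tuple[str, str]]:
    """Split '<robot DN>/CN=user:<label>' into (robot DN, label); None if not a PUSP."""
    idx = dn.rfind("/CN=user:")
    if idx <= 0:
        return None
    label = dn[idx + len("/CN=user:"):]
    if not label or "/" in label:
        return None
    return dn[:idx], label

def dn_matches(pattern: str, dn: str) -> bool:
    """Exact match, or a trailing 'CN=user:*' wildcard matching any one user label."""
    if pattern.endswith("/CN=user:*"):
        parts = split_pusp(dn)
        return parts is not None and parts[0] == pattern[:-len("/CN=user:*")]
    return pattern == dn

class PoolDir:
    """In-memory stand-in for /etc/grid-security/gridmapdir: sticky leases per DN."""
    def __init__(self, accounts: List[str]):
        self.free = list(accounts)
        self.leases: Dict[str, str] = {}

    def lease(self, dn: str) -> Optional[str]:
        if dn in self.leases:
            return self.leases[dn]          # same DN keeps its account
        if not self.free:
            return None                     # pool exhausted: module fails
        self.leases[dn] = self.free.pop(0)
        return self.leases[dn]

def map_pusp(dn: str, gridmap, banlist, pooldir: PoolDir) -> Tuple[Optional[str], str]:
    """Walk the policy chain for one DN; returns (account or None, reason)."""
    parts = split_pusp(dn)
    if any(dn_matches(p, dn) for p, _ in banlist):          # ban_dn: full DN banned
        return None, "banned: ban_dn"
    if parts and any(dn_matches(p, parts[0]) for p, _ in banlist):  # robot_ban_dn
        return None, "banned: robot_ban_dn"
    if parts is None:
        return None, "not a per-user sub-proxy"
    # robot_pool: a matching entry whose account is a '.pool' name leases a pool account
    for pattern, account in gridmap:
        if account and account.startswith(".") and dn_matches(pattern, dn):
            leased = pooldir.lease(dn)
            if leased:
                return leased, "robot_pool"
            break                                            # ~robot_pool -> robot_local
    # robot_local: a matching entry with a fixed account name
    for pattern, account in gridmap:
        if account and not account.startswith(".") and dn_matches(pattern, dn):
            return account, "robot_local"
    return None, "no mapping (would fall through to the VOMS modules)"

if __name__ == "__main__":
    gm, bl = parse_mapfile(SAMPLE_GRIDMAP), parse_mapfile(SAMPLE_BANFILE)
    pool = PoolDir(["testvo001", "testvo002"])              # constructed two-account pool
    for label in ("prova", "provola", "prova", "terzo", "evil"):
        print(label, map_pusp(f"{ROBOT}/CN=user:{label}", gm, bl, pool))
```

Running the demo shows the two failure modes an operator should expect from this policy: a sub-proxy user beyond the pool size gets no account (the chain falls through to robot_local and then to the VOMS modules), and a ban on the robot DN itself blocks every sub-proxy issued under it, while a ban on one `CN=user:` label blocks only that user.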