Difference between revisions of "MAN12"
Revision as of 17:50, 19 May 2015
Title: Per-User Sub-Proxy
Document link: https://wiki.egi.eu/wiki/MAN12
Last modified: 19 May 2015
Document Status: DRAFT
Procedure Statement: This manual shows how to set up a per-user sub-proxy (PUSP) to allow identification of the individual users under a common robot certificate.
Owner: Owner of procedure
Steps
In order to configure the CREAM CE to handle the PUSP, the following steps must be performed:
- Prepare the grid-mapfile with proper mapping, for instance:
"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:*" .testvo
or
"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:prova" testvo001
"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:provola" testvo001
- prepare the glexec.conf with the following options:
# user switch will be done by glexec instead of lcmaps
user_identity_switch_by = glexec
# bypass lcas usage, assuming you're running the LCMAPS ban_dn plugin
use_lcas=no
# use the new mapping policy, which we will write to lcmaps.db
lcmaps_get_account_policy = combi_mapping
- prepare the lcmaps.db like the following:
path = /usr/lib64/lcmaps

### classic non-PUSP modules
verify_proxy = "lcmaps_verify_proxy.mod"
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"
localaccount = "lcmaps_localaccount.mod"
               " -gridmapfile /etc/grid-security/grid-mapfile"
poolaccount = "lcmaps_poolaccount.mod"
              " -override_inconsistency"
              " -gridmapfile /etc/grid-security/grid-mapfile"
              " -gridmapdir /etc/grid-security/gridmapdir"
vomslocalgroup = "lcmaps_voms_localgroup.mod"
                 " -groupmapfile /etc/grid-security/groupmapfile"
                 " -mapmin 0"
vomslocalaccount = "lcmaps_voms_localaccount.mod"
                   " -gridmapfile /etc/grid-security/grid-mapfile"
                   " -use_voms_gid"
vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                  " -gridmapfile /etc/grid-security/grid-mapfile"
                  " -gridmapdir /etc/grid-security/gridmapdir"
                  " -do_not_use_secondary_gids"

### PUSP specific modules
ban_dn = "lcmaps_ban_dn.mod"
         "-banmapfile /etc/grid-security/ban_users.db"
robot_ban_dn = "lcmaps_robot_ban_dn.mod"
               "-banmapfile /etc/grid-security/ban_users.db"
robot_local = "lcmaps_robot_localaccount.mod"
              "-gridmapfile /etc/grid-security/grid-mapfile"
robot_pool = "lcmaps_robot_poolaccount.mod"
             "-gridmapfile /etc/grid-security/grid-mapfile"
             "-gridmapdir /etc/grid-security/gridmapdir/"

### Combined policy
combi_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> verify_proxy
verify_proxy -> robot_pool
~robot_pool -> robot_local
~robot_local -> vomslocalgroup
vomslocalgroup -> vomspoolaccount | vomslocalaccount
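As an added illustration (this is not part of the manual and not LCMAPS code), the following Python model walks the combi_mapping decision in the order the policy above lists it: the ban checks first, then a pool account, then an explicit local account, with verify_proxy treated as already passed and the VOMS fallbacks left out. It assumes that the ban file holds quoted DNs, that the "robot identity" checked by robot_ban_dn is the PUSP DN without its trailing CN=user: component, and that the grid-mapfile and ban entries are constructed sample inputs built from the DNs quoted on this page.

```python
import re

# Constructed sample inputs (not from a real CE); the DNs are the ones quoted on the page.
ROBOT_DN = "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera"
GRIDMAP_WILDCARD = f'"{ROBOT_DN}/CN=user:*" .testvo\n'
GRIDMAP_EXPLICIT = f'"{ROBOT_DN}/CN=user:prova" testvo001\n"{ROBOT_DN}/CN=user:provola" testvo001\n'
BAN_USERS_DB = f'"{ROBOT_DN}/CN=user:badguy"\n'  # constructed: one sub-proxy user is banned
ENTRY = re.compile(r'^\s*"([^"]+)"\s*(\S+)?\s*$')

def parse_mapfile(text):
    """[(dn_pattern, account)] from grid-mapfile or ban file text; account is None in a ban file."""
    return [(m.group(1), m.group(2)) for line in text.splitlines()
            if not line.lstrip().startswith("#") and (m := ENTRY.match(line))]

def dn_matches(pattern, dn):
    # Only the PUSP wildcard "CN=user:*" is a pattern; it matches exactly one extra CN component.
    if pattern.endswith("/CN=user:*"):
        return dn.startswith(pattern[:-1]) and "/" not in dn[len(pattern) - 1:]
    return pattern == dn

def robot_dn_of(pusp_dn):
    """Robot identity = PUSP DN with the trailing /CN=user:<name> removed (modelling assumption)."""
    return re.sub(r"/CN=user:[^/]*$", "", pusp_dn)

def is_banned(dn, ban_entries):
    return any(dn_matches(p, dn) for p, _ in ban_entries)

def map_pusp(pusp_dn, gridmap_text, ban_text, pool_state):
    """Walk the page's combi_mapping chain; verify_proxy (certificate checks) is assumed to pass."""
    bans = parse_mapfile(ban_text)
    if is_banned(pusp_dn, bans) or is_banned(robot_dn_of(pusp_dn), bans):
        return None                                   # ban_dn / robot_ban_dn: stop before mapping
    entries = parse_mapfile(gridmap_text)
    for pattern, account in entries:                  # robot_pool: ".testvo" -> lease testvoNNN
        if account and account.startswith(".") and dn_matches(pattern, pusp_dn):
            if pusp_dn not in pool_state:             # lease keyed by the full PUSP DN
                pool_state[pusp_dn] = f"{account[1:]}{len(pool_state) + 1:03d}"
            return pool_state[pusp_dn]
    for pattern, account in entries:                  # ~robot_pool -> robot_local: explicit account
        if account and not account.startswith(".") and dn_matches(pattern, pusp_dn):
            return account
    return None  # the VOMS fallbacks on the page are out of scope for this model
```

Because the pool lease is keyed by the full PUSP DN rather than the robot DN, two users behind the same robot certificate end up in different pool accounts, which is the separation the per-user sub-proxy is meant to provide.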