The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

Difference between revisions of "MAN12"

Line 15: Line 15:
= Steps  =
= Steps  =


In order to configure the CREAM CE to handle the PUSP, the following steps must be performed:
In order to configure the CREAM CE to handle the PUSP, the following steps must be performed.


#Prepare the grid-mapfile with proper mapping, for instance:
== Prepare the grid-mapfile, glexec.con  ==
 
You can add pool-account based mapping: <br>


  "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:*" .testvo  
  "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:*" .testvo  


or
or single users: <br>


  "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:prova" testvo001
  "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:prova" testvo001
  "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:provola" testvo001
  "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:provola" testvo001
   
   
#prepare the glexec.conf with the following options:
 
Then the glexec.conf must be configured with the following options  


  #userswitch will be done by glexec instead of lcmaps
  #userswitch will be done by glexec instead of lcmaps
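Review bot: the new right-hand heading `== Prepare the grid-mapfile, glexec.con ==` drops the last letter of `glexec.conf`, and since the section goes on to cover lcmaps.db as well, a heading such as `== Prepare the grid-mapfile, glexec.conf and lcmaps.db ==` would describe it better. The single-user example also deserves one sentence of caveat: both `CN=user:prova` and `CN=user:provola` are mapped to the same local account `testvo001`, so at the Unix level the two sub-proxy users are indistinguishable and per-user accountability then rests on logs that record the full DN, whereas the pool-account form above it leases each DN its own account.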
Line 35: Line 38:
  lcmaps_get_account_policy = combi_mapping  
  lcmaps_get_account_policy = combi_mapping  


#prepare the lcmaps.db like the following:  
Then prepare the lcmaps.db like the following:  


  path = /usr/lib64/lcmaps  
  path = /usr/lib64/lcmaps  
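Review bot: the left side keeps `#prepare the lcmaps.db like the following:` as a numbered step while the right side turns it into running prose; with the `#` markers removed from all three steps, the `Steps` heading now introduces no list. Either keep the numbered list or give the glexec.conf and lcmaps.db parts their own `==` subheadings, as was done for the grid-mapfile.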
Line 41: Line 44:
  verify_proxy = "lcmaps_verify_proxy.mod"  
  verify_proxy = "lcmaps_verify_proxy.mod"  
   
   
              " -certdir /etc/grid-security/certificates/"
              " -certdir /etc/grid-security/certificates/"
            " --allow-limited-proxy"
          " --allow-limited-proxy"
  localaccount = "lcmaps_localaccount.mod"
  localaccount = "lcmaps_localaccount.mod"
  " -gridmapfile /etc/grid-security/grid-mapfile"
  " -gridmapfile /etc/grid-security/grid-mapfile"
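Review bot: `" --allow-limited-proxy"` on `lcmaps_verify_proxy.mod` is only re-indented here, but because it widens what verify_proxy accepts it should carry a one-line `#` comment, as the glexec.conf options do, saying why the PUSP setup needs it; a reader copying the block cannot otherwise tell whether the option is required or incidental.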
Line 60: Line 63:
  " -do_not_use_secondary_gids"
  " -do_not_use_secondary_gids"


<br>
###PUSP specific modules
ban_dn = "lcmaps_ban_dn.mod"


### PUSP specific modules
ban_dn = "lcmaps_ban_dn.mod"
         "-banmapfile /etc/grid-security/ban_users.db"
         "-banmapfile /etc/grid-security/ban_users.db"
robot_ban_dn = "lcmaps_robot_ban_dn.mod"
 
robot_ban_dn = "lcmaps_robot_ban_dn.mod"  
 
               "-banmapfile /etc/grid-security/ban_users.db"
               "-banmapfile /etc/grid-security/ban_users.db"
robot_local = "lcmaps_robot_localaccount.mod"
 
robot_local = "lcmaps_robot_localaccount.mod"  
 
               "-gridmapfile /etc/grid-security/grid-mapfile"
               "-gridmapfile /etc/grid-security/grid-mapfile"
robot_pool = "lcmaps_robot_poolaccount.mod"
 
robot_pool = "lcmaps_robot_poolaccount.mod"  
 
               "-gridmapfile /etc/grid-security/grid-mapfile"
               "-gridmapfile /etc/grid-security/grid-mapfile"
              "-gridmapdir /etc/grid-security/gridmapdir/"
            "-gridmapdir /etc/grid-security/gridmapdir/"
 
###Combined policy
 
combi_mapping:


### Combined policy
     ban_dn -&gt; robot_ban_dn
combi_mapping:
  robot_ban_dn -&gt; verify_proxy
     ban_dn -> robot_ban_dn
  verify_proxy -&gt; robot_pool  
    robot_ban_dn -> verify_proxy
  ~robot_pool -&gt; robot_local
    verify_proxy -> robot_pool  
  ~robot_local -&gt; vomslocalgroup
    ~robot_pool -> robot_local
  vomslocalgroup -&gt; vomspoolaccount | vomslocalaccount
    ~robot_local -> vomslocalgroup
    vomslocalgroup -> vomspoolaccount | vomslocalaccount


= Reference =
= Reference =
[http://wiki.nikhef.nl/grid/Lcmaps-plugins-robot Main reference on the Lcmaps-plugins-robot]
[http://wiki.nikhef.nl/grid/Lcmaps-plugins-robot Main reference on the Lcmaps-plugins-robot]
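Review bot: the right side correctly replaces the HTML-escaped `-&gt;` arrows in the policy with `->`. It would also help to state the evaluation order in the text: `ban_dn` and `robot_ban_dn` have no `~` fallback rule, so a banned sub-proxy DN or a banned robot DN terminates the mapping before `verify_proxy` runs, and only the two lookups fall through (`~robot_pool -> robot_local`, `~robot_local -> vomslocalgroup`) to the classic VOMS modules.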

Revision as of 18:04, 19 May 2015


Title: Per-User Sub-Proxy
Document link: https://wiki.egi.eu/wiki/MAN12
Last modified: 19 May 2015
Policy Group Acronym:
Policy Group Name:
Contact Group:
Document Status: DRAFT
Approved Date:
Procedure Statement: This manual shows how to set up a per-user sub-proxy (PUSP) to allow identification of the individual users under a common robot certificate.
Owner: Owner of procedure


Steps

In order to configure the CREAM CE to handle the PUSP, the following steps must be performed.

Prepare the grid-mapfile, glexec.conf

You can add pool-account based mapping:

"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:*" .testvo 

or single users:

"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:prova" testvo001
"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:provola" testvo001

Then the glexec.conf must be configured with the following options:

#userswitch will be done by glexec instead of lcmaps
user_identity_switch_by = glexec 
#bypass lcas usage, assuming you're running the LCMAPS ban_dn plugin
use_lcas=no 
#use new mapping policy, we will write it to lcmaps.db
lcmaps_get_account_policy = combi_mapping 

Then prepare the lcmaps.db like the following:

path = /usr/lib64/lcmaps

### classic non-PUSP modules
verify_proxy = "lcmaps_verify_proxy.mod"
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"
localaccount = "lcmaps_localaccount.mod"
               " -gridmapfile /etc/grid-security/grid-mapfile"
poolaccount = "lcmaps_poolaccount.mod"
              " -override_inconsistency"
              " -gridmapfile /etc/grid-security/grid-mapfile"
              " -gridmapdir /etc/grid-security/gridmapdir"
vomslocalgroup = "lcmaps_voms_localgroup.mod"
                 " -groupmapfile /etc/grid-security/groupmapfile"
                 " -mapmin 0"
vomslocalaccount = "lcmaps_voms_localaccount.mod"
                   " -gridmapfile /etc/grid-security/grid-mapfile"
                   " -use_voms_gid"
vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                  " -gridmapfile /etc/grid-security/grid-mapfile"
                  " -gridmapdir /etc/grid-security/gridmapdir"
                  " -do_not_use_secondary_gids"

### PUSP specific modules
ban_dn = "lcmaps_ban_dn.mod"
         "-banmapfile /etc/grid-security/ban_users.db"
robot_ban_dn = "lcmaps_robot_ban_dn.mod"
               "-banmapfile /etc/grid-security/ban_users.db"
robot_local = "lcmaps_robot_localaccount.mod"
              "-gridmapfile /etc/grid-security/grid-mapfile"
robot_pool = "lcmaps_robot_poolaccount.mod"
             "-gridmapfile /etc/grid-security/grid-mapfile"
             "-gridmapdir /etc/grid-security/gridmapdir/"

### Combined policy
combi_mapping:
    ban_dn -> robot_ban_dn
    robot_ban_dn -> verify_proxy
    verify_proxy -> robot_pool
    ~robot_pool -> robot_local
    ~robot_local -> vomslocalgroup
    vomslocalgroup -> vomspoolaccount | vomslocalaccount
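To make the grid-mapfile section and the combi_mapping chain above concrete, here is an added example (not part of this manual, and not code from lcmaps-plugins-robot) that models the lookups in Python. The robot DN and the mapfile lines are the ones on this page; everything else is an assumption of the model: the ban list is read as one quoted DN per line, the `CN=user:*` pattern is treated as a prefix wildcard, `robot_ban_dn` is modelled as checking the sub-proxy DN with its final `/CN=user:` component removed, and the `verify_proxy` step is not reproduced.

```python
"""Model of the PUSP mapping chain described in the manual.

Added example; not code from the EGI manual or from lcmaps-plugins-robot.
Only the grid-mapfile and ban-list lookups are modelled: the real LCMAPS
modules take more options, and the verify_proxy step is not reproduced.
"""
import shlex

# Robot DN and mapfile lines taken from the manual; the ban list is constructed.
ROBOT_DN = ("/C=IT/O=INFN/OU=Robot/L=Catania"
            "/CN=Robot: Catania Science Gateway - Roberto Barbera")

POOL_MAPFILE = f'"{ROBOT_DN}/CN=user:*" .testvo\n'

SINGLE_USER_MAPFILE = (
    f'"{ROBOT_DN}/CN=user:prova" testvo001\n'
    f'"{ROBOT_DN}/CN=user:provola" testvo001\n'
)

# Assumed ban_users.db layout: one quoted DN per line, '#' comments allowed.
BAN_LIST = f'# constructed sample\n"{ROBOT_DN}/CN=user:malory"\n'


def parse_gridmapfile(text):
    """Return (dn_pattern, account) pairs; a leading '.' marks a pool account."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        entries.append((parts[0], parts[1]))
    return entries


def parse_banlist(text):
    """Return the set of banned DNs (assumed one quoted DN per line)."""
    return {shlex.split(line)[0]
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def dn_matches(pattern, dn):
    """A trailing '*' (the manual's CN=user:* form) is treated as a prefix
    wildcard; any other pattern must match the DN exactly (assumption)."""
    if pattern.endswith("*"):
        return dn.startswith(pattern[:-1])
    return dn == pattern


def robot_dn_of(dn):
    """Recover the robot certificate's own DN from a PUSP DN by dropping
    the final '/CN=user:<name>' component (assumed PUSP layout)."""
    head, sep, _ = dn.rpartition("/CN=user:")
    return head if sep else dn


def robot_pool(dn, entries):
    """Model of robot_pool: consult pool ('.'-prefixed) entries only."""
    for pattern, account in entries:
        if account.startswith(".") and dn_matches(pattern, dn):
            return account[1:]          # pool name, e.g. "testvo"
    return None


def robot_local(dn, entries):
    """Model of robot_local: consult single-user (non-pool) entries only."""
    for pattern, account in entries:
        if not account.startswith(".") and dn_matches(pattern, dn):
            return account
    return None


def combi_mapping(dn, entries, banned):
    """Walk the manual's combi_mapping chain for one sub-proxy DN.

    ban_dn -> robot_ban_dn -> verify_proxy -> robot_pool
    ~robot_pool -> robot_local ; ~robot_local -> vomslocalgroup

    Returns ("denied", module), ("pool", name), ("local", account) or
    ("fallthrough", None) when the classic VOMS modules would run next.
    """
    if dn in banned:                       # ban_dn has no '~' rule: stop here
        return ("denied", "ban_dn")
    if robot_dn_of(dn) in banned:          # whole robot banned: every sub-proxy refused
        return ("denied", "robot_ban_dn")
    # verify_proxy: the proxy chain is assumed valid in this model
    pool = robot_pool(dn, entries)
    if pool is not None:
        return ("pool", pool)
    local = robot_local(dn, entries)       # ~robot_pool -> robot_local
    if local is not None:
        return ("local", local)
    return ("fallthrough", None)           # ~robot_local -> vomslocalgroup


if __name__ == "__main__":
    banned = parse_banlist(BAN_LIST)
    for mapfile in (POOL_MAPFILE, SINGLE_USER_MAPFILE):
        entries = parse_gridmapfile(mapfile)
        for user in ("prova", "provola", "malory", "nobody"):
            print(user, combi_mapping(f"{ROBOT_DN}/CN=user:{user}", entries, banned))
```

Running it with the pool-based mapfile shows every sub-proxy user landing in the `testvo` pool except the banned one; with the single-user mapfile, `prova` and `provola` both resolve to `testvo001` and an unlisted user falls through to the VOMS modules, which is the point at which the manual's classic mapping takes over.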

Reference

Main reference on the Lcmaps-plugins-robot