Revision as of 18:49, 19 May 2015
Title | Per-User Sub-Proxy
Document link | https://wiki.egi.eu/wiki/MAN12
Last modified | 19 May 2015
Policy Group Acronym |
Policy Group Name |
Contact Group |
Document Status | DRAFT
Approved Date |
Procedure Statement | This manual shows how to set up a per-user sub-proxy (PUSP) so that the individual users acting under a common robot certificate can be identified.
Owner | Owner of procedure
Steps
In order to configure the CREAM CE to handle the PUSP, the following steps must be performed.
Installing the plugin
The installation is a single package from the Nikhef mwsec testing repository:
<pre>rpm -ivh https://software.nikhef.nl/dist/mwsec/rpm/testing/epel6/x86_64/lcmaps-plugins-robot-0.0.3-1.el6.x86_64.rpm</pre>
Import the repository's package-signing key before running this, if one is published: without it rpm only prints a NOKEY warning and installs the unverified package anyway.
Prepare the configuration
You can add a pool-account based mapping to the grid-mapfile. The trailing CN=user:* matches every user identifier issued under this robot, and the leading dot in .testvo selects a pool account, so each PUSP user is leased an account of their own:
<pre>"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:*" .testvo</pre>
or map single users to fixed accounts (note that both entries below map to the same account, so these two users are not separated from each other):
<pre>"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:prova" testvo001
"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:provola" testvo001</pre>
Then configure glexec.conf with the following options:
<pre># the user switch will be done by glexec instead of lcmaps
user_identity_switch_by = glexec
# bypass lcas usage, assuming you're running the LCMAPS ban_dn plugin
use_lcas=no
# use the new mapping policy, which we will write to lcmaps.db
lcmaps_get_account_policy = combi_mapping</pre>
Finally, prepare lcmaps.db like the following:
<pre>path = /usr/lib64/lcmaps

### classic non-PUSP modules
verify_proxy = "lcmaps_verify_proxy.mod"
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"
localaccount = "lcmaps_localaccount.mod"
               " -gridmapfile /etc/grid-security/grid-mapfile"
poolaccount = "lcmaps_poolaccount.mod"
              " -override_inconsistency"
              " -gridmapfile /etc/grid-security/grid-mapfile"
              " -gridmapdir /etc/grid-security/gridmapdir"
vomslocalgroup = "lcmaps_voms_localgroup.mod"
                 " -groupmapfile /etc/grid-security/groupmapfile"
                 " -mapmin 0"
vomslocalaccount = "lcmaps_voms_localaccount.mod"
                   " -gridmapfile /etc/grid-security/grid-mapfile"
                   " -use_voms_gid"
vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                  " -gridmapfile /etc/grid-security/grid-mapfile"
                  " -gridmapdir /etc/grid-security/gridmapdir"
                  " -do_not_use_secondary_gids"

### PUSP specific modules
ban_dn = "lcmaps_ban_dn.mod"
         "-banmapfile /etc/grid-security/ban_users.db"
robot_ban_dn = "lcmaps_robot_ban_dn.mod"
               "-banmapfile /etc/grid-security/ban_users.db"
robot_local = "lcmaps_robot_localaccount.mod"
              "-gridmapfile /etc/grid-security/grid-mapfile"
robot_pool = "lcmaps_robot_poolaccount.mod"
             "-gridmapfile /etc/grid-security/grid-mapfile"
             "-gridmapdir /etc/grid-security/gridmapdir/"

### Combined policy
combi_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> verify_proxy
verify_proxy -> robot_pool
~robot_pool -> robot_local
~robot_local -> vomslocalgroup
vomslocalgroup -> vomspoolaccount | vomslocalaccount</pre>
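To check what these entries will do before touching a CE, the following is an added example; it is not code from this manual, from EGI or from the LCMAPS project. It walks the combi_mapping order on constructed input: the ban checks first, then the robot pool entry, then the pinned robot entries, then fall-through to the ordinary VOMS modules. The wildcard and the per-user styles are kept on two different robot DNs because the manual presents them as alternatives. The second robot DN, the user identifiers, the sgw* account names, the pool size and the one-quoted-DN-per-line ban-file layout are assumptions; the real plugins' matching rules and the hard-link leasing of a gridmapdir are not reproduced, only the sticky lease that gives each PUSP user a distinct account and lets one user be banned without affecting the others.

```python
import re

# Constructed identities for this example (not from the manual). Robot A uses the
# wildcard pool-account entry, robot B pins individual users: the two mapping
# styles the manual shows, kept on separate robots so the policy order is visible.
ROBOT_A = "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera"
ROBOT_B = "/C=IT/O=INFN/OU=Robot/L=Example/CN=Robot: Example Science Gateway"

# Constructed grid-mapfile in the syntax used above; the sgw* account names are invented.
GRID_MAPFILE = f'''
"{ROBOT_A}/CN=user:*" .testvo
"{ROBOT_B}/CN=user:prova" sgwprova
"{ROBOT_B}/CN=user:provola" sgwprovola
'''

# Constructed ban list. One quoted DN per line is an assumption about the
# banmapfile layout; the real lcmaps_ban_dn syntax is not reproduced here.
BAN_USERS = f'''
"{ROBOT_A}/CN=user:mallory"
'''

# Constructed gridmapdir contents: the accounts behind the ".testvo" pool.
POOLS = {"testvo": ["testvo001", "testvo002", "testvo003"]}

MAPLINE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')
BANLINE = re.compile(r'^\s*"([^"]+)"\s*$')
PUSP = re.compile(r'^(?P<robot>.+)/CN=user:(?P<user>[^/]+)$')


def parse_mapfile(text):
    """grid-mapfile text -> [(dn_or_pattern, account)]; comments and blanks are skipped."""
    return [m.groups() for m in map(MAPLINE.match, text.splitlines()) if m]


def parse_banfile(text):
    """Ban-list text -> set of banned DNs."""
    return {m.group(1) for m in map(BANLINE.match, text.splitlines()) if m}


def split_pusp(dn):
    """(robot_dn, user_id) for a per-user sub-proxy DN; (dn, None) for any other DN."""
    m = PUSP.match(dn)
    return (m.group("robot"), m.group("user")) if m else (dn, None)


def dn_matches(pattern, dn):
    """Exact match, or a trailing CN=user:* that covers every user id of that robot."""
    if pattern.endswith("/CN=user:*"):
        robot, user = split_pusp(dn)
        return user is not None and robot == pattern[: -len("/CN=user:*")]
    return pattern == dn


class PuspMapper:
    """Walks the combi_mapping order: ban checks, robot pool, robot local, then VOMS."""

    def __init__(self, mapfile_text, banfile_text, pools):
        self.entries = parse_mapfile(mapfile_text)
        self.banned = parse_banfile(banfile_text)
        self.pools = pools
        self.leases = {}  # dn -> pool account: the sticky lease a gridmapdir provides

    def resolve(self, dn):
        robot, user = split_pusp(dn)
        # ban_dn -> robot_ban_dn: the full DN, or the robot behind it, is on the ban list
        if dn in self.banned or robot in self.banned:
            return ("banned", None)
        # verify_proxy -> robot_pool: a pool entry (".prefix") that covers this PUSP DN
        for pattern, account in self.entries:
            if user and account.startswith(".") and dn_matches(pattern, dn):
                return ("robot_pool", self._lease(account[1:], dn))
        # ~robot_pool -> robot_local: a fixed account for exactly this PUSP DN
        for pattern, account in self.entries:
            if user and not account.startswith(".") and pattern == dn:
                return ("robot_local", account)
        # ~robot_local -> vomslocalgroup -> ...: ordinary VOMS mapping, not modelled here
        return ("voms", None)

    def _lease(self, pool, dn):
        """Return this DN's existing lease, or the first free account of the pool."""
        if dn in self.leases:
            return self.leases[dn]
        free = [a for a in self.pools[pool] if a not in self.leases.values()]
        if not free:
            raise RuntimeError(f"pool {pool} exhausted")
        self.leases[dn] = free[0]
        return free[0]


if __name__ == "__main__":
    mapper = PuspMapper(GRID_MAPFILE, BAN_USERS, POOLS)
    for subject in (ROBOT_A + "/CN=user:alice", ROBOT_A + "/CN=user:bob",
                    ROBOT_A + "/CN=user:alice", ROBOT_A + "/CN=user:mallory",
                    ROBOT_B + "/CN=user:prova", ROBOT_B + "/CN=user:carol", ROBOT_A):
        print(mapper.resolve(subject), "<-", subject.rsplit("/", 1)[-1])
```

Two results are worth noting when you run it: the bare robot DN (no CN=user: component) is not covered by the wildcard entry and drops through to the VOMS modules, and once the three pool accounts are leased a fourth user of robot A is refused rather than sharing an account, which is the isolation the wildcard pool entry buys over the shared fixed account.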
Notes
After configuring the CREAM CE, make sure the GridFTP server still works. It also uses LCAS and LCMAPS, reading lcas.db and lcmaps.db from their default locations rather than from the glexec settings above, so if you replaced lcmaps.db with the policy shown here, confirm that the mapping GridFTP relies on still resolves and run a test transfer.
Reference
Original guide on how to configure the plugin: http://wiki.nikhef.nl/grid/Lcmaps-plugins-robot