MAN12
| Field | Value |
|---|---|
| Title | Per-User Sub-Proxy |
| Document link | https://wiki.egi.eu/wiki/MAN12 |
| Last modified | 19 May 2015 |
| Document Status | DRAFT |
| Procedure Statement | This manual shows how to set up a per-user sub-proxy (PUSP) to allow identification of the individual users under a common robot certificate. |
| Owner | Owner of procedure |
Steps
In order to configure the CREAM CE to handle the PUSP, the following steps must be performed.
Prepare the grid-mapfile, glexec.conf
You can add a pool-account based mapping, where the wildcard after CN=user: matches every sub-proxy user of the robot:

    "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:*" .testvo

or single users:

    "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:prova" testvo001
    "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:provola" testvo001
Then glexec.conf must be configured with the following options:

    # user switch will be done by glexec instead of lcmaps
    user_identity_switch_by = glexec
    # bypass lcas usage, assuming you're running the LCMAPS ban_dn plugin
    use_lcas = no
    # use new mapping policy, we will write it to lcmaps.db
    lcmaps_get_account_policy = combi_mapping
Then prepare lcmaps.db like the following:

    path = /usr/lib64/lcmaps

    ### classic non-PUSP modules
    verify_proxy = "lcmaps_verify_proxy.mod"
                   " -certdir /etc/grid-security/certificates/"
                   " --allow-limited-proxy"
    localaccount = "lcmaps_localaccount.mod"
                   " -gridmapfile /etc/grid-security/grid-mapfile"
    poolaccount = "lcmaps_poolaccount.mod"
                  " -override_inconsistency"
                  " -gridmapfile /etc/grid-security/grid-mapfile"
                  " -gridmapdir /etc/grid-security/gridmapdir"
    vomslocalgroup = "lcmaps_voms_localgroup.mod"
                     " -groupmapfile /etc/grid-security/groupmapfile"
                     " -mapmin 0"
    vomslocalaccount = "lcmaps_voms_localaccount.mod"
                       " -gridmapfile /etc/grid-security/grid-mapfile"
                       " -use_voms_gid"
    vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                      " -gridmapfile /etc/grid-security/grid-mapfile"
                      " -gridmapdir /etc/grid-security/gridmapdir"
                      " -do_not_use_secondary_gids"

    ### PUSP specific modules
    ban_dn = "lcmaps_ban_dn.mod"
             "-banmapfile /etc/grid-security/ban_users.db"
    robot_ban_dn = "lcmaps_robot_ban_dn.mod"
                   "-banmapfile /etc/grid-security/ban_users.db"
    robot_local = "lcmaps_robot_localaccount.mod"
                  "-gridmapfile /etc/grid-security/grid-mapfile"
    robot_pool = "lcmaps_robot_poolaccount.mod"
                 "-gridmapfile /etc/grid-security/grid-mapfile"
                 "-gridmapdir /etc/grid-security/gridmapdir/"

    ### Combined policy
    combi_mapping:
    ban_dn -> robot_ban_dn
    robot_ban_dn -> verify_proxy
    verify_proxy -> robot_pool
    ~robot_pool -> robot_local
    ~robot_local -> vomslocalgroup
    vomslocalgroup -> vomspoolaccount | vomslocalaccount
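The following Python script is an added model of the decision chain that the combi_mapping policy expresses; it is not part of this manual and not LCMAPS code. It walks ban_dn (full sub-proxy DN), robot_ban_dn (the robot part of the DN), robot_pool (wildcard entry whose account starts with a dot) and robot_local (exact entry) in the order the policy lists them, and keys pool leases on the full sub-proxy DN so that each robot user keeps getting the same Unix account. Everything except the Catania robot DN and the .testvo entry from the page is constructed: the second and third robot DNs, the accounts exlocal, testvo001 and testvo002, the dict standing in for gridmapdir, and the ban file contents. The verify_proxy step (certificate-chain validation) and the VOMS fallbacks are not modelled, and the pool-before-local precedence is taken from the policy text, not from the behaviour of the real modules.

```python
"""Model of the PUSP mapping chain: ban_dn -> robot_ban_dn -> robot_pool -> robot_local."""
import re
import shlex

ROBOT_CT = "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera"
ROBOT_EX = "/C=XX/O=Example/OU=Robot/CN=Robot: Example Portal"   # constructed
ROBOT_OLD = "/C=XX/O=Example/OU=Robot/CN=Robot: Retired Portal"  # constructed

# Constructed grid-mapfile: the pool entry for the Catania robot shown on the page
# plus a single-user entry for a second, constructed robot.
GRID_MAPFILE = f'''
"{ROBOT_CT}/CN=user:*" .testvo
"{ROBOT_EX}/CN=user:alice" exlocal
'''

# Constructed ban_users.db: one banned sub-proxy user and one banned robot.
BAN_USERS = f'''
"{ROBOT_CT}/CN=user:mallory"
"{ROBOT_OLD}"
'''

PUSP_RE = re.compile(r"^(?P<robot>.+?)/CN=user:(?P<user>[^/]+)$")


def fresh_gridmapdir():
    """Constructed stand-in for gridmapdir: pool account -> DN holding the lease (None = free)."""
    return {"testvo001": None, "testvo002": None}


def parse_quoted_file(text, fields):
    """Parse grid-mapfile / ban-file style lines: a quoted DN followed by optional fields."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) != fields:
            raise ValueError(f"malformed line: {line!r}")
        rows.append(tuple(parts))
    return rows


def split_pusp(dn):
    """Return (robot_dn, user_id) for a per-user sub-proxy DN, else None."""
    m = PUSP_RE.match(dn)
    return (m.group("robot"), m.group("user")) if m else None


def dn_matches(pattern, dn):
    """Exact match, or prefix match (one RDN only) when the pattern ends in /CN=user:*."""
    if pattern.endswith("/CN=user:*"):
        prefix = pattern[:-1]
        return dn.startswith(prefix) and "/" not in dn[len(prefix):]
    return pattern == dn


def map_pusp(dn, mapfile, banfile, gridmapdir):
    """Walk the combi_mapping chain; return (account, deciding step) or (None, reason)."""
    banned = {row[0] for row in parse_quoted_file(banfile, 1)}
    if dn in banned:                       # ban_dn: the full sub-proxy DN is banned
        return None, "ban_dn"
    parts = split_pusp(dn)
    if parts is None:                      # a plain robot proxy carries no user id
        return None, "not a per-user sub-proxy"
    robot, _user = parts
    if robot in banned:                    # robot_ban_dn: the whole robot is refused
        return None, "robot_ban_dn"
    entries = parse_quoted_file(mapfile, 2)
    # robot_pool: a wildcard entry whose account starts with '.' names a pool prefix.
    for pattern, account in entries:
        if account.startswith(".") and dn_matches(pattern, dn):
            for name, holder in gridmapdir.items():       # reuse an existing lease
                if holder == dn:
                    return name, "robot_pool (existing lease)"
            for name, holder in sorted(gridmapdir.items()):   # take a free account
                if holder is None and name.startswith(account[1:]):
                    gridmapdir[name] = dn
                    return name, "robot_pool (new lease)"
            # pool exhausted: fall through to robot_local
    # robot_local: an exact entry for this sub-proxy user.
    for pattern, account in entries:
        if not account.startswith(".") and dn_matches(pattern, dn):
            return account, "robot_local"
    return None, "no mapping"


if __name__ == "__main__":
    gm = fresh_gridmapdir()
    for who in (ROBOT_CT + "/CN=user:prova", ROBOT_CT + "/CN=user:provola",
                ROBOT_CT + "/CN=user:prova", ROBOT_CT + "/CN=user:mallory",
                ROBOT_OLD + "/CN=user:bob", ROBOT_EX + "/CN=user:alice", ROBOT_CT):
        print(f"{who.rsplit('/', 1)[-1]:>22} -> {map_pusp(who, GRID_MAPFILE, BAN_USERS, gm)}")
```

The model shows why the per-user sub-proxy matters for traceability: two users of the same robot end up in different pool accounts, a repeat submission by the same user lands in the same account, and a ban can be applied either to one user or to the whole robot without touching the grid-mapfile.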