Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

MAN12

From EGIWiki
Jump to navigation Jump to search
Main EGI.eu operations services Support Documentation Tools Activities Performance Technology Catch-all Services Resource Allocation Security


Documentation menu: Home Manuals Procedures Training Other Contact For: VO managers Administrators



Title Per-User Sub-Proxy
Document link https://wiki.egi.eu/wiki/MAN12
Last modified 19 May 2015
Policy Group Acronym
Policy Group Name
Contact Group
Document Status DRAFT
Approved Date
Procedure Statement This manual shows how to set up a per-user sub-proxy (PUSP) to allow identification of the individual users under a common robot certificate.
Owner Owner of procedure


Goal

The goal of the per-user sub-proxy (PUSP) is allowing identification of the individual users under a common robot certificate. More information on this feature are on this wiki.

To make this work, the installation of a dedicated plugin is needed. To install the plugin, available at NIKHEF, we will follow the corresponding guide.

Steps

In order to configure the CREAM CE to handle the PUSP, the following steps must be performed.

WARNING

If you reconfigure the service using YAIM/Puppet, the configuration will be overwritten.

Installing the plugin

The installation is very simple:

rpm -ivh https://software.nikhef.nl/dist/mwsec/rpm/testing/epel6/x86_64/lcmaps-plugins-robot-0.0.3-1.el6.x86_64.rpm

Prepare the configuration

You can add one or more pool-account based mappings to grid-mapfile:

"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:*" .testvo 

or single users:

"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:test" testvo001
"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=user:testtwo" testvo001

Then the glexec.conf must be configured with the following options

#userswitch will be done by glexec instead of lcmaps
user_identity_switch_by = glexec 
#bypass lcas usage, assuming you're running the LCMAPS ban_dn plugin
use_lcas=no 
#use new mapping policy, we will write it to lcmaps.db
lcmaps_get_account_policy = combi_mapping 

Finally prepare the lcmaps.db like the following:

path = /usr/lib64/lcmaps

### classic non-PUSP modules

verify_proxy = "lcmaps_verify_proxy.mod"
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"

localaccount = "lcmaps_localaccount.mod"
" -gridmapfile /etc/grid-security/grid-mapfile"
poolaccount = "lcmaps_poolaccount.mod"
" -override_inconsistency"
" -gridmapfile /etc/grid-security/grid-mapfile"
" -gridmapdir /etc/grid-security/gridmapdir"
vomslocalgroup = "lcmaps_voms_localgroup.mod"
" -groupmapfile /etc/grid-security/groupmapfile"
" -mapmin 0"
vomslocalaccount = "lcmaps_voms_localaccount.mod"
" -gridmapfile /etc/grid-security/grid-mapfile"
" -use_voms_gid"
vomspoolaccount = "lcmaps_voms_poolaccount.mod"
" -gridmapfile /etc/grid-security/grid-mapfile"
" -gridmapdir /etc/grid-security/gridmapdir"
" -do_not_use_secondary_gids"

### PUSP specific modules
ban_dn = "lcmaps_ban_dn.mod"
         "-banmapfile /etc/grid-security/ban_users.db"
robot_ban_dn = "lcmaps_robot_ban_dn.mod"
               "-banmapfile /etc/grid-security/ban_users.db"
robot_local = "lcmaps_robot_localaccount.mod"
              "-gridmapfile /etc/grid-security/grid-mapfile"
robot_pool = "lcmaps_robot_poolaccount.mod"
              "-gridmapfile /etc/grid-security/grid-mapfile"
              "-gridmapdir /etc/grid-security/gridmapdir/"

### Combined policy
combi_mapping:
    ban_dn -> robot_ban_dn
    robot_ban_dn -> verify_proxy
    verify_proxy -> robot_pool
    ~robot_pool -> robot_local
    ~robot_local -> vomslocalgroup
    vomslocalgroup -> vomspoolaccount | vomslocalaccount

Accounting

Few modifications are enough to enable PUSP-aware accounting on CREAM. In file:

/etc/glite-ce-cream/cream-config.xml

the following start tag should be modified like this:

<service id="CREAM service (core2)" dn_filter="/CN=Robot[^/]+/CN=user:[^/]+">

adding explicitely the dn_filter attribute, or modifying it if already present.

Notes

After configuring the CREAM CE, please make sure the GridFTP server is still working. By default, it uses lcas.db and lcmaps.db at their default locations.

Reference

Main reference on the Lcmaps-plugins-robot [1]