GLExec Argus Quick Installation Guide
Introduction
gLExec is a program to make the required mapping between the grid world and the Unix notion of users and groups, and has the capacity to enforce that mapping by modifying the uid and gids of running processes. Based on LCAS and LCMAPS, it can both act as a light-weight 'gatekeeper' replacement, and even be used on the worker node in late-binding (pilot job) scenarios.
The gLExec uses the LCMAPS framework to abstract different implementations and techniques that can be implemented through the use of specialized plug-ins. The plug-ins do the actual work (e.g. extensive credentials, procuring an account locally or through a central authorization service, like Argus).
For information on the LCMAPS C PEP Plugin (the LCMAPS Argus callout plugin) see LCMAPS C PEP plugin for a list of valid options.
Package installation
- Enable the correct UMD or EMI repository and the EPEL repository.
- Install the correct CA distribution
- Install and run the fetch-crl utility.
- Install either the emi-glexec_wn metapackage or do a manual yum install of the following list of packages:
glexec lcmaps lcmaps-plugins-basic lcmaps-plugins-c-pep lcmaps-plugins-tracking-groupid lcmaps-plugins-verify-proxy lcmaps-plugins-voms
You optionally can also install LCAS:
lcas lcas-plugins-basic lcas-plugins-check-executable lcas-plugins-voms
glexec-wrapper-scripts
the MkGlTempDir utility:
mkgltempdir
the gLExec nagios plugin:
nagios-plugins-emi.glexec
and the YAIM configuration module for the gLExec workernode:
yaim-glexec-wn
- Create UNIX user and group glexec if they haven't been created yet (gLExec versions ≥ 0.9 automatically create them). E.g.:
groupadd -r glexec useradd -r -g glexec -d / -s /sbin/nologin -c "gLExec user account to be used with /usr/sbin/glexec" glexec
Manual configuration
As a minimum, gLExec and LCMAPS configuration files need to be configured. For use with Argus, something along the lines of the following gLExec and LCMAPS configuration files suffice:
/etc/glexec.conf
# Glexec configuration file # [glexec] user_white_list = batman, superman, .woman log_level = 3 #log_destination = file #log_file = /var/log/glexec/glexec.log lcmaps_db_file = /etc/lcmaps/lcmaps-glexec.db lcmaps_debug_level = 3 #lcmaps_log_file = /var/log/glexec/lcas_lcmaps.log lcmaps_get_account_policy = glexec_get_account #use_lcas = no #lcas_db_file = /etc/lcas/lcas-glexec.db #lcas_debug_level = 0
Edit at least the user whitelist. See the Man pages of gLExec for full information on all the configuration options.
Make sure the glexec.conf file is only writable for user root and/or glexec. In the preferred switching mode, the preferred installation of glexec binary and config files are:
-rws--x--x 1 root root 12345 2010-02-29 12:34 /usr/sbin/glexec -r-------- 1 glexec root 123 2010-02-29 12:34 /etc/glexec.conf
i.e. run
chown root.root /usr/sbin/glexec chmod 4711 /usr/sbin/glexec chown glexec.root /etc/glexec.conf chmod 400 /etc/glexec.conf
/etc/lcmaps/lcmaps-glexec.db for use with the Argus Authorization Service
# LCMAPS config file for glexec # # where to look for modules path = /usr/lib64/lcmaps # module definitions verify_proxy = "lcmaps_verify_proxy.mod" " -certdir /etc/grid-security/certificates/" " --allow-limited-proxy" pepc = "lcmaps_c_pep.mod" "--pep-daemon-endpoint-url https://argus.example.org:8154/authz" " -resourceid http://authz-interop.org/xacml/resource/resource-type/wn" " -actionid http://glite.org/xacml/action/execute" " -capath /etc/grid-security/certificates/" " -pep-certificate-mode implicit" " --use-pilot-proxy-as-cafile" # Add this on RHEL 6 based systems glexec_get_account: verify_proxy -> pepc
Edit at least:
- the pep-daemon-endpoint-url, to point to the correct Argus PEPd server.
- the resourceid to match a resource in the active policy of the Argus PAP service (run pap-admin lp on the Argus server to check).
- the actionid to match the action in the resource in the active policy of Argus PAP service as mentioned under 2.
- add/remove the --use-pilot-proxy-as-cafile depending on architecture.
/etc/lcas/lcas.db
In case LCAS is used for e.g. user banning, one can use the following simple /etc/lcas/lcas.db file:
# LCAS policy file/plugin definition # Written by: Oscar Koeroo - okoeroo * at * nikhef * dot * nl pluginname=lcas_userban.mod,pluginargs=/etc/lcas/ban_users.db
Make sure to create an (empty) ban_users.db file:
touch /etc/lcas/ban_users.db
Configuration using YAIM
GLExec can be configured using YAIM, see the YAIM guide for details on using YAIM. Typically a gLExec-with-Argus installation needs to set the following variables:
# Change this to the correct endpoint ARGUS_PEPD_ENDPOINTS="https://argus.example.org:8154/authz" # Change this to the correct resource field in the PAP policy GLEXEC_WN_PEPC_RESOURCEID="http://authz-interop.org/xacml/resource/resource-type/wn" # Change this to the correct action in the PAP policy GLEXEC_WN_PEPC_ACTIONID="http://glite.org/xacml/action/execute" GLEXEC_WN_ARGUS_ENABLED=yes GLEXEC_WN_SCAS_ENABLED="no" # Change this to the list of users that may run gLExec GLEXEC_EXTRA_WHITELIST="superman, batman, .atlp" GLEXEC_WN_OPMODE="setuid" GLEXEC_WN_USE_LCAS="no" #GLEXEC_WN_LCAS_DEBUG_LEVEL="0" GLEXEC_WN_LOG_LEVEL=3 GLEXEC_WN_LCMAPS_DEBUG_LEVEL=3 GLEXEC_WN_LOG_DESTINATION=syslog #GLEXEC_WN_LOG_DESTINATION=file #GLEXEC_WN_LOG_FILE=/var/log/glexec/glexec.log #GLEXEC_WN_LCASLCMAPS_LOG=/var/log/glexec/lcas_lcmaps.log GLEXEC_WN_INPUT_LOCK=flock GLEXEC_WN_TARGET_LOCK=flock
See for further details on the different options https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#GLEXEC_wn.
NOTE: on RedHat 6 based systems running EMI-2, one needs to add, by hand, the option --use-pilot-proxy-as-cafile to the pepc section in the lcmaps-glexec.db file. See the /etc/lcmaps/lcmaps-glexec.db file in the Manual configuration section above.
Authorization and Mapping
GLExec will interact with Argus using an LCMAPS plug-in which uses the Argus PEP-C library to call out to the Argus PEP Daemon. The response from the Argus PEP Daemon is extracted and used to deny or fulfill the mapping request to the resource.
Based on the Grid credentials, LCMAPS C PEP plug-in will send an XACML request to the Argus PEP Daemon, and then parse the XACML response decision to authorize the user and the obligations to map him to a local account which will effectively switch the active Unix account of the running process.
XACML Request
The gLExec LCMAPS PEP plug-in sends an XACML request to the PEP Daemon with the following elements by default (The previously used XACML attribute profile can still be selected, but this needs to be explicitly configured).
- XACML subject with the attribute element:
- AttributeId: urn:oasis:names:tc:xacml:1.0:subject:key-info
- Value: The PEM encoded Grid credentials provided by the calling process, fetched from the file content located by the environment variable $GLEXEC_USER_CERT. The location to the proxy file of the pilot job payload owner (e.g. the end user) must be set by this variable in order for gLExec to pass it on. The mapping will be based on this information.
- XACML resource with the attribute element:
- AttributeId: urn:oasis:names:tc:xacml:1.0:resource:resource-id
- Value: The type of resource of the node and service from where the request originated (e.g. SE, CE, WN or RB/WMS).
- XACML action with the attribute element:
- AttributeId: urn:oasis:names:tc:xacml:1.0:action:action-id
- Value: The type of action to be taken on the node from where the request originated (e.g. access-file, queue, execute-now).
- XACML environment with the attribute element:
- AttributeId: urn:oasis:names:tc:xacml:1.0:subject:key-info
- Value: The PEM encoded Grid credentials provided by the calling process, fetched from the file content located by the environment variable $X509_USER_PROXY. The location to the proxy file of the pilot job executor or pilot job framework manager must be set by this variable in case of a pilot job framework scenario.
XACML Response
The PEP Daemon sends back a XACML response to the gLExec LCMAPS PEP plug-in. The following XACML response elements are parsed to authorize and map the user:
- XACML decision element: Contains the authorization decision Permit, Deny, Indeterminate or NotApplicable
- XACML obligation, ObligationId: http://glite.org/xacml/obligation/local-environment-map/posix, with the three possible attribute assignment elements:
- AttributeId: http://glite.org/xacml/attribute/user-id
- Value: Contains the Unix User ID of the mapped user account in a string format.
- AttributeId: http://glite.org/xacml/attribute/group-id/primary
- Value: Contains the Unix Group ID of the mapped primary group in a string format.
- AttributeId: http://glite.org/xacml/attribute/group-id
- Value: Contains the Unix Secondary Group ID of the mapped group in a string format.
The local identity mapping will only succeed if the authorization decision is Permit.
Quick test
Two environment variables MUST be setup before trying gLExec:
- X509_USER_PROXY : Contains the path to the proxy file of the gLExec calling identity. This is the pilot job executor identity.
- GLEXEC_CLIENT_CERT : Contains the path to the proxy file of the identity that must get authorized and subsequently mapped by gLExec. This is the pilot job payload identity.
Run gLExec with the following command in order to perform a quick test:
export X509_USER_PROXY=${X509_USER_PROXY:-"/tmp/x509up_`id -u`"} export GLEXEC_CLIENT_CERT=${GLEXEC_CLIENT_CERT:-$X509_USER_PROXY} /usr/sbin/glexec /usr/bin/id -a; echo $?
The expected output is something like
uid=40205(testuseraccount) gid=2013(testusergroup) 0
Debugging hints / Known Issues
Currently, for RedHat 6 based installations, YAIM does not provide the correct lcmaps-glexec.db, see the Note Configuration using YAIM for details.
See Debugging hints and Exit codes of gLExec.