Lcmaps-plugins-robot

From PDP/Grid Wiki
Jump to navigationJump to search

Introduction

The LCMAPS-plugins-robot package has been developed for EGIs Long Tail of Science pilot project. Unlike the normal LCMAPS plugins, it uses a so-called Per-User Sub-Proxy (PUSP) as input. These proxies are RFC3820 compliant proxy delegations from robot certificates, containing (anonymised) identifying information about the actual user in the added proxy CN field, they are typically generated inside a webportal for users logging in via a SSO system. Hence the different LCMAPS-plugins-robot modules use the first proxy DN instead of the End Entity Certificate (EEC) DN for their mapping or banning decisions. The plugin treats the proxy as a valid PUSP if it satisfies:

  1. the proxy is a valid RFC3820 proxy
  2. its EEC is a robot-type certificate:

Usage

LCMAPS db file

A typical example lcmaps.db showing the different plugins plus two policies, one for pool-account based mappings, the other for local-account based mappings:

# Specify directory where LCMAPS modules are installed
path  = /usr/lib64/lcmaps
 
# Module definitions 
verify_proxy = "lcmaps_verify_proxy.mod"
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy" # REMOVE FOR CREAM-CE !

# Normal banning module: e.g. for robot EEC
ban_dn = "lcmaps_ban_dn.mod"
         "-banmapfile /etc/grid-security/ban_users.db"

# Per-User Sub-Proxy banning module
robot_ban_dn = "lcmaps_robot_ban_dn.mod"
               "-banmapfile /etc/grid-security/ban_users.db"

# Per-User Sub-Proxy DN to localaccount mapping
robot_local = "lcmaps_robot_localaccount.mod"
              "-gridmapfile /etc/grid-security/grid-mapfile"

# Per-User Sub-Proxy DN to poolaccount mapping
robot_pool = "lcmaps_robot_poolaccount.mod"
              "-gridmapfile /etc/grid-security/grid-mapfile"
              "-gridmapdir /etc/grid-security/gridmapdir/"


# Different policies
pool_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> verify_proxy
verify_proxy -> robot_pool

local_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> verify_proxy
verify_proxy -> robot_local

In combination with gLExec, such an LCMAPS configuration would allow to do user-switching based on individual Per-User Sub-Proxy DNs.

mapfiles and mapdir

For the localaccount plugin, the grid-mapfile should contain entries such as

"/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:johndoe" nobody
"/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:janedoe" anybody

while for the poolaccount plugin, it should typically contain entries such as

"/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:*" .robotpool

and the gridmapdir should then be populated with names of LDAP- and/or local-accounts by creating empty files with their names:

robotpool001
robotpool002
...

The ban-mapfile (ban_users.db in the example DB file) could contain all kinds of different DNs and can be the same for the 'normal' lcmaps_ban_dn and the 'special' lcmaps_robot_ban_dn modules. For example, to ban both the robot certificate itself and the user janedoe, one would have

"/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin"
"/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:janedoe"

where the 'normal' plugin would trigger on the first, and the robot plugin on the second.

Further reading

General information on gLExec and LCMAPS can be found on the gLExec wiki pages.

man pages

Each plugin comes with its own man page. Online version can be found here:

Software

The current version is 0.0.3-1