Security middleware deployment planning

From PDP/Grid Wiki

TODO TODO TODO Don't read this!!!

Deciding which security middleware to deploy at your site depends on the scenario you need to implement.

gLExec on worker nodes

The gLExec on worker node scenario has been heavily discussed and debated (TODO: insert link here) in the context of Multi-user pilot jobs. To help you set this up on your site, check whether the following statements apply.

  • My site is part of the EGEE/EGI grid
  • I use YAIM to manage all my nodes
  • I let YAIM create all my user accounts (variable: CONFIG_USERS=yes)

If all of these statements apply, install Argus and let GLEXEC_wn use that. But be aware of the following:

  • Is your site part of the EGEE/EGI grid?
Yes/No.


Sites part of EGEE/EGI

  • Do you use YAIM (and nothing else) to configure your site? Yes/No

YAIM managed sites

  • Do you let YAIM create user accounts on every node? Yes/No

YAIM user management

  • Do you need to install gLExec on WN? Yes/No




Summary: normally you should install Argus for central authorization and mapping, but a few special cases apply. Alternatively, SCAS may be used.

See if any of the following statements apply.

  • I would like to do policy management, user mapping and user banning all from one place
    The default choice is to set up Argus[1], and configure your resources to use it (see below).

  • I use dynamic secondary group mappings which require LDAP updates
    In this case, you need to use the LDAP enforcement plugin for LCMAPS. This cannot be used in conjunction with Argus; use SCAS as the default alternative.

  • My cluster is set up to do local mappings to match users to job slots
    This is a special case, which can be handled by setting up LCMAPS without a central authorization service (i.e. node-local).

  • I'm using 3rd party plugins for LCMAPS
    We can't say in general if a plugin will or will not work with either Argus or SCAS in this case. You should try Argus first, SCAS next, and node-local setups finally.

  • I've tried Argus and it didn't work; now what?
    Open a support ticket in GGUS[2] for Argus and get it fixed. In the meantime, try to use SCAS as an alternative.

  • I don't want/need central policy management, mapping or banning
    You should set up LCMAPS independently per resource, possibly with a shared NFS gridmapdir to keep consistency between mappings.