Set up gLExec with SCAS

From PDP/Grid Wiki
Jump to navigationJump to search

Setting up gLExec on the worker node to query SCAS for authorization decisions is preferably done through YAIM, but some set-ups require manual configuration as outlined below.

This page is part of the guide on HOWTO set up gLExec on the worker node.

Installation

For the installation and configuration of SCAS, see the gLite page on SCAS[1].

For the installation of gLExec on the worker node, see the release notes and the installation manual.

Typical gLite installation is done with 

wget -O /etc/yum.repos.d/glite-GLEXEC_wn.repo http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/glite-GLEXEC_wn.repo
yum install glite-GLEXEC_wn


Configuration with YAIM

Please see the YAIM guide for general instructions on using YAIM, and the list of variables that need to be set in site-info.def, or services/glite-glexec_wn.

Important variables: 

GLEXEC_WN_OPMODE=setuid
GLEXEC_WN_SCAS_ENABLED=yes
SCAS_ENDPOINTS="https://scas1.example.com:8443 https://scas2.example.com:8443"

In this example there are two endpoints, that gLExec will use in a randomized fashion to even the load. It will try all the endpoints in case the first one doesn't respond.

After setting the variables, running YAIM is usually done as follows: 

/opt/glite/yaim/bin/yaim -c -s site-info.def -n TORQUE_client -n WN -n GLEXEC_wn

Manual configuration

Simple configuration. The following assumes you have pool accounts that are expected to use gLExec named pilota001, pilota002, etc. and pilotb001, etc.

Edit /opt/glite/etc/glexec.conf as follows. Make sure the file's mode is 

-rw-r----- 1 root glexec  /opt/glite/etc/glexec.conf

[glexec]
silent_logging               = no
log_level                    = 0
user_white_list              = .pilota,.pilotb
linger                       = yes
lcmaps_db_file               = /opt/glite/etc/lcmaps/lcmaps-glexec.db
lcmaps_log_file              = /var/log/glexec/lcas_lcmaps.log
lcmaps_debug_level           = 0
lcmaps_log_level             = 1
lcmaps_get_account_policy    = glexec_get_account
lcmaps_verify_account_policy = glexec_verify_account

lcas_db_file                 = /opt/glite/etc/lcas/lcas-glexec.db
lcas_log_file                = /var/log/glexec/lcas_lcmaps.log
lcas_debug_level             = 0
lcas_log_level               = 1
user_identity_switch_by      = lcmaps
preserve_env_variables       = no
log_destination              = file
log_file                     = /var/log/glexec/glexec_log

Place this in /opt/glite/etc/lcas/lcas-glexec.db: 

pluginname=/opt/glite/lib64/modules/lcas_userban.mod,pluginargs=/opt/glite/etc/lcas/ban_users.db

Place this in /opt/glite/etc/lcmaps/lcmaps-glexec.db: 

path = /opt/glite/lib64/modules
verify_proxy = "lcmaps_verify_proxy.mod" 
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"

posix_enf = "lcmaps_posix_enf.mod"
            " -maxuid 1"
            " -maxpgid 1"
            " -maxsgid 32"

scasclient = "lcmaps_scas_client.mod"
             " -capath /etc/grid-security/certificates/"
             "--endpoint https://scas1.example.com:8443"
             "--endpoint https://scas2.example.com:8443"
             " -resourcetype wn"
             " -actiontype execute-now"

glexec_get_account:
verify_proxy -> scasclient
scasclient -> posix_enf
Retrieved from "https://wiki.nikhef.nl/grid/index.php?title=Set_up_gLExec_with_SCAS&oldid=7376"