Set up gLExec with SCAS
Setting up gLExec on the worker node to query SCAS for authorization decisions is preferably done through YAIM, but some set-ups require manual configuration as outlined below.
This page is part of the guide on HOWTO set up gLExec on the worker node.
A typical gLite installation is done with:
wget -O /etc/yum.repos.d/glite-GLEXEC_wn.repo http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/glite-GLEXEC_wn.repo
yum install glite-GLEXEC_wn
Configuration with YAIM
GLEXEC_WN_OPMODE=setuid
GLEXEC_WN_SCAS_ENABLED=yes
SCAS_ENDPOINTS="https://scas1.example.com:8443 https://scas2.example.com:8443"
In this example there are two endpoints, which gLExec will use in a randomized fashion to even out the load. If the first one doesn't respond, it will try all the endpoints.
After setting the variables, running YAIM is usually done as follows:
/opt/glite/yaim/bin/yaim -c -s site-info.def -n TORQUE_client -n WN -n GLEXEC_wn
Simple configuration. The following assumes that the pool accounts expected to use gLExec are named pilota001, pilota002, etc. and pilotb001, etc.
Edit /opt/glite/etc/glexec.conf as follows. Make sure the file's mode is
-rw-r----- 1 root glexec /opt/glite/etc/glexec.conf
[glexec]
silent_logging = no
log_level = 0
user_white_list = .pilota,.pilotb
linger = yes
lcmaps_db_file = /opt/glite/etc/lcmaps/lcmaps-glexec.db
lcmaps_log_file = /var/log/glexec/lcas_lcmaps.log
lcmaps_debug_level = 0
lcmaps_log_level = 1
lcmaps_get_account_policy = glexec_get_account
lcmaps_verify_account_policy = glexec_verify_account
lcas_db_file = /opt/glite/etc/lcas/lcas-glexec.db
lcas_log_file = /var/log/glexec/lcas_lcmaps.log
lcas_debug_level = 0
lcas_log_level = 1
user_identity_switch_by = lcmaps
preserve_env_variables = no
log_destination = file
log_file = /var/log/glexec/glexec_log
Place this in /opt/glite/etc/lcas/lcas-glexec.db:
Place this in /opt/glite/etc/lcmaps/lcmaps-glexec.db:
path = /opt/glite/lib64/modules
verify_proxy = "lcmaps_verify_proxy.mod"
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"
posix_enf = "lcmaps_posix_enf.mod"
            " -maxuid 1"
            " -maxpgid 1"
            " -maxsgid 32"
scasclient = "lcmaps_scas_client.mod"
             " -capath /etc/grid-security/certificates/"
             " --endpoint https://scas1.example.com:8443"
             " --endpoint https://scas2.example.com:8443"
             " -resourcetype wn"
             " -actiontype execute-now"
glexec_get_account:
verify_proxy -> scasclient
scasclient -> posix_enf
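As an added example (not part of gLExec or of the original page), the following shell script checks a hand-edited set-up against the points above: the 0640 mode of glexec.conf, that each policy named by lcmaps_get_account_policy and lcmaps_verify_account_policy has a header line in the LCMAPS db file, and that every --endpoint is an https URL. The function names are made up for this example, stat -c assumes GNU coreutils, and the https check assumes SCAS is only meant to be reached over TLS, as in the endpoints shown.

```shell
#!/bin/sh
# Added example, not part of gLExec: checks for a hand-edited set-up.
# Function names are made up here; stat -c assumes GNU coreutils.

# Print the value of KEY from an ini-style file such as glexec.conf.
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Succeed only if FILE has exactly mode 0640 (-rw-r-----).
conf_mode_ok() {  # conf_mode_ok FILE
    [ "$(stat -c '%a' "$1")" = "640" ]
}

# Print each policy that CONF names in lcmaps_*_policy but that has no
# "name:" header line in the LCMAPS db file DB.
missing_policies() {  # missing_policies CONF DB
    for key in lcmaps_get_account_policy lcmaps_verify_account_policy; do
        pol=$(conf_value "$1" "$key")
        [ -n "$pol" ] || continue
        grep -Eq "^[[:space:]]*${pol}[[:space:]]*:" "$2" || echo "$pol"
    done
}

# Print each --endpoint URL in DB that does not start with https://.
insecure_endpoints() {  # insecure_endpoints DB
    grep -Eo -e '--endpoint[[:space:]]+[^"[:space:]]+' "$1" |
        awk '$2 !~ /^https:\/\// { print $2 }'
}

# Run all checks; print one FAIL line per problem, return non-zero on any.
check_glexec() {  # check_glexec CONF DB
    rc=0
    conf_mode_ok "$1" || { echo "FAIL: $1 is not mode 0640"; rc=1; }
    for p in $(missing_policies "$1" "$2"); do
        echo "FAIL: policy $p is not defined in $2"; rc=1
    done
    for u in $(insecure_endpoints "$2"); do
        echo "FAIL: endpoint $u is not https"; rc=1
    done
    return "$rc"
}

# Usage: sh check.sh /opt/glite/etc/glexec.conf /opt/glite/etc/lcmaps/lcmaps-glexec.db
if [ "$#" -eq 2 ]; then check_glexec "$1" "$2"; fi
```

Run it as root, since glexec.conf is readable only by root and the glexec group; ownership (root:glexec) is not checked here.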