Difference between revisions of "How to ban users with quattor"

From PDP/Grid Wiki
Jump to navigationJump to search
Line 1: Line 1:
Unfortunately, there is no universal method to ban grid users from using gLite services. Below is the summary of services and the method of banning. Note that both the implementation and the documentation need to be improved!
+
Unfortunately, there is no universal method to ban grid users from using gLite services.  
 +
Enter Quattor, and via a single list of banned users we can manage the ban lists on the various node types.
  
* lcg-CE, classic-SE: the banned user DNs need to be stored in /opt/edg/etc/lcas/ban_users.db and /opt/glite/etc/lcas/ban_users.db. The template $L/cfg/sites/ndpf/site/banned_users.tpl takes care of this.
+
'''How to add a user to the ban list?'''
 +
The template $L/cfg/sites/ndpf/site/banlist.tpl define a Pan variable GLOBAL_BANNED_USER_LIST, which is a list() containing the certificate DNs that should be banned. Adding a user to this list is simply a matter of adding one line with the DN (enclosed in double quotes and a comma after the second quote):
  
* WMS: the banned used DNs have to be present in the file /opt/glite/etc/glite_wms_wmproxy.gacl. The quattor template $L/cfg/sites/ndpf/site/users_gacl_wms.tpl takes care of this.
+
variable GLOBAL_BANNED_USER_LIST ?= list(
 +
  "/O=banned users/O=grid/CN=Evil User",
 +
  # this is a comment line
 +
  # use comments to relate the banned user DN to a date and reason
 +
  "/O=some other org/O=whatever/CN=Compromised Account",
 +
);
  
* DPM: the banned user DNs need to be mapped to a non-existing Unix account in /opt/lcg/etc/lcgdm-mapfile-local. This cannot yet be accomplished via our quattor setup.
+
Don't forget to give the date and reason for banning the user!
 +
 
 +
Below is the summary of services and the method of banning as background information:
 +
 
 +
* lcg-CE, classic-SE: the banned user DNs need to be stored in /opt/edg/etc/lcas/ban_users.db and /opt/glite/etc/lcas/ban_users.db.
 +
 
 +
* WMS: the banned used DNs have to be present in the file /opt/glite/etc/glite_wms_wmproxy.gacl.
 +
 
 +
* DPM: the banned user DNs need to be mapped to a non-existing Unix account in /opt/lcg/etc/lcgdm-mapfile-local.
  
 
* MyProxy (PX): To be completed
 
* MyProxy (PX): To be completed

Revision as of 15:08, 25 February 2010

Unfortunately, there is no universal method to ban grid users from using gLite services. Enter Quattor, and via a single list of banned users we can manage the ban lists on the various node types.

How to add a user to the ban list? The template $L/cfg/sites/ndpf/site/banlist.tpl define a Pan variable GLOBAL_BANNED_USER_LIST, which is a list() containing the certificate DNs that should be banned. Adding a user to this list is simply a matter of adding one line with the DN (enclosed in double quotes and a comma after the second quote): 

variable GLOBAL_BANNED_USER_LIST ?= list(
 "/O=banned users/O=grid/CN=Evil User",
 # this is a comment line
 # use comments to relate the banned user DN to a date and reason
 "/O=some other org/O=whatever/CN=Compromised Account",
);

Don't forget to give the date and reason for banning the user!

Below is the summary of services and the method of banning as background information:

  • lcg-CE, classic-SE: the banned user DNs need to be stored in /opt/edg/etc/lcas/ban_users.db and /opt/glite/etc/lcas/ban_users.db.
  • WMS: the banned used DNs have to be present in the file /opt/glite/etc/glite_wms_wmproxy.gacl.
  • DPM: the banned user DNs need to be mapped to a non-existing Unix account in /opt/lcg/etc/lcgdm-mapfile-local.
  • MyProxy (PX): To be completed
Retrieved from "https://wiki.nikhef.nl/grid/index.php?title=How_to_ban_users_with_quattor&oldid=4150"