Difference between revisions of "How to ban users with quattor"
| Line 2: | Line 2: | ||
Enter Quattor, and via a single list of banned users we can manage the ban lists on the various node types. | Enter Quattor, and via a single list of banned users we can manage the ban lists on the various node types. | ||
| − | + | ||
| + | == How to add a user to the ban list? == | ||
| + | |||
The template $L/cfg/sites/ndpf/site/banlist.tpl define a Pan variable GLOBAL_BANNED_USER_LIST, which is a list() containing the certificate DNs that should be banned. Adding a user to this list is simply a matter of adding one line with the DN (enclosed in double quotes and a comma after the second quote): | The template $L/cfg/sites/ndpf/site/banlist.tpl define a Pan variable GLOBAL_BANNED_USER_LIST, which is a list() containing the certificate DNs that should be banned. Adding a user to this list is simply a matter of adding one line with the DN (enclosed in double quotes and a comma after the second quote): | ||
| Line 14: | Line 16: | ||
Don't forget to give the date and reason for banning the user! | Don't forget to give the date and reason for banning the user! | ||
| − | Below is the summary of services and the method of banning | + | |
| + | == Implementation == | ||
| + | |||
| + | Services that support user banning can define a variable BANNED_USER_CONFIG which points to a template that implements the formatting of the appropriate files (see "Background Information" below). These files process the data from GLOBAL_BANNED_USER_LIST and put it in the expected format. | ||
| + | |||
| + | Currently implemented methods: | ||
| + | * lcas, used by the lcg-CE. Implementation in template | ||
| + | $L/cfg/grid/common/security/user-banning/lcas.tpl | ||
| + | * gridmap, used by the DPM server and disk. Implementation in template | ||
| + | $L/cfg/grid/common/security/user-banning/gridmap.tpl | ||
| + | * gacl, used by the WMS. Implementation in template | ||
| + | $L/cfg/grid/common/security/user-banning/gacl.tpl | ||
| + | |||
| + | == Background Information == | ||
| + | |||
| + | Below is the summary of services and the method of banning: | ||
* lcg-CE, classic-SE: the banned user DNs need to be stored in /opt/edg/etc/lcas/ban_users.db and /opt/glite/etc/lcas/ban_users.db. | * lcg-CE, classic-SE: the banned user DNs need to be stored in /opt/edg/etc/lcas/ban_users.db and /opt/glite/etc/lcas/ban_users.db. | ||
| Line 21: | Line 38: | ||
* DPM: the banned user DNs need to be mapped to a non-existing Unix account in /opt/lcg/etc/lcgdm-mapfile-local. | * DPM: the banned user DNs need to be mapped to a non-existing Unix account in /opt/lcg/etc/lcgdm-mapfile-local. | ||
| + | |||
| + | * CreamCE: to be investigated | ||
* MyProxy (PX): To be completed | * MyProxy (PX): To be completed | ||
Revision as of 15:16, 25 February 2010
Unfortunately, there is no universal method to ban grid users from using gLite services. Enter Quattor, and via a single list of banned users we can manage the ban lists on the various node types.
How to add a user to the ban list?
The template $L/cfg/sites/ndpf/site/banlist.tpl define a Pan variable GLOBAL_BANNED_USER_LIST, which is a list() containing the certificate DNs that should be banned. Adding a user to this list is simply a matter of adding one line with the DN (enclosed in double quotes and a comma after the second quote):
variable GLOBAL_BANNED_USER_LIST ?= list( "/O=banned users/O=grid/CN=Evil User", # this is a comment line # use comments to relate the banned user DN to a date and reason "/O=some other org/O=whatever/CN=Compromised Account", );
Don't forget to give the date and reason for banning the user!
Implementation
Services that support user banning can define a variable BANNED_USER_CONFIG which points to a template that implements the formatting of the appropriate files (see "Background Information" below). These files process the data from GLOBAL_BANNED_USER_LIST and put it in the expected format.
Currently implemented methods:
- lcas, used by the lcg-CE. Implementation in template
$L/cfg/grid/common/security/user-banning/lcas.tpl
- gridmap, used by the DPM server and disk. Implementation in template
$L/cfg/grid/common/security/user-banning/gridmap.tpl
- gacl, used by the WMS. Implementation in template
$L/cfg/grid/common/security/user-banning/gacl.tpl
Background Information
Below is the summary of services and the method of banning:
- lcg-CE, classic-SE: the banned user DNs need to be stored in /opt/edg/etc/lcas/ban_users.db and /opt/glite/etc/lcas/ban_users.db.
- WMS: the banned used DNs have to be present in the file /opt/glite/etc/glite_wms_wmproxy.gacl.
- DPM: the banned user DNs need to be mapped to a non-existing Unix account in /opt/lcg/etc/lcgdm-mapfile-local.
- CreamCE: to be investigated
- MyProxy (PX): To be completed
