Set up gLExec with SCAS
Revision as of 14:32, 29 April 2010
Setting up gLExec on the worker node to query SCAS for authorization decisions is preferably done through YAIM, but some set-ups require manual configuration as outlined below.
This page is part of the guide on HOWTO set up gLExec on the worker node.
Installation
For the installation and configuration of SCAS, see the gLite page on SCAS[1].
For the installation of gLExec on the worker node, see the release notes and the installation manual.
Typical gLite installation is done with
wget -O /etc/yum.repos.d/glite-GLEXEC_wn.repo http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/glite-GLEXEC_wn.repo
yum install glite-GLEXEC_wn
Configuration with YAIM
Please see the YAIM guide for general instructions on using YAIM, and the list of variables that need to be set in site-info.def, or services/glite-glexec_wn.
Important variables:
GLEXEC_WN_OPMODE=setuid
GLEXEC_WN_SCAS_ENABLED=yes
SCAS_ENDPOINTS="https://scas1.example.com:8443 https://scas2.example.com:8443"
In this example there are two endpoints, which gLExec contacts in randomized order to spread the load. If the first endpoint does not respond, it tries the remaining endpoints in turn.
After setting the variables, running YAIM is usually done as follows:
/opt/glite/yaim/bin/yaim -c -s site-info.def -n TORQUE_client -n WN -n GLEXEC_wn
Manual configuration
A simple configuration follows. It assumes you have pool accounts that are expected to use gLExec, named pilota001, pilota002, etc. and pilotb001, etc.
Edit /opt/glite/etc/glexec.conf as follows. Make sure the file's mode is
-rw-r----- 1 root glexec /opt/glite/etc/glexec.conf
[glexec]
silent_logging = no
log_level = 0
user_white_list = .pilota,.pilotb
linger = yes
lcmaps_db_file = /opt/glite/etc/lcmaps/lcmaps-glexec.db
lcmaps_log_file = /var/log/glexec/lcas_lcmaps.log
lcmaps_debug_level = 0
lcmaps_log_level = 1
lcmaps_get_account_policy = glexec_get_account
lcmaps_verify_account_policy = glexec_verify_account

lcas_db_file = /opt/glite/etc/lcas/lcas-glexec.db
lcas_log_file = /var/log/glexec/lcas_lcmaps.log
lcas_debug_level = 0
lcas_log_level = 1
user_identity_switch_by = lcmaps
preserve_env_variables = no
log_destination = file
log_file = /var/log/glexec/glexec_log
Place this in /opt/glite/etc/lcas/lcas-glexec.db:
pluginname=/opt/glite/lib64/modules/lcas_userban.mod,pluginargs=/opt/glite/etc/lcas/ban_users.db
Place this in /opt/glite/etc/lcmaps/lcmaps-glexec.db:
path = /opt/glite/lib64/modules
verify_proxy = "lcmaps_verify_proxy.mod"
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"

posix_enf = "lcmaps_posix_enf.mod"
            " -maxuid 1"
            " -maxpgid 1"
            " -maxsgid 32"

scasclient = "lcmaps_scas_client.mod"
             " -capath /etc/grid-security/certificates/"
             "--endpoint https://scas1.example.com:8443 --endpoint https://scas2.example.com:8443"
             " -resourcetype wn"
             " -actiontype execute-now"

glexec_get_account:
verify_proxy -> scasclient
scasclient -> posix_enf
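As an added example (not code from the gLExec, LCMAPS or YAIM projects), the Python below runs a few offline sanity checks over the two files configured in this section. It parses glexec.conf and evaluates user_white_list against an account name, treating a leading dot as a pool-account prefix followed by digits (an assumption of this example, inferred from the pilota001/.pilota pairing above). It parses lcmaps-glexec.db using the layout shown in this section (quoted argument fragments, a "name:" policy header, "a -> b" edges; also an assumption of the example, not the LCMAPS parser), extracts the --endpoint URLs handed to the SCAS client module and confirms that every module named in glexec_get_account is actually defined. Finally it checks that glexec.conf carries the mode and owner this section requires (-rw-r----- root:glexec). The two sample strings are constructed from the settings above.

```python
# Added example (not gLExec/LCMAPS/YAIM code); the lcmaps-glexec.db parsing
# rules below are assumed from the layout shown on the page.
import configparser
import grp
import os
import pwd
import re
import stat
import tempfile

# Constructed samples mirroring the page's glexec.conf (subset) and lcmaps-glexec.db.
SAMPLE_GLEXEC_CONF = """[glexec]
user_white_list = .pilota,.pilotb
lcmaps_get_account_policy = glexec_get_account
"""
SAMPLE_LCMAPS_DB = """path = /opt/glite/lib64/modules
verify_proxy = "lcmaps_verify_proxy.mod"
               " -certdir /etc/grid-security/certificates/" " --allow-limited-proxy"
posix_enf = "lcmaps_posix_enf.mod" " -maxuid 1" " -maxpgid 1" " -maxsgid 32"
scasclient = "lcmaps_scas_client.mod" " -capath /etc/grid-security/certificates/"
             "--endpoint https://scas1.example.com:8443 --endpoint https://scas2.example.com:8443"
             " -resourcetype wn" " -actiontype execute-now"
glexec_get_account:
verify_proxy -> scasclient
scasclient -> posix_enf
"""

def parse_glexec_conf(text):
    """glexec.conf is INI-style with one [glexec] section (keys come back lowercased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["glexec"])

def whitelist_allows(white_list, account):
    """A leading dot marks a pool-account prefix (the page's .pilota covers pilota001,
    pilota002, ...); this example assumes digits follow the prefix. Others match exactly."""
    for entry in filter(None, (e.strip() for e in white_list.split(","))):
        if entry.startswith("."):
            if re.fullmatch(re.escape(entry[1:]) + r"\d+", account):
                return True
        elif entry == account:
            return True
    return False

def parse_lcmaps_db(text):
    """Return (settings, modules, policies): modules maps a name to its quoted argument
    fragments, policies maps a policy name to its list of (src, dst) edges."""
    settings, modules, policies = {}, {}, {}
    module = policy = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith(":"):                      # "glexec_get_account:" header
            policy, module = line[:-1], None
            policies[policy] = []
        elif policy is not None:                    # "verify_proxy -> scasclient" edge
            src, dst = (p.strip() for p in line.split("->", 1))
            policies[policy].append((src, dst))
        elif line.startswith('"'):                  # continuation of the module's args
            modules[module].extend(re.findall(r'"([^"]*)"', line))
        else:                                       # name = value  or  name = "module" ...
            name, value = (p.strip() for p in line.split("=", 1))
            if value.startswith('"'):
                module, modules[name] = name, re.findall(r'"([^"]*)"', value)
            else:
                settings[name] = value
    return settings, modules, policies

def check_policy_chain(modules, policies, policy="glexec_get_account"):
    """Every module named in the policy's edges must be defined. Returns a problem list."""
    edges = policies.get(policy)
    if edges is None:
        return [f"policy {policy!r} is not defined"]
    return [f"policy {policy!r} references undefined module {m!r}"
            for src, dst in edges for m in (src, dst) if m not in modules]

def scas_endpoints(modules):
    """SCAS endpoint URLs handed to lcmaps_scas_client.mod via --endpoint."""
    return re.findall(r"--endpoint\s+(\S+)", " ".join(modules.get("scasclient", [])))

def check_conf_file_perms(path, owner="root", group="glexec"):
    """glexec.conf must be -rw-r----- root:glexec (0640): the glexec group can read it,
    nobody else. Pass owner=None / group=None to check the mode only. Returns problems."""
    st = os.stat(path)
    problems = []
    if stat.S_IMODE(st.st_mode) != 0o640:
        problems.append(f"{path}: mode is {stat.S_IMODE(st.st_mode):#o}, expected 0o640")
    if owner is not None and pwd.getpwuid(st.st_uid).pw_name != owner:
        problems.append(f"{path}: owner is uid {st.st_uid}, expected {owner}")
    if group is not None and grp.getgrgid(st.st_gid).gr_name != group:
        problems.append(f"{path}: group is gid {st.st_gid}, expected {group}")
    return problems

def make_temp_conf(mode, text=SAMPLE_GLEXEC_CONF):
    """Write the constructed glexec.conf to a temp file with the given mode (for testing)."""
    fd, path = tempfile.mkstemp(suffix="-glexec.conf")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, mode)
    return path
```

To run the same checks against a worker node's real files, feed parse_glexec_conf and parse_lcmaps_db the contents of /opt/glite/etc/glexec.conf and /opt/glite/etc/lcmaps/lcmaps-glexec.db and call check_conf_file_perms("/opt/glite/etc/glexec.conf") with its defaults; a non-empty list from either check means the installed configuration differs from what this section describes.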