Difference between revisions of "How to ban users with quattor"
m (→Implementation) |
|||
| Line 37: | Line 37: | ||
* WMS: the banned used DNs have to be present in the file /opt/glite/etc/glite_wms_wmproxy.gacl. | * WMS: the banned used DNs have to be present in the file /opt/glite/etc/glite_wms_wmproxy.gacl. | ||
| − | * DPM: the banned user DNs need to be mapped to a non-existing Unix account in /opt/lcg/etc/lcgdm-mapfile-local. | + | * DPM: the banned user DNs need to be mapped to a non-existing Unix account in /opt/lcg/etc/lcgdm-mapfile-local and /opt/edg/etc/grid-mapfile-local. |
* CreamCE: to be investigated | * CreamCE: to be investigated | ||
* MyProxy (PX): To be completed | * MyProxy (PX): To be completed | ||
Revision as of 15:18, 25 February 2010
Unfortunately, there is no universal method to ban grid users from using gLite services. Enter Quattor, and via a single list of banned users we can manage the ban lists on the various node types.
How to add a user to the ban list?
The template $L/cfg/sites/ndpf/site/banlist.tpl define a Pan variable GLOBAL_BANNED_USER_LIST, which is a list() containing the certificate DNs that should be banned. Adding a user to this list is simply a matter of adding one line with the DN (enclosed in double quotes and a comma after the second quote):
variable GLOBAL_BANNED_USER_LIST ?= list( "/O=banned users/O=grid/CN=Evil User", # this is a comment line # use comments to relate the banned user DN to a date and reason "/O=some other org/O=whatever/CN=Compromised Account", );
Don't forget to give the date and reason for banning the user!
Implementation
Services that support user banning can define a variable BANNED_USER_CONFIG which points to a template that implements the formatting of the appropriate files (see "Background Information" below). These files process the data from GLOBAL_BANNED_USER_LIST and put it in the expected format.
Currently implemented methods:
- lcas, used by the lcg-CE. Implementation in template
$L/cfg/grid/common/security/user-banning/lcas.tpl
- gridmap, used by the DPM server and disk. Implementation in template
$L/cfg/grid/common/security/user-banning/gridmap.tpl
- gacl, used by the WMS. Implementation in template
$L/cfg/grid/common/security/user-banning/gacl.tpl
Background Information
Below is the summary of services and the method of banning:
- lcg-CE, classic-SE: the banned user DNs need to be stored in /opt/edg/etc/lcas/ban_users.db and /opt/glite/etc/lcas/ban_users.db.
- WMS: the banned used DNs have to be present in the file /opt/glite/etc/glite_wms_wmproxy.gacl.
- DPM: the banned user DNs need to be mapped to a non-existing Unix account in /opt/lcg/etc/lcgdm-mapfile-local and /opt/edg/etc/grid-mapfile-local.
- CreamCE: to be investigated
- MyProxy (PX): To be completed
