Difference between revisions of "EMI-1 gLExec release test report"
Line 226: | Line 226: | ||
=== Basic functionality tests (automated) === | === Basic functionality tests (automated) === | ||
− | Execute the script as '''root'''. | + | Execute the script as '''root''' after properly configuring the script. See previous section for details: |
sh glexec-lcas-lcmaps-compound-test.sh | sh glexec-lcas-lcmaps-compound-test.sh | ||
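Review bot: the new sentence on the + line says "See previous section for details" without naming the section; name it ("Test setup (automated)") so the pointer survives reordering. Because this line tells the reader to run the script as root, it is also the place to repeat that the script rewrites glexec.conf and the LCAS/LCMAPS db files, which the page currently states only in the setup section's warning.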
Revision as of 14:13, 28 April 2011
This test plan follows the EMI SA2 template.
gLExec Test Plan
Service Description
gLExec is a program that acts as a light-weight 'gatekeeper'. gLExec takes Grid credentials as input and takes the local site policy into account to authenticate and authorize those credentials. It then switches to a new execution sandbox and executes the given command as the switched identity. gLExec can also function as a light-weight control point that offers only a binary yes/no result; this is called the logging-only mode.
More information on gLExec.
Yum Installation
To install gLExec, configure the YUM-based EPEL repository and the YUM repository which holds the EMI packages. In addition, a CA distribution, like that of the IGTF (https://www.igtf.net) or your own homebrew local CAs, needs to be installed. The IGTF distribution can also be installed through a YUM-based repository, including the FetchCRL3 utility to refresh the CA CRLs.
gLExec depends directly on:
- LCAS
- LCMAPS
- (g)libc
gLExec therefore inherits dependencies on:
- VOMS, in particular the voms-api
- Globus libraries
- OpenSSL
gLExec requires LCMAPS plugins to be installed and optionally also LCAS plugins. Expected (inherited) dependencies are:
- GridSite
- Argus PEP C
Install gLExec by performing:
    yum install emi-glexec_wn
This will install the meta package emi-glexec_wn-1.0.0-1.sl5, which will pull in the following packages:
- glexec
- glexec-wrapper-scripts
- mkgltempdir
- lcas
- lcas-plugins-basic
- lcas-plugins-check-executable
- lcas-plugins-voms
- lcmaps
- lcmaps-plugins-basic
- lcmaps-plugins-c-pep
- lcmaps-plugins-scas-client
- lcmaps-plugins-tracking-groupid
- lcmaps-plugins-verify-proxy
- lcmaps-plugins-voms
- saml2-xacml2-c-lib
And our required dependencies:
- argus-pep-api-c
- edg-mkgridmap
- emi-version
- emi.sac.GLEXEC_wn
- glite-yaim-core
- gridsite-shared
- voms
- yaim-glexec-wn
This is the first release of gLExec, LCAS, LCMAPS, and the LCMAPS-plugins-C-PEP in EMI. There is nothing to upgrade from.
System tests
Test setup
First we install and set up the system for testing, taking a clean CentOS 5 or Scientific Linux 5 machine as a baseline.
    yum install emi-glexec_wn
    yum install ca_policy_igtf-classic ca_policy_igtf-mics ca_policy_igtf-slcs fetch-crl3
    ntpdate ntp.xs4all.nl
    fetch-crl3
The base installation is now done. Moving forward to more system specific steps:
    chmod 4111 /usr/sbin/glexec
    useradd glexec
Populate a useable VOMSDIR with .lsc files:
scp -r okoeroo@span:vomsdir/vomsdir/* /etc/grid-security/vomsdir/
Test setup (manual test)
gLExec preparation
The installation default of the /etc/glexec.conf file will work fine, but you'll need to whitelist yourself to authorize your account to use gLExec.
Whitelist yourself in the /etc/glexec.conf:
user_white_list = okoeroo
LCAS preparation
Configure gLExec to use LCAS and to use the specified lcas.db. Here is a glexec.conf snippet:
    use_lcas = yes
    lcas_db_file = /etc/lcas/lcas-testing.db
    lcas_log_file = /var/log/glexec/lcas_lcmaps.log
    lcas_debug_level = 5
The /etc/lcas/lcas-testing.db would then look like:
    # LCAS policy file/plugin definition
    pluginname=/usr/lib64/modules/lcas_userban.mod,pluginargs=/etc/lcas/userban.db
Touch the file /etc/lcas/userban.db, otherwise the LCAS UserBan module will fail on the inability to read the userban.db file.
LCMAPS preparation
    lcmaps_db_file = /etc/lcmaps/lcmaps-testing.db
    lcmaps_get_account_policy = test_policy
    lcmaps_log_file = /var/log/glexec/lcas_lcmaps.log
    lcmaps_debug_level = 5
The /etc/lcmaps/lcmaps-testing.db would then look like:
    # LCMAPS policy file/plugin definition

    # default path for the modules
    path = /usr/lib64/modules/

    # Plugin definitions:
    good = "lcmaps_dummy_good.mod"
           " --dummy-username nobody"
           " --dummy-group nobody"
           " --dummy-sec-group nobody"

    posix_enf = "lcmaps_posix_enf.mod"
                " -maxuid 1"
                " -maxpgid 1"
                " -maxsgid 32"

    verifyproxy = "lcmaps_verify_proxy.mod"
                  " -certdir /etc/grid-security/certificates"

    # Policies:
    test_policy:
    verifyproxy -> good
    good -> posix_enf
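A misspelled plugin name in a policy rule only shows up when gLExec is invoked, so it helps to lint the db file first. The function below is an added example, not part of the original test plan or of LCMAPS; `lint_lcmaps_db` is a hypothetical name, and it assumes only the subset of the syntax shown above (`name = "module"` definitions, `plugin -> plugin` rules, optional `|` and `~`).

```shell
#!/bin/sh
# Added example: check that every plugin named in a policy rule of an
# LCMAPS db file has a plugin definition in the same file.

# lint_lcmaps_db FILE -> 0 if all rule plugins are defined, 1 otherwise.
lint_lcmaps_db() {
    awk '
        { sub(/#.*/, "") }                          # drop comments
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {    # name = "module.mod"
            name = $0
            sub(/[ \t]*=.*/, "", name)
            gsub(/[ \t]/, "", name)
            if (name != "path") defined[name] = 1   # path is a setting, not a plugin
            next
        }
        /->/ { rules[++nrules] = $0 }               # plugin -> plugin [| plugin]
        END {
            for (r = 1; r <= nrules; r++) {
                line = rules[r]
                sub(/^[ \t]*[A-Za-z_][A-Za-z0-9_]*:/, "", line)  # policy label
                gsub(/->|[|~]/, " ", line)
                n = split(line, tok, /[ \t]+/)
                for (i = 1; i <= n; i++)
                    if (tok[i] != "" && !(tok[i] in defined)) {
                        printf "undefined plugin \"%s\" in rule:%s\n", tok[i], rules[r]
                        bad = 1
                    }
            }
            exit bad
        }
    ' "$1"
}
```

Run it as `lint_lcmaps_db /etc/lcmaps/lcmaps-testing.db`; it prints one line per undefined plugin and returns non-zero if any were found.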
Basic functionality tests (manual)
Have a proxy certificate on the test system, here located at $HOME/mkproxy-x509-voms. Use the following script to invoke gLExec with your own user certificate:
    #!/bin/sh

    GLEXEC_BIN="/usr/sbin/glexec"
    if [ ! -f ${GLEXEC_BIN} ]; then
        GLEXEC_BIN="${GLEXEC_LOCATION}/sbin/glexec"
        if [ ! -f ${GLEXEC_BIN} ]; then
            echo "No glexec found"
            exit 1
        fi
    fi

    if [ "${X509_USER_PROXY}" = "" ]; then
        export X509_USER_PROXY=$HOME/mkproxy-x509-voms
    fi

    export GLEXEC_CLIENT_CERT=${X509_USER_PROXY}
    export GLEXEC_SOURCE_PROXY=${X509_USER_PROXY}

    #echo "------------"
    cmd="${GLEXEC_BIN} /usr/bin/id -a"
    $cmd
    echo $?

    exit 0
Run the test script and the following result is expected:
    [okoeroo@localhost ~]$ ./test-glexec.sh
    uid=99(nobody) gid=99(nobody) groups=99(nobody)
    0
Test setup (automated)
Download the gLExec (and LCAS/LCMAPS) compound test script. The SVN revision number 15284 of the compound test script was used.
WARNING: The script will rewrite the glexec.conf file multiple times to test all possible permutations of the configuration file. The LCAS and LCMAPS configuration files (lcas-testing.db and lcmaps-testing.db) will also be rewritten so that the tests work.
Edit the script to configure it. Here is what was used for this certification:
    #################
    # Setup options #
    #################
    CONTINUEONERROR=no
    TEST_ACCOUNT="okoeroo"
    GLEXEC_EXEC="/usr/sbin/glexec"
    GLEXEC_OWNERSHIP_SETUID="root.root"
    GLEXEC_FILE_PERM_SETUID="6555"
    GLEXEC_OWNERSHIP_NON_SETUID="root.root"
    GLEXEC_FILE_PERM_NON_SETUID="0555"
    CONF_OWNERSHIP_SETUID="glexec.glexec"
    CONF_FILE_PERM_SETUID="0440"
    CONF_OWNERSHIP_NON_SETUID="root.root"
    CONF_FILE_PERM_NON_SETUID="0444"
    test_glexec_conf="/etc/glexec.conf"
    test_lcas_db="/etc/lcas/lcas-testing.db"
    test_lcas_db_path="/usr/lib64/modules/"
    test_lcas_log_file="/var/log/glexec/lcas_lcmaps.log"
    test_lcas_userban_file="/etc/lcas/userban.db"
    test_lcas_debug_level="0"
    test_lcmaps_db="/etc/lcmaps/lcmaps-testing.db"
    test_lcmaps_db_path="/usr/lib64/modules/"
    test_lcmaps_log_file="/var/log/glexec/lcas_lcmaps.log"
    test_lcmaps_debug_level="0"
    priv_sep_file="/tmp/glexec_priv_sep_test.sh"
    CAPATH="/etc/grid-security/certificates"
    SCAS_ENDPOINT="https://graszaad.nikhef.nl:8443"
    PEPD_ENDPOINT="https://argus.testbed:8154/authz"
    GLEXEC_TEST_GRID_MAPFILE="/tmp/glexec-test-grid-mapfile"
    LOCALACCOUNT_TEST_MAP_USER="$TEST_ACCOUNT"
    #LOCALACCOUNT_TEST_MAP_USER="pool001"
    POOLACCOUNT_TEST_MAP_USER=".pool"

    ### Test selection ###
    USE_SCAS="yes"
    USE_SCAS=""

    #################
    # Setup proxies #
    #################
    CLIENT_CERT="/home/okoeroo/mkproxy-x509-voms"
    USER_PROXY="$CLIENT_CERT"
    SOURCE_PROXY="$CLIENT_CERT"
    TARGET_PROXY="/tmp/target_proxy"
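The setuid-mode ownership and permission values in this configuration can be verified on the installed files before a run. The following is an added example, not part of the compound test script; `check_perm` and `preflight_setuid` are hypothetical names, GNU `stat` is assumed, and the defaults are the `*_SETUID` values listed above (the manual setup earlier on this page used mode 4111 for the binary instead).

```shell
#!/bin/sh
# Added example: pre-flight check of file mode and ownership for the
# setuid installation of gLExec, using the values from the setup options.

# check_perm PATH MODE OWNER.GROUP -> 0 if mode and ownership match, else 1.
check_perm() {
    path=$1
    # stat prints 0440 as 440, so strip leading zeros from the expected mode
    want_mode=$(printf '%s' "$2" | sed 's/^0*//')
    [ -n "$want_mode" ] || want_mode=0
    want_owner=$3

    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    have_mode=$(stat -c '%a' "$path")          # octal mode incl. setuid/setgid
    have_owner=$(stat -c '%U.%G' "$path")      # same user.group form as the config
    if [ "$have_mode" != "$want_mode" ] || [ "$have_owner" != "$want_owner" ]; then
        echo "MISMATCH $path: have $have_mode $have_owner, want $want_mode $want_owner"
        return 1
    fi
    echo "OK       $path ($have_mode $have_owner)"
    return 0
}

# preflight_setuid: check the glexec binary and glexec.conf; the variables
# are the ones from the setup options, with the page's values as defaults.
preflight_setuid() {
    rc=0
    check_perm "${GLEXEC_EXEC:-/usr/sbin/glexec}" \
               "${GLEXEC_FILE_PERM_SETUID:-6555}" \
               "${GLEXEC_OWNERSHIP_SETUID:-root.root}" || rc=1
    check_perm "${test_glexec_conf:-/etc/glexec.conf}" \
               "${CONF_FILE_PERM_SETUID:-0440}" \
               "${CONF_OWNERSHIP_SETUID:-glexec.glexec}" || rc=1
    return $rc
}
```

Source the file and call `preflight_setuid`; a non-zero return means the binary or glexec.conf does not have the mode or ownership the setuid configuration expects.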
Basic functionality tests (automated)
Execute the script as root after properly configuring the script. See previous section for details:
sh glexec-lcas-lcmaps-compound-test.sh
Output:
http://www.nikhef.nl/grid/ndpf/files/EMI_1_SAC_documentation/certification_output/glexec-lcas-lcmaps-compound-test.28-april-2011.out