Difference between revisions of "Security middleware deployment planning"
From PDP/Grid Wiki
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | TODO TODO TODO Don't read this!!! | ||
| + | |||
| Deciding which security middleware to deploy at your site depends on the | Deciding which security middleware to deploy at your site depends on the | ||
| scenario you need to implement. | scenario you need to implement. | ||
| − | * Is your site part of the EGEE/EGI grid? | + | == gLExec on worker nodes == | 
| − | * Do you use YAIM (and nothing else) to configure your site? | + | |
| − | * Do you let YAIM create user accounts on every node? | + | The gLExec on worker node scenario has been heavily discussed and debated (TODO: insert link here) in the context of Multi-user pilot jobs. In order to help you set this up on your site, check if the following statements apply. | 
| − | * Do you need to install gLExec on WN? | + | |
| + | * My site is part of the EGEE/EGI grid | ||
| + | * I use YAIM to manage all my nodes | ||
| + | * I let YAIM create all my user accounts (variable: CONFIG_USERS=yes) | ||
| + | |||
| + | If all statements apply, install Argus and let GLEXEC_wn use that. But be aware of the following | ||
| + | |||
| + | *Is your site part of the EGEE/EGI grid? | ||
| + | : [[#Sites part of EGEE/EGI|Yes]]/[[Other Grids|No]]. | ||
| + | |||
| + | |||
| + | === Sites part of EGEE/EGI === | ||
| + | |||
| + | * Do you use [https://twiki.cern.ch/twiki/bin/view/EGEE/YAIM YAIM] (and nothing else) to configure your site? [[#YAIM managed sites|Yes]]/[[Deployment on sites without YAIM|No]] | ||
| + | |||
| + | === YAIM managed sites === | ||
| + | |||
| + | * Do you let [https://twiki.cern.ch/twiki/bin/view/EGEE/YAIM YAIM] create user accounts on every node? [[#YAIM user management|Yes]]/[[#YAIM no user management|No]] | ||
| + | |||
| + | === YAIM user management === | ||
| + | |||
| + | * Do you need to install gLExec on WN? [[Configuration of gLExec with Argus|Yes]]/[[Node local configuration|No]] | ||
| − | |||
| − | |||
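Review bot: the added sentence "If all statements apply, install Argus and let GLEXEC_wn use that. But be aware of the following" ends without the caveats it announces, so a reader is told to install Argus with no idea what to watch for; either add the list or drop the second sentence until it exists. The new intro also still carries "(TODO: insert link here)", and the old question "Is your site part of the EGEE/EGI grid?" is re-added as a Yes/No branch right after the new statement checklist that already covers it, so the page now asks the same thing in two forms. Pick either the checklist or the decision tree. Since the revision opens with "TODO TODO TODO Don't read this!!!", consider keeping the draft on a separate page until the gLExec section is complete.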
Latest revision as of 14:36, 23 April 2010
TODO TODO TODO Don't read this!!!
Deciding which security middleware to deploy at your site depends on the scenario you need to implement.
gLExec on worker nodes
The gLExec-on-worker-node scenario has been heavily discussed and debated (TODO: insert link here) in the context of multi-user pilot jobs. To help you set this up at your site, check whether the following statements apply.
- My site is part of the EGEE/EGI grid
- I use YAIM to manage all my nodes
- I let YAIM create all my user accounts (variable: CONFIG_USERS=yes)
If all statements apply, install Argus and let GLEXEC_wn use that. But be aware of the following
- Is your site part of the EGEE/EGI grid?
Sites part of EGEE/EGI
YAIM managed sites
YAIM user management
Summary: normally you should install Argus for central authorization and mapping, but a few special cases apply. Alternatively, SCAS may be used.
See if any of the following statements apply.
- I would like to do policy management, user mapping and user banning all from one place
  - The default choice is to set up Argus[1], and configure your resources to use it (see below).
- I use dynamic secondary group mappings which require LDAP updates
  - In this case, you need to use the LDAP enforcement plugin for LCMAPS. This cannot be used in conjunction with Argus; use SCAS as the default alternative.
- My cluster is set up to do local mappings to match users to job slots
  - This is a special case, which can be handled by setting up LCMAPS without a central authorization service (i.e. node-local).
- I'm using 3rd party plugins for LCMAPS
  - We can't say in general if a plugin will or will not work with either Argus or SCAS in this case. You should try Argus first, SCAS next, and node-local setups finally.
- I've tried Argus and it didn't work; now what?
  - Open a support ticket in GGUS[2] for Argus and get it fixed. In the meantime, try to use SCAS as an alternative.
- I don't want/need central policy management, mapping or banning
  - You should set up LCMAPS independently per resource, possibly with a shared NFS gridmapdir to keep consistency between mappings.
