Difference between revisions of "GLExec WN EMI 2 release notes"

From PDP/Grid Wiki
Jump to navigationJump to search
 
(18 intermediate revisions by the same user not shown)
Line 43: Line 43:
  
 
New functionality
 
New functionality
* epilogue functionality:
+
<UL>
** When a absolute path to a root-trusted file is specified as epilogue in the config file, it will be run after the payload has finished.
+
<LI> epilogue functionality:<BR>
** It can optionally run as a different user and/or group which then are also trusted concerning the binary writability.
+
<UL>
** It runs for a maximum time of epilogue_timeout (default 300 seconds) after which it is send a SIGTERM.
+
<LI> When a absolute path to a root-trusted file is specified as epilogue in the config file, it will be run after the payload has finished.
** It will have /dev/null as stdin, stdout and stderr. It is for the epilogue itself to take care of its logging.
+
<LI> It can optionally run as a different user and/or group which then are also trusted concerning the binary writability.
** The epilogue process will run with the target environment.
+
<LI> It runs for a maximum time of epilogue_timeout (default 300 seconds) after which it is send a SIGTERM.
** In addition it will have a number of special other variables named GLEXEC_EPILOG_* which contain information about the payload process, calling account and target account is put in the environment for the epilogue process: {| class="wikitable"
+
<LI> It will have /dev/null as stdin, stdout and stderr. It is for the epilogue itself to take care of its logging.
 +
<LI> The epilogue process will run with the target environment.
 +
<LI> In addition it will have a number of special other variables named GLEXEC_EPILOG_* which contain information about the payload process, calling account and target account is put in the environment for the epilogue process:
 +
{| class="wikitable"
 
|GLEXEC_EPILOG_GLEXEC_CWD  || startup directory of gLExec
 
|GLEXEC_EPILOG_GLEXEC_CWD  || startup directory of gLExec
 
|-
 
|-
Line 88: Line 91:
 
|GLEXEC_EPILOG_TARGET_RC    || payload exit code
 
|GLEXEC_EPILOG_TARGET_RC    || payload exit code
 
|}
 
|}
** When using process groups (default, use_setpgid=yes) both payload and epilogue will run in a separate process group equal to their PID.
+
<LI> When using process groups (default, use_setpgid=yes) both payload and epilogue will run in a separate process group equal to their PID.
** A non-zero exit status of the epilogue will always result in a gLExec exit code of 202.
+
<LI> A non-zero exit status of the epilogue will always result in a gLExec exit code of 202.
** new options related to epilogue, see man glexec.conf(5)
+
<LI> new options related to epilogue, see man glexec.conf(5)
 
{| class="wikitable"
 
{| class="wikitable"
 
|epilogue   || (empty: no epilogue)
 
|epilogue   || (empty: no epilogue)
Line 101: Line 104:
 
|}
 
|}
 
in addition, also the sighandling options influence the epilogue.
 
in addition, also the sighandling options influence the epilogue.
 
+
</UL>
* implementing signal handling:
+
<LI> implementing signal handling:
** most signals, are forwarded to payload or epilogue (when present).
+
<UL>
** SIGINT, TERM etc. will gracefully terminate the payload/epilogue by first sending a SIGTERM to the child process (group) and allowing a gracetime of term_delay before sending a SIGKILL. After the SIGKILL a second gracetime of kill_delay allows logging of the exit status. Note that since the lingering gLExec runs as root after the payload finishes, only root can forward signals to the epilogue.
+
<LI> most signals, are forwarded to payload or epilogue (when present).
** handlers for SIGBUS, SIGFPE, SIGILL and SIGSEGV (and optionally SIGSTKFLT which normally should be unused) which only act when the signal comes from the kernel. They send a SIGTERM to the payload or epilogue process (group) and quit. No gracetime is wanted here. Similar behaviour happens for SIGABRT and SIGSYS except that these are typically not coming from the kernel and hence provide different information.
+
<LI> SIGINT, TERM etc. will gracefully terminate the payload/epilogue by first sending a SIGTERM to the child process (group) and allowing a gracetime of term_delay before sending a SIGKILL. After the SIGKILL a second gracetime of kill_delay allows logging of the exit status. Note that since the lingering gLExec runs as root after the payload finishes, only root can forward signals to the epilogue.
** SIGPIPE is logged and ignored, SIGTTOU and SIGTTIN are directly ignored in order to allow jobcontrol.
+
<LI> handlers for SIGBUS, SIGFPE, SIGILL and SIGSEGV (and optionally SIGSTKFLT which normally should be unused) which only act when the signal comes from the kernel. They send a SIGTERM to the payload or epilogue process (group) and quit. No gracetime is wanted here. Similar behaviour happens for SIGABRT and SIGSYS except that these are typically not coming from the kernel and hence provide different information.
** gLExec is doing job-control on the payload: normally the payload will run in the foreground: When the payload suspends, gLExec will take back the tty. When the job resumes, the tty is returned to it. The payload can be forced to run in the background by either the -b cmdline option or the force_payload_background config option. SIGINT and SIGTSTP (typically ctrl-c and ctrl-z) give feedback on stderr.
+
<LI> SIGPIPE is logged and ignored, SIGTTOU and SIGTTIN are directly ignored in order to allow jobcontrol.
** gLExec normally will also forward the 'debug' signals SIGTRAP, SIGEMT, SIGVTALRM and SIGPROF, and additionally the realtime signals SIGRTMIN till SIGRTMAX, unless the extra_sighandlers option is set to no. Note that many modern debuggers including gdb work around the problem and seem to work fine even when installing sighandlers for SIGTRAP etc. Some of the realtime signals are used by valgrind, which prevents it from installing handler.
+
<LI> gLExec is doing job-control on the payload: normally the payload will run in the foreground: When the payload suspends, gLExec will take back the tty. When the job resumes, the tty is returned to it. The payload can be forced to run in the background by either the -b cmdline option or the force_payload_background config option. SIGINT and SIGTSTP (typically ctrl-c and ctrl-z) give feedback on stderr.
** new options related to sighandling, see man glexec.conf(5)
+
<LI> gLExec normally will also forward the 'debug' signals SIGTRAP, SIGEMT, SIGVTALRM and SIGPROF, and additionally the realtime signals SIGRTMIN till SIGRTMAX, unless the extra_sighandlers option is set to no. Note that many modern debuggers including gdb work around the problem and seem to work fine even when installing sighandlers for SIGTRAP etc. Some of the realtime signals are used by valgrind, which prevents it from installing handler.
force_payload_background   (default off)
+
<LI> new options related to sighandling, see man glexec.conf(5)
term_delay     (default 5 seconds)
+
{|class="wikitable"
kill_delay     (default 1 second)
+
|force_payload_background ||(default off)
use_setpgid     (default yes)
+
|-
extra_sighandlers     (default yes)
+
|term_delay   ||(default 5 seconds)
 
+
|-
* use of separate process group for the payload: this allows gLExec to signal the entire process group (e.g. SIGTERM). Signals will only be '''forwarded''' to the child itself. The feature can be disabled using the use_setpgid option.
+
|kill_delay   ||(default 1 second)
 
+
|-
* Closing of all open file descriptors in lingering gLExec process. This can be prevented by setting close_fds to 'no' in the config file.
+
|use_setpgid   ||(default yes)
 
+
|-
* Calling user can disable writing/setting of payload proxy by setting
+
|extra_sighandlers   ||(default yes)
 +
|}
 +
</UL>
 +
<LI> use of separate process group for the payload: this allows gLExec to signal the entire process group (e.g. SIGTERM). Signals will only be '''forwarded''' to the child itself. The feature can be disabled using the use_setpgid option.
 +
<LI> Closing of all open file descriptors in lingering gLExec process. This can be prevented by setting close_fds to 'no' in the config file.
 +
<LI> Calling user can disable writing/setting of payload proxy by setting
 
   GLEXEC_TARGET_PROXY to /dev/null (the sysadmin could already do this via the
 
   GLEXEC_TARGET_PROXY to /dev/null (the sysadmin could already do this via the
 
   create_target_proxy option)
 
   create_target_proxy option)
 +
</UL>
  
 
Several defaults are changed, the old behaviour is still configurable:
 
Several defaults are changed, the old behaviour is still configurable:
Line 156: Line 165:
  
 
Bugfix:
 
Bugfix:
- lcas_findfile() was fixed for plugins, but also used for db file in
+
* lcas_findfile() was fixed for plugins, but also used for db file in lcas-plugins-basic. Functionality is now split
  lcas-plugins-basic. Functionality is now split
 
  
 
=== Version 1.3.16 ===
 
=== Version 1.3.16 ===
  
 
Bugfix:
 
Bugfix:
- Fix gsi handling code to prevent clash with globus symbols.
+
* Fix gsi handling code to prevent clash with globus symbols.
  
 
=== Version 1.3.15 ===
 
=== Version 1.3.15 ===
  
 
Run time feature:
 
Run time feature:
- New plugin search code, similar to the LCMAPS approach.
+
<UL><LI> New plugin search code, similar to the LCMAPS approach.
    1. Try to set get the environment variable LCAS_MODULES_DIR.
+
# Try to set get the environment variable LCAS_MODULES_DIR.
    2. On success: check if the provided plugin filename has an absolute path
+
# On success: check if the provided plugin filename has an absolute path already, if not, prepend the $LCAS_MODULES_DIR value to the plugin and check if the file exists. If no file exists continue with 3.  On failure: goto 3.
        already, if not, prepend the $LCAS_MODULES_DIR value to the plugin and
+
# Check if the provided plugin filename has an absolute path already, if not, prepend the LCAS_MOD_HOME #define value to the plugin path and check if the file exists. Use the LCAS_MOD_HOME #define. The defined value originates from the configure script and could be set there to the default or the --with-lcas-moduledir=DIR option. If this keeps failing, exit and trigger an LCAS initialization error.
        check if the file exists. if no file exists continue with 3.  On
+
A new log line is printed in the log file to indicate what the LCAS plugin search paths are.
        failure: goto 3.
+
</UL>
    3. Check if the provided plugin filename has an absolute path already,
 
        if not, prepend the LCAS_MOD_HOME #define value to the plugin path and
 
        check if the file exists. Use the LCAS_MOD_HOME #define. The
 
        defined value originates from the configure script and could be set
 
        there to the default or the --with-lcas-moduledir=DIR option. if
 
        this keeps failing, exit and trigger an LCAS initialization error.
 
   
 
    A new log line is printed in the log file to indicate what the LCAS plugin
 
    search paths are.
 
  
 
Build time feature:
 
Build time feature:
- New configure option: --with-lcas-moduledir=DIR
+
* New configure option: --with-lcas-moduledir=DIR <br>Sets the default search directory for LCAS modules to this value. Without the setting the default is relative to the (build) systems $libdir value: /usr/local/lib/lcas
  Sets the default search directory for LCAS modules to this value.
 
  Without the setting the default is relative to the (build) systems $libdir
 
  value: /usr/local/lib/lcas
 
  
 
=== Version 1.3.13 ===
 
=== Version 1.3.13 ===
  
 
This version of LCAS and the related LCAS plugins introduces the following new features:
 
This version of LCAS and the related LCAS plugins introduces the following new features:
- fix a few minor segfault situations.
+
* fix a few minor segfault situations.
- Log file output is cleaned up a bit
+
* Log file output is cleaned up a bit
  
- The LCAS framework and LCAS-Interface components are now integrated in each other
+
* The LCAS framework and LCAS-Interface components are now integrated in each other
- adjusted to be able to use EPEL, EMI and gLite packages
+
* adjusted to be able to use EPEL, EMI and gLite packages
 
AS_MOD_HOME
 
AS_MOD_HOME
 
  
 
== LCAS-PLUGINS-CHECK-EXECUTABLE ==
 
== LCAS-PLUGINS-CHECK-EXECUTABLE ==
Line 205: Line 200:
  
 
Bugfixes:
 
Bugfixes:
- splitList() function used sprintf in unsafe way, rewriting function.
+
* splitList() function used sprintf in unsafe way, rewriting function.
 
 
  
 
== LCMAPS ==
 
== LCMAPS ==
Line 213: Line 207:
  
 
Bug fixes:
 
Bug fixes:
Unbalanced quotes triggered an 'out of memory' error instead of an
+
* Unbalanced quotes triggered an 'out of memory' error instead of an 'unbalanced quotes'.
    'unbalanced quotes'.
 
  
 
=== Version 1.5.3 ===
 
=== Version 1.5.3 ===
  
Replace unprintable characters in logging strings with a '?'
+
* Replace unprintable characters in logging strings with a '?'
  
 
Bug fixes:
 
Bug fixes:
Fix a SEGV or ABRT in some interfaces due to incorrect storing of DN, which
+
* Fix a SEGV or ABRT in some interfaces due to incorrect storing of DN, which leads to freeing stack memory. Triggered in the lcmaps-without-gsi interface.
    leads to freeing stack memory. Triggered in the lcmaps-without-gsi
+
* Fix numerous unsafe constructions in logging, also fixes a SEGV
    interface.
 
Fix numerous unsafe constructions in logging, also fixes a SEGV
 
  
 
=== Version 1.5.2 ===
 
=== Version 1.5.2 ===
Line 233: Line 224:
 
=== Version 1.5.1 ===
 
=== Version 1.5.1 ===
  
Log messages that are sent to Syslog with the priority equal to LOG_EMERG,
+
* Log messages that are sent to Syslog with the priority equal to LOG_EMERG, LOG_ALERT or LOG_CRIT will be downplayed as LOG_ERR. Old LCMAPS plug-ins used a numerical range of 0-5 and this basically means that they are able to cast an error message of type LOG_EMERG, while universally the LOG_ERR is meant of even less significant then a LOG_ERR. A warning will be written at LOG_WARNING to upgrade your plug-ins.
    LOG_ALERT or LOG_CRIT will be downplayed as LOG_ERR. Old LCMAPS plug-ins
 
    used a numerical range of 0-5 and this basically means that they are able
 
    to cast an error message of type LOG_EMERG, while universally the LOG_ERR
 
    is meant of even less significant then a LOG_ERR.
 
    A warning will be written at LOG_WARNING to upgrade your plug-ins.
 
 
 
  
 
=== Version 1.5.0 ===
 
=== Version 1.5.0 ===
  
Changing all log messages to match the logging method used in Syslog
+
* Changing all log messages to match the logging method used in Syslog and especially the log priority/levels.
    and especially the log priority/levels.
+
* Fixed a problem when the "poolindex" was requested. It triggered a segmentation fault in two of the LCMAPS interface:
Fixed a problem when the "poolindex" was requested. It triggered a
+
** lcmaps_run_and_return_poolindex
    segmentation fault in two of the LCMAPS interface:
+
** lcmaps_run_with_pem_and_return_account
    -- lcmaps_run_and_return_poolindex
+
* Harmonized logging via the lcmaps_log(), lcmaps_log_debug(), lcmaps_log_time(), lcmaps_log_a_string() and lcmaps_log_a_string_debug() functions for both log file writing and syslog writing.
    -- lcmaps_run_with_pem_and_return_account
+
* Changed #define name DEBUG_LEVEL to CONF_LCMAPS_DEBUG_LEVEL
Harmonized logging via the lcmaps_log(), lcmaps_log_debug(),
+
* Changed the default value for CONF_LCMAPS_DEBUG_LEVEL from 0 (LOG_ERR) to 4 (LOG_INFO).
    lcmaps_log_time(), lcmaps_log_a_string() and
+
* Harmonized the log line writing cut-off feature of log message between Syslog logging and logging to a file. This is based on the build in default and the LCMAPS_DEBUG_LEVEL environment variable value.  Message that are cut-off are not even offered to Syslog anymore which speeds up the LCMAPS execution when the Syslog demon is hammered with info.
    lcmaps_log_a_string_debug() functions for both log file writing and
+
* The log line output is changed to show the environment value of LCMAPS_LOG_IDENT in each line. The LCMAPS_LOG_IDENT value is meant to be set by programs like gLExec to indicate that they are running LCMAPS. This is default in Syslog, but missing in logging to file.
    syslog writing.
+
* Log lines that log to file are prepended by the Syslog priority name. <br>This allows easy filtering when needed.
Changed #define name DEBUG_LEVEL to CONF_LCMAPS_DEBUG_LEVEL
+
* Harmonized the credential handling for all the external LCMAPS interfaces.<br>The small functional differences between the different credential input differences are now gone. Interfaces used by gLExec (PEM based), GT4/5 GSI-Authz based, X.509 based and even string input handling are now equalized. This reenabled the verify-proxy plug-in to work from a GT4/GT5 service and enabled the Xrootd interface to work with more easier interfaces, and the PEM string interface from gLExec will now regain its full potential for VOMS handling.
Changed the default value for CONF_LCMAPS_DEBUG_LEVEL from 0 (LOG_ERR)
+
    Example: {input credential} -> {stored to use by plugins}<br>
    to 4 (LOG_INFO).
+
    Globus gss_cred_id_t object in -> X.509 stuff(*) + VOMS structs + DN
Harmonized the log line writing cut-off feature of log message between
+
    PEM string -> X.509 stuff + VOMS structs(**) + DN
    Syslog logging and logging to a file. This is based on the build in
+
    X.509 -> VOMS struct(**) + DN
    default and the LCMAPS_DEBUG_LEVEL environment variable value.  Message
+
    Other string based input -> string based input stored<br>
    that are cut-off are not even offered to Syslog anymore which speeds up
+
    (*) is new.
    the LCMAPS execution when the Syslog demon is hammered with info.
+
    (**) differed in a detailed usage pattern.
The log line output is changed to show the environment value of
+
* When the VOMS verification was disabled, either at run-time or after the build-in default is changed, i.e. --enabled-osg, the VOMS Generic Attributes were not successfully extracted. This is now fixed and plug-ins can use them also when the VOMS AC verification is disabled.
    LCMAPS_LOG_IDENT in each line. The LCMAPS_LOG_IDENT value is meant to
 
    be set by programs like gLExec to indicate that they are running
 
    LCMAPS. This is default in Syslog, but missing in logging to file.
 
Log lines that log to file are prepended by the Syslog priority name.
 
    This allows easy filtering when needed.
 
Harmonized the credential handling for all the external LCMAPS interfaces.
 
    The small functional differences between the different credential input
 
    differences are now gone. Interfaces used by gLExec (PEM based), GT4/5
 
    GSI-Authz based, X.509 based and even string input handling are now  
 
    equalized. This reenabled the verify-proxy plug-in to work from a GT4/GT5  
 
    service and enabled the Xrootd interface to work with more easier  
 
    interfaces, and the PEM string interface from gLExec will now regain its  
 
    full potential for VOMS handling.
 
        Example: {input credential} -> {stored to use by plugins}
 
 
 
        Globus gss_cred_id_t object in -> X.509 stuff(*) + VOMS structs + DN
 
        PEM string -> X.509 stuff + VOMS structs(**) + DN
 
        X.509 -> VOMS struct(**) + DN
 
        Other string based input -> string based input stored
 
 
 
        (*) is new.
 
        (**) differed in a detailed usage pattern.
 
When the VOMS verification was disabled, either at run-time or after the
 
    build-in default is changed, i.e. --enabled-osg, the VOMS Generic
 
    Attributes were not successfully extracted. This is now fixed and plug-ins
 
    can use them also when the VOMS AC verification is disabled.
 
  
 
=== Version 1.4.34 ===
 
=== Version 1.4.34 ===
  
 
Changes in the logging facility:
 
Changes in the logging facility:
- All syslog() messages are lowered to LOG_CRIT or lower (and can't go below LOG_DEBUG)
+
* All syslog() messages are lowered to LOG_CRIT or lower (and can't go below LOG_DEBUG)
- Various log functions were logging on a high priority, including the debug messages. This is to be lowered simulating the syslog() messages when writing to file.
+
* Various log functions were logging on a high priority, including the debug messages. This is to be lowered simulating the syslog() messages when writing to file.
- Not being able to write to a file descriptor results now in a syslog() message on LOG_CRIT. This was on stderr.
+
* Not being able to write to a file descriptor results now in a syslog() message on LOG_CRIT. This was on stderr.
  
 
=== Version 1.4.31 ===
 
=== Version 1.4.31 ===
Line 307: Line 266:
  
 
LCMAPS framework:
 
LCMAPS framework:
- fixed a memory cleanup problem when using VOMS Generic Attributes.
+
* fixed a memory cleanup problem when using VOMS Generic Attributes.
- adds a SIGPIPE handler to print the caught signal, especially interesting when the VOMS api, SCAS-Client plugin or another plugin could trigger a SIGPIPE without handling it locally. The SIGPIPE handler will be set at the beginning of each run, and removed after each run, i.e. not in the initialization or terminate sequences.
+
* adds a SIGPIPE handler to print the caught signal, especially interesting when the VOMS api, SCAS-Client plugin or another plugin could trigger a SIGPIPE without handling it locally. The SIGPIPE handler will be set at the beginning of each run, and removed after each run, i.e. not in the initialization or terminate sequences.
- Fixed signed and unsigned conflicts in parsing routines when fullfilling rules and policys and recursion issues. This problem was hard to exploit, but a bug nontheless (unless somebody went beyond 2^31 plugins and policies)
+
* Fixed signed and unsigned conflicts in parsing routines when fullfilling rules and policys and recursion issues. This problem was hard to exploit, but a bug nontheless (unless somebody went beyond 2^31 plugins and policies)
- Fixed the poolindex interface to LCMAPS. A symbol would not have been resolved during run-time as it has been depricated last year. Only used by the Globus DAS/Workspace Service interfacing (to the best of our knowledge).
+
* Fixed the poolindex interface to LCMAPS. A symbol would not have been resolved during run-time as it has been depricated last year. Only used by the Globus DAS/Workspace Service interfacing (to the best of our knowledge).
- Fixed a problem in the logging facility during the initialization phase. The value was always overridden by the next call. I've removed the previous overridden call, which might call for bug Savannah bug #61772.
+
* Fixed a problem in the logging facility during the initialization phase. The value was always overridden by the next call. I've removed the previous overridden call, which might call for bug Savannah bug #61772.
- Found a more generic location for the printCredData function to log the credential data that has lead to a particular mapping decision mapping.
+
* Found a more generic location for the printCredData function to log the credential data that has lead to a particular mapping decision mapping.
  
- (almost) all public functions are now prefixed with with "lcmaps_" to avoid symbol clashes
+
* (almost) all public functions are now prefixed with with "lcmaps_" to avoid symbol clashes
- Update for single lcmaps-interface for both lcmaps types.
+
* Update for single lcmaps-interface for both lcmaps types.
- use enable_gsi_mode directly instead of lcmaps_gsi_mode
+
* use enable_gsi_mode directly instead of lcmaps_gsi_mode
- Default paths in LCMAPS are set at build time. All hardcoded paths into /opt/glite or (in some places) /opt/edg are removed.
+
* Default paths in LCMAPS are set at build time. All hardcoded paths into /opt/glite or (in some places) /opt/edg are removed.
- /etc/lcmaps/lcmaps.db will be the new default path to a lcmaps.db file. Use ${LCMAPS_DB_FILE} to override or the ./configure options.  
+
* /etc/lcmaps/lcmaps.db will be the new default path to a lcmaps.db file. Use ${LCMAPS_DB_FILE} to override or the ./configure options.  
- Building lcmaps-without-gsi doesn't require Globus libraries during the build and linking of this LCMAPS flavor.
+
* Building lcmaps-without-gsi doesn't require Globus libraries during the build and linking of this LCMAPS flavor.
- LCMAPS ./configure new option --with-voms-prefix instead of --with-glite-location, no glite.m4 necessary, it's done using --libdir and system defaults
+
* LCMAPS ./configure new option --with-voms-prefix instead of --with-glite-location, no glite.m4 necessary, it's done using --libdir and system defaults
  
- API extentions:
+
* API extentions:
Function:    int lcmaps_get_major_version (void);
+
{| class="wikitable"
Function:    int lcmaps_get_minor_version (void);
+
!Function !! Description
Function:    int lcmaps_get_patch_version (void);
+
|-
Function:    lcmaps_disable_voms_attributes_verification
+
|int lcmaps_get_major_version (void);
    Description: Disables the verification in the VOMS API
+
|-
Function:    lcmaps_enable_voms_attributes_verification
+
|int lcmaps_get_minor_version (void);
    Description: Enables the verification in the VOMS API (default)
+
|-
Function:    lcmaps_is_set_to_verify_voms_attributes
+
|int lcmaps_get_patch_version (void);
    Description: Will return the current setting to enable or disable the
+
|-
                verification of the VOMS credentials by the VOMS API
+
|lcmaps_disable_voms_attributes_verification
Function:    lcmaps_run_with_stack_of_x509_and_return_account
+
|Disables the verification in the VOMS API
    Description: LCMAPS runs receiving a certificate chain, containing at least
+
|-
                  an End-Entity Certificate. A list of policies may be provided.  
+
|lcmaps_enable_voms_attributes_verification
                  The allocated uid, gids and the poolindex will be returned to  
+
|Enables the verification in the VOMS API (default)
                  the calling application.
+
|-
 +
|lcmaps_is_set_to_verify_voms_attributes
 +
|Will return the current setting to enable or disable the verification of the VOMS credentials by the VOMS API
 +
|- valign="top"
 +
| lcmaps_run_with_stack_of_x509_and_return_account
 +
|LCMAPS runs receiving a certificate chain, containing at least an End-Entity Certificate.<br>A list of policies may be provided.<br> The allocated uid, gids and the poolindex will be returned to the calling application.
 +
|}
  
 
== LCMAPS-PLUGINS-AFS ==
 
== LCMAPS-PLUGINS-AFS ==
  
 
=== Version 1.4.1 ===
 
=== Version 1.4.1 ===
- There is now a man page for the plug-in (copied from Debian packaging).
+
* There is now a man page for the plug-in (copied from Debian packaging).
  
 
=== Version 1.4.0 ===
 
=== Version 1.4.0 ===
- Changing the log messages to match the logging method used in LCMAPS version
+
* Changing the log messages to match the logging method used in LCMAPS version 1.5.0, which will be using the Syslog native log priority/levels.
  1.5.0, which will be using the Syslog native log priority/levels.
 
  
 
== LCMAPS-PLUGINS-BASIC ==
 
== LCMAPS-PLUGINS-BASIC ==
  
 
=== Version 1.5.0 ===
 
=== Version 1.5.0 ===
    -  Changing the log messages to match the logging method used in LCMAPS version
+
* Changing the log messages to match the logging method used in LCMAPS version 1.5.0, which will be using the Syslog native log priority/levels.
        1.5.0, which will be using the Syslog native log priority/levels.
 
  
    -  Fixed an error message that mentioned a gridmapdir was not available, while
+
* Fixed an error message that mentioned a gridmapdir was not available, while the grid-mapfile couldn't be found
        the grid-mapfile couldn't be found
 
  
 
== LCMAPS-PLUGINS-C-PEP ==
 
== LCMAPS-PLUGINS-C-PEP ==
Line 361: Line 323:
 
=== Version 1.2.2 ===
 
=== Version 1.2.2 ===
  
New configuration option:
+
<UL><LI> New configuration option:
        --use-pilot-proxy-as-cafile
+
<pre>--use-pilot-proxy-as-cafile</pre>
    With this new option the pilot proxy file in X509_USER_PROXY will also be
+
With this new option the pilot proxy file in X509_USER_PROXY will also be used as if specified with the --cafile option. This is necessary for implementations using NSS for the SSL.
    used as if specified with the --cafile option. This is necessary for
+
<LI> New configure option --with-ssl-cipher-list=<cipherlist> to set the cipher list to be used for the SSL session. When unset no #define is passed.
    implementations using NSS for the SSL.
+
<LI> New configuration option:
New configure option --with-ssl-cipher-list=<cipherlist> to set the cipher
+
<pre>--ssl-cipher-list <cipherlist></pre>
    list to be used for the SSL session. When unset no #define is passed.
+
With this new option a sysadmin can specify the cipher list to be used for the SSL session.  This feature is required to be used on systems that are forced to use a libcurl build against libnss, i.e. Red Hat Enterprise Linux 6 (and derivatives) and Fedora 12 and up. The same holds true on installations have choosen the libcurl dynmically linked to libnss. A build-in default is used when this option it not set. The default setting is known to be compatible with OpenSSL 0.9.7 though 1.0.x. and GnuTLS. When unset, no explicit cipher list is passed to libargus-pep-c (which is
New configuration option:
+
pushed to the SSL library used by libcurl)
        --ssl-cipher-list <cipherlist>
+
</UL>
    With this new option a sysadmin can specify the cipher list to be used for
 
    the SSL session.  This feature is required to be used on systems that are
 
    forced to use a libcurl build against libnss, i.e. Red Hat Enterprise Linux
 
    6 (and derivatives) and Fedora 12 and up. The same holds true on
 
    installations have choosen the libcurl dynmically linked to libnss. A
 
    build-in default is used when this option it not set. The default setting
 
    is known to be compatible with OpenSSL 0.9.7 though 1.0.x. and GnuTLS.
 
    When unset, no explicit cipher list is passed to libargus-pep-c (which is
 
    pushed to the SSL library used by libcurl)
 
  
 
=== Version 1.2.1 ===
 
=== Version 1.2.1 ===
  
It is now supported to run this plug-in from an SSL- or GSS-based interface
+
* It is now supported to run this plug-in from an SSL- or GSS-based interface through LCMAPS. This included Xrootd, Globus gatekeepers, gridftpd and gsi-opensshd
    through LCMAPS. This included Xrootd, Globus gatekeepers, gridftpd and
 
    gsi-opensshd
 
  
 
=== Version 1.2.0 ===
 
=== Version 1.2.0 ===
  
Changing the log messages to match the logging method used in LCMAPS version
+
* Changing the log messages to match the logging method used in LCMAPS version 1.5.0, which will be using the Syslog native log priority/levels.
    1.5.0, which will be using the Syslog native log priority/levels.
 
  
 
=== Version 1.1.6 ===
 
=== Version 1.1.6 ===
  
- Fixed and verified: GGUS ticket: 72752. The correct error message is no
+
* Fixed and verified: GGUS ticket: 72752. The correct error message is no displayed in the log file: "Error: assert failed: setoptions for implicit ssl needs X509_USER_PROXY set"
  displayed in the log file: "Error: assert failed: setoptions for implicit ssl
 
  needs X509_USER_PROXY set"
 
  
 
Build methods and install details:
 
Build methods and install details:
- Rename lcmaps_config.h into lcmaps_c_pep_config.h and update
+
* Rename lcmaps_config.h into lcmaps_c_pep_config.h and update AC_LCMAPS_INTERFACE to new-style. Still compatible with older LCMAPS apis.
  AC_LCMAPS_INTERFACE to new-style. Still compatible with older LCMAPS apis.
+
* The new default install location for the module is $libdir/lcmaps, this was $libdir/modules.
- The new default install location for the module is $libdir/lcmaps, this was
 
  $libdir/modules.
 
  
 
To be tested to function properly:
 
To be tested to function properly:
- Argus support for GSS/GSI and STACK_OF(X509)/X509 * LCMAPS interface users,
+
* Argus support for GSS/GSI and STACK_OF(X509)/X509 * LCMAPS interface users, like gatekeepers, gridftpd and gsi-opensshd on request by IGE. GGUS: 75568
  like gatekeepers, gridftpd and gsi-opensshd on request by IGE. GGUS: 75568
 
 
 
  
 
== LCMAPS-PLUGINS-TRACKING-GROUPID ==
 
== LCMAPS-PLUGINS-TRACKING-GROUPID ==
  
 
=== Version 0.1.0 ===
 
=== Version 0.1.0 ===
Changing the log messages to match the logging method used in LCMAPS version
+
* Changing the log messages to match the logging method used in LCMAPS version 1.5.0, which will be using the Syslog native log priority/levels.
    1.5.0, which will be using the Syslog native log priority/levels.
 
  
Fixed the initialization checks for the MINGID and MAXGID values to be a
+
* Fixed the initialization checks for the MINGID and MAXGID values to be a proper number. This was done by adding extra checks around strtol().
    proper number. This was done by adding extra checks around strtol().
 
  
 
Plugin lcmaps-plugins-tracking-groupid (NEW) - GGUS ticket #69159:
 
Plugin lcmaps-plugins-tracking-groupid (NEW) - GGUS ticket #69159:
 +
 
The goal of this new LCMAPS plugin is to preserve Batch System (like SGE and Condor) issued Tracking Group IDs and preserve them between the Pilot Job and Payload context in a Multi User Pilot Job environment. Especially useful for batch system that use the Tracking Group ID feature in Condor and Sun Grid Engine / Oracle Grid Engine batch systems.
 
The goal of this new LCMAPS plugin is to preserve Batch System (like SGE and Condor) issued Tracking Group IDs and preserve them between the Pilot Job and Payload context in a Multi User Pilot Job environment. Especially useful for batch system that use the Tracking Group ID feature in Condor and Sun Grid Engine / Oracle Grid Engine batch systems.
  
tracking_groupid = "lcmaps_tracking_groupid.mod"
+
tracking_groupid = "lcmaps_tracking_groupid.mod"
                  "--tracking-groupid-min MINGID"
+
                    "--tracking-groupid-min MINGID"
                  "--tracking-groupid-max MAXGID"
+
                    "--tracking-groupid-max MAXGID"
  
 
== LCMAPS-PLUGINS-VERIFY-PROXY ==
 
== LCMAPS-PLUGINS-VERIFY-PROXY ==
Line 428: Line 371:
 
=== Version 1.5.2 ===
 
=== Version 1.5.2 ===
  
An internally restructured verify-proxy plugin fixing several memory
+
* An internally restructured verify-proxy plugin fixing several memory handling problem. It solved several memory leakages and quite a lot potential segmentation fault situation. <br>There should be no noticable change, besides the lowered memory leakage proper checking.
    handling problem. It solved several memory leakages and quite a lot
 
    potential segmentation fault situation.
 
    There should be no noticable change, besides the lowered memory leakage
 
    proper checking.
 
  
 
=== Version 1.5.1 ===
 
=== Version 1.5.1 ===
Line 440: Line 379:
 
=== Version 1.5.0 ===
 
=== Version 1.5.0 ===
  
Changing the log messages to match the logging method used in LCMAPS
+
* Changing the log messages to match the logging method used in LCMAPS version 1.5.0, which will be using the Syslog native log priority/levels.
    version 1.5.0, which will be using the Syslog native log priority/levels.
+
* The plugin will fail to initialize when the configured -cadir or -certdir directory does not exist. This was a run-time error.
The plugin will fail to initialize when the configured -cadir or -certdir
+
* Fixed the ability to use the plugin for life-time checking from a GT4 or GT5 service. The requirement for a private key MUST be explicitly disabled with either the configuration of "--only-enforce-lifetime-checks" or "--discard_private_key_absence". The internally used environment variable $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE is equivalent to the setting of "--discard_private_key_absence". The environment variable can be    countered/muted by "--never_discard_private_key_absence".
    directory does not exist. This was a run-time error.
+
* New feature to be able to REQUIRE the final certificate in a chain to be a LIMITED proxy. Enable the option "--require-limited-proxy" to enforce this. <br>This version '''''DOES NOT WORK''''' with RFC3820 limited proxy. This will be added in an update.
Fixed the ability to use the plugin for life-time checking from a GT4 or
+
* Man page is now packaged with the source.
    GT5 service. The requirement for a private key MUST be explicitly disabled
 
    with either the configuration of "--only-enforce-lifetime-checks" or
 
    "--discard_private_key_absence". The internally used environment variable
 
    $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE is equivalent to the setting of
 
    "--discard_private_key_absence". The environment variable can be
 
     countered/muted by "--never_discard_private_key_absence".
 
New feature to be able to REQUIRE the final certificate in a chain to be a
 
    LIMITED proxy. Enable the option "--require-limited-proxy" to enforce
 
    this.
 
    This version DOES NOT WORK with RFC3820 limited proxy. This will be added
 
    in an update.
 
Man page is now packaged with the source.
 
  
 
=== Version 1.4.12 ===
 
=== Version 1.4.12 ===
  
The new certificate type detection function makes it possible to detect the
+
* The new certificate type detection function makes it possible to detect the proxy certificate type more cleanly and now properly distinghuishes RFC 3820 and old-style certificates reliable. A wrongly constructed chain is a rare occurance, but is now properly detected and will result in an X509_V_ERR_CERT_REJECTED or "certificate rejected" error code.
proxy certificate type more cleanly and now properly distinghuishes RFC 3820
 
and old-style certificates reliable. A wrongly constructed chain is a rare
 
occurance, but is now properly detected and will result in an
 
X509_V_ERR_CERT_REJECTED or "certificate rejected" error code.
 
  
The certificate rejection is only triggered when the following #define is
+
* The certificate rejection is only triggered when the following #define is enabled: USE_STRICT_PATH_VALIDATION. Without it, the condition will be treated as a warning only seen on a verbose loglevel.
enabled: USE_STRICT_PATH_VALIDATION. Without it, the condition will be treated
 
as a warning only seen on a verbose loglevel.
 
  
Also, the grid_verifyPathLenConstraints() function is now called when the
+
* Also, the grid_verifyPathLenConstraints() function is now called when the X509_verify() reaches the final certificate in the chain in its verification cycle. This will dysect the certificate chain properly and trigger on the right errors.
X509_verify() reaches the final certificate in the chain in its verification
 
cycle. This will dysect the certificate chain properly and trigger on the right
 
errors.
 
  
A bunch of useless debugging messages are no longer visable in the log file.
+
* A bunch of useless debugging messages are no longer visable in the log file. They can be revived when you upgrade the loglevel for more verbosity.
They can be revived when you upgrade the loglevel for more verbosity.
 
  
 
=== Version 1.4.11 ===
 
=== Version 1.4.11 ===
  
Implemented my own Path Length Constraint check that is capable of checking
+
* Implemented my own Path Length Constraint check that is capable of checking both the Path Length Constraint in CA certificates and RFC proxy certificates.<br>Fixing GGUS ticket 67040 - https://ggus.eu/ws/ticket_info.php?ticket=67040
both the Path Length Constraint in CA certificates and RFC proxy certificates.
 
Fixing GGUS ticket 67040 - https://ggus.eu/ws/ticket_info.php?ticket=67040
 
  
 
=== Version: 1.4.10 ===
 
=== Version: 1.4.10 ===
  
 
Plugin lcmaps-plugins-verify-proxy:
 
Plugin lcmaps-plugins-verify-proxy:
- Fixing path length constraint problem for TERENA eScience Peronsal CA users.
+
* Fixing path length constraint problem for TERENA eScience Peronsal CA users.
  
 
=== Version: 1.4.9 ===
 
=== Version: 1.4.9 ===
  
 
Plugin lcmaps-plugins-verify-proxy:
 
Plugin lcmaps-plugins-verify-proxy:
- Fixed the Proxy Life Time Policy enforcement functionality.
+
<ul><li> Fixed the Proxy Life Time Policy enforcement functionality.
- Fixed the VOMS Life Time Policy enforcement functionality.
+
<li> Fixed the VOMS Life Time Policy enforcement functionality.
- To cope with Subordinate CAs we have to extend the verification depth to be
+
<li> To cope with Subordinate CAs we have to extend the verification depth to be able to hold the certificate chain (could contain a lot of delegations) and all the CA certificate, which might not be added to the certificate chain itself but would still be lingering in the X509 CA directory lookup functions. OpenSSL uses a default depth of 9.
  able to hold the certificate chain (could contain a lot of delegations) and
 
  all the CA certificate, which might not be added to the certificate chain
 
  itself but would still be lingering in the X509 CA directory lookup
 
  functions. OpenSSL uses a default depth of 9.
 
  
Resurrected an option with a different name:
+
<li> Resurrected an option with a different name:
--only-enforce-lifetime-checks
+
<pre>--only-enforce-lifetime-checks</pre>
 
+
When this option is set the verification routines are skipped to enforce the proxy and/or VOMS lifetime policies only. This is interesting for GT4/5 tools like GridFTPd and the Gatekeeper as they already perform full authentication on the SSL layer. In gLExec this plug-in MUST run in full mode.
When this option is set the verification routines are skipped to enforce the
+
</ul>
proxy and/or VOMS lifetime policies only. This is interesting for GT4/5 tools
 
like GridFTPd and the Gatekeeper as they already perform full authentication on
 
the SSL layer. In gLExec this plug-in MUST run in full mode.
 
  
 
== LCMPAPS-PLUGINS-VOMS ==
 
== LCMPAPS-PLUGINS-VOMS ==
Line 512: Line 420:
 
=== Version 1.5.3 ===
 
=== Version 1.5.3 ===
  
Added manpages for the lcmaps_voms, lcmaps_voms_localaccount,
+
* Added manpages for the lcmaps_voms, lcmaps_voms_localaccount, lcmaps_voms_poolaccount, lcmaps_voms_poolgroup and lcmaps_localgroup plug-ins.
    lcmaps_voms_poolaccount, lcmaps_voms_poolgroup and lcmaps_localgroup
+
* Fix an 'invalid read' in valgrind (seems a bug in the gnu implementation of strspn())
    plug-ins.
 
Fix an 'invalid read' in valgrind (seems a bug in the gnu implementation of
 
    strspn())
 
  
 
=== Version 1.5.2 ===
 
=== Version 1.5.2 ===
  
Fixed a bug when the option -do_not_use_secondary_gids is set and no other
+
* Fixed a bug when the option -do_not_use_secondary_gids is set and no other is set. This was discovered during an upgrade on a CREAM CE by Massimo Sgaravatto.. The check was intented to cast an error when mutually exclusive settings where configured. In this case the settings were not mutually exclusive and falsely failed the initialization of the plug-in. The check has been removed.
    is set. This was discovered during an upgrade on a CREAM CE by Massimo
 
    Sgaravatto.. The check was intented to cast an error when mutually
 
    exclusive settings where configured. In this case the settings were not
 
    mutually exclusive and falsely failed the initialization of the plug-in.
 
    The check has been removed.
 
  
 
=== Version 1.5.1 ===
 
=== Version 1.5.1 ===
  
Removed the gss_cred_id_t to X.509 conversion. The LCMAPS framework
+
* Removed the gss_cred_id_t to X.509 conversion. The LCMAPS framework reliably takes care of this and taking the X.509 as a base (exclusive for the lcmaps_voms.mod, not the mapping plug-ins).
    reliably takes care of this and taking the X.509 as a base (exclusive for
 
    the lcmaps_voms.mod, not the mapping plug-ins).
 
  
 
=== Version 1.5.0 ===
 
=== Version 1.5.0 ===
  
Changing the log messages to match the logging method used in LCMAPS
+
<ul>
    version 1.5.0, which will be using the Syslog native log priority/levels.
+
<li>Changing the log messages to match the logging method used in LCMAPS version 1.5.0, which will be using the Syslog native log priority/levels.
Added an initialization check to the voms localaccount plugin. The
+
<li>Added an initialization check to the voms localaccount plugin. The grid-mapfile must be stat()-able, otherwise trigger an initialization failure. Previously a run-time error would have been triggered.
    grid-mapfile must be stat()-able, otherwise trigger an initialization
+
<li>Added initialization checks to the voms poolgroup plugin. The groupmapfile and groupmapdir stat()-able, otherwise trigger an initialization failure.<br> Previously a run-time error would have been triggered.
    failure. Previously a run-time error would have been triggered.
+
 
Added initialization checks to the voms poolgroup plugin. The groupmapfile
+
<li>A new option to the plugins "voms_localgroup" and "voms_poolgroup":
    and groupmapdir stat()-able, otherwise trigger an initialization failure.
+
<pre>--map-to-secondary-groups</pre>
    Previously a run-time error would have been triggered.
+
When set all the VOMS FQAN to Unix Group ID mappings will be stored as secondary Unix group IDs. By default the first mapping will be stored as a primary Unix Group ID
  
-  A new option to the plugins "voms_localgroup" and "voms_poolgroup":
+
<li>New options to the plugins "voms_localaccount" and "voms_poolaccount":
        --map-to-secondary-groups:
+
<pre>--add-primary-gid-from-mapped-account</pre>
            When set all the VOMS FQAN to Unix Group ID mappings will be
+
When set the primary Unix ID will come from the mapped local/pool
            stored as secondary Unix group IDs. By default the first mapping
+
account based on 'passwd' information on the account.
            will be stored as a primary Unix Group ID
+
<pre>--do-not-add-primary-gid-from-mapped-account</pre>
 +
When set the primary Unix ID will NOT come from the account and is
 +
expected to be set by another plug-in prior. The voms_poolaccount
 +
plug-in expects (by default) a primary Unix group id to be
 +
provided. The voms_localaccount could function without the primary
 +
Unix group id set. It is thereby advised to run a plug-in that will
 +
provided this information prior to these two plug-ins.
 +
Note for the voms_localaccount::
 +
This feature is equivalent to setting -use_voms_gid or
 +
--use-voms-gid
 +
<pre>--add-secondary-gids-from-mapped-account</pre>
 +
When set the secondary Unix group IDs of the mapped account are
 +
added as mapped secondary Unix group ID results
 +
<pre>--add-primary-gid-as-secondary-gid-from-mapped-account</pre>
 +
The mapped pool/local account is looked up for its 'passwd'
 +
information and the associated primary Unix group ID is added to
 +
the mapping result as a secondary Unix group ID.<br>
  
-  A new option to the plugins "voms_localaccount" and "voms_poolaccount":
+
The following combination of options is mutually exclusive:
        --add-primary-gid-from-mapped-account
+
--do-not-map-primary-gid and --match-primary-gid-to-mapped-account<br>
            When set the primary Unix ID will come from the mapped local/pool
+
--use-voms-gid and --do-not-map-primary-gid<br>
            account based on 'passwd' information on the account.
+
--use-voms-gid and --match-primary-gid-to-mapped-account<br>
        --do-not-add-primary-gid-from-mapped-account
+
--use-voms-gid and --add-secondary-gids-from-mapped-account<br>
            When set the primary Unix ID will NOT come from the account and is
 
            expected to be set by another plug-in prior. The voms_poolaccount
 
            plug-in expects (by default) a primary Unix group id to be
 
            provided. The voms_localaccount could function without the primary
 
            Unix group id set. It is thereby advised to run a plug-in that will
 
            provided this information prior to these two plug-ins.
 
            Note for the voms_localaccount::
 
                This feature is equivalent to setting -use_voms_gid or
 
                --use-voms-gid
 
        --add-secondary-gids-from-mapped-account:
 
            When set the secondary Unix group IDs of the mapped account are
 
            added as mapped secondary Unix group ID results
 
        --add-primary-gid-as-secondary-gid-from-mapped-account
 
            The mapped pool/local account is looked up for its 'passwd'
 
            information and the associated primary Unix group ID is added to
 
            the mapping result as a secondary Unix group ID.
 
        The following combination of options is mutually exclusive:
 
            --do-not-map-primary-gid and --match-primary-gid-to-mapped-account
 
            --use-voms-gid and --do-not-map-primary-gid
 
            --use-voms-gid and --match-primary-gid-to-mapped-account
 
            --use-voms-gid and --add-secondary-gids-from-mapped-account
 
  
New option to "voms_poolaccount":
+
<li>New option to "voms_poolaccount":
        --require-primary-gid:
+
<pre>--require-primary-gid</pre>
            This was the old default. The voms_poolaccount plugin expects to
+
This was the old default. The voms_poolaccount plugin expects to have access to an already mapped primary Unix group ID from a previously executed plug-in. The primary Unix group ID and the secondary Unix group IDs were used to form the poolindex entry for in the gridmapdir and poolaccount procurement process.
            have access to an already mapped primary Unix group ID from a
+
<pre>--do-not-require-primary-gid</pre>
            previously executed plug-in. The primary Unix group ID and the
+
The new DEFAULT. The voms_poolaccount plugin does not expect a primary Unix group ID to be set by another plug-in. At the time of the poolindex construction and account procurement process from the gridmapdir the primary Unix group ID is *NOT* used when not yet set. If another plugin did set a primary Unix group ID, then this is going to be used too.<br> Applying this setting provides the opportunity to us the "--map-to-secondary-groups" option to the "voms_localaccount" and "voms_poolaccount" and let the primary Unix group ID from the "--add-primary-gid-from-mapped-account" work as advertised.
            secondary Unix group IDs were used to form the poolindex entry for
+
</ul>
            in the gridmapdir and poolaccount procurement process.
 
        --do-not-require-primary-gid:
 
            The new DEFAULT. The voms_poolaccount plugin does not expect a
 
            primary Unix group ID to be set by another plug-in. At the time of
 
            the poolindex construction and account procurement process from the
 
            gridmapdir the primary Unix group ID is *NOT* used when not yet
 
            set. If another plugin did set a primary Unix group ID, then this
 
            is going to be used too.
 
            Applying this setting provides the opportunity to us the
 
            "--map-to-secondary-groups" option to the "voms_localaccount" and
 
            "voms_poolaccount" and let the primary Unix group ID from the
 
            "--add-primary-gid-from-mapped-account" work as advertised.
 
  
 
=== Version 1.4.6 ===
 
=== Version 1.4.6 ===
  
 
Moving the debug message more to the background into the debug stream.
 
Moving the debug message more to the background into the debug stream.

Latest revision as of 13:59, 23 May 2012

gLExec

Version 0.9.6

Bugfixes:

  • umask was not reverted in non-linger mode.

Version 0.9.5

Bugfixes:

  • Fix broken lcmaps-glexec.db produced by glexec-configure.sh script

Improvements:

  • lower loglevel when homedir of payload does not exist from warning to info

Version 0.9.4

Bugfixes:

  • specifying preserve_env_variables in the glexec.conf caused a segfault.

Improvements:

  • Update location of wiki pages in man pages.

Version 0.9.2

Bugfixes:

  • When either stdin, stdout or stderr is closed, a directory or opened in the wrong mode (readonly for out or writeonly for in) then gLExec (re)opens /dev/null instead.

Improvements:

  • Install also manpage for glexec-configure

Version 0.9.1

Bugfixes:

  • Signal handling code is greatly improved to prevent lockups.

Version 0.9.0

This version introduces several new features. The preferred and advised run-mode is linger mode with gLExec doing the userswitch. This is the most secure, simple and versatile run-mode. It means that LCMAPS should NOT run the posix_enf plugin.

New functionality

  • epilogue functionality:
    • When a absolute path to a root-trusted file is specified as epilogue in the config file, it will be run after the payload has finished.
    • It can optionally run as a different user and/or group which then are also trusted concerning the binary writability.
    • It runs for a maximum time of epilogue_timeout (default 300 seconds) after which it is send a SIGTERM.
    • It will have /dev/null as stdin, stdout and stderr. It is for the epilogue itself to take care of its logging.
    • The epilogue process will run with the target environment.
    • In addition it will have a number of special other variables named GLEXEC_EPILOG_* which contain information about the payload process, calling account and target account is put in the environment for the epilogue process:
      GLEXEC_EPILOG_GLEXEC_CWD startup directory of gLExec
      GLEXEC_EPILOG_GLEXEC_USER calling username
      GLEXEC_EPILOG_GLEXEC_GROUP calling primary groupname
      GLEXEC_EPILOG_TARGET_USER target username
      GLEXEC_EPILOG_TARGET_GROUP target primary groupname
      GLEXEC_EPILOG_GLEXEC_PID gLExec process ID
      GLEXEC_EPILOG_GLEXEC_SID gLExec session
      GLEXEC_EPILOG_GLEXEC_PGID gLExec process group
      GLEXEC_EPILOG_GLEXEC_UID calling user's uid
      GLEXEC_EPILOG_GLEXEC_GID calling user's primary gid
      GLEXEC_EPILOG_GLEXEC_SGIDS calling user's secondary gids, colon separated
      GLEXEC_EPILOG_TARGET_UID target user's uid
      GLEXEC_EPILOG_TARGET_GID target user's primary gid
      GLEXEC_EPILOG_TARGET_SGIDS target user's secondary gids, colon separated
      GLEXEC_EPILOG_ARGC argc of payload
      GLEXEC_EPILOG_ARGV<N> argv of payload
      GLEXEC_EPILOG_TARGET_PID payload process ID
      GLEXEC_EPILOG_TARGET_PGID payload process group
      GLEXEC_EPILOG_TARGET_RC payload exit code
    • When using process groups (default, use_setpgid=yes) both payload and epilogue will run in a separate process group equal to their PID.
    • A non-zero exit status of the epilogue will always result in a gLExec exit code of 202.
    • new options related to epilogue, see man glexec.conf(5)
      epilogue (empty: no epilogue)
      epilogue_user (default root)
      epilogue_group (default root)
      epilogue_timeout (default 300 seconds)

      in addition, also the sighandling options influence the epilogue.

  • implementing signal handling:
    • most signals, are forwarded to payload or epilogue (when present).
    • SIGINT, TERM etc. will gracefully terminate the payload/epilogue by first sending a SIGTERM to the child process (group) and allowing a gracetime of term_delay before sending a SIGKILL. After the SIGKILL a second gracetime of kill_delay allows logging of the exit status. Note that since the lingering gLExec runs as root after the payload finishes, only root can forward signals to the epilogue.
    • handlers for SIGBUS, SIGFPE, SIGILL and SIGSEGV (and optionally SIGSTKFLT which normally should be unused) which only act when the signal comes from the kernel. They send a SIGTERM to the payload or epilogue process (group) and quit. No gracetime is wanted here. Similar behaviour happens for SIGABRT and SIGSYS except that these are typically not coming from the kernel and hence provide different information.
    • SIGPIPE is logged and ignored, SIGTTOU and SIGTTIN are directly ignored in order to allow jobcontrol.
    • gLExec is doing job-control on the payload: normally the payload will run in the foreground: When the payload suspends, gLExec will take back the tty. When the job resumes, the tty is returned to it. The payload can be forced to run in the background by either the -b cmdline option or the force_payload_background config option. SIGINT and SIGTSTP (typically ctrl-c and ctrl-z) give feedback on stderr.
    • gLExec normally will also forward the 'debug' signals SIGTRAP, SIGEMT, SIGVTALRM and SIGPROF, and additionally the realtime signals SIGRTMIN till SIGRTMAX, unless the extra_sighandlers option is set to no. Note that many modern debuggers including gdb work around the problem and seem to work fine even when installing sighandlers for SIGTRAP etc. Some of the realtime signals are used by valgrind, which prevents it from installing handler.
    • new options related to sighandling, see man glexec.conf(5)
      force_payload_background (default off)
      term_delay (default 5 seconds)
      kill_delay (default 1 second)
      use_setpgid (default yes)
      extra_sighandlers (default yes)
  • use of separate process group for the payload: this allows gLExec to signal the entire process group (e.g. SIGTERM). Signals will only be forwarded to the child itself. The feature can be disabled using the use_setpgid option.
  • Closing of all open file descriptors in lingering gLExec process. This can be prevented by setting close_fds to 'no' in the config file.
  • Calling user can disable writing/setting of payload proxy by setting GLEXEC_TARGET_PROXY to /dev/null (the sysadmin could already do this via the create_target_proxy option)

Several defaults are changed, the old behaviour is still configurable:

  • When gLExec is doing the userswitch (advised and default setting) gLExec will run as calling user until the payload starts. At that moment, the payload will run as the target user, while the lingering gLExec will keep running as calling user. This allows the pilot user to send signals to the running gLExec. As soon as the payload finishes or a terminating signal is received, the lingering gLExec will become root and group 0.
    When really needed, the lingering gLExec can run as the target user (pre 0.9 behaviour) using the linger_as_payload option. This is not considered a safe setting and is strongly advised against.
  • Logging defaults:
    • all (gLExec, LCAS, LCMAPS) builtin default loglevels are 4
    • a number of log messages are lowered in loglevel while improving the information in others.
    • gLExec now by default uses different syslog levels (diff_syslog_levels=yes).
    • LCMAPS logging in version 1.5 is much reduced and also split over syslog levels. Hence the builtin default of 4 allows reducing logoutput via syslog's own mechanism.
    • at the time of this release LCAS logging is not yet reorganized, hence it is advised to set the lcas_debug_loglevel to 0 (old default).
  • LCAS/LCMAPS modules: when the {lcas,lcmaps}_libdir is set, gLExec now sets the {LCAS,LCMAPS}_MODULES_DIR variables to that libdir followed by /lcas or /lcmaps, in line with the EPEL standards. This suffix can be set in the config file using the lcas_moduledir_sfx and the lcmaps_moduledir_sfx.

Bugfixes:

  • Lookup/use of lcmaps/lcas libdir only when existing absolute dir.
  • When the config file is untrusted, gLExec reverts to builtin defaults, which often lead to a 'not-whitelisted' error to the user. The stderr message now mentions that it might be due to a permission issue of the config file.
  • In addition to disabling voms checking, it can be enabled. This is needed when LCMAPS is build with a default set to no-voms-checking.

Build-time changes:

  • default directories for LCMAPS and LCAS modules are now $libdir/lcmaps and $libdir/lcas. This can be overridden using the --with-lcmaps-moduledir-sfx (and likewise for LCAS) flags.

Installation & Configuration:

Known issues: None

LCAS

Version 1.3.17

Bugfix:

  • lcas_findfile() was fixed for plugins, but also used for db file in lcas-plugins-basic. Functionality is now split

Version 1.3.16

Bugfix:

  • Fix gsi handling code to prevent clash with globus symbols.

Version 1.3.15

Run time feature:

  • New plugin search code, similar to the LCMAPS approach.
    1. Try to set get the environment variable LCAS_MODULES_DIR.
    2. On success: check if the provided plugin filename has an absolute path already, if not, prepend the $LCAS_MODULES_DIR value to the plugin and check if the file exists. If no file exists continue with 3. On failure: goto 3.
    3. Check if the provided plugin filename has an absolute path already, if not, prepend the LCAS_MOD_HOME #define value to the plugin path and check if the file exists. Use the LCAS_MOD_HOME #define. The defined value originates from the configure script and could be set there to the default or the --with-lcas-moduledir=DIR option. If this keeps failing, exit and trigger an LCAS initialization error.
    A new log line is printed in the log file to indicate what the LCAS plugin search paths are.

Build time feature:

  • New configure option: --with-lcas-moduledir=DIR
    Sets the default search directory for LCAS modules to this value. Without the setting the default is relative to the (build) systems $libdir value: /usr/local/lib/lcas

Version 1.3.13

This version of LCAS and the related LCAS plugins introduces the following new features:

  • fix a few minor segfault situations.
  • Log file output is cleaned up a bit
  • The LCAS framework and LCAS-Interface components are now integrated in each other
  • adjusted to be able to use EPEL, EMI and gLite packages

AS_MOD_HOME

LCAS-PLUGINS-CHECK-EXECUTABLE

Version 1.2.4

Bugfixes:

  • splitList() function used sprintf in unsafe way, rewriting function.

LCMAPS

Version 1.5.4

Bug fixes:

  • Unbalanced quotes triggered an 'out of memory' error instead of an 'unbalanced quotes'.

Version 1.5.3

  • Replace unprintable characters in logging strings with a '?'

Bug fixes:

  • Fix a SEGV or ABRT in some interfaces due to incorrect storing of DN, which leads to freeing stack memory. Triggered in the lcmaps-without-gsi interface.
  • Fix numerous unsafe constructions in logging, also fixes a SEGV

Version 1.5.2

Added a compile option in the Makefile.am to scope the externals of the library. This feature is mandatory for Debian.

Version 1.5.1

  • Log messages that are sent to Syslog with the priority equal to LOG_EMERG, LOG_ALERT or LOG_CRIT will be downplayed as LOG_ERR. Old LCMAPS plug-ins used a numerical range of 0-5 and this basically means that they are able to cast an error message of type LOG_EMERG, while universally the LOG_ERR is meant of even less significant then a LOG_ERR. A warning will be written at LOG_WARNING to upgrade your plug-ins.

Version 1.5.0

  • Changing all log messages to match the logging method used in Syslog and especially the log priority/levels.
  • Fixed a problem when the "poolindex" was requested. It triggered a segmentation fault in two of the LCMAPS interface:
    • lcmaps_run_and_return_poolindex
    • lcmaps_run_with_pem_and_return_account
  • Harmonized logging via the lcmaps_log(), lcmaps_log_debug(), lcmaps_log_time(), lcmaps_log_a_string() and lcmaps_log_a_string_debug() functions for both log file writing and syslog writing.
  • Changed #define name DEBUG_LEVEL to CONF_LCMAPS_DEBUG_LEVEL
  • Changed the default value for CONF_LCMAPS_DEBUG_LEVEL from 0 (LOG_ERR) to 4 (LOG_INFO).
  • Harmonized the log line writing cut-off feature of log message between Syslog logging and logging to a file. This is based on the build in default and the LCMAPS_DEBUG_LEVEL environment variable value. Message that are cut-off are not even offered to Syslog anymore which speeds up the LCMAPS execution when the Syslog demon is hammered with info.
  • The log line output is changed to show the environment value of LCMAPS_LOG_IDENT in each line. The LCMAPS_LOG_IDENT value is meant to be set by programs like gLExec to indicate that they are running LCMAPS. This is default in Syslog, but missing in logging to file.
  • Log lines that log to file are prepended by the Syslog priority name.
    This allows easy filtering when needed.
  • Harmonized the credential handling for all the external LCMAPS interfaces.
    The small functional differences between the different credential input differences are now gone. Interfaces used by gLExec (PEM based), GT4/5 GSI-Authz based, X.509 based and even string input handling are now equalized. This reenabled the verify-proxy plug-in to work from a GT4/GT5 service and enabled the Xrootd interface to work with more easier interfaces, and the PEM string interface from gLExec will now regain its full potential for VOMS handling.
   Example: {input credential} -> {stored to use by plugins}
Globus gss_cred_id_t object in -> X.509 stuff(*) + VOMS structs + DN PEM string -> X.509 stuff + VOMS structs(**) + DN X.509 -> VOMS struct(**) + DN Other string based input -> string based input stored
(*) is new. (**) differed in a detailed usage pattern.
  • When the VOMS verification was disabled, either at run-time or after the build-in default is changed, i.e. --enabled-osg, the VOMS Generic Attributes were not successfully extracted. This is now fixed and plug-ins can use them also when the VOMS AC verification is disabled.

Version 1.4.34

Changes in the logging facility:

  • All syslog() messages are lowered to LOG_CRIT or lower (and can't go below LOG_DEBUG)
  • Various log functions were logging on a high priority, including the debug messages. This is to be lowered simulating the syslog() messages when writing to file.
  • Not being able to write to a file descriptor results now in a syslog() message on LOG_CRIT. This was on stderr.

Version 1.4.31

Moved a lot more useless debugging output behind the LCMAPS_DEBUG option. Mostly because people who try to debug LCMAPS are not LCMAPS developers.

Version 1.4.30

Add the LCMAPS_DEBUG #define to be used to build a developer debugging version of LCMAPS. The released version will not expose the amount of pedantic logging output, even in LCMAPS_DEBUG_LEVEL = 5.

Version 1.4.27

LCMAPS framework:

  • fixed a memory cleanup problem when using VOMS Generic Attributes.
  • adds a SIGPIPE handler to print the caught signal, especially interesting when the VOMS api, SCAS-Client plugin or another plugin could trigger a SIGPIPE without handling it locally. The SIGPIPE handler will be set at the beginning of each run, and removed after each run, i.e. not in the initialization or terminate sequences.
  • Fixed signed and unsigned conflicts in parsing routines when fullfilling rules and policys and recursion issues. This problem was hard to exploit, but a bug nontheless (unless somebody went beyond 2^31 plugins and policies)
  • Fixed the poolindex interface to LCMAPS. A symbol would not have been resolved during run-time as it has been depricated last year. Only used by the Globus DAS/Workspace Service interfacing (to the best of our knowledge).
  • Fixed a problem in the logging facility during the initialization phase. The value was always overridden by the next call. I've removed the previous overridden call, which might call for bug Savannah bug #61772.
  • Found a more generic location for the printCredData function to log the credential data that has lead to a particular mapping decision mapping.
  • (almost) all public functions are now prefixed with with "lcmaps_" to avoid symbol clashes
  • Update for single lcmaps-interface for both lcmaps types.
  • use enable_gsi_mode directly instead of lcmaps_gsi_mode
  • Default paths in LCMAPS are set at build time. All hardcoded paths into /opt/glite or (in some places) /opt/edg are removed.
  • /etc/lcmaps/lcmaps.db will be the new default path to a lcmaps.db file. Use ${LCMAPS_DB_FILE} to override or the ./configure options.
  • Building lcmaps-without-gsi doesn't require Globus libraries during the build and linking of this LCMAPS flavor.
  • LCMAPS ./configure new option --with-voms-prefix instead of --with-glite-location, no glite.m4 necessary, it's done using --libdir and system defaults
  • API extentions:
Function Description
int lcmaps_get_major_version (void);
int lcmaps_get_minor_version (void);
int lcmaps_get_patch_version (void);
lcmaps_disable_voms_attributes_verification Disables the verification in the VOMS API
lcmaps_enable_voms_attributes_verification Enables the verification in the VOMS API (default)
lcmaps_is_set_to_verify_voms_attributes Will return the current setting to enable or disable the verification of the VOMS credentials by the VOMS API
lcmaps_run_with_stack_of_x509_and_return_account LCMAPS runs receiving a certificate chain, containing at least an End-Entity Certificate.
A list of policies may be provided.
The allocated uid, gids and the poolindex will be returned to the calling application.

LCMAPS-PLUGINS-AFS

Version 1.4.1

  • There is now a man page for the plug-in (copied from Debian packaging).

Version 1.4.0

  • Changing the log messages to match the logging method used in LCMAPS version 1.5.0, which will be using the Syslog native log priority/levels.

LCMAPS-PLUGINS-BASIC

Version 1.5.0

  • Changing the log messages to match the logging method used in LCMAPS version 1.5.0, which will be using the Syslog native log priority/levels.
  • Fixed an error message that mentioned a gridmapdir was not available, while the grid-mapfile couldn't be found

LCMAPS-PLUGINS-C-PEP

Version 1.2.2

  • New configuration option:
    --use-pilot-proxy-as-cafile

    With this new option the pilot proxy file in X509_USER_PROXY will also be used as if specified with the --cafile option. This is necessary for implementations using NSS for the SSL.

  • New configure option --with-ssl-cipher-list=<cipherlist> to set the cipher list to be used for the SSL session. When unset no #define is passed.
  • New configuration option:
    --ssl-cipher-list <cipherlist>

    With this new option a sysadmin can specify the cipher list to be used for the SSL session. This feature is required to be used on systems that are forced to use a libcurl build against libnss, i.e. Red Hat Enterprise Linux 6 (and derivatives) and Fedora 12 and up. The same holds true on installations have choosen the libcurl dynmically linked to libnss. A build-in default is used when this option it not set. The default setting is known to be compatible with OpenSSL 0.9.7 though 1.0.x. and GnuTLS. When unset, no explicit cipher list is passed to libargus-pep-c (which is pushed to the SSL library used by libcurl)

Version 1.2.1

  • It is now supported to run this plug-in from an SSL- or GSS-based interface through LCMAPS. This included Xrootd, Globus gatekeepers, gridftpd and gsi-opensshd

Version 1.2.0

  • Changing the log messages to match the logging method used in LCMAPS version 1.5.0, which will be using the Syslog native log priority/levels.

Version 1.1.6

  • Fixed and verified: GGUS ticket: 72752. The correct error message is no displayed in the log file: "Error: assert failed: setoptions for implicit ssl needs X509_USER_PROXY set"

Build methods and install details:

  • Rename lcmaps_config.h into lcmaps_c_pep_config.h and update AC_LCMAPS_INTERFACE to new-style. Still compatible with older LCMAPS apis.
  • The new default install location for the module is $libdir/lcmaps, this was $libdir/modules.

To be tested to function properly:

  • Argus support for GSS/GSI and STACK_OF(X509)/X509 * LCMAPS interface users, like gatekeepers, gridftpd and gsi-opensshd on request by IGE. GGUS: 75568

LCMAPS-PLUGINS-TRACKING-GROUPID

Version 0.1.0

  • Changing the log messages to match the logging method used in LCMAPS version 1.5.0, which will be using the Syslog native log priority/levels.
  • Fixed the initialization checks for the MINGID and MAXGID values to be a proper number. This was done by adding extra checks around strtol().

Plugin lcmaps-plugins-tracking-groupid (NEW) - GGUS ticket #69159:

The goal of this new LCMAPS plugin is to preserve Batch System (like SGE and Condor) issued Tracking Group IDs and preserve them between the Pilot Job and Payload context in a Multi User Pilot Job environment. Especially useful for batch system that use the Tracking Group ID feature in Condor and Sun Grid Engine / Oracle Grid Engine batch systems.

tracking_groupid = "lcmaps_tracking_groupid.mod"
                   "--tracking-groupid-min MINGID"
                   "--tracking-groupid-max MAXGID"

LCMAPS-PLUGINS-VERIFY-PROXY

Version 1.5.2

  • An internally restructured verify-proxy plugin fixing several memory handling problem. It solved several memory leakages and quite a lot potential segmentation fault situation.
    There should be no noticable change, besides the lowered memory leakage proper checking.

Version 1.5.1

No report

Version 1.5.0

  • Changing the log messages to match the logging method used in LCMAPS version 1.5.0, which will be using the Syslog native log priority/levels.
  • The plugin will fail to initialize when the configured -cadir or -certdir directory does not exist. This was a run-time error.
  • Fixed the ability to use the plugin for life-time checking from a GT4 or GT5 service. The requirement for a private key MUST be explicitly disabled with either the configuration of "--only-enforce-lifetime-checks" or "--discard_private_key_absence". The internally used environment variable $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE is equivalent to the setting of "--discard_private_key_absence". The environment variable can be countered/muted by "--never_discard_private_key_absence".
  • New feature to be able to REQUIRE the final certificate in a chain to be a LIMITED proxy. Enable the option "--require-limited-proxy" to enforce this.
    This version DOES NOT WORK with RFC3820 limited proxy. This will be added in an update.
  • Man page is now packaged with the source.

Version 1.4.12

  • The new certificate type detection function makes it possible to detect the proxy certificate type more cleanly and now properly distinghuishes RFC 3820 and old-style certificates reliable. A wrongly constructed chain is a rare occurance, but is now properly detected and will result in an X509_V_ERR_CERT_REJECTED or "certificate rejected" error code.
  • The certificate rejection is only triggered when the following #define is enabled: USE_STRICT_PATH_VALIDATION. Without it, the condition will be treated as a warning only seen on a verbose loglevel.
  • Also, the grid_verifyPathLenConstraints() function is now called when the X509_verify() reaches the final certificate in the chain in its verification cycle. This will dysect the certificate chain properly and trigger on the right errors.
  • A bunch of useless debugging messages are no longer visable in the log file. They can be revived when you upgrade the loglevel for more verbosity.

Version 1.4.11

Version: 1.4.10

Plugin lcmaps-plugins-verify-proxy:

  • Fixing path length constraint problem for TERENA eScience Peronsal CA users.

Version: 1.4.9

Plugin lcmaps-plugins-verify-proxy:

  • Fixed the Proxy Life Time Policy enforcement functionality.
  • Fixed the VOMS Life Time Policy enforcement functionality.
  • To cope with Subordinate CAs we have to extend the verification depth to be able to hold the certificate chain (could contain a lot of delegations) and all the CA certificate, which might not be added to the certificate chain itself but would still be lingering in the X509 CA directory lookup functions. OpenSSL uses a default depth of 9.
  • Resurrected an option with a different name:
    --only-enforce-lifetime-checks

    When this option is set the verification routines are skipped to enforce the proxy and/or VOMS lifetime policies only. This is interesting for GT4/5 tools like GridFTPd and the Gatekeeper as they already perform full authentication on the SSL layer. In gLExec this plug-in MUST run in full mode.

LCMPAPS-PLUGINS-VOMS

Version 1.5.3

  • Added manpages for the lcmaps_voms, lcmaps_voms_localaccount, lcmaps_voms_poolaccount, lcmaps_voms_poolgroup and lcmaps_localgroup plug-ins.
  • Fix an 'invalid read' in valgrind (seems a bug in the gnu implementation of strspn())

Version 1.5.2

  • Fixed a bug when the option -do_not_use_secondary_gids is set and no other is set. This was discovered during an upgrade on a CREAM CE by Massimo Sgaravatto.. The check was intented to cast an error when mutually exclusive settings where configured. In this case the settings were not mutually exclusive and falsely failed the initialization of the plug-in. The check has been removed.

Version 1.5.1

  • Removed the gss_cred_id_t to X.509 conversion. The LCMAPS framework reliably takes care of this and taking the X.509 as a base (exclusive for the lcmaps_voms.mod, not the mapping plug-ins).

Version 1.5.0

  • Changing the log messages to match the logging method used in LCMAPS version 1.5.0, which will be using the Syslog native log priority/levels.
  • Added an initialization check to the voms localaccount plugin. The grid-mapfile must be stat()-able, otherwise trigger an initialization failure. Previously a run-time error would have been triggered.
  • Added initialization checks to the voms poolgroup plugin. The groupmapfile and groupmapdir stat()-able, otherwise trigger an initialization failure.
    Previously a run-time error would have been triggered.
  • A new option to the plugins "voms_localgroup" and "voms_poolgroup":
    --map-to-secondary-groups

    When set all the VOMS FQAN to Unix Group ID mappings will be stored as secondary Unix group IDs. By default the first mapping will be stored as a primary Unix Group ID

  • New options to the plugins "voms_localaccount" and "voms_poolaccount":
    --add-primary-gid-from-mapped-account

    When set the primary Unix ID will come from the mapped local/pool account based on 'passwd' information on the account.

    --do-not-add-primary-gid-from-mapped-account

    When set the primary Unix ID will NOT come from the account and is expected to be set by another plug-in prior. The voms_poolaccount plug-in expects (by default) a primary Unix group id to be provided. The voms_localaccount could function without the primary Unix group id set. It is thereby advised to run a plug-in that will provided this information prior to these two plug-ins. Note for the voms_localaccount:: This feature is equivalent to setting -use_voms_gid or --use-voms-gid

    --add-secondary-gids-from-mapped-account

    When set the secondary Unix group IDs of the mapped account are added as mapped secondary Unix group ID results

    --add-primary-gid-as-secondary-gid-from-mapped-account

    The mapped pool/local account is looked up for its 'passwd' information and the associated primary Unix group ID is added to the mapping result as a secondary Unix group ID.

    The following combination of options is mutually exclusive: --do-not-map-primary-gid and --match-primary-gid-to-mapped-account
    --use-voms-gid and --do-not-map-primary-gid
    --use-voms-gid and --match-primary-gid-to-mapped-account
    --use-voms-gid and --add-secondary-gids-from-mapped-account

  • New option to "voms_poolaccount":
    --require-primary-gid

    This was the old default. The voms_poolaccount plugin expects to have access to an already mapped primary Unix group ID from a previously executed plug-in. The primary Unix group ID and the secondary Unix group IDs were used to form the poolindex entry for in the gridmapdir and poolaccount procurement process.

    --do-not-require-primary-gid

    The new DEFAULT. The voms_poolaccount plugin does not expect a primary Unix group ID to be set by another plug-in. At the time of the poolindex construction and account procurement process from the gridmapdir the primary Unix group ID is *NOT* used when not yet set. If another plugin did set a primary Unix group ID, then this is going to be used too.
    Applying this setting provides the opportunity to us the "--map-to-secondary-groups" option to the "voms_localaccount" and "voms_poolaccount" and let the primary Unix group ID from the "--add-primary-gid-from-mapped-account" work as advertised.

Version 1.4.6

Moving the debug message more to the background into the debug stream.