Difference between revisions of "GLExec Argus Quick Installation Guide"

From PDP/Grid Wiki
Line 36: Line 36:
 
* yaim-glexec-wn
 
* yaim-glexec-wn
  
== gLExec with Argus ==
+
Create UNIX user and group '''glexec'''.
  
GLExec will interact with Argus using an LCMAPS plug-in which uses the PEP-C library to communicate to it. The plug-in calls out to the [https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework#Policy_Enforcement_Point Argus PEP Daemon]. The response from the Argus PEP Daemon is extracted and used to deny or fulfill the mapping request to the resource.
+
== Configuration ==
 
 
=== Authorization and Mapping ===
 
 
 
Based on the Grid credentials, LCMAPS C PEP plug-in will send an XACML request to the Argus PEP Daemon, and then parse the XACML response decision to authorize the user and the obligations to map him to a local account which will effectively switch the active Unix account of the running process.
 
  
=== XACML Request ===
+
As a minimum, gLExec and LCMAPS configuration files need to be configured.
 +
For use with Argus, something along the lines of the following gLExec and LCMAPS configuration files suffice:
  
The gLExec LCMAPS PEP plug-in sends an XACML request to the PEP Daemon with the following elements by default (The previously used XACML attribute profile can still be selected, but this needs to be explicitly configured).
+
==== /etc/glexec.conf ====
  
* XACML subject with the attribute element:
 
** AttributeId: urn:oasis:names:tc:xacml:1.0:subject:key-info
 
** Value: The PEM encoded Grid credentials provided by the calling process, fetched from the file content located by the environment variable $GLEXEC_USER_CERT. The location to the proxy file of the pilot job payload owner (e.g. the end user) must be set by this variable in order for gLExec to pass it on. The mapping will be based on this information.
 
* XACML resource with the attribute element:
 
** AttributeId: urn:oasis:names:tc:xacml:1.0:resource:resource-id
 
** Value: The type of resource of the node and service from where the request originated (e.g. SE, CE, WN or RB/WMS).
 
* XACML action with the attribute element:
 
** AttributeId: urn:oasis:names:tc:xacml:1.0:action:action-id
 
** Value: The type of action to be taken on the node from where the request originated (e.g. access-file, queue, execute-now).
 
* XACML environment with the attribute element:
 
** AttributeId: urn:oasis:names:tc:xacml:1.0:subject:key-info
 
** Value: The PEM encoded Grid credentials provided by the calling process, fetched from the file content located by the environment variable $X509_USER_PROXY. The location to the proxy file of the pilot job executor or pilot job framework manager must be set by this variable in case of a pilot job framework scenario.
 
 
=== XACML Response ===
 
 
The PEP Daemon sends back a XACML response to the gLExec LCMAPS PEP plug-in. The following XACML response elements are parsed to authorize and map the user:
 
* XACML decision element: Contains the '''authorization decision''' ''Permit'', ''Deny'', ''Indeterminate'' or ''NotApplicable''
 
* XACML obligation, ObligationId: ''http://glite.org/xacml/obligation/local-environment-map/posix'', with the three possible attribute assignment elements:
 
** AttributeId: ''http://glite.org/xacml/attribute/user-id''
 
** Value: Contains the '''Unix User ID''' of the mapped user account in a string format.
 
** AttributeId: ''http://glite.org/xacml/attribute/group-id/primary''
 
** Value: Contains the '''Unix Group ID''' of the mapped primary group in a string format.
 
** AttributeId: ''http://glite.org/xacml/attribute/group-id''
 
** Value: Contains the '''Unix Secondary Group ID''' of the mapped group in a string format.
 
The local identity mapping will only succeed if the authorization decision is '''Permit'''.
 
 
== Configuration ==
 
 
As a minimum, gLExec and LCMAPS need to be configured. For use with Argus, something along the lines of the following gLExec and LCMAPS configurations suffice:
 
 
glexec.conf:
 
 
  #  Glexec configuration file
 
  #  Glexec configuration file
 
  #
 
  #
Line 91: Line 57:
 
  #lcas_debug_level            = 0
 
  #lcas_debug_level            = 0
  
See the [[Man pages of gLExec]] for full information on all the configuration options.
+
Edit at least the user whitelist. See the [[Man pages of gLExec]] for full information on all the configuration options.
 +
 
 +
Make sure the glexec.conf file is only writable for user root and/or glexec. In the preferred ''switching mode'', the preferred installation of glexec binary and config files are:
 +
-rws--x--x  1  root  root  12345  2010-02-29  12:34  /usr/sbin/glexec
 +
-r--------  1  glexec root    123  2010-02-29  12:34  /etc/glexec.conf
 +
 
 +
==== /etc/lcmaps/lcmaps-glexec.db for use with Argus ====
  
/etc/lcmaps/lcmaps-glexec.db:
 
 
  # LCMAPS config file for glexec
 
  # LCMAPS config file for glexec
 
  #
 
  #
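Review bot: The added sentence "Make sure the glexec.conf file is only writable for user root and/or glexec" does not match the listing added right under it, where /etc/glexec.conf is shown as -r-------- and owned by glexec, so the file carries no write bit at all and is readable by its owner only. Suggest wording the requirement the way the listing shows it (config owned by glexec with mode 0400, binary owned by root with mode 4711 including the setuid bit) so it can be compared directly with ls -l output, and replacing the 2010-02-29 timestamp in both listing lines, which is not a calendar date.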
Line 114: Line 85:
 
  glexec_get_account:
 
  glexec_get_account:
 
  verify_proxy -> pepc
 
  verify_proxy -> pepc
 +
 +
Edit at least the pep-daemon-endpoint-url, to point to the correct Argus PEPd server.
 +
 +
== gLExec with Argus ==
 +
 +
GLExec will interact with Argus using an LCMAPS plug-in which uses the Argus PEP-C library to communicate to it. The plug-in calls out to the [https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework#Policy_Enforcement_Point Argus PEP Daemon]. The response from the Argus PEP Daemon is extracted and used to deny or fulfill the mapping request to the resource.
 +
 +
===  Authorization and Mapping ===
 +
 +
Based on the Grid credentials, LCMAPS C PEP plug-in will send an XACML request to the Argus PEP Daemon, and then parse the XACML response decision to authorize the user and the obligations to map him to a local account which will effectively switch the active Unix account of the running process.
 +
 +
=== XACML Request ===
 +
 +
The gLExec LCMAPS PEP plug-in sends an XACML request to the PEP Daemon with the following elements by default (The previously used XACML attribute profile can still be selected, but this needs to be explicitly configured).
 +
 +
* XACML subject with the attribute element:
 +
** AttributeId: urn:oasis:names:tc:xacml:1.0:subject:key-info
 +
** Value: The PEM encoded Grid credentials provided by the calling process, fetched from the file content located by the environment variable $GLEXEC_USER_CERT. The location to the proxy file of the pilot job payload owner (e.g. the end user) must be set by this variable in order for gLExec to pass it on. The mapping will be based on this information.
 +
* XACML resource with the attribute element:
 +
** AttributeId: urn:oasis:names:tc:xacml:1.0:resource:resource-id
 +
** Value: The type of resource of the node and service from where the request originated (e.g. SE, CE, WN or RB/WMS).
 +
* XACML action with the attribute element:
 +
** AttributeId: urn:oasis:names:tc:xacml:1.0:action:action-id
 +
** Value: The type of action to be taken on the node from where the request originated (e.g. access-file, queue, execute-now).
 +
* XACML environment with the attribute element:
 +
** AttributeId: urn:oasis:names:tc:xacml:1.0:subject:key-info
 +
** Value: The PEM encoded Grid credentials provided by the calling process, fetched from the file content located by the environment variable $X509_USER_PROXY. The location to the proxy file of the pilot job executor or pilot job framework manager must be set by this variable in case of a pilot job framework scenario.
 +
 +
=== XACML Response ===
 +
 +
The PEP Daemon sends back a XACML response to the gLExec LCMAPS PEP plug-in. The following XACML response elements are parsed to authorize and map the user:
 +
* XACML decision element: Contains the '''authorization decision''' ''Permit'', ''Deny'', ''Indeterminate'' or ''NotApplicable''
 +
* XACML obligation, ObligationId: ''http://glite.org/xacml/obligation/local-environment-map/posix'', with the three possible attribute assignment elements:
 +
** AttributeId: ''http://glite.org/xacml/attribute/user-id''
 +
** Value: Contains the '''Unix User ID''' of the mapped user account in a string format.
 +
** AttributeId: ''http://glite.org/xacml/attribute/group-id/primary''
 +
** Value: Contains the '''Unix Group ID''' of the mapped primary group in a string format.
 +
** AttributeId: ''http://glite.org/xacml/attribute/group-id''
 +
** Value: Contains the '''Unix Secondary Group ID''' of the mapped group in a string format.
 +
The local identity mapping will only succeed if the authorization decision is '''Permit'''.
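Review bot: In the added XACML Request list, the environment element carries AttributeId urn:oasis:names:tc:xacml:1.0:subject:key-info, the same identifier as the subject element a few entries above it. If that is intended, say so next to the environment entry, because the two values come from different variables ($X509_USER_PROXY versus $GLEXEC_USER_CERT) and a policy author needs to know which credential each attribute carries; if it is a copy-and-paste slip, replace it with the environment attribute's own identifier.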

Revision as of 11:14, 27 August 2012

Introduction

gLExec is a program to make the required mapping between the grid world and the Unix notion of users and groups, and has the capacity to enforce that mapping by modifying the uid and gids of running processes. Based on LCAS and LCMAPS, it can both act as a light-weight 'gatekeeper' replacement, and even be used on the worker node in late-binding (pilot job) scenarios.

gLExec uses the LCMAPS framework to abstract different implementations and techniques that can be implemented through the use of specialized plug-ins. The plug-ins do the actual work (e.g. extensive credentials, procuring an account locally or through a central authorization service, like Argus).

Package installation

Enable the correct UMD or EMI repository.

Install either the emi-glexec_wn metapackage or do a manual yum install of the following list of packages:

  • glexec
  • lcmaps
  • lcmaps-plugins-basic
  • lcmaps-plugins-c-pep
  • lcmaps-plugins-tracking-groupid
  • lcmaps-plugins-verify-proxy
  • lcmaps-plugins-voms

You can optionally also install LCAS:

  • lcas
  • lcas-plugins-basic
  • lcas-plugins-check-executable
  • lcas-plugins-voms

the gLExec wrapper scripts:

  • glexec-wrapper-scripts

the MkGlTempDir utility:

  • mkgltempdir

the gLExec nagios plugin:

  • nagios-plugins-emi.glexec

and the YAIM configuration module for the gLExec workernode:

  • yaim-glexec-wn

Create UNIX user and group glexec.

Configuration

As a minimum, the gLExec and LCMAPS configuration files need to be configured. For use with Argus, something along the lines of the following gLExec and LCMAPS configuration files suffices:

/etc/glexec.conf

#  Glexec configuration file
#
[glexec]
user_white_list              = batman,superman,spiderman
log_level                    = 3
lcmaps_db_file               = /etc/lcmaps/lcmaps-glexec.db
lcmaps_debug_level           = 3
lcmaps_get_account_policy    = glexec_get_account
#use_lcas                     = no
#lcas_db_file                 = /etc/lcas/lcas-glexec.db
#lcas_debug_level             = 0

Edit at least the user whitelist. See the Man pages of gLExec for full information on all the configuration options.

Make sure the glexec.conf file is only writable for user root and/or glexec. In the preferred switching mode, the preferred installation of the glexec binary and config file is:

-rws--x--x   1   root   root   12345   2010-02-29  12:34   /usr/sbin/glexec
-r--------   1   glexec root     123   2010-02-29  12:34   /etc/glexec.conf
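
A way to check an installed node against the listing above, given as an added example that is not part of the original guide or of gLExec itself. It converts the two `ls -l` mode strings shown above to permission bits and reports any mismatch in mode or owner, plus any group or other write bit; the function names are hypothetical.

```python
import os
import pwd
import stat

# Expected state copied from the guide's listing: path -> (ls -l mode, owner)
EXPECTED = {
    "/usr/sbin/glexec": ("-rws--x--x", "root"),
    "/etc/glexec.conf": ("-r--------", "glexec"),
}

def symbolic_to_mode(sym):
    """Convert an `ls -l` mode string such as '-rws--x--x' to permission bits."""
    mode = 0
    for i, ch in enumerate(sym[1:10]):
        bit = 0o400 >> i
        special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}.get(i, 0)
        if ch in "rwx":
            mode |= bit
        elif ch in "st":      # special bit with the execute bit set
            mode |= bit | special
        elif ch in "ST":      # special bit without the execute bit
            mode |= special
    return mode

def owner_name(uid):
    # Fall back to the numeric uid when it has no passwd entry
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def audit(path, sym, owner):
    """Return a list of findings; an empty list means the file matches."""
    st = os.stat(path)
    actual, wanted = stat.S_IMODE(st.st_mode), symbolic_to_mode(sym)
    findings = []
    if actual != wanted:
        findings.append(f"{path}: mode {actual:04o}, expected {wanted:04o}")
    if owner_name(st.st_uid) != owner:
        findings.append(f"{path}: owner {owner_name(st.st_uid)}, expected {owner}")
    if actual & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or other")
    return findings

if __name__ == "__main__":
    for path, (sym, owner) in EXPECTED.items():
        if os.path.exists(path):
            print(path, audit(path, sym, owner) or "OK")
        else:
            print(path, "not found")
```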

/etc/lcmaps/lcmaps-glexec.db for use with Argus

# LCMAPS config file for glexec
#

# where to look for modules
path = /usr/lib64/lcmaps

# module definitions
verify_proxy = "lcmaps_verify_proxy.mod" 
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"

pepc        = "lcmaps_c_pep.mod"
              "--pep-daemon-endpoint-url https://argus.testbed:8154/authz"
              " -resourceid wn"
              " -actionid http://glite.org/xacml/action/execute"
              " -capath /etc/grid-security/certificates/"
              " -pep-certificate-mode implicit"

glexec_get_account:
verify_proxy -> pepc

Edit at least the pep-daemon-endpoint-url, to point to the correct Argus PEPd server.

gLExec with Argus

gLExec interacts with Argus through an LCMAPS plug-in, which uses the Argus PEP-C library to communicate with it. The plug-in calls out to the Argus PEP Daemon. The response from the Argus PEP Daemon is extracted and used to deny or fulfill the mapping request to the resource.

Authorization and Mapping

Based on the Grid credentials, the LCMAPS C PEP plug-in sends an XACML request to the Argus PEP Daemon and then parses the XACML response: the decision is used to authorize the user, and the obligations are used to map the user to a local account, which effectively switches the active Unix account of the running process.

XACML Request

The gLExec LCMAPS PEP plug-in sends an XACML request to the PEP Daemon with the following elements by default (the previously used XACML attribute profile can still be selected, but this needs to be explicitly configured).

  • XACML subject with the attribute element:
    • AttributeId: urn:oasis:names:tc:xacml:1.0:subject:key-info
    • Value: The PEM encoded Grid credentials provided by the calling process, fetched from the file content located by the environment variable $GLEXEC_USER_CERT. The location to the proxy file of the pilot job payload owner (e.g. the end user) must be set by this variable in order for gLExec to pass it on. The mapping will be based on this information.
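  • XACML resource with the attribute element:
    • AttributeId: urn:oasis:names:tc:xacml:1.0:resource:resource-id
    • Value: The type of resource of the node and service from where the request originated (e.g. SE, CE, WN or RB/WMS).
  • XACML action with the attribute element:
    • AttributeId: urn:oasis:names:tc:xacml:1.0:action:action-id
    • Value: The type of action to be taken on the node from where the request originated (e.g. access-file, queue, execute-now).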
  • XACML environment with the attribute element:
    • AttributeId: urn:oasis:names:tc:xacml:1.0:subject:key-info
    • Value: The PEM encoded Grid credentials provided by the calling process, fetched from the file content located by the environment variable $X509_USER_PROXY. The location to the proxy file of the pilot job executor or pilot job framework manager must be set by this variable in case of a pilot job framework scenario.

XACML Response

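The PEP Daemon sends back an XACML response to the gLExec LCMAPS PEP plug-in. The following XACML response elements are parsed to authorize and map the user:

  • XACML decision element: Contains the authorization decision Permit, Deny, Indeterminate or NotApplicable
  • XACML obligation, ObligationId: http://glite.org/xacml/obligation/local-environment-map/posix, with the three possible attribute assignment elements:
    • AttributeId: http://glite.org/xacml/attribute/user-id
    • Value: Contains the Unix User ID of the mapped user account in a string format.
    • AttributeId: http://glite.org/xacml/attribute/group-id/primary
    • Value: Contains the Unix Group ID of the mapped primary group in a string format.
    • AttributeId: http://glite.org/xacml/attribute/group-id
    • Value: Contains the Unix Secondary Group ID of the mapped group in a string format.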

The local identity mapping will only succeed if the authorization decision is Permit.
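
The response handling described above, sketched as an added example that is not the plug-in's own code: a mapping is returned only for a single Permit decision that carries the posix obligation, and every other case is refused. The XML rendering of the response, the sample account and group names, and the rule that exactly one user-id must be present are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

OBLIGATION_ID = "http://glite.org/xacml/obligation/local-environment-map/posix"
USER_ID = "http://glite.org/xacml/attribute/user-id"
PRIMARY_GID = "http://glite.org/xacml/attribute/group-id/primary"
SECONDARY_GID = "http://glite.org/xacml/attribute/group-id"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def map_account(response_xml):
    """Return (user, primary_group, secondary_groups) or raise PermissionError."""
    root = ET.fromstring(response_xml)
    decisions = [(e.text or "").strip() for e in root.iter() if _local(e.tag) == "Decision"]
    if decisions != ["Permit"]:  # Deny, Indeterminate, NotApplicable, missing or repeated
        raise PermissionError(f"not permitted: {decisions}")
    values = {USER_ID: [], PRIMARY_GID: [], SECONDARY_GID: []}
    for ob in root.iter():
        if _local(ob.tag) == "Obligation" and ob.get("ObligationId") == OBLIGATION_ID:
            for a in ob:
                text = (a.text or "").strip()
                if a.get("AttributeId") in values and text:
                    values[a.get("AttributeId")].append(text)
    if len(values[USER_ID]) != 1 or len(values[PRIMARY_GID]) > 1:
        raise PermissionError("Permit without an unambiguous account mapping")
    primary = values[PRIMARY_GID][0] if values[PRIMARY_GID] else None
    return values[USER_ID][0], primary, values[SECONDARY_GID]

def sample_response(decision, assignments):
    """Constructed test input: a minimal XACML-style response document."""
    items = "".join(
        f'<AttributeAssignment AttributeId="{aid}">{val}</AttributeAssignment>'
        for aid, val in assignments)
    obligations = (f'<Obligations><Obligation ObligationId="{OBLIGATION_ID}" '
                   f'FulfillOn="Permit">{items}</Obligation></Obligations>') if assignments else ""
    return (f"<Response><Result><Decision>{decision}</Decision>"
            f"{obligations}</Result></Response>")

if __name__ == "__main__":
    ok = sample_response("Permit", [(USER_ID, "pool001"), (PRIMARY_GID, "pilot"),
                                    (SECONDARY_GID, "vo-a"), (SECONDARY_GID, "vo-b")])
    print(map_account(ok))
    for bad in (sample_response("Deny", [(USER_ID, "pool001")]),
                sample_response("Permit", [])):
        try:
            map_account(bad)
        except PermissionError as err:
            print("refused:", err)
```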