How to ban users with quattor

From PDP/Grid Wiki
Latest revision as of 07:55, 10 September 2012

Unfortunately, there is no universal method to ban grid users from using gLite services: every service type keeps its own ban file in its own format. Enter Quattor: from a single list of banned users we generate the ban lists on the various node types, so one edit in one template bans a DN site-wide.


How to add a user to the ban list?

The template $L/cfg/sites/ndpf/site/banlist.tpl defines a Pan variable GLOBAL_BANNED_USER_LIST, which is a list() containing the certificate DNs that should be banned (the ?= operator sets the variable only if it has not already been defined earlier in the compilation). Adding a user to this list is simply a matter of adding one line with the DN, enclosed in double quotes and followed by a comma:

variable GLOBAL_BANNED_USER_LIST ?= list(
 "/O=banned users/O=grid/CN=Evil User",
 # this is a comment line
 # use comments to relate the banned user DN to a date and reason
 "/O=some other org/O=whatever/CN=Compromised Account",
);

Don't forget to record the date and reason for banning the user in a comment next to the DN, so that the entry can be reviewed and lifted later.


Implementation

Services that support user banning can define a variable BANNED_USER_CONFIG which points to a template that implements the formatting of the appropriate files (see "Background Information" below). These templates read GLOBAL_BANNED_USER_LIST and write its DNs in the format each service expects.

Currently implemented methods:

  • lcas, used by the lcg-CE. Implementation in template $L/cfg/grid/common/security/user-banning/lcas.tpl
  • gridmap, used by the DPM server and disk. Implementation in template $L/cfg/grid/common/security/user-banning/gridmap.tpl
  • gacl, used by the WMS. Implementation in template $L/cfg/grid/common/security/user-banning/gacl.tpl

Background Information

Below is the summary of services and the method of banning:

  • lcg-CE, classic-SE: the banned user DNs need to be stored in /opt/edg/etc/lcas/ban_users.db and /opt/glite/etc/lcas/ban_users.db.
  • WMS: the banned user DNs have to be present in the files:
    • /opt/glite/etc/glite_wms_wmproxy.gacl
    • /etc/lcas/ban_users.db
  • DPM: the banned user DNs need to be mapped to a non-existing Unix account in /opt/lcg/etc/lcgdm-mapfile-local and /opt/edg/etc/grid-mapfile-local. In addition, there is a script /usr/local/bin/dpns-update-banned-users which bans the users that are present in the local map file via dpns-modifyusrmap (and unbans the users that are no longer in this file but who are currently banned in DPNS).
  • CreamCE: to be investigated
  • MyProxy (PX): To be completed
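The conversion that the three user-banning templates perform on GLOBAL_BANNED_USER_LIST, and the ban/unban bookkeeping that dpns-update-banned-users has to do against the local map file, as an added Python example. This is not code from this wiki, from Quattor or from the DPM script: it uses the LCAS ban_users.db and grid-mapfile line formats described above, an assumed GACL layout of one deny entry per DN, a constructed sample DN list, and a hypothetical non-existing account name "banned".

```python
"""Added example (not code from the PDP/Grid wiki or from Quattor): a
stand-in for what lcas.tpl, gridmap.tpl and gacl.tpl do with
GLOBAL_BANNED_USER_LIST, plus the ban/unban set computation that
dpns-update-banned-users performs. The LCAS and map-file layouts follow
the page; the GACL markup is an assumption."""
import re
import xml.etree.ElementTree as ET

# Constructed sample list, mirroring the banlist.tpl example on the page.
GLOBAL_BANNED_USER_LIST = [
    "/O=banned users/O=grid/CN=Evil User",
    "/O=some other org/O=whatever/CN=Compromised Account",
]

# Assumption: the non-existing Unix account the DPM map file points banned DNs at.
BANNED_ACCOUNT = "banned"

# A DN is a sequence of /attr=value components; values must not contain the
# characters that would break the quoted-DN line formats written below.
_DN_RE = re.compile(r'^(/[A-Za-z0-9.]+=[^/"\n]+)+$')


def check_dn(dn):
    """Return None if dn is safe to write into a ban file, else the reason."""
    if not isinstance(dn, str) or not dn.startswith("/"):
        return "DN must be a string starting with '/'"
    if '"' in dn or "\n" in dn:
        return "DN contains a double quote or newline"
    if not _DN_RE.match(dn):
        return "DN is not a sequence of /attr=value components"
    return None


def validated(dns):
    """Deduplicate (order preserved) and validate; fail on the first bad DN
    so a typo in banlist.tpl cannot silently produce an unparsable file."""
    seen = []
    for dn in dns:
        reason = check_dn(dn)
        if reason:
            raise ValueError("bad banned DN %r: %s" % (dn, reason))
        if dn not in seen:
            seen.append(dn)
    return seen


def render_lcas(dns):
    """ban_users.db for the LCAS ban plugin: one double-quoted DN per line."""
    lines = ["# generated from GLOBAL_BANNED_USER_LIST; do not edit by hand"]
    lines += ['"%s"' % dn for dn in validated(dns)]
    return "\n".join(lines) + "\n"


def render_mapfile(dns, account=BANNED_ACCOUNT):
    """lcgdm-mapfile-local / grid-mapfile-local: map each DN to a non-existing account."""
    return "".join('"%s" %s\n' % (dn, account) for dn in validated(dns))


def parse_mapfile_dns(text):
    """DNs listed in a map file written by render_mapfile."""
    return [m.group(1) for m in re.finditer(r'^"([^"]+)"\s+\S+$', text, re.M)]


def render_gacl(dns):
    """GACL document with one deny-exec entry per DN (assumed GACL layout)."""
    root = ET.Element("gacl", version="0.0.1")
    for dn in validated(dns):
        entry = ET.SubElement(root, "entry")
        ET.SubElement(ET.SubElement(entry, "person"), "dn").text = dn
        ET.SubElement(ET.SubElement(entry, "deny"), "exec")
    return ET.tostring(root, encoding="unicode")


def gacl_denied_dns(text):
    """DNs of the deny entries in a GACL document (round-trip check)."""
    return [e.findtext("person/dn") for e in ET.fromstring(text).findall("entry")
            if e.find("deny") is not None]


def reconcile(mapfile_text, currently_banned):
    """What dpns-update-banned-users must do: ban DNs present in the local
    map file that DPNS does not yet ban, and unban DNs that DPNS bans but
    which have dropped out of the file. Returns (to_ban, to_unban), sorted."""
    want, have = set(parse_mapfile_dns(mapfile_text)), set(currently_banned)
    return sorted(want - have), sorted(have - want)


if __name__ == "__main__":
    print(render_lcas(GLOBAL_BANNED_USER_LIST))
    print(render_mapfile(GLOBAL_BANNED_USER_LIST))
    print(render_gacl(GLOBAL_BANNED_USER_LIST))
    # Constructed DPNS state: one ban still to apply, one stale ban to lift.
    print(reconcile(render_mapfile(GLOBAL_BANNED_USER_LIST),
                    ["/O=some other org/O=whatever/CN=Compromised Account",
                     "/O=old/CN=No Longer Banned"]))
```

The validation step is the part worth copying into a real template: Pan will reject a missing comma at compile time, but a DN with an embedded double quote compiles fine and then breaks the quoted-line formats on every node at once. The reconcile function shows why the DPM script must diff against the current DPNS state rather than only apply the list: without the unban half, lifting a ban in banlist.tpl would never reach DPNS.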