Difference between revisions of "EES installation instructions"

From PDP/Grid Wiki
 
(10 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
* Install the EES:
 
* Install the EES:
 
  yum install ees
 
  yum install ees
* Add a useraccount for the ees user:
+
* When needed, add a useraccount for the ees user (should be automatic by RPM):
 
  useradd -r -M ees
 
  useradd -r -M ees
 
* Update ees.conf for logging:
 
* Update ees.conf for logging:
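Review bot: the reworded account step ("When needed, add a useraccount for the ees user (should be automatic by RPM)") gives the reader no way to tell whether it is needed. Suggest adding a check after `yum install ees`, for example `getent passwd ees`, and running `useradd -r -M ees` only when that returns nothing.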
Line 8: Line 8:
 
::comment-out the ''log='' line.
 
::comment-out the ''log='' line.
 
: ''file''
 
: ''file''
::update the logfile to a file writeable for the ees user
+
::when needed, update the logfile to a file writeable for the ees user
# custom log file
+
* enable the service
log = /usr/log/ees.log
+
  chkconfig ees on
::create logfile
 
  touch /var/log/ees.log && chown ees.root /var/log/ees.log
 
 
* start the ees
 
* start the ees
 
  /etc/init.d/ees start
 
  /etc/init.d/ees start
* You can use the [http://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/nagios/ees/ EES nagios plugin] to test it is working correctly
+
* You can use the [http://software.nikhef.nl/security/nagios-plugins-ees/ EES nagios plugin] to test it is working correctly:
 +
yum install nagios-plugins-ees
 +
/usr/lib64/nagios/plugins/check_ees
  
 
== Installation of Argus Obligation Handler ==
 
== Installation of Argus Obligation Handler ==
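Review bot: in the file-logging item the new text still says "update the logfile to a file writeable for the ees user", but the example `log =` line and the `touch ... && chown ees.root ...` step are both removed, so no path and no ownership command remain for anyone who picks file logging. The removed example was inconsistent (`log = /usr/log/ees.log` against `touch /var/log/ees.log`), so suggest restoring it with the same path in both lines rather than dropping it. Separately, `/usr/lib64/nagios/plugins/check_ees` is a lib64 path; a short note that the directory depends on the architecture would help.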

Latest revision as of 14:20, 29 September 2014

Basic installation

  • Install the EES:
yum install ees
  • When needed, add a user account for the ees user (should be automatic by RPM):
useradd -r -M ees
  • Update ees.conf for logging:
    syslog: comment out the log= line.
    file: when needed, update the logfile to a file writable by the ees user
  • enable the service
chkconfig ees on
  • start the ees
/etc/init.d/ees start
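  • You can use the EES nagios plugin (http://software.nikhef.nl/security/nagios-plugins-ees/) to test it is working correctly:
yum install nagios-plugins-ees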
/usr/lib64/nagios/plugins/check_ees

Installation of Argus Obligation Handler

  • On the host running the Argus PEPd run
yum install ees-pepd-oh
  • Create a symlink:
ln -s /usr/share/java/ees-pepd-oh.jar /var/lib/argus/pepd/lib/
  • Make sure there is a policy active in the Argus PAP that will trigger an EES run, e.g.:
resource "wn" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    obligation "http://example.org/xacml/obligation/run-ees" {}
    action ".*" {
       rule permit {
          fqan = "/dteam"
       }
    }
}
Don't forget to reload the policy in the PDP
/etc/init.d/argus-pdp reloadpolicy
  • Add an [EES_OH] section to /etc/argus/pepd/pepd.ini, containing the same obligation as inserted in the PAP policy. Also make sure the eesEndpoint is set correctly.
[EES_OH]
parserClass = org.glite.authz.pep.obligation.eesmap.EESObligationHandlerConfigurationParser
entityId = http://argus.example.org/pepd/ees
handledObligationId = http://example.org/xacml/obligation/run-ees
eesEndpoint = http://ees.example.org:6217/
  • Also add the EES_OH to the list of enabled obligationHandlers in the [SERVICE] section of the /etc/argus/pepd/pepd.ini:
[SERVICE]
...
obligationHandlers = EES_OH ACCOUNTMAPPER_OH
  • Restart the PEPd:
/etc/init.d/argus-pepd restart

It should now be possible to do a gLExec call-out to the Argus PEPd that triggers an EES run.