Difference between revisions of "Using the SCAS"

From PDP/Grid Wiki
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
gLExec uses LCMAPS as its mapping back-end. It can be configured to use the [[SCAS]] client You can configure
+
The LCAS/LCMAPS GT4-interface for Globus GridFTPd, Gatekeeper and GSI-OpenSSHd and [[gLExec]] all share the [[LCMAPS]] framework as their mapping back-end. It can be configured to use the [[SCAS]] client LCMAPS plug-in. This will contact the SCAS service to trigger an authorization decision and, on a positive result, return a mapping result. This will then be input for the LCMAPS user mapping back-end of gLExec to continue.
  
If you prefer to use LCMAPS with the SCAS service, add the [http://etics-repository.cern.ch:8080/repository/download/registered/org.glite/org.glite.security.lcmaps-plugins-scas-client/0.2.8/ scas-client plugin] to the set of RPMs, and configure the SCAS client. You would add to <tt>/opt/glite/etc/lcmaps/lcmaps-glexec.db</tt>:
+
== Installation ==
 +
 
 +
Add the [http://etics-repository.cern.ch:8080/repository/download/registered/org.glite/org.glite.security.lcmaps-plugins-scas-client scas-client plugin] to the set of RPMs on your machine. The SCAS client LCMAPS plug-in has a requirement on the [http://etics-repository.cern.ch:8080/repository/download/registered/org.glite/org.glite.security.saml2-xacml2-c-lib SAML2-XACML2 C Library].
 +
 
 +
== Configuration ==
 +
 
 +
Configure the LCMAPS You would add to <tt>/opt/glite/etc/lcmaps/lcmaps.db</tt> or <tt>/opt/glite/etc/lcmaps/lcmaps-glexec.db</tt>:
  
 
  scasclient = "lcmaps_scas_client.mod"
 
  scasclient = "lcmaps_scas_client.mod"
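Review bot: The new Configuration paragraph opens with "Configure the LCMAPS You would add to", an unfinished sentence run straight into the next one. Suggest a single instruction such as "To configure LCMAPS, add the following to ...". The paragraph now names both lcmaps.db and lcmaps-glexec.db without saying which file belongs to which service, so a sentence on when each applies would help. The rewritten Installation link also no longer carries the 0.2.8 version that the removed text had; if that is intentional, it is worth stating which plug-in versions this configuration was written for.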
Line 15: Line 21:
 
  verify_proxy  -> scasclient
 
  verify_proxy  -> scasclient
 
  scasclient -> posix_enf
 
  scasclient -> posix_enf
 +
 +
Note: This example assumes a verify_proxy and posix_enf plug-in to be configured in the same lcmaps.db file.
 +
 +
== More information ==
 +
 +
To test your setup then you can find more information on the page for [[Debugging hints]].
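Review bot: The added note says verify_proxy and posix_enf are assumed to be configured in the same lcmaps.db file, but the page neither shows nor links those plug-in definitions, so a reader who copies only this snippet ends up with a policy that references plug-ins the file does not define. Suggest linking to the page that documents them or including a minimal definition for each. In the More information section, "To test your setup then you can find more information" reads awkwardly; "To test your setup, see [[Debugging hints]]" says the same thing.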

Latest revision as of 19:39, 5 February 2010

The LCAS/LCMAPS GT4-interface for Globus GridFTPd, Gatekeeper and GSI-OpenSSHd and gLExec all share the LCMAPS framework as their mapping back-end. LCMAPS can be configured to use the SCAS client LCMAPS plug-in. The plug-in contacts the SCAS service to trigger an authorization decision and, on a positive result, returns a mapping result. That result is then the input with which the LCMAPS user mapping back-end of gLExec continues.

Installation

Add the scas-client plugin to the set of RPMs on your machine. The SCAS client LCMAPS plug-in has a requirement on the SAML2-XACML2 C Library.

Configuration

To configure LCMAPS, add the following to /opt/glite/etc/lcmaps/lcmaps.db or /opt/glite/etc/lcmaps/lcmaps-glexec.db:

scasclient = "lcmaps_scas_client.mod"
            " -capath /etc/grid-security/certificates/"
            " -endpoint https://graszaad.nikhef.nl:8443"
            " -resourcetype wn"
            " -actiontype execute-now"

and the following policy execution flow at the end:

# policies
glexec_get_account:
verify_proxy  -> scasclient
scasclient -> posix_enf

Note: This example assumes a verify_proxy and posix_enf plug-in to be configured in the same lcmaps.db file.
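
The note above can be checked mechanically before a service is restarted. The following is an added example, not code from this wiki or from the LCMAPS project: a small parser for the lcmaps.db syntax shown on this page that reports policy steps whose plug-in is not defined in the file. The function names, and the extra checks that the SCAS client has an https -endpoint and a -capath as in the page's snippet, are assumptions of this example.

```python
import re

# Constructed input: the page's snippet, without verify_proxy/posix_enf definitions.
SAMPLE = '''scasclient = "lcmaps_scas_client.mod"
            " -capath /etc/grid-security/certificates/"
            " -endpoint https://graszaad.nikhef.nl:8443"
            " -resourcetype wn"
            " -actiontype execute-now"
# policies
glexec_get_account:
verify_proxy  -> scasclient
scasclient -> posix_enf
'''

def parse_lcmaps_db(text):
    """Return ({plug-in name: argument string}, {policy: [plug-in names used]})."""
    plugins, policies, plugin, policy = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        definition = re.match(r'(\w+)\s*=\s*"([^"]*)"$', line)
        if definition:                                 # name = "module.mod"
            plugin = definition[1]
            plugins[plugin] = definition[2]
        elif plugin and re.match(r'"[^"]*"$', line):   # continuation string
            plugins[plugin] += line[1:-1]
        elif re.match(r'\w+:$', line):                 # policy header
            plugin, policy = None, line[:-1]
        elif policy and "->" in line:                  # state -> next step
            policies.setdefault(policy, []).extend(re.findall(r'\w+', line))
    return plugins, policies

def check(text):
    """Return a list of findings; an empty list means every check passed."""
    plugins, policies = parse_lcmaps_db(text)
    findings = [f"{policy}: plug-in '{name}' is not defined"
                for policy, names in policies.items()
                for name in dict.fromkeys(names) if name not in plugins]
    for name, value in plugins.items():
        module, *args = value.split() or [""]
        opts = dict(zip(args[0::2], args[1::2]))       # assumes "-option value" pairs
        if module != "lcmaps_scas_client.mod":
            continue
        if not opts.get("-endpoint", "").startswith("https://"):
            findings.append(f"{name}: -endpoint is missing or not https")
        if "-capath" not in opts:
            findings.append(f"{name}: -capath is not set")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SAMPLE)) or "no findings")
```

Run against the snippet alone, it reports verify_proxy and posix_enf as undefined, which is the situation the note describes.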

More information

To test your setup, see the Debugging hints page for more information.