Difference between revisions of "Lcmaps-plugins-robot"

From PDP/Grid Wiki

Revision as of 10:31, 13 February 2015

Introduction

The LCMAPS-plugins-robot package has been developed for EGI's Long Tail of Science pilot project. Unlike the normal LCMAPS plugins, it uses a so-called Per-User Sub-Proxy (PUSP) as input. These proxies are RFC3820 compliant proxy delegations from robot certificates that carry (anonymised) identifying information about the actual user in the added proxy CN field; they are typically generated inside a web portal for users who log in via an SSO system. Hence the different LCMAPS-plugins-robot modules use the first proxy DN instead of the EEC DN for their mapping or banning decisions. The plugin treats the proxy as a valid PUSP if it satisfies:

  1. the proxy is a valid RFC3820 proxy
  2. its EEC is a robot-type certificate:

Usage

A typical example lcmaps.db showing the different plugins plus two policies, one for pool-account based mappings and one for local-account based mappings:

# Specify directory where LCMAPS modules are installed
path  = /usr/lib64/lcmaps
 
# Module definitions
verify_proxy = "lcmaps_verify_proxy.mod"
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"

# Normal banning module: e.g. for robot EEC
ban_dn = "lcmaps_ban_dn.mod"
         "-banmapfile /etc/grid-security/ban_users.db"

# Per-User Sub-Proxy banning module
robot_ban_dn = "lcmaps_robot_ban_dn.mod"
               "-banmapfile /etc/grid-security/ban_users.db"

# Per-User Sub-Proxy DN to localaccount mapping
robot_local = "lcmaps_robot_localaccount.mod"
              "-gridmapfile /etc/grid-security/grid-mapfile"

# Per-User Sub-Proxy DN to poolaccount mapping
robot_pool = "lcmaps_robot_poolaccount.mod"
              "-gridmapfile /etc/grid-security/grid-mapfile"
              "-gridmapdir /etc/grid-security/gridmapdir/"


# Different policies
pool_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> verify_proxy
verify_proxy -> robot_pool

local_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> verify_proxy
verify_proxy -> robot_local

For the localaccount plugin, the grid-mapfile should contain entries such as

"/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:johndoe" nobody
"/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:janedoe" anybody

while for the poolaccount plugin, it should typically contain entries such as

"/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:*" .robotpool

and the gridmapdir should then be populated with the names of the LDAP or local accounts

robotpool001
robotpool002
...


In combination with gLExec, this allows user-switching based on individual Per-User Sub-Proxy DNs.
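As an added illustration (not code from the lcmaps-plugins-robot package), the following Python model walks through the pool_mapping and local_mapping policies above: it takes the first proxy DN out of a chain, checks the ban list for both the robot EEC and the PUSP DN, consults grid-mapfile entries like those shown, and for a .robotpool entry leases an account from a gridmapdir. It assumes that a robot EEC is recognised by OU=Robot in its DN, that the trailing * in the mapfile entry is a glob, and it simplifies gridmapdir leasing to a hard link named after the URL-encoded DN; all sample DNs and accounts are constructed.

```python
import fnmatch
import os
import tempfile
from urllib.parse import quote

ROBOT = "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin"  # constructed, after the page's examples
BAN_LIST = {ROBOT + "/CN=user:mallory"}                                  # constructed ban_users.db content
GRID_MAPFILE = [(ROBOT + "/CN=user:johndoe", "nobody"),                  # localaccount-style entry
                (ROBOT + "/CN=user:*", ".robotpool")]                    # poolaccount-style entry

def pusp_dn(chain):
    """chain: DNs from the EEC outward. Return the first proxy DN, or None if not a PUSP."""
    if len(chain) < 2 or "/OU=Robot/" not in chain[0]:  # assumption: robot EEC carries OU=Robot
        return None
    if not chain[1].startswith(chain[0] + "/CN="):      # first proxy must be a delegation of the EEC
        return None
    return chain[1]
def lookup(dn, mapfile):
    """First matching grid-mapfile entry; a trailing '*' is treated as a glob (assumption)."""
    for pattern, account in mapfile:
        if fnmatch.fnmatchcase(dn, pattern):
            return account
    return None
def lease_pool_account(dn, pool, gridmapdir):
    """Simplified gridmapdir scheme: a hard link named after the URL-encoded DN pins one account."""
    lease = os.path.join(gridmapdir, quote(dn, safe=""))
    accounts = sorted(n for n in os.listdir(gridmapdir) if n.startswith(pool))
    if os.path.exists(lease):                            # existing lease: same account again
        ino = os.stat(lease).st_ino
        return next(n for n in accounts if os.stat(os.path.join(gridmapdir, n)).st_ino == ino)
    for name in accounts:                                # otherwise take the first free account
        path = os.path.join(gridmapdir, name)
        if os.stat(path).st_nlink == 1:                  # nlink 1 means no lease points at it yet
            os.link(path, lease)
            return name
    return None                                          # pool exhausted
def map_chain(chain, gridmapdir):
    """Ban check on EEC and PUSP DN, then map: the order of the page's policies."""
    dn = pusp_dn(chain)
    if dn is None or chain[0] in BAN_LIST or dn in BAN_LIST:
        return None
    account = lookup(dn, GRID_MAPFILE)
    if account and account.startswith("."):              # '.name' denotes a pool, as in '.robotpool'
        return lease_pool_account(dn, account[1:], gridmapdir)
    return account
def make_sample_gridmapdir(n=2):
    """Throwaway gridmapdir holding robotpool001..robotpool00n (constructed test data)."""
    d = tempfile.mkdtemp()
    for i in range(1, n + 1): open(os.path.join(d, "robotpool%03d" % i), "w").close()
    return d
```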

Further reading

General information on gLExec and LCMAPS can be found on the gLExec wiki pages.

man pages

Each plugin comes with its own man page. Online versions can be found here: