Difference between revisions of "Lcmaps-plugins-robot"
(Initial wiki page for Robot plugins.) |
(Extra information on usage: grid-mapfile/dir example entries) |
||
Line 10: | Line 10: | ||
<pre> | <pre> | ||
+ | # Specify directory where LCMAPS modules are installed | ||
path = /usr/lib64/lcmaps | path = /usr/lib64/lcmaps | ||
− | # | + | # Module definitions |
verify_proxy = "lcmaps_verify_proxy.mod" | verify_proxy = "lcmaps_verify_proxy.mod" | ||
" -certdir /etc/grid-security/certificates/" | " -certdir /etc/grid-security/certificates/" | ||
Line 21: | Line 22: | ||
"-banmapfile /etc/grid-security/ban_users.db" | "-banmapfile /etc/grid-security/ban_users.db" | ||
− | # | + | # Per-User Sub-Proxy banning module |
robot_ban_dn = "lcmaps_robot_ban_dn.mod" | robot_ban_dn = "lcmaps_robot_ban_dn.mod" | ||
"-banmapfile /etc/grid-security/ban_users.db" | "-banmapfile /etc/grid-security/ban_users.db" | ||
+ | # Per-User Sub-Proxy DN to localaccount mapping | ||
robot_local = "lcmaps_robot_localaccount.mod" | robot_local = "lcmaps_robot_localaccount.mod" | ||
"-gridmapfile /etc/grid-security/grid-mapfile" | "-gridmapfile /etc/grid-security/grid-mapfile" | ||
+ | # Per-User Sub-Proxy DN to poolaccount mapping | ||
robot_pool = "lcmaps_robot_poolaccount.mod" | robot_pool = "lcmaps_robot_poolaccount.mod" | ||
"-gridmapfile /etc/grid-security/grid-mapfile" | "-gridmapfile /etc/grid-security/grid-mapfile" | ||
Line 44: | Line 47: | ||
verify_proxy -> robot_local | verify_proxy -> robot_local | ||
</pre> | </pre> | ||
+ | |||
+ | For the localaccount plugin, the <tt>grid-mapfile</tt> should contain entries such as | ||
+ | "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:johndoe" nobody | ||
+ | "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:janedoe" anybody | ||
+ | while for the poolaccount plugin, it should typically contain entries such as | ||
+ | "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:*" .robotpool | ||
+ | and the gridmapdir should then be populated with names of LDAP or localaccounts | ||
+ | robotpool001 | ||
+ | robotpool002 | ||
+ | ... | ||
+ | |||
In combination with [[gLExec]], this would allow to do user-switching based on individual Per-User Sub-Proxy DNs. | In combination with [[gLExec]], this would allow to do user-switching based on individual Per-User Sub-Proxy DNs. |
Revision as of 10:31, 13 February 2015
Introduction
The LCMAPS-plugins-robot package has been developed for EGIs Long Tail of Science pilot project. Unlike the normal LCMAPS plugins, it uses a so-called Per-User Sub-Proxy (PUSP) as input. These proxies are RFC3820 compliant proxy delegations from robot certificates, containing (anonymised) identifying information about the actual user in the added proxy CN field, they are typically generated inside a webportal for users logging in via a SSO system. Hence the different LCMAPS-plugins-robot modules use the first proxy DN instead of the EEC DN for their mapping or banning decisions. The plugin treats the proxy as a valid PUSP if it satisfies:
- the proxy is a valid RFC3820 proxy
- its EEC is a robot-type certificate:
- it either contains the robot OID 1.2.840.113612.5.2.3.3.1
- or its DN matches the regular expression ".*/CN=[rR]obot[^[:alnum:]]+" according to section 3 in https://www.eugridpma.org/guidelines/robot/
Usage
An typical example lcmaps.db showing the different plugins plus two policies, one for pool-account based mappings, the other for local-account based mappings:
# Specify directory where LCMAPS modules are installed path = /usr/lib64/lcmaps # Module definitions verify_proxy = "lcmaps_verify_proxy.mod" " -certdir /etc/grid-security/certificates/" " --allow-limited-proxy" # Normal banning module: e.g. for robot EEC ban_dn = "lcmaps_ban_dn.mod" "-banmapfile /etc/grid-security/ban_users.db" # Per-User Sub-Proxy banning module robot_ban_dn = "lcmaps_robot_ban_dn.mod" "-banmapfile /etc/grid-security/ban_users.db" # Per-User Sub-Proxy DN to localaccount mapping robot_local = "lcmaps_robot_localaccount.mod" "-gridmapfile /etc/grid-security/grid-mapfile" # Per-User Sub-Proxy DN to poolaccount mapping robot_pool = "lcmaps_robot_poolaccount.mod" "-gridmapfile /etc/grid-security/grid-mapfile" "-gridmapdir /etc/grid-security/gridmapdir/" # Different policies pool_mapping: ban_dn -> robot_ban_dn robot_ban_dn -> verify_proxy verify_proxy -> robot_pool local_mapping: ban_dn -> robot_ban_dn robot_ban_dn -> verify_proxy verify_proxy -> robot_local
For the localaccount plugin, the grid-mapfile should contain entries such as
"/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:johndoe" nobody "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:janedoe" anybody
while for the poolaccount plugin, it should typically contain entries such as
"/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:*" .robotpool
and the gridmapdir should then be populated with names of LDAP or localaccounts
robotpool001 robotpool002 ...
In combination with gLExec, this would allow to do user-switching based on individual Per-User Sub-Proxy DNs.
Further reading
General information on gLExec and LCMAPS can be found on the gLExec wiki pages.
man pages
Each plugin comes with its own man page. Online version can be found here: