Difference between revisions of "Security middleware deployment planning"
From PDP/Grid Wiki
Jump to navigationJump to searchm (deployment plan) |
m |
||
Line 3: | Line 3: | ||
Deciding which security middleware to deploy at your site depends on the | Deciding which security middleware to deploy at your site depends on the | ||
scenario you need to implement. | scenario you need to implement. | ||
+ | |||
+ | * Is your site part of the EGEE/EGI grid? | ||
+ | * Do you use YAIM (and nothing else) to configure your site? | ||
+ | * Do you let YAIM create user accounts on every node? | ||
+ | * Do you need to install gLExec on WN? | ||
+ | |||
+ | If the answer to all of the above is '''yes''', then you are advised to install | ||
+ | Argus as a central authorization service, and to configure YAIM with Argus. | ||
− | |||
− | |||
− | |||
If you want to set up gLExec on Worker Nodes, you need to install Argus. | If you want to set up gLExec on Worker Nodes, you need to install Argus. | ||
Line 14: | Line 19: | ||
; user authorization | ; user authorization | ||
: who is allowed | : who is allowed | ||
− | |||
− | |||
− | |||
Summary: normally you should install Argus for central authorization and mapping, but a few special cases apply. Alternatively, SCAS may be used. | Summary: normally you should install Argus for central authorization and mapping, but a few special cases apply. Alternatively, SCAS may be used. |
Revision as of 09:16, 23 April 2010
Deployment planning
Deciding which security middleware to deploy at your site depends on the scenario you need to implement.
- Is your site part of the EGEE/EGI grid?
- Do you use YAIM (and nothing else) to configure your site?
- Do you let YAIM create user accounts on every node?
- Do you need to install gLExec on WN?
If the answer to all of the above is yes, then you are advised to install Argus as a central authorization service, and to configure YAIM with Argus.
If you want to set up gLExec on Worker Nodes, you need to install Argus.
- user authorization
- who is allowed
Summary: normally you should install Argus for central authorization and mapping, but a few special cases apply. Alternatively, SCAS may be used.
See if any of the following statements apply.
- I would like to do policy management, user mapping and user banning all from one place
- The default choice is to set up Argus[1], and configure your resources to use it (see below).
- I use dynamic secondary group mappings which require LDAP updates
- In this case, you need to use the LDAP enforcement plugin for LCMAPS. This cannot be used in conjunction with Argus; use SCAS as the default alternative.
- My cluster is set up to do local mappings to match users to job slots
- This is a special case, which can be handled by setting up LCMAPS without a central authorization service (i.e. node-local).
- I'm using 3rd party plugins for LCMAPS
- We can't say in general if a plugin will or will not work with either Argus or SCAS in this case. You should try Argus first, SCAS next, and node-local setups finally.
- I've tried Argus and it didn't work; now what?
- Open a support ticket in GGUS[2] for Argus and get it fixed. In the meantime, try to use SCAS as an alternative.
- I don't want/need central policy management, mapping or banning
- You should set up LCMAPS independently per resource, possibly with a shared NFS gridmapdir to keep consistency between mappings.