Lcmaps-plugins-robot
Introduction
The LCMAPS-plugins-robot package has been developed for EGIs Long Tail of Science pilot project. Unlike the normal LCMAPS plugins, it uses a so-called Per-User Sub-Proxy (PUSP) as input. These proxies are RFC3820 compliant proxy delegations from robot certificates, containing (anonymised) identifying information about the actual user in the added proxy CN field, they are typically generated inside a webportal for users logging in via a SSO system. Hence the different LCMAPS-plugins-robot modules use the first proxy DN instead of the End Entity Certificate (EEC) DN for their mapping or banning decisions. The plugin treats the proxy as a valid PUSP if it satisfies:
- the proxy is a valid RFC3820 proxy
- its EEC is a robot-type certificate:
- it either contains the robot OID 1.2.840.113612.5.2.3.3.1
- or its DN matches the regular expression "/CN=[rR]obot[^/[:alnum:]]" according to section 3 in https://www.eugridpma.org/guidelines/robot/
Usage
LCMAPS db file
A typical example lcmaps.db showing the different plugins plus two policies, one for pool-account based mappings, the other for local-account based mappings:
# Specify directory where LCMAPS modules are installed
path = /usr/lib64/lcmaps
# Module definitions
verify_proxy = "lcmaps_verify_proxy.mod"
" -certdir /etc/grid-security/certificates/"
" --allow-limited-proxy" # REMOVE FOR CREAM-CE !
# Normal banning module: e.g. for robot EEC
ban_dn = "lcmaps_ban_dn.mod"
"-banmapfile /etc/grid-security/ban_users.db"
# Per-User Sub-Proxy banning module
robot_ban_dn = "lcmaps_robot_ban_dn.mod"
"-banmapfile /etc/grid-security/ban_users.db"
# Per-User Sub-Proxy DN to localaccount mapping
robot_local = "lcmaps_robot_localaccount.mod"
"-gridmapfile /etc/grid-security/grid-mapfile"
# Per-User Sub-Proxy DN to poolaccount mapping
robot_pool = "lcmaps_robot_poolaccount.mod"
"-gridmapfile /etc/grid-security/grid-mapfile"
"-gridmapdir /etc/grid-security/gridmapdir/"
# Different policies
pool_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> verify_proxy
verify_proxy -> robot_pool
local_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> verify_proxy
verify_proxy -> robot_local
In combination with gLExec, such an LCMAPS configuration would allow to do user-switching based on individual Per-User Sub-Proxy DNs.
mapfiles and mapdir
For the localaccount plugin, the grid-mapfile should contain entries such as
"/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:johndoe" nobody "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:janedoe" anybody
while for the poolaccount plugin, it should typically contain entries such as
"/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:*" .robotpool
and the gridmapdir should then be populated with names of LDAP- and/or local-accounts by creating empty files with their names:
robotpool001 robotpool002 ...
The ban-mapfile (ban_users.db in the example DB file) could contain all kinds of different DNs and can be the same for the 'normal' lcmaps_ban_dn and the 'special' lcmaps_robot_ban_dn modules. For example, to ban both the robot certificate itself and the user janedoe, one would have
"/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin" "/DC=org/DC=terena/DC=tcs/O=Nikhef/OU=Robot/CN=Robot - Marvin/CN=user:janedoe"
where the 'normal' plugin would trigger on the first, and the robot plugin on the second.
Further reading
General information on gLExec and LCMAPS can be found on the gLExec wiki pages.
man pages
Each plugin comes with its own man page. Online version can be found here:
Software
The current version is 0.0.3-1
- lcmaps-plugins-robot release tar-balls
- Nikhef RPMs lcmaps-plugins-robot are currently in testing repo.
- lcmaps-plugins-robot Debian packages
