How to ban users with quattor
Unfortunately, there is no universal method to ban grid users from using gLite services. Enter Quattor, and via a single list of banned users we can manage the ban lists on the various node types.
How to add a user to the ban list?
The template $L/cfg/sites/ndpf/site/banlist.tpl define a Pan variable GLOBAL_BANNED_USER_LIST, which is a list() containing the certificate DNs that should be banned. Adding a user to this list is simply a matter of adding one line with the DN (enclosed in double quotes and a comma after the second quote):
variable GLOBAL_BANNED_USER_LIST ?= list( "/O=banned users/O=grid/CN=Evil User", # this is a comment line # use comments to relate the banned user DN to a date and reason "/O=some other org/O=whatever/CN=Compromised Account", );
Don't forget to give the date and reason for banning the user!
Implementation
Services that support user banning can define a variable BANNED_USER_CONFIG which points to a template that implements the formatting of the appropriate files (see "Background Information" below). These files process the data from GLOBAL_BANNED_USER_LIST and put it in the expected format.
Currently implemented methods:
- lcas, used by the lcg-CE. Implementation in template
$L/cfg/grid/common/security/user-banning/lcas.tpl
- gridmap, used by the DPM server and disk. Implementation in template
$L/cfg/grid/common/security/user-banning/gridmap.tpl
- gacl, used by the WMS. Implementation in template
$L/cfg/grid/common/security/user-banning/gacl.tpl
Background Information
Below is the summary of services and the method of banning:
- lcg-CE, classic-SE: the banned user DNs need to be stored in /opt/edg/etc/lcas/ban_users.db and /opt/glite/etc/lcas/ban_users.db.
- WMS: the banned used DNs have to be present in the file /opt/glite/etc/glite_wms_wmproxy.gacl.
- DPM: the banned user DNs need to be mapped to a non-existing Unix account in /opt/lcg/etc/lcgdm-mapfile-local.
- CreamCE: to be investigated
- MyProxy (PX): To be completed