Security middleware deployment planning
From PDP/Grid Wiki
Revision as of 09:16, 23 April 2010 by Dennisvd@nikhef.nl (talk | contribs)
Deciding which security middleware to deploy at your site depends on the scenario you need to implement.
- Is your site part of the EGEE/EGI grid?
- Do you use YAIM (and nothing else) to configure your site?
- Do you let YAIM create user accounts on every node?
- Do you need to install gLExec on WN?
If the answer to all of the above is yes, then you are advised to install Argus as a central authorization service, and to configure YAIM with Argus.
If you want to set up gLExec on Worker Nodes, you need to install Argus.
- user authorization
- who is allowed
Summary: normally you should install Argus for central authorization and mapping, but a few special cases apply. Alternatively, SCAS may be used.
See if any of the following statements apply.
- I would like to do policy management, user mapping and user banning all from one place
- The default choice is to set up Argus[1], and configure your resources to use it (see below).
- I use dynamic secondary group mappings which require LDAP updates
- In this case, you need to use the LDAP enforcement plugin for LCMAPS. This cannot be used in conjunction with Argus; use SCAS as the default alternative.
- My cluster is set up to do local mappings to match users to job slots
- This is a special case, which can be handled by setting up LCMAPS without a central authorization service (i.e. node-local).
- I'm using 3rd party plugins for LCMAPS
- We can't say in general if a plugin will or will not work with either Argus or SCAS in this case. You should try Argus first, SCAS next, and node-local setups finally.
- I've tried Argus and it didn't work; now what?
- Open a support ticket in GGUS[2] for Argus and get it fixed. In the meantime, try to use SCAS as an alternative.
- I don't want/need central policy management, mapping or banning
- You should set up LCMAPS independently per resource, possibly with a shared NFS gridmapdir to keep consistency between mappings.
