Security middleware deployment planning
From PDP/Grid Wiki
Revision as of 14:36, 23 April 2010 by Dennisvd@nikhef.nl (talk | contribs)
TODO TODO TODO Don't read this!!!
Deciding which security middleware to deploy at your site depends on the scenario you need to implement.
gLExec on worker nodes
The gLExec on worker node scenario has been heavily discussed and debated (TODO: insert link here) in the context of Multi-user pilot jobs. In order to help you set this up on your site, check if the following statements apply.
- My site is part of the EGEE/EGI grid
- I use YAIM to manage all my nodes
- I let YAIM create all my user accounts (variable: CONFIG_USERS=yes)
If all statements apply, install Argus and let GLEXEC_wn use that. But be aware of the following
- Is your site part of the EGEE/EGI grid?
Sites part of EGEE/EGI
YAIM managed sites
YAIM user management
Summary: normally you should install Argus for central authorization and mapping, but a few special cases apply. Alternatively, SCAS may be used.
See if any of the following statements apply.
- I would like to do policy management, user mapping and user banning all from one place
- The default choice is to set up Argus[1], and configure your resources to use it (see below).
- I use dynamic secondary group mappings which require LDAP updates
- In this case, you need to use the LDAP enforcement plugin for LCMAPS. This cannot be used in conjunction with Argus; use SCAS as the default alternative.
- My cluster is set up to do local mappings to match users to job slots
- This is a special case, which can be handled by setting up LCMAPS without a central authorization service (i.e. node-local).
- I'm using 3rd party plugins for LCMAPS
- We can't say in general if a plugin will or will not work with either Argus or SCAS in this case. You should try Argus first, SCAS next, and node-local setups finally.
- I've tried Argus and it didn't work; now what?
- Open a support ticket in GGUS[2] for Argus and get it fixed. In the meantime, try to use SCAS as an alternative.
- I don't want/need central policy management, mapping or banning
- You should set up LCMAPS independently per resource, possibly with a shared NFS gridmapdir to keep consistency between mappings.