EMI-1 gLExec release test report

From PDP/Grid Wiki
Jump to navigationJump to search

This test plan is following the EMI SA2 template.

gLExec Test Plan

Service Description

gLExec is a program that acts as a light-weight 'gatekeeper'. gLExec takes Grid credentials as input. gLExec takes the local site policy into account to authenticate and authorize the credentials. gLExec will switch to a new execution sandbox and execute the given command as the switched identity. gLExec is also capable of functioning as a light-weight control point which offers a binary yes/no result called the logging-only mode.

More information on gLExec.

Yum Installation

To install gLExec configure the YUM-based EPEL repository and the YUM repository which hold our the EMI packages. In addition a CA distribution, like that of the [htts://www.igtf.net IGTF] or your own homebrew local CAs need to be installed. The IGTF distribution can also be done through a YUM-based repository, including the FetchCRL3 utility to refresh the CA CRLs.

GLExec depends directly on:

  • LCAS
  • LCMAPS
  • (g)libc

GLExec therefore inherits dependencies on:

  • VOMS, in particular the voms-api
  • Globus libraries
  • OpenSSL

GLExec requires LCMAPS plugins to be installed and optionally also LCAS plugins. Expected (inherited) dependencies are:

  • GridSite
  • Arguc PEP C

Install gLExec by performing: yum install emi-glexec_wn This will install the meta package emi-glexec_wn-1.0.0-1.sl5 which will pull in the following packages:

  • glexec
  • glexec-wrapper-scripts
  • mkgltempdir
  • lcas
  • lcas-plugins-basic
  • lcas-plugins-check-executable
  • lcas-plugins-voms
  • lcmaps
  • lcmaps-plugins-basic
  • lcmaps-plugins-c-pep
  • lcmaps-plugins-scas-client
  • lcmaps-plugins-tracking-groupid
  • lcmaps-plugins-verify-proxy
  • lcmaps-plugins-voms
  • saml2-xacml2-c-lib

And our required dependencies:

  • argus-pep-api-c
  • edg-mkgridmap
  • emi-version
  • emi.sac.GLEXEC_wn
  • glite-yaim-core
  • gridsite-shared
  • voms
  • yaim-glexec-wn

This is the first release of gLExec, LCAS, LCMAPS, and the LCMAPS-plugins-C-PEP in EMI. There is nothing to upgrade from.

System tests

Test setup

First we install and setup the system for testing. This means to prepare the system taking a clean CentOS 5 or Scientific Linux 5 machine as a baseline.

yum install emi-glexec_wn
yum install ca_policy_igtf-classic ca_policy_igtf-mics ca_policy_igtf-slcs fetch-crl3
ntpdate ntp.xs4all.nl
fetch-crl3 

The base installation is now done. Moving forward to more system specific steps:

chmod 4111 /usr/sbin/glexec
useradd glexec

Populate a useable VOMSDIR with .lsc files:

scp -r okoeroo@span:vomsdir/vomsdir/* /etc/grid-security/vomsdir/


Test setup (manual test)

gLExec preparation

The installation default of the /etc/glexec.conf file will work fine, but you'll need to whitelist yourself to authorize your account to use gLExec.

Whitelist yourself in the /etc/glexec.conf:

user_white_list              = okoeroo

LCAS preparation

Configure gLExec to use LCAS and to use the specified lcas.db. Here is a glexec.conf snippet:

use_lcas                     = yes
lcas_db_file                 = /etc/lcas/lcas-testing.db
lcas_log_file                = /var/log/glexec/lcas_lcmaps.log
lcas_debug_level             = 5

The /etc/lcas/lcas-testing.db would then look like:

# LCAS policy file/plugin definition
pluginname=/usr/lib64/modules/lcas_userban.mod,pluginargs=/etc/lcas/userban.db

Touch the file /etc/lcas/userban.db, otherwise the LCAS UserBan module will fail on the inability to read the userban.db file.

LCMAPS preparation

lcmaps_db_file               = /etc/lcmaps/lcmaps-testing.db
lcmaps_get_account_policy    = test_policy
lcmaps_log_file              = /var/log/glexec/lcas_lcmaps.log
lcmaps_debug_level           = 5

The /etc/lcmaps/lcmaps-testing.db would then look like:

# LCMAPS policy file/plugin definition
# default path for the modules
path = /usr/lib64/modules/
# Plugin definitions:
good             = "lcmaps_dummy_good.mod"
                   " --dummy-username nobody"
                   " --dummy-group nobody"
                   " --dummy-sec-group nobody"
posix_enf        = "lcmaps_posix_enf.mod"
                   " -maxuid 1"
                   " -maxpgid 1"
                   " -maxsgid 32"
verifyproxy = "lcmaps_verify_proxy.mod"
              " -certdir /etc/grid-security/certificates"
# Policies:
test_policy:
verifyproxy -> good
good -> posix_enf 

Basic functionality tests (manual)

Have proxy certificate on the test system, here located at $HOME/mkproxy-x509-voms. Using the following gLExec script to activate gLExec with your own user certificate:

#!/bin/sh

GLEXEC_BIN="/usr/sbin/glexec"
if [ ! -f ${GLEXEC_BIN} ]; then
    GLEXEC_BIN="${GLEXEC_LOCATION}/sbin/glexec"
    if [ ! -f ${GLEXEC_BIN} ]; then
        echo "No glexec found"
        exit 1
    fi
fi

if [ "${X509_USER_PROXY}" = "" ]; then
    export X509_USER_PROXY=$HOME/mkproxy-x509-voms
fi

export GLEXEC_CLIENT_CERT=${X509_USER_PROXY}
export GLEXEC_SOURCE_PROXY=${X509_USER_PROXY}

#echo "------------"
cmd="${GLEXEC_BIN} /usr/bin/id -a"

$cmd
echo $?
exit 0

Run the test script and the following result is expected:

[okoeroo@localhost ~]$ ./test-glexec.sh 
uid=99(nobody) gid=99(nobody) groups=99(nobody)
0

Test setup (automated)

Download the gLExec (and LCAS/LCMAPS) compound test script. The SVN revision number 15284 of the compound test script was used.


WARNING: The script will rewrite the glexec.conf file multiple times to test all possible permutations of the configuration file. Also the LCAS and LCMAPS configuration files will be rewritten (in lcas-testing.db and lcmaps-testing.db files) to work.


Edit the script to configure it. Here is what was used for this certification:

#################
# Setup options #
#################
CONTINUEONERROR=no

TEST_ACCOUNT="okoeroo"

GLEXEC_EXEC="/usr/sbin/glexec"
GLEXEC_OWNERSHIP_SETUID="root.root"
GLEXEC_FILE_PERM_SETUID="6555"
GLEXEC_OWNERSHIP_NON_SETUID="root.root"
GLEXEC_FILE_PERM_NON_SETUID="0555"

CONF_OWNERSHIP_SETUID="glexec.glexec"
CONF_FILE_PERM_SETUID="0440"
CONF_OWNERSHIP_NON_SETUID="root.root"
CONF_FILE_PERM_NON_SETUID="0444"

test_glexec_conf="/etc/glexec.conf"
test_lcas_db="/etc/lcas/lcas-testing.db"
test_lcas_db_path="/usr/lib64/modules/"
test_lcas_log_file="/var/log/glexec/lcas_lcmaps.log"
test_lcas_userban_file="/etc/lcas/userban.db"
test_lcas_debug_level="0"

test_lcmaps_db="/etc/lcmaps/lcmaps-testing.db"
test_lcmaps_db_path="/usr/lib64/modules/"
test_lcmaps_log_file="/var/log/glexec/lcas_lcmaps.log"
test_lcmaps_debug_level="0"

priv_sep_file="/tmp/glexec_priv_sep_test.sh"
CAPATH="/etc/grid-security/certificates"
SCAS_ENDPOINT="https://graszaad.nikhef.nl:8443"
PEPD_ENDPOINT="https://argus.testbed:8154/authz"
GLEXEC_TEST_GRID_MAPFILE="/tmp/glexec-test-grid-mapfile"

LOCALACCOUNT_TEST_MAP_USER="$TEST_ACCOUNT"
#LOCALACCOUNT_TEST_MAP_USER="pool001"
POOLACCOUNT_TEST_MAP_USER=".pool"

### Test selection ###
USE_SCAS="yes"
USE_SCAS=""

#################
# Setup proxies #
#################
CLIENT_CERT="/home/okoeroo/mkproxy-x509-voms"
USER_PROXY="$CLIENT_CERT"
SOURCE_PROXY="$CLIENT_CERT"
TARGET_PROXY="/tmp/target_proxy"

Basic functionality tests (automated)

Execute the script as root.

sh glexec-lcas-lcmaps-compound-test.sh

Output:

http://www.nikhef.nl/grid/ndpf/files/EMI_1_SAC_documentation/certification_output/glexec-lcas-lcmaps-compound-test.28-april-2011.out

Regression tests