GLExec Argus Quick Installation Guide

From PDP/Grid Wiki
 
Latest revision as of 13:55, 9 July 2013

Introduction

gLExec is a program to make the required mapping between the grid world and the Unix notion of users and groups, and has the capacity to enforce that mapping by modifying the uid and gids of running processes. Based on LCAS and LCMAPS, it can both act as a light-weight 'gatekeeper' replacement, and even be used on the worker node in late-binding (pilot job) scenarios.

gLExec uses the LCMAPS framework to abstract the different implementations and techniques, which are provided through specialized plug-ins. The plug-ins do the actual work (e.g. checking the credentials, or procuring an account either locally or through a central authorization service such as Argus).

For the list of valid options of the LCMAPS C PEP plugin (the LCMAPS Argus callout plugin), see LCMAPS C PEP plugin.

Package installation

  1. Enable the correct UMD or EMI repository and the EPEL repository.
  2. Install the correct CA distribution
  3. Install and run the fetch-crl utility.
  4. Install either the emi-glexec_wn metapackage or do a manual yum install of the following list of packages:
     glexec
     lcmaps
     lcmaps-plugins-basic
     lcmaps-plugins-c-pep
     lcmaps-plugins-tracking-groupid
     lcmaps-plugins-verify-proxy
     lcmaps-plugins-voms

    Optionally, you can also install LCAS:

     lcas
     lcas-plugins-basic
     lcas-plugins-check-executable
     lcas-plugins-voms
    

    the gLExec wrapper scripts:

     glexec-wrapper-scripts

    the MkGlTempDir utility:

     mkgltempdir

    the gLExec nagios plugin:

     nagios-plugins-emi.glexec

    and the YAIM configuration module for the gLExec workernode:

     yaim-glexec-wn
  5. Create UNIX user and group glexec if they haven't been created yet (gLExec versions ≥ 0.9 automatically create them). E.g.:
     groupadd -r glexec
     useradd -r -g glexec -d / -s /sbin/nologin -c "gLExec user account to be used with /usr/sbin/glexec" glexec
    

Manual configuration

As a minimum, the gLExec and LCMAPS configuration files need to be set up. For use with Argus, something along the lines of the following gLExec and LCMAPS configuration files suffices:

/etc/glexec.conf

#  Glexec configuration file
#
[glexec]
user_white_list              = batman, superman, .woman
log_level                    = 3
#log_destination              = file
#log_file                     = /var/log/glexec/glexec.log

lcmaps_db_file               = /etc/lcmaps/lcmaps-glexec.db
lcmaps_debug_level           = 3
#lcmaps_log_file              = /var/log/glexec/lcas_lcmaps.log
lcmaps_get_account_policy    = glexec_get_account

#use_lcas                     = no
#lcas_db_file                 = /etc/lcas/lcas-glexec.db
#lcas_debug_level             = 0

Edit at least the user whitelist. See the gLExec man pages for full information on all the configuration options.

Make sure the glexec.conf file is writable only by user root and/or glexec. In the preferred (setuid) switching mode, the recommended ownership and permissions of the glexec binary and its configuration file are:

-rws--x--x   1   root   root   12345   2010-02-29  12:34   /usr/sbin/glexec
-r--------   1   glexec root     123   2010-02-29  12:34   /etc/glexec.conf

i.e. run

chown root.root /usr/sbin/glexec
chmod 4711 /usr/sbin/glexec
chown glexec.root /etc/glexec.conf
chmod 400 /etc/glexec.conf
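To confirm that a host actually has the layout above, here is an added example (not part of the wiki page or of gLExec itself) of a small POSIX shell script that checks owner, group and mode of the binary and the configuration file with GNU stat; the paths default to /usr/sbin/glexec and /etc/glexec.conf from the listing, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify that the glexec binary and
# its configuration file carry the ownership and permissions the guide
# recommends for setuid mode: root:root 4711 for /usr/sbin/glexec and
# glexec:root 400 for /etc/glexec.conf.
# Assumes GNU stat (Linux): "%U %G %a" prints owner, group and octal mode.

# writable_by_others MODE
# Returns 0 when the octal mode string has a group or world write bit set.
writable_by_others() {
    case "$1" in
        *[2367] | *[2367]?) return 0 ;;
    esac
    return 1
}

# check_file_perms PATH OWNER GROUP MODE
# Prints one diagnostic per mismatch; returns 0 only when everything matches.
check_file_perms() {
    path=$1; want_owner=$2; want_group=$3; want_mode=$4
    if [ ! -e "$path" ]; then
        echo "$path: does not exist"
        return 1
    fi
    set -- $(stat -c '%U %G %a' "$path")
    status=0
    [ "$1" = "$want_owner" ] || { echo "$path: owner is $1, expected $want_owner"; status=1; }
    [ "$2" = "$want_group" ] || { echo "$path: group is $2, expected $want_group"; status=1; }
    [ "$3" = "$want_mode" ]  || { echo "$path: mode is $3, expected $want_mode"; status=1; }
    # Even if a site deliberately uses another mode, group/world write on
    # these files is never acceptable.
    if writable_by_others "$3"; then
        echo "$path: group- or world-writable ($3)"
        status=1
    fi
    return $status
}

# check_glexec_install [BINARY] [CONFIG]
# Applies the layout from the guide; paths default to the ones in the text.
check_glexec_install() {
    failed=0
    check_file_perms "${1:-/usr/sbin/glexec}" root   root 4711 || failed=1
    check_file_perms "${2:-/etc/glexec.conf}" glexec root 400  || failed=1
    return $failed
}

# Run the check only when invoked as "sh glexec-perms.sh --check", so the
# functions can also be sourced from other scripts.
if [ "${1:-}" = "--check" ]; then
    check_glexec_install && echo "glexec installation permissions OK"
fi
```

Run it as root (or any user; reading the metadata needs no privileges) with `sh glexec-perms.sh --check`; a non-zero exit status means at least one of the two files deviates from the recommended layout, and the printed lines say which attribute is wrong.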

/etc/lcmaps/lcmaps-glexec.db for use with the Argus Authorization Service

# LCMAPS config file for glexec
#

# where to look for modules
path = /usr/lib64/lcmaps

# module definitions
verify_proxy = "lcmaps_verify_proxy.mod" 
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"

pepc        = "lcmaps_c_pep.mod"
              "--pep-daemon-endpoint-url https://argus.example.org:8154/authz"
              " -resourceid http://authz-interop.org/xacml/resource/resource-type/wn"
              " -actionid http://glite.org/xacml/action/execute"
              " -capath /etc/grid-security/certificates/"
              " -pep-certificate-mode implicit"
              " --use-pilot-proxy-as-cafile" # Add this on RHEL 6 based systems

glexec_get_account:
verify_proxy -> pepc

Edit at least:

  1. the pep-daemon-endpoint-url, to point to the correct Argus PEPd server.
  2. the resourceid to match a resource in the active policy of the Argus PAP service (run pap-admin lp on the Argus server to check).
  3. the actionid to match the action of the resource in the active policy of the Argus PAP service mentioned under item 2.
  4. add or remove the --use-pilot-proxy-as-cafile option depending on the platform (it is required on RedHat 6 based systems running EMI-2, see the NOTE under Configuration using YAIM).

/etc/lcas/lcas.db

In case LCAS is used for e.g. user banning, one can use the following simple /etc/lcas/lcas.db file:

# LCAS policy file/plugin definition
# Written by: Oscar Koeroo - okoeroo * at * nikhef * dot * nl
pluginname=lcas_userban.mod,pluginargs=/etc/lcas/ban_users.db

Make sure to create an (empty) ban_users.db file:

touch /etc/lcas/ban_users.db

Configuration using YAIM

GLExec can be configured using YAIM, see the YAIM guide for details on using YAIM. Typically a gLExec-with-Argus installation needs to set the following variables:

# Change this to the correct endpoint
ARGUS_PEPD_ENDPOINTS="https://argus.example.org:8154/authz"
# Change this to the correct resource field in the PAP policy
GLEXEC_WN_PEPC_RESOURCEID="http://authz-interop.org/xacml/resource/resource-type/wn"
# Change this to the correct action in the PAP policy
GLEXEC_WN_PEPC_ACTIONID="http://glite.org/xacml/action/execute"

GLEXEC_WN_ARGUS_ENABLED=yes
GLEXEC_WN_SCAS_ENABLED="no"

# Change this to the list of users that may run gLExec 
GLEXEC_EXTRA_WHITELIST="superman, batman, .atlp"

GLEXEC_WN_OPMODE="setuid"
GLEXEC_WN_USE_LCAS="no"
#GLEXEC_WN_LCAS_DEBUG_LEVEL="0"

GLEXEC_WN_LOG_LEVEL=3
GLEXEC_WN_LCMAPS_DEBUG_LEVEL=3
GLEXEC_WN_LOG_DESTINATION=syslog
#GLEXEC_WN_LOG_DESTINATION=file
#GLEXEC_WN_LOG_FILE=/var/log/glexec/glexec.log
#GLEXEC_WN_LCASLCMAPS_LOG=/var/log/glexec/lcas_lcmaps.log

GLEXEC_WN_INPUT_LOCK=flock
GLEXEC_WN_TARGET_LOCK=flock

For further details on the different options see https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#GLEXEC_wn.

NOTE: on RedHat 6 based systems running EMI-2, one needs to add, by hand, the option --use-pilot-proxy-as-cafile to the pepc section in the lcmaps-glexec.db file. See the /etc/lcmaps/lcmaps-glexec.db file in the Manual configuration section above.
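Whether the db file is written by hand or produced by YAIM from the variables above, the following added example (not from the wiki page or the gLExec project) parses the pepc module definition of an lcmaps-glexec.db, compares the endpoint, resource id and action id with the values you intended (the same three values that ARGUS_PEPD_ENDPOINTS, GLEXEC_WN_PEPC_RESOURCEID and GLEXEC_WN_PEPC_ACTIONID carry in YAIM) and, on a RedHat 6 based host, reports a missing --use-pilot-proxy-as-cafile. The function names are mine; it assumes awk and grep -E are available and that the file follows the layout shown in the Manual configuration section.

```shell
#!/bin/sh
# Added example (not from the wiki page): check the "pepc" module definition
# in an lcmaps-glexec.db against the endpoint, resource id and action id you
# intend to configure (by hand, or via ARGUS_PEPD_ENDPOINTS,
# GLEXEC_WN_PEPC_RESOURCEID and GLEXEC_WN_PEPC_ACTIONID in YAIM), and flag a
# missing --use-pilot-proxy-as-cafile on RedHat 6 based hosts.
# Assumes awk and grep -E; the db layout is the one shown in the guide.

# pepc_options DBFILE
# LCMAPS continues a module definition with quoted strings on the following
# lines, up to a blank line. Join those fragments into one line, dropping the
# quotes and any trailing "# ..." comment (this would also cut a value that
# contains "#", which none of the documented options do).
pepc_options() {
    awk '
        /^[[:space:]]*pepc[[:space:]]*=/ { inpepc = 1 }
        inpepc && /^[[:space:]]*$/       { exit }
        inpepc {
            sub(/#.*/, "")
            gsub(/"/, "")
            sub(/^[[:space:]]*pepc[[:space:]]*=[[:space:]]*/, "")
            printf "%s ", $0
        }
        END { print "" }
    ' "$1"
}

# pepc_value DBFILE OPTION
# Print the argument that follows -OPTION or --OPTION (the guide's db uses
# both spellings), or nothing when the option is absent.
pepc_value() {
    pepc_options "$1" | awk -v name="$2" '
        { for (i = 1; i <= NF; i++)
              if ($i == "-" name || $i == "--" name) { print $(i + 1); exit } }'
}

# pepc_has_option DBFILE OPTION
# Succeed when -OPTION or --OPTION appears as a standalone flag.
pepc_has_option() {
    pepc_options "$1" | grep -qE "[[:space:]]-{1,2}$2([[:space:]]|$)"
}

# check_pepc DBFILE ENDPOINT RESOURCEID ACTIONID
# Returns 0 when the db matches the expected values and basic sanity holds;
# every deviation is printed, so a failing run lists all problems at once.
check_pepc() {
    db=$1; rc=0
    got=$(pepc_value "$db" pep-daemon-endpoint-url)
    [ "$got" = "$2" ] || { echo "pep-daemon-endpoint-url: got '$got', expected '$2'"; rc=1; }
    case "$got" in
        https://*) ;;
        *) echo "pep-daemon-endpoint-url must be an https:// URL"; rc=1 ;;
    esac
    got=$(pepc_value "$db" resourceid)
    [ "$got" = "$3" ] || { echo "resourceid: got '$got', expected '$3'"; rc=1; }
    got=$(pepc_value "$db" actionid)
    [ "$got" = "$4" ] || { echo "actionid: got '$got', expected '$4'"; rc=1; }
    [ -n "$(pepc_value "$db" capath)" ] || { echo "no -capath given"; rc=1; }
    # Caveat from the guide: RedHat 6 based systems need this extra flag.
    if [ -r /etc/redhat-release ] && grep -q 'release 6' /etc/redhat-release; then
        pepc_has_option "$db" use-pilot-proxy-as-cafile \
            || { echo "RedHat 6 host without --use-pilot-proxy-as-cafile"; rc=1; }
    fi
    return $rc
}
```

A typical call after configuring a worker node is `check_pepc /etc/lcmaps/lcmaps-glexec.db "$ARGUS_PEPD_ENDPOINTS" "$GLEXEC_WN_PEPC_RESOURCEID" "$GLEXEC_WN_PEPC_ACTIONID"` with the three variables taken from site-info.def; a mismatch in resourceid or actionid is what typically leaves you with a Deny from the PAP policy even though the PEPd itself is reachable.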

Authorization and Mapping

gLExec interacts with Argus through an LCMAPS plug-in that uses the Argus PEP-C library to call out to the Argus PEP Daemon. The response from the Argus PEP Daemon is evaluated and used to deny or fulfill the mapping request for the resource.

Based on the Grid credentials, the LCMAPS C PEP plug-in sends an XACML request to the Argus PEP Daemon and then parses the XACML response: the decision authorizes the user, and the obligations map the user to a local account, which effectively switches the active Unix account of the running process.

XACML Request

The gLExec LCMAPS PEP plug-in sends an XACML request to the PEP Daemon with the following elements by default (the previously used XACML attribute profile can still be selected, but this must be configured explicitly).

  • XACML subject with the attribute element:
    • AttributeId: urn:oasis:names:tc:xacml:1.0:subject:key-info
    • Value: The PEM encoded Grid credentials provided by the calling process, read from the file located by the environment variable $GLEXEC_CLIENT_CERT. This variable must point to the proxy file of the pilot job payload owner (e.g. the end user) for gLExec to pass it on; the mapping is based on this information.
  • XACML resource with the attribute element:
  • XACML action with the attribute element:
  • XACML environment with the attribute element:
    • AttributeId: urn:oasis:names:tc:xacml:1.0:subject:key-info
    • Value: The PEM encoded Grid credentials provided by the calling process, fetched from the file content located by the environment variable $X509_USER_PROXY. The location to the proxy file of the pilot job executor or pilot job framework manager must be set by this variable in case of a pilot job framework scenario.

XACML Response

The PEP Daemon sends back a XACML response to the gLExec LCMAPS PEP plug-in. The following XACML response elements are parsed to authorize and map the user:

The local identity mapping will only succeed if the authorization decision is Permit.

Quick test

Two environment variables MUST be set up before trying gLExec:

  • X509_USER_PROXY : Contains the path to the proxy file of the gLExec calling identity. This is the pilot job executor identity.
  • GLEXEC_CLIENT_CERT : Contains the path to the proxy file of the identity that must get authorized and subsequently mapped by gLExec. This is the pilot job payload identity.

Run gLExec with the following command in order to perform a quick test:

export X509_USER_PROXY=${X509_USER_PROXY:-"/tmp/x509up_`id -u`"}
export GLEXEC_CLIENT_CERT=${GLEXEC_CLIENT_CERT:-$X509_USER_PROXY}

/usr/sbin/glexec /usr/bin/id -a; echo $?

The expected output is something like

uid=40205(testuseraccount) gid=2013(testusergroup)
0

Debugging hints / Known Issues

Currently, for RedHat 6 based installations, YAIM does not provide the correct lcmaps-glexec.db, see the Note Configuration using YAIM for details.

See Debugging hints and Exit codes of gLExec.