Difference between revisions of "How to ban users with quattor"


Latest revision as of 09:55, 10 September 2012

Unfortunately, there is no universal method to ban grid users from using gLite services. Enter Quattor, and via a single list of banned users we can manage the ban lists on the various node types.


How to add a user to the ban list?

The template $L/cfg/sites/ndpf/site/banlist.tpl defines a Pan variable GLOBAL_BANNED_USER_LIST, a list() of the certificate DNs that should be banned. Adding a user to this list is simply a matter of adding one line with the DN, enclosed in double quotes and followed by a comma:

variable GLOBAL_BANNED_USER_LIST ?= list(
 "/O=banned users/O=grid/CN=Evil User",
 # this is a comment line
 # use comments to relate the banned user DN to a date and reason
 "/O=some other org/O=whatever/CN=Compromised Account",
);

Don't forget to give the date and reason for banning the user!


Implementation

Services that support user banning can define a variable BANNED_USER_CONFIG which points to a template that implements the formatting of the appropriate files (see "Background Information" below). These templates read GLOBAL_BANNED_USER_LIST and write its DNs in the format each service expects.

Currently implemented methods:

  • lcas, used by the lcg-CE. Implementation in template $L/cfg/grid/common/security/user-banning/lcas.tpl
  • gridmap, used by the DPM server and disk. Implementation in template $L/cfg/grid/common/security/user-banning/gridmap.tpl
  • gacl, used by the WMS. Implementation in template $L/cfg/grid/common/security/user-banning/gacl.tpl

Background Information

Below is the summary of services and the method of banning:

  • lcg-CE, classic-SE: the banned user DNs need to be stored in /opt/edg/etc/lcas/ban_users.db and /opt/glite/etc/lcas/ban_users.db.
  • WMS: the banned user DNs have to be present in the files:
    • /opt/glite/etc/glite_wms_wmproxy.gacl
    • /etc/lcas/ban_users.db
  • DPM: the banned user DNs need to be mapped to a non-existent Unix account in /opt/lcg/etc/lcgdm-mapfile-local and /opt/edg/etc/grid-mapfile-local. In addition, there is a script /usr/local/bin/dpns-update-banned-users which bans the users that are present in the local map file via dpns-modifyusrmap (and unbans the users that are no longer in this file but who are currently banned in DPNS).
  • CreamCE: to be investigated
  • MyProxy (PX): To be completed
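As an added example, not the NDPF Pan templates and not code from this page, the following Python renders the three per-service files listed under "Implementation" and "Background Information" from one list of DNs, and parses the LCAS and GACL files back so a deployed file can be checked against the list. The exact layout of ban_users.db (one double-quoted DN per line, '#' comments), of the grid-mapfile lines ('"DN" account'), the GridSite GACL element structure, the account name banned and the /dteam FQAN are assumptions; the DNs are constructed. The DN check matters because all three formats are line- or quote-delimited, so a list entry containing a newline or double quote would split or corrupt entries rather than ban anyone.

```python
"""Render and verify per-service ban files from a single DN list.

Added example; not the NDPF Quattor templates. File formats, the GACL
layout and the account name are assumptions.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Constructed sample input, mirroring GLOBAL_BANNED_USER_LIST on the page.
BANNED_DNS = [
    "/O=banned users/O=grid/CN=Evil User",
    "/O=some other org/O=whatever/CN=Compromised Account",
]

# Assumption: a Unix account that does not exist on the DPM nodes, so a
# mapping to it can never yield a usable uid.
NONEXISTENT_ACCOUNT = "banned"

# A DN is a sequence of /TYPE=value components; values may not contain
# '/', '"' or line breaks in the formats we write.
_DN_OK = re.compile(r'^(/[A-Za-z0-9.]+=[^/"\n\r]+)+$')


def check_dn(dn: str) -> str:
    """Validate one DN before it is written into any ban file.

    A newline would end the entry early (silently un-banning the user),
    and an embedded double quote would corrupt every following line.
    """
    dn = dn.strip()
    if not _DN_OK.match(dn):
        raise ValueError(f"refusing malformed DN: {dn!r}")
    return dn


def render_lcas_ban_db(dns: list[str]) -> str:
    """LCAS ban_users.db (assumed format): one quoted DN per line."""
    lines = ["# generated from GLOBAL_BANNED_USER_LIST; do not edit by hand"]
    lines += [f'"{check_dn(dn)}"' for dn in dns]
    return "\n".join(lines) + "\n"


def render_mapfile(dns: list[str], account: str = NONEXISTENT_ACCOUNT) -> str:
    """grid-mapfile style (assumed format): '"DN" account' per line,
    mapping every banned DN to the non-existent account."""
    return "".join(f'"{check_dn(dn)}" {account}\n' for dn in dns)


def render_gacl(dns: list[str], allowed_fqans: tuple[str, ...] = ("/dteam",)) -> str:
    """GridSite GACL (assumed layout): a <deny><exec/> entry per banned DN,
    placed before the VOMS <allow> entries so the ban wins."""
    root = ET.Element("gacl", version="0.0.1")
    for dn in dns:
        entry = ET.SubElement(root, "entry")
        person = ET.SubElement(entry, "person")
        ET.SubElement(person, "dn").text = check_dn(dn)  # ET escapes XML specials
        ET.SubElement(ET.SubElement(entry, "deny"), "exec")
    for fqan in allowed_fqans:  # constructed allow rule for the rest of the VO
        entry = ET.SubElement(root, "entry")
        voms = ET.SubElement(entry, "voms")
        ET.SubElement(voms, "fqan").text = fqan
        ET.SubElement(ET.SubElement(entry, "allow"), "exec")
    return ET.tostring(root, encoding="unicode")


def lcas_banned(db_text: str) -> set[str]:
    """Parse a ban_users.db back into the set of banned DNs (exact strings)."""
    out: set[str] = set()
    for raw in db_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if len(line) >= 2 and line.startswith('"') and line.endswith('"'):
            out.add(line[1:-1])
    return out


def gacl_denied(xml_text: str) -> set[str]:
    """Return the DNs that a GACL file explicitly denies exec to."""
    root = ET.fromstring(xml_text)
    return {
        e.findtext("person/dn")
        for e in root.findall("entry")
        if e.find("deny/exec") is not None and e.findtext("person/dn")
    }


def verify_deployed(db_text: str, gacl_text: str, dns: list[str]) -> list[str]:
    """Return the DNs from the list that are missing from either rendered file.

    Matching is exact: a DN formatted differently in the list than in the
    user's certificate will not be caught, which is why the list should hold
    the end-entity DN exactly as the CA issued it.
    """
    wanted = {check_dn(dn) for dn in dns}
    return sorted(wanted - (lcas_banned(db_text) & gacl_denied(gacl_text)))


if __name__ == "__main__":
    print(render_lcas_ban_db(BANNED_DNS))
    print(render_mapfile(BANNED_DNS))
    print(render_gacl(BANNED_DNS))
    print("missing:", verify_deployed(render_lcas_ban_db(BANNED_DNS),
                                      render_gacl(BANNED_DNS), BANNED_DNS))
```

The verify step is the one worth keeping around after a Quattor run: it re-reads the files the templates wrote and reports any DN from the list that did not make it into both, which catches a DN that was quoted or split wrongly in the template source.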