Difference between revisions of "How to ban users with quattor"
From PDP/Grid Wiki
Jump to navigationJump to search| (5 intermediate revisions by one other user not shown) | |||
| Line 2: | Line 2: | ||
Enter Quattor, and via a single list of banned users we can manage the ban lists on the various node types. | Enter Quattor, and via a single list of banned users we can manage the ban lists on the various node types. | ||
| − | + | ||
| + | == How to add a user to the ban list? == | ||
| + | |||
The template $L/cfg/sites/ndpf/site/banlist.tpl define a Pan variable GLOBAL_BANNED_USER_LIST, which is a list() containing the certificate DNs that should be banned. Adding a user to this list is simply a matter of adding one line with the DN (enclosed in double quotes and a comma after the second quote): | The template $L/cfg/sites/ndpf/site/banlist.tpl define a Pan variable GLOBAL_BANNED_USER_LIST, which is a list() containing the certificate DNs that should be banned. Adding a user to this list is simply a matter of adding one line with the DN (enclosed in double quotes and a comma after the second quote): | ||
| Line 14: | Line 16: | ||
Don't forget to give the date and reason for banning the user! | Don't forget to give the date and reason for banning the user! | ||
| − | Below is the summary of services and the method of banning | + | |
| + | == Implementation == | ||
| + | |||
| + | Services that support user banning can define a variable BANNED_USER_CONFIG which points to a template that implements the formatting of the appropriate files (see "Background Information" below). These files process the data from GLOBAL_BANNED_USER_LIST and put it in the expected format. | ||
| + | |||
| + | Currently implemented methods: | ||
| + | * lcas, used by the lcg-CE. Implementation in template | ||
| + | $L/cfg/grid/common/security/user-banning/lcas.tpl | ||
| + | * gridmap, used by the DPM server and disk. Implementation in template | ||
| + | $L/cfg/grid/common/security/user-banning/gridmap.tpl | ||
| + | * gacl, used by the WMS. Implementation in template | ||
| + | $L/cfg/grid/common/security/user-banning/gacl.tpl | ||
| + | |||
| + | == Background Information == | ||
| + | |||
| + | Below is the summary of services and the method of banning: | ||
* lcg-CE, classic-SE: the banned user DNs need to be stored in /opt/edg/etc/lcas/ban_users.db and /opt/glite/etc/lcas/ban_users.db. | * lcg-CE, classic-SE: the banned user DNs need to be stored in /opt/edg/etc/lcas/ban_users.db and /opt/glite/etc/lcas/ban_users.db. | ||
| − | * WMS: the banned used DNs have to be present in the | + | * WMS: the banned used DNs have to be present in the files: |
| + | ** /opt/glite/etc/glite_wms_wmproxy.gacl. | ||
| + | ** /etc/lcas/ban_users.db | ||
| + | |||
| + | * DPM: the banned user DNs need to be mapped to a non-existing Unix account in /opt/lcg/etc/lcgdm-mapfile-local and /opt/edg/etc/grid-mapfile-local. In addition, there is a script /usr/local/bin/dpns-update-banned-users which bans the users that are present in the local map file via dpns-modifyusrmap (and unbans the users that are no longer in this file but who are currently banned in DPNS). | ||
| − | * | + | * CreamCE: to be investigated |
* MyProxy (PX): To be completed | * MyProxy (PX): To be completed | ||
Latest revision as of 09:55, 10 September 2012
Unfortunately, there is no universal method to ban grid users from using gLite services. Enter Quattor, and via a single list of banned users we can manage the ban lists on the various node types.
How to add a user to the ban list?
The template $L/cfg/sites/ndpf/site/banlist.tpl define a Pan variable GLOBAL_BANNED_USER_LIST, which is a list() containing the certificate DNs that should be banned. Adding a user to this list is simply a matter of adding one line with the DN (enclosed in double quotes and a comma after the second quote):
variable GLOBAL_BANNED_USER_LIST ?= list( "/O=banned users/O=grid/CN=Evil User", # this is a comment line # use comments to relate the banned user DN to a date and reason "/O=some other org/O=whatever/CN=Compromised Account", );
Don't forget to give the date and reason for banning the user!
Implementation
Services that support user banning can define a variable BANNED_USER_CONFIG which points to a template that implements the formatting of the appropriate files (see "Background Information" below). These files process the data from GLOBAL_BANNED_USER_LIST and put it in the expected format.
Currently implemented methods:
- lcas, used by the lcg-CE. Implementation in template
$L/cfg/grid/common/security/user-banning/lcas.tpl
- gridmap, used by the DPM server and disk. Implementation in template
$L/cfg/grid/common/security/user-banning/gridmap.tpl
- gacl, used by the WMS. Implementation in template
$L/cfg/grid/common/security/user-banning/gacl.tpl
Background Information
Below is the summary of services and the method of banning:
- lcg-CE, classic-SE: the banned user DNs need to be stored in /opt/edg/etc/lcas/ban_users.db and /opt/glite/etc/lcas/ban_users.db.
- WMS: the banned used DNs have to be present in the files:
- /opt/glite/etc/glite_wms_wmproxy.gacl.
- /etc/lcas/ban_users.db
- DPM: the banned user DNs need to be mapped to a non-existing Unix account in /opt/lcg/etc/lcgdm-mapfile-local and /opt/edg/etc/grid-mapfile-local. In addition, there is a script /usr/local/bin/dpns-update-banned-users which bans the users that are present in the local map file via dpns-modifyusrmap (and unbans the users that are no longer in this file but who are currently banned in DPNS).
- CreamCE: to be investigated
- MyProxy (PX): To be completed
