Difference between revisions of "LCAS and LCMAPS installation for gLExec and (GT4) gatekeepers"

From PDP/Grid Wiki
Line 79: Line 79:
  
 
GLExec will read the glexec.conf file to determine how it should call and execute LCAS and LCMAPS. It also determines the run-time mode of glexec and which (set of) users are authorized to execute gLExec.
 
GLExec will read the glexec.conf file to determine how it should call and execute LCAS and LCMAPS. It also determines the run-time mode of glexec and which (set of) users are authorized to execute gLExec.
 +
 +
 +
/opt/glite/etc/glexec.conf:
 +
#
 +
#  Glexec
 +
#
 +
[glexec]
 +
lcmaps_db_file              = /opt/glite/etc/lcmaps/lcmaps-suexec.db
 +
lcmaps_log_file              = /var/log/glexec/lcas_lcmaps.log
 +
lcmaps_debug_level          = 5
 +
lcmaps_log_level            = 5
 +
lcmaps_get_account_policy    = glexec_get_account
 +
lcmaps_verify_account_policy = glexec_verify_account
 +
 +
lcas_db_file                = /opt/glite/etc/lcas/lcas-suexec.db
 +
lcas_log_file                = /var/log/glexec/lcas_lcmaps.log
 +
# lcas_debug_level            = 1
 +
linger                      = yes
 +
 +
silent_logging              = no
 +
log_level                    = 1
 +
 +
user_white_list              = glexec*, venekamp, root, okoeroo, uschwick
 +
preserve_env_variables      = MY_BULLSHIT_ENV
 +
 +
#
 +
#  LCMAPS configuration space
 +
#
 +
[lcmaps]
 +
 +
#
 +
#  LCAS configuration space
 +
#
 +
[lcas]
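
Review bot: the added "user_white_list" line lists what look like personal account names together with "root" and the wildcard "glexec*", and readers are likely to copy it verbatim. Replace the names with obvious placeholders and add a comment saying what "glexec*" is meant to match and whether "root" really needs to be listed. The value "MY_BULLSHIT_ENV" for "preserve_env_variables" would read better as a neutral placeholder, and "lcmaps_debug_level = 5" / "lcmaps_log_level = 5" need a note on whether they are meant for debugging only.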

Revision as of 14:53, 28 November 2007

-- This page is under development and will be updated to add more fine-grained information -- It will contain the installation and configuration details needed to install glexec, edg-gatekeeper, edg-gridftpd, gt4 gatekeeper and gt4 gridftpd.



Needed packages

This is the list of packages that are needed to get started.


External / other packages

vdt-globus-essentials
glite-security-voms-api-c-1.7.11
gridsite-1.1.15-1.i386.rpm


LCAS

glite-security-lcas-1.3.7-1
glite-security-lcas-interface-1.3.6-1
glite-security-lcas-plugins-basic-1.3.2-2
glite-security-lcas-plugins-voms-1.3.3-1
glite-security-lcas-plugins-check-executable-1.2.0-1

LCMAPS

glite-security-lcmaps-1.4.2-1
glite-security-lcmaps-plugins-basic-1.3.7-1
glite-security-lcmaps-plugins-voms-1.3.7-1
glite-security-lcmaps-plugins-verify-proxy-1.2.8-1

For glexec

glite-security-glexec-0.5.23-3


For edg-gatekeepers and edg-gridftpd

edg-gatekeeper package
edg-gridftpd package


For Globus Toolkit 4.0.x Gatekeeper and/or gridftpd

This package implements the GT4.0.x mapping_and_authz interface, which is used to invoke LCAS and LCMAPS.

lcas-lcmaps-gt4-interface-0.0.13-1



Installation

gLExec installation notes

Set library paths correctly for the libs

After having successfully installed all the packages, you'll need to perform a check with

ldconfig

to see if all the packages can find all that is needed on the system.

You may need to add directories to /etc/ld.so.conf or LD_LIBRARY_PATH. Likely candidates are /opt/globus/lib and /opt/glite/lib(64).


The setup of gLExec

Create the log directory that was set at compile time:

mkdir /var/log/glexec/

If you want to gain identity separation by mapping the real user's job to the target identity, set the setuid bit on the root-owned glexec binary:

chmod 4755 /opt/glite/sbin/glexec

Add a user 'glexec' with the group 'glexec' to the system. This account is used to read glexec.conf with lower privileges.

Members of the glexec group may also execute glexec. All other users need to be whitelisted in the glexec.conf file.


The glexec.conf file

gLExec reads the glexec.conf file to determine how it should call and execute LCAS and LCMAPS. The file also determines the run-time mode of gLExec and which (set of) users are authorized to execute gLExec.


/opt/glite/etc/glexec.conf:

#
#  Glexec
#
[glexec]
lcmaps_db_file               = /opt/glite/etc/lcmaps/lcmaps-suexec.db
lcmaps_log_file              = /var/log/glexec/lcas_lcmaps.log
lcmaps_debug_level           = 5
lcmaps_log_level             = 5
lcmaps_get_account_policy    = glexec_get_account
lcmaps_verify_account_policy = glexec_verify_account
lcas_db_file                 = /opt/glite/etc/lcas/lcas-suexec.db
lcas_log_file                = /var/log/glexec/lcas_lcmaps.log
# lcas_debug_level             = 1
linger                       = yes
silent_logging               = no
log_level                    = 1
user_white_list              = glexec*, venekamp, root, okoeroo, uschwick
preserve_env_variables       = MY_BULLSHIT_ENV
#
#  LCMAPS configuration space
#
[lcmaps]
#
#  LCAS configuration space
#
[lcas]
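
Because user_white_list decides who may run gLExec, it is worth checking before the file is deployed. The following is an added example, not part of the original wiki page or of the gLExec project: a shell sketch that reads keys from the [glexec] section only and lists whitelist entries that deserve a second look (wildcards and root). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not gLExec project code. Function names are hypothetical.

# Print the value of KEY from the [glexec] section of FILE, skipping
# comment lines and the other sections ([lcmaps], [lcas]).
glexec_conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[glexec\]/); next }
        in_sec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Print one line per user_white_list entry that deserves a second look.
glexec_whitelist_findings() {
    glexec_conf_get "$1" user_white_list | tr ',' '\n' |
    while read -r entry; do
        case "$entry" in
            *\**) echo "wildcard: $entry" ;;    # pattern covers many accounts
            root) echo "privileged: $entry" ;;  # root is allowed to call glexec
        esac
    done
}

# Constructed sample based on the listing above; the commented-out line and
# the [lcmaps] key are decoys added to show that both are ignored.
write_sample_conf() {
    cat > "$1" <<'EOF'
[glexec]
lcmaps_debug_level = 5
# user_white_list  = nobody*
user_white_list    = glexec*, venekamp, root, okoeroo, uschwick
[lcmaps]
user_white_list    = decoy*
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
glexec_whitelist_findings "$sample"
rm -f "$sample"
```

To check a real installation, pass the path of the deployed file, for example /opt/glite/etc/glexec.conf, to glexec_whitelist_findings.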