LCAS and LCMAPS installation for gLExec and (GT4) gatekeepers
-- This page is under development and will be updated with more fine-grained information -- It will cover the installation and configuration details for glexec, edg-gatekeeper, edg-gridftpd, the gt4 gatekeeper and gt4 gridftpd.
Needed packages
These are the packages needed to get started.
External / other packages
vdt-globus-essentials
glite-security-voms-api-c-1.7.11
gridsite-1.1.15-1.i386.rpm
LCAS
glite-security-lcas-1.3.7-1
glite-security-lcas-interface-1.3.6-1
glite-security-lcas-plugins-basic-1.3.2-2
glite-security-lcas-plugins-voms-1.3.3-1
glite-security-lcas-plugins-check-executable-1.2.0-1
LCMAPS
glite-security-lcmaps-1.4.2-1
glite-security-lcmaps-plugins-basic-1.3.7-1
glite-security-lcmaps-plugins-voms-1.3.7-1
glite-security-lcmaps-plugins-verify-proxy-1.2.8-1
For glexec
glite-security-glexec-0.5.23-3
For edg-gatekeepers and edg-gridftpd
edg-gatekeeper package
edg-gridftpd package
For Globus Toolkit 4.0.x Gatekeeper and/or gridftpd
This package implements the GT4.0.x mapping_and_authz interface, which is used to invoke LCAS and LCMAPS.
lcas-lcmaps-gt4-interface-0.0.13-1
Installation
gLExec installation notes
Set library paths correctly for the libs
After all the packages have been installed successfully, perform a check with
ldconfig
to see whether all the packages can find the libraries they need on the system.
You may need to add directories to /etc/ld.so.conf or LD_LIBRARY_PATH. Candidates that come to mind are /opt/globus/lib and /opt/glite/lib(64).
The setup of gLExec
Create the log directory that was set at compile time:
mkdir /var/log/glexec/
If you want identity separation, with the real user job mapped to the target identity, set the setuid bit on glexec, with the binary owned by root:
chmod 4755 /opt/glite/sbin/glexec
Add a user 'glexec' with the group 'glexec' to the system. This account is used to read glexec.conf with lower privileges.
Members of the glexec group may also execute glexec. All other users need to be whitelisted in the glexec.conf file.
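The setup steps above can be verified with a short read-only script. This is an added example, not part of the gLExec distribution: the paths are the ones given on this page, while the function names and the rule that the log directory must not be group- or world-writable are assumptions of the example (GNU stat and getent are assumed to be available).

```shell
#!/bin/sh
# Added example: read-only audit of the gLExec setup steps on this page.
# Default paths are the page's; the specific checks are this example's.

# check_binary PATH [UID]: setuid, mode exactly 4755, owned by UID (default 0 = root).
check_binary() {
    bin=$1; want_uid=${2:-0}
    [ -f "$bin" ] || { echo "FAIL: $bin not found"; return 1; }
    [ -u "$bin" ] || { echo "FAIL: $bin has no setuid bit"; return 1; }
    mode=$(stat -c '%a' "$bin"); uid=$(stat -c '%u' "$bin")
    [ "$mode" = 4755 ] || { echo "FAIL: $bin mode $mode, expected 4755"; return 1; }
    [ "$uid" = "$want_uid" ] || { echo "FAIL: $bin owner uid $uid, expected $want_uid"; return 1; }
    echo "OK: $bin"
}

# check_logdir DIR: exists and is not writable by group or others (assumption of
# this example: only the owner should write where a setuid-root program logs).
check_logdir() {
    dir=$1
    [ -d "$dir" ] || { echo "FAIL: $dir not found"; return 1; }
    case $(stat -c '%a' "$dir") in
        *[2367]?|*[2367]) echo "FAIL: $dir is group- or world-writable"; return 1 ;;
    esac
    echo "OK: $dir"
}

# check_account NAME: a user and a group of that name both exist.
check_account() {
    getent passwd "$1" >/dev/null || { echo "FAIL: no user $1"; return 1; }
    getent group "$1" >/dev/null || { echo "FAIL: no group $1"; return 1; }
    echo "OK: account $1"
}

# audit_glexec: run every check, report all failures, return non-zero if any failed.
audit_glexec() {
    rc=0
    check_binary /opt/glite/sbin/glexec || rc=1
    check_logdir /var/log/glexec || rc=1
    check_account glexec || rc=1
    return $rc
}

# Run the audit only when asked to, e.g.: sh audit-glexec.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_glexec; fi
```

A binary that is setuid but not owned by root fails the owner check, which is the case the chmod step alone does not reveal.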
The glexec.conf file
gLExec reads the glexec.conf file to determine how it should call and execute LCAS and LCMAPS. The file also determines the run-time mode of gLExec and which (set of) users are authorized to execute gLExec.
/opt/glite/etc/glexec.conf:
#
# Glexec
#
[glexec]
lcmaps_db_file = /opt/glite/etc/lcmaps/lcmaps-suexec.db
lcmaps_log_file = /var/log/glexec/lcas_lcmaps.log
lcmaps_debug_level = 5
lcmaps_log_level = 5
lcmaps_get_account_policy = glexec_get_account
lcmaps_verify_account_policy = glexec_verify_account

lcas_db_file = /opt/glite/etc/lcas/lcas-suexec.db
lcas_log_file = /var/log/glexec/lcas_lcmaps.log
# lcas_debug_level = 1
linger = yes

silent_logging = no
log_level = 1

user_white_list = glexec*, venekamp, root, okoeroo, uschwick
preserve_env_variables = MY_BULLSHIT_ENV

#
# LCMAPS configuration space
#
[lcmaps]

#
# LCAS configuration space
#
[lcas]