SCAS

From PDP/Grid Wiki
Revision as of 15:34, 26 March 2009 by Davidg@nikhef.nl (talk | contribs)

What is the SCAS

The SCAS daemon makes authorization and mapping decisions centrally. It uses HTTPS authentication to authenticate a client (as a regular user or as a pilot job user) and to present the user credentials. The reply contains a deny or permit decision and, when permitted, the Unix UID, primary GID and secondary GIDs. The primary client tool is gLExec, but the client is actually an LCMAPS plugin, so other tools such as all the pre-WS GT4 gatekeepers, gridftpd and gsi-opensshd can also use this client-server interaction.

Release notes

Installation guide

Prerequisite

The SCAS service performs the credential mapping based on the SCAS client requests. The default result is the Unix UID and Unix GIDs in their numeric form. These numeric UIDs and GIDs are the numbers found in the passwd and group files on the system running the SCAS service. Therefore the UIDs and GIDs on the SCAS clients and on the SCAS service must be fully consistent.
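A check for that prerequisite, added here as an example (it is not part of the SCAS package): it takes the textual content of /etc/passwd and /etc/group from the SCAS service host and from one SCAS client host and reports every mapping account or group whose numeric ids differ. The two snapshots in the block are constructed for the demonstration; on the client, mylocalaccount is missing, dteam002 has a different UID and the dteam group has a different GID.

```python
# Constructed passwd/group snapshots for a SCAS server and one client.
SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
scas:x:501:501::/var/lib/scas:/sbin/nologin
mylocalaccount:x:1500:1500::/home/mylocalaccount:/bin/bash
dteam001:x:20001:2000::/home/dteam001:/bin/bash
dteam002:x:20002:2000::/home/dteam002:/bin/bash
"""
SERVER_GROUP = "root:x:0:\nscas:x:501:\nmylocalaccount:x:1500:\ndteam:x:2000:dteam001,dteam002\n"
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dteam001:x:20001:2000::/home/dteam001:/bin/bash
dteam002:x:20003:2000::/home/dteam002:/bin/bash
"""
CLIENT_GROUP = "root:x:0:\ndteam:x:2001:dteam001,dteam002\n"


def parse_passwd(text):
    """Return {user: (uid, gid)} from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def parse_group(text):
    """Return {group: gid} from group(5)-format text."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and not line.startswith("#"):
            groups[fields[0]] = int(fields[2])
    return groups


def find_inconsistencies(server_passwd, server_group, client_passwd, client_group, accounts):
    """Return a sorted list of (name, problem) for the accounts SCAS may map to.

    Every account must exist on both hosts with the same UID and primary GID, and
    every group name known on both hosts must carry the same GID; otherwise a
    mapping returned by SCAS is applied to a different identity on the client."""
    s_users, s_groups = parse_passwd(server_passwd), parse_group(server_group)
    c_users, c_groups = parse_passwd(client_passwd), parse_group(client_group)
    problems = []
    for name in accounts:
        if name not in s_users:
            problems.append((name, "missing on SCAS server"))
        elif name not in c_users:
            problems.append((name, "missing on client"))
        elif s_users[name] != c_users[name]:
            problems.append((name, f"uid/gid differ: server {s_users[name]}, client {c_users[name]}"))
    for gname in sorted(set(s_groups) & set(c_groups)):
        if s_groups[gname] != c_groups[gname]:
            problems.append((gname, f"gid differs: server {s_groups[gname]}, client {c_groups[gname]}"))
    return sorted(problems)


if __name__ == "__main__":
    for name, problem in find_inconsistencies(SERVER_PASSWD, SERVER_GROUP, CLIENT_PASSWD,
                                              CLIENT_GROUP, ["mylocalaccount", "dteam001", "dteam002"]):
        print(f"{name}: {problem}")
```

On a real site the snapshots would be read from the files on each host (or from the LDAP/NIS source both hosts use) and the account list would be the pool accounts and local accounts named in the grid-mapfile.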


What to install (latest version of)

glite-security-saml2-xacml2-c-lib
glite-security-scas
glite-security-lcas
glite-security-lcas-interface
glite-security-lcas-basic
glite-security-lcas-voms
glite-security-lcmaps
glite-security-lcmaps-plugins-basic
glite-security-lcmaps-plugins-voms


IMPORTANT: This installation does not use YAIM and is incompatible with an installation using YAIM. This is a how-to that will enable you to do it manually without the use of YAIM.


Setup

  1. Add a user account named 'scas'. This is the user account the SCAS service runs as. This account does not require a shell.
  2. When installing add a symlink from /etc/init.d/scas to /opt/glite/etc/init.d/scas.init.d
  3. chkconfig --add scas
  4. mkdir /var/log/glite/
  5. touch /var/log/glite/scas.log
  6. chown scas:scas /var/log/glite/scas.log Note: the scas.log file must be writable only by scas.
  7. cp /opt/glite/etc/logrotate.d/scas.logrotate.d to /etc/logrotate.d/scas.logrotate Note: the SCAS log can grow very large very quickly. Consider running logrotate more frequently than daily (recommendation: hourly) and triggering on the size of the file rather than on the date.
  8. Add /opt/glite/lib and /opt/globus/lib to the default library path in /etc/ld.so.conf or in a new file in the /etc/ld.so.conf.d/ directory, or make sure that LD_LIBRARY_PATH is set to the required paths.
  9. Install the CA certificates, like the IGTF accredited CAs.
  10. Setup fetch-crl to update the CRL files.
  11. Create a configuration file for the scas daemon in /opt/glite/etc/scas.conf with the following content:
scas_port = 8443
scas_capath = /etc/grid-security/certificates/
scas_hostcert = /etc/grid-security/scascert.pem
scas_hostkey = /etc/grid-security/scaskey.pem
lcas_db_file = /opt/glite/etc/lcmaps/lcas-scas.db
lcmaps_db_file = /opt/glite/etc/lcmaps/lcmaps-scas.db
scas_log_level = 1
scas_debug_level = 0
scas_log_file = /var/log/glite/scas.log
lcas_log_level = 1
lcas_debug_level = 0
lcmaps_log_level = 1
lcmaps_debug_level = 0

Note: for testing it is advised to set scas_log_level and scas_debug_level to 5 to see all possible interactions with the service.
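A small parser and sanity check for a scas.conf in the key = value form shown above, added here as an example (it is not part of the SCAS package). The list of required keys, the treatment of '#' as a comment marker and the checks themselves are assumptions of this example; the sample input is the configuration from step 11.

```python
# The scas.conf from step 11 above, used as sample input.
SAMPLE_CONF = """\
scas_port = 8443
scas_capath = /etc/grid-security/certificates/
scas_hostcert = /etc/grid-security/scascert.pem
scas_hostkey = /etc/grid-security/scaskey.pem
lcas_db_file = /opt/glite/etc/lcmaps/lcas-scas.db
lcmaps_db_file = /opt/glite/etc/lcmaps/lcmaps-scas.db
scas_log_level = 1
scas_debug_level = 0
scas_log_file = /var/log/glite/scas.log
lcas_log_level = 1
lcas_debug_level = 0
lcmaps_log_level = 1
lcmaps_debug_level = 0
"""

# Assumed key sets, taken from the configuration above.
REQUIRED_KEYS = ("scas_port", "scas_capath", "scas_hostcert", "scas_hostkey",
                 "lcas_db_file", "lcmaps_db_file", "scas_log_file")
PATH_KEYS = ("scas_capath", "scas_hostcert", "scas_hostkey",
             "lcas_db_file", "lcmaps_db_file", "scas_log_file")
LEVEL_KEYS = ("scas_log_level", "scas_debug_level", "lcas_log_level",
              "lcas_debug_level", "lcmaps_log_level", "lcmaps_debug_level")


def parse_scas_conf(text):
    """Parse 'key = value' lines into a dict; raises ValueError on malformed input."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"scas.conf line {lineno}: expected 'key = value', got {raw!r}")
        if key in conf:
            raise ValueError(f"scas.conf line {lineno}: duplicate key {key!r}")
        conf[key] = value
    return conf


def check_scas_conf(conf):
    """Return a list of findings; an empty list means the file passes all checks."""
    findings = [f"missing required key {k}" for k in REQUIRED_KEYS if k not in conf]
    port = conf.get("scas_port")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(f"scas_port must be a TCP port number, got {port!r}")
    for k in PATH_KEYS:
        if k in conf and not conf[k].startswith("/"):
            findings.append(f"{k} should be an absolute path, got {conf[k]!r}")
    for k in LEVEL_KEYS:
        v = conf.get(k)
        if v is not None and not v.isdigit():
            findings.append(f"{k} must be a non-negative integer, got {v!r}")
        elif v == "5" and k.startswith("scas_"):
            findings.append(f"{k} is 5, the testing setting; lower it for production use")
    if "scas_hostcert" in conf and conf["scas_hostcert"] == conf.get("scas_hostkey"):
        findings.append("scas_hostcert and scas_hostkey point to the same file")
    return findings


if __name__ == "__main__":
    conf = parse_scas_conf(SAMPLE_CONF)
    print(check_scas_conf(conf) or "scas.conf: no findings")
```

Run the check again after switching the log levels back from the testing value, so that a service left at level 5 does not go into production and fill /var/log/glite/scas.log.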

  1. Prepare the gridmapdir for LCMAPS, as on a CE. All the pool accounts required for the mapping on the client machines need to exist on the system, and each pool account must be represented by an empty file of the same name in this directory.
  2. The gridmapdir directory must be owned by the 'scas' account.
  3. Create the following lcmaps-scas.db in the following location: /opt/glite/etc/lcmaps/lcmaps-scas.db
# LCMAPS policy file/plugin definition
# Written by: Oscar Koeroo - okoeroo * at * nikhef * dot * nl
# The configuration file is specialized for non-root privileged processes/services, like:
### SCAS service and others

# default path for the modules
path = /opt/glite/lib/modules 

# Plugin definitions:
good             = "lcmaps_dummy_good.mod"

localaccount     = "lcmaps_localaccount.mod"
                  "-gridmapfile /etc/grid-security/grid-mapfile"

poolaccount      = "lcmaps_poolaccount.mod"
                  " -override_inconsistency"
                  " -gridmapfile /etc/grid-security/grid-mapfile"
                  " -gridmapdir /etc/grid-security/gridmapdir"

vomslocalgroup   = "lcmaps_voms_localgroup.mod"
                  "-groupmapfile /etc/grid-security/groupmapfile"
                  "-mapmin 0"

vomspoolaccount  = "lcmaps_voms_poolaccount.mod"
                  "-gridmapfile /etc/grid-security/grid-mapfile"
                  "-gridmapdir /etc/grid-security/gridmapdir"
                  "-do_not_use_secondary_gids"

vomslocalaccount = "lcmaps_voms_localaccount.mod"
                  "-gridmapfile /etc/grid-security/grid-mapfile"
                  "-use_voms_gid"


# Policies:
# DN-local -> VO-static -> VO-pool -> DN-pool

static-account-mapping:
localaccount -> good

voms-mapping:
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> good | vomspoolaccount

classic-poolaccount:
poolaccount -> good

  1. The grid-mapfile may contain both DNs and FQANs. They must map to either local accounts or pool accounts (both VOMS and non-VOMS based).
"/dteam" .dteam
"/C=NL/CN=Oscar Koeroo" mylocalaccount

Note: These types of data may also be split into different files. Adjust the plugin arguments accordingly to point to the different files.

  1. The groupmapfile must have content only related to VOMS (FQAN) mappings, like:
"/dteam"    dteam
  1. Install the following lcas.db at the location set up in scas.conf (usually /opt/glite/etc/lcas/lcas-scas.db):
# LCAS policy file/plugin definition
# Written by: Oscar Koeroo - okoeroo * at * nikhef * dot * nl
pluginname=lcas_userban.mod,pluginargs=ban_users.db
  1. touch /opt/glite/etc/lcas/ban_users.db
  2. Make sure the configuration files ban_users.db, lcas-scas.db, lcmaps-scas.db, scas.conf, grid-mapfile and groupmapfile can be read by the 'scas' user. They may still be owned by root (recommended).
  3. After this, you may start the service:
/etc/init.d/scas start or service scas start
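To see how the files configured in the steps above combine into the permit/deny-and-map reply described at the top of this page, here is a model of the decision, added as an example; it is not the LCAS or LCMAPS code. It runs the lcas_userban check first and then the three policies of lcmaps-scas.db in their listed order (DN-local, VO-static, VO-pool, DN-pool) over constructed sample files. Assumptions made by the example: ban_users.db holds one quoted DN per line; FQANs are matched exactly against the mapfile entries; the group from the groupmapfile becomes the primary GID (-use_voms_gid), with no secondary GIDs for the VOMS pool-account path (-do_not_use_secondary_gids); and a gridmapdir lease is a hard link to the pool-account file named after the URL-encoded DN, a simplified version of the real gridmapdir mechanism.

```python
import os
import tempfile
import urllib.parse

# Constructed sample files in the formats used on this page (format of ban_users.db assumed).
BAN_USERS_DB = '"/C=NL/CN=Banned User"\n'
GRID_MAPFILE = '"/dteam" .dteam\n"/C=NL/CN=Oscar Koeroo" mylocalaccount\n"/C=NL/CN=Classic User" .dteam\n'
GROUPMAPFILE = '"/dteam"    dteam\n'
PASSWD = {"mylocalaccount": (1500, 1500), "dteam001": (20001, 2000), "dteam002": (20002, 2000)}
GROUP = {"dteam": 2000, "mylocalaccount": 1500}


def parse_mapfile(text):
    """Parse lines of the form  "<DN or FQAN>" <account>  into (key, account) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('"'):
            key, _, rest = line[1:].partition('"')
            entries.append((key, rest.split()[0] if rest.split() else None))
    return entries


def lease_poolaccount(gridmapdir, prefix, dn):
    """Simplified gridmapdir model (assumption): each pool account is an empty file, a
    lease is a hard link to it named after the URL-encoded DN, link count 1 means free."""
    lease = os.path.join(gridmapdir, urllib.parse.quote(dn, safe=""))
    pool = [n for n in sorted(os.listdir(gridmapdir)) if n.startswith(prefix) and n[len(prefix):].isdigit()]
    if os.path.exists(lease):                                  # this DN already holds an account
        ino = os.stat(lease).st_ino
        return next(n for n in pool if os.stat(os.path.join(gridmapdir, n)).st_ino == ino)
    for name in pool:
        if os.stat(os.path.join(gridmapdir, name)).st_nlink == 1:
            os.link(os.path.join(gridmapdir, name), lease)
            return name
    return None                                                # pool exhausted


def reply(permit, reason, user=None, gid=None, secondary=()):
    """The SCAS reply: deny, or permit with Unix UID, primary GID and secondary GIDs."""
    if not permit:
        return {"permit": False, "reason": reason}
    uid, passwd_gid = PASSWD[user]
    return {"permit": True, "reason": reason, "user": user, "uid": uid,
            "gid": passwd_gid if gid is None else gid, "secondary_gids": list(secondary)}


def authorize(dn, fqans, gridmapdir):
    """LCAS ban check, then the lcmaps-scas.db policies in order."""
    if dn in [key for key, _ in parse_mapfile(BAN_USERS_DB)]:       # lcas_userban
        return reply(False, "denied by lcas_userban")
    gridmap = parse_mapfile(GRID_MAPFILE)
    for key, acct in gridmap:                                       # static-account-mapping (DN-local)
        if key == dn and not acct.startswith("."):
            return reply(True, "static-account-mapping", acct)
    gids = [GROUP[g] for key, g in parse_mapfile(GROUPMAPFILE) if key in fqans]  # vomslocalgroup
    if gids:
        for key, acct in gridmap:                                   # vomslocalaccount, -use_voms_gid
            if key in fqans and not acct.startswith("."):
                return reply(True, "voms-mapping/local", acct, gids[0], gids[1:])
        for key, acct in gridmap:                                   # vomspoolaccount, no secondary gids
            if key in fqans and acct.startswith("."):
                user = lease_poolaccount(gridmapdir, acct[1:], dn)
                if user:
                    return reply(True, "voms-mapping/pool", user, gids[0])
    for key, acct in gridmap:                                       # classic-poolaccount (DN-pool)
        if key == dn and acct.startswith("."):
            user = lease_poolaccount(gridmapdir, acct[1:], dn)
            if user:
                return reply(True, "classic-poolaccount", user)
    return reply(False, "no mapping found")


def make_gridmapdir(accounts=("dteam001", "dteam002")):
    """Temporary gridmapdir holding one empty file per pool account (as in the setup step)."""
    d = tempfile.mkdtemp()
    for name in accounts:
        open(os.path.join(d, name), "w").close()
    return d


if __name__ == "__main__":
    gmd = make_gridmapdir()
    for dn in ("/C=NL/CN=Oscar Koeroo", "/C=NL/CN=Pilot One", "/C=NL/CN=Pilot One",
               "/C=NL/CN=Pilot Two", "/C=NL/CN=Pilot Three", "/C=NL/CN=Banned User"):
        print(dn, "->", authorize(dn, ["/dteam"], gmd))
```

The run shows the two things an operator wants to confirm before pointing gLExec clients at the service: a DN that already holds a gridmapdir lease gets the same pool account back on every request, and once the pool is exhausted the reply is a deny rather than a mapping to an unrelated account.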


Performance test results and certification

Manual and documentation

The SCAS(8) man page contains all the information needed to configure a SCAS service. It is installed with the SCAS package (in share/man/man8) and a snapshot is available online.