Set up gLExec for Argus

From PDP/Grid Wiki
Revision as of 09:20, 12 April 2013 by Msalle@nikhef.nl (talk | contribs) (→‎Configuration with YAIM)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

NOTE: This page is outdated (gLite information). See GLExec Argus Quick Installation Guide for an updated document.

Setting up gLExec on the worker node to query Argus for authorization decisions is preferably done through YAIM, but some set-ups require manual configuration.

This page is part of the guide on HOWTO set up gLExec on the worker node.

Installation

For the installation and configuration of Argus, see the Argus documentation.

For the installation of gLExec on the worker node, see the release notes and the installation manual.

Typical gLite installation is done with

wget -O /etc/yum.repos.d/glite-GLEXEC_wn.repo http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/glite-GLEXEC_wn.repo
yum install glite-GLEXEC_wn

Configuration with YAIM

Please see the YAIM guide for general instructions on using YAIM, and the list of variables that need to be set in site-info.def, or services/glite-glexec_wn.

Noteworthy variables:

GLEXEC_WN_OPMODE=setuid
GLEXEC_WN_ARGUS_ENABLED=yes
ARGUS_PEPD_ENDPOINTS="https://argus1.example.com:8154/authz"

Only one endpoint may be defined.

After setting the variables, running YAIM is usually done as follows:

/opt/glite/yaim/bin/yaim -c -s site-info.def -n TORQUE_client -n WN -n GLEXEC_wn

Manual Configuration

Simple configuration. The following assumes you have pool accounts that are expected to use gLExec named pilota001, pilota002, etc. and pilotb001, etc.

Edit /opt/glite/etc/glexec.conf as follows. Make sure the file's mode is

-rw-r----- 1 root glexec  /opt/glite/etc/glexec.conf
[glexec]
silent_logging               = no
log_level                    = 0
user_white_list              = .pilota,.pilotb
linger                       = yes
lcmaps_db_file               = /opt/glite/etc/lcmaps/lcmaps-glexec.db
lcmaps_log_file              = /var/log/glexec/lcas_lcmaps.log
lcmaps_debug_level           = 0
lcmaps_log_level             = 1
lcmaps_get_account_policy    = glexec_get_account
lcmaps_verify_account_policy = glexec_verify_account

lcas_db_file                 = /opt/glite/etc/lcas/lcas-glexec.db
lcas_log_file                = /var/log/glexec/lcas_lcmaps.log
lcas_debug_level             = 0
lcas_log_level               = 1
user_identity_switch_by      = lcmaps
preserve_env_variables       = no
log_destination              = file
log_file                     = /var/log/glexec/glexec_log

Place this in /opt/glite/etc/lcas/lcas-glexec.db:

pluginname=/opt/glite/lib64/modules/lcas_userban.mod,pluginargs=/opt/glite/etc/lcas/ban_users.db

Place this in /opt/glite/etc/lcmaps/lcmaps-glexec.db:

path = /opt/glite/lib64/modules
verify_proxy = "lcmaps_verify_proxy.mod" 
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"

posix_enf = "lcmaps_posix_enf.mod"
            " -maxuid 1"
            " -maxpgid 1"
            " -maxsgid 32"

pepc        = "lcmaps_c_pep.mod"
              "--pep-daemon-endpoint-url https://argus1.example.com:8154/authz"
              "--pep-daemon-endpoint-url https://argus2.example.com:8154/authz"
              "--resourceid http://authz-interop.org/xacml/resource/resource-type/wn"
              "--actionid http://glite.org/xacml/action/execute"
              "--capath /etc/grid-security/certificates/"
              "--pep-certificate-mode implicit"

glexec_get_account:
verify_proxy -> pepc
pepc -> posix_enf