Configuration

edg-gatekeeper

The edg-gatekeeper is configurable with a few more command line options in addition to the normal globus-gatekeeper options:

• -lcmaps_debug_level <debug level>: set the debug level for LCMAPS (0-5, default: 0 (= no debugging))
• -lcmaps_db_file <file>: specifies the filename of the LCMAPS policy file (default: lcmaps.db).
• -lcmaps_etc_dir <path>: specifies the directory where the LCMAPS configuration files are located (default: /opt/edg/etc/lcmaps/).
• -lcmapsmod_dir <path>: specifies the directory where the LCMAPS library is located (default: /opt/edg/lib/lcmaps/).
• -lcas_debug_level <debug level>: set the debug level for LCAS (0-5, default: 0 (= no debugging))
• -lcas_db_file <file>: specifies the filename of the LCAS policy file (default: lcas.db).
• -lcas_etc_dir <path>: specifies the directory where the LCAS authorization configuration files are located (default /opt/edg/etc/lcas/).
• -lcas_dir <path>: same as -lcas_etc_dir <path>, deprecated.
• -lcasmod_dir <path>: specifies the directory where the LCAS library is located (default /opt/edg/lib/lcas/).
• -plainoldglobus: provides the old globus-gatekeeper functionality, LCAS and LCMAPS are not used.
• -no_lcas: do not use LCAS.
• -no_lcmaps: do not use LCMAPS (use standard gridmap functionality of gatekeeper).

The globus.conf file (usually residing in the /etc directory) contains the configuration parameters for the globus software. The gatekeeper init.d script uses this file to to configure the edg-gatekeeper. The following lines were added/modified in /etc/globus.conf:

[common]

[...]

[gatekeeper]

[...]

globus_gatekeeper=/opt/edg/sbin/edg-gatekeeper

extra_options="-lcas_etc_dir /opt/edg/etc/lcas/ -lcasmod_dir /opt/edg/lib/lcas/ -lcas_db_file lcas.db -lcmaps_etc_dir /opt/edg/etc/lcmaps/ -lcmapsmod_dir /opt/edg/lib/lcmaps -lcmaps_db_file lcmaps.db"

The globus_gatekeeper= line gives the path of the gatekeeper to be used and the extra_options= line the gatekeeper options to be added.

LCFG configuration:
The globus.conf file can be created using the globus LCFG object contained in package edg-lcfg-globuscfg. The extra lines for the configuration files have to be specified in an LCFGng resource file in the way that is shown in the Computing Element resource file ComputingElement-cfg.h.

LCAS

The LCAS reads its configuration, in particular the plugins that it should load, from the file lcas.db. The format of this file is shown in this example. For now only lines containing an entry for the name of a plugin (i.e. pluginname="<path>") are allowed. The arguments the plugin requires are specified as pluginargs="<arguments>" on the same line.
If no absolute path is specified for the plugin module, the LCAS will search for it in the following directories: (in order of appearance)

• ./
• ./modules/
• /opt/edg/etc/lcas/
• /opt/opt/edg/lib/lcas/modules/
• /opt/opt/edg/lib/lcas/

The three standard authorization plugins each have their own configuration database:

• allowed_users.db: this file is not used in this release, but will eventually partly replace the gridmap file. It will contain the list of LDAP distinguished names (DN) of the users that are allowed on the fabric. This version of the LCAS, however, still relies on the gridmap file.
• ban_users.db: this file contains the list of DNs of the users that should be banned from the fabric. An example can be found here.
• timeslots.db: This file contains the 'opening hours' of the fabric. The format of the file is explained in this example.
• the voms authorization file (specified with the -authfile option). This file controls which VOs, groups etc. are allowed on the fabric. Three different formats are/will be supported (specified with the -authformat option):
  • text file format (just a list of allowed VO-GROUP-ROLE combinations). The same files can be used as are by the LCMAPS voms plugins. An example can be found here. N.B.: The second column is ignored.
  • GACL format (GACL is an XML ACL language). Voms credentials and DNs are supported. Any kind of permission (read, write, list etc.) will result in an authorization success. An example can be found here. A tool exists (edg-lcas-voms2gacl) to convert the textformat into gacl format.
  • XACML format (generic XML authorization language). This format is not supported yet, but will be in the future.

LCFG configuration:
The LCAS configuration files (except for the voms plugin policy file) can also be created using the LCAS LCFG object contained in package edg-lcfg-lcas. The lines for the configuration files have to be specified in an LCFG resource file in the way that is shown in the Computing Element resource file ComputingElement-cfg.h. One should be careful when specifying asterixes and double quotes. The VOMS authorization file can be the same file as the vomapfile and groupmapfile from LCMAPS or can be created from those by the command edg-lcas-voms2gacl.