Next: Adding authorization plugins
Up: Guide to LCAS
Previous: Installation
The edg-gatekeeper is configurable with a few more command line options in addition to the normal
globus-gatekeeper options:
- -lcmaps_debug_level <debug level>: set the debug level for LCMAPS (0-5, default: 0 (= no debugging))
- -lcmaps_db_file <file>: specifies the filename of the LCMAPS policy file (default: lcmaps.db).
- -lcmaps_etc_dir <path>: specifies the directory where the LCMAPS configuration files are located (default: /opt/edg/etc/lcmaps/).
- -lcmapsmod_dir <path>: specifies the directory where the LCMAPS library is located (default: /opt/edg/lib/lcmaps/).
- -lcas_debug_level <debug level>: set the debug level for LCAS (0-5, default: 0 (= no debugging))
- -lcas_db_file <file>: specifies the filename of the LCAS policy file (default: lcas.db).
- -lcas_etc_dir <path>: specifies the directory where the LCAS authorization configuration files are located (default: /opt/edg/etc/lcas/).
- -lcas_dir <path>: same as -lcas_etc_dir <path>, deprecated.
- -lcasmod_dir <path>: specifies the directory where the LCAS library is located (default: /opt/edg/lib/lcas/).
- -plainoldglobus: provides the old globus-gatekeeper functionality, LCAS and LCMAPS are not used.
- -no_lcas: do not use LCAS.
- -no_lcmaps: do not use LCMAPS (use standard gridmap functionality of gatekeeper).
The globus.conf file (usually residing in the /etc directory) contains the configuration parameters for the globus software. The gatekeeper init.d script uses this file to configure the edg-gatekeeper. The following lines were added/modified in /etc/globus.conf:
- [common]
- [...]
- [gatekeeper]
- [...]
- globus_gatekeeper=/opt/edg/sbin/edg-gatekeeper
- extra_options="-lcas_etc_dir /opt/edg/etc/lcas/ -lcasmod_dir /opt/edg/lib/lcas/ -lcas_db_file lcas.db -lcmaps_etc_dir /opt/edg/etc/lcmaps/ -lcmapsmod_dir /opt/edg/lib/lcmaps -lcmaps_db_file lcmaps.db"
The globus_gatekeeper= line gives the path of the gatekeeper to be used, and the extra_options= line gives the gatekeeper options to be added.
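The option list and the globus.conf lines above decide whether LCAS is consulted at all. The following added example (not part of the original guide or of the EDG software) works out the effective LCAS settings from a [gatekeeper] section and reports switches that disable LCAS, use of the deprecated -lcas_dir, and a non-zero debug level. The sample file content and the function name audit_gatekeeper are constructed for illustration.

```python
import configparser
import shlex

# LCAS defaults, taken from the option list above.
DEFAULTS = {"-lcas_debug_level": "0", "-lcas_db_file": "lcas.db",
            "-lcas_etc_dir": "/opt/edg/etc/lcas/",
            "-lcasmod_dir": "/opt/edg/lib/lcas/"}
SWITCHES = {"-plainoldglobus", "-no_lcas", "-no_lcmaps"}  # take no value

# Constructed sample, modelled on the globus.conf lines shown above.
SAMPLE = """
[gatekeeper]
globus_gatekeeper=/opt/edg/sbin/edg-gatekeeper
extra_options="-lcas_dir /tmp/lcas -lcas_debug_level 5 -no_lcas"
"""

def audit_gatekeeper(conf_text):
    """Return (effective LCAS settings, findings) for [gatekeeper]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    binary = cp.get("gatekeeper", "globus_gatekeeper", fallback="")
    raw = cp.get("gatekeeper", "extra_options", fallback="")
    tokens = shlex.split(raw.strip().strip('"'))
    effective, findings = dict(DEFAULTS), []
    if not binary.endswith("/edg-gatekeeper"):
        findings.append("globus_gatekeeper is not the edg-gatekeeper")
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if opt in SWITCHES:
            if opt != "-no_lcmaps":
                findings.append(f"{opt}: LCAS is not used")
            i += 1
            continue
        if opt == "-lcas_dir":  # deprecated alias of -lcas_etc_dir
            findings.append("-lcas_dir is deprecated, use -lcas_etc_dir")
            opt = "-lcas_etc_dir"
        if opt in effective and i + 1 < len(tokens):
            effective[opt] = tokens[i + 1]
        i += 2  # LCMAPS options and their values are skipped
    if effective["-lcas_debug_level"] != "0":
        findings.append("LCAS debugging is enabled")
    return effective, findings

if __name__ == "__main__":
    settings, notes = audit_gatekeeper(SAMPLE)
    print(settings)
    print("\n".join(notes))
```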
LCFG configuration:
The globus.conf file can be created using the globus LCFG object contained in package edg-lcfg-globuscfg. The extra lines for the configuration files have to be specified in an LCFGng resource file in the way that is shown in the Computing Element resource file ComputingElement-cfg.h.
The LCAS reads its configuration, in particular the plugins that it should load, from the file lcas.db. The format of this file is shown in this example.
For now only lines containing an entry for the name of a plugin (i.e. pluginname="<path>") are allowed.
The arguments the plugin requires are specified as pluginargs="<arguments>" on the same line.
If no absolute path is specified for the plugin module, the LCAS will search for it in the following directories, in this order:
- ./
- ./modules/
- /opt/edg/etc/lcas/
- /opt/opt/edg/lib/lcas/modules/
- /opt/opt/edg/lib/lcas/
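Because ./ and ./modules/ come first in the search order, a plugin named without an absolute path is resolved relative to the working directory of the process that loads it. The following added example (not LCAS code) parses lcas.db lines, resolves each plugin along that order and marks entries whose result depends on the working directory. Assumptions: the separator between pluginname and pluginargs and the '#' comment syntax are not given on this page, the example_*.mod names are made up, and the demo uses a temporary directory tree in place of /opt.

```python
import os
import re
import tempfile

# Search order for non-absolute plugin paths, copied verbatim from the list above.
SEARCH_DIRS = ["./", "./modules/", "/opt/edg/etc/lcas/",
               "/opt/opt/edg/lib/lcas/modules/", "/opt/opt/edg/lib/lcas/"]
# key=value, value optionally quoted; the field separator is an assumption.
ENTRY = re.compile(r'(pluginname|pluginargs)\s*=\s*(?:"([^"]*)"|([^,\s"]+))')

def parse_lcas_db(text):
    """Yield (line number, pluginname, pluginargs) for every plugin line."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = {k: q or u for k, q, u in ENTRY.findall(line)}
        # Lines starting with '#' are treated as comments (assumption).
        if "pluginname" in fields and not line.lstrip().startswith("#"):
            yield no, fields["pluginname"], fields.get("pluginargs", "")

def resolve_plugin(name, cwd, search_dirs=SEARCH_DIRS):
    """Return (path, search dir) of the first match, or (None, None)."""
    if os.path.isabs(name):
        return (name, None) if os.path.isfile(name) else (None, None)
    for d in search_dirs:
        cand = os.path.normpath(os.path.join(cwd, d, name))
        if os.path.isfile(cand):
            return cand, d
    return None, None

def audit(text, cwd, search_dirs=SEARCH_DIRS):
    """List what each lcas.db line would load and whether cwd decides it."""
    rows = []
    for no, name, args in parse_lcas_db(text):
        path, d = resolve_plugin(name, cwd, search_dirs)
        rows.append({"line": no, "plugin": name, "args": args, "loads": path,
                     "cwd_dependent": d is not None and not os.path.isabs(d)})
    return rows

def demo():
    """Constructed tree: example_a.mod exists in both run/modules and lib."""
    root = tempfile.mkdtemp()
    for rel in ("run/modules/example_a.mod", "lib/example_a.mod", "lib/example_b.mod"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").close()
    db = ('pluginname="example_a.mod" pluginargs="ban_users.db"\n'
          f'pluginname="{root}/lib/example_b.mod" pluginargs="timeslots.db"\n')
    return audit(db, root + "/run", ["./", "./modules/", root + "/lib/"])

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In the demo, example_a.mod is picked up from run/modules/ even though a copy exists in the library directory, which is the case an absolute pluginname avoids.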
The three standard authorization plugins each have their own configuration database:
- allowed_users.db: this file is not used in this release, but will eventually partly replace the gridmap file. It will contain the list of LDAP distinguished names (DN) of the users that are allowed on the fabric. This version of the LCAS, however, still relies on the gridmap file.
- ban_users.db: this file contains the list of DNs of the users that should be banned from the fabric. An example can be found here.
- timeslots.db: this file contains the 'opening hours' of the fabric. The format of the file is explained in this example.
- the voms authorization file (specified with the -authfile option). This file controls which VOs, groups etc. are allowed on the fabric. Three different formats are/will be supported (specified with the -authformat option):
  - text file format (just a list of allowed VO-GROUP-ROLE combinations). The same files can be used as are used by the LCMAPS voms plugins. An example can be found here. N.B.: The second column is ignored.
  - GACL format (GACL is an XML ACL language). VOMS credentials and DNs are supported. Any kind of permission (read, write, list etc.) will result in an authorization success. An example can be found here. A tool exists (edg-lcas-voms2gacl) to convert the text format into GACL format.
  - XACML format (generic XML authorization language). This format is not supported yet, but will be in the future.
LCFG configuration:
The LCAS configuration files (except for the voms plugin policy file) can also be created using the LCAS LCFG object contained in package edg-lcfg-lcas. The lines for the configuration files have to be specified in an LCFG resource file in the way that is shown in the Computing Element resource file ComputingElement-cfg.h.
One should be careful when specifying asterisks and double quotes.
The VOMS authorization file can be the same file as the vomapfile and groupmapfile from LCMAPS or can be created from those by the command edg-lcas-voms2gacl.
Martijn Steenbakkers, Tuesday Sep 23 2003