In version 3.0.X (QCG-Core >= 3.0.1) the QCG-Computing service was enabled for the VOMS (Virtual Organization Membership Service) infrastructure. In practice this means that, in addition to plain grid-mapfile authorization, it is possible to use pool accounts (as implemented in [http://wiki.nikhef.nl/grid/LCMAPS LCMAPS]). The VOMS support was implemented as a new authorization module called `atz_callout`. Example configuration (`qcg-compd.xml`) snippet:
{{{
/usr/lib64/liblcas_lcmaps_gt4_mapping_.so
}}}
Configuration options:
* `` - the grid mapfile (default: `/etc/grid-security/grid-mapfile`),
* `` - path to the LCAS/LCMAPS callout library (default: `/usr/lib64/liblcas_lcmaps_gt4_mapping_.so`),
* `` - the name of the authorization routine (default: `lcmaps_callout`).
QCG-Computing expects the LCMAPS configuration file to be found in `lcmaps/lcmaps-qcg.db` (this can be overridden by setting the `LCMAPS_DB_FILE` environment variable). The content of the file must be similar to:
{{{
# where to look for modules
path = YOUR_PATH_FOR_LCMAPS_MODULES

localaccount = "lcmaps_localaccount.mod"
               " -gridmapfile /etc/grid-security/grid-mapfile"
poolaccount = "lcmaps_poolaccount.mod"
              " -override_inconsistency"
              " -gridmapfile /etc/grid-security/grid-mapfile"
              " -gridmapdir /etc/grid-security/gridmapdir"
vomslocalgroup = "lcmaps_voms_localgroup.mod"
                 " -groupmapfile /etc/grid-security/groupmapfile"
                 " -mapmin 0"
vomslocalaccount = "lcmaps_voms_localaccount.mod"
                   " -gridmapfile /etc/grid-security/grid-mapfile"
                   " -use_voms_gid"
vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                  " -gridmapfile /etc/grid-security/grid-mapfile"
                  " -gridmapdir /etc/grid-security/gridmapdir"
                  " -do_not_use_secondary_gids"

# gridftp related code
good = "lcmaps_dummy_good.mod"
# --only-post-verify-checks
# --allow-limited-proxy
# --max-proxy-level-ttl=
# Sets a maximum lifetime for proxy certificate level where
# can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy
# in the chain)

# policies
withvoms:
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> good | vomspoolaccount
vomspoolaccount -> good

standard:
localaccount -> good | poolaccount
poolaccount -> good
}}}
This is a copy of the default `lcmaps.db` file with one major change: instead of `posix_enf`, the no-operation `good` module is used. Rationale: `posix_enf` drops privileges, so the process calling LCMAPS must run with root privileges. This is the case for GridFTP, but not for the QCG-Computing service, which calls the authorization functions as a regular user (usually `qcg-comp`); dropping privileges is done in a [http://en.wikipedia.org/wiki/Privilege_separation separate process]. The standard `lcmaps.db` must be preserved if the machine also hosts GridFTP.
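A quick way to catch the mistakes described above before restarting the service is to lint the policy file. The following is an added example, not QCG or LCMAPS code: it parses the `lcmaps.db` syntax used in the snippet above (module definitions with quoted continuation lines, then named policies of `a -> ok | fail` rules), checks that every module used by a policy is defined, that no rule is unreachable from the policy's entry module, and that a root-only module such as `posix_enf` does not appear in a file meant for `qcg-compd`. The two embedded files are constructed samples (an abridged copy of the snippet above, and a deliberately broken one); the module path `/usr/lib64/lcmaps` is an assumed value.

```python
"""Lint an LCMAPS policy file such as lcmaps/lcmaps-qcg.db (added example, not QCG code)."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PATH_RE = re.compile(r'^path\s*=\s*(\S+)$')
MODULE_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')                 # name = "module.mod"
CONT_RE = re.compile(r'^"([^"]*)"$')                                # continuation: " -arg value"
POLICY_RE = re.compile(r'^(\w+):$')                                 # policy name
RULE_RE = re.compile(r'^(\w+)\s*->\s*(\w+)(?:\s*\|\s*(\w+))?$')     # module -> ok | fail

# Modules that change the calling process's credentials and therefore need root.
# qcg-compd calls LCMAPS as an unprivileged user, so they must not appear in its policies.
ROOT_ONLY_MODULES = {"posix_enf"}


@dataclass
class LcmapsDb:
    path: Optional[str] = None
    modules: Dict[str, List[str]] = field(default_factory=dict)   # name -> [file, args...]
    # policy name -> [(module, next on success, next on failure or None), ...]
    policies: Dict[str, List[Tuple[str, str, Optional[str]]]] = field(default_factory=dict)


def parse_lcmaps_db(text: str) -> LcmapsDb:
    db = LcmapsDb()
    module = policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PATH_RE.match(line)
        if m:
            db.path = m.group(1)
            continue
        m = MODULE_RE.match(line)
        if m:
            module, policy = m.group(1), None
            db.modules[module] = [m.group(2)]
            continue
        m = CONT_RE.match(line)
        if m and module:                       # argument string belonging to the last module
            db.modules[module].append(m.group(1).strip())
            continue
        m = POLICY_RE.match(line)
        if m:
            policy, module = m.group(1), None
            db.policies[policy] = []
            continue
        m = RULE_RE.match(line)
        if m and policy:
            db.policies[policy].append((m.group(1), m.group(2), m.group(3)))
            continue
        raise ValueError(f"cannot parse line: {raw!r}")
    return db


def check_lcmaps_db(db: LcmapsDb) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not db.path:
        problems.append("no 'path =' line, LCMAPS cannot locate its modules")
    for name, rules in db.policies.items():
        if not rules:
            problems.append(f"policy {name}: has no rules")
            continue
        entry = rules[0][0]                    # the first rule's left side is the entry module
        edges = {src: (ok, fail) for src, ok, fail in rules}
        reachable, stack = set(), [entry]
        while stack:                           # walk both the success and the failure branches
            mod = stack.pop()
            if mod in reachable:
                continue
            reachable.add(mod)
            if mod not in db.modules:
                problems.append(f"policy {name}: module '{mod}' is used but never defined")
            if mod in ROOT_ONLY_MODULES:
                problems.append(f"policy {name}: '{mod}' needs root, use the no-op 'good' module instead")
            stack.extend(nxt for nxt in edges.get(mod, (None, None)) if nxt)
        for src in edges:
            if src not in reachable:
                problems.append(f"policy {name}: rule for '{src}' is never reached from '{entry}'")
    return problems


# Constructed sample: an abridged copy of the qcg-compd policy file, comments omitted.
QCG_DB = """
path = /usr/lib64/lcmaps
localaccount = "lcmaps_localaccount.mod"
               " -gridmapfile /etc/grid-security/grid-mapfile"
poolaccount = "lcmaps_poolaccount.mod"
              " -override_inconsistency"
              " -gridmapfile /etc/grid-security/grid-mapfile"
              " -gridmapdir /etc/grid-security/gridmapdir"
vomslocalgroup = "lcmaps_voms_localgroup.mod"
                 " -groupmapfile /etc/grid-security/groupmapfile"
vomslocalaccount = "lcmaps_voms_localaccount.mod"
                   " -gridmapfile /etc/grid-security/grid-mapfile"
vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                  " -gridmapdir /etc/grid-security/gridmapdir"
good = "lcmaps_dummy_good.mod"
withvoms:
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> good | vomspoolaccount
vomspoolaccount -> good
standard:
localaccount -> good | poolaccount
poolaccount -> good
"""

# Constructed sample: a GridFTP-style file with posix_enf, a typo and an orphaned rule.
BAD_DB = """
path = /usr/lib64/lcmaps
localaccount = "lcmaps_localaccount.mod"
               " -gridmapfile /etc/grid-security/grid-mapfile"
posix_enf = "lcmaps_posix_enf.mod"
good = "lcmaps_dummy_good.mod"
standard:
localaccount -> posix_enf | poolacount
poolaccount -> good
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_DB
    for problem in check_lcmaps_db(parse_lcmaps_db(text)):
        print("PROBLEM:", problem)
```

Run it as `python lint_lcmaps.py /etc/lcmaps/lcmaps-qcg.db`; no output means the file passed. The reachability walk follows both the `ok` and the `fail` branch of every rule, so a rule for a module that no branch ever leads to is reported rather than silently ignored.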
To complete the configuration you must add the `qcg-comp` user to the `edguser` group, which is allowed to alter the `/etc/grid-security/gridmapdir/` directory that stores the mappings from credentials to local pool accounts.
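Once `qcg-comp` can write to the gridmapdir, the thing an operator most often wants to know is how many pool accounts are still free and which credential holds which account. The following is an added example, not QCG or LCMAPS code. It assumes the classic gridmapdir convention: one file per pool account (for example `dteam001`) and, for every leased account, a hard link to that file whose name is the URL-encoded, lower-cased DN. The account names, DNs and the temporary directory it builds are all constructed for the demonstration.

```python
"""Report free and leased pool accounts in a gridmapdir (added example, not QCG code)."""
import os
import re
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote

POOL_RE = re.compile(r'^([a-z][a-z0-9_]*?)(\d+)$')   # dteam001 -> prefix "dteam", number "001"


def encode_dn(dn: str) -> str:
    """Lease file name for a DN (assumed gridmapdir encoding: lower-case, percent-escaped)."""
    return quote(dn.lower(), safe="").lower()


def gridmapdir_report(gridmapdir: str) -> Tuple[Dict[str, Dict[str, int]], Dict[str, Optional[str]]]:
    """Return (usage per pool prefix, decoded DN -> account name).

    A lease whose inode matches no pool account file maps to None: the account file
    was removed or recreated while the lease link survived, and should be cleaned up.
    """
    accounts: Dict[int, str] = {}   # inode -> pool account name
    leases: Dict[int, str] = {}     # inode -> decoded DN
    for name in os.listdir(gridmapdir):
        ino = os.stat(os.path.join(gridmapdir, name)).st_ino
        if POOL_RE.match(name):
            accounts[ino] = name
        elif name.startswith("%2f"):          # encoded leading '/' of a DN
            leases[ino] = unquote(name)
    usage: Dict[str, Dict[str, int]] = {}
    for ino, acct in accounts.items():
        prefix = POOL_RE.match(acct).group(1)
        bucket = usage.setdefault(prefix, {"free": 0, "leased": 0})
        bucket["leased" if ino in leases else "free"] += 1   # shared inode == leased
    mapping = {dn: accounts.get(ino) for ino, dn in leases.items()}
    return usage, mapping


def build_sample_gridmapdir(path: str) -> str:
    """Constructed fixture: three dteam accounts, one leased, plus one orphaned lease."""
    for acct in ("dteam001", "dteam002", "dteam003"):
        open(os.path.join(path, acct), "w").close()
    user_dn = "/C=XX/O=Example/CN=user one"                      # constructed DN
    os.link(os.path.join(path, "dteam001"), os.path.join(path, encode_dn(user_dn)))
    # an orphan: lease file with no matching account (plain file, not a link)
    open(os.path.join(path, encode_dn("/C=XX/O=Example/CN=gone user")), "w").close()
    return user_dn.lower()


def demo() -> Tuple[Dict[str, Dict[str, int]], Dict[str, Optional[str]], str]:
    """Build the fixture in a temporary directory and report on it."""
    path = tempfile.mkdtemp(prefix="gridmapdir-")
    dn = build_sample_gridmapdir(path)
    usage, mapping = gridmapdir_report(path)
    return usage, mapping, dn


if __name__ == "__main__":
    usage, mapping, _ = demo()
    print(usage)
    for dn, acct in mapping.items():
        print(f"{dn} -> {acct or 'ORPHAN LEASE (no account file)'}")
```

To run it against a live directory call `gridmapdir_report("/etc/grid-security/gridmapdir")` as a user that can read it. Matching leases to accounts by inode rather than by link count makes orphaned lease files visible, which a simple `ls -l` link-count check would miss.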
**Important:** Due to a heavy memory leak caused by dlopening liblcmaps many times, qcg-compd sets `LLGT_DLCLOSE_LCMAPS=no` in its `atz_callout` module. However, this requires the lcas-lcmaps-gt4-interface package to be newer than 0.2.5.
== Quick HOW-TO ==
- Install the lcas-lcmaps authorization interface and its dependencies (from the [http://repository.egi.eu/category/umd_releases/distribution/umd-3/ UMD3 repository]):
{{{
yum install lcas-lcmaps-gt4-interface.x86_64
yum install lcas-plugins-voms
yum install lcas-plugins-basic
yum install lcmaps-plugins-voms
yum install voms-clients3
yum install lcmaps-plugins-basic
}}}
- create (or copy from another machine) all the necessary vomsdir and related files, e.g.:
{{{
# pwd
/etc/grid-security/vomsdir/gaussian
# cat voms.cyf-kr.edu.pl.lsc
/C=PL/O=GRID/O=Cyfronet/CN=voms.cyf-kr.edu.pl
/C=PL/O=GRID/CN=Polish Grid CA
# cat /etc/vomses/dteam-voms.hellasgrid.gr
"dteam" "voms.hellasgrid.gr" "15004" "/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr" "dteam" "24"
# touch /etc/lcas/lcas.db
# cat /etc/grid-security/grid-mapfile.local
"/C=PL/O=GRID/O=PSNC/CN=qcg-broker/qcg-broker.man.poznan.pl" qcg-broker
"/dteam/Role=NULL/Capability=NULL" .dteam
"/dteam" .dteam
}}}
- edit `/etc/qcg/qcg-comp/qcg-compd.xml` and change the authorization module to `sm:atz_callout`, as shown at the beginning of the document.