Version 11 (modified by mmamonski, 10 years ago) (diff)

--

In version 3.0.X (QCG-Core >= 3.0.1) the QCG-Computing service was enabled for the VOMS (Virtual Organization Membership Service) infrastructure. In practice this means that in addition to plain grid-mapfile authorization it is possible to use pool accounts (as implemented in  LCMAPS). The VOMS support was implement as the new authorization module called atz_callout. Example configuration (qcg-compd.xml) snipped:

                                <sm:Module xsi:type="sm:atz_callout">
                                        <sm:AtzLibraryPath>/usr/lib64/liblcas_lcmaps_gt4_mapping_.so</sm:AtzLibraryPath>
                                </sm:Module>

Configuration options:

  • <Mapfile> - the grid mapfile (default: /etc/grid-security/grid-mapfile),
  • <AtzLibraryPath> - path for the LCAS/LCMAPS callout librart (default: /usr/lib64/liblcas_lcmaps_gt4_mapping_.so ),
  • <CalloutName> - the name of the authorization routine (default: lcmaps_callout).

The QCG-Computing expects that the LCMAPS configuration file can be found in lcmaps/lcmaps-qcg.db (This behavior can be overridden by setting the LCMAPS_DB_FILE environment variable). The content of the file must be similar to:

# where to look for modules
path = YOUR_PATH_FOR_LCMAPS_MODULES


localaccount = "lcmaps_localaccount.mod"
" -gridmapfile /etc/grid-security/grid-mapfile"

poolaccount = "lcmaps_poolaccount.mod"
" -override_inconsistency"
" -gridmapfile /etc/grid-security/grid-mapfile"
" -gridmapdir /etc/grid-security/gridmapdir"

vomslocalgroup = "lcmaps_voms_localgroup.mod"
" -groupmapfile /etc/grid-security/groupmapfile"
" -mapmin 0"

vomslocalaccount = "lcmaps_voms_localaccount.mod"
" -gridmapfile /etc/grid-security/grid-mapfile"
" -use_voms_gid"

vomspoolaccount = "lcmaps_voms_poolaccount.mod"
" -gridmapfile /etc/grid-security/grid-mapfile"
" -gridmapdir /etc/grid-security/gridmapdir"
" -do_not_use_secondary_gids"

# gridftp related code
good = "lcmaps_dummy_good.mod"

# --only-post-verify-checks
# --allow-limited-proxy
# --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>
#   Sets a maximum lifetime for proxy certificate level <level> where <level>
#  can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy # in the chain)

# policies
withvoms:
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> good | vomspoolaccount
vomspoolaccount -> good

standard:
localaccount -> good | poolaccount
poolaccount -> good

This is a copy of the default lcmaps.db file with one major change: instead of posix_enf the no operation good module is used. Rationale: posix_enf drops privilages so the process calling LCMAPS must run with root priivlages, this is case for GridFTP but not the case for the QCG-Computing service which call authorization functions as regular user (usually qcg-comp), dropping privileges is done in a  separate process. The standard lcmaps.db must be preserved if the machine hosts also GridFTP.

To complete the configuration you must add the qcg-comp user to the edguser group which is allowed to alter the /etc/grid-security/gridmapdir/ directory that stores the credential to local pool account mappings.

Important: Due to heavy memory leak caused by dlopening liblcmaps many times the qcg-compd sets LLGT_DLCLOSE_LCMAPS=no in its atz_callout module. However this requires lcas-lcmaps-gt4-interface package to be newer than 0.2.5.

Quick HOW-TO

  • Install lcas-lcmas authorization interface and its dependencies:
    yum install lcas-lcmaps-gt4-interface.x86_64
    yum install lcmaps-plugins-voms
    yum install voms-clients3
    
  • create/copy from other machine all necessary vomsdir files, e.g.:
    # pwd
    /etc/grid-security/vomsdir/gaussian
    # cat voms.cyf-kr.edu.pl.lsc 
    /C=PL/O=GRID/O=Cyfronet/CN=voms.cyf-kr.edu.pl
    /C=PL/O=GRID/CN=Polish Grid CA
    # cat /etc/vomses/dteam-voms.hellasgrid.gr 
    "dteam" "voms.hellasgrid.gr" "15004" "/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr" "dteam" "24"
    # cat /etc/grid-security/grid-mapfile.local 
    "/C=PL/O=GRID/O=PSNC/CN=qcg-broker/qcg-broker.man.poznan.pl" qcg-broker
    
    "/dteam/Role=NULL/Capability=NULL" .dteam
    "/dteam" .dteam
    
    
    
  • edit the /etc/qcg/qcg-comp/qcg-compd.xml