Version 8 (modified by mmamonski, 11 years ago) (diff) |
---|
In version 3.0.X (QCG-Core >= 3.0.1) the QCG-Computing service was enabled for the VOMS (Virtual Organization Membership Service) infrastructure. In practice this means that in addition to plain grid-mapfile authorization it is possible to use pool accounts (as implemented in LCMAPS). The VOMS support was implement as the new authorization module called atz_callout. Example configuration (qcg-compd.xml) snipped:
<sm:Module xsi:type="sm:atz_callout"> <sm:AtzLibraryPath>/usr/lib64/liblcas_lcmaps_gt4_mapping_.so</sm:AtzLibraryPath> </sm:Module>
Configuration options:
- <Mapfile> - the grid mapfile (default: /etc/grid-security/grid-mapfile),
- <AtzLibraryPath> - path for the LCAS/LCMAPS callout librart (default: /usr/lib64/liblcas_lcmaps_gt4_mapping_.so ),
- <CalloutName> - the name of the authorization routine (default: lcmaps_callout).
The QCG-Computing expects that the LCMAPS configuration file can be found in lcmaps/lcmaps-qcg.db (This behavior can be overridden by setting the LCMAPS_DB_FILE environment variable). The content of the file must be similar to:
# where to look for modules path = YOUR_PATH_FOR_LCMAPS_MODULES localaccount = "lcmaps_localaccount.mod" " -gridmapfile /etc/grid-security/grid-mapfile" poolaccount = "lcmaps_poolaccount.mod" " -override_inconsistency" " -gridmapfile /etc/grid-security/grid-mapfile" " -gridmapdir /etc/grid-security/gridmapdir" vomslocalgroup = "lcmaps_voms_localgroup.mod" " -groupmapfile /etc/grid-security/groupmapfile" " -mapmin 0" vomslocalaccount = "lcmaps_voms_localaccount.mod" " -gridmapfile /etc/grid-security/grid-mapfile" " -use_voms_gid" vomspoolaccount = "lcmaps_voms_poolaccount.mod" " -gridmapfile /etc/grid-security/grid-mapfile" " -gridmapdir /etc/grid-security/gridmapdir" " -do_not_use_secondary_gids" # gridftp related code good = "lcmaps_dummy_good.mod" # --only-post-verify-checks # --allow-limited-proxy # --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37> # Sets a maximum lifetime for proxy certificate level <level> where <level> # can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy # in the chain) # policies withvoms: vomslocalgroup -> vomslocalaccount vomslocalaccount -> good | vomspoolaccount vomspoolaccount -> good standard: localaccount -> good | poolaccount poolaccount -> good
This is a copy of the default lcmaps.db file with one major change: instead of posix_enf the no operation good module is used. Rationale: posix_enf drops privilages so the process calling LCMAPS must run with root priivlages, this is case for GridFTP but not the case for the QCG-Computing service which call authorization functions as regular user (usually qcg-comp), dropping privileges is done in a separate process. The standard lcmaps.db must be preserved if the machine hosts also GridFTP.
To complete the configuration you must add the qcg-comp user to the edguser group which is allowed to alter the /etc/grid-security/gridmapdir/ directory that stores the credential to local pool account mappings.
Important: Due to heavy memory leak caused by dlopening liblcmaps many times the qcg-compd sets LLGT_DLCLOSE_LCMAPS=no in its atz_callout module. However this requires lcas-lcmaps-gt4-interface package to be newer than 0.2.5.