Difference between revisions of "ARC CE Hints"
From GridPP Wiki
(→Mapping to pool accounts) |
|||
Line 19: | Line 19: | ||
arc: | arc: | ||
verify_proxy -> pepc | verify_proxy -> pepc | ||
− | where ''argus.domain'' should be replace with the hostname of your Argus server. | + | where ''argus.domain'' should be replace with the hostname of your Argus server. The Argus default policy should contain an appropriate section for the ARC CE, for example: |
+ | resource "http://authz-interop.org/xacml/resource/resource-type/arc" { | ||
+ | obligation | ||
+ | "http://glite.org/xacml/obligation/local-environment-map" {} | ||
+ | action ".*" { | ||
+ | rule permit { pfqan="/cms/Role=pilot/Capability=NULL" } | ||
+ | rule permit { pfqan="/cms/Role=pilot" } | ||
+ | rule permit { pfqan="/cms/Role=lcgadmin/Capability=NULL" } | ||
+ | rule permit { pfqan="/cms/Role=lcgadmin" } | ||
+ | rule permit { pfqan="/cms/Role=production/Capability=NULL" } | ||
+ | rule permit { pfqan="/cms/Role=production" } | ||
+ | rule permit { pfqan="/cms/Role=t1production/Capability=NULL" } | ||
+ | rule permit { pfqan="/cms/Role=t1production" } | ||
+ | rule permit { pfqan="/cms/Role=t1access/Capability=NULL" } | ||
+ | rule permit { pfqan="/cms/Role=t1access" } | ||
+ | } | ||
+ | } |
Revision as of 18:58, 17 June 2014
Mapping to pool accounts
Argus in combination with lcmaps can be used to map DNs to pool accounts. In the [gridftpd] section of /etc/arc.conf include the following:
unixmap="* lcmaps liblcmaps.so /usr/lib64 /etc/lcmaps/lcmaps.db voms" unixmap="nobody:nobody all"
where /etc/lcmaps/lcmaps.db is
path = /usr/lib64/lcmaps
verify_proxy = "lcmaps_verify_proxy.mod" "-certdir /etc/grid-security/certificates" "--discard_private_key_absence" "--allow-limited-proxy"
pepc = "lcmaps_c_pep.mod" "--pep-daemon-endpoint-url https://argus.domain:8154/authz" "--resourceid http://authz-interop.org/xacml/resource/resource-type/arc" "--actionid http://glite.org/xacml/action/execute" "--capath /etc/grid-security/certificates/" "--certificate /etc/grid-security/hostcert.pem" "--key /etc/grid-security/hostkey.pem"
# Policies: arc: verify_proxy -> pepc
where argus.domain should be replace with the hostname of your Argus server. The Argus default policy should contain an appropriate section for the ARC CE, for example:
resource "http://authz-interop.org/xacml/resource/resource-type/arc" { obligation "http://glite.org/xacml/obligation/local-environment-map" {} action ".*" { rule permit { pfqan="/cms/Role=pilot/Capability=NULL" } rule permit { pfqan="/cms/Role=pilot" } rule permit { pfqan="/cms/Role=lcgadmin/Capability=NULL" } rule permit { pfqan="/cms/Role=lcgadmin" } rule permit { pfqan="/cms/Role=production/Capability=NULL" } rule permit { pfqan="/cms/Role=production" } rule permit { pfqan="/cms/Role=t1production/Capability=NULL" } rule permit { pfqan="/cms/Role=t1production" } rule permit { pfqan="/cms/Role=t1access/Capability=NULL" } rule permit { pfqan="/cms/Role=t1access" } } }