Difference between revisions of "ARC CE Hints"

Revision as of 18:58, 17 June 2014

Mapping to pool accounts

Argus in combination with lcmaps can be used to map DNs to pool accounts. In the [gridftpd] section of /etc/arc.conf include the following:

unixmap="* lcmaps liblcmaps.so /usr/lib64 /etc/lcmaps/lcmaps.db voms"
unixmap="nobody:nobody all"

where /etc/lcmaps/lcmaps.db is

path = /usr/lib64/lcmaps

verify_proxy = "lcmaps_verify_proxy.mod"
                    "-certdir /etc/grid-security/certificates"
                    "--discard_private_key_absence"
                    "--allow-limited-proxy"

pepc = "lcmaps_c_pep.mod"
            "--pep-daemon-endpoint-url https://argus.domain:8154/authz"
            "--resourceid http://authz-interop.org/xacml/resource/resource-type/arc"
            "--actionid http://glite.org/xacml/action/execute"
            "--capath /etc/grid-security/certificates/"
            "--certificate /etc/grid-security/hostcert.pem"
            "--key /etc/grid-security/hostkey.pem"

# Policies:
arc:
verify_proxy -> pepc

where argus.domain should be replace with the hostname of your Argus server. The Argus default policy should contain an appropriate section for the ARC CE, for example:

resource "http://authz-interop.org/xacml/resource/resource-type/arc" {
      obligation
"http://glite.org/xacml/obligation/local-environment-map" {}
       action ".*" {
         rule permit { pfqan="/cms/Role=pilot/Capability=NULL" }
         rule permit { pfqan="/cms/Role=pilot" }
         rule permit { pfqan="/cms/Role=lcgadmin/Capability=NULL" }
         rule permit { pfqan="/cms/Role=lcgadmin" }
         rule permit { pfqan="/cms/Role=production/Capability=NULL" }
         rule permit { pfqan="/cms/Role=production" }
         rule permit { pfqan="/cms/Role=t1production/Capability=NULL" }
         rule permit { pfqan="/cms/Role=t1production" }
         rule permit { pfqan="/cms/Role=t1access/Capability=NULL" }
         rule permit { pfqan="/cms/Role=t1access" }
     }
}