Difference between revisions of "ARC CE Hints"

From GridPP Wiki
Revision as of 19:02, 17 June 2014

Mapping to pool accounts

Argus in combination with lcmaps can be used to map DNs to pool accounts. In the [gridftpd] section of /etc/arc.conf include the following:

unixmap="* lcmaps liblcmaps.so /usr/lib64 /etc/lcmaps/lcmaps.db voms"
unixmap="nobody:nobody all"

The second line above ensures that DNs which are not mapped successfully are mapped to nobody. The LRMS can be configured to not accept jobs from nobody. The file /etc/lcmaps/lcmaps.db is

path = /usr/lib64/lcmaps
verify_proxy = "lcmaps_verify_proxy.mod" "-certdir /etc/grid-security/certificates" "--discard_private_key_absence" "--allow-limited-proxy"
pepc = "lcmaps_c_pep.mod" "--pep-daemon-endpoint-url https://argus.domain:8154/authz" "--resourceid http://authz-interop.org/xacml/resource/resource-type/arc" "--actionid http://glite.org/xacml/action/execute" "--capath /etc/grid-security/certificates/" "--certificate /etc/grid-security/hostcert.pem" "--key /etc/grid-security/hostkey.pem"
# Policies: arc: verify_proxy -> pepc

where argus.domain should be replaced with the hostname of your Argus server. The Argus default policy should contain an appropriate section for the ARC CE, for example:

resource "http://authz-interop.org/xacml/resource/resource-type/arc" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action ".*" {
        rule permit { pfqan="/cms/Role=pilot/Capability=NULL" }
        rule permit { pfqan="/cms/Role=pilot" }
        rule permit { pfqan="/cms/Role=lcgadmin/Capability=NULL" }
        rule permit { pfqan="/cms/Role=lcgadmin" }
        rule permit { pfqan="/cms/Role=production/Capability=NULL" }
        rule permit { pfqan="/cms/Role=production" }
        rule permit { pfqan="/cms/Role=t1production/Capability=NULL" }
        rule permit { pfqan="/cms/Role=t1production" }
        rule permit { pfqan="/cms/Role=t1access/Capability=NULL" }
        rule permit { pfqan="/cms/Role=t1access" }
    }
}
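The three fragments above (the unixmap chain in arc.conf, the pepc module in lcmaps.db and the Argus resource block) only work as a whole when they agree with each other: the fallback to nobody has to be the last unixmap rule, the --resourceid and --actionid handed to the PEP daemon have to match a resource and action block in the Argus policy, and the placeholder hostname has to be gone. The script below is an added example written for this page, not ARC, LCMAPS or Argus code; it parses constructed copies of the three fragments and reports mismatches. It assumes that ARC evaluates unixmap rules in order with the first match winning (which is why the page puts the catch-all second), reads only the one-statement-per-line policy layout shown above, and uses argus.example.org as a made-up hostname.

```python
"""Consistency checks for the ARC CE -> LCMAPS -> Argus mapping chain.

Added example for the wiki page; not part of ARC, LCMAPS or Argus.
The config texts are constructed inline so the script runs offline.
"""
import re
import shlex

# --- constructed sample inputs mirroring the page's fragments ---
ARC_CONF = """\
[common]
hostname="ce.example.org"
[gridftpd]
unixmap="* lcmaps liblcmaps.so /usr/lib64 /etc/lcmaps/lcmaps.db voms"
unixmap="nobody:nobody all"
"""

# argus.example.org is a made-up hostname standing in for the page's argus.domain
LCMAPS_DB = """\
path = /usr/lib64/lcmaps
verify_proxy = "lcmaps_verify_proxy.mod" "-certdir /etc/grid-security/certificates" "--discard_private_key_absence" "--allow-limited-proxy"
pepc = "lcmaps_c_pep.mod" "--pep-daemon-endpoint-url https://argus.example.org:8154/authz" "--resourceid http://authz-interop.org/xacml/resource/resource-type/arc" "--actionid http://glite.org/xacml/action/execute" "--capath /etc/grid-security/certificates/" "--certificate /etc/grid-security/hostcert.pem" "--key /etc/grid-security/hostkey.pem"
# Policies: arc: verify_proxy -> pepc
"""

ARGUS_POLICY = """\
resource "http://authz-interop.org/xacml/resource/resource-type/arc" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action ".*" {
        rule permit { pfqan="/cms/Role=pilot/Capability=NULL" }
        rule permit { pfqan="/cms/Role=pilot" }
    }
}
"""

LOCAL_ENV_MAP = "http://glite.org/xacml/obligation/local-environment-map"


def unixmap_rules(arc_conf, section="gridftpd"):
    """Return the unixmap= values of one [section] of arc.conf, in file order."""
    rules, current = [], None
    for raw in arc_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            current = m.group(1)
            continue
        if current == section and line.startswith("unixmap="):
            rules.append(line[len("unixmap="):].strip().strip('"'))
    return rules


def check_unixmap(rules):
    """Assumption: rules are tried in order, first match wins, so the catch-all must be last."""
    problems = []
    if not any(" lcmaps " in r for r in rules):
        problems.append("no lcmaps unixmap rule in [gridftpd]")
    fallback = [i for i, r in enumerate(rules) if r == "nobody:nobody all"]
    if not fallback:
        problems.append("no nobody:nobody fallback rule")
    elif fallback[0] != len(rules) - 1:
        problems.append("fallback rule is not last; later rules are unreachable")
    return problems


def lcmaps_module_options(lcmaps_db, name):
    """Return {'module': ..., '--flag': value} for a line `name = "mod" "--flag value" ...`."""
    for raw in lcmaps_db.splitlines():
        line = raw.strip()
        key, sep, rest = line.partition("=")
        if line.startswith("#") or not sep or key.strip() != name:
            continue
        tokens = shlex.split(rest)          # each quoted "--flag value" is one token
        opts = {"module": tokens[0]}
        for tok in tokens[1:]:
            flag, _, value = tok.partition(" ")
            opts[flag] = value
        return opts
    return None


def parse_argus_policy(text):
    """Minimal reader for the one-statement-per-line simplified policy layout used above."""
    resources, res, act = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'resource\s+"([^"]+)"\s*\{', line):
            res = {"resource": m.group(1), "obligations": [], "actions": []}
            resources.append(res)
        elif (m := re.match(r'obligation\s+"([^"]+)"', line)) and res is not None:
            res["obligations"].append(m.group(1))
        elif (m := re.match(r'action\s+"([^"]+)"\s*\{', line)) and res is not None:
            act = {"pattern": m.group(1), "permit": []}
            res["actions"].append(act)
        elif (m := re.match(r'rule\s+permit\s*\{\s*pfqan="([^"]+)"', line)) and act is not None:
            act["permit"].append(m.group(1))
    return resources


def check_pep_against_policy(pepc, resources):
    """Cross-check the pepc module's identifiers against the Argus policy."""
    problems = []
    if "argus.domain" in pepc.get("--pep-daemon-endpoint-url", ""):
        problems.append("PEP endpoint still uses the placeholder hostname argus.domain")
    rid, aid = pepc.get("--resourceid"), pepc.get("--actionid", "")
    match = [r for r in resources if r["resource"] == rid]
    if not match:
        return problems + [f"no Argus resource block for {rid}"]
    res = match[0]
    if LOCAL_ENV_MAP not in res["obligations"]:
        problems.append("resource block lacks the local-environment-map obligation")
    actions = [a for a in res["actions"] if re.fullmatch(a["pattern"], aid)]
    if not actions:
        problems.append(f"no action block matches {aid}")
    elif not any(a["permit"] for a in actions):
        problems.append("matching action block permits no FQAN")
    return problems


def run_checks(arc_conf, lcmaps_db, argus_policy):
    """Return a list of problems; an empty list means the three fragments agree."""
    problems = check_unixmap(unixmap_rules(arc_conf))
    pepc = lcmaps_module_options(lcmaps_db, "pepc")
    if pepc is None:
        problems.append("lcmaps.db defines no pepc module")
    else:
        problems += check_pep_against_policy(pepc, parse_argus_policy(argus_policy))
    return problems


if __name__ == "__main__":
    print(run_checks(ARC_CONF, LCMAPS_DB, ARGUS_POLICY) or "configuration fragments agree")
```

To use it on a real CE, replace the three string constants with the contents of /etc/arc.conf, /etc/lcmaps/lcmaps.db and the Argus policy file; the unixmap check is also worth running after any edit to [gridftpd], since a rule placed after the catch-all is silently never reached.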