ARC CE Hints
From GridPP Wiki
Revision as of 19:02, 17 June 2014 by Andrew Lahiff b13e4f09e2
Mapping to pool accounts
Argus in combination with lcmaps can be used to map DNs to pool accounts. In the [gridftpd] section of /etc/arc.conf include the following:
unixmap="* lcmaps liblcmaps.so /usr/lib64 /etc/lcmaps/lcmaps.db voms"
unixmap="nobody:nobody all"
The second line ensures that any DN which the lcmaps call fails to map is mapped to nobody; the LRMS can then be configured to reject jobs submitted as nobody. The file /etc/lcmaps/lcmaps.db is
path = /usr/lib64/lcmaps
verify_proxy = "lcmaps_verify_proxy.mod" "-certdir /etc/grid-security/certificates" "--discard_private_key_absence" "--allow-limited-proxy"
pepc = "lcmaps_c_pep.mod" "--pep-daemon-endpoint-url https://argus.domain:8154/authz" "--resourceid http://authz-interop.org/xacml/resource/resource-type/arc" "--actionid http://glite.org/xacml/action/execute" "--capath /etc/grid-security/certificates/" "--certificate /etc/grid-security/hostcert.pem" "--key /etc/grid-security/hostkey.pem"
# Policies:
arc:
verify_proxy -> pepc
where argus.domain should be replaced with the hostname of your Argus server. The Argus default policy should contain an appropriate section for the ARC CE, for example:
resource "http://authz-interop.org/xacml/resource/resource-type/arc" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action ".*" {
        rule permit { pfqan="/cms/Role=pilot/Capability=NULL" }
        rule permit { pfqan="/cms/Role=pilot" }
        rule permit { pfqan="/cms/Role=lcgadmin/Capability=NULL" }
        rule permit { pfqan="/cms/Role=lcgadmin" }
        rule permit { pfqan="/cms/Role=production/Capability=NULL" }
        rule permit { pfqan="/cms/Role=production" }
        rule permit { pfqan="/cms/Role=t1production/Capability=NULL" }
        rule permit { pfqan="/cms/Role=t1production" }
        rule permit { pfqan="/cms/Role=t1access/Capability=NULL" }
        rule permit { pfqan="/cms/Role=t1access" }
    }
}
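To check what a policy like this will permit before it goes into the Argus PAP, here is an added example (not from the GridPP wiki, Argus or ARC) of a small Python evaluator for the subset of the simplified policy language used above: it parses the resource/obligation/action/rule blocks and applies the first matching rule, defaulting to deny. It assumes pfqan is compared as an exact string (which is why the policy above lists every role both with and without /Capability=NULL); the action id used is the --actionid from the pepc line.

```python
import re
# Constructed sample policy (Argus simplified policy language): the page's ARC CE
# section cut down to two roles, plus a deny rule to exercise both effects.
SAMPLE_POLICY = '''
resource "http://authz-interop.org/xacml/resource/resource-type/arc" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action ".*" {
        rule permit { pfqan="/cms/Role=pilot/Capability=NULL" }
        rule permit { pfqan="/cms/Role=pilot" }
        rule deny { pfqan="/cms/Role=production" }
    }
}
'''
TOKEN_RE = re.compile(r'"[^"]*"|\{|\}|[^\s{}]+')  # quoted string, brace, or bare word

def parse_policy(text):
    """Return [(resource_id, [(action_regex, [(effect, pfqan), ...]), ...]), ...]."""
    toks, pos, resources = TOKEN_RE.findall(text), 0, []
    def take(expected=None):  # consume one token, optionally checking it
        nonlocal pos
        tok = toks[pos]
        if expected not in (None, tok): raise ValueError(f"expected {expected!r}, got {tok!r}")
        pos += 1
        return tok.strip('"')
    while pos < len(toks):
        take('resource'); rid = take(); take('{'); actions = []
        while toks[pos] != '}':
            if toks[pos] == 'obligation':  # obligations never change permit/deny
                take(); take(); take('{'); take('}'); continue
            take('action'); pat = take(); take('{'); rules = []
            while toks[pos] != '}':
                take('rule'); effect = take(); take('{')
                attr, _, value = take().partition('=')
                if effect not in ('permit', 'deny') or attr != 'pfqan':
                    raise ValueError(f"unsupported rule: {effect} {attr}")
                rules.append((effect, value.strip('"'))); take('}')
            take('}'); actions.append((pat, rules))
        take('}'); resources.append((rid, actions))
    return resources

def evaluate(policy, resource, action, pfqan):
    """First matching rule decides; no match means deny, i.e. the unixmap "nobody" fallback."""
    for rid, actions in policy:
        for pat, rules in (actions if rid == resource else []):
            if re.fullmatch(pat, action):
                for effect, wanted in rules:
                    if wanted == pfqan:  # assumed exact match, hence both Capability forms above
                        return effect
    return 'deny'
```

A plain VO member with primary FQAN /cms is denied by this policy, so such a credential would land on the nobody mapping rather than a pool account.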