The glexec version should come from the certified patch 1985. This gives version

glexec

• glite-security-glexec-0.5.33-1.slc4.i386.rpm

LCAS & LCMAPS

Install the following set of RPMs from the certified patch number 1830:

LCAS

• glite-security-lcas-1.3.7-2.slc4.i386.rpm
• glite-security-lcas-interface-1.3.6-3.slc4.i386.rpm
• glite-security-lcas-plugins-basic-1.3.2-3.slc4.i386.rpm
• glite-security-lcas-plugins-voms-1.3.4-5.slc4.i386.rpm
• glite-security-lcas-plugins-check-executable-1.2.1-3.slc4.i386.rpm

LCMAPS

• glite-security-lcmaps-1.4.3-4.slc4.i386.rpm
• glite-security-lcmaps-plugins-voms-1.3.7-5.slc4.i386.rpm
• glite-security-lcmaps-plugins-verify-proxy-1.3.2-1.slc4.i386.rpm
• glite-security-lcmaps-plugins-basic-1.3.8-2.slc4.i386.rpm
• glite-security-lcas-lcmaps-gt4-interface-0.0.14-2.slc4.i386.rpm (CE only!)

Location of the gridmapdir and grid-mapfile

Create an NFS export on which to put the gridmapdir and grid-mapfile. This should be mounted on each worker node as /etc/grid-security/ and this is where the gridmapdir and grid-mapfile pool account information will be placed. By centralizing these files within a site i.e. through NFS, the information is consistent across the worker nodes. The mappings are cached (by LCMAPS?) and when a job enters the site with a previously-used proxy the previous mapping is recalled.

Note

The NFS export is not mandatory, but if these files are deployed on a per-worker node basis then any changes need to be propagated to "N" worker nodes simultaneously. If this is not followed then the following situation could arise:

• A job belonging to "JohnDoe" arrives on Worker Node 1 (WN1) and is mapped to pool001 on WN1.
• A job belonging to "JaneDoe" arrives on WN2 and is mapped to pool001 on WN2.
• A job belonging to "JohnDoe" arrives on WN2 and is mapped to pool002 on WN2.

This may cause problems in a shared file system cluster as now JohnDoe as pool002 may not be able to access data in the pool001 directories. Or worse, JohnDoe as pool002 may be able to overwrite JaneDoe's files.

Let us continue with an NFS export which needs to be mounted on each worker node as '/etc/grid-security/'. In this directory the 'gridmapdir' and 'grid-mapfile' pool account information is created. The location of the 'gridmapdir' and 'grid-mapfile' can be changed in the configuration file for LCAS, as the plugin handling the pool accounts may accept a different location. For example:

Configuration files.

The following sections detail the configuration files for the "default" CE installation, glexec on worker node and glexec on worker node in logging mode only. In each case, there are three configuration files needed: glexec.conf,lcmaps.db and lcas.db. The location of glexec.conf is determined at compile-time (/opt/glite/etc/glexec.conf) whereas the location/name of the other two configuration files may be determined in glexec.conf.

A glexec configuration file for the default (CE) case.

A glexec configuration file for deployment on a WN.

A glexec configuration file for deployment on a WN with logging mode only enabled.

-- JohnWhite - 27 Jun 2008