Please go to the new GLExec Argus Quick Installation Guide

Configuration files for the Worker Node (WN) case.

This page gives the configuration files for glexec running in privileged mode and performing the identity switching.

On the WN:

Install a user account glexec.
Set its shell to /sbin/nologin.
Set the ownership of the glexec binary: chown root:glexec /opt/glite/sbin/glexec
Set the file permissions of the glexec binary: chmod 6555 /opt/glite/sbin/glexec

To be installed at /opt/glite/etc/glexec.conf (this path is hard-coded at glexec compile time for security).

The glexec.conf file ownership must be root.glexec.
The glexec.conf file permissions must be 0640.

glexec configuration file.

#  Glexec configuration file
silent_logging                   = no
log_destination                  = syslog
log_level                        = 0
user_white_list                  = [to be filled by admin. differs between VOs.]
preserve_env_variables           =
linger                           = yes
user_identity_switch_by          = lcmaps

The default name and location of the following two configuration files are: /opt/glite/etc/lcas/lcas.db and /opt/glite/etc/lcmaps/lcmaps.db. These values may only be changed in the /opt/glite/etc/glexec.conf file by using the following switches:

lcas_db_file    = <path>/<name of db file>
lcmaps_db_file  = <path>/<name of db file>

LCMAPS configuration file.

# LCMAPS policy file/plugin definition
# Written by: Oscar Koeroo - okoeroo * at * nikhef * dot * nl
# Configuration file is specialized for the gLExec on WN
# This configuration for LCMAPS assumes that the process is running with (effective) root privileges.

# default path for the modules
path = /opt/glite/lib/modules

# Plugin definitions:
good             = "lcmaps_dummy_good.mod"

posix_enf        = "lcmaps_posix_enf.mod"
                   " -maxuid 1"
                   " -maxpgid 1"
                   " -maxsgid 32"

localaccount     = "lcmaps_localaccount.mod"
                   " -gridmapfile /etc/grid-security/grid-mapfile"

poolaccount      = "lcmaps_poolaccount.mod"
                   " -override_inconsistency"
                   " -gridmapfile /etc/grid-security/grid-mapfile"
                   " -gridmapdir /etc/grid-security/gridmapdir"

vomslocalgroup   = "lcmaps_voms_localgroup.mod"
                   "-groupmapfile /etc/grid-security/groupmapfile"
                   "-mapmin 0"

vomspoolaccount  = "lcmaps_voms_poolaccount.mod"
                   "-gridmapfile /etc/grid-security/grid-mapfile"
                   "-gridmapdir /etc/grid-security/gridmapdir"

vomslocalaccount = "lcmaps_voms_localaccount.mod"
                   "-gridmapfile /etc/grid-security/grid-mapfile"

verify_proxy     = "lcmaps_verify_proxy.mod"
                   " -certdir /etc/grid-security/certificates/"

### Warning: The false goto state is deliberately not defined in the line "vomspoolaccount -> posix_enf",
###          because the gathered vomslocalgroup information is still in memory.
###          Jumping to another plugin evaluation policy will clear the intermediate mapping results.
###          So in the rare occasion that the vomslocalgroup was successful and the vomspoolaccount
###          failed, you must abandon ship to avoid undesired mappings.

# Policies:
# verify_proxy -> DN-local -> VO-static -> VO-pool -> DN-pool

verify_proxy -> localaccount
localaccount -> posix_enf | vomslocalgroup
vomslocalgroup -> vomslocalaccount | poolaccount
vomslocalaccount -> posix_enf | vomspoolaccount
vomspoolaccount -> posix_enf
poolaccount -> posix_enf
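To make the policy lines concrete, the following is an added example (not part of this page and not code from LCMAPS itself) that walks the policy graph above in POSIX shell. In lcmaps.db, a line `A -> B | C` means: if plugin A succeeds, evaluate B next; if it fails, evaluate C. A plugin whose line has no failure branch ends the evaluation without any mapping when it fails, and a succeeding plugin with no successor line (here posix_enf) completes the mapping. The set of plugins that "succeed" in each run is a constructed input standing in for what the real plugins would decide from the proxy and the map files; the function returns the evaluation path and whether the job would be mapped or denied.

```shell
#!/bin/sh
# Added example: simulate LCMAPS policy evaluation for the gLExec WN policy on this page.
# $1 = plugin name, $2 = constructed space-separated list of plugins that succeed in this run.
plugin_ok() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# lcmaps_walk LIST: walk the policy starting at verify_proxy.
# Prints "<plugin>><plugin>...:MAPPED" and returns 0 when a mapping is enforced,
# or "...:DENIED" and returns 1 when a plugin fails with no failure branch defined.
lcmaps_walk() {
    ok_list=$1
    state=verify_proxy
    path=""
    while :; do
        path="$path$state"
        if plugin_ok "$state" "$ok_list"; then res=t; else res=f; fi
        # One case arm per "A -> B | C" edge of the policy on this page:
        #   A:t -> B (success branch), A:f -> C (failure branch, if defined)
        case "$state:$res" in
            verify_proxy:t)     state=localaccount ;;
            localaccount:t)     state=posix_enf ;;
            localaccount:f)     state=vomslocalgroup ;;
            vomslocalgroup:t)   state=vomslocalaccount ;;
            vomslocalgroup:f)   state=poolaccount ;;
            vomslocalaccount:t) state=posix_enf ;;
            vomslocalaccount:f) state=vomspoolaccount ;;
            vomspoolaccount:t)  state=posix_enf ;;   # no failure branch: see the warning above
            poolaccount:t)      state=posix_enf ;;   # no failure branch
            posix_enf:t)        printf '%s\n' "$path:MAPPED"; return 0 ;;
            *)                  printf '%s\n' "$path:DENIED"; return 1 ;;
        esac
        path="$path>"
    done
}

# Stand-alone demo of the case the warning describes: VOMS group found, but neither the
# static VO account nor the VO pool account mapping succeeds -> denied, no fall-through
# to the DN-based poolaccount plugin.
[ "${1:-}" = "--demo" ] && lcmaps_walk 'verify_proxy vomslocalgroup posix_enf'
```

Running it with --demo prints verify_proxy>localaccount>vomslocalgroup>vomslocalaccount>vomspoolaccount:DENIED, which is the intended outcome of leaving the false branch off the vomspoolaccount line: a failed VO mapping must not silently fall back to a DN-based pool account chosen with stale group information still in memory.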

LCAS configuration file.

Install the following lcas.db at the location defined in glexec.conf (usually /opt/glite/etc/lcas/lcas.db). In the scenario where glexec is installed with the setuid bit enabled, let the lcmaps.db file be owned by root.root with file permissions 0644 or 0640. In the scenario where glexec is installed without the setuid bit enabled (i.e. as a regular executable), let the lcas.db file be owned by root.root with file permissions 0644.


Create an empty file at /opt/glite/etc/lcas/ban_users.db.
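As an added check (not part of the original page), the following POSIX shell script verifies the account, ownership and permission settings this page prescribes for the glexec binary, glexec.conf, lcas.db, lcmaps.db and ban_users.db. It assumes a Linux WN with GNU stat(1) and getent(1), and takes the gLite prefix as an optional argument (default /opt/glite, as on this page). Because the setuid glexec binary trusts these files, a mismatch here is worth treating as a configuration error rather than a warning.

```shell
#!/bin/sh
# Added example: verify the WN file ownership/permission settings described on this page.

# check_mode FILE OWNER GROUP MODES: MODES is a space-separated list of acceptable octal
# modes as printed by GNU stat -c %a (no leading zero, setuid/setgid bits included).
check_mode() {
    file=$1 want_owner=$2 want_group=$3 want_modes=$4
    if [ ! -e "$file" ]; then
        echo "MISSING  $file"
        return 1
    fi
    have=$(stat -c '%U %G %a' "$file") || return 1
    set -- $have            # $1=owner $2=group $3=octal mode
    mode_ok=1
    for m in $want_modes; do
        if [ "$3" = "$m" ]; then mode_ok=0; fi
    done
    if [ "$1" = "$want_owner" ] && [ "$2" = "$want_group" ] && [ "$mode_ok" -eq 0 ]; then
        echo "OK       $file ($1:$2 $3)"
        return 0
    fi
    echo "MISMATCH $file: have $1:$2 $3, want $want_owner:$want_group $want_modes"
    return 1
}

# check_shell USER SHELL: the account must exist and have the given login shell.
check_shell() {
    user=$1 want_shell=$2
    shell=$(getent passwd "$user" | cut -d: -f7)
    if [ -z "$shell" ]; then
        echo "MISSING  account $user"
        return 1
    fi
    if [ "$shell" != "$want_shell" ]; then
        echo "MISMATCH $user shell: have $shell, want $want_shell"
        return 1
    fi
    echo "OK       account $user ($shell)"
    return 0
}

# check_wn [PREFIX]: run every check from this page; returns the number of failures.
check_wn() {
    glite=${1:-/opt/glite}
    fails=0
    check_shell glexec /sbin/nologin                                   || fails=$((fails + 1))
    check_mode "$glite/sbin/glexec"          root glexec "6555"        || fails=$((fails + 1))
    check_mode "$glite/etc/glexec.conf"      root glexec "640"         || fails=$((fails + 1))
    # lcas.db: 0644 (0640 is also accepted by this page for the setuid install).
    check_mode "$glite/etc/lcas/lcas.db"     root root   "644 640"     || fails=$((fails + 1))
    check_mode "$glite/etc/lcmaps/lcmaps.db" root root   "644 640"     || fails=$((fails + 1))
    if [ ! -f "$glite/etc/lcas/ban_users.db" ]; then
        echo "MISSING  $glite/etc/lcas/ban_users.db (create it as an empty file)"
        fails=$((fails + 1))
    fi
    return $fails
}

[ "${1:-}" = "--run" ] && check_wn "${2:-}"
```

Run it as sh check_wn.sh --run [/opt/glite] on the WN after installation; the exit status is the number of failed checks, so it can also be used from a configuration-management post-install hook.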

-- JohnWhite - 14 Aug 2008

Topic revision: r6 - 2012-08-27 - unknown