Configuration files for the Worker Node (WN) case with logging only.

This page gives the configuration files for the glexec running in not-necessarily privileged mode and performing logging only and no identity swtiching.

On the WN:

Install a user account glexec.
Set its shell to /sbin/nologin
Please set its ownership to: chown root:glexec /opt/glite/sbin/glexec
Set the file permissions to: chmod 6555 /opt/glite/sbin/glexec

To be installed at /opt/glite/etc/glexec.conf (hard-coded at the glexec compile time for security).

The glexec.conf file ownership must be root.glexec.
The glexec.conf file permissions must be 0640.

An example glexec configuration file.
#
#  Glexec configuration file
#
[glexec]
silent_logging                   = no
log_destination                  = syslog
log_level                        = 0
user_white_list                  = .pool
preserve_env_variables           =
linger                           = yes
user_identity_switch_by          = lcmaps

The last line of the above glexec configuration file gives the task of the "identity switch" to LCMAPS and not to glexec.

The file above assumes that the lcas and lcmaps configuration files are in default places (/opt/glite/etc/lcas/lcas-glexec.db and /opt/glite/etc/lcmaps/lcmaps-glexec.db). If you want to override the default locations, add the following lines to the configuration file.

lcas_db_file    = <path>/lcas-glexec.db
lcmaps_db_file  = <path>/lcmaps-glexec.db

Corresponding LCMAPS configuration file

# LCMAPS policy file/plugin definition
# Written by: Oscar Koeroo - okoeroo * at * nikhef * dot * nl
# Configuration file is specialized for the gLExec on WN
# This configuration for LCMAPS assumes that the process is running with (effective) root privileges.

# default path for the modules
path = /opt/glite/lib/modules

# Plugin definitions:
good             = "lcmaps_dummy_good.mod"

verify_proxy     = "lcmaps_verify_proxy.mod"
                   " -certdir /etc/grid-security/certificates/"

# Policies:
# verify_proxy only (logging only)

glexec_get_account:
verify_proxy -> good

The last line above gives the only simple plugin to execute here is the verify_proxy since the LCMAPS is not required to do anything.

-- JohnWhite - 14 Aug 2008

Edit | Attach | Watch | Print version | History: r5 < r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r5 - 2008-08-21 - JoniHahkala
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EGEE All webs login

This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright & by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Ask a support question or Send feedback