Testing glexec on the worker node using YAIM

The text below is outdated and needs to be revised. In the meantime, a test suite for the YAIM functions is being developed. (See the attachment.) The full suite can be run (as root) with Dejagnu. It contains a limited set of tests, but adding more tests is now rather simple. All tests can be run standalone even without Dejagnu.

Be aware that these tests do not fully cover the functionality of the YAIM scripts for GLEXEC_wn. Manual testing of the validity of the resulting configuration is necessary.

The glexec on the worker node scenario is meant especially for pilot job frameworks; the user identity switching powers of glexec are called on to change the pilot user to the real user, as soon as the job has fetched the real user's payload and the real user's proxy.

Even within this specific scenario, there are six different deployment cases that need to be tested, selected by three main choices:

  1. whether or not to use SCAS instead of a local LCAS/LCMAPS configuration
  2. whether or not to install glexec in setuid mode (the other mode is called logging-only)
  3. whether to log to syslog or to specific logfiles (logging-only mode must use syslog)

The following snippet can be used in your site-info.def to fiddle with these choices.

# glexec related variables

# Define this variable to configure the glexec to work against a SCAS server.
# - yes : means you want to use a SCAS server and therefore you need to define:
#         - SCAS_HOST="scas server hostname"
#         - SCAS_PORT="scas server port"
# - no  : means you don't want to use any SCAS server.


# Define this variable to configure the operation mode of glexec in your WN.
# The possibilities are:
# - setuid   : it will actually enable glexec to do the identity change
# - log-only : it won't do any identity change. If you select log-only, it
#              doesn't matter whether SCAS is enabled or not. It isn't used.
#GLEXEC_WN_OPMODE="setuid or log-only"           

# Optional variable to tell glexec where to send the glexec logging information.
# There are two values: 'syslog' and 'file'. The default is 'syslog'
# The value 'syslog' puts all messages in the syslog
# and 'file' puts the messages in a file.
# Define this variable if you want to specify a file.
# For value 'file' define GLEXEC_WN_LOG_FILE as well.
# REMEMBER that for log-only mode, 'syslog' should be used !
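
As an added example (not part of the original page or of YAIM), the following shell function checks a site-info.def against the constraints stated in the comments above before YAIM is run. check_glexec_wn is a hypothetical helper, GLEXEC_WN_SCAS_ENABLED and GLEXEC_WN_LOG_DESTINATION are assumed names for the two variables the snippet describes without naming, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: pre-flight check of the glexec WN choices before running YAIM.
# check_glexec_wn is a hypothetical helper. GLEXEC_WN_SCAS_ENABLED and
# GLEXEC_WN_LOG_DESTINATION are assumed variable names (not shown on this page).
check_glexec_wn() (
    # Subshell body: the file is sourced (it is shell, as YAIM treats it), so
    # only check files you trust; nothing leaks back into the calling shell.
    [ -r "$1" ] || { echo "cannot read $1"; exit 2; }
    case "$1" in */*) f=$1 ;; *) f=./$1 ;; esac   # '.' would search PATH otherwise
    GLEXEC_WN_SCAS_ENABLED='' GLEXEC_WN_OPMODE='' GLEXEC_WN_LOG_DESTINATION=''
    GLEXEC_WN_LOG_FILE='' SCAS_HOST='' SCAS_PORT=''
    . "$f"
    dest=${GLEXEC_WN_LOG_DESTINATION:-syslog}    # the default is syslog
    rc=0
    case "$GLEXEC_WN_OPMODE" in
        setuid|log-only) ;;
        *) echo "GLEXEC_WN_OPMODE must be 'setuid' or 'log-only'"; rc=1 ;;
    esac
    case "$dest" in
        syslog) ;;
        file) [ -n "$GLEXEC_WN_LOG_FILE" ] ||
                  { echo "log destination 'file' needs GLEXEC_WN_LOG_FILE"; rc=1; } ;;
        *) echo "log destination must be 'syslog' or 'file'"; rc=1 ;;
    esac
    if [ "$GLEXEC_WN_OPMODE" = log-only ] && [ "$dest" != syslog ]; then
        echo "log-only mode must log to syslog"; rc=1
    fi
    # SCAS is not used in log-only mode, so it is only checked for setuid.
    if [ "$GLEXEC_WN_OPMODE" = setuid ]; then
        case "$GLEXEC_WN_SCAS_ENABLED" in
            yes) { [ -n "$SCAS_HOST" ] && [ -n "$SCAS_PORT" ]; } ||
                     { echo "SCAS enabled: SCAS_HOST and SCAS_PORT are required"; rc=1; } ;;
            no) ;;
            *) echo "SCAS choice must be 'yes' or 'no'"; rc=1 ;;
        esac
    fi
    exit "$rc"
)

# Constructed sample: log-only combined with file logging, which is rejected.
sample=$(mktemp)
printf '%s\n' 'GLEXEC_WN_OPMODE="log-only"' \
    'GLEXEC_WN_LOG_DESTINATION="file"' \
    'GLEXEC_WN_LOG_FILE="/var/log/glexec.log"' > "$sample"   # constructed path
check_glexec_wn "$sample" || echo "fix site-info.def before running YAIM"
rm -f "$sample"
```
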

To test glexec, configure it with YAIM. After making the desired settings with the above variables, run YAIM like this:

/opt/glite/yaim/bin/yaim -c -s site-info.def -n WN -n glite-GLEXEC_wn

Then log in to the machine as one of the whitelisted users. Install a valid proxy in and point to it:

export GLEXEC_CLIENT_CERT=your-proxy-file

Then run a simple test:

/opt/glite/sbin/glexec /usr/bin/id

This should return the output of the id command with the identity of the user you've been mapped to, but very likely you've made a mistake and the message is simply:

glexec was unable to execute the request. See glexec log for more details.

Follow that advice! If you set logging to file, inspect the logfiles for both glexec and lcas-lcmaps. If you set logging to syslog only, check /var/log/messages. You may increase the verbosity by setting a higher value for the log_level, lcmaps_log_level and lcas_log_level in /opt/glite/etc/glexec.conf.

-- DennisVanDok - 19 Jan 2009

Topic attachments
testsuite.tar.gz (r1, 6.5 K, 2009-11-16 16:05, DennisvdExternal): testsuite for GLEXEC_wn YAIM functions
Topic revision: r3 - 2009-11-17 - DennisvdExternal