LCMAPS v.1.4.29

Release Notes

What's new

  • LCMAPS framework:
    • Fixed a memory cleanup problem when using VOMS Generic Attributes.
    • Adds a SIGPIPE handler that prints the caught signal. This matters when the VOMS API, the SCAS-Client plugin or another plugin can trigger a SIGPIPE without handling it locally. The SIGPIPE handler is set at the beginning of each run and removed after each run, i.e. not in the initialization or terminate sequences.
    • Fixed signed/unsigned conflicts and recursion issues in the parsing routines that fulfil rules and policies. This problem was hard to exploit, but a bug nonetheless (unless somebody went beyond 2^31 plugins and policies).
    • Fixed the poolindex interface to LCMAPS. A symbol would not have been resolved at run time, as it was deprecated last year. Only used by the Globus DAS/Workspace Service interfacing (to the best of our knowledge).
    • Fixed a problem in the logging facility during the initialization phase: the value was always overridden by the next call. The overridden call has been removed, which may be relevant to Savannah bug #61772.

    • Found a more generic location for the printCredData function, which logs the credential data that led to a particular mapping decision.
    • (Almost) all public functions are now prefixed with "lcmaps_" to avoid symbol clashes.
    • Update for single lcmaps-interface for both lcmaps types.
    • Use enable_gsi_mode directly instead of lcmaps_gsi_mode
    • Default paths in LCMAPS are set at build time. All hardcoded paths into /opt/glite or (in some places) /opt/edg are removed.
    • /etc/lcmaps/lcmaps.db will be the new default path to a lcmaps.db file. Use ${LCMAPS_DB_FILE} to override or the ./configure options.
    • Building lcmaps-without-gsi doesn't require Globus libraries during the build and linking of this LCMAPS flavor.
    • New ./configure option --with-voms-prefix replaces --with-glite-location; glite.m4 is no longer necessary, since the lookup uses --libdir and system defaults.
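As an added illustration of the per-run SIGPIPE guard described above (this is not code from LCMAPS itself; names such as lcmaps_run_with_sigpipe_guard are hypothetical): the handler is installed just before a run and removed right after it, and a constructed misbehaving plugin that writes to a closed pipe shows that the SIGPIPE no longer kills the process.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Hypothetical names; this is not the LCMAPS framework's own code. */
static volatile sig_atomic_t lcmaps_caught_signal = 0;

/* Only record the signal: printing inside a handler is not async-signal-safe. */
static void lcmaps_sigpipe_handler(int signo) { lcmaps_caught_signal = signo; }
/* Install the SIGPIPE handler for one run only (not in the initialization or
 * terminate sequences), restore the previous disposition afterwards and report
 * what was caught. Returns the run callback's return value, or -1. */
int lcmaps_run_with_sigpipe_guard(int (*run)(void *), void *arg)
{
    struct sigaction sa, old;
    int rc;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = lcmaps_sigpipe_handler;
    sigemptyset(&sa.sa_mask);
    lcmaps_caught_signal = 0;
    if (sigaction(SIGPIPE, &sa, &old) != 0)
        return -1;
    rc = run(arg);
    sigaction(SIGPIPE, &old, NULL);          /* remove the per-run handler */
    if (lcmaps_caught_signal)
        fprintf(stderr, "lcmaps: caught signal %d during run\n", (int)lcmaps_caught_signal);
    return rc;
}

/* Constructed misbehaving plugin: writes to a pipe whose read end is already
 * closed, which raises SIGPIPE. Returns 1 if the write failed with EPIPE. */
int demo_plugin_writes_to_closed_pipe(void *arg)
{
    int fds[2], seen_epipe;
    (void)arg;
    pipe(fds);
    close(fds[0]);
    seen_epipe = (write(fds[1], "x", 1) < 0 && errno == EPIPE);
    close(fds[1]);
    return seen_epipe;
}

/* 1 if SIGPIPE has its default disposition (i.e. the guard was removed). */
int sigpipe_is_default(void)
{
    struct sigaction cur;
    return sigaction(SIGPIPE, NULL, &cur) == 0 && cur.sa_handler == SIG_DFL;
}
```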

  • API extensions:
    • Function: int lcmaps_get_major_version (void);
    • Function: int lcmaps_get_minor_version (void);
    • Function: int lcmaps_get_patch_version (void);
    • Function: lcmaps_disable_voms_attributes_verification
      Description: Disables the verification in the VOMS API.
    • Function: lcmaps_enable_voms_attributes_verification
      Description: Enables the verification in the VOMS API (default).
    • Function: lcmaps_is_set_to_verify_voms_attributes
      Description: Returns the current setting (enabled or disabled) for verification of the VOMS credentials by the VOMS API.
    • Function: lcmaps_run_with_stack_of_x509_and_return_account
      Description: LCMAPS runs receiving a certificate chain containing at least an End-Entity Certificate. A list of policies may be provided. The allocated uid, gids and the poolindex are returned to the calling application.

  • For all LCMAPS plugins:
    • Updated the gridmapfile and gridmapdir code to signal in the logfile that the gridmapdir is not set up properly or is full. This message was previously lost. Updated all other localaccount and poolaccount plug-in logging as well, to be less verbose and to the point for debugging purposes.

  • Plugin lcmaps-plugins-basic - Dummy Good plugin:
    • The dummy plugin "good" is transformed into something more than just a dummy: it can now provide a static account selection/mapping.
    • Configuration options:
      • --dummy-uid
      • --dummy-gid
      • --dummy-sec-gid (Note: only ONE secondary GID can be configured.)
      • --dummy-username
      • --dummy-group
      • --dummy-sec-group

  • Plugin lcmaps-plugins-tracking-groupid (NEW) - GGUS ticket #69159:
    • The goal of this new LCMAPS plugin is to preserve Batch System (e.g. SGE and Condor) issued Tracking Group IDs between the Pilot Job and Payload context in a Multi User Pilot Job environment. Especially useful for batch systems that use the Tracking Group ID feature of Condor and Sun Grid Engine / Oracle Grid Engine.
    • Configuration line in lcmaps.db:
      tracking_groupid = "lcmaps_tracking_groupid.mod" "--tracking-groupid-min MINGID" "--tracking-groupid-max MAXGID"
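An added example, not the plugin's own code, of the logic a tracking-group-ID plugin needs: pick the GID that lies in the configured min/max range out of the pilot's supplementary groups, then carry it over into the payload account's group list. The function names, the range and the group values are constructed for illustration; treating two distinct in-range GIDs as an error is an assumption made here.

```c
#include <stddef.h>
#include <sys/types.h>

#define NO_GID ((gid_t)-1)   /* "no tracking GID found" sentinel (assumption) */

/* Find the batch-system tracking GID among the pilot's supplementary groups:
 * the one GID within [min, max], the range given by --tracking-groupid-min
 * and --tracking-groupid-max. Returns NO_GID if none is present, or if two
 * distinct in-range GIDs make the choice ambiguous (an assumption here). */
gid_t find_tracking_gid(const gid_t *groups, size_t n, gid_t min, gid_t max)
{
    gid_t found = NO_GID;
    for (size_t i = 0; i < n; i++) {
        if (groups[i] < min || groups[i] > max)
            continue;
        if (found != NO_GID && found != groups[i])
            return NO_GID;
        found = groups[i];
    }
    return found;
}

/* Build the payload's supplementary group list: the payload account's own
 * groups plus the preserved tracking GID, without duplicates. Returns the
 * number of entries written to out, or -1 if cap is too small. */
int preserve_tracking_gid(const gid_t *payload, size_t np, gid_t tracking,
                          gid_t *out, size_t cap)
{
    size_t n = 0;
    int present = 0;
    for (size_t i = 0; i < np; i++) {
        if (n >= cap)
            return -1;
        if (payload[i] == tracking)
            present = 1;
        out[n++] = payload[i];
    }
    if (tracking != NO_GID && !present) {
        if (n >= cap)
            return -1;
        out[n++] = tracking;
    }
    return (int)n;
}
```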

  • Plugin lcmaps-plugins-verify-proxy:
    • Fixed the Proxy Life Time Policy enforcement functionality.
    • Fixed the VOMS Life Time Policy enforcement functionality.
    • To cope with Subordinate CAs, the verification depth has been extended so that it can hold the certificate chain (which may contain many delegations) plus all the CA certificates, which might not be part of the certificate chain itself but would still be found by the X509 CA directory lookup functions. OpenSSL uses a default depth of 9.
    • Resurrected an option under a different name: --only-enforce-lifetime-checks. When this option is set, the verification routines are skipped and only the proxy and/or VOMS lifetime policies are enforced. This is useful for GT4/5 tools like GridFTPd and the Gatekeeper, as they already perform full authentication on the SSL layer. In gLExec this plug-in MUST run in full mode.

  • Plugin lcmaps-plugins-scas-client:
    • Fixed file descriptor leak, found by Brian Bockelman (and team): "This should be used by anyone who calls LCMAPS repeatedly in the same process (i.e., you don't really need this for glexec or xinetd-based gridftp); it currently leaks two file descriptors per invocation. This was problematic in Xrootd. [...] Thanks to Matevz for making me look into this."
    • Fixed memory leaks found by Brian Bockelman in xrootd. These were mostly structs and objects that were not freed during cleanup.
    • Updated the manpage to reflect the new features.
    • The "overriding hostname" message in the xacml_io_ssl.c file is now logged at the debug level instead of the error level.
    • Exposed the override of the expected hostname in the new option "--override-expected-hostname".
    • Fixes a problem when interacting with the GUMS service. The check to see whether an essential Obligation Handler has fired did not cover the case where the GUMS service replied with the Username OH. This is now fixed.
    • Fixed a segfault when the FQDN in the URL does not match a dnsAltName entry while dnsAltNames are present. The mismatch caused the post-connection check to fail and the SSL connection to be disconnected.

    • Added new configuration options:
      • --override-expected-hostname
        This option overrides the expected hostname of the service it connects to. The service must still present a valid host certificate, but during validation of the hostname against the certificate the configured string is used as the expected host that is OK to communicate with.
      • --authorization-only
        Skip the requirement for Obligations and do authorization only (used by SAZ).
      • --enable-poolindex-fix
        Adds a fake poolindex to the LCMAPS framework, to cope with LCMAPS 1.4.6 and older.
      • --cert-owner
        This is an optional parameter, mostly relevant for sites that use gLExec with host certificates to authenticate the SSL connection to GUMS, SCAS or another service.
    • API extensions:
      • Function: get_hostname_to_match_client_cert
        Description: Gets the hostname string that the peer certificate must match. If this cannot be matched automatically, this feature can be used to do so.
      • Function: set_hostname_to_match_client_cert
        Description: Sets the hostname string that the peer certificate must match. If this cannot be matched automatically, this feature can be used to do so.
      • Function: free_hostname_to_match_client_cert
        Description: Frees the hostname string that the peer certificate must match, as set with set_hostname_to_match_client_cert.

  • Plugin lcmaps-plugins-jobrepository:
    • Resurrected an old plugin that logs the LCMAPS mapping state into a relational database schema, for gathering detailed account mapping information.

  • SAML2-XACML2-C-LIB library:
    • Shipping updated gSOAP 2.7.17 internally to generate the XACML client and service library.
    • Supports multi-threading on the service side, which speeds up the library significantly. Benchmarked at a sustained 1 kHz rate of full SAML2-XACML2 protocol marshal/unmarshal plus processing in various plug-ins (grid-mapfile, for example).

  • Generic to all components:
    • Adjusted to work with EPEL, EMI and gLite packages as well as native system library installations.
    • Cleanup of unused files and support for a distribution tarball.
    • Provide pkg-config files.
    • All LCMAPS public header files are in ${includeDir}/lcmaps/*.h

Deployment notes

  • Run ldconfig after each update, as the packages don't seem to do this by themselves.
  • It is recommended to restart all services. gLExec is an exception, as it is not a service.

Known issues

  • This version of C-PEP needs to be tested more on root-squashed environments.
  • The verify-proxy plugin fails to verify Terena eScience Personal certificate chains deeper than 5 certificates: 5 is OK, 6 is not.

List of RFCs

-- MarcelinaBorcz - 11-May-2011

Topic revision: r2 - 2011-05-12 - EmidloGiorgioExCern