LFC 1.4.5

The LFC version 1.4.5 supports :

  • virtual uids and gids
  • VOMS

It means that whenever and wherever you access the LFC, you are always mapped to the same virtual uid. A given group or VOMS role is always mapped to the same virtual gid.

Thus, with this version of the LFC, ACLs are fully operational when pool accounts are used.

Everything below is handled automatically by YAIM.


Installation from scratch

Here is how to install the LFC version 1.4.5.

Follow the LFC Admin Guide

See https://twiki.cern.ch/twiki/bin/view/LCG/LfcAdminGuide

Add the supported VOs/groups

The step lfc-chown root:VO /grid/VO will not work unless you explicitly add the VO group id in the LFC :

$ lfc-entergrpmap --group <VO_name>

For instance :

$ lfc-entergrpmap --group atlas

This command will automatically assign a gid to the given VO. There is no need to specify "--gid" (in particular, there is absolutely no relation between the unix gid and the LFC gid).


Upgrade from LFC version < 1.4.0

Here is the procedure to upgrade the LFC to version 1.4.5.

Important

The LFC server has to be upgraded before the LFC clients.

An old client (version < 1.4.0) will work with a new server (>= 1.4.0). But a new client (>= 1.4.0) will not work with an old server (< 1.4.0).

Install the new RPMs

First, upgrade the RPMs :

$ rpm -Uvh LFC-client-1.4.5-1_sl3.i386.rpm
$ rpm -Uvh LFC-server-mysql-1.4.5-1_sl3.i386.rpm
$ rpm -Uvh LFC-interfaces-1.4.5-1_sl3.i386.rpm

And install the dependencies :

  • lcg-dm-common-1.4.5-1_sl3.i386.rpm
  • voms-api-gcc32dbgpthr-_gcc3_2_2-1.5.4-1_sl3.i386.rpm
  • voms-api_gcc3_2_2-1.5.4-1_sl3.i386.rpm
  • glite-security-voms-api-c-1.6.10-0.i386.rpm

But don't restart the LFC daemon.

Migrate to version 1.4.5

The script you have to run will :

  • create a file containing the (group id <-> group name) mappings. Check this file to see if the information is correct
  • migrate the database schema (two new tables will be created)
  • create the DN <-> existing groups mappings in the database

A specific grid-mapfile also has to be created. This is taken care of automatically by YAIM.

Note : The mappings for the users and future groups will be automatically created by the LFC.

The script comes with the LFC-server RPM and is located in /opt/lcg/share/LFC/LFC-migration-1.4.0/.

Mysql

Run the script as follows :

./create-uid-gid-mappings.sh --mysql --user <lfc_user> --password-file "/path/to/password/file" --database <mysql_database> --verbose

For instance :

./create-uid-gid-mappings.sh --mysql --user lfc --password-file "/file/to/delete/password" --database cns_db --verbose

Note : The file containing the LFC user password should be protected, and deleted afterwards.

Oracle

Run the script as follows :

./create-uid-gid-mappings.sh --oracle --user <lfc_user> --password-file "/path/to/password/file" --database <oracle_sid> --verbose

For instance :

./create-uid-gid-mappings.sh --oracle --user lfc --password-file "/file/to/delete/password" --database LFC --verbose

Note : The file containing the LFC user password should be protected, and deleted afterwards.
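One way to follow the two notes above about protecting and deleting the password file, for either the MySQL or the Oracle run. This is an added example, not part of the LFC distribution; the function names are hypothetical, and it assumes the password file holds only the password on a single line.

```shell
#!/bin/sh
# Added example, not shipped with LFC. Function names are hypothetical.
# Assumption: the password file holds only the password, on one line.

# Create an empty file that only the owner can read or write; print its path.
make_password_file() {
    ( umask 077 && mktemp "${TMPDIR:-/tmp}/lfc-pw.XXXXXX" )
}

# Succeed only for a regular file (not a symlink) with no group/other bits.
password_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Usage: migrate --mysql|--oracle <lfc_user> <database>
# Run it from the directory that contains create-uid-gid-mappings.sh.
migrate() {
    pwfile=$(make_password_file) || return 1
    # Delete the file however the shell ends: normal exit, error or signal.
    trap 'rm -f -- "$pwfile"' EXIT
    trap 'rm -f -- "$pwfile"; exit 130' HUP INT TERM
    printf 'LFC database password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    printf '%s\n' "$pw" > "$pwfile"
    unset pw
    # Refuse to continue if the file became readable by anyone else.
    password_file_is_private "$pwfile" || return 1
    ./create-uid-gid-mappings.sh "$1" --user "$2" \
        --password-file "$pwfile" --database "$3" --verbose
    status=$?
    rm -f -- "$pwfile"
    trap - EXIT HUP INT TERM
    return "$status"
}
```

With the page's MySQL values this would be called as: migrate --mysql lfc cns_db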

Create the specific grid-mapfile

The specific lcgdm-mapfile is automatically created/updated by a cron job using the lcgdm-mkgridmap.conf file.

It is used when authenticating with grid-proxy-init (instead of voms-proxy-init).

But you can create it by hand before testing, as follows :

/opt/edg/libexec/edg-mkgridmap/edg-mkgridmap.pl \
      --conf=/opt/lcg/etc/lcgdm-mkgridmap.conf \
      --output=/opt/lcg/etc/lcgdm-mapfile --safe

lcgdm-mapfile contains DNs to VO names mappings.

This file is used if grid-proxy-init or voms-proxy-init is used to create the user proxy. It is not used if voms-proxy-init -voms is used instead.

Migrate the existing ACLs

Not supported (yet?).


Upgrade from LFC version >= 1.4.0

If you are using an Oracle LFC, you have to run the following script :

$ sqlplus lfc_user/lfc_password@oracle_sid < /opt/lcg/share/LFC-migration-1.4.0/migrate-oracle-schema-to-2-1-0.sql

This script slightly modifies the Oracle LFC database schema.


Test

The LFC version 1.4.5 works with both grid-proxy-init and voms-proxy-init.

From a UI where LFC-client-1.4.5 has been installed, test :

grid-proxy-init

$ grid-proxy-init
Your identity: /C=CH/O=CERN/OU=GRID/CN=Sophie Lemaitre 2268
Enter GRID pass phrase for this identity:
Creating proxy ........................................................................... Done
Your proxy is valid until: Sat Oct 29 05:53:15 2005

$ lfc-mkdir /grid/dteam/tests_sophie/lfc_voms_test

$ lfc-ls -ld /grid/dteam/tests_sophie/lfc_voms_test
drwxrwxr-x   0 101      2688      0 Oct 28 17:51 /grid/dteam/tests_sophie/lfc_voms_test

Important : you are now always mapped to the same user and group ids (here 101 and 2688).

voms-proxy-init

$ voms-proxy-init -voms dteam
Your identity: /C=CH/O=CERN/OU=GRID/CN=Sophie Lemaitre 2268
Enter GRID pass phrase:
Creating proxy ................................. Done
Your proxy is valid until Sat Oct 29 06:03:40 2005

$ lfc-mkdir /grid/dteam/tests_sophie/lfc_voms_test2

$ lfc-ls -ld /grid/dteam/tests_sophie/lfc_voms_test2
drwxrwxr-x   0 101      2688      0 Oct 28 18:51 /grid/dteam/tests_sophie/lfc_voms_test2

Important : you are now always mapped to the same user and group ids (here 101 and 2688).
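The check made by eye in the two sessions above can be scripted: every directory you create, whichever proxy type you hold, must show the same uid and gid in lfc-ls -ld. This is an added example, not part of the LFC tools; same_mapping is a hypothetical helper, and the sample lines are the two listings shown on this page.

```shell
#!/bin/sh
# Added example, not shipped with LFC. same_mapping is a hypothetical helper.

# Read `lfc-ls -ld` lines on stdin. Columns 3 and 4 are the virtual uid and gid.
# Print "uid:gid" and return 0 if every line carries the same pair,
# return 1 if the mapping differs between lines, 2 if no usable line was read.
same_mapping() {
    awk '
        NF < 4 { next }                      # skip blank or truncated lines
        { id = $3 ":" $4 }
        first == "" { first = id }
        id != first {
            print "mapping changed: " first " -> " id " on " $NF > "/dev/stderr"
            bad = 1
        }
        END {
            if (first == "") exit 2
            if (bad) exit 1
            print first
        }
    '
}

# The two listings from this page (grid-proxy-init, then voms-proxy-init).
SAMPLE_GRID='drwxrwxr-x   0 101      2688      0 Oct 28 17:51 /grid/dteam/tests_sophie/lfc_voms_test'
SAMPLE_VOMS='drwxrwxr-x   0 101      2688      0 Oct 28 18:51 /grid/dteam/tests_sophie/lfc_voms_test2'

# On a UI, feed it the real listings instead of the samples:
#   { lfc-ls -ld /grid/dteam/tests_sophie/lfc_voms_test
#     lfc-ls -ld /grid/dteam/tests_sophie/lfc_voms_test2; } | same_mapping
```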


Help !

In case of any problem or if you have questions, do not hesitate to contact helpdesk@ggusNOSPAMPLEASE.org (remove the NOSPAM !).

-- SophieLemaitre - 10 Mar 2006

Topic revision: r22 - 2006-03-10 - unknown