LFC 1.4.5
The LFC version 1.4.5 supports :
- virtual uids and gids
- VOMS
This means that whenever and wherever you access the LFC, you are always mapped to the same virtual uid. A given group or
VOMS role is always mapped to the same virtual gid.
As a result, ACLs are fully operational in this version of the LFC when pool accounts are used.
Everything below is handled automatically by YAIM.
Installation from scratch
Here is how to install the LFC version 1.4.5.
Follow the LFC Admin Guide
See https://twiki.cern.ch/twiki/bin/view/LCG/LfcAdminGuide
Add the supported VOs/groups
The step
lfc-chown root:VO /grid/VO
will not work unless you explicitly add the VO group ID to the LFC:
$ lfc-entergrpmap --group <VO_name>
For instance:
$ lfc-entergrpmap --group atlas
This command will automatically assign a gid to the given VO.
There is no need to specify "--gid". In particular, there is no relation between the Unix gid and the LFC gid.
Upgrade from LFC version < 1.4.0
Here is the procedure to upgrade the LFC to version 1.4.5.
Important
The LFC server has to be upgraded before the LFC clients.
An old client (version < 1.4.0) will work with a new server (>= 1.4.0).
But a new client (>= 1.4.0) will not work with an old server (< 1.4.0).
Install the new RPMs
First, upgrade the RPMs :
$ rpm -Uvh LFC-client-1.4.5-1_sl3.i386.rpm
$ rpm -Uvh LFC-server-mysql-1.4.5-1_sl3.i386.rpm
$ rpm -Uvh LFC-interfaces-1.4.5-1_sl3.i386.rpm
And install the dependencies :
- lcg-dm-common-1.4.5-1_sl3.i386.rpm
- voms-api-gcc32dbgpthr-_gcc3_2_2-1.5.4-1_sl3.i386.rpm
- voms-api_gcc3_2_2-1.5.4-1_sl3.i386.rpm
- glite-security-voms-api-c-1.6.10-0.i386.rpm
But don't restart the LFC daemon
Migrate to version 1.4.5
The script you have to run will :
- create a file containing the (group id <-> group name) mappings. Check this file to see if the information is correct
- migrate the database schema (two new tables will be created)
- create the DN <-> existing groups mappings in the database
A specific grid-mapfile also has to be created. This is taken care of automatically by YAIM.
Note : The mappings for the users and future groups will be automatically created by the LFC.
The script comes with the LFC-server RPM and is located in /opt/lcg/share/LFC/LFC-migration-1.4.0/.
Mysql
Run the script as follows:
./create-uid-gid-mappings.sh --mysql --user <lfc_user> --password-file "/path/to/password/file" --database <mysql_database> --verbose
For instance :
./create-uid-gid-mappings.sh --mysql --user lfc --password-file "/file/to/delete/password" --database cns_db --verbose
Note : The file containing the LFC user password should be protected, and deleted afterwards.
Oracle
Run the script as follows:
./create-uid-gid-mappings.sh --oracle --user <lfc_user> --password-file "/path/to/password/file" --database <oracle_sid> --verbose
For instance :
./create-uid-gid-mappings.sh --oracle --user lfc --password-file "/file/to/delete/password" --database LFC --verbose
Note : The file containing the LFC user password should be protected, and deleted afterwards.
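One way to follow the note above for both the MySQL and the Oracle invocation, as an added example that is not part of the LFC distribution: a small wrapper that keeps the password in an owner-only temporary file and deletes it as soon as the command returns. The function name with_password_file and the @PWFILE@ placeholder are hypothetical, and the sketch assumes the migration script accepts a file holding the password followed by a newline.

```shell
#!/bin/sh
# Added example, not part of the LFC distribution. The function name and the
# @PWFILE@ placeholder are assumptions made for this sketch.
#
# with_password_file CMD [ARGS...]
#   Reads the password (one line) from stdin, stores it in an owner-only
#   temporary file, runs CMD with each "@PWFILE@" argument replaced by the
#   file's path, then deletes the file whether CMD succeeded or not.
#   Returns CMD's exit status. Note: it resets the caller's EXIT/INT/TERM traps.
with_password_file() {
    _old_umask=$(umask)
    umask 077                         # temp file is created rw-------
    _pwfile=$(mktemp "${TMPDIR:-/tmp}/lfc-pw.XXXXXX") || { umask "$_old_umask"; return 1; }
    umask "$_old_umask"
    # Delete the file even if the shell exits or is interrupted mid-run.
    trap 'rm -f "$_pwfile"' EXIT
    trap 'rm -f "$_pwfile"; exit 1' INT TERM

    if [ -t 0 ]; then stty -echo; fi  # no echo when typed at a terminal
    IFS= read -r _pw || true
    if [ -t 0 ]; then stty echo; echo; fi
    if [ -z "$_pw" ]; then            # refuse to run with an empty password
        rm -f "$_pwfile"; trap - EXIT INT TERM
        return 1
    fi
    printf '%s\n' "$_pw" > "$_pwfile"
    unset _pw

    # Substitute the placeholder so the caller keeps the script's own
    # argument order.
    for _a in "$@"; do
        shift
        [ "$_a" = "@PWFILE@" ] && _a=$_pwfile
        set -- "$@" "$_a"
    done

    _rc=0
    "$@" || _rc=$?
    rm -f "$_pwfile"
    trap - EXIT INT TERM
    return "$_rc"
}

# Usage with the MySQL command from this page, run from the script's directory:
#   with_password_file ./create-uid-gid-mappings.sh --mysql --user lfc \
#       --password-file @PWFILE@ --database cns_db --verbose
```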
Create the specific grid-mapfile
The specific lcgdm-mapfile is automatically created/updated by a cron job using the lcgdm-mkgridmap.conf file.
It is used when authenticating with grid-proxy-init (instead of voms-proxy-init).
But you can create it by hand before testing, as follows:
/opt/edg/libexec/edg-mkgridmap/edg-mkgridmap.pl \
--conf=/opt/lcg/etc/lcgdm-mkgridmap.conf \
--output=/opt/lcg/etc/lcgdm-mapfile --safe
lcgdm-mapfile contains DN to VO name mappings.
This file is used if grid-proxy-init or voms-proxy-init is used to create the user proxy.
It is not used if voms-proxy-init -voms is used instead.
Migrate the existing ACLs
Not supported (yet?).
Upgrade from LFC version >= 1.4.0
If you are using an Oracle LFC, you have to run the following script:
$ sqlplus lfc_user/lfc_password@oracle_sid < /opt/lcg/share/LFC-migration-1.4.0/migrate-oracle-schema-to-2-1-0.sql
This script slightly modifies the Oracle LFC database schema.
Test
The LFC version 1.4.5 works with both grid-proxy-init and voms-proxy-init.
From a UI where LFC-client-1.4.5 has been installed, test:
grid-proxy-init
$ grid-proxy-init
Your identity: /C=CH/O=CERN/OU=GRID/CN=Sophie Lemaitre 2268
Enter GRID pass phrase for this identity:
Creating proxy ........................................................................... Done
Your proxy is valid until: Sat Oct 29 05:53:15 2005
$ lfc-mkdir /grid/dteam/tests_sophie/lfc_voms_test
$ lfc-ls -ld /grid/dteam/tests_sophie/lfc_voms_test
drwxrwxr-x 0 101 2688 0 Oct 28 17:51 /grid/dteam/tests_sophie/lfc_voms_test
Important : you are now always mapped to the same user and group ids (here 101 and 2688).
voms-proxy-init
$ voms-proxy-init -voms dteam
Your identity: /C=CH/O=CERN/OU=GRID/CN=Sophie Lemaitre 2268
Enter GRID pass phrase:
Creating proxy ................................. Done
Your proxy is valid until Sat Oct 29 06:03:40 2005
$ lfc-mkdir /grid/dteam/tests_sophie/lfc_voms_test2
$ lfc-ls -ld /grid/dteam/tests_sophie/lfc_voms_test2
drwxrwxr-x 0 101 2688 0 Oct 28 18:51 /grid/dteam/tests_sophie/lfc_voms_test2
Important : you are now always mapped to the same user and group ids (here 101 and 2688).
Help !
In case of any problem or if you have questions, do not hesitate to contact
helpdesk@ggusNOSPAMPLEASE.org (remove the NOSPAM !).
--
SophieLemaitre - 10 Mar 2006