about research toolkit development

Workspace Management Service

LCMAPS Implementation

The Workspace Management Service can be configured to use LCMAPS, a local credential mapping service developed by David Groep and Martijn Steenbakkers (NIKHEF Amsterdam, the Netherlands). We employ a subset of LCMAPS's functionality, the pool and VOMS credential mapping plugins.

LCMAPS uses a flexible algorithm configurable with a custom policy definition language to associate credentials with pool leases.

Upon account creation, the Workspace Service calls the 'lcmaps_poolindex' program (that we provide) that calls the LCMAPS poolindex function which associates credential information with a pool lease. LCMAPS leases an acount via hardlink in the gridmapdir - a directory set up explicity to lease pool accounts based on Andrew McNab's gridmapdir patch.

Upon account termination, the Workspace Service calls the 'lcmaps_poolindex' program to remove the lease from the gridmapdir, quarantine accounts (if configured to do so) and callout to a site specific program to clean the user account (we provide an example system script). The termination procedure is documented below.

The directions here are not complete LCMAPS instructions, but instructions for driving LCMAPS with the Workspace Management grid services and system tools. For full documentation, see the LCMAPS page.

Install LCMAPS

The LCMAPS code itself is not included in the Workspace Management Service distribution.

The recommended installation procedure can found at the LCMAPS site here. If you have gLite installed, it is included as part of the distribution.

The code is also available via anonymous CVS. A script of the checkout/build process is available here. If you run it from $DIR, the build directory is $DIR/egee. The code will be installed to $DIR/egee/stage but the script takes an optional argument to override the install prefix to another location.

e.g.,

./lcmaps_cvs.sh /usr/local

Set up pool

Before configuring LCMAPS, set up a pool of users.

  1. # mkdir /path/to/gridmapdir
  2. Create Unix accounts. One option is to use a creation script (via Andrew McNab):

    Look at the scripts carefully before use. It is especially important to set the first five variables of the script to valid values.

  3. If you did not use the creation script, /bin/touch a file in the gridmapdir for each account in the pool. The accounts need to have a common prefix, e.g., 'pool001','pool002',etc., to be considered in the same pool

  4. LCMAPS needs to know to use this pool, set the "gridmapdir" paths in lcmaps.db

    A sample lcmaps.db file can be viewed here.

    lcmaps.db can be stored anywhere on your file system (if readable by the globus user).

Associations

LCMAPS uses two files to associate DNs and attributes to pools and groups.

This sample grid-mapfile associates the attribute "/EGEE/egee" with the 'EGEE' pool (users in gridmapdir with prefix 'EGEE') and another attribute "/EGEE/egee/manager" to a separate pool. Also, here a DN is mapped to directly to a pool.

"/O=dutchgrid/O=users/O=nikhef/CN=UserSmith" .mgmtpool
"/EGEE/egee/manager" .mgmtpool
"/EGEE/egee" .EGEE

This sample groupmapfile associates the attribute "/EGEE/egee" with the Unix group 'egtest' and the attribute "/EGEE/egee/manager" with the Unix group 'egmgr'.

"/EGEE/egee" egtest
"/EGEE/egee/manager" egmgr

LCMAPS needs to know how to find these files. It does by using lcmaps.db. A sample lcmaps.db file can be viewed here.

Configure lcmaps.db to use the appropriate files. Also create a directory "groupmapdir" and configure the -groupmapdir field in lcmaps.db

Install lcmaps_poolindex

To configure the lcmaps_poolindex program, edit $WORKSPACE_HOME/local/lcmaps/source/config.h

todo: move config.h explanations to web page. For now, follow the instructions in the file.

One of these settings is a path to an account expiry program (we provide a sample program). For a full termination explanation, see the termination section below.

Edit $WORKSPACE_HOME/local/lcmaps/source/Makefile: set correct path to 'org.glite.security.lcmaps-interface/interface' for the headers.

Once configured, compile and install lcmaps_poolindex by running:

$ export GLOBUS_LOCATION=/path/to/globus
$ make install

The program "lcmaps_poolindex" is now in $GLOBUS_LOCATION/bin where the service code expects it to be.

NOTE: remember for the service code to drive LCMAPS for its backend, the deploy-jndi-config.xml resourceClass has to be set to org.globus.dynamicAccounts.impl.service.LCMAPSResource

NOTE: if the LCMAPS install is not in the system shared library search path, you must add it before starting the container as it is the container process' environment that will be loading the library

$ cd $GLOBUS_LOCATION
$ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/path/to/lcmaps/install/lib
$ ./bin/globus-start-container 2>&1 | tee globus_log

Termination

Account termination is achieved by either an authorized destroy request, or by allowing the account's time to live (TTL) to expire. An authorized client can prevent automatic termination by extending the termination time.

The setuid program is called with -unlease_poolindex to expire the lease in the gridmapdir and can optionally be configured (in config.h) to put a quarantine on the account. The quarantine lasts until the quarantine hardlink (e.g., "pool002.quarantined") is removed, either by a script or manually (rm *quarantined).

After the lease is expired, the program can optionally be configured (in config.h) to invoke a site specific script that should deal with cleaning up an expired account. The example script included (expire_pooluser) kills all the user's processes (via kill -9), deletes all the user's files, and reverts the user's group back to the default.

expire lease

Note

Whether or not quarantine is configured, the account is quarantined during the lease removal process. If any configuration problems or callout script errors occur, the account remains quarantined whether or not DO_QUARANTINE is configured.

expire_pooluser Errors

  • The C program expects 0 for success and non-zero for failure. Non zero return values are logged and translated to the EXPIRY_PROG_FAILURE return value (see errors.h). This signals the service that there was an internal failure in the script that was called.

  • The C program is currently set up to check several aspects of the program it is configured to run (program path is configured in config.h). The program must exist as a regular file and be executable by its owner. The program must not be editable by any user other than the effective UID of the program. These situations return the EXPIRY_PROG_CHECK error (see errors.h) from the setuid program to the Java service (triggering an exception) and implies an environment problem.

  • Note: at the point either of these types of problems occurs, the lease (the gridmapdir mapping that actually secures the lease) is expired. Also, the account is quarantined and unavailable for new pool leases (a good safety net, an administrator can examine the problem with the expire_pooluser.sh script) no matter if DO_QUARANTINE is configured or not).

See the Developer's Guide to configure a different program entirely to call at resource destruction (i.e., modification of the C call from Java). This 'termination' section refers to modifying the lcmaps_poolindex program's invocation of the expire script, which is different.