| ||||||||||||
Workspace Management ServiceLCMAPS ImplementationThe Workspace Management Service can be configured to use LCMAPS, a local credential mapping service developed by David Groep and Martijn Steenbakkers (NIKHEF Amsterdam, the Netherlands). We employ a subset of LCMAPS's functionality, the pool and VOMS credential mapping plugins. LCMAPS uses a flexible algorithm configurable with a custom policy definition language to associate credentials with pool leases. Upon account creation, the Workspace Service calls the 'lcmaps_poolindex' program (that we provide) that calls the LCMAPS poolindex function which associates credential information with a pool lease. LCMAPS leases an acount via hardlink in the gridmapdir - a directory set up explicity to lease pool accounts based on Andrew McNab's gridmapdir patch. Upon account termination, the Workspace Service calls the 'lcmaps_poolindex' program to remove the lease from the gridmapdir, quarantine accounts (if configured to do so) and callout to a site specific program to clean the user account (we provide an example system script). The termination procedure is documented below. The directions here are not complete LCMAPS instructions, but instructions for driving LCMAPS with the Workspace Management grid services and system tools. For full documentation, see the LCMAPS page. Install LCMAPSThe LCMAPS code itself is not included in the Workspace Management Service distribution. The recommended installation procedure can found at the LCMAPS site here. If you have gLite installed, it is included as part of the distribution. The code is also available via anonymous CVS. A script of the checkout/build process is available here. If you run it from $DIR, the build directory is $DIR/egee. The code will be installed to $DIR/egee/stage but the script takes an optional argument to override the install prefix to another location. e.g., ./lcmaps_cvs.sh /usr/local
Set up poolBefore configuring LCMAPS, set up a pool of users.
AssociationsLCMAPS uses two files to associate DNs and attributes to pools and groups. This sample grid-mapfile associates the attribute "/EGEE/egee" with the 'EGEE' pool (users in gridmapdir with prefix 'EGEE') and another attribute "/EGEE/egee/manager" to a separate pool. Also, here a DN is mapped to directly to a pool. "/O=dutchgrid/O=users/O=nikhef/CN=UserSmith" .mgmtpool "/EGEE/egee/manager" .mgmtpool "/EGEE/egee" .EGEE This sample groupmapfile associates the attribute "/EGEE/egee" with the Unix group 'egtest' and the attribute "/EGEE/egee/manager" with the Unix group 'egmgr'. "/EGEE/egee" egtest "/EGEE/egee/manager" egmgr LCMAPS needs to know how to find these files. It does by using lcmaps.db. A sample lcmaps.db file can be viewed here. Configure lcmaps.db to use the appropriate files. Also create a directory "groupmapdir" and configure the -groupmapdir field in lcmaps.db Install lcmaps_poolindexTo configure the lcmaps_poolindex program, edit $WORKSPACE_HOME/local/lcmaps/source/config.h todo: move config.h explanations to web page. For now, follow the instructions in the file. One of these settings is a path to an account expiry program (we provide a sample program). For a full termination explanation, see the termination section below. Edit $WORKSPACE_HOME/local/lcmaps/source/Makefile: set correct path to 'org.glite.security.lcmaps-interface/interface' for the headers. Once configured, compile and install lcmaps_poolindex by running: $ export GLOBUS_LOCATION=/path/to/globus $ make install The program "lcmaps_poolindex" is now in $GLOBUS_LOCATION/bin where the service code expects it to be. NOTE: remember for the service code to drive LCMAPS for its backend, the deploy-jndi-config.xml resourceClass has to be set to org.globus.dynamicAccounts.impl.service.LCMAPSResource NOTE: if the LCMAPS install is not in the system shared library search path, you must add it before starting the container as it is the container process' environment that will be loading the library $ cd $GLOBUS_LOCATION $ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/path/to/lcmaps/install/lib $ ./bin/globus-start-container 2>&1 | tee globus_log TerminationAccount termination is achieved by either an authorized destroy request, or by allowing the account's time to live (TTL) to expire. An authorized client can prevent automatic termination by extending the termination time.
Note Whether or not quarantine is configured, the account is quarantined during the lease removal process. If any configuration problems or callout script errors occur, the account remains quarantined whether or not DO_QUARANTINE is configured. expire_pooluser Errors
See the Developer's Guide to configure a different program entirely to call at resource destruction (i.e., modification of the C call from Java). This 'termination' section refers to modifying the lcmaps_poolindex program's invocation of the expire script, which is different. |