Document retrieved from a search engine cache. Address of the original document: http://theory.sinp.msu.ru/pipermail/ru-ngi/2013q3/001095.html
Date modified: Tue Sep 10 00:11:53 2013
Date indexed: Fri Feb 28 03:24:38 2014
[RU-NGI] gLexec & ARGUS

Andrey Zarochentsev andrey.zar at gmail.com
Mon Sep 9 22:52:45 MSK 2013


I gave up on Argus - I tried installing it on the CE, but the goal does not
justify the effort. It synchronizes the gLexec pools, and for LCG jobs that is not
especially important in my opinion. And nobody really objected to me ...


2013/9/9 Liudmila Stepanova <sli at inr.ru>

> Good evening.
> For cms I installed Argus and gLexec on the WN. On the Argus host,
> /etc/grid-security/gridmapdir is mounted over nfs from creamce.
> At this stage I am working out why glexec -d /usr/bin/id on the WN gives exit
> code 203.
> Checking Argus from the WN
> WN:
> [cms143 at grwn236 ~]$ pepcli --key .globus/userkey.pem --cert .globus/usercert.pem \
>     -c /tmp/x509up_u42143 --capath /etc/grid-security/certificates/ \
>     --pepd https://grinr07.inr.troitsk.ru:8154/authz \
>     --resourceid http://authz-interop.org/xacml/resource/resource-type/wn \
>     --actionid http://glite.org/xacml/action/execute -t 60 -x
> Key password:
> Resource: http://authz-interop.org/xacml/resource/resource-type/wn
> Decision: Permit
> Obligation: http://glite.org/xacml/obligation/local-environment-map/posix
> (caller should resolve POSIX account mapping)
> Username: cms143
> Group: cms
> Secondary Groups: cms
>
>
> export GLEXEC_CLIENT_CERT=/tmp/x509up_u42143
> export X509_USER_PROXY=/tmp/x509up_u42143
>
> [cms143 at grwn236 ~]$ /usr/sbin/glexec -d /usr/bin/id -a ; echo $?
> [gLExec]:  LCMAPS failed.
>            The reason can be found in the syslog.
> 203
>
>
> /var/log/messages:
>
> Sep  9 22:08:32 grwn236 glexec[13917]: lcmaps: Error:
> pep_authorize(request,response) failed. The Argus-PEP return code is: 8
> with error message: "authorize request error"
>
>
> /etc/glexec.conf
>
>
> #
> #  Glexec configuration file
> #
> [glexec]
> silent_logging               = no
> log_level                    = 0
> user_white_list              = .pilcms,.cms
> linger                       = yes
> user_identity_switch_by      = glexec
> use_lcas                     = no
> target_lock_mechanism        = flock
> input_lock_mechanism         = flock
> lcmaps_db_file               = /etc/lcmaps/lcmaps-glexec.db
> lcmaps_log_file              = /var/log/glexec/lcas_lcmaps.log
> lcmaps_debug_level           = 0
> lcmaps_log_level             = 1
> lcmaps_get_account_policy    = glexec_get_account
> lcmaps_verify_account_policy = glexec_verify_account
>
> lcas_db_file                 = /etc/lcas/lcas-glexec.db
> lcas_log_file                = /var/log/glexec/lcas_lcmaps.log
> lcas_debug_level             = 0
> lcas_log_level               = 1
> preserve_env_variables       = no
> log_destination              = syslog
>
> /etc/lcmaps/lcmaps-glexec.db
>
> #
> # LCMAPS config file for glexec generated by YAIM: Mon Jul 22 16:26:31 MSK 2013
> #
>
> # where to look for modules
> path = /usr/lib64/lcmaps
>
> # module definitions
> verify_proxy = "lcmaps_verify_proxy.mod"
>                " -certdir /etc/grid-security/certificates/"
>                " --allow-limited-proxy"
>
> pepc        = "lcmaps_c_pep.mod"
>               "--pep-daemon-endpoint-url http://grinr07.inr.troitsk.ru:8154/authz"
>               " -resourceid http://authz-interop.org/xacml/resource/resource-type/wn"
>               " -actionid http://glite.org/xacml/action/execute"
>               " -capath /etc/grid-security/certificates/"
>               " -pep-certificate-mode implicit"
>               " --use-pilot-proxy-as-cafile" # Add this on RHEL 6 based systems
>
> glexec_get_account:
> verify_proxy -> pepc
>
>
>
> On the ARGUS host
>
> ARGUS:
>
> root at grinr07 ~]# pap-admin lp
>
> default (local):
>
> resource "http://authz-interop.org/xacml/resource/resource-type/wn" {
>     obligation "http://glite.org/xacml/obligation/local-environment-map" {
>     }
>     action "http://glite.org/xacml/action/execute" {
>         rule permit { pfqan="/cms/Role=lcgadmin/Capability=NULL" }
>         rule permit { pfqan="/cms/Role=lcgadmin" }
>         rule permit { pfqan="/cms/Role=production/Capability=NULL" }
>         rule permit { pfqan="/cms/Role=production" }
>         rule permit { pfqan="/cms/Role=pilot/Capability=NULL" }
>         rule permit { pfqan="/cms/Role=pilot" }
>         rule permit { pfqan="/cms/Role=priorityuser/Capability=NULL" }
>         rule permit { pfqan="/cms/Role=priorityuser" }
>         rule permit { pfqan="/cms/Role=hiproduction/Capability=NULL" }
>         rule permit { pfqan="/cms/Role=hiproduction" }
>         rule permit { pfqan="/cms/HeavyIons/Role=NULL/Capability=NULL" }
>         rule permit { pfqan="/cms/HeavyIons" }
>         rule permit { pfqan="/cms/Higgs/Role=NULL/Capability=NULL" }
>         rule permit { pfqan="/cms/Higgs" }
>         rule permit { pfqan="/cms/StandardModel/Role=NULL/Capability=NULL" }
>         rule permit { pfqan="/cms/StandardModel" }
>         rule permit { pfqan="/cms/Susy/Role=NULL/Capability=NULL" }
>         rule permit { pfqan="/cms/Susy" }
>         rule permit { pfqan="/cms/Role=NULL/Capability=NULL" }
>         rule permit { pfqan="/cms" }
> Best regards,
>      Liudmila.
>
> >    Good afternoon.
> >  It seems the time of mandatory gLexec installation is approaching. The
> > documentation says that some Argus server also has to be installed. What
> > kind of beast is that? What are the hardware requirements? Has anyone
> > combined it with other servers? In particular, the documentation says
> > "CREAM now supports the use of Argus also on the CE level
> > (recommended)..."
> > What does "on the CE level" mean? On the same machine as the CREAM-CE?
> >    Thanks in advance and all the best,
> >    Vladimir.
> >
> > _______________________________________________
> > RU-NGI mailing list
> > RU-NGI at theory.sinp.msu.ru
> > http://theory.sinp.msu.ru/mailman/listinfo/ru-ngi
> >
>



-- 
Best Regards,
Andrey Zarochentsev
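An added diagnostic for the situation in Liudmila's post; this is not code from gLExec, LCMAPS or Argus. The pepcli run that returned Permit went to https://grinr07.inr.troitsk.ru:8154/authz, while the posted lcmaps-glexec.db points lcmaps_c_pep.mod at http:// on the same host and port, and it is the LCMAPS call that fails with return code 8. Before digging into the PEP daemon itself it is worth confirming that the module and the hand test are talking to the same endpoint with the same resource and action. The script parses the posted db (line wraps rejoined, copied from the post) and reports every field in which the pepc module differs from the pepcli invocation. The db parser is an assumption of mine: it handles only the `name = "file" "args" ...` and `policy:` layout used in that file. Whether the scheme difference is the cause of the error is not established by the thread; the script only shows that the two configurations differ.

```python
"""Compare the endpoint that lcmaps_c_pep.mod is configured to use with the
endpoint exercised by hand with pepcli.  Added example, not project code."""
import re
import shlex
from urllib.parse import urlsplit

# The posted /etc/lcmaps/lcmaps-glexec.db with e-mail line wraps rejoined.
SAMPLE_DB = """\
path = /usr/lib64/lcmaps

verify_proxy = "lcmaps_verify_proxy.mod"
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"

pepc        = "lcmaps_c_pep.mod"
              "--pep-daemon-endpoint-url http://grinr07.inr.troitsk.ru:8154/authz"
              " -resourceid http://authz-interop.org/xacml/resource/resource-type/wn"
              " -actionid http://glite.org/xacml/action/execute"
              " -capath /etc/grid-security/certificates/"
              " -pep-certificate-mode implicit"
              " --use-pilot-proxy-as-cafile" # Add this on RHEL 6 based systems

glexec_get_account:
verify_proxy -> pepc
"""

# What the successful pepcli test in the post was run with.
PEPCLI_ENDPOINT = "https://grinr07.inr.troitsk.ru:8154/authz"
PEPCLI_RESOURCE = "http://authz-interop.org/xacml/resource/resource-type/wn"
PEPCLI_ACTION = "http://glite.org/xacml/action/execute"

QUOTED = re.compile(r'"([^"]*)"')


def parse_lcmaps_db(text):
    """Return (modules, policies).

    modules:  {name: [module_file, arg, arg, ...]}
    policies: {name: [module, module, ...]}
    Assumption: the first quoted string of a definition names the module
    file and every later quoted string holds whitespace-separated arguments;
    a policy line such as 'a -> b | c' is reduced to the module names in it.
    """
    modules, policies = {}, {}
    cur_mod = cur_pol = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # '#' starts a comment
        if not line.strip():
            continue
        if line.endswith(":"):                    # 'glexec_get_account:'
            cur_pol, cur_mod = line[:-1].strip(), None
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m and not raw[0].isspace():            # definition at column 0
            name, rhs = m.groups()
            if not rhs.startswith('"'):           # plain setting, e.g. path=
                cur_mod = None
                continue
            cur_mod, cur_pol = name, None
            modules[name] = []
        if cur_mod is not None:
            for s in QUOTED.findall(line):
                if modules[cur_mod]:
                    modules[cur_mod].extend(shlex.split(s))
                else:
                    modules[cur_mod].append(s)    # module file itself
        elif cur_pol is not None:
            names = [t.strip() for t in re.split(r"->|\|", line)]
            policies.setdefault(cur_pol, []).extend(t for t in names if t)
    return modules, policies


def module_option(argv, name):
    """Value following option `name`, accepting '-name' or '--name'."""
    for i in range(1, len(argv) - 1):
        if argv[i].lstrip("-") == name:
            return argv[i + 1]
    return None


def check_pep_endpoint(db_text, tested_endpoint, resource, action,
                       policy="glexec_get_account"):
    """List every way the pepc module differs from the pepcli test.
    An empty list means LCMAPS and pepcli are configured alike."""
    modules, policies = parse_lcmaps_db(db_text)
    findings = []
    pep = [n for n, a in modules.items() if a and a[0].endswith("lcmaps_c_pep.mod")]
    if not pep:
        return ["no lcmaps_c_pep.mod module defined"]
    name, argv = pep[0], modules[pep[0]]
    if name not in policies.get(policy, []):      # glexec.conf names this policy
        findings.append(f"policy {policy} does not call {name}")
    url = module_option(argv, "pep-daemon-endpoint-url")
    if url is None:
        findings.append(f"{name}: no pep-daemon-endpoint-url")
    else:
        want, got = urlsplit(tested_endpoint), urlsplit(url)
        for field in ("scheme", "hostname", "port", "path"):
            w, g = getattr(want, field), getattr(got, field)
            if w != g:
                findings.append(f"{name}: endpoint {field} is {g!r}, pepcli used {w!r}")
    for opt, expected in (("resourceid", resource), ("actionid", action)):
        if module_option(argv, opt) != expected:
            findings.append(f"{name}: {opt} differs from the pepcli test")
    return findings


if __name__ == "__main__":
    result = check_pep_endpoint(SAMPLE_DB, PEPCLI_ENDPOINT, PEPCLI_RESOURCE, PEPCLI_ACTION)
    for line in result or ["pepc module matches the pepcli test"]:
        print(line)
```

Run against the posted db this reports only the scheme difference; once the db is edited so that both use the same URL, the report is empty and the next suspect is the PEP daemon's own log on grinr07 rather than the client side.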

