As we are moving to ARGUS, I found it annoying that we need the same
policy for several different hosts. Here's a Makefile I've written to
simplify it - together with the argus.template file it uses.
Constructive criticism welcome. In particular, remove-all-policies seems
to create a window - between removing the old policies and loading the
new ones - where jobs will fail, which seems suboptimal.
Clearly Puppet-using sites will use that instead - but for those of us that
haven't got there yet...
[root@argus01 argus_policy]# cat Makefile
#!/usr/bin/make
#
# Christopher J. Walker <[log in to unmask]>
#
# School of Physics and Astronomy
# Queen Mary, University of London
#
# 25 July 2013
#
# Generate an argus policy file for several hosts based on a template
#
#
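# Per-host policy fragments to generate. Each NAME.argus is built from
# argus.template and all of them are concatenated into argus-policy.all.
# The list is one logical line: without the continuation backslash make
# rejects the second line ("missing separator") and the list is cut short.
hosts := ce05.argus ce06.argus ce07.argus se01.argus se03.argus \
         se04.argus wn.argus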
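# Concatenate every per-host fragment into the single file that is loaded
# into the PAP. The output is written to a temporary name derived from the
# target and renamed only once cat has succeeded, so an interrupted or
# failed run never leaves a truncated policy file that looks up to date.
argus-policy.all: $(hosts)
	cat $^ > $@.tmp || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@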
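# Worker-node fragment. Unlike the per-host fragments it does not name a
# host: the template's resource URL is replaced by the worker-node resource
# type, and the template's catch-all action ".*" is narrowed to the execute
# action only.
# Both substitutions run in one sed pass. The first expression only touches
# lines containing "resource", the second only lines containing "action",
# which gives the same result as the original two-step recipe without an
# intermediate file (the mailing-list archive masked that file's name).
wn.argus: argus.template
	sed -e '/resource/s%http://esc.qmul.ac.uk/DEFAULTHOSTNAME%http://authz-interop.org/xacml/resource/resource-type/wn%' \
	    -e '/action/s%\.\*%http://glite.org/xacml/action/execute%' \
	    $< > $@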
# Generic per-host fragment: NAME.argus is the template with the
# DEFAULTHOSTNAME placeholder replaced by NAME (the pattern stem, $*).
# Only the first occurrence on each line is replaced (no "g" flag).
# Everything else, including the action ".*" line, is copied unchanged.
%.argus: argus.template
	sed -e 's/DEFAULTHOSTNAME/$*/' $< > $@
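# Remove the generated fragments and the combined policy file.
# Declared phony so a stray file named "clean" cannot mask the target.
# $(RM) is "rm -f", so a partly built tree (some fragments missing) no
# longer makes "make clean" fail.
.PHONY: clean
clean:
	$(RM) $(hosts) argus-policy.all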
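# Replace the policies held by the local PAP with the generated file, then
# list what is loaded so the result can be checked by eye.
#
# The argus-policy.all prerequisite rebuilds the file when the template has
# changed, so a stale or missing file is never what gets loaded.
# "test -s" refuses to go any further if the file is missing or empty:
# nothing is removed from the PAP unless there is something to put back.
#
# Known limitation: the replacement is not atomic. Between
# remove-all-policies and add-policies-from-file the PAP holds no policies,
# and jobs are reported to fail during that window. If
# add-policies-from-file itself fails, make stops there and the PAP stays
# empty until the file is fixed and deploy is re-run.
# NOTE(review): consider saving the current "pap-admin lp" output before the
# removal so the previous policy set can be restored by hand.
.PHONY: deploy
deploy: argus-policy.all
	test -s $<
	pap-admin remove-all-policies
	pap-admin add-policies-from-file $<
	pap-admin lp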
[root@argus01 argus_policy]# cat argus.template
resource "http://esc.qmul.ac.uk/DEFAULTHOSTNAME" {
obligation
"http://glite.org/xacml/obligation/local-environment-map" {}
action ".*" {
rule permit { vo = "ops" }
rule permit { vo = "dteam" }
rule permit { vo = "atlas" }
rule permit { vo = "lhcb" }
rule permit { vo = "cms" }
rule permit { vo = "biomed" }
rule permit { vo = "zeus" }
rule permit { vo = "cedar" }
rule permit { vo = "mice" }
rule permit { vo = "pheno" }
rule permit { vo = "ilc" }
rule permit { vo = "hone" }
rule permit { vo = "t2k.org" }
rule permit { vo = "vo.londongrid.ac.uk" }
rule permit { vo = "superbvo.org" }
rule permit { vo = "camont" }
rule permit { vo = "ngs.ac.uk" }
rule permit { vo = "supernemo.vo.eu-egee.org" }
rule permit { vo = "cernatschool.org" }
rule permit { vo = "snoplus.snolab.ca" }
rule permit { vo = "neiss.org.uk" }
rule permit { vo = "epic.vo.gridpp.ac.uk" }
rule permit { vo = "hyperk.org" }
}
}
Chris