Christian Neissner wrote:

> Hi Maarten:
> 
> On Tue, 12 Jun 2007 12:59:12 +0200, Maarten Litmaath <[log in to unmask]> wrote:
> 
>>That file is irrelevant when you properly configure the gLite CE.
>>It currently uses /etc/grid-security/grid-mapfile and
>>/etc/grid-security/groupmapfile, nothing else.
> 
> 
> Can you give me an example of those files in a properly configured gLite CE?

/etc/grid-security/grid-mapfile for DTEAM
(if you use pool accounts for sgm/prd):

--------------------------------------------------
"/dteam/Role=lcgadmin/Capability=NULL" .dteamsgm
"/dteam/Role=lcgadmin" .dteamsgm
"/dteam/Role=production/Capability=NULL" .dteamprd
"/dteam/Role=production" .dteamprd
"/dteam/Role=NULL/Capability=NULL" .dteam
"/dteam" .dteam
--------------------------------------------------

/etc/grid-security/groupmapfile for DTEAM:

--------------------------------------------------
"/dteam/Role=lcgadmin/Capability=NULL" dteam
"/dteam/Role=lcgadmin" dteam
"/dteam/Role=production/Capability=NULL" dteam
"/dteam/Role=production" dteam
"/dteam/Role=NULL/Capability=NULL" dteam
"/dteam" dteam
--------------------------------------------------

YAIM's groups.conf for DTEAM:

--------------------------------------------------
"/VO=dteam/GROUP=/dteam/ROLE=lcgadmin":::sgm:
"/VO=dteam/GROUP=/dteam/ROLE=production":::prd:
"/VO=dteam/GROUP=/dteam"::::
--------------------------------------------------

> And by the way, what do they look like on a WMS? Because we had to install
> both machines "by hand", the generation of those files didn't work very well.

On the WMS /etc/grid-security/grid-mapfile still has the "classic" format.
Although /etc/grid-security/groupmapfile is created, it is not needed.
Ensure, however, that /opt/glite/etc/lcmaps/lcmaps.db looks like this:

--------------------------------------------------------------------------
# LCMAPS configuration file for WMProxy
#
# LCMAPS policy file/plugin definition
#
# default path
path = /opt/glite/lib/modules

# Plugin definitions:
good             = "lcmaps_dummy_good.mod"

localaccount     = "lcmaps_localaccount.mod"
                    "-gridmapfile /etc/grid-security/grid-mapfile"

poolaccount = "lcmaps_poolaccount.mod"
                    " -override_inconsistency"
                    " -gridmapfile /etc/grid-security/grid-mapfile"
                    " -gridmapdir /etc/grid-security/gridmapdir"

vomslocalgroup   = "lcmaps_voms_localgroup.mod"
                    "-groupmapfile /etc/grid-security/groupmapfile"
                    "-mapmin 0"

vomspoolaccount  = "lcmaps_voms_poolaccount.mod"
                    "-gridmapfile /etc/grid-security/grid-mapfile"
                    "-gridmapdir /etc/grid-security/gridmapdir"
                    "-do_not_use_secondary_gids"

vomslocalaccount = "lcmaps_voms_localaccount.mod"
                    "-gridmapfile /etc/grid-security/grid-mapfile"
                    "-use_voms_gid"

# Policies:
standard:
localaccount -> good | poolaccount
poolaccount -> good

# DN-local -> DN-pool -> VO-pool
voms:
localaccount -> good | poolaccount
poolaccount -> good | vomslocalgroup
vomslocalgroup -> vomspoolaccount

--------------------------------------------------------------------------
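
For sites that write these files by hand, as described above, the following is an added example and not part of the original message or of gLite/YAIM: a consistency check for the two map files. It assumes the conventions visible in the DTEAM example (each FQAN listed both in short form and with the NULL suffixes, both spellings mapped to the same account, and every grid-mapfile FQAN also present in groupmapfile); these are taken from the example files, not from LCMAPS documentation, and all function names are hypothetical.

```python
import re

# Constructed inputs modelled on the DTEAM files in the message; the short
# "/dteam/Role=production" line is deliberately left out of the grid-mapfile.
GRID_MAPFILE = '''
"/dteam/Role=lcgadmin/Capability=NULL" .dteamsgm
"/dteam/Role=lcgadmin" .dteamsgm
"/dteam/Role=production/Capability=NULL" .dteamprd
"/dteam/Role=NULL/Capability=NULL" .dteam
"/dteam" .dteam
'''
GROUP_MAPFILE = re.sub(r" \.\w+", " dteam", GRID_MAPFILE)  # same subjects -> group
LINE = re.compile(r'^"([^"]+)"\s+(\S+)$')

def parse_mapfile(text):  # returns ordered (subject, target) pairs
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f'line {n}: expected "<subject>" <target>')
        entries.append(m.groups())
    return entries

def is_fqan(subject):  # FQANs start with "/<vo>", DNs with "/C=", "/DC=", ...
    return subject.startswith("/") and "=" not in subject.split("/")[1]

def normalise(fqan):  # strip the NULL role/capability suffixes -> short form
    return re.sub(r"(/Role=NULL)?(/Capability=NULL)?$", "", fqan)

def long_form(short):
    return short + ("" if "/Role=" in short else "/Role=NULL") + "/Capability=NULL"

def check(grid_text, group_text):
    grid = [(s, t) for s, t in parse_mapfile(grid_text) if is_fqan(s)]
    group = dict(parse_mapfile(group_text))
    accounts, findings = {}, []
    for subject, account in grid:
        short = normalise(subject)
        if accounts.setdefault(short, account) != account:
            findings.append(f"{short}: spellings map to different accounts")
        if subject not in group:
            findings.append(f"{subject}: no groupmapfile entry")
    present = {s for s, _ in grid}
    findings += [f"{f}: missing from grid-mapfile" for s in accounts
                 for f in (s, long_form(s)) if f not in present]
    return findings
```

Running `check()` on the real `/etc/grid-security/grid-mapfile` and `/etc/grid-security/groupmapfile` contents returns an empty list when the two files agree with the layout shown in the message.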