In version 3.0.X (QCG-Core >= 3.0.1) the QCG-Computing service was enabled for the VOMS (Virtual Organization Membership Service) infrastructure. In practice this means that in addition to plain grid-mapfile authorization it is possible to use pool accounts (as implemented in LCMAPS). The VOMS support was implement as the new authorization module called atz_callout. Example configuration (qcg-compd.xml) snipped:
<sm:Module xsi:type="sm:atz_callout"> <sm:AtzLibraryPath>/usr/lib64/liblcas_lcmaps_gt4_mapping_.so</sm:AtzLibraryPath> </sm:Module>
Configuration options:
- <Mapfile> - the grid mapfile (default: /etc/grid-security/grid-mapfile),
- <AtzLibraryPath> - path for the LCAS/LCMAPS callout librart (default: /usr/lib64/liblcas_lcmaps_gt4_mapping_.so ),
- <CalloutName> - the name of the authorization routine (default: lcmaps_callout).
The QCG-Computing expects that the LCMAPS configuration file can be found in lcmaps/lcmaps-qcg.db (This behavior can be overridden by setting the LCMAPS_DB_FILE environment variable). The content of the file must be similar to:
# where to look for modules path = YOUR_PATH_FOR_LCMAPS_MODULES localaccount = "lcmaps_localaccount.mod" " -gridmapfile /etc/grid-security/grid-mapfile" poolaccount = "lcmaps_poolaccount.mod" " -override_inconsistency" " -gridmapfile /etc/grid-security/grid-mapfile" " -gridmapdir /etc/grid-security/gridmapdir" vomslocalgroup = "lcmaps_voms_localgroup.mod" " -groupmapfile /etc/grid-security/groupmapfile" " -mapmin 0" vomslocalaccount = "lcmaps_voms_localaccount.mod" " -gridmapfile /etc/grid-security/grid-mapfile" " -use_voms_gid" vomspoolaccount = "lcmaps_voms_poolaccount.mod" " -gridmapfile /etc/grid-security/grid-mapfile" " -gridmapdir /etc/grid-security/gridmapdir" " -do_not_use_secondary_gids" # gridftp related code good = "lcmaps_dummy_good.mod" # --only-post-verify-checks # --allow-limited-proxy # --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37> # Sets a maximum lifetime for proxy certificate level <level> where <level> # can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy # in the chain) # policies withvoms: vomslocalgroup -> vomslocalaccount vomslocalaccount -> good | vomspoolaccount vomspoolaccount -> good standard: localaccount -> good | poolaccount poolaccount -> good
This is a copy of the default lcmaps.db file with one major change: instead of posix_enf the no operation good module is used. Rationale: posix_enf drops privilages so the process calling LCMAPS must run with root priivlages, this is case for GridFTP but not the case for the QCG-Computing service which call authorization functions as regular user (usually qcg-comp), dropping privileges is done in a separate process. The standard lcmaps.db must be preserved if the machine hosts also GridFTP.
To complete the configuration you must add the qcg-comp user to the edguser group which is allowed to alter the /etc/grid-security/gridmapdir/ directory that stores the credential to local pool account mappings.
Important: Due to heavy memory leak caused by dlopening liblcmaps many times the qcg-compd sets LLGT_DLCLOSE_LCMAPS=no in its atz_callout module. However this requires lcas-lcmaps-gt4-interface package to be newer than 0.2.5.
Quick HOW-TO
- Install lcas-lcmas authorization interface and its dependencies (from UMD3 repository):
yum install lcas-lcmaps-gt4-interface.x86_64 yum install lcas-plugins-voms yum install lcas-plugins-basic yum install lcmaps-plugins-voms yum install voms-clients3 yum install lcmaps-plugins-basic
- create/copy from other machine all necessary vomsdir files, e.g.:
# pwd /etc/grid-security/vomsdir/gaussian # cat voms.cyf-kr.edu.pl.lsc /C=PL/O=GRID/O=Cyfronet/CN=voms.cyf-kr.edu.pl /C=PL/O=GRID/CN=Polish Grid CA # cat /etc/vomses/dteam-voms.hellasgrid.gr "dteam" "voms.hellasgrid.gr" "15004" "/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr" "dteam" "24" # touch /etc/lcas/lcas.db # cat /etc/grid-security/grid-mapfile.local "/C=PL/O=GRID/O=PSNC/CN=qcg-broker/qcg-broker.man.poznan.pl" qcg-broker "/dteam/Role=NULL/Capability=NULL" .dteam "/dteam" .dteam
- edit the /etc/qcg/qcg-comp/qcg-compd.xml and change authorization module to sm:atz_callout as shown in the begging of the document.