gPlazma1
comes with support for five different authentication and
mapping methods. Each method is implemented in a plug-in-like module.
The gPlazma
cell can be called from the
and the
GridFTP
door
and the dCap
doorsrm
server.
This section describes how to configure gPlazma1
in general. You
also need to adjust the plug-in specific configuration files, depending
on which authorization methods you choose to employ. The configuration
of the plug-ins is described later in this chapter, since the files are
also used by gPlazma2
.
The gPlazma
policy, located in the
/opt/d-cache/etc/dcachesrm-gplazma.policy
file,
controls the authorization plug-ins to be used (ON
or OFF
for each plug-in) and the order of their
execution.
Example:
# Switches xacml-vo-mapping="OFF" saml-vo-mapping="ON" kpwd="ON" grid-mapfile="OFF" gplazmalite-vorole-mapping="OFF"
The order of execution is specified by assigning a different number to each plug-in, such as
# Priorities xacml-vo-mapping-priority="5" saml-vo-mapping-priority="1" kpwd-priority="3" grid-mapfile-priority="4" gplazmalite-vorole-mapping-priority="2"
In the above example, only the saml-vo-mapping
plug-in and the kpwd
plug-in are
activated (i.e., switched ON
). Of those the
saml-vo-mapping
plug-in would be tried first, because it was assigned a higher
priority. Note that the higher the value the
lower is the plugins priority. If authorization
was denied for that method, or if the authentication method itself
failed, then the next activated plugin with the next lower priority
would be tried. In this example this would be the kpwd
plug-in. If the
gplazmalite-vorole-mapping
plug-in would also be activated, it would be tried after the
saml-vo-mapping
plug-in and before the kpwd
plug-in.
Activating more than one plug-in allows plug-ins to be used as fall-back for another plug-ins that may fail. It also allows for the authorization of special users who may be denied by the other methods.
After the general configuration the policy file also contains a section for each of the plug-ins with plug-in specific configuration. These sections are described in the documentation for each plug-in, as follows. You may delete or comment out the lines specifing the priorities and configuration for unused plug-ins.
Here is an example of how a policy file might be set up.
Example:
# Switches
xacml-vo-mapping="OFF"
saml-vo-mapping="ON"
kpwd="ON"
grid-mapfile="OFF"
gplazmalite-vorole-mapping="OFF"
# Priorities
saml-vo-mapping-priority="1"
kpwd-priority="3"
# dcache.kpwd
kpwdPath="/opt/d-cache/etc/dcache.kpwd"
# SAML-based grid VO role mapping
mappingServiceUrl="https://fledgling09.fnal.gov:8443/gums/services/GUMSAuthorizationServicePort"
saml-vo-mapping-cache-lifetime="60"
In this case, gPlazma1
will attempt to authorize first
through a GUMS server, and fall back to using
dcache.kpwd
. The mappingServiceUrl
would have to be changed to a GUMS server appropriate for the site.
VOMS attribute validation in gPlazma1
does not
require VOMS server certificates. Instead the signature
of an attribute is checked against the CA Certificate that
signed the VOMS server certificate. To have
gPlazma1
validate the proxy attributes in dCache,
write configuration directories and
*.lsc
files in
/etc/grid-security/vomsdir
for each
authorized VOMS server according to
these instructions and set the
vomsValidation
in
/opt/d-cache/etc/dcachesrm-gplazma.policy
to true
.
Note
The legacy method of using *.pem
files which contain the VOMS server certificates is
still supported. To achieve this add the
*.pem
file which contains the
certificate of the VOMS server to the directory
/etc/grid-security/vomsdir/
.
Note that it is recommended to use the
*.lsc
files for the VOMS attribute
validation as with this method you don’t need to keep the
VOMS server certificate up to date.
The default is to validate the attributes. In both cases there must
be a non-empty /etc/grid-security/vomsdir
directory
on the node which is running gPlazma1
. To create a working
dummy directory it is enough to do
[root] #
mkdir -p /etc/grid-security/vomsdir
[root] #
touch /etc/grid-security/vomsdir/empty-cert.pem
This section describes the five different authentication methods for
gPlazma1
. Four of them share the common file
storage-authzdb
for mapping usernames to
UID/GID and provide additional user specific path information.
The format of this file is described in the section called “storage-authzdb
”.
The gplazmalite-vorole-mapping
plug-in maps a combination of DN and FQAN (Fully
Qualified Attribute Name) to a username using a
vorolemap
file. The subsequent mappings to
UID and GID is done via the storage-authzdb
file.
The kpwd
plug-in uses a kpwd
file for
authorization and mapping. This is the “legacy”
method and is recommended only for testing and/or rather small and
independent sites or as a fallback method. The file contains
different records for authorization and mappings. Its format is
documented within the sample file in
/opt/d-cache/share/examples/gplazma/dcache.kpwd
.
In the first step a DN or Kerberos
principal is mapped to a
username. To authorize the user has to provide the password
belonging to the mapped username to get UID and GID and user
path information.
This plug-in uses a grid-mapfile
to map DNs to
usernames. The subsequent mapping to UID/GID is done via the
storage-authzdb
file.
This plug-in requests DN to username mappings from a GUMS
server (Grid User Management System). The GUMS service may run an
extension which returns the UID/GID plus the additional user
path information. Without this extension UIDand GID are
obtained via the
storage-authzdb
file.
This plug-in requests DN to username mappings from a GUMS
server with XACML support. The GUMS service may run an
extension which returns the UID/GID plus the additional user
path information. Without this extension UID and GID are
obtained via the storage-authzdb
(see the section called “storage-authzdb
”) file.