lcmaps and voms integration for globus services
play

LCMAPS (and VOMS) integration for Globus services D. H. van Dok - PowerPoint PPT Presentation

Jun 11, 2023 •13 likes •203 views

LCMAPS (and VOMS) integration for Globus services D. H. van Dok (Nikhef) and M. Sall (Nikhef) 2013-04-09 LCMAPS (and VOMS) integration for Globus services This is a demonstration of the installation of Globus services with VOMS based

  1. LCMAPS (and VOMS) integration for Globus services D. H. van Dok (Nikhef) and M. Sallé (Nikhef) 2013-04-09

  2. LCMAPS (and VOMS) integration for Globus services This is a demonstration of the installation of Globus services with VOMS based authentication and accounting, using the LCMAPS framework. The integration with the Globus GSI authorization callout was the focus of our work in the IGE project, and some key results are highlighted here.

  3. About this training This training is aimed at people who wish to set up Globus Toolkit services such as GridFTP and GSI-SSH and make use of the flexible mapping options of the LCMAPS framework, which includes support for VOMS. Because time is short this will not be a hands-on, installation from scratch; some of this material was prepared in advance.

  4. Basic system installation This presentation is based on a CentOS 6 machine. It is nearly the same for CentOS 5 or Debian.

  5. Configuration of software repositories ◮ IGE 3 See http://www.ige-project.eu/downloads/software/releases/downloads Unfortunately no ready-made repo file. Just copy & paste from the website. ◮ EGI trustanchors (a.k.a. the IGTF CA distribution) cd /etc/yum.repos.d/ && wget http://repository.egi.eu/sw/production/cas/1/current/repo- files/EGI-trustanchors.repo ◮ EPEL rpm -i http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release- 6-8.noarch.rpm ◮ importing the gpg keys rpm --import http://repo-rpm.ige-project.eu/RPM-GPG-KEY-IGE rpm --import http://repository.egi.eu/sw/production/cas/1/GPG- KEY-EUGridPMA-RPM-3

  6. Installation of services and middleware yum -y install ca_policy_igtf-{classic,mics,slcs} yum -y install gsi-openssh-server yum -y install globus-ftp-server-progs

  7. Host certificate Installed (of course) in /etc/grid-security/host{key,cert}.pem Make sure the key is mode -r-------- .

  8. Configuration files Grid mapfile in /etc/grid-security/grid-mapfile with user’s DN and local account. Set the default port of gsissh: sed -i ’s/#Port 22/&\nPort 2200/’ /etc/gsissh/sshd_config Ready to roll! (demo)

  9. LCMAPS installation yum install lcas-lcmaps-gt4-interface gt4-interface-install.sh install yum install lcmaps-plugins-basic lcmaps-plugins-voms Add lines to the /etc/sysconfig/globus-gridftp-server export LLGT_RUN_LCAS=no export LLGT_LIFT_PRIVILEGED_PROTECTION=1 Add more lines to /etc/sysconfig/gsisshd export LLGT_RUN_LCAS=no export LLGT_LIFT_PRIVILEGED_PROTECTION=1 /etc/init.d/gsisshd restart /etc/init.d/globus-gridftp-server restart

  10. VOMS FQAN mapping Extend the grid-mapfile with the FQANs for the supported VOs. cat >> /etc/grid-security/grid-mapfile <<EOF "/ige-project.eu" .egcf "/ige-project.eu/*" .egcf EOF

  11. Setting up pool accounts groupadd -g 9000 egcf mkdir /etc/grid-security/gridmapdir for i in ‘seq -f "%02g" 0 99‘ ; do useradd -g egcf -N -u 90$i egcf$i touch /etc/grid-security/gridmapdir/egcf$i done

  12. VOMS server identity Put the LSC file in /etc/grid-security/vomsdir/ige-project.eu/ mkdir /etc/grid-security/vomsdir/ige-project.eu cat > /etc/grid-security/vomsdir/ige-project.eu/\ vomrs01.grid.tu-dortmund.de.lsc <<EOF /C=DE/O=GermanGrid/OU=TU-Dortmund/CN=vomrs01.grid.tu-dortmund.de /C=DE/O=GermanGrid/CN=GridKa-CA EOF

  13. LCMAPS policies (basic) good = "lcmaps_dummy_good.mod" vomspoolaccount = "lcmaps_voms_poolaccount.mod" "-gridmapfile /etc/grid-security/grid-mapfile" "-gridmapdir /etc/grid-security/gridmapdir" default: vomspoolaccount -> good (demo)

  14. LCMAPS policies (add fallback) We’ve lost our original mapping to the local user account. But with an extra policy line we can get it back. localaccount = "lcmaps_localaccount.mod" "-gridmapfile /etc/grid-security/grid-mapfile" default: vomspoolaccount -> good | localaccount localaccount -> good (demo)

  15. LCMAPS policies (add banning) Banning used to be done by LCAS, but LCMAPS has a plug-in for that. bandn = "lcmaps_ban_dn.mod" "-banmapfile /etc/grid-security/ban_users.db" default: bandn -> vomspoolaccount vomspoolaccount -> good | localaccount localaccount -> good Add a DN to the ban_users.db (demo)

  16. Additional policy options (skip) ◮ (Secondary) group mapping based on VOMS ◮ Banning based on FQANS (e.g. VOMS subgroup) ◮ ARGUS call-out ◮ . . . much more

  17. Customizing the logging Logs go to syslog, but the default log level is limited to notices, warnings and errors. If something goes wrong and debugging is needed, add the following: /etc/sysconfig/globus-gridftp-server: export LCMAPS_DEBUG_LEVEL=5 export LLGT_LOG_FACILITY=LOG_LOCAL5 (Specifically for CentOS 6:) # rate limiter bites us cat > /etc/rsyslog.d/lcmaps.conf <<’EOF’ local5.* /var/log/lcmaps.log $SystemLogRateLimitInterval 2 $SystemLogRateLimitBurst 1000 EOF

  18. Additional debugging tools Install the llrun tool rpm -i http://software.nikhef.nl/dist/mwsec/rpm/epel6/x86_64/llrun- 0.1.3-1.el6.x86_64.rpm (demo)

  19. Wrapping up ◮ LCMAPS can be set up in many, many ways to accomodate almost every imaginable (and unimaginable) policy. ◮ https://wiki.nikhef.nl/grid/Site_Access_Control ◮ Just ask! grid-mw-security-support@nikhef.nl

Recommend

A VOMS overview Andrea Ceccanti (on behalf of the VOMS team) NRENS and Grids Workshop Malaga,

A VOMS overview Andrea Ceccanti (on behalf of the VOMS team) NRENS and Grids Workshop Malaga,

Enabling Grids for E-sciencE A VOMS overview Andrea Ceccanti (on behalf of the VOMS team) NRENS and Grids Workshop Malaga, 29-30/11/07 www.eu-egee.org EGEE-II INFSO-RI-031688 EGEE and gLite are registered trademarks Outline Enabling Grids

488 views • 25 slides
Hands On Exercises for Globus Online Command Line Interface IGE Globus Online Tutorial EGI

Hands On Exercises for Globus Online Command Line Interface IGE Globus Online Tutorial EGI

Hands On Exercises for Globus Online Command Line Interface IGE Globus Online Tutorial EGI Community Forum 2013, Manchester, April 9, 2013 Trainers: S. Tuecke, M. Hoffman, I. Muntean Setup: Add your public key to your identities in Globus

56 views • 3 slides
Update on the Globus Transition FEARLESS SCIENCE Reminder: Where are we coming from? In 2017,

Update on the Globus Transition FEARLESS SCIENCE Reminder: Where are we coming from? In 2017,

Update on the Globus Transition FEARLESS SCIENCE Reminder: Where are we coming from? In 2017, the Globus organization announced the From May 2017 Globus end-of-support for the Globus Toolkit. Globus Toolkit provides the reference

486 views • 9 slides
Grid Computing with Debian, Globus Grid Computing with Debian, Globus and ARC and ARC Mattias

Grid Computing with Debian, Globus Grid Computing with Debian, Globus and ARC and ARC Mattias

Grid Computing with Debian, Globus Grid Computing with Debian, Globus and ARC and ARC Mattias Ellert, Uppsala Universitet (.se) Steffen Mller, Universitt zu Lbeck (.de) Anders Wnnen, Niels Bohr Institutet (.dk) Grid Computing

514 views • 17 slides
Globus integration in the NCAR RDA data portal: Recent enhancements Thomas Cram Shortened

Globus integration in the NCAR RDA data portal: Recent enhancements Thomas Cram Shortened

NCAR/CISL/Research Data Archive Globus integration in the NCAR RDA data portal: Recent enhancements Thomas Cram Shortened presentation title NCAR, Computational Information Systems Laboratory (CISL) Shortened presentation title GlobusWorld

533 views • 14 slides
globus online Globus Online Reliable File Transfer. No IT Required. September 20, 2011 Steve

globus online Globus Online Reliable File Transfer. No IT Required. September 20, 2011 Steve

globus online Globus Online Reliable File Transfer. No IT Required. September 20, 2011 Steve Tuecke , Deputy Director, Computation Institute University of Chicago and Argonne National Laboratory Big science has achieved big successes OSG:

602 views • 22 slides
CD/MH Integration Workgroup The What and the How of integration CD Integration Workgroup

CD/MH Integration Workgroup The What and the How of integration CD Integration Workgroup

CD/MH Integration Workgroup The What and the How of integration CD Integration Workgroup RECOMMENDATIONS TO THE TASK FORCE July 18, 2014 Each Behavioral Health Organization should provide rapid access to the following billable services along a

790 views • 9 slides
Using Globus at NCAR Brian Vanderwende CISL Consulting Services February 20, 2020 This material

Using Globus at NCAR Brian Vanderwende CISL Consulting Services February 20, 2020 This material

Using Globus at NCAR Brian Vanderwende CISL Consulting Services February 20, 2020 This material is based upon work supported by the National Center for Atmospheric Research, which is a major facility sponsored by the National Science Foundation

325 views • 19 slides
globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory Computation Institute (CI) Apply to challenging problems Accelerate Promulgate by building the via new educational research

1k views • 24 slides
11/4/16 Disclosures Consultant: Globus, Medtronic, Orthofix Adult Deformity: When to Consider

11/4/16 Disclosures Consultant: Globus, Medtronic, Orthofix Adult Deformity: When to Consider

11/4/16 Disclosures Consultant: Globus, Medtronic, Orthofix Adult Deformity: When to Consider a Royalty: Globus Smaller Procedure Dean Chou, M.D. Professor of Neurosurgery The UCSF Spine Center University of California San Francisco

324 views • 20 slides
globus online Simplify big data sharing with Globus Online Steve Tuecke Computation Institute

globus online Simplify big data sharing with Globus Online Steve Tuecke Computation Institute

globus online Simplify big data sharing with Globus Online Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory The Challenge: Moving and Sharing Big Data Easily What should be trivial I need my

459 views • 14 slides
iRODS + Globus Vas Vasiliadis vas@uchicago.edu iRODS User Group Meeting June 11, 2020

iRODS + Globus Vas Vasiliadis vas@uchicago.edu iRODS User Group Meeting June 11, 2020

iRODS + Globus Vas Vasiliadis vas@uchicago.edu iRODS User Group Meeting June 11, 2020 Globus is a non-profit data management service developed and operated by Globus conceptual architecture Data Transfer Node(s) Other Data

379 views • 6 slides
Globus Toolkit Support Transition Derek Simmel &lt;dsimmel@psc.edu&gt; TAGPMA Chair 41 st

Globus Toolkit Support Transition Derek Simmel &lt;dsimmel@psc.edu&gt; TAGPMA Chair 41 st

T h e A m e r i c a s G r i d Policy Management Authority Globus Toolkit Support Transition Derek Simmel &lt;dsimmel@psc.edu&gt; TAGPMA Chair 41 st EUGridPMA / IGTF All-Hands Meeting September 25-27, 2017 JISC, Manchester, England Globus

98 views • 6 slides
UCLA Grid Portal (UGP) A Globus Incubator Project OGF 2007 Documentation at:

UCLA Grid Portal (UGP) A Globus Incubator Project OGF 2007 Documentation at:

Academic Technology Services UCLA Grid Portal (UGP) A Globus Incubator Project OGF 2007 Documentation at: http://www.ucgrid.org Prakashan Korambath Prakashan Korambath &amp; Joan Slottow &amp; Joan Slottow Research Computing Technologies

408 views • 23 slides
Data Transfers in the Grid: Data Transfers in the Grid: Workload Analysis of Globus Globus

Data Transfers in the Grid: Data Transfers in the Grid: Workload Analysis of Globus Globus

Data Transfers in the Grid: Data Transfers in the Grid: Workload Analysis of Globus Globus GridFTP Workload Analysis of GridFTP Nicolas Kourtellis, Lydia Prieto, Gustavo Zarrate, Adriana Iamnitchi Adriana Iamnitchi Nicolas Kourtellis, Lydia

965 views • 27 slides
Services Knowledge Platform to Facilitate Deeper Integration in Services Trade Sjamsu Rahardja

Services Knowledge Platform to Facilitate Deeper Integration in Services Trade Sjamsu Rahardja

Services Knowledge Platform to Facilitate Deeper Integration in Services Trade Sjamsu Rahardja The World Bank Presentation at Policy Group Meeting of ILO/EU Project Jakarta, July 12 th 2012 Synopsis of my talk Despite potential benefits of

399 views • 19 slides
Integration of Family Planning and Child Immunization Services: Leveraging Private-Public

Integration of Family Planning and Child Immunization Services: Leveraging Private-Public

Integration of Family Planning and Child Immunization Services: Leveraging Private-Public Partnerships to Increase Impact June 23, 2014 Presentation Outline 1) Background and Rationale for Integration 2) Existing Evidence and Key Lessons 3)

790 views • 32 slides
HEP Applications with Globus Virtual Workspaces Ian Gable , A. Agarwal, A. Charbonneau, R.

HEP Applications with Globus Virtual Workspaces Ian Gable , A. Agarwal, A. Charbonneau, R.

HEP Applications with Globus Virtual Workspaces Ian Gable , A. Agarwal, A. Charbonneau, R. Desmarais, R. Enge, D. Grundy, A. Norton, D. Penfold-Brown, R. Seuster, R.J. Sobie, D. C. Vanderster National Research Council of Canada, Ottawa, Ontario,

244 views • 20 slides
Cameron Berkley cameron.berkley@fsu.edu 150-B DSL 1 10/12/2016 What is Globus? 2 10/12/2016

Cameron Berkley cameron.berkley@fsu.edu 150-B DSL 1 10/12/2016 What is Globus? 2 10/12/2016

Cameron Berkley cameron.berkley@fsu.edu 150-B DSL 1 10/12/2016 What is Globus? 2 10/12/2016 Managed File T ransfer Ease of Use Reliable, Fire and Forget Parallelism and Concurrency Secure Notifjciations Performance Monitoring

642 views • 21 slides
An Extended Design of the Grid Enabled SEE++ System Based on Globus Toolkit 4 and gLite

An Extended Design of the Grid Enabled SEE++ System Based on Globus Toolkit 4 and gLite

Enabling Grids for E-sciencE An Extended Design of the Grid Enabled SEE++ System Based on Globus Toolkit 4 and gLite Authors: K. Bosa, W. Schreiner, T. Kaltofen, M. Buchberger Research Institute For Symbolic Computation (RISC), Johannes

100 views • 9 slides
Complications in Adult Deformity Surgery Research/Institutional Support: NIH, AO Spine,

Complications in Adult Deformity Surgery Research/Institutional Support: NIH, AO Spine,

Disclosures Complications in Adult Deformity Surgery Research/Institutional Support: NIH, AO Spine, OREF, Globus Honoraria: Proximal Junctional Kyphosis: Medtronic, DePuy, Stryker, Globus Thoracolumbar and Cervicothoracic

376 views • 18 slides
Cost-Effective Integration of MKM Semantic Services into Editing Environments CICM 2012

Cost-Effective Integration of MKM Semantic Services into Editing Environments CICM 2012

Cost-Effective Integration of MKM Semantic Services into Editing Environments CICM 2012 Constantin Jucovschi Jacobs University July 10, 2012 Motivation Service-Editor Integrations Call for Action Service + Editor integration Better

500 views • 27 slides
of Executing Integration and Interoperability in Health and Human Services A Presentation by Uma

of Executing Integration and Interoperability in Health and Human Services A Presentation by Uma

The Art and Business of Executing Integration and Interoperability in Health and Human Services A Presentation by Uma S. Ahluwalia Wednesday | May 28, 2014 Information About our County. Almost 1 Million Residents 50.6% Racial/Ethnic 17%

404 views • 13 slides
Integration Programme? Integration Strategy? No national or local integration programme (not

Integration Programme? Integration Strategy? No national or local integration programme (not

Integration Programme? Integration Strategy? No national or local integration programme (not voluntary or compulsory) BUT Citizenship now requires a language and culture test National government is now piloting a personal integration

778 views • 13 slides

More recommend