guide:Dgridmap


Information

The dgridmap script creates the grid-mapfile and UUDB for a D-Grid resource.

This script creates the configuration files needed to map the DNs of grid user certificates to Unix accounts during grid middleware operation. It generates:

  • the grid-mapfile for Globus
  • the UUDB file for UNICORE

The script is executed on the resource for which the mapping files are to be created. If your site offers multiple resources, the script should be run on each resource that needs a mapping file.

The script contacts the central database of the D-Grid resource and user management, located at Research Center Juelich. The database sends the DNs of the grid user certificates of the users who are registered for this resource and provides the associated names for their Unix accounts. The script writes this information in the correct format for the Globus or UNICORE grid middleware. The script also sends the DNs of the server certificates of other UNICORE (NJS) resources, so that data transfer is possible between these resources.

The script can be found here: dgridmap file

The dgridmap script generates only the configuration files for the mapping of DNs to Unix accounts. It does not create any Unix accounts itself. The local user management of a site or a resource must ensure that new Unix accounts are created when new users appear in the mapping. An easy way is to create a fixed pool of, for example, 200 users ppvv0001 to ppvv0200 in advance on all the resources of a site for all the VOs that are expected. Then you only need to ensure that this pool does not overflow when there are more than 200 D-Grid users of a VO for this site.

Syntax

dgridmap [option]

Options

-cert-path
is the path where the grid-server certificate, the corresponding private key of the resource (or one of the resources of your site) and the Root certificate of the issuing CA are to be found. Default is /etc/grid-security.
If a working Globus installation is available on the resource, all the necessary files are available under the standard path /etc/grid-security. Then the option is not required.
The certificates must be in the same form as in the Globus toolkit:
  1. the grid-server certificate is cert-path/hostcert.pem
  2. the private key of the grid-server certificate is cert-path/hostkey.pem
  3. the certificate of the issuing Root CA is cert-path/certificates/hash.0
  4. the URL of the Certificate Revocation List is cert-path/certificates/hash.crl_url
  5. the signing policy is cert-path/certificates/hash.signing_policy
hash is the hash value of the Root certificate. If the hash value of the Root certificate root.pem is unknown, you can print it with openssl x509 -hash -noout -in root.pem.
-output-g file_g
file_g is the name of the grid-mapfile file to be generated.
-output-u file_u
file_u is the name of the UUDB file to be generated.
-output-o file_o
file_o is the name of the mapping file for OGSA-DAI (consisting of VO-name entries and DN).
-output-a file_a
file_a is the name of a file to be created with more information for administrators (VO, VO-shortcuts, group, ID, member status, date of status change, first name, surname, institute, street, postal code, city, country, telephone, nationality, e-mail, DN), one field each, separated by #.
-pre pp
pp is a prefix with a maximum of 2 characters that you choose for the Unix account names. Default is dg. If no prefix is desired, this can be achieved with -pre ' '.


The grid-server certificate under /etc/grid-security or the -cert-path path implicitly identifies the resource. In particular, for sites that operate multiple resources, the mapping is generated only for this resource. Entries are produced for the users of all VOs expected on the resource.


If none of the options -output-g, -output-u and -output-o is used, all 3 files are generated with the default names gridmap.<site>.<resource>, uudb.<site>.<resource> and ogsa.<site>.<resource> in the working directory.

<site> is replaced by the abbreviation for the site,
<resource> by the abbreviation for the resource.

If only one of these options is given, only the file for that option is generated. Several of these options may also be given; then the relevant files are generated.


The generated name of the Unix account has the ppvvnnnn format, where:

pp - the prefix
vv - the abbreviation for the VO
nnnn - a zero-filled 4-digit number, which is assigned by the D-Grid resource and user management database.

The accounts for each VO are numbered separately.

Usage

Upgrading a grid-mapfile for Globus

# Store the previous grid mapfile:
cp -a /etc/grid-security/grid-mapfile /etc/grid-security/grid-mapfile.save 
# Upgrade grid-mapfile: 
dgridmap -pre dg -output-g /etc/grid-security/grid-mapfile
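
A check that can be run on a freshly generated grid-mapfile (for example one written to a temporary name with -output-g) before it replaces the live file; this is an added example, not part of dgridmap. It assumes the Globus entry form "DN" account, a two-character VO abbreviation, and a per-VO pool numbered 0001 up to the pool size; check_gridmap and its arguments are names chosen here.

```shell
# check_gridmap FILE PREFIX POOL PASSWD   (hypothetical helper, not part of dgridmap)
#   FILE   - generated grid-mapfile, one entry per line:  "DN" account
#   PREFIX - the -pre value (default dg); POOL - pool size per VO, e.g. 200
#   PASSWD - passwd-format file listing the local accounts, e.g. /etc/passwd
# Prints one line per problem and returns 0 only if no problem was found.
check_gridmap() {
    awk -v pre="$2" -v pool="$3" -v passwd="$4" '
    BEGIN {
        # Remember every local account name (first field of each passwd line).
        while ((getline line < passwd) > 0) { split(line, f, ":"); have[f[1]] = 1 }
        # Assumed ppvvnnnn form: prefix, 2-character VO abbreviation, 4 digits.
        pat = "^" pre "[a-z0-9][a-z0-9][0-9][0-9][0-9][0-9]$"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        # An entry must be a quoted DN starting with "/", whitespace, account.
        if (!match($0, /^"\/[^"]+"[ \t]+/)) {
            print "line " NR ": malformed entry"; bad = 1; next
        }
        dn = substr($0, 2, index(substr($0, 2), "\"") - 1)
        acct = substr($0, RLENGTH + 1); sub(/[ \t]+$/, "", acct)
        # Anything outside the pool naming scheme (root, service users) is rejected.
        if (acct !~ pat) {
            print "line " NR ": account " acct " is not of the form " pre "vvnnnn"
            bad = 1; next
        }
        # The database numbered past the pre-created pool: the pool has overflowed.
        if (substr(acct, length(acct) - 3) + 0 > pool) {
            print "line " NR ": " acct " exceeds pool of " pool; bad = 1
        }
        # dgridmap creates no Unix accounts, so the account must already exist.
        if (!(acct in have)) { print "line " NR ": no local account " acct; bad = 1 }
        if (dn in seen) { print "line " NR ": duplicate DN " dn; bad = 1 }
        seen[dn] = 1
    }
    END { exit bad }' "$1"
}
```

Typical call: check_gridmap grid-mapfile.new dg 200 /etc/passwd, installing the new file only when it returns 0.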

Upgrading a UUDB for UNICORE

cd /opt/unicore/d-grid_uudb.0.5 
# Store the previous UUDB:
mv /opt/unicore/d-grid_uudb.0.5/UUDB /opt/unicore/d-grid_uudb.0.5/UUDB.save 
# update the UUDB: 
dgridmap -cert-path /root/certificates -pre dg -output-u /opt/unicore/d-grid_uudb.0.5/UUDB.in 
./uudb_admin add -a -f UUDB.in

It is important here to rename the old UUDB rather than copy it; otherwise the old records are read before the new entries, and deleted entries remain stored in the UUDB.

Upgrade dcache.kpwd for dCache

Upgrade a grid-mapfile on your dCache resource and use grid-mapfile2dcache to generate the dcache.kpwd file from the updated grid mapfile.
