middleware:Globus/extension/aba

From Dgiref

Please open a NGI-DE ticket if you experience any Installation or Configuration problem.

Globus/42/authorization

Install

The original description can be downloaded from d-grid site.

To apply the Attribute-based authorization to the Globus Toolkit, the following components should be additionally installed:

Virtual Organization Membership Server (VOMS) Authorization Interceptors for the Globus Web-Services (GRAM and RFT. The service security should be configured accordingly).
Authorization callout C-API for the Globus GridFTP should be used for attributes mapping.
The aba-glite.tar.gz file regarding the attribute based authorization is supposed to be installed in /opt/glite

administrator's script: install.sh

```
 
```
```
#!/bin/sh
```

# prepare globus toolkit 4.2.1 for attribute-based authorization

# Declare the variables section ------------

# BASE_URL="http://mirror.scc.kit.edu/downloads/src/globus"

# PACKAGE_GLOBUS_ABA="aba-glite.tar.gz"

```
# workdir=/opt/glite 
```

# Please insert your actual configuration

# from here ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

BASE_URL="http://mirror.scc.kit.edu/downloads"

```
PACKAGE_GLOBUS_ABA="aba-glite.tar.gz" 
```
```
workdir=/opt/glite 
```

# till here ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

```
service globus stop
```
```
 
```

wget $BASE_URL/src/globus/2010.1/$PACKAGE_GLOBUS_ABA .

```
tar xfvz $PACKAGE_GLOBUS_ABA
```
```
mv opt/glite /opt
```
```
chown -R globus.globus /opt/glite
```
```
 
```
```
# execute 
```

/opt/glite/sbin/gt4-interface-install.sh install

Configure

setup the voms server certificates
Configure the sudo for WSGRAM
Mappings for VOMS FQAN
ln -s /etc/grid-security/voms-attr-authz /etc/grid-security/voms-lcmaps-mapfile
configure the /opt/glite/etc/vomses file (see the file /opt/glite/etc/vomses.template for instructions, for accessing the voms server)

To avoid the error message: "<username> is not in the grid mapfile", all local accounts, which attributes should be mapped, the similar empty record in the grid-mapfile should be assigned:

vi /etc/grid‐security/grid‐mapfile 
 "" uhdtsgm

administrator's script: configure.sh

```
 
```
```
#!/bin/sh
```

# configuration script globus toolkit 4.2.1 attribute-based authorization

# 1) setup the voms server certificates ------------------------------------------

rpm -ihv http://mirror.scc.kit.edu/downloads/rpms/voms/fzk-vomscert-1.3-1.noarch.rpm

```
 
```
```
su - globus
```

wget -O /opt/authz-interceptors.tar http://mirror.scc.kit.edu/downloads/src/globus/2010.1/authz-interceptors.tar

```
cd /opt
```
```
tar xvf /opt/authz-interceptors.tar
```
```
cd /opt/authz-interceptors/voms/
```
```
ant build.xml
```
```
exit
```

# 2) Configure the sudo for WSGRAM -----------------------------------------------

```
visudo
```
```
Runas_Alias GLOBUSUSERS = ALL, !root
```

globus  ALL=(GLOBUSUSERS) NOPASSWD: /usr/local/globus/libexec/globus-gridmap-and-execute -g /etc/grid-security/grid-mapfile /usr/local/globus/libexec/globus-job-manager-script.pl *

globus  ALL=(GLOBUSUSERS) NOPASSWD: /usr/local/globus/libexec/globus-gridmap-and-execute -g /etc/grid-security/grid-mapfile /usr/local/globus/libexec/globus-gram-local-proxy-tool *

```
 
```

globus ALL=(GLOBUSUSERS) NOPASSWD: /usr/local/globus/libexec/globus-job-manager-script.pl *

globus ALL=(GLOBUSUSERS) NOPASSWD: /usr/local/globus/libexec/globus-gram-local-proxy-tool *

```
 
```

# 3) Mappings for VOMS FQAN ------------------------------------------------------

touch /etc/grid-security/voms-attr-mappings

ln -s /etc/grid-security/voms-attr-mappings /etc/grid-security/voms-attr-authz

```
 
```

cat /etc/grid-security/voms-attr-mappings

"/dgtest/admin/Role=softwareadmin/Capability=NULL" dgdtsgm

```
 
```

# 4) -----------------------------------------------------------------------------

ln -s /etc/grid-security/voms-attr-authz /etc/grid-security/voms-lcmaps-mapfile

```
 
```

# 5) configure the /opt/glite/etc/vomses file ------------------------------------

# (see the file /opt/glite/etc/vomses.template for instructions, for accessing the voms server)

```
echo "\
```

# \"nickname\" \"host\" \"port\" \"hostcert's dn\" \"vo\" \"globus version (of the server to contact)\"

\"dgtest\" \"dgrid-voms.fzk.de\" \"15000\" \"[/O=GermanGrid/OU=FZK/CN=host/dgrid-voms.fzk.de]\" \"dgtest\"

```
" > /opt/glite/etc/vomses
```
```
 
```
```
# vi /etc/xinetd.d/gsiftp
```
```
service gsiftp
```
```
{
```
```
instances  = 100
```
```
socket_type  = stream
```
```
wait  = no
```
```
user  = root
```

env  += LD_LIBRARY_PATH=/usr/local/globus/lib:/opt/glite/lib64

env  += GLOBUS_TCP_PORT_RANGE=20000,25000

server  = /usr/local/globus/sbin/globus-gridftp-server

```
server_args  = -i
```
```
nice = 10
```
```
disable = no
```
```
}
```
```
# vi /etc/xinetd.d/gsigatekeeper
```
```
service gsigatekeeper
```
```
{
```
```
socket_type = stream
```
```
protocol  = tcp
```
```
wait  = no
```
```
user = root
```

env  += LD_LIBRARY_PATH=/usr/local/globus/lib:/opt/glite/lib64

env += GLOBUS_TCP_PORT_RANGE=20000,25000

server = /usr/local/globus/sbin/globus-gatekeeper

server_args = -conf /usr/local/globus/etc/globus-gatekeeper.conf

```
disable = no
```
```
}
```
```
service xinetd restart
```
```
 
```
```
#
```
```
echo "\
```
```
\"\" dgdtsgm
```
```
" >> /etc/grid-security/grid-mapfile
```
```
 
```
```
#
```
```
echo "\
```

# we need a plugin, so we use a no-op, alternatively one can use an empty user ban list

pluginname=/opt/glite/lib64/modules/lcas_plugin_example.mod

```
" > /opt/glite/etc/lcas/lcas.db
```

middleware:Globus/extension/aba

Globus/42/authorization

Install

Configure

Views

Personal tools

general

guidelines

reference installation

Search

internal

Toolbox