NAME
lcmaps_jobrep.mod - jobrepository LCMAPS plug-in
SYNOPSIS
lcmaps_jobrep.mod [--test] --dsn <Database Service Name> --username <database user> --password <database password>
DESCRIPTION
The LCMAPS Jobrepository plug-in stores credentials and the resulting account
mappings in a relational database. The plug-in links up all the known
in-process information from LCMAPS core memory and stores it in the database.
It uses ODBC (http://en.wikipedia.org/wiki/ODBC) to connect to the database.
The current state of the mappings between various credentials and Unix accounts
is stored in an open database on disk, but this information can change over
time through (regular) system administrative interventions. This state is now
preserved in a relational database, with the added benefit of being accessible
to other systems (e.g. GridSAFE) and of building up an easy-to-back-up historic
view of the mapping state.
Quite a few systems dig up data by trawling log files, e.g. to construct
accounting data records. This method is subject to the settings of the
sub-systems which control the format of the log file output: log trawling
tools treat the log files as a glorified API, which limits the ability of
tools such as LCMAPS to alter their log output. By offering the LCMAPS
Jobrepository plug-in as an alternative, with the added benefit of providing
the data in a structured, fine-grained database with a historic view, the
intent is to avoid the need for log file trawling.
DATABASE SCHEMA EXTENSIONS
The schema can be used to link up account mapping and/or credential mapping
results originating from other credential types, and to link up more
fine-grained details from the specific work environment, i.e. a Gatekeeper and
GridFTPd will be able to add service-specific information alongside the
mapping results.
FUTURE
The LCMAPS Jobrepository plug-in is currently limited to MySQL and MariaDB
despite its use of the ODBC database interface. The intent is to remove this
limitation and make the plug-in work with other databases, e.g. PostgreSQL,
Oracle and SQLite.
OPTIONS
- --test
- When enabled, the plug-in only tests whether a connection to the database
can be established through the ODBC coupling. The test verifies the
correctness of the DSN, username and password combination. The plug-in
reports LCMAPS SUCCESS when the connection was established, and FAILURE when
it was not able to establish the connection.
- --dsn <Database Service Name>
- Selects the Data Source Name (DSN) that has been set in an odbc.ini file.
Use the odbc.ini file to configure the database driver, server/host, port
number and database name. See below for an example odbc.ini file.
- --username <database username>
- Specifies the database username that the LCMAPS module must use to
authenticate itself to the database.
- --password <database password>
- Specifies the database password that the LCMAPS module must use to
authenticate itself to the database. You can omit this setting if you set the
password in the odbc.ini file.
WARNING: Be careful to assess the read permissions on the lcmaps.db file so
that they are exclusive to the service using this file, i.e. it is probably
best to make the file exclusive to root:root. The same applies to odbc.ini if
the password is stored there instead.
RETURN VALUES
- LCMAPS_MOD_SUCCESS
- Success.
- LCMAPS_MOD_FAIL
- Failure.
EXAMPLES
Notice that the --dsn <value> matches the DSN shown in the odbc.ini section
header. Also notice that the posix_enf plug-in is executed after the jobrep
plug-in; this makes it possible to use privilege separation and thereby
protect the database password.
- Example lcmaps.db:

    jobrep = "lcmaps_jobrep.mod"
             "--dsn MySQL-test"
             "--username root"
             "--password worteltjes"

    example_plugin_policy:
        verifyproxy -> vomslocalgroup
        vomslocalgroup -> vomspoolaccount
        vomspoolaccount -> tracking_groupid
        tracking_groupid -> jobrep
        jobrep -> posix_enf

- Example /etc/odbc.ini file:

    [MySQL-test]
    Description = MySQL test database
    Driver = MySQL
    SERVER = 127.0.0.1
    PORT = 3306
    DATABASE = jobrepository
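As an added example (not code from the lcmaps_jobrep.mod distribution), the Python script below cross-checks the two example files: it parses the jobrep module definition out of lcmaps.db, confirms that its --dsn value names a section in odbc.ini, shows where the database password ends up, and checks a file mode against the WARNING under OPTIONS. The sample configuration strings and all function names are constructed for this example.

```python
import configparser
import shlex
import stat
# Constructed samples mirroring the EXAMPLES section (not a real site configuration).
LCMAPS_DB = '''
jobrep = "lcmaps_jobrep.mod"
         "--dsn MySQL-test"
         "--username root"
         "--password worteltjes"
    jobrep -> posix_enf
'''
ODBC_INI = '''
[MySQL-test]
Driver = MySQL
DATABASE = jobrepository
'''

def parse_modules(text):  # -> {module name: argv}; policy rule/header lines are skipped
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '->' in line or line.endswith(':'):
            continue
        if '=' in line and not line.startswith('"'):      # start of a module definition
            current, rhs = (s.strip() for s in line.split('=', 1))
            modules[current] = []
        elif current is None:                               # continuation without a definition
            continue
        else:                                               # quoted continuation line
            rhs = line
        for tok in shlex.split(rhs):   # '"--dsn MySQL-test"' -> ['--dsn', 'MySQL-test']
            modules[current].extend(tok.split(None, 1))
    return modules

def jobrep_options(modules):  # --test/--dsn/--username/--password of the jobrep entry
    for argv in modules.values():
        if argv and argv[0].endswith('lcmaps_jobrep.mod'):
            opts = {'test': '--test' in argv}
            for flag in ('--dsn', '--username', '--password'):
                if flag in argv:
                    opts[flag[2:]] = argv[argv.index(flag) + 1]
            return opts

def dsn_defined(dsn, odbc_ini_text):  # True when odbc.ini has a [dsn] section
    cp = configparser.ConfigParser()
    cp.read_string(odbc_ini_text)
    return dsn in {s.strip() for s in cp.sections()}

def mode_is_private(st_mode):  # True when group/other hold no bits, e.g. 0600 root:root
    return st_mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
```

A password found by jobrep_options() lives in lcmaps.db, so that file's st_mode should satisfy mode_is_private(); if the password is moved to odbc.ini, apply the same check there.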
SUPPORTED INSTALLATIONS
- Tested front-end tools and services: gLExec, globus-gridftp-server, globus-gatekeeper
- Likely to work: SCAS, lcmaps-rest (only the Full-SSL interface), gsi-openssh-server
- Front-ends that will likely NOT work: WMProxy, StoRM backend
LIMITATIONS
Front-ends that do not use an LCMAPS interface providing certificates cannot
currently be supported. It is a requirement for the 1.5 version to be able to
work from a certificate chain.
BUGS
Please report any errors to the Nikhef Grid Middleware Security Team
<grid-mw-security-support@nikhef.nl>.
SEE ALSO
lcmaps(8), lcmaps_jobrep.mod(8), mysql(1).
More information can be found on-line at
https://wiki.nikhef.nl/grid/Site_Access_Control (the Nikhef Wiki on Site
Access Control) and https://wiki.nikhef.nl/grid/LCMAPS (the Nikhef Wiki on
LCMAPS and other plug-ins).
AUTHOR
The Jobrepository and the LCMAPS plug-ins were written by the Nikhef Grid
Middleware Security Team <grid-mw-security@nikhef.nl>.