Document taken from a search engine cache. Address of the original document: http://theory.sinp.msu.ru/pipermail/ru-ngi/2013q3/001096.html
Date modified: Tue Sep 10 00:29:16 2013
Date indexed: Fri Feb 28 03:24:45 2014
[RU-NGI] gLexec & ARGUS

A.V. Berezhnoy a.v.berezhnoy at gmail.com
Tue Sep 10 00:11:50 MSK 2013


?????? ?????.

? ??? ?
https://wiki.italiangrid.it/twiki/bin/view/CREAM/TroubleshootingGuide
????????

Please note that this test makes sense only when the CREAM CE is 
configured to NOT use Argus. When the CREAM CE is instead configured to 
use Argus, glexec is not used at all in the CREAM CE node.

??????????, ??? ???? Argus, ???? glexec.

?. ????????

09.09.2013 22:52, Andrey Zarochentsev ?????:
> ? ?? ?????? ????????? - ? ???????? ??????? ??? ?? ??, ?? ???? ?? 
> ??????????? ??????. ?? ?????????????? ???? gLexec , ? ??? LCG ????? 
> ??? ?? ????? ????? ?? ??? ??????. ? ?? ??? ????? ??? ?? ???????? ...
>
>
> 2013/9/9 Liudmila Stepanova <sli at inr.ru <mailto:sli at inr.ru>>
>
>     ?????? ?????.
>     ? ??? cms ?????????? Argus ? gLexec ?? WN. ?? Argus-? mount ?? nfs
>     /etc/grid-security/gridmapdir c creamce.
>     ?? ?????? ????? ?????????? ?????? glexec -d /usr/bin/id ??  WN
>     ???? 203
>     exit code.
>     ???????? Argus ?? WN
>     WN:
>     [cms143 at grwn236 ~]$ pepcli --key .globus/userkey.pem --cert .globus/usercert.pem \
>         -c /tmp/x509up_u42143 --capath /etc/grid-security/certificates/ \
>         --pepd https://grinr07.inr.troitsk.ru:8154/authz \
>         --resourceid http://authz-interop.org/xacml/resource/resource-type/wn \
>         --actionid http://glite.org/xacml/action/execute -t 60 -x
>     Key password:
>     Resource: http://authz-interop.org/xacml/resource/resource-type/wn
>     Decision: Permit
>     Obligation:
>     http://glite.org/xacml/obligation/local-environment-map/posix
>     (caller should resolve POSIX account mapping)
>     Username: cms143
>     Group: cms
>     Secondary Groups: cms
>
>
>     export GLEXEC_CLIENT_CERT=/tmp/x509up_u42143
>     export X509_USER_PROXY=/tmp/x509up_u42143
>
>     [cms143 at grwn236 ~]$ /usr/sbin/glexec -d /usr/bin/id -a ; echo $?
>     [gLExec]:  LCMAPS failed.
>                The reason can be found in the syslog.
>     203
>
>
>     /var/log/messages:
>
>     Sep  9 22:08:32 grwn236 glexec[13917]: lcmaps: Error:
>     pep_authorize(request,response) failed. The Argus-PEP return code
>     is: 8
>     with error message: "authorize request error"
>
>
>     /etc/glexec.conf
>
>
>     #
>     #  Glexec configuration file
>     #
>     [glexec]
>     silent_logging               = no
>     log_level                    = 0
>     user_white_list              = .pilcms,.cms
>     linger                       = yes
>     user_identity_switch_by      = glexec
>     use_lcas                     = no
>     target_lock_mechanism        = flock
>     input_lock_mechanism         = flock
>     lcmaps_db_file               = /etc/lcmaps/lcmaps-glexec.db
>     lcmaps_log_file              = /var/log/glexec/lcas_lcmaps.log
>     lcmaps_debug_level           = 0
>     lcmaps_log_level             = 1
>     lcmaps_get_account_policy    = glexec_get_account
>     lcmaps_verify_account_policy = glexec_verify_account
>
>     lcas_db_file                 = /etc/lcas/lcas-glexec.db
>     lcas_log_file                = /var/log/glexec/lcas_lcmaps.log
>     lcas_debug_level             = 0
>     lcas_log_level               = 1
>     preserve_env_variables       = no
>     log_destination              = syslog
>
>     /etc/lcmaps/lcmaps-glexec.db
>
>     #
>     # LCMAPS config file for glexec generated by YAIM: Mon Jul 22 16:26:31 MSK 2013
>     #
>
>     # where to look for modules
>     path = /usr/lib64/lcmaps
>
>     # module definitions
>     verify_proxy = "lcmaps_verify_proxy.mod"
>                    " -certdir /etc/grid-security/certificates/"
>                    " --allow-limited-proxy"
>
>     pepc        = "lcmaps_c_pep.mod"
>                   "--pep-daemon-endpoint-url http://grinr07.inr.troitsk.ru:8154/authz"
>                   " -resourceid http://authz-interop.org/xacml/resource/resource-type/wn"
>                   " -actionid http://glite.org/xacml/action/execute"
>                   " -capath /etc/grid-security/certificates/"
>                   " -pep-certificate-mode implicit"
>                   " --use-pilot-proxy-as-cafile" # Add this on RHEL 6 based systems
>
>     glexec_get_account:
>     verify_proxy -> pepc
>
>
>
>     ?? ARGUS-?
>
>     ARGUS:
>
>     root at grinr07 ~]# pap-admin lp
>
>     default (local):
>
>     resource "http://authz-interop.org/xacml/resource/resource-type/wn" {
>         obligation "http://glite.org/xacml/obligation/local-environment-map" {
>         }
>         action "http://glite.org/xacml/action/execute" {
>             rule permit { pfqan="/cms/Role=lcgadmin/Capability=NULL" }
>             rule permit { pfqan="/cms/Role=lcgadmin" }
>             rule permit { pfqan="/cms/Role=production/Capability=NULL" }
>             rule permit { pfqan="/cms/Role=production" }
>             rule permit { pfqan="/cms/Role=pilot/Capability=NULL" }
>             rule permit { pfqan="/cms/Role=pilot" }
>             rule permit { pfqan="/cms/Role=priorityuser/Capability=NULL" }
>             rule permit { pfqan="/cms/Role=priorityuser" }
>             rule permit { pfqan="/cms/Role=hiproduction/Capability=NULL" }
>             rule permit { pfqan="/cms/Role=hiproduction" }
>             rule permit { pfqan="/cms/HeavyIons/Role=NULL/Capability=NULL" }
>             rule permit { pfqan="/cms/HeavyIons" }
>             rule permit { pfqan="/cms/Higgs/Role=NULL/Capability=NULL" }
>             rule permit { pfqan="/cms/Higgs" }
>             rule permit { pfqan="/cms/StandardModel/Role=NULL/Capability=NULL" }
>             rule permit { pfqan="/cms/StandardModel" }
>             rule permit { pfqan="/cms/Susy/Role=NULL/Capability=NULL" }
>             rule permit { pfqan="/cms/Susy" }
>             rule permit { pfqan="/cms/Role=NULL/Capability=NULL" }
>             rule permit { pfqan="/cms" }
>     Best regards,
>          Liudmila.
>
>     >    ?????? ????.
>     >  ??? ????? ?? ?????????? ????? ???????????? ????????? gLexec. ?
>     > ???????????? ?? ??????????, ??? ????? ??? ??????? ?????-?? Argus
>     ??????.
>     ???
>     > ??? ?? ?????? ????? ?????????? ?? ??????? ???-?????? ???????? ??? ?
>     > ??????-?? ??????? ?????????? ? ?????????, ? ???????????? ?????????
>     > "CREAM now supports the use of Argus also on the CE level
>     > (recommended)..."
>     > ??? ?????? - on the CE level? ?? ??? ?? ??????, ??? ? CREAM-CE?
>     >    ??????? ??????? ? ????? ??????????,
>     >    ????????.
>     >
>     > _______________________________________________
>     > RU-NGI mailing list
>     > RU-NGI at theory.sinp.msu.ru <mailto:RU-NGI at theory.sinp.msu.ru>
>     > http://theory.sinp.msu.ru/mailman/listinfo/ru-ngi
>     >
>
>
>     -
>
>
>
>
>
> -- 
> Best Regards,
> Andrey Zarochentsev
>
>

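The `pap-admin lp` policy quoted in the thread can be checked offline before touching the WN: the Python below, added here as an example and not code from the thread or from Argus, parses that simplified-policy format and reports whether a given primary FQAN would be permitted for the execute action on the WN resource. It assumes first-applicable rule ordering and exact string comparison after the `/Role=NULL` and `/Capability=NULL` spellings are folded together, abridges the rule list to three constructed entries, and parses but does not evaluate the obligation block.

```python
import re
# Constructed excerpt of the pap-admin lp output quoted in the thread, abridged to
# three of its /cms rules; the full listing on the page parses the same way.
POLICY_TEXT = '''
resource "http://authz-interop.org/xacml/resource/resource-type/wn" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {
    }
    action "http://glite.org/xacml/action/execute" {
        rule permit { pfqan="/cms/Role=pilot/Capability=NULL" }
        rule permit { pfqan="/cms/Role=pilot" }
        rule permit { pfqan="/cms" }
    }
}
'''
WN = "http://authz-interop.org/xacml/resource/resource-type/wn"
EXECUTE = "http://glite.org/xacml/action/execute"
TOKEN = re.compile(r'"[^"]*"|[{}=]|[^\s{}="]+')   # quoted string | { } = | bare word

def parse_policy(text):
    """Map (resource, action) -> [(effect, {attr: value}), ...] in file order."""
    toks = TOKEN.findall(text)
    unq = lambda t: t[1:-1] if t.startswith('"') else t
    policy, stack, i = {}, [], 0                     # stack: open blocks as (keyword, payload)
    while i < len(toks):
        t = toks[i]
        if t in ("resource", "action", "obligation"):   # keyword "name" {
            stack.append((t, unq(toks[i + 1]))); i += 3
        elif t == "rule":                                # rule permit|deny { attr="v" ... }
            key = tuple(dict(stack)[k] for k in ("resource", "action"))
            stack.append(("rule", (toks[i + 1], {}))); i += 3
            policy.setdefault(key, []).append(stack[-1][1])
        elif t == "}":                                   # closes the innermost open block
            stack.pop(); i += 1
        elif toks[i + 1] == "=":                         # attr="value"; kept only inside rules
            if stack[-1][0] == "rule":
                stack[-1][1][1][t] = unq(toks[i + 2])
            i += 3
        else:
            raise ValueError(f"unexpected token {t!r}")
    return policy

def canonical(fqan):
    return re.sub(r"/(Role|Capability)=NULL", "", fqan)   # '/cms/Role=NULL/Capability=NULL' == '/cms'

def decide(policy, resource, action, attrs):
    """First-applicable rule wins (assumed); no rule matching every attribute -> NotApplicable."""
    for effect, conds in policy.get((resource, action), []):
        if all(canonical(attrs.get(k, "")) == canonical(v) for k, v in conds.items()):
            return effect.capitalize()                   # "Permit" or "Deny"
    return "NotApplicable"
```

A `NotApplicable` here is the policy saying nothing about the FQAN, which is a different failure from the Argus-PEP return code 8 "authorize request error" in the thread's syslog, where the PEP client never obtained a decision at all.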