\item \texttt{GLITE\_LB\_EXPORT\_ENABLED} -- set to \texttt{true} for export to JP, installed glite-lb-client and glite-jp-client are needed (default: \texttt{false})
\item \texttt{GLITE\_LB\_EXPORT\_JPPS} -- Job Provenance Primary Storage where to export purged jobs, required if export to JP is enabled
\item \texttt{GLITE\_LB\_RTM\_ENABLED} -- enable settings for Real Time Monitor - indexes and additional access (default: false)
-\item \texttt{GLITE\_LB\_RTM\_DN} -- DNs using to get notifications from \LB server\\
-(default: \texttt{heppc24.hep.ph.ic.ac.uk} machine certificate)
-\item \texttt{GLITE\_LB\_SUPER\_USERS} -- additional super-users (default: empty)
\item \texttt{GLITE\_LB\_TYPE} -- type of the \LB service: server, proxy, both (default: autodetect, \LB node only: 'server', WMS node only: proxy, \LB and WMS: 'both')
\item \texttt{GLITE\_LB\_INDEX\_OWNER} -- when specified, add (\texttt{true}) or drop (\texttt{false}) 'owner' index (default: 'owner' index not touched)
\item \texttt{GLITE\_LB\_MSG\_BROKER} -- URL of the MSG broker, 'auto' for looking in BDII, 'false' for disabling MSG notifications (default: auto)
\item \texttt{LCG\_GFAL\_INFOSYS} -- BDII servers (default: lcg-bdii.cern.ch:2170)
\end{itemize}
+Authorization:
+\begin{itemize}
+\item \texttt{GLITE\_LB\_SUPER\_USERS} -- additional super-users (default: empty)
+\item \texttt{GLITE\_LB\_WMS\_DN} -- DNs of WMS servers (default: empty)
+\item \texttt{GLITE\_LB\_RTM\_DN} -- DNs using to get notifications from \LB server\\
+(default: \texttt{heppc24.hep.ph.ic.ac.uk} machine certificate)
+\item \texttt{GLITE\_LB\_AUTHZ\_<category>} -- more detailed tuning of access grants, see Section~\ref{inst:authz} (default: empty, '.*' for logging and job registrations)
+\end{itemize}
+
Additional helper or legacy parameters for \LB:
\begin{itemize}
\item \texttt{GLITE\_LB\_LOCATION} -- \LB prefix (default: \texttt{/opt/glite} or \texttt{/usr})
In addition to those, YAIM LB module uses following parameters:
\texttt{INSTALL\_ROOT}, \texttt{GLITE\_LOCATION\_VAR}, \texttt{GLITE\_USER}, \texttt{SITE\_EMAIL}.
-Lists separated by comma (\texttt{GLITE\_LB\_RTM\_DN} and \texttt{GLITE\_LB\_SUPER\_USERS}).
+Lists are separated by comma.
\subsubsection{Migration to a different OS version}
\label{inst:OSmigration}
# L&B configuration
#
-# L&B super users (separated by comma)
-GLITE_LB_SUPER_USERS=
# L&B service type (server/proxy/both), overrided by YAIM when needed
GLITE_LB_TYPE=
# configure glite-LB to be used with Real Time Monitor (harvester)
GLITE_LB_RTM_ENABLED='false'
-# Real Time Monitoring identities (separated by comma)
-GLITE_LB_RTM_DN='/C=UK/O=eScience/OU=Imperial/L=Physics/CN=heppc24.hep.ph.ic.ac.uk/Email=janusz.martyniak@imperial.ac.uk'
# MSG publish
GLITE_LB_MSG_BROKER='true'
GLITE_LB_MSG_NETWORK='PROD'
LCG_GFAL_INFOSYS='lcg-bdii.cern.ch:2170'
+# L&B authorization (items in list separated by comma)
+GLITE_LB_SUPER_USERS=
+GLITE_LB_WMS_DN=
+GLITE_LB_RTM_DN='/C=UK/O=eScience/OU=Imperial/L=Physics/CN=heppc24.hep.ph.ic.ac.uk/Email=janusz.martyniak@imperial.ac.uk'
+GLITE_LB_AUTHZ_ADMIN_ACCESS=
+GLITE_LB_AUTHZ_READ_ALL=
+GLITE_LB_AUTHZ_READ_PURGE=
+GLITE_LB_AUTHZ_STATUS_FOR_MONITORING=
+GLITE_LB_AUTHZ_GET_STATISTICS=
+GLITE_LB_AUTHZ_GRANT_OWNERSHIP=
+GLITE_LB_AUTHZ_REGISTER_JOBS=".*"
+GLITE_LB_AUTHZ_LOG_WMS_EVENTS=".*"
+GLITE_LB_AUTHZ_LOG_CE_EVENTS=".*"
+GLITE_LB_AUTHZ_LOG_GENERAL_EVENTS=".*"
+
#
# additional options
#
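Review bot: The new default `GLITE_LB_AUTHZ_READ_PURGE=` names a variable that the generator in config_glite_lb_authz never reads: its section list contains `PURGE`, so the lookup there is `GLITE_LB_AUTHZ_PURGE`, and a value an admin puts into `READ_PURGE` silently has no effect on the generated action. Either rename the default here to `GLITE_LB_AUTHZ_PURGE=` or rename the loop entry in the function hunk to `READ_PURGE` so that the variable, the section name and the documented `GLITE_LB_AUTHZ_<category>` convention agree. The comment above the block could also say what the entries are, since the `".*"` defaults for the four logging/registration categories are written straight into `subject = ".*"` rules: `# L&B authorization: comma-separated lists of subject DN patterns; ".*" grants every subject`.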
function config_glite_lb_authz() {
superusers="$1"
rtm="$2"
+ wms="$GLITE_LB_WMS_DN"
- superusers="`echo \"$superusers\" | tr ',' '\n' | grep -v ^$ | sed 's/\(.*\)/\trule permit {\n\t\tsubject = \"\1\"\n\t}/'`"
- rtm="`echo \"$rtm\" | tr ',' '\n' | grep -v ^$ | sed 's/\(.*\)/\trule permit {\n\t\tsubject = \"\1\"\n\t}/'`"
authconf="$GLITE_LB_LOCATION_ETC/glite-lb/glite-lb-authz.conf"
cat <<EOF > "$authconf".new
resource "LB" {
-
-action "ADMIN_ACCESS" {
-$superusers
-}
-
-action "READ_ALL" {
-$rtm
-}
-
-action "REGISTER_JOBS" {
- rule permit {
- subject = ".*"
- }
-}
-
-action "LOG_WMS_EVENTS" {
- rule permit {
- subject = ".*"
- }
-}
-
-action "LOG_CE_EVENTS" {
- rule permit {
- subject = ".*"
- }
-}
-
-action "LOG_GENERAL_EVENTS" {
- rule permit {
- subject = ".*"
- }
+EOF
+ for section in ADMIN_ACCESS STATUS_FOR_MONITORING GET_STATISTICS REGISTER_JOBS READ_ALL PURGE GRANT_OWNERSHIP LOG_WMS_EVENTS LOG_CE_EVENTS LOG_GENERAL_EVENTS; do
+ eval value=\"$`echo GLITE_LB_AUTHZ_$section`\"
+ case "$section" in
+ ADMIN_ACCESS) value="$value,$superusers" ;;
+ READ_ALL) value="$value,$wms,$rtm" ;;
+ PURGE) value="$value,$wms" ;;
+ LOG_WMS_EVENTS) value="$value,$wms" ;;
+ esac
+ value="`echo \"$value\" | tr ',' '\n' | grep -v ^$ | sed 's/\(.*\)/\trule permit {\n\t\tsubject = \"\1\"\n\t}/'`"
+ cat <<EOF >> "$authconf".new
+
+action "$section" {
+$value
}
+EOF
+ done
+ cat <<EOF >> "$authconf".new
}
EOF
+
# something changed
if test -f "$authconf"; then
diff -w "$authconf" "$authconf".new >/dev/null
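Review bot: The indirection on the `eval value=\"$`echo GLITE_LB_AUTHZ_$section`\"` line forks a subshell and re-parses a command for every section, where bash's indirect expansion does the same lookup without eval; `name="GLITE_LB_AUTHZ_$section"` followed by `value="${!name}"` reads the same variable. The current form keeps the variable's contents inside the double quotes that eval sees, so it is not itself a code-injection point, but a reviewer has to work that out, whereas `${!name}` is obviously a plain read. The same `tr | grep | sed` pipeline that turns the list into `rule permit` blocks is now applied to the admin-supplied `GLITE_LB_AUTHZ_*` values as well as to the DN lists, and any entry containing a double quote ends up unescaped inside `subject = "..."`; a short comment noting that entries must not contain `"` would help whoever fills in site-info. config_glite_lb_authz continues past the end of the hunk.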