From: František Dvořák
Date: Tue, 26 Apr 2011 17:05:58 +0000 (+0000)
Subject: Support for GLITE_LB_WMS_DN and GLITE_LB_AUTHZ_* yaim parameters.
X-Git-Tag: glite-lb-emi-lb_R_1_0_0_1~4
X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=d241cd8adbb1cc71c8e1a102ff0f2a705a0ad44f;p=jra1mw.git

Support for GLITE_LB_WMS_DN and GLITE_LB_AUTHZ_* yaim parameters.
---

diff --git a/org.glite.lb.doc/src/LBAG-Installation.tex b/org.glite.lb.doc/src/LBAG-Installation.tex
index 31ab6bb..43d5926 100644
--- a/org.glite.lb.doc/src/LBAG-Installation.tex
+++ b/org.glite.lb.doc/src/LBAG-Installation.tex
@@ -187,9 +187,6 @@ According to local retention policy you may want to use different purge timeouts
 \item \texttt{GLITE\_LB\_EXPORT\_ENABLED} -- set to \texttt{true} for export to JP, installed glite-lb-client and glite-jp-client are needed (default: \texttt{false})
 \item \texttt{GLITE\_LB\_EXPORT\_JPPS} -- Job Provenance Primary Storage where to export purged jobs, required if export to JP is enabled
 \item \texttt{GLITE\_LB\_RTM\_ENABLED} -- enable settings for Real Time Monitor - indexes and additional access (default: false)
-\item \texttt{GLITE\_LB\_RTM\_DN} -- DNs using to get notifications from \LB server\\
-(default: \texttt{heppc24.hep.ph.ic.ac.uk} machine certificate)
-\item \texttt{GLITE\_LB\_SUPER\_USERS} -- additional super-users (default: empty)
 \item \texttt{GLITE\_LB\_TYPE} -- type of the \LB service: server, proxy, both (default: autodetect, \LB node only: 'server', WMS node only: proxy, \LB and WMS: 'both')
 \item \texttt{GLITE\_LB\_INDEX\_OWNER} -- when specified, add (\texttt{true}) or drop (\texttt{false}) 'owner' index (default: 'owner' index not touched)
 \item \texttt{GLITE\_LB\_MSG\_BROKER} -- URL of the MSG broker, 'auto' for looking in BDII, 'false' for disabling MSG notifications (default: auto)
@@ -197,6 +194,15 @@ According to local retention policy you may want to use different purge timeouts \item \texttt{LCG\_GFAL\_INFOSYS} -- BDII servers (default: lcg-bdii.cern.ch:2170) \end{itemize} +Authorization: +\begin{itemize} +\item \texttt{GLITE\_LB\_SUPER\_USERS} -- additional super-users (default: empty) +\item \texttt{GLITE\_LB\_WMS\_DN} -- DNs of WMS servers (default: empty) +\item \texttt{GLITE\_LB\_RTM\_DN} -- DNs using to get notifications from \LB server\\ +(default: \texttt{heppc24.hep.ph.ic.ac.uk} machine certificate) +\item \texttt{GLITE\_LB\_AUTHZ\_} -- more detailed tuning of access grants, see Section~\ref{inst:authz} (default: empty, '.*' for logging and job registrations) +\end{itemize} + Additional helper or legacy parameters for \LB: \begin{itemize} \item \texttt{GLITE\_LB\_LOCATION} -- \LB prefix (default: \texttt{/opt/glite} or \texttt{/usr}) @@ -213,7 +219,7 @@ export data are written for use by lgcmon/R-GMA In addition to those, YAIM LB module uses following parameters: \texttt{INSTALL\_ROOT}, \texttt{GLITE\_LOCATION\_VAR}, \texttt{GLITE\_USER}, \texttt{SITE\_EMAIL}. -Lists separated by comma (\texttt{GLITE\_LB\_RTM\_DN} and \texttt{GLITE\_LB\_SUPER\_USERS}). +Lists are separated by comma. \subsubsection{Migration to a different OS version} \label{inst:OSmigration} diff --git a/org.glite.lb.yaim/config/defaults/glite-lb.pre b/org.glite.lb.yaim/config/defaults/glite-lb.pre index 6af4bf9..0902e5d 100644 --- a/org.glite.lb.yaim/config/defaults/glite-lb.pre +++ b/org.glite.lb.yaim/config/defaults/glite-lb.pre 
@@ -32,19 +32,30 @@ GLITE_JP_LOCATION= # L&B configuration # -# L&B super users (separated by comma) -GLITE_LB_SUPER_USERS= # L&B service type (server/proxy/both), overrided by YAIM when needed GLITE_LB_TYPE= # configure glite-LB to be used with Real Time Monitor (harvester) GLITE_LB_RTM_ENABLED='false' -# Real Time Monitoring identities (separated by comma) -GLITE_LB_RTM_DN='/C=UK/O=eScience/OU=Imperial/L=Physics/CN=heppc24.hep.ph.ic.ac.uk/Email=janusz.martyniak@imperial.ac.uk' # MSG publish GLITE_LB_MSG_BROKER='true' GLITE_LB_MSG_NETWORK='PROD' LCG_GFAL_INFOSYS='lcg-bdii.cern.ch:2170' +# L&B authorization (items in list separated by comma) +GLITE_LB_SUPER_USERS= +GLITE_LB_WMS_DN= +GLITE_LB_RTM_DN='/C=UK/O=eScience/OU=Imperial/L=Physics/CN=heppc24.hep.ph.ic.ac.uk/Email=janusz.martyniak@imperial.ac.uk' +GLITE_LB_AUTHZ_ADMIN_ACCESS= +GLITE_LB_AUTHZ_READ_ALL= +GLITE_LB_AUTHZ_READ_PURGE= +GLITE_LB_AUTHZ_STATUS_FOR_MONITORING= +GLITE_LB_AUTHZ_GET_STATISTICS= +GLITE_LB_AUTHZ_GRANT_OWNERSHIP= +GLITE_LB_AUTHZ_REGISTER_JOBS=".*" +GLITE_LB_AUTHZ_LOG_WMS_EVENTS=".*" +GLITE_LB_AUTHZ_LOG_CE_EVENTS=".*" +GLITE_LB_AUTHZ_LOG_GENERAL_EVENTS=".*" + # # additional options # diff --git a/org.glite.lb.yaim/config/functions/config_glite_lb.in b/org.glite.lb.yaim/config/functions/config_glite_lb.in index 8c8afbe..3ad5999 100644 --- a/org.glite.lb.yaim/config/functions/config_glite_lb.in +++ b/org.glite.lb.yaim/config/functions/config_glite_lb.in 
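Review bot: `GLITE_LB_AUTHZ_READ_PURGE=` is the one new default whose name does not line up with the generator in config_glite_lb.in (next hunk), whose loop iterates a section named `PURGE` and therefore looks up `GLITE_LB_AUTHZ_PURGE`; a value configured here is never read, and the PURGE action is built only from the WMS DNs. Either rename this line to `GLITE_LB_AUTHZ_PURGE=` or change the loop entry, so that the defaults file, the documented `GLITE_LB_AUTHZ_` prefix and the generated action name agree (the page does not show which spelling the L&B server itself expects). The four `".*"` defaults reproduce rules that were previously hard-coded in the generator but now sit where a site administrator edits them, so they deserve a comment on what they grant, e.g. `# ".*" matches any subject: every authenticated identity may register jobs and log events`. The header comment `# L&B authorization (items in list separated by comma)` could also say that the items are subject DNs, apparently matched as patterns given the `.*` defaults.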
@@ -102,48 +102,34 @@ function config_glite_lb_setenv(){ function config_glite_lb_authz() { superusers="$1" rtm="$2" + wms="$GLITE_LB_WMS_DN" - superusers="`echo \"$superusers\" | tr ',' '\n' | grep -v ^$ | sed 's/\(.*\)/\trule permit {\n\t\tsubject = \"\1\"\n\t}/'`" - rtm="`echo \"$rtm\" | tr ',' '\n' | grep -v ^$ | sed 's/\(.*\)/\trule permit {\n\t\tsubject = \"\1\"\n\t}/'`" authconf="$GLITE_LB_LOCATION_ETC/glite-lb/glite-lb-authz.conf" cat < "$authconf".new resource "LB" { - -action "ADMIN_ACCESS" { -$superusers -} - -action "READ_ALL" { -$rtm -} - -action "REGISTER_JOBS" { - rule permit { - subject = ".*" - } -} - -action "LOG_WMS_EVENTS" { - rule permit { - subject = ".*" - } -} - -action "LOG_CE_EVENTS" { - rule permit { - subject = ".*" - } -} - -action "LOG_GENERAL_EVENTS" { - rule permit { - subject = ".*" - } +EOF + for section in ADMIN_ACCESS STATUS_FOR_MONITORING GET_STATISTICS REGISTER_JOBS READ_ALL PURGE GRANT_OWNERSHIP LOG_WMS_EVENTS LOG_CE_EVENTS LOG_GENERAL_EVENTS; do + eval value=\"$`echo GLITE_LB_AUTHZ_$section`\" + case "$section" in + ADMIN_ACCESS) value="$value,$superusers" ;; + READ_ALL) value="$value,$wms,$rtm" ;; + PURGE) value="$value,$wms" ;; + LOG_WMS_EVENTS) value="$value,$wms" ;; + esac + value="`echo \"$value\" | tr ',' '\n' | grep -v ^$ | sed 's/\(.*\)/\trule permit {\n\t\tsubject = \"\1\"\n\t}/'`" + cat <> "$authconf".new + +action "$section" { +$value } +EOF + done + cat <> "$authconf".new } EOF + # something changed if test -f "$authconf"; then diff -w "$authconf" "$authconf".new >/dev/null
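Review bot: `wms="$GLITE_LB_WMS_DN"` reads the WMS DN list straight from the environment while `superusers` and `rtm` still arrive as `$1` and `$2`, so the function now mixes two conventions for the same kind of input; passing it as a third argument (`wms="$3"`) from the caller keeps the interface uniform and the function testable in isolation. The `eval value=\"$`echo GLITE_LB_AUTHZ_$section`\"` line is safe only because `section` comes from the literal list on the `for` line; if the file is bash (the `function` keyword suggests it), `var="GLITE_LB_AUTHZ_$section"; value="${!var}"` performs the same lookup without eval, and a comment on the loop should state that these section names must match the `GLITE_LB_AUTHZ_*` variables in glite-lb.pre. Each DN is also written unescaped into `subject = "..."`, which the `.*` defaults indicate is read as a pattern, so a DN containing `"` or pattern metacharacters yields a malformed or looser rule than intended and is worth a check or at least a comment. config_glite_lb_authz continues past the end of the hunk.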