From 9552431576e94653cd10c2e69de0e1723db62b72 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?=
Date: Mon, 22 Mar 2010 18:25:30 +0000
Subject: [PATCH] Authz deployment updates:

- multiple subjects rather into single rule
- no subjects in MONITORING when RTM disabled
- comment into old superusers file
- LCAS plugin enabled with policy
---
 org.glite.lb.doc/src/LBAG-Installation.tex | 4 +++-
 org.glite.lb.server/config/startup | 2 +-
 org.glite.lb.yaim/config/functions/config_glite_lb | 18 ++++++++++++++----
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/org.glite.lb.doc/src/LBAG-Installation.tex b/org.glite.lb.doc/src/LBAG-Installation.tex
index f6ff88a..2668bf8 100644
--- a/org.glite.lb.doc/src/LBAG-Installation.tex
+++ b/org.glite.lb.doc/src/LBAG-Installation.tex
@@ -170,7 +170,7 @@ According to local retention policy you may want to use different purge timeouts
 \item \texttt{GLITE\_LB\_EXPORT\_JPPS} -- Job Provenance Primary Storage where to export purged jobs, required if export to JP is enabled
 \item \texttt{GLITE\_JP\_LOCATION} -- optional parameter for combining LB and JP subsystems on the different locations
 \item \texttt{GLITE\_LB\_RTM\_ENABLED} -- enable settings for Real Time Monitor - indexes and additional access (default: false)
-\item \texttt{GLITE\_LB\_RTM\_DN} -- DN using to get notifications from \LB server\\
+\item \texttt{GLITE\_LB\_RTM\_DN} -- DNs using to get notifications from \LB server\\
 (default: \texttt{heppc24.hep.ph.ic.ac.uk} machine certificate)
 \item \texttt{GLITE\_LB\_SUPER\_USERS} -- additional super-users (default: empty)
 \item \texttt{GLITE\_LB\_TYPE} -- type of the \LB service: server, proxy, both (default: server)
@@ -182,6 +182,8 @@ According to local retention policy you may want to use different purge timeouts In addition to those, YAIM LB module uses following parameters: \texttt{INSTALL\_ROOT}, \texttt{GLITE\_LOCATION\_VAR}, \texttt{GLITE\_USER}, \texttt{SITE\_EMAIL}. +Lists separated by comma (\texttt{GLITE\_LB\_RTM\_DN} and \texttt{GLITE\_LB\_SUPER\_USERS}). + \subsubsection{Migration to a different OS version} \label{inst:OSmigration} Migration of a LB server to different machine is possible using diff --git a/org.glite.lb.server/config/startup b/org.glite.lb.server/config/startup index f8dcb9e..935f3da 100755 --- a/org.glite.lb.server/config/startup +++ b/org.glite.lb.server/config/startup @@ -137,7 +137,7 @@ start() policy="$GLITE_LOCATION/etc/glite-lb-authz.conf" if test -f "$policy"; then - policy="--policy '$policy'" + policy="--enable-lcas --policy '$policy'" else unset policy fi diff --git a/org.glite.lb.yaim/config/functions/config_glite_lb b/org.glite.lb.yaim/config/functions/config_glite_lb index d3f920f..5d4518c 100644 --- a/org.glite.lb.yaim/config/functions/config_glite_lb +++ b/org.glite.lb.yaim/config/functions/config_glite_lb @@ -47,18 +47,22 @@ function config_glite_lb_authz() { superusers="$1" rtm="$2" - superusers="`echo \"$superusers\"| grep -v ^$ | sed 's/\(.*\)/\trule permit {\n\t\tsubject = \"\1\" }\n\t}\n/'`" - rtm="`echo \"$rtm\"| grep -v ^$ | sed 's/\(.*\)/\trule permit {\n\t\tsubject = \"\1\" }\n\t}\n/'`" + superusers="`echo \"$superusers\"| grep -v ^$ | tr ',' '\n' | sed 's/\(.*\)/\t\tsubject = \"\1\"/'`" + rtm="`echo \"$rtm\"| grep -v ^$ | tr ',' '\n' | sed 's/\(.*\)/\t\tsubject = \"\1\"/'`" cat < "$GLITE_LOCATION/etc/glite-lb-authz.conf.new" resource "LB" { action "ADMIN_ACCESS" { + rule permit { $superusers + } } action "STATUS_FOR_MONITORING" { + rule permit { $rtm + } } action "LOG_WMS_EVENTS" { 
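Review bot: `--enable-lcas` is now switched on by the same `test -f "$policy"` that selects the policy file, so the two are coupled without any explanation in the script; a one-line comment above the `if` would help, e.g. `# the LCAS plugin is only useful together with an authz policy, so enable both at once`. The option string also carries embedded single quotes (`--policy '$policy'`), which only do their job if `$policy` is later expanded through `eval`; if it is expanded unquoted, the quotes become part of the path, and under bash an array (`policy=(--enable-lcas --policy "$policy")`) would avoid the problem. How the variable is consumed is outside the hunk, as is the rest of `start()`.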
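Review bot: The here-document now emits `rule permit {` … `}` unconditionally, so when the list is empty — every deployment with no `GLITE_LB_SUPER_USERS`, and `STATUS_FOR_MONITORING` whenever the caller (hunk at line 274) passes `""` — the generated `glite-lb-authz.conf` contains a permit rule with no subject, whereas the old code emitted no rule at all in that case. Unless the policy parser is known to treat a subject-less rule as matching nobody this needs to be verified, because the other reading grants ADMIN_ACCESS or monitoring to every caller; the safe shape is to emit the whole `rule permit { … }` block only when at least one subject survived. The `tr ',' '\n'` split also runs after `grep -v ^$`, so a trailing or doubled comma yields `subject = ""` and a blank after a comma yields a DN with a leading space — filter empties after the split and strip surrounding blanks. DNs containing `"` or `\` would break the generated quoting as well; worth a comment, since the values come from the YAIM site configuration. `config_glite_lb_authz` continues past the end of the hunk.
```sh
superusers="`echo \"$superusers\" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -v '^$' | sed 's/\(.*\)/\t\tsubject = \"\1\"/'`"
if test -n "$superusers"; then
  superusers="`printf '\trule permit {\n%s\n\t}' \"$superusers\"`"
fi
# … same four lines for rtm …
# … unchanged: here-document, minus the unconditional "rule permit {" / "}" lines around $superusers and $rtm …
```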
@@ -88,7 +92,9 @@ EOF # superusers file deprecated if test -s "${GLITE_LOCATION}/etc/LB-super-users"; then yaimlog WARNING "Found old superusers file '${GLITE_LOCATION}/etc/LB-super-users', check 'ADMIN_ACCESS' section in glite-lb-authz.conf" - mv "${GLITE_LOCATION}/etc/LB-super-users" "${GLITE_LOCATION}/etc/LB-super-users.old" + echo "# deprecated file, replaced by ADMIN_ACCESS action in glite-lb-authz.conf" > "${GLITE_LOCATION}/etc/LB-super-users.old" + cat "${GLITE_LOCATION}/etc/LB-super-users" >> "${GLITE_LOCATION}/etc/LB-super-users.old" + rm "${GLITE_LOCATION}/etc/LB-super-users" fi mv "$GLITE_LOCATION/etc/glite-lb-authz.conf.new" "$GLITE_LOCATION/etc/glite-lb-authz.conf" @@ -268,7 +274,11 @@ EOF echo "${GLITE_LOCATION}/etc/init.d/glite-lb-bkserverd" >> ${GLITE_LOCATION}/etc/gLiteservices fi - config_glite_lb_authz "$GLITE_LB_SUPER_USERS" "$GLITE_LB_RTM_DN" + if [ x"$GLITE_LB_RTM_ENABLED" = x"true" ]; then + config_glite_lb_authz "$GLITE_LB_SUPER_USERS" "$GLITE_LB_RTM_DN" + else + config_glite_lb_authz "$GLITE_LB_SUPER_USERS" "" + fi if [ ! -f ${GLITE_LOCATION}/etc/glite-lb-harvester.conf ]; then echo $HOSTNAME > ${GLITE_LOCATION}/etc/glite-lb-harvester.conf -- 1.8.2.3
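Review bot: Replacing the single `mv` by `echo` + `cat` + `rm` is not failure-safe: the `rm` runs even when the `cat` into `LB-super-users.old` failed (unwritable directory, full disk), so the only copy of the old super-user list can be lost, whereas the old `mv` either succeeded or left the file in place. Chain the steps so the original is removed only after the copy is complete, e.g. `{ echo "# deprecated file, replaced by ADMIN_ACCESS action in glite-lb-authz.conf"; cat "${GLITE_LOCATION}/etc/LB-super-users"; } > "${GLITE_LOCATION}/etc/LB-super-users.old" && rm "${GLITE_LOCATION}/etc/LB-super-users"`. The enclosing function continues outside the hunk.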
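Review bot: The two branches of the new `if` differ only in the second argument passed to `config_glite_lb_authz`, and nothing says why the RTM DNs are dropped when RTM is disabled; since the documentation hunk in this patch gives `GLITE_LB_RTM_DN` a default of the `heppc24.hep.ph.ic.ac.uk` machine certificate, this gate is what keeps that external identity out of `STATUS_FOR_MONITORING` on sites that never enabled RTM, and that deserves a comment, e.g. `# grant monitoring access to the RTM DNs only when RTM is explicitly enabled; GLITE_LB_RTM_DN has a non-empty default`. The branches could then collapse into one call: `rtm_dn=""`, `[ x"$GLITE_LB_RTM_ENABLED" = x"true" ] && rtm_dn="$GLITE_LB_RTM_DN"`, `config_glite_lb_authz "$GLITE_LB_SUPER_USERS" "$rtm_dn"`. The comparison is case-sensitive, so `True` or `yes` silently land in the disabled branch — that fails closed, but a `yaimlog` notice for unrecognised values would make the misconfiguration visible. The enclosing function starts before the hunk.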