From 9a0e3712cd319909cbaf5eeae5c1899d7766b338 Mon Sep 17 00:00:00 2001 From: Steve Traylen Date: Mon, 18 Aug 2008 14:53:38 +0000 Subject: [PATCH] For new myproxy-config. --- .../config/functions/config_info_service_px | 2 +- .../config/functions/config_proxy_server | 65 ++++++++++++++++++---- org.glite.yaim.myproxy/config/man/yaim-myproxy.1 | 18 +++++- org.glite.yaim.myproxy/config/services/glite-px | 22 ++++++-- 4 files changed, 90 insertions(+), 17 deletions(-) diff --git a/org.glite.yaim.myproxy/config/functions/config_info_service_px b/org.glite.yaim.myproxy/config/functions/config_info_service_px index 1bbb0ee..06725d6 100644 --- a/org.glite.yaim.myproxy/config/functions/config_info_service_px +++ b/org.glite.yaim.myproxy/config/functions/config_info_service_px @@ -30,7 +30,7 @@ ############################################################################## config_info_service_px_check () { - requires $1 SITE_NAME INSTALL_ROOT + requires $1 SITE_NAME INSTALL_ROOT PX_HOST } config_info_service_px_setenv () { diff --git a/org.glite.yaim.myproxy/config/functions/config_proxy_server b/org.glite.yaim.myproxy/config/functions/config_proxy_server index a6d4dd8..48de34f 100644 --- a/org.glite.yaim.myproxy/config/functions/config_proxy_server +++ b/org.glite.yaim.myproxy/config/functions/config_proxy_server @@ -26,12 +26,16 @@ # NOTES : # # YAIM MODULE: glite-yaim-myproxy +# UPDATES: Ulrich.Schwickerath@cern.ch, Steve.Traylen@cern.ch # ############################################################################## +# +# 21/05/2008 US,ML rewrite to support more configuration options +# config_proxy_server_check () { -requires $1 GRID_TRUSTED_BROKERS +requires $1 return $? } 
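Review bot: In config_proxy_server_check, `requires $1` now names no variables, so the check can no longer fail when the site defines none of the renewer or retriever lists. In that case config_proxy_server (next hunk) writes a policy whose only directive is `accepted_credentials "*"`. If an all-empty configuration is meant to be legal, say so next to the call, for example `# All GRID_* renewer/retriever lists are optional and may be empty.`; otherwise log a WARNING when every list is empty. What `requires` returns when given no names is defined outside this patch and is worth confirming, because `return $?` passes it straight through.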
@@ -46,23 +50,62 @@ config_proxy_server () { INSTALL_ROOT=${INSTALL_ROOT:-/opt} +MYPROXY_CONF=${INSTALL_ROOT}/glite/etc/myproxy-server.conf +MYPROXY_CONF_NEW=${INSTALL_ROOT}/glite/etc/myproxy-server.conf_NEW -if [ -f ${INSTALL_ROOT}/edg/etc/edg-myproxy.conf ]; then - rm -f ${INSTALL_ROOT}/edg/etc/edg-myproxy.conf + +yaimlog DEBUG "Creating Minimal myproxy configuration." +cat < $MYPROXY_CONF_NEW +# YAIM generated configuration file for MyProxy +# +# We allow anyone to use this service. They are checked against the +# installed CAs anyway. +# +accepted_credentials "*" + +EOF + +if [ "x$GRID_TRUSTED_BROKERS" != "x" ] ; then + yaimlog WARNING "Use of GRID_TRUSTED_BROKERS is deprecated in YAIM, use GRID_AUTHORIZED_RENEWERS" + echo "# Adding GRID_TRUSTED_BROKERS as authorized_renewers - Deprecated" >> $MYPROXY_CONF_NEW + split_quoted_variable $GRID_TRUSTED_BROKERS | while read x; do + test "x$x" != "x" && echo "authorized_renewers \"$x\"" >> $MYPROXY_CONF_NEW + done + echo "" >> $MYPROXY_CONF_NEW fi -split_quoted_variable $GRID_TRUSTED_BROKERS | while read x; do - echo "$x" >> ${INSTALL_ROOT}/edg/etc/edg-myproxy.conf +for VALUE in GRID_AUTHORIZED_RENEWERS GRID_DEFAULT_RENEWERS \ + GRID_AUTHORIZED_RETRIEVERS GRID_DEFAULT_RETRIEVERS \ + GRID_AUTHORIZED_KEY_RETRIEVERS GRID_DEFAULT_KEY_RETRIEVERS \ + GRID_TRUSTED_RETRIEVERS GRID_DEFAULT_TRUSTED_RETRIEVERS + +do + KEY=`echo $VALUE | sed 's/^GRID_//' | tr "[:upper:]" "[:lower:]"` + echo "#Adding YAIM value $VALUE if any as $KEY values" >> $MYPROXY_CONF_NEW + split_quoted_variable ${!VALUE} | while read x; do + test "x$x" != "x" && echo "$KEY \"$x\"" >> $MYPROXY_CONF_NEW + done + echo "" >> $MYPROXY_CONF_NEW done /sbin/chkconfig --add myproxy -yaimlog DEBUG "Stopping MyProxy server" -/etc/init.d/myproxy stop < /dev/null -yaimlog DEBUG "Waiting 3 second for a complete stop" -sleep 3 -yaimlog DEBUG "Starting MyProxy server" -/etc/init.d/myproxy start < /dev/null +# +# check if the configuration changed and reload/replace only if 
necessary +# + +[ -f $MYPROXY_CONF ] && diff $MYPROXY_CONF_NEW $MYPROXY_CONF 2>&1 > /dev/null +rc=$? + +if [ $rc == 0 ]; then + yaimlog INFO "MyProxy server configuration unchanged" + rm -f $MYPROXY_CONF_NEW +else + yaimlog INFO "Reloading MyProxy server" + mv $MYPROXY_CONF_NEW $MYPROXY_CONF + /etc/init.d/myproxy reload < /dev/null +fi + return 0 } diff --git a/org.glite.yaim.myproxy/config/man/yaim-myproxy.1 b/org.glite.yaim.myproxy/config/man/yaim-myproxy.1 index aa271df..e8b3824 100644 --- a/org.glite.yaim.myproxy/config/man/yaim-myproxy.1 +++ b/org.glite.yaim.myproxy/config/man/yaim-myproxy.1 @@ -28,7 +28,23 @@ GLOBUS_TCP_PORT_RANGE: Port range for Globus IO. It should be specified as "num1 .TP node specific variables: These variables are defined in /opt/glite/yaim/examples/services/glite-px. .TP -GRID_TRUSTED_BROKERS : List of the DNs of the Resource Brokers host certificates which are trusted by the Proxy node. (ex: /O=Grid/O=CERN/OU=cern.ch/CN=host/testbed013.cern.ch). +GRID_TRUSTED_BROKERS : List of the DNs of the Resource Brokers host certificates which are trusted by the Proxy node. (ex: /O=Grid/O=CERN/OU=cern.ch/CN=host/testbed013.cern.ch). Now deprecated, use GRID_DEFAULT_RENEWERS instead. +.TP +GRID_AUTHORIZED_RENEWERS : List of authorized_renewrs. +.TP +GRID_DEFAULT_RENEWERS : List of default_renewers +.TP +GRID_AUTHORIZED_RETRIEVERS : List of authorized_retrievers. +.TP +GRID_DEFAULT_RETRIEVERS : List of default_retrievers. +.TP +GRID_AUTHORIZED_KEY_RETRIEVERS : List of authorized_key_retrievers. +.TP +GRID_DEFAULT_KEY_RETRIEVERS : List default_key_retrievers. +.TP +GRID_TRUSTED_RETRIEVERS : List of trusted_retrievers. +.TP +GRID_DEFAULT_TRUSTED_RETRIEVERS List of default_trusted_retrievers. .TP .SH EXAMPLES diff --git a/org.glite.yaim.myproxy/config/services/glite-px b/org.glite.yaim.myproxy/config/services/glite-px index 5fbb176..053f1b9 100644 --- a/org.glite.yaim.myproxy/config/services/glite-px 
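Review bot: After the `mv`, the only action is `/etc/init.d/myproxy reload`, its exit status is ignored, and the function still ends in `return 0`. The stop/start sequence it replaces would bring up a server that was not running, whereas on a first install (right after `chkconfig --add`) a reload may leave the new authorization policy unloaded with no error reported. The comparison line also has its redirections in the wrong order (`2>&1 > /dev/null` leaves stderr on the terminal), and the unquoted `${!VALUE}` together with `read x` without `-r` can let word splitting, globbing and backslash processing alter DNs before they are written as ACL entries. The fence shows the tail of the function with `cmp -s`, quoted paths and checked results; how the init script's `reload` behaves when the daemon is stopped is not visible here, so the fallback to `start` is an assumption to confirm. config_proxy_server begins above this hunk.

```shell
# … unchanged: generation of $MYPROXY_CONF_NEW and chkconfig --add …
if [ -f "$MYPROXY_CONF" ] && cmp -s "$MYPROXY_CONF_NEW" "$MYPROXY_CONF"; then
    yaimlog INFO "MyProxy server configuration unchanged"
    rm -f "$MYPROXY_CONF_NEW"
else
    yaimlog INFO "Reloading MyProxy server"
    mv "$MYPROXY_CONF_NEW" "$MYPROXY_CONF" || return 1
    if ! /etc/init.d/myproxy reload < /dev/null; then
        yaimlog WARNING "MyProxy reload failed, trying start"
        /etc/init.d/myproxy start < /dev/null || return 1
    fi
fi
```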
+++ b/org.glite.yaim.myproxy/config/services/glite-px @@ -33,9 +33,23 @@ # GRID_TRUSTED_BROKERS: DNs of services (RBs) allowed to renew/retrives # credentials from/at the myproxy server. Put single quotes around each trusted DN !!! -GRID_TRUSTED_BROKERS=" -'broker one' -'broker two' -" +# Deprecated +#GRID_TRUSTED_BROKERS=" +#'broker one' +#'broker two' +#" + + +GRID_AUTHORIZED_RENEWERS=${GRID_AUTHORIZED_RENEWERS:-""} +# WMS has traditionally used this next one. +GRID_DEFAULT_RENEWERS=${GRID_DEFAULT_RENEWERS:-""} +GRID_AUTHORIZED_RETRIEVERS=${GRID_AUTHORIZED_RETRIEVERS:-""} +GRID_DEFAULT_RETRIEVERS =${GRID_DEFAULT_RETRIEVERS:-""} +GRID_AUTHORIZED_KEY_RETRIEVERS =${GRID_AUTHORIZED_KEY_RETRIEVERS :-""} +GRID_DEFAULT_KEY_RETRIEVERS =${GRID_DEFAULT_KEY_RETRIEVERS :-""} + +# This is what NCG nagios solution uses this next one. +GRID_TRUSTED_RETRIEVERS =${GRID_TRUSTED_RETRIEVERS :-""} +GRID_DEFAULT_TRUSTED_RETRIEVERS=${GRID_DEFAULT_TRUSTED_RETRIEVERS:-""} -- 1.8.2.3
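Review bot: Four of the new assignments are not valid shell as shown: `GRID_DEFAULT_RETRIEVERS =${...}` has a space before `=`, so the shell runs it as a command named GRID_DEFAULT_RETRIEVERS, and `${GRID_AUTHORIZED_KEY_RETRIEVERS :-""}` has a space inside the braces, which is a bad substitution. The affected lines are GRID_DEFAULT_RETRIEVERS, GRID_AUTHORIZED_KEY_RETRIEVERS, GRID_DEFAULT_KEY_RETRIEVERS and GRID_TRUSTED_RETRIEVERS. If this file is sourced as written, those lists would presumably stay unset or the source would abort, and the retriever ACLs an administrator expects would not reach myproxy-server.conf. Drop the alignment whitespace, e.g. `GRID_DEFAULT_RETRIEVERS=${GRID_DEFAULT_RETRIEVERS:-""}`, and do the same for the other three.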