.\" Hey, EMACS: -*- nroff -*- .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) .TH LCMAPS_JOBREP.MOD 8 "August 31, 2012" Nikhef "Site Access Control" .\" Please adjust this date whenever revising the manpage. .\" .\" Some roff macros, for reference: .\" .nh disable hyphenation .\" .hy enable hyphenation .\" .ad l left justify .\" .ad b justify to both left and right margins .\" .nf disable filling .\" .fi enable filling .\" .br insert line break .\" .sp insert n+1 empty lines .\" for manpage-specific macros, see man(7) .SH NAME lcmaps_jobrep.mod \- jobrepository LCMAPS plug-in .SH SYNOPSIS .B lcmaps_jobrep.mod .RB [ --test ] .RB --dsn .IR .RB --username .IR .RB --password .IR .SH DESCRIPTION The LCMAPS Jobrepository plug-in stores credentials and the resulting account mappings into a relational database. This plugin will link up all the known in-process information from LCMAPS core memory and stores it in a database. This plug-in uses ODBC (http://en.wikipedia.org/wiki/ODBC) to connect to the database. The current state of the mappings between various credentials and Unix accounts is stored in an open database on disk, but this information can change over time through (regular) system administrative interventions. This state is now preserved in a relational database with the added benefit of being accessible by other systems, e.g. GridSAFE and build-up an easy to backup historic view on the mapping state. Quite some systems seem to dig up data by trawling log files, e.g. to construct accounting data records. This method is subjected to the settings of the sub-systems which control the format of the log file output. Log trawling tools are interacting with the log files as a glorified API. This lowers the ability for tools, e.g. LCMAPS, to alter their log output. 
The LCMAPS Jobrepository plug-in is offered as an alternative: it provides the
data in a structured, fine-grained database with a historic view, with the
intent of removing the need for log file trawling.
.SH DATABASE SCHEMA EXTENSIONS
The schema can be used to link up account mapping and/or credential mapping
results originating from other credential types, and to link up more
fine-grained details from the specific work environment, i.e. a Gatekeeper or
GridFTPd will be able to add service-specific information alongside the
mapping results.
.SH FUTURE
The LCMAPS Jobrepository plug-in is currently limited to MySQL and MariaDB
despite its use of the ODBC database interface. The intent is to remove this
limitation and make the plug-in work with other databases, e.g. PostgreSQL,
Oracle and SQLite.
.SH OPTIONS
.TP
.BI --test
When enabled, the plug-in only tests whether a connection to the database can
be established through ODBC. The test verifies the correctness of the DSN,
username and password combination. The plug-in returns LCMAPS_MOD_SUCCESS when
the connection was established, and LCMAPS_MOD_FAIL when it could not be
established.
.TP
.BI --dsn\ 
Selects the Data Source Name (DSN) defined in an \fBodbc.ini\fR file. Use the
\fBodbc.ini\fR file to configure the database driver, server/host, port number
and database name. See below for an example odbc.ini file.
.TP
.BI --username\ 
Specifies the database username the LCMAPS module uses to authenticate itself
to the database.
.TP
.BI --password\ 
Specifies the database password the LCMAPS module uses to authenticate itself.
This option can be omitted if the password is set in the odbc.ini file.
\fBWARNING\fR: make sure the read permissions on the lcmaps.db file are
restricted to the service that uses it, i.e. it is probably best to make the
file readable by root:root only. The same applies to the odbc.ini file when
the password is stored there.
.SH "RETURN VALUES"
.TP
.B LCMAPS_MOD_SUCCESS
Success.
.TP
.B LCMAPS_MOD_FAIL
Failure.
.SH EXAMPLES
Notice that the \fB--dsn\fR value matches the \fBDSN\fR shown in the .ini
\fBsection header\fR. Also notice that the posix_enf plug-in is executed
\fBafter\fR the jobrep plug-in; the motivation is to make use of privilege
separation and thereby protect the database password.
.TP
.B Example lcmaps.db
.nf
jobrep = "lcmaps_jobrep.mod" "--dsn \fBMySQL-test\fR" "--username root" "--password worteltjes"

example_plugin_policy:
verifyproxy -> vomslocalgroup
vomslocalgroup -> vomspoolaccount
vomspoolaccount -> tracking_groupid
tracking_groupid -> jobrep
jobrep -> posix_enf
.fi
.TP
.B Example /etc/odbc.ini file:
.nf
[\fBMySQL-test\fR]
Description = MySQL test database
Driver      = MySQL
SERVER      = 127.0.0.1
PORT        = 3306
DATABASE    = jobrepository
.fi
.SH SUPPORTED\ INSTALLATIONS
.TP
.B Tested front-end tools and services
gLExec
.br
globus-gridftp-server
.br
globus-gatekeeper
.TP
.B Likely to work
SCAS
.br
lcmaps-rest (only the Full-SSL interface)
.br
gsi-openssh-server
.TP
.B Front-ends that will likely NOT work
WMProxy
.br
StoRM backend
.SH LIMITATIONS
Front-ends that do not use an LCMAPS interface that provides certificates
cannot currently be supported: the 1.5 version requires a certificate chain
to work from.
.SH BUGS
Please report any errors to the Nikhef Grid Middleware Security Team.
.SH SEE ALSO
.BR lcmaps (8),
.BR lcmaps_jobrep.mod (8),
.BR mysql (1).
.br
More information can be found on-line at
\fBhttps://wiki.nikhef.nl/grid/Site_Access_Control\fR
the Nikhef Wiki on Site Access Control and
\fBhttps://wiki.nikhef.nl/grid/LCMAPS\fR
the Nikhef Wiki on LCMAPS and other plug-ins.
.SH AUTHOR
The Jobrepository and the LCMAPS plug-ins were written by the Nikhef Grid
Middleware Security Team.
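As an added example (not part of this man page or the LCMAPS project), a small Python audit that checks the three configuration points the EXAMPLES and OPTIONS sections make: the --dsn value names a section in odbc.ini, posix_enf is reached only directly from the jobrep plug-in so the password stays behind privilege separation, and an lcmaps.db that carries --password is not group- or world-accessible. The sample file contents are constructed from the man page's examples; lcmaps_db_mode is assumed to be the st_mode that os.stat returns for lcmaps.db on a real system.

```python
import re
import stat
import configparser

# Constructed sample files, modelled on the examples in this man page (not the project's own files).
SAMPLE_LCMAPS_DB = """\
jobrep = "lcmaps_jobrep.mod" "--dsn MySQL-test" "--username root" "--password worteltjes"

example_plugin_policy:
verifyproxy -> vomslocalgroup
vomslocalgroup -> vomspoolaccount
vomspoolaccount -> tracking_groupid
tracking_groupid -> jobrep
jobrep -> posix_enf
"""
SAMPLE_ODBC_INI = "[MySQL-test]\nDriver = MySQL\nSERVER = 127.0.0.1\nPORT = 3306\nDATABASE = jobrepository\n"


def jobrep_options(lcmaps_db_text):
    """Return (alias, {option: value}) for the lcmaps_jobrep.mod line, or (None, {}) if absent."""
    for line in lcmaps_db_text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"lcmaps_jobrep\.mod"(.*)', line)
        if m:
            opts = {}
            for arg in re.findall(r'"([^"]*)"', m.group(2)):
                key, _, value = arg.partition(" ")
                opts[key] = value.strip()
            return m.group(1), opts
    return None, {}


def policy_edges(lcmaps_db_text):
    """Parse the 'a -> b' lines of the policy section into (from, to) pairs."""
    return [tuple(s.strip() for s in line.split("->", 1))
            for line in lcmaps_db_text.splitlines() if "->" in line]


def audit(lcmaps_db_text, odbc_ini_text, lcmaps_db_mode):
    """Return a list of findings (empty means the setup follows the man page's advice).
    lcmaps_db_mode is the st_mode of lcmaps.db; on a real system pass os.stat(path).st_mode."""
    findings = []
    alias, opts = jobrep_options(lcmaps_db_text)
    if alias is None:
        return ["no lcmaps_jobrep.mod entry found in lcmaps.db"]
    ini = configparser.ConfigParser()
    ini.read_string(odbc_ini_text)
    if not ini.has_section(opts.get("--dsn", "")):
        findings.append("--dsn %r has no matching [section] in odbc.ini" % opts.get("--dsn"))
    edges = policy_edges(lcmaps_db_text)
    if (alias, "posix_enf") not in edges or any(s != alias for s, d in edges if d == "posix_enf"):
        findings.append("posix_enf must run directly after %s to keep the password behind privilege separation" % alias)
    if "--password" in opts and lcmaps_db_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("lcmaps.db contains --password but is group/world accessible; make it root:root mode 0600")
    return findings
```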