|Site Access Control
lcmaps_jobrep.mod - jobrepository LCMAPS plug-in
lcmaps_jobrep.mod [--test] --dsn <Database Service Name> --username <database user> --password <database password>
The LCMAPS Jobrepository plug-in stores credentials and the resulting account mappings into a relational database. This plugin will link up all the known in-process information from LCMAPS core memory and stores it in a database. This plug-in uses ODBC (http://en.wikipedia.org/wiki/ODBC) to connect to the database.
The current state of the mappings between various credentials and Unix accounts is stored in an open database on disk, but this information can change over time through (regular) system administrative interventions. This state is now preserved in a relational database with the added benefit of being accessible by other systems, e.g. GridSAFE and build-up an easy to backup historic view on the mapping state.
Quite some systems seem to dig up data by trawling log files, e.g. to construct accounting data records. This method is subjected to the settings of the sub-systems which control the format of the log file output. Log trawling tools are interacting with the log files as a glorified API. This lowers the ability for tools, e.g. LCMAPS, to alter their log output. By offering the LCMAPS Jobrepository plug-in as an alternative with the added benefit of offering the data in a structured fine-grained database with the ability of an historic view the intend is to avoid the need and/or requirement for log file trawling.
DATABASE SCHEMA EXTENSIONS¶
The schema can be used to link up account mapping and/or credential mapping results originating from other credential types and link up more fine grained details from the specific work environment, i.e. a Gatekeeper and GridFTPd will be able to add service specific information together with the mapping results.
The LCMAPS Jobrepository plug-in is currently limited to MySQL and MariaDB despite its usage of the ODBC database interface. The intend is to remove this limitation and make the plug-in work with other database, e.g. PostgreSQL, Oracle and SQLite.
- When enabled the plug-in will only test if the connection to the database can be established through the ODBC coupling. The test will verify the correctness of the DSN, Username and Password combination. The plug-in will announce an LCMAPS SUCCESS when the connection was established, and a FAILURE when it was not able to establish the connection.
- --dsn <Database Service Name>
- This will select the Data Source Name (DSN) that has been set in a odbc.ini file. Use the odbc.ini file to configure the database driver, server/host, port number and database name. See below for an example odbc.ini file.
- --username <database username>
- Specifies the database username that the LCMAPS module must use to authorize itself with the database.
- --password <database password>
- Specifies the database password that the LCMAPS module must use to
authorize itself with. You can omit the setting if you set the password in
the odbc.ini file.
WARNING: Be careful to assess the read permissions on the lcmaps.db file to be exclusive to the service using this file, i.e. it's probably best to make the file exclusive to root:root.
Notice the --dsn <value> matches the DSN shown in the .ini section header. Also notice that the posix_enf plug-in is executed after the jobrep plug-in. The motivation is to be able to use privilege separation and with that protect the database password.
- Example lcmaps.db
jobrep = "lcmaps_jobrep.mod"
"--password worteltjes" example_plugin_policy: verifyproxy -> vomslocalgroup vomslocalgroup -> vomspoolaccount vomspoolaccount -> tracking_groupid tracking_groupid -> jobrep jobrep -> posix_enf
- Example /etc/odbc.ini file:
[MySQL-test] Description = MySQL test database Driver = MySQL SERVER = 127.0.0.1 PORT = 3306 DATABASE = jobrepository
The front-ends which do not use an LCMAPS interface that provides certificates can currently not be supported. It is a requirement for the 1.5 version to be able to work from a certificate chain.
Please report any errors to the Nikhef Grid Middleware Security Team <firstname.lastname@example.org>.
lcmaps(8), lcmaps_jobrep.mod(8), mysql(1).
More information can be found on-line at https://wiki.nikhef.nl/grid/Site_Access_Control the Nikhef Wiki on Site Access Control and https://wiki.nikhef.nl/grid/LCMAPS the Nikhef Wiki on LCMAPS and other plug-ins.
The Jobrepository and the LCMAPS plug-ins were written by the Nikhef Grid Middleware Security Team <email@example.com>.
|August 31, 2012