'\" t
.\" Title: globus-gatekeeper
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\" Date: 03/31/2018
.\" Manual: Grid Community Toolkit Manual
.\" Source: Grid Community Toolkit 6
.\" Language: English
.\"
.TH "GLOBUS\-GATEKEEPER" "8" "03/31/2018" "Grid Community Toolkit 6" "Grid Community Toolkit Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
globus-gatekeeper \- Authorize and execute a grid service on behalf of a user
.SH "SYNOPSIS"
.sp
\fBglobus\-gatekeeper\fR [\-help]
.sp
\fBglobus\-gatekeeper\fR \-conf \fIPARAMETER_FILE\fR [\-test] [\-d | \-debug] [\-inetd | \-f] [\-p \fIPORT\fR | \-port \fIPORT\fR]
[\-l \fILOGFILE\fR | \-logfile \fILOGFILE\fR] [\-lf \fILOG_FACILITY\fR] [\-acctfile \fIACCTFILE\fR] [\-e \fILIBEXECDIR\fR]
[\-launch_method { \fIfork_and_exit\fR | \fIfork_and_wait\fR | \fIdont_fork\fR }] [\-grid_services \fISERVICEDIR\fR] [\-globusid \fIGLOBUSID\fR] [\-gridmap \fIGRIDMAP\fR]
[\-x509_cert_dir \fITRUSTED_CERT_DIR\fR] [\-x509_cert_file \fITRUSTED_CERT_FILE\fR] [\-x509_user_cert \fICERT_PATH\fR] [\-x509_user_key \fIKEY_PATH\fR] [\-x509_user_proxy \fIPROXY_PATH\fR]
[\-k] [\-globuskmap \fIKMAP\fR] [\-pidfile \fIPIDFILE\fR]
.SH "DESCRIPTION"
.sp
The \fBglobus\-gatekeeper\fR program is a meta\-server similar to \fBinetd\fR or \fBxinetd\fR that starts other services after authenticating a TCP connection using GSSAPI and mapping the client\(cqs credential to a local account\&.
.sp
The most common use for the \fBglobus\-gatekeeper\fR program is to start instances of the \fBglobus\-job\-manager\fR(8) service\&. A single \fBglobus\-gatekeeper\fR deployment can handle multiple different service configurations by having entries in the /etc/grid\-services/ directory\&.
.sp
Typically, users interact with the \fBglobus\-gatekeeper\fR program via client applications such as \fBglobusrun\fR(1), \fBglobus\-job\-submit\fR(1), or tools such as CoG jglobus or Condor\-G\&.
.sp
The full set of command\-line options to \fBglobus\-gatekeeper\fR consists of:
.PP
\fB\-help\fR
.RS 4
Display a help message to standard error and exit\&.
.RE
.PP
\fB\-conf \fR\fB\fIPARAMETER_FILE\fR\fR
.RS 4
Load configuration parameters from \fIPARAMETER_FILE\fR\&. The parameters in that file are treated as additional command\-line options\&.
.RE
.PP
\fB\-test\fR
.RS 4
Parse the configuration file, print out the POSIX user id of the \fBglobus\-gatekeeper\fR process, service home directory, service execution directory, and X\&.509 subject name, and then exit\&.
.RE
.PP
\fB\-d, \-debug\fR
.RS 4
Run the \fBglobus\-gatekeeper\fR process in the foreground\&.
.RE
.PP
\fB\-inetd\fR
.RS 4
Flag to indicate that the \fBglobus\-gatekeeper\fR process was started via \fBinetd\fR or a similar super\-server\&. If this flag is set and the \fBglobus\-gatekeeper\fR was not started via inetd, a warning will be printed in the gatekeeper log\&.
.RE
.PP
\fB\-f\fR
.RS 4
Flag to indicate that the \fBglobus\-gatekeeper\fR process should run in the foreground\&. This flag has no effect when the \fBglobus\-gatekeeper\fR is started via inetd\&.
.RE
.PP
\fB\-p \fR\fB\fIPORT\fR\fR\fB, \-port \fR\fB\fIPORT\fR\fR
.RS 4
Listen for connections on the TCP/IP port \fIPORT\fR\&. This option has no effect if the \fBglobus\-gatekeeper\fR is started via inetd or a similar service\&. If not specified and the gatekeeper is running as root, the default of 2119 is used\&. Otherwise, the gatekeeper defaults to an ephemeral port\&.
.RE
.PP
\fB\-home \fR\fB\fIPATH\fR\fR
.RS 4
Set the gatekeeper deployment directory to \fIPATH\fR\&. This is used to interpret relative paths for accounting files, libexecdir, certificate paths, and also to set the GLOBUS_LOCATION environment variable in the service environment\&. If not specified, the gatekeeper looks for service executables in /usr/sbin, configuration in /etc, and writes logs and accounting files to /var/log\&.
.RE
.PP
\fB\-l \fR\fB\fILOGFILE\fR\fR\fB, \-logfile \fR\fB\fILOGFILE\fR\fR
.RS 4
Write log entries to \fILOGFILE\fR\&. If \fILOGFILE\fR is equal to logoff or LOGOFF, then logging will be disabled, both to file and to syslog\&.
.RE
.PP
\fB\-lf \fR\fB\fILOG_FACILITY\fR\fR
.RS 4
Open syslog using the \fILOG_FACILITY\fR\&. If not specified, LOG_DAEMON will be used as the default when using syslog\&.
.RE
.PP
\fB\-acctfile \fR\fB\fIACCTFILE\fR\fR
.RS 4
Set the path to write accounting records to \fIACCTFILE\fR\&. If not set, records will be written to the log file\&.
.RE
.PP
\fB\-e \fR\fB\fILIBEXECDIR\fR\fR
.RS 4
Look for service executables in \fILIBEXECDIR\fR\&. If not specified, the sbin subdirectory of the parameter to \fI\-home\fR is used, or /usr/sbin if that is not set\&.
.RE
.PP
\fB\-launch_method \fR\fBfork_and_exit\fR\fB | \fR\fBfork_and_wait\fR\fB | \fR\fBdont_fork\fR
.RS 4
Determine how to launch services\&.
The method may be either fork_and_exit (the service runs completely independently of the gatekeeper, which exits after creating the new service process), fork_and_wait (the service is run in a separate process from the gatekeeper but the gatekeeper does not exit until the service terminates), or dont_fork (the gatekeeper process becomes the service process via the \fBexec\fR() system call)\&.
.RE
.PP
\fB\-grid_services \fR\fB\fISERVICEDIR\fR\fR
.RS 4
Look for service descriptions in \fISERVICEDIR\fR\&.
.RE
.PP
\fB\-globusid \fR\fB\fIGLOBUSID\fR\fR
.RS 4
Set the GLOBUSID environment variable to \fIGLOBUSID\fR\&. This variable is used to construct the gatekeeper contact string if it cannot be parsed from the service credential\&.
.RE
.PP
\fB\-gridmap \fR\fB\fIGRIDMAP\fR\fR
.RS 4
Use the file at \fIGRIDMAP\fR to map GSSAPI names to POSIX user names\&.
.RE
.PP
\fB\-x509_cert_dir \fR\fB\fITRUSTED_CERT_DIR\fR\fR
.RS 4
Use the directory \fITRUSTED_CERT_DIR\fR to locate trusted CA X\&.509 certificates\&. The gatekeeper sets the environment variable X509_CERT_DIR to this value\&.
.RE
.PP
\fB\-x509_user_cert \fR\fB\fICERT_PATH\fR\fR
.RS 4
Read the service X\&.509 certificate from \fICERT_PATH\fR\&. The gatekeeper sets the X509_USER_CERT environment variable to this value\&.
.RE
.PP
\fB\-x509_user_key \fR\fB\fIKEY_PATH\fR\fR
.RS 4
Read the private key for the service from \fIKEY_PATH\fR\&. The gatekeeper sets the X509_USER_KEY environment variable to this value\&.
.RE
.PP
\fB\-x509_user_proxy \fR\fB\fIPROXY_PATH\fR\fR
.RS 4
Read the X\&.509 proxy certificate from \fIPROXY_PATH\fR\&. The gatekeeper sets the X509_USER_PROXY environment variable to this value\&.
.RE
.PP
\fB\-k\fR
.RS 4
Use the globus\-k5 command to acquire Kerberos 5 credentials before starting the service\&.
.RE
.PP
\fB\-globuskmap \fR\fB\fIKMAP\fR\fR
.RS 4
Use \fIKMAP\fR as the path to the Grid credential to Kerberos initialization mapping file\&.
.RE
.PP
\fB\-pidfile \fR\fB\fIPIDFILE\fR\fR
.RS 4
Write the process id of the \fBglobus\-gatekeeper\fR to the file named by \fIPIDFILE\fR\&.
.RE
.SH "ENVIRONMENT"
.sp
The following environment variables affect the execution of \fBglobus\-gatekeeper\fR:
.PP
\fBX509_CERT_DIR\fR
.RS 4
Directory containing X\&.509 trust anchors and signing policy files\&.
.RE
.PP
\fBX509_USER_PROXY\fR
.RS 4
Path to file containing an X\&.509 proxy\&.
.RE
.PP
\fBX509_USER_CERT\fR
.RS 4
Path to file containing an X\&.509 user certificate\&.
.RE
.PP
\fBX509_USER_KEY\fR
.RS 4
Path to file containing an X\&.509 user key\&.
.RE
.PP
\fBGLOBUS_LOCATION\fR
.RS 4
Default path to gatekeeper service files\&.
.RE
.SH "FILES"
.sp
The following files affect the execution of \fBglobus\-gatekeeper\fR:
.PP
\fB/etc/grid\-services/\fR\fB\fISERVICENAME\fR\fR
.RS 4
Service configuration for \fISERVICENAME\fR\&.
.RE
.PP
\fB/etc/grid\-security/grid\-mapfile\fR
.RS 4
Default file mapping Grid identities to POSIX identities\&.
.RE
.PP
\fB/etc/globuskmap\fR
.RS 4
Default file mapping Grid identities to Kerberos 5 principals\&.
.RE
.PP
\fB/etc/globus\-nologin\fR
.RS 4
File to disable the \fBglobus\-gatekeeper\fR program\&.
.RE
.PP
\fB/var/log/globus\-gatekeeper\&.log\fR
.RS 4
Default gatekeeper log\&.
.RE
.SH "SEE ALSO"
.sp
\fBglobus\-k5\fR(8), \fBglobusrun\fR(1), \fBglobus\-job\-manager\fR(8)
.SH "AUTHOR"
.sp
Copyright \(co 1999\-2016 University of Chicago
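.SH "EXAMPLES"
.sp
The following Python code is an added example, not part of the Grid Community Toolkit. It reads a \fB\-conf\fR parameter file using the option names documented above and reports settings that disable logging, give an unsupported \fB\-launch_method\fR value, or leave the \fB\-x509_user_key\fR file accessible to group or other. The names parse_parameters, audit and SAMPLE, the whitespace\-separated token format, and the key permission check are assumptions of this example\&.

```python
import os
import stat

# Option names come from the man page; FLAGS take no argument, VALUED take one.
FLAGS = {"-help", "-test", "-d", "-debug", "-inetd", "-f", "-k"}
VALUED = {"-conf", "-p", "-port", "-l", "-logfile", "-lf", "-acctfile", "-e",
          "-home", "-launch_method", "-grid_services", "-globusid", "-gridmap",
          "-x509_cert_dir", "-x509_cert_file", "-x509_user_cert",
          "-x509_user_key", "-x509_user_proxy", "-globuskmap", "-pidfile"}
ALIASES = {"-l": "-logfile", "-p": "-port", "-d": "-debug"}
LAUNCH_METHODS = {"fork_and_exit", "fork_and_wait", "dont_fork"}

def parse_parameters(text):
    """Split parameter-file text into (options, unknown).
    Assumption: tokens are whitespace-separated, as on a command line."""
    tokens, options, unknown, i = text.split(), {}, [], 0
    while i < len(tokens):
        name = ALIASES.get(tokens[i], tokens[i])
        if name in FLAGS:
            options[name] = True
        elif name in VALUED and i + 1 < len(tokens):
            i += 1
            options[name] = tokens[i]
        else:
            unknown.append(tokens[i])  # unknown name, or a value is missing
        i += 1
    return options, unknown

def audit(options, unknown=()):
    """Return findings for settings that weaken logging or key protection."""
    findings = [f"unrecognised or incomplete option: {u}" for u in unknown]
    if options.get("-logfile") in ("logoff", "LOGOFF"):
        findings.append("logging disabled for file and syslog (-logfile logoff)")
    method = options.get("-launch_method")
    if method is not None and method not in LAUNCH_METHODS:
        findings.append(f"invalid -launch_method value: {method}")
    key = options.get("-x509_user_key")
    # Relative key paths depend on -home, so only absolute paths are checked.
    if key and os.path.isabs(key) and os.path.exists(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & 0o077:
            findings.append(f"service key {key} is accessible to group/other (mode {mode:o})")
    return findings

# Constructed sample parameter file, not taken from a real deployment.
SAMPLE = "-gridmap /etc/grid-security/grid-mapfile\n-launch_method fork_and_run\n-l LOGOFF\n-inetd\n"

if __name__ == "__main__":
    for finding in audit(*parse_parameters(SAMPLE)):
        print(finding)
```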