| LCMAPS_JOBREP.MOD(8) | Site Access Control | LCMAPS_JOBREP.MOD(8) |
lcmaps_jobrep.mod - jobrepository LCMAPS plug-in
lcmaps_jobrep.mod [--test] --dsn <Database Service Name> --username <database user> --password <database password>
The LCMAPS Jobrepository plug-in stores credentials and the resulting account mappings into a relational database. This plugin will link up all the known in-process information from LCMAPS core memory and stores it in a database. This plug-in uses ODBC (http://en.wikipedia.org/wiki/ODBC) to connect to the database.
The current state of the mappings between various credentials and Unix accounts is stored in an open database on disk, but this information can change over time through (regular) system administrative interventions. This state is now preserved in a relational database with the added benefit of being accessible by other systems, e.g. GridSAFE and build-up an easy to backup historic view on the mapping state.
Quite some systems seem to dig up data by trawling log files, e.g. to construct accounting data records. This method is subjected to the settings of the sub-systems which control the format of the log file output. Log trawling tools are interacting with the log files as a glorified API. This lowers the ability for tools, e.g. LCMAPS, to alter their log output. By offering the LCMAPS Jobrepository plug-in as an alternative with the added benefit of offering the data in a structured fine-grained database with the ability of an historic view the intend is to avoid the need and/or requirement for log file trawling.
The schema can be used to link up account mapping and/or credential mapping results originating from other credential types and link up more fine grained details from the specific work environment, i.e. a Gatekeeper and GridFTPd will be able to add service specific information together with the mapping results.
The LCMAPS Jobrepository plug-in is currently limited to MySQL and MariaDB despite its usage of the ODBC database interface. The intend is to remove this limitation and make the plug-in work with other database, e.g. PostgreSQL, Oracle and SQLite.
WARNING: Be careful to assess the read permissions on the lcmaps.db file to be exclusive to the service using this file, i.e. it's probably best to make the file exclusive to root:root.
Notice the --dsn <value> matches the DSN shown in the .ini section header. Also notice that the posix_enf plug-in is executed after the jobrep plug-in. The motivation is to be able to use privilege separation and with that protect the database password.
jobrep = "lcmaps_jobrep.mod"
"--dsn MySQL-test"
"--username root"
"--password worteltjes" example_plugin_policy: verifyproxy -> vomslocalgroup vomslocalgroup -> vomspoolaccount vomspoolaccount -> tracking_groupid tracking_groupid -> jobrep jobrep -> posix_enf
[MySQL-test] Description = MySQL test database Driver = MySQL SERVER = 127.0.0.1 PORT = 3306 DATABASE = jobrepository
The front-ends which do not use an LCMAPS interface that provides certificates can currently not be supported. It is a requirement for the 1.5 version to be able to work from a certificate chain.
Please report any errors to the Nikhef Grid Middleware Security Team <grid-mw-security-support@nikhef.nl>.
lcmaps(8), lcmaps_jobrep.mod(8), mysql(1).
More information can be found on-line at
https://wiki.nikhef.nl/grid/Site_Access_Control the Nikhef Wiki on
Site Access Control and https://wiki.nikhef.nl/grid/LCMAPS the Nikhef
Wiki on LCMAPS and other plug-ins.
The Jobrepository and the LCMAPS plug-ins were written by the Nikhef Grid Middleware Security Team <grid-mw-security@nikhef.nl>.
| August 31, 2012 | Nikhef |