glideinWMS Installation

Overview

Security and authentication

Since Condor is the underlying system for communication between glideinWMS services, the following sections of the Condor manual may prove useful to review when making decisions on the establishment of user accounts and the use of certificates versus proxies in your glideinWMS configuration:

The above section on security is important but rather lengthy. The key parts of that document germane to this section of glideinWMS are:

  • 3.6.3.1 GSI Authentication
  • 3.6.11 User Accounts in Condor
  • 3.6.12 Privilege Separation
The sections that follow will show the recommended settings and user accounts.

User Accounts

The table below shows the UNIX user accounts that will be required for each service. The '/sbin/nologin' column marks accounts that should not permit interactive login. With the exception of the individual user accounts on the Submit node, all of these accounts must be established prior to installation.

Service         | User account            | /sbin/nologin | Comments
WMS collector   | condor                  | y             | This is a condor installation only and should be installed as the root user.
Factory         | gfactory                | n             | This is the account the factory processes will run as. The factory should be installed as this user.
                | e.g., vo_cms, vo_dzero  | y             | A user account is required for each VO Frontend that the Factory is servicing.
User collector  | condor                  | n             | This is a condor installation only and should be installed as the root user.
Submit          | condor                  | n             | This is a condor installation only and should be installed as the root user.
                | individual accounts     | y             | These will be your end user accounts used for submitting jobs to the grid via glideinWMS.
VO Frontend     | e.g., vo_cms, vo_dzero  | y             | This is the account the VO Frontend processes will run as. The VO Frontend should be installed as this user.

Certificate/Proxies

The table below identifies the certificates/proxies needed for each service.

Service         | Certificate   | Proxy          | Comments
WMS collector   | host/service  |                | Used by condor to identify itself.
Factory         | host/service  |                | Although normally co-located with the WMS collector, the factory owns the Condor schedds.
User collector  | host/service  |                | Used by condor to identify itself.
Submit          | host/service  |                | The submit node owns the Condor schedds.
                |               | user proxies   | All users submitting jobs on the submit node naturally require a proxy for authorization on the CE clusters the pilots will be running on.
VO Frontend     |               | service/user   | This is the only glideinWMS service that has to use a proxy to identify itself to the other services. In many instances the WMS Collector/Factory will NOT be resident on the same site as the other services and OSG security policy prohibits sending the identity of a certificate off-site.
                |               | pilot proxies  | These are the proxies that will be used by the glidein pilot jobs.

For those services requiring proxies, you will likely need to install the OSG client software if the proxy generation is to be performed on that platform. As an alternative, depending on how you set up access to the various service nodes, you can install the OSG client on the submit node only and distribute the proxy via, for example, an 'scp' to the other nodes.

Condor Authentication

In order for the various Condor daemons to communicate with one another securely, each trusted user must be identified by its GSI identity (the DN of the issuer/subject of its certificate or proxy) in two Condor files. The installer populates these files, and the necessary attributes where applicable, based on whether you use a proxy or a certificate.

condor_mapfile

Service         | WMS collector | Factory | User collector | Submit | VO Frontend                         | Comments
WMS Collector   | cert          | proxy   |                |        | Each frontend user (not the pilots) |
User Collector  |               |         | cert           | cert   | Each pilot proxy                    |
Submit          |               |         | cert           | cert   |                                     |
VO Frontend     |               |         |                |        |                                     |

The format of the condor_mapfile will look like this for a WMS collector:

  1. GSI "^\/DC\=org\/DC\=doegrids\/OU\=Services\/CN\=cms\-xen21\.fnal\.gov$" condor
  2. GSI "^\/DC\=org\/DC\=doegrids\/OU\=Services\/CN\=cms\-xen22\.fnal\.gov$" vo_dzero
  3. GSI "^\/DC\=org\/DC\=doegrids\/OU\=Services\/CN\=glidein\/cms\-xen22\.fnal\.gov$" vo_cms
  4. GSI (.*) anonymous
  5. FS (.*) \1
  • 1st line: WMS collector proxy
  • 2nd line: VO Frontend CMS VO user
  • 3rd line: VO Frontend dzero VO user
  • The DN (3rd token) must be represented in a regex format, hence the backslashes.
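As an added example (not part of the original page or of glideinWMS itself), the following Python checker parses a condor_mapfile in the format shown above and reports which local account a given GSI DN or FS name would be mapped to, so an administrator can confirm that each trusted DN lands on the intended account and that anything else falls through to anonymous. First-match, search-style regex semantics and the (.*) catch-all convention are assumptions made here, and the sample mapfile is the page's WMS collector example.

```python
import re
from typing import List, NamedTuple, Optional
# Sample condor_mapfile: the page's WMS collector example, embedded verbatim
SAMPLE_MAPFILE = r'''
GSI "^\/DC\=org\/DC\=doegrids\/OU\=Services\/CN\=cms\-xen21\.fnal\.gov$" condor
GSI "^\/DC\=org\/DC\=doegrids\/OU\=Services\/CN\=cms\-xen22\.fnal\.gov$" vo_dzero
GSI "^\/DC\=org\/DC\=doegrids\/OU\=Services\/CN\=glidein\/cms\-xen22\.fnal\.gov$" vo_cms
GSI (.*) anonymous
FS (.*) \1
'''

class Rule(NamedTuple):
    method: str   # authentication method, e.g. GSI or FS
    pattern: str  # regex matched against the authenticated name (the DN for GSI)
    target: str   # local account; may use \1-style back-references

# One entry per line:  METHOD  "regex" (quotes optional)  target
_LINE_RE = re.compile(r'^(\S+)\s+("(?:[^"\\]|\\.)*"|\S+)\s+(\S+)$')

def parse_mapfile(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable condor_mapfile line: {raw!r}")
        method, pattern, target = m.groups()
        if pattern.startswith('"'):
            pattern = pattern[1:-1]
        rules.append(Rule(method, pattern, target))
    return rules

def map_identity(rules: List[Rule], method: str, name: str) -> Optional[str]:
    # First rule with a matching method and regex wins (assumed first-match,
    # search-style semantics, which is why the page's DN patterns carry ^ and $).
    for rule in rules:
        if rule.method == method:
            m = re.search(rule.pattern, name)
            if m:
                return m.expand(rule.target)  # expands \1 in the FS rule
    return None  # no rule matched: the identity stays unmapped

def unanchored_gsi_rules(rules: List[Rule]) -> List[Rule]:
    # DN patterns without ^...$ anchors also match longer DNs than intended;
    # the deliberate (.*) catch-all is excluded from the report.
    return [r for r in rules if r.method == "GSI" and r.pattern != "(.*)"
            and not (r.pattern.startswith("^") and r.pattern.endswith("$"))]
```

Running unanchored_gsi_rules over a real mapfile is a quick way to catch a DN rule that was written without the anchors the page's example uses.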
Topic revision: r1 - 2011/01/04 - 20:26:58 - JohnWeigand