lcas_lcmaps_gt_interface

lcas_lcmaps_gt_interface(8)   Site Access Control  lcas_lcmaps_gt_interface(8)



NAME
       lcas_lcmaps_gt_interface - A Globus GSI-AuthZ plug-in to run LCAS and
       LCMAPS

SYNOPSIS
       lcas_lcmaps_gt_interface.so

       lcas_lcmaps_gt4_interface.so


DESCRIPTION
       This is a plug-in to be loaded from a GSI-AuthZ capable Globus service.
       The feature was introduced in Globus GT4 and is available for GT5 and
       GT6. The purpose of this call-out is to authorize a user by optionally
       running the LCAS framework and subsequently running the LCMAPS
       framework to map the user credentials to a Unix account. Both LCAS and
       LCMAPS are plug-in frameworks, where the plug-ins do the real work.

       Some of these plug-ins are capable of imposing a certain policy on the
       user credentials; others are capable of off-loading the decision to a
       centralized service, which makes the decision or even provides an
       account mapping in the process.

       This plug-in is dynamically loaded during each interaction that
       requires an account mapping in the GSI-AuthZ interface of a Globus
       service. It has no configuration file for itself, it is configured via
       environment variables and the LCAS and LCMAPS configuration files. It
       can be enabled for use in the GSI-AuthZ interface using the gsi-
       authz.conf file, by configuring it to call the function
       lcmaps_callout(), which can be done using gt4-interface-install(8).


ENVIRONMENT VARIABLES
       LLGT_LOG_FILE
              When this variable is set and it can be opened as a file, log
              output will go to the given file instead of to syslog. When
              either $LCAS_LOG_FILE or $LCMAPS_LOG_FILE is unset, it will also
              be set to this same file.

       LLGT_LOG_FACILITY
              Change the default logging facility with the $LLGT_LOG_FACILITY
              environment variable. Use a standard syslog facility name, for
              example LOG_DAEMON or LOG_LOCAL1.

       LLGT_LOG_IDENT
              The $LLGT_LOG_IDENT can (optionally) be set as the syslog ident
              value. This will be the identifying string in syslog for the
              current process. Not using this option lets syslog (or one of
              the GT services) set this value.  By default the syslog ident
              will be set to the executable name.

       LLGT_RUN_LCAS
              Set the environment variable $LLGT_RUN_LCAS to "no", "disabled"
              or "disable" to prevent LCAS from running prior to LCMAPS.

              There is a matching ./configure option "--enable-lcas" which can
              be used to change the default behaviour to run LCAS or not. The
              $LLGT_RUN_LCAS environment variable can still influence the LCAS
              run.

       LLGT_LIFT_PRIVILEGED_PROTECTION
              Normally the callout, after LCMAPS has finished, checks whether
              it is (still) running with root privileges (uid, euid, gid or
              egid) and fails if that is the case. This is to prevent
              erroneous configurations from silently resulting in a
              root-account mapping in services that do not have their own
              checks for this.

              When the environment variable $LLGT_LIFT_PRIVILEGED_PROTECTION
              is set, this check is disabled. This is NEEDED for services
              that:

              1.) do not switch user, and run as root.

              2.) expect only a username to be returned and perform the user
              switch themselves, e.g. the Globus GSI-OpenSSHd.

       LLGT_CACHE_CALLOUT
              Set the environment variable $LLGT_CACHE_CALLOUT to "no",
              "disabled" or "disable" to disable reusing the result of the
              `localname' callout for the `userok' callout. This results in
              calling the LCAS/LCMAPS authorization twice for e.g. gsisshd.

       LLGT_DLCLOSE_LCMAPS
              Set the environment variable $LLGT_DLCLOSE_LCMAPS to "no",
              "disabled" or "disable" to prevent calling dlclose() on the
              LCMAPS library. This might be needed as a workaround on
              RH5-based systems in an installation for gsisshd, when the use
              of PAM is enabled ("UsePAM Yes" in the /etc/gsissh/sshd_config).
              The underlying bug is a combination between the OpenSSL, VOMS
              and PAM libraries, which can trigger a segfault when VOMS is
              initialized twice.

       LLGT_DLCLOSE_LCAS
              Set the environment variable $LLGT_DLCLOSE_LCAS to "no",
              "disabled" or "disable" to prevent calling dlclose() on the LCAS
              library. This might be needed as a workaround on RH5-based
              systems. The underlying bug is a combination between the
              OpenSSL, VOMS and Globus libraries, which can trigger a segfault
              when VOMS is initialized twice, which can happen when LCAS is
              using a VOMS based plugin.  Normally should not be needed as
              LCAS is now dlclosed and terminated after LCMAPS.

       LLGT_NO_CHANGE_USER (deprecated)
              $LLGT_NO_CHANGE_USER is deprecated in favour of
              $LLGT_LIFT_PRIVILEGED_PROTECTION.  (Deprecated does not mean
              non-functional.)

       LLGT4_NO_CHANGE_USER (deprecated)
              $LLGT4_NO_CHANGE_USER is deprecated in favour of
              $LLGT_LIFT_PRIVILEGED_PROTECTION.  (Deprecated does not mean
              non-functional.)

       LLGT_VOMS_DISABLE_CREDENTIAL_CHECK
              The VOMS credentials are verified by the LCMAPS framework before
              further processing is done in the plug-ins. The LCMAPS framework
              has an API to enable or disable the verification of the VOMS
              credentials and this option will disable the verification of the
              VOMS credentials. A vanilla LCMAPS build will verify the VOMS
              credentials by default.

       LLGT_VOMS_ENABLE_CREDENTIAL_CHECK
              Similar to the $LLGT_VOMS_DISABLE_CREDENTIAL_CHECK environment
              variable, this setting will enable the verification of the VOMS
              credentials, overriding an LCMAPS default setting that has the
              verification of VOMS credentials disabled. A vanilla LCMAPS
              build will verify the VOMS credentials by default; the OSG build
              has it disabled by default.

       LLGT_LCAS_LIBDIR
              Supports an alternative LCAS_LIBDIR as a run-time setting, by
              exporting for example $LLGT_LCAS_LIBDIR="/usr/lib/x86_64-linux-
              gnu/liblcas.so"

       LLGT_LCAS_MODULEDIR_SFX
              When set, used as the suffix instead of the default /lcas when
              setting the $LCAS_MODULES_DIR variable based on the
              $LLGT_LCAS_LIBDIR variable. Default: /lcas. NOTE: current
              versions of LCAS do not yet use the $LCAS_MODULES_DIR variable.

       LLGT_LCMAPS_LIBDIR
              Supports an alternative LCMAPS_LIBDIR as a run-time setting, by
              exporting for example $LLGT_LCMAPS_LIBDIR="/usr/lib/x86_64-linux-
              gnu/liblcmaps.so". Must be an absolute path.  Setting this
              variable will also set the LCMAPS variable $LCMAPS_MODULES_DIR
              to the given libdir followed by either the default /lcmaps or
              the value of $LLGT_LCMAPS_MODULEDIR_SFX.

       LLGT_LCMAPS_MODULEDIR_SFX
              When set, used as the suffix instead of the default /lcmaps
              when setting the $LCMAPS_MODULES_DIR variable based on the
              $LLGT_LCMAPS_LIBDIR variable. Default: /lcmaps.

       LLGT_ENABLE_DEBUG
              If the $LLGT_ENABLE_DEBUG environment variable is set, then the
              debugging messages logged at level LOG_DEBUG are passed to the
              log. The scope of this setting is only within the LCAS-LCMAPS-
              GT-interface.


INTERNAL ENVIRONMENT VARIABLES
       GATEKEEPER_JM_ID
              An environment variable that is internally set to uniquely
              identify this gatekeeper and the job manager.

       JOB_REPOSITORY_ID
              Similar to the $GATEKEEPER_JM_ID value, but its purpose is for
              the LCMAPS job repository plug-in.


LCAS ENVIRONMENT VARIABLES
       The following list of LCAS environment variables are handled specially
       by the interface.

       LCAS_MODULES_DIR
              Default directory in which LCAS looks for plug-ins (not yet
              supported by LCAS).  Will be set based on the values of
              $LLGT_LCAS_LIBDIR and $LLGT_LCAS_MODULEDIR_SFX or their
              defaults.

       LCAS_LOG_FILE
              When set, LCAS will log there instead of syslog. When unset, it
              will get the value of $LLGT_LOG_FILE when that one is set. When
              compiled with LCAS_LCMAPS_FORCE_LOG_TO_FILE defined, it will get
              set to /var/log/gt_lcas_lcmaps.log.

       LCAS_DEBUG_LEVEL
              LCAS log level. Default: 3.

       LCAS_DB_FILE
              Location of the LCAS configuration file. Default for the
              interface: /etc/lcas/lcas.db


LCMAPS ENVIRONMENT VARIABLES
       The following list of LCMAPS environment variables are handled
       specially by the interface.

       LCMAPS_MODULES_DIR
              Default directory in which LCMAPS looks for plug-ins. Will be
              set based on the values of $LLGT_LCMAPS_LIBDIR and
              $LLGT_LCMAPS_MODULEDIR_SFX or their defaults.

       LCMAPS_LOG_FILE
              When set, LCMAPS will log there instead of syslog. When unset,
              it will get the value of $LLGT_LOG_FILE when that one is set.
              When compiled with LCAS_LCMAPS_FORCE_LOG_TO_FILE defined, it
              will get set to /var/log/gt_lcas_lcmaps.log.

       LCMAPS_DEBUG_LEVEL
              For LCMAPS 1.5.0 (and newer) the value "5" corresponds to syslog
              LOG_DEBUG, "4" corresponds to LOG_INFO, "3" to LOG_NOTICE and so
              on. The LCMAPS default is to log up to LOG_INFO.

       LCMAPS_DB_FILE
              Location of the LCMAPS configuration file. Default for the
              interface: /etc/lcmaps/lcmaps.db
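       The way the LLGT_* variables above are turned into the LCAS and LCMAPS
       settings, and the post-mapping privilege check, as an added shell
       example (not the interface's own code): llgt_resolve_env prints the
       effective values the frameworks would see, following the rules in this
       page literally (libdir + suffix, log file filled in only when unset,
       "no"/"disabled"/"disable" as the off-switch words); the function and
       variable names other than the LLGT_*/LCAS_*/LCMAPS_* ones are assumed.

```shell
#!/bin/sh
# Added example, not part of the lcas_lcmaps_gt_interface code.
# Models the environment handling documented in the man page.

# "no", "disabled" and "disable" switch a feature off; anything else,
# including unset, leaves it on. Prints "on" or "off".
llgt_switch() {
    case "$1" in
        no|disabled|disable) echo off ;;
        *)                   echo on ;;
    esac
}

# Print the effective LCAS/LCMAPS settings as KEY=VALUE lines, derived
# from the exported LLGT_* variables (hypothetical helper name).
llgt_resolve_env() {
    # LLGT_LOG_FILE only fills in the framework log files when they are unset.
    if [ -n "$LLGT_LOG_FILE" ]; then
        echo "LCAS_LOG_FILE=${LCAS_LOG_FILE:-$LLGT_LOG_FILE}"
        echo "LCMAPS_LOG_FILE=${LCMAPS_LOG_FILE:-$LLGT_LOG_FILE}"
    fi
    # Module directories: the given libdir followed by the suffix
    # (default /lcas and /lcmaps).
    [ -n "$LLGT_LCAS_LIBDIR" ] &&
        echo "LCAS_MODULES_DIR=${LLGT_LCAS_LIBDIR}${LLGT_LCAS_MODULEDIR_SFX:-/lcas}"
    [ -n "$LLGT_LCMAPS_LIBDIR" ] &&
        echo "LCMAPS_MODULES_DIR=${LLGT_LCMAPS_LIBDIR}${LLGT_LCMAPS_MODULEDIR_SFX:-/lcmaps}"
    # Configuration files, with the interface defaults.
    echo "LCAS_DB_FILE=${LCAS_DB_FILE:-/etc/lcas/lcas.db}"
    echo "LCMAPS_DB_FILE=${LCMAPS_DB_FILE:-/etc/lcmaps/lcmaps.db}"
    echo "RUN_LCAS=$(llgt_switch "$LLGT_RUN_LCAS")"
    echo "CACHE_CALLOUT=$(llgt_switch "$LLGT_CACHE_CALLOUT")"
}

# Post-mapping privilege check. Arguments: uid euid gid egid, e.g.
#   llgt_privilege_check "$(id -ru)" "$(id -u)" "$(id -rg)" "$(id -g)"
# Returns 0 when the mapped identity is unprivileged, or when the check
# was lifted via LLGT_LIFT_PRIVILEGED_PROTECTION; returns 1 when any of
# the four ids is 0, i.e. when the callout would refuse a root mapping.
llgt_privilege_check() {
    [ -n "$LLGT_LIFT_PRIVILEGED_PROTECTION" ] && return 0
    for id in "$@"; do
        [ "$id" -eq 0 ] && return 1
    done
    return 0
}
```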



RETURN VALUES
       True   The user is authorized and a local Unix account was procured.

       False  No mapping was possible.

NOTES
       From version 0.3.1 onwards, the interface supports the 'sharing'
       service: it then expects an additional argument (a PEM string)
       containing the credential on which the mapping should be based.

       From version 0.3.0 onwards, the interface tries to forward the
       requested username to LCMAPS (for version 1.6.0 and up). The mapping
       plugins can use this to support multiple username entries in the grid-
       mapfile, or to enforce pool account mappings to a specific pool
       account.

BUGS
       Please report any errors to the Nikhef Grid Middleware Security Team
       <grid-mw-security-support@nikhef.nl>.

SEE ALSO
       gt4-interface-install(8), lcas.db(5), lcas(3), lcmaps.db(5), lcmaps(3).

AUTHORS
       LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware
       Security Team <grid-mw-security@nikhef.nl>.



lcas-lcmaps-gt4-interface 0.3.1   February 11, 2015   lcas_lcmaps_gt_interface(8)