The combined installation of (glite-)gatekeeper+LCAS+LCMAPS and the workspace service
_____________________________________________________________________________________

These instructions are due to change.

The end result of this installation on the CE will be:
1.  The workspace management system, which provides a management interface to the local
    user accounts on the CE
2.  The (gsi-free) LCMAPS flavour that will be used as the backend to the workspace
    service.
3.  The (glite-)gatekeeper. This is essentially the gt2.4 gatekeeper, modified to call
    out to LCAS and LCMAPS.
4.  LCAS and gsi-flavour of LCMAPS that are used by the gatekeeper.



Prerequisites:
    0) Start from a clean RHEL3 (or binary compatible, e.g. SL3, SLC3, CentOS) machine.
    1) Install the host certificate and key in /etc/grid-security
    2) Install the CA certificates in /etc/grid-security/certificates
       The CA rpms can be found in
       http://www.eugridpma.org/distribution/current/accredited/RPMS/
       (wget --no-directories -r -l1 --no-parent -A "noarch.rpm" http://www.eugridpma.org/distribution/current/accredited/RPMS/
        wget --no-directories -r -l1 --no-parent -A "noarch.rpm" http://www.eugridpma.org/distribution/current/)
    3) Update the CRLs using, e.g. the edg-fetch-crl script
    Look in http://glite.web.cern.ch/glite/packages/externals/bin/rhel30/RPMS/ for the
    relevant rpms.


I.  Installation and configuration of LCMAPS (both flavours)
____________________________________________________________

    1)  Install globus 2.4.3 from vdt, available from:
    http://egee-jra1-integration.web.cern.ch/egee-jra1-integration/repository/globus/2.4.3-VDT-1.2.0/rhel30_gcc32/RPMS/
    Needed package for LCMAPS:
        vdt_globus_essentials-VDT1.2.0rh9-1.i386.rpm

    2) Set up the gridmapdir in /etc/grid-security.
    You can use this script (on RedHat), but please have a look at it and edit it first!:
    http://www-unix.mcs.anl.gov/~tfreeman/local/pooled/admin/addpoolusers.sh
    In order to use it you have to do the following first:
        [root@kvasir root]# mkdir -p /etc/grid-security/gridmapdir
        [root@kvasir root]# mkdir /home/gpool
    
    NOTE: At a later stage the gridmapdir directory is made owned by the globus user
    (at this point that user does not exist yet).

    3) Install the voms C-api library. Unfortunately this is not packaged separately from the
    rest of the voms-core package, so install everything from:
    http://glite.web.cern.ch/glite/packages/N20041215/bin/rhel30/i386/RPMS/glite-security-voms-1.2.26-22_N20041215.i386.rpm

    The certificates of the voms servers you trust should be stored in
    /etc/grid-security/vomsdir.

    4) Install the lcmaps framework and plugins from org.glite.
    You need version 1.2.0 or higher, so you could take Nightly Build N20041215:
    http://glite.web.cern.ch/glite/packages/N20041215/bin/rhel30/i386/RPMS/
    You need the following packages:
        glite-security-lcmaps-1.2.0-1_N20041215.i386.rpm
        glite-security-lcmaps-interface-1.2.0-1_N20041215.i386.rpm
        glite-security-lcmaps-plugins-basic-1.2.0-1_N20041215.i386.rpm
        glite-security-lcmaps-plugins-voms-1.2.0-1_N20041215.i386.rpm
    Of course "N20041215" should be replaced by the relevant nightly-build/integration-build number.

    5) Unfortunately, the gsi-free version of LCMAPS that is needed for the workspace
    service is not packaged yet. It has to be built by hand from CVS, for which you
    can run this script:

    [root@kvasir root]# cat build_lcmaps_gsifree.sh
    #!/bin/sh
    #
    # Build the gsi-free flavour of LCMAPS from the gLite RC1 CVS branches
    # and install it under /opt/glite.
    mkdir -p /tmp/build_lcmaps_gsifree/EGEE
    cd /tmp/build_lcmaps_gsifree/EGEE || exit 1
    export CVSROOT=":pserver:anonymous@jra1mw.cvs.cern.ch:/cvs/jra1mw"
    cvs co -r glite_branch_1_0_0_RC1 org.glite
    cvs co -r glite-security_branch_1_0_0_RC1 org.glite.security
    cvs co -r glite-security-lcmaps_branch_1_2_0_RC1 org.glite.security.lcmaps
    cvs co -r glite-security-lcmaps-interface_branch_1_2_0_RC1 org.glite.security.lcmaps-interface
    cvs co -r glite-security-lcmaps-plugins-basic_branch_1_2_0_RC1 org.glite.security.lcmaps-plugins-basic
    cvs co -r glite-security-lcmaps-plugins-voms_branch_1_2_0_RC1 org.glite.security.lcmaps-plugins-voms
    # The autoconf m4 macros live in the parent projects; copy them into each module
    for i in lcmaps lcmaps-interface lcmaps-plugins-basic lcmaps-plugins-voms ; do \
            cp org.glite.security/project/lcmaps.m4 org.glite.security.$i/project; \
            cp org.glite/project/*m4 org.glite.security.$i/project; \
    done
    mkdir stage
    # Configure each module without GSI support and install it
    for i in lcmaps lcmaps-interface lcmaps-plugins-basic lcmaps-plugins-voms ; do \
            (cd org.glite.security.$i; \
            make distclean; \
            ./bootstrap; \
            ./configure  --prefix=/opt/glite --without-gsi-mode; \
            make install); \
    done
    [root@kvasir root]#

    This will check out the LCMAPS modules from the gLite RC1 (Release Candidate 1)
    branch, build them and install them in /opt/glite.

    6) Configure the lcmaps.db files:
    We need to configure two lcmaps.db files. One for the lcmaps instance used by the
    gatekeeper and one for the instance used by the workspace system.

    For the gatekeeper:
    ------------------------------------------------------------------
    [root@kvasir root]# cat /opt/glite/etc/lcmaps/lcmaps.db
    # LCMAPS policy file/plugin definition
    #
    # default path
    path = /opt/glite/lib/modules
    
    # Plugin definitions:
    good             = "lcmaps_dummy_good.mod"
    bad              = "lcmaps_dummy_bad.mod"
    localaccount     = "lcmaps_localaccount.mod"
                           "-gridmapfile /etc/grid-security/grid-mapfile"
    vomslocalgroup   = "lcmaps_voms_localgroup.mod"
                           "-groupmapfile /etc/grid-security/groupmapfile"
                           "-mapmin 0"
    vomspoolaccount  = "lcmaps_voms_poolaccount.mod"
                           "-gridmapfile /etc/grid-security/grid-mapfile"
                           "-gridmapdir /etc/grid-security/gridmapdir"
                           "-do_not_use_secondary_gids"
    posix_enf        = "lcmaps_posix_enf.mod"
                           "-maxuid 1"
                           "-maxpgid 1"
                           "-maxsgid 32"
    
    # Policies:
    voms:
    localaccount -> posix_enf | vomslocalgroup
    vomslocalgroup -> vomspoolaccount
    vomspoolaccount -> posix_enf
    [root@kvasir root]#
    ------------------------------------------------------------------
    
    For the Workspace service:
    ------------------------------------------------------------------
    [root@kvasir root]# cat /opt/glite/etc/lcmaps/lcmaps.db.without_gsi
    # LCMAPS policy file/plugin definition
    #
    # default path
    path = /opt/glite/lib/modules
    
    # Plugin definitions:
    good             = "lcmaps_dummy_good.mod"
    bad              = "lcmaps_dummy_bad.mod"
    localaccount     = "lcmaps_localaccount.mod"
                           "-gridmapfile /etc/grid-security/grid-mapfile"
    vomslocalgroup   = "lcmaps_voms_localgroup_without_gsi.mod"
                           "-groupmapfile /etc/grid-security/groupmapfile"
                           "-mapmin 0"
    vomspoolaccount  = "lcmaps_voms_poolaccount_without_gsi.mod"
                           "-gridmapfile /etc/grid-security/grid-mapfile"
                           "-gridmapdir /etc/grid-security/gridmapdir"
                           "-do_not_use_secondary_gids"
    
    # Policies:
    das_voms:
    localaccount -> good | vomslocalgroup
    vomslocalgroup -> vomspoolaccount
    [root@kvasir root]#
    ------------------------------------------------------------------
    Two lcmaps.db files will no longer be needed once I have made some minor
    modifications to the way the gatekeeper calls out to LCMAPS.

    More complex configurations are possible that enable the use of poolgroups (in a
    similar fashion to poolaccounts), AFS token acquisition and adding users to
    unix groups in a distributed authorization information db, such as LDAP (a
    distributed alternative to /etc/passwd and /etc/group).
    Configuration examples will appear at: http://www.nikhef.nl/grid/lcaslcmaps/
    
    7) Configure the grid-mapfile.
    To the grid-mapfile (/etc/grid-security/grid-mapfile) VO-triplet lines have to be
    added for the supported VOMS VOs. To support the "EGEE" VO add the following
    line (FQAN format):
    "/EGEE/*" .gpool

    As soon as finer grained VOMS attributes are used, these can be used for finer
    grained mapping as well.

    8) Configure the groupmapfile
    To the groupmapfile (/etc/grid-security/groupmapfile) lines have to be added
    for the supported VOMS VOs. To support the "EGEE" VO add the following
    line (FQAN format):
    "/EGEE/*" egee

    This means all users with an attribute "/EGEE/*" will be mapped to the group name
    "egee". This group has to exist before LCMAPS is run, so do a
    [root@kvasir root]# groupadd egee

    As in the case of the grid-mapfile: As soon as finer grained VOMS attributes are
    used, these can be used for finer grained mapping as well.

    ---> IMPORTANT <---: The format of the VO triplets in the groupmapfile and
    grid-mapfile has changed as of LCMAPS version 1.2.x. From version 1.2
    onwards standard FQANs are used instead of our own format, as illustrated by
    this example:
        Old: "VO=Atlas/GROUP=/Atlas/MonteCarlo/ROLE=admin/CAPABILITY=none"
        New: "/Atlas/MonteCarlo/Role=admin/Capability=none"
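
    The following Python model, added here as an example that is not part of this
    document nor of the LCMAPS code, walks a user through the gatekeeper's "voms"
    policy from the lcmaps.db above (localaccount -> posix_enf | vomslocalgroup,
    vomslocalgroup -> vomspoolaccount, vomspoolaccount -> posix_enf) over
    constructed copies of the grid-mapfile and groupmapfile lines given above and a
    temporary gridmapdir holding one empty file per pool account (what the
    addpoolusers.sh script sets up). Assumptions, not taken from this document:
    "/EGEE/*" is matched against FQANs as a glob pattern, a ".gpool" target names
    the accounts gpool000, gpool001, ... in the gridmapdir, and a lease is a hard
    link from the free account file to a file named after the URL-encoded DN (the
    exact encoding the real plug-in uses may differ). The DNs and account names in
    the sample data are constructed.

```python
"""Model of the LCMAPS "voms" policy configured in lcmaps.db (added example,
not LCMAPS code): localaccount -> posix_enf | vomslocalgroup,
vomslocalgroup -> vomspoolaccount, vomspoolaccount -> posix_enf.
Assumptions: "/EGEE/*" lines match FQANs as glob patterns, a ".gpool" target
names the pool accounts gpool000, gpool001, ... in the gridmapdir, and a
lease is a hard link from the account file to the URL-encoded DN (the real
encoding may differ)."""
import fnmatch
import os
import shlex
import tempfile
import urllib.parse

# Constructed sample mapfiles: the lines this document tells you to add, plus
# one static DN entry to exercise the localaccount path.
GRID_MAPFILE = '''
# DN -> account (localaccount), FQAN pattern -> .pool (vomspoolaccount)
"/O=dutchgrid/O=users/O=nikhef/CN=Static User" staticuser
"/EGEE/*" .gpool
'''
GROUPMAPFILE = '''
"/EGEE/*" egee
'''


def parse_mapfile(text):
    """Return [(key, target)] pairs; keys are quoted DNs or FQAN patterns."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, target = shlex.split(line)[:2]
            entries.append((key, target))
    return entries


def match_fqan(entries, fqans):
    """First target whose pattern glob-matches one of the user's FQANs, in FQAN order."""
    for fqan in fqans:
        for pattern, target in entries:
            if fnmatch.fnmatchcase(fqan, pattern):
                return target
    return None


def lease_pool_account(gridmapdir, pool, dn):
    """Return the pool account leased to dn: reuse an existing lease, otherwise
    hard-link the first free account file (link count 1) to the encoded DN."""
    lease = os.path.join(gridmapdir, urllib.parse.quote(dn, safe="").lower())
    accounts = sorted(n for n in os.listdir(gridmapdir) if n.startswith(pool))
    if os.path.exists(lease):
        ino = os.stat(lease).st_ino  # the lease shares its inode with the account file
        return next(n for n in accounts if os.stat(os.path.join(gridmapdir, n)).st_ino == ino)
    for name in accounts:
        path = os.path.join(gridmapdir, name)
        if os.stat(path).st_nlink == 1:
            os.link(path, lease)
            return name
    return None  # pool exhausted: vomspoolaccount fails and so does the policy


def posix_enf(account, group, maxuid=1, maxpgid=1):
    """Stand-in for lcmaps_posix_enf: enforce -maxuid/-maxpgid on the collected
    credentials (the real module then performs the setuid/setgid)."""
    uids = [account] if account else []
    pgids = [group] if group else []
    if not uids or len(uids) > maxuid or len(pgids) > maxpgid:
        return None
    return {"uid": uids[0], "pgid": pgids[0] if pgids else None}


def lcmaps_voms_policy(dn, fqans, gridmapdir,
                       grid_mapfile=GRID_MAPFILE, groupmapfile=GROUPMAPFILE):
    """Evaluate the 'voms' policy for one user; None means no mapping (job refused)."""
    gm = parse_mapfile(grid_mapfile)
    # localaccount: a literal DN entry with a real (non-pool) account succeeds outright
    for key, target in gm:
        if key == dn and not target.startswith("."):
            return posix_enf(target, None)
    # localaccount failed -> vomslocalgroup: primary group from the groupmapfile
    group = match_fqan(parse_mapfile(groupmapfile), fqans)
    if group is None:
        return None
    # vomslocalgroup succeeded -> vomspoolaccount: lease an account from the .pool
    pool = match_fqan([(k, t) for k, t in gm if t.startswith(".")], fqans)
    if pool is None:
        return None
    account = lease_pool_account(gridmapdir, pool[1:], dn)
    return posix_enf(account, group)


def demo():
    """Constructed gridmapdir with two gpool accounts; returns the four mapping results."""
    gridmapdir = tempfile.mkdtemp()
    for i in range(2):
        open(os.path.join(gridmapdir, "gpool%03d" % i), "w").close()
    alice = ("/O=dutchgrid/O=users/O=nikhef/CN=Alice", ["/EGEE/Role=NULL/Capability=NULL"])
    bob = ("/O=dutchgrid/O=users/O=nikhef/CN=Bob", ["/EGEE/prod/Role=NULL/Capability=NULL"])
    eve = ("/O=dutchgrid/O=users/O=nikhef/CN=Eve", ["/otherVO/Role=NULL/Capability=NULL"])
    return [lcmaps_voms_policy(d, f, gridmapdir) for d, f in (alice, bob, alice, eve)]
```

    Running demo() maps Alice to gpool000, Bob to gpool001, Alice again to the
    same gpool000 (her lease is reused), and refuses Eve because no groupmapfile
    line matches her VO. The lease check is the point to watch operationally: a
    gridmapdir whose hard links get lost (e.g. after a copy instead of a move)
    silently hands pool accounts to new DNs.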

    End of LCMAPS installation and configuration.


II. Installation and configuration of LCAS
__________________________________________

    1) Install the globus and VOMS libraries as described for the LCMAPS installation

    2) Install gridsite for the GACL libraries needed by the LCAS VOMS plugin. Take for example:
    http://glite.web.cern.ch/glite/packages/externals/bin/rhel30/RPMS/gridsite-1.1.3-1.i386.rpm

    3) Install the lcas framework and plugins from org.glite.
    You need version 1.2.2 or higher (not yet available from a nightly build)
    You need the following packages:
        glite-security-lcas-1.2.2-1_<buildrelease>.i386.rpm
        glite-security-lcas-interface-1.2.2-1_<buildrelease>.i386.rpm
        glite-security-lcas-plugins-basic-1.2.2-1_<buildrelease>.i386.rpm
        glite-security-lcas-plugins-voms-1.2.2-1_<buildrelease>.i386.rpm
    The <buildrelease> tag should be replaced by the relevant nightly-build/integration-build number.

    4) Configuration of lcas.db
    In /opt/glite/etc/lcas/lcas.db the plug-ins are listed that lcas should call.
    It could look like:

    (version A)
    [root@kvasir glite]# cat /opt/glite/etc/lcas/lcas.db
    # LCAS database/plugin list
    #
    # Format of each line:
    # pluginname="<name/path of plugin>", pluginargs="<arguments>"
    #
    #
    pluginname="lcas_userban.mod",pluginargs="ban_users.db"
    pluginname="lcas_voms.mod",pluginargs="-vomsdir /etc/grid-security/vomsdir -certdir /etc/grid-security/certificates -authfile /etc/grid-security/grid-mapfile -authformat simple"
    [root@kvasir glite]#

    or:

    (version B)
    [root@kvasir glite]# cat /opt/glite/etc/lcas/lcas.db
    # LCAS database/plugin list
    #
    # Format of each line:
    # pluginname="<name/path of plugin>", pluginargs="<arguments>"
    #
    #
    pluginname="lcas_userban.mod",pluginargs="ban_users.db"
    pluginname="lcas_voms.mod",pluginargs="-vomsdir /etc/grid-security/vomsdir -certdir /etc/grid-security/certificates -authfile /opt/glite/etc/lcas/lcas_voms.gacl -authformat gacl -use_user_dn -gacl_use_voms_dn yes"
    [root@kvasir glite]#

    NOTE: Each plug-in definition can only occupy one line!


    5) Configuration of ban_users.db
    The file /opt/glite/etc/lcas/ban_users.db contains a list of the DNs of those users that
    the sysadmin wants to ban from his fabric. If the plugin is used in lcas.db this file has
    to exist:

    [root@kvasir glite]# cat /opt/glite/etc/lcas/ban_users.db
    #
    # This file contains the globus user ids that are BANNED from this fabric
    #
    "/O=GetRID/O=abusers/CN=Endless Job"
    [root@kvasir glite]#

    6) Configuration of grid-mapfile or lcas_voms.gacl
    - If site access is controlled by the grid-mapfile (lcas.db version A) nothing has to be
    done, since the grid-mapfile has already been configured for LCMAPS.

    - If site access is controlled by a Grid ACL (GACL) the GACL file
    /opt/glite/etc/lcas/lcas_voms.gacl has to be created:
    [root@kvasir glite]# cat /opt/glite/etc/lcas/lcas_voms.gacl
    <?xml version="1.0"?>
    <gacl version="0.0.1">
            <entry>
                    <voms-cred>
                            <voms>/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl</voms>
                            <vo>EGEE</vo>
                            <group>/EGEE</group>
                    </voms-cred>
                    <allow><read/><write/></allow>
                    <deny><admin/></deny>
            </entry>
            <entry>
                    <voms-cred>
                            <voms>/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl</voms>
                            <vo>egtest</vo>
                            <group>/egtest</group>
                    </voms-cred>
                    <allow><read/><write/></allow>
                    <deny><admin/></deny>
            </entry>
    </gacl>
    [root@kvasir glite]#
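
    The following Python model, added here as an example that is not part of this
    document nor of the LCAS code, runs the plug-in chain of the two lcas.db
    versions above over constructed copies of ban_users.db, the grid-mapfile VO
    line and the lcas_voms.gacl file. The plug-ins run in lcas.db order and every
    one of them must accept, so lcas_userban.mod refuses a banned DN before
    lcas_voms.mod is consulted. Assumptions, not taken from this document: in
    "simple" mode (version A) a user is authorized when one of his FQANs matches a
    VO line of the grid-mapfile glob-style; in GACL mode (version B, with
    -gacl_use_voms_dn yes) a <voms-cred> entry matches when the VOMS server DN and
    the VO are equal and the <group> is the FQAN's group or one of its parent
    groups, and an <allow> containing <read/> authorizes. The real plug-ins' full
    GACL semantics (person entries, deny precedence) are not reproduced. The user
    DNs are constructed.

```python
"""Model of the LCAS plug-in chain from lcas.db versions A and B (added
example, not LCAS code). Assumptions: "simple" mode authorizes on a glob
match of an FQAN against a grid-mapfile line; GACL mode authorizes on a
<voms-cred> entry whose VOMS server DN and VO are equal to the user's and
whose <group> is the FQAN's group or a parent of it, if that entry allows
<read/>."""
import fnmatch
import shlex
import xml.etree.ElementTree as ET

# Constructed copies of the files shown in this document
BAN_USERS_DB = '''
#
# This file contains the globus user ids that are BANNED from this fabric
#
"/O=GetRID/O=abusers/CN=Endless Job"
'''
GRID_MAPFILE = '''
"/EGEE/*" .gpool
'''
VOMS_SERVER = "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl"
LCAS_VOMS_GACL = '''<?xml version="1.0"?>
<gacl version="0.0.1">
  <entry>
    <voms-cred><voms>%s</voms><vo>EGEE</vo><group>/EGEE</group></voms-cred>
    <allow><read/><write/></allow><deny><admin/></deny>
  </entry>
  <entry>
    <voms-cred><voms>%s</voms><vo>egtest</vo><group>/egtest</group></voms-cred>
    <allow><read/><write/></allow><deny><admin/></deny>
  </entry>
</gacl>
''' % (VOMS_SERVER, VOMS_SERVER)


def quoted_keys(text):
    """First quoted field of each non-comment line (ban list and mapfile share this layout)."""
    return [shlex.split(line)[0] for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")]


def lcas_userban(cred, ban_text=BAN_USERS_DB):
    """lcas_userban.mod: refuse if the user's DN is listed in ban_users.db."""
    return cred["dn"] not in set(quoted_keys(ban_text))


def lcas_voms_simple(cred, mapfile_text=GRID_MAPFILE):
    """lcas_voms.mod with -authformat simple: any FQAN matching a VO line authorizes."""
    return any(fnmatch.fnmatchcase(fqan, pattern)
               for fqan in cred["fqans"] for pattern in quoted_keys(mapfile_text))


def lcas_voms_gacl(cred, gacl_text=LCAS_VOMS_GACL):
    """lcas_voms.mod with -authformat gacl: authorize on a matching <voms-cred> entry that allows read."""
    for entry in ET.fromstring(gacl_text).findall("entry"):
        vc = entry.find("voms-cred")
        if vc is None:
            continue
        # -gacl_use_voms_dn yes: the <voms> DN is compared with the issuing VOMS server
        if vc.findtext("voms") != cred["voms_server"] or vc.findtext("vo") != cred["vo"]:
            continue
        group = (vc.findtext("group") or "").rstrip("/")
        # "/EGEE" must match "/EGEE/..." but not "/EGEEfoo/...": compare on a path boundary
        if not group or not any(f == group or f.startswith(group + "/") for f in cred["fqans"]):
            continue
        allow = entry.find("allow")
        if allow is not None and allow.find("read") is not None:
            return True
    return False


def lcas_authorize(cred, authformat="gacl"):
    """Run the plug-in chain of lcas.db version A ("simple") or B ("gacl"); first refusal is final."""
    if not lcas_userban(cred):
        return False
    if authformat == "simple":
        return lcas_voms_simple(cred)
    return lcas_voms_gacl(cred)
```

    The prefix comparison on a path boundary is the detail worth checking in any
    GACL evaluator: a group of /EGEE must not authorize an FQAN of /EGEEfoo/...,
    and an entry for a different VOMS server with the same VO name must not match
    when -gacl_use_voms_dn is in effect.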

    End of LCAS installation and configuration


III. Installation and configuration of the gatekeeper
____________________________________________________

    1)  Install globus 2.4.3 from vdt, available from:
    http://egee-jra1-integration.web.cern.ch/egee-jra1-integration/repository/globus/2.4.3-VDT-1.2.0/rhel30_gcc32/RPMS/
    Needed packages for the glite- and globus-gatekeeper:
        vdt_globus_essentials-VDT1.2.0rh9-1.i386.rpm
        vdt_globus_rm_essentials-VDT1.2.0rh9-1.i386.rpm
        vdt_globus_rm_server-VDT1.2.0rh9-1.i386.rpm
        vdt_globus_rm_client-VDT1.2.0rh9-1.i386.rpm (if client is needed)

    2)  Create the file /opt/glite/etc/
    [root@kvasir glite]# cat /opt/glite/etc/gatekeeper.conf
      -x509_cert_dir /etc/grid-security/certificates
      -x509_user_cert /etc/grid-security/hostcert.pem
      -x509_user_key /etc/grid-security/hostkey.pem
      -gridmap "/etc/grid-security/grid-mapfile"
      -home /opt/globus
      -e libexec
      -port 2119
      -grid_services /opt/globus/etc/grid-services
      -logfile "/var/log/globus-gatekeeper.log"

      -acctfile /var/log/accountingtest.log
      -lcas_etc_dir "/opt/glite/etc/lcas/"
      -lcas_debug_level 0
      -lcas_db_file lcas.db
      -lcmaps_etc_dir "/opt/glite/etc/lcmaps/"
      -lcmaps_debug_level 0
      -lcmaps_db_file lcmaps.db
    [root@kvasir glite]#

    3) For the rest of the gatekeeper and jobmanager configuration procedure, please follow:
        http://egee-jra1-wm.mi.infn.it/egee-jra1-wm/lsfnode_install.shtml

    4) Finally start the gatekeeper with:
    
        [root@kvasir glite]# /opt/glite/sbin/glite-gatekeeper -conf /opt/glite/etc/gatekeeper.conf.lcas
        GRAM contact: kvasir.nikhef.nl:2119:/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kvasir.nikhef.nl

    5) To create a VOMS proxy, first create on the client the file
    /opt/glite/etc/vomses/EGEE-kuiken.nikhef.nl, such that:

        [martijn@kvasir martijn]$ cat /opt/glite/etc/vomses/EGEE-kuiken.nikhef.nl
        "EGEE" "kuiken.nikhef.nl" "15001" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "EGEE" "1"

    Furthermore you need to have the host certificate (PEM format) of the VOMS server of
    this VO in /etc/grid-security/vomsdir.
        [root@kvasir glite]# cat /etc/grid-security/vomsdir/kuiken.nikhef.nl.pem
        -----BEGIN CERTIFICATE-----
        MIIE+jCCA+KgAwIBAgICAjwwDQYJKoZIhvcNAQEFBQAwUjELMAkGA1UEBhMCTkwx
        DzANBgNVBAoTBk5JS0hFRjEyMDAGA1UEAxMpTklLSEVGIG1lZGl1bS1zZWN1cml0
        eSBjZXJ0aWZpY2F0aW9uIGF1dGgwHhcNMDQxMjE1MDkwODQyWhcNMDUxMjE1MDkw
        ODQyWjBTMRIwEAYDVQQKEwlkdXRjaGdyaWQxDjAMBgNVBAoTBWhvc3RzMRIwEAYD
        VQQLEwluaWtoZWYubmwxGTAXBgNVBAMTEGt1aWtlbi5uaWtoZWYubmwwgZ8wDQYJ
        KoZIhvcNAQEBBQADgY0AMIGJAoGBANE7qRVIBoazrFoVBeVnSZVz3Wf9m7wdoi97
        YvbR4bPYQnrpYgdFNSSr5L5KMh0j3TQOKs3H5sUxtwMcAMYY9MTzKie94gm07ESp
        RPuR68Jg7nCRjKlqmww31wG4LSlFtORlNIltiqFkffsD64wti1jvcfKfabx3UNjA
        R1h4k+G7AgMBAAGjggJbMIICVzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DA+BgNV
        HR8ENzA1MDOgMaAvhi1odHRwOi8vY2VydGlmaWNhdGUubmlraGVmLm5sL21lZGl1
        bS9jYWNybC5wZW0wGgYDVR0gBBMwETAPBg0rBgEEAdFCBAICAQIBMHoGA1UdIwRz
        MHGAFFsFOpnG1SK9/ZSA/BGo0PFx1kukoVakVDBSMQswCQYDVQQGEwJOTDEPMA0G
        A1UEChMGTklLSEVGMTIwMAYDVQQDEylOSUtIRUYgbWVkaXVtLXNlY3VyaXR5IGNl
        cnRpZmljYXRpb24gYXV0aIIBADAdBgNVHQ4EFgQURRT6uiZ52z0HQOsvbHVGGFS/
        UJEwEQYJYIZIAYb4QgEBBAQDAgXgMDoGCWCGSAGG+EIBCAQtFitodHRwOi8vY2Vy
        dGlmaWNhdGUubmlraGVmLm5sL21lZGl1bS9wb2xpY3kvMIHZBglghkgBhvhCAQ0E
        gcsWgchDZXJ0aWZpY2F0ZSBpc3N1ZWQgdW5kZXIgRHV0Y2hHcmlkIGFuZCBOSUtI
        RUYgbWVkaXVtLXNlY3VyaXR5IHBvbGljeSB2ZXJzaW9uIDIuMTtsaW1pdGVkIGxp
        YWJpbGl0aWVzIGFwcGx5LCBzZWUgaHR0cDovL2NlcnRpZmljYXRlLm5pa2hlZi5u
        bC9tZWRpdW0vcG9saWN5LyBmb3IgZGV0YWlscztDZXJ0aWZpY2F0ZSBUYWc6IDQw
        OWJkN2E2LWQxM2JhOTAbBgNVHREEFDASghBrdWlrZW4ubmlraGVmLm5sMA0GCSqG
        SIb3DQEBBQUAA4IBAQCMcJtWXjTEYiQJfxc9S51bU9yNDOImWdwltxd/hPkLel5y
        hv3RHB3h1lo1WVffg10uxsvI1AQ8FCcJidl/eTfonFEV2JvC4ZnF1GS12jSWwPsb
        wlDEuBM8cB7zn/B1RFT2SKSUmxhnkBpW/r00ztNsJMe3fspoeEhxdPNfothno6du
        lVSJKyGVrA5zyLQh38HADOYoyhFTjzlJKcVhDc3zQJiYwxgO8BKAGqrVDyZIMcWR
        O1Bd93GfpmzgRk1XpwY0p46AEpwvXC+C1zS6J4kRxJ4Er2FPbwaSIu0E+aO4MG+q
        eZOUcAEz5WQDk0/FxdBWH5WyM0OzRXfP6a9jUzZ+
        -----END CERTIFICATE-----
        [root@kvasir glite]#
    
    Then create the proxy:

    [martijn@kvasir martijn]$ /opt/glite/bin/voms-proxy-init -voms EGEE
    Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Martijn Steenbakkers
    Enter GRID pass phrase for this identity:
    Creating temporary proxy ........................................ Done
    /O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl
    /C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth
    Creating proxy .............................................. Done
    Your proxy is valid until Fri Dec 17 05:35:07 2004

    [martijn@kvasir martijn]$ /opt/globus/bin/globus-job-run kvasir /usr/bin/id -a
    uid=9000(gpool000) gid=503(egee)

    Yes, the mapping based on VOMS attributes has worked!


IV. Installation and configuration of the workspace service
___________________________________________________________

    1) See http://www-unix.mcs.anl.gov/~tfreeman/workspace_service/ for the installation of the
    Workspace service.
    
    2) NOTE:
        - It is advised to start with a fresh gt3.9.3 installation.
        - Before building the lcmaps backend fill in the right LCMAPS configuration values in
        the config.h file:
           #define LCMAPS_LOG_FILE "/opt/glite/var/log/lcmaps_workspace.log"
           #define LCMAPS_DB_FILE "/opt/glite/etc/lcmaps/lcmaps.db.without_gsi"
           #define LCMAPS_GRIDMAPDIR "/etc/grid-security/gridmapdir"
           #define LCMAPS_DEBUG_LEVEL  "0"
           #define LCMAPS_POLICY_NAME  "das_voms"
           #define LCMAPS_LOG_STRING   "DAS poolindex"
        - The Makefile should use the right compilation flags:
            -I/opt/glite/include/glite/security/lcmaps/
            -L/opt/glite/lib


Links
_____

gLite:
http://glite.web.cern.ch/glite/

LCAS and LCMAPS:
http://www.nikhef.nl/grid/lcaslcmaps/

Workspace service:
http://www-unix.mcs.anl.gov/~tfreeman/workspace_service/


$Id: INSTALL_WITH_WORKSPACE_SERVICE 11755 2010-12-16 15:29:48Z dennisvd $
