A globus gsi-authz plug-in to run lcas and lcmaps
This is a plug-in to be loaded from a GSI-AuthZ capable Globus service. The feature was introduced in Globus GT4 and is available for GT5. The purpose of this call-out is to authorize a user by running the LCAS framework and map the user credentials to a Unix account based using the LCMAPS framework. Both LCAS and LCMAPS are frameworks that run configured plug-ins to do the real work.
Some of the plug-ins are capable of imposing certain policy on the user credentials, others are capable of off-loading the decision to a centralized service to make the decision or even provide an account mapping in the process.
This plug-in is dynamically loaded during each interaction that requires an account mapping in the GSI-AuthZ interface of a Globus service.
When this variable is set and it can be opened as file, log output will go to the given file instead of to syslog. When either $LCAS_LOG_FILE or $LCMAPS_LOG_FILE is unset, it will also be set to this same file.
Change the default logging facility with the $LLGT_LOG_FACILITY environment variable. Use the name of (standard syslog) facility names. Example: LOG_DAEMON, LOG_LOCAL1, etcetera
The $LLGT_LOG_IDENT can (optionally) be set as the Syslog ident value. This will be the identifying string in Syslog for the current process. Not using this option will let Syslog (or one of the GT services) to set these options. By default the Syslog ident will be set to the executable name.
Set the environment variable $LLGT_RUN_LCAS to "no", "disabled" or "disable" to avoid LCAS to run prior to the LCMAPS.
There is a matching ./configure option "--enable-lcas" which can be used to change the default behaviour to run LCAS or not. The $LLGT_RUN_LCAS environment variable can still influence the LCAS run.
Normally the callout, after LCMAPS has finished, checks whether it is (still) running with root privileges (uid, euid, gid or egid) and fails if that is the case. This is to prevent erroneous configurations to silently result in a root-account mapping in services that do not have their own checks for this.
When the environment variable LLGT_LIFT_PRIVILEGED_PROTECTION is set, this check is disabled. This is NEEDED for services that:
1.) don't user switch, and run as root.
2.) services that expect only a username to be returned and perform the user switch themselves, e.g. the Globus GSI-OpenSSHd.
Set the environment variable $LLGT_CACHE_CALLOUT to "no", "disabled" or "disable" to disable reusing the result of the `localname' callout for the `userok' callout. This results in calling the LCAS/LCMAPS authorization twice for e.g. gsisshd.
Set the environment variable $LLGT_DLCLOSE_LCMAPS to "no", "disabled" or "disable" to prevent calling dlclose() on the LCMAPS library. This might be needed as a workaround on RH5-based systems in an installation for gsisshd, when the use of PAM is enabled ("UsePAM Yes" in the /etc/gsissh/sshd_config). The underlying bug is a combination between the OpenSSL, VOMS and PAM libraries, which can trigger a segfault when VOMS is initialized twice.
Set the environment variable $LLGT_DLCLOSE_LCAS to "no", "disabled" or "disable" to prevent calling dlclose() on the LCAS library. This might be needed as a workaround on RH5-based systems. The underlying bug is a combination between the OpenSSL, VOMS and Globus libraries, which can trigger a segfault when VOMS is initialized twice, which can happen when LCAS is using a VOMS based plugin. Normally should not be needed as LCAS is now dlclosed and terminated after LCMAPS.
Depreciated $LLGT_NO_CHANGE_USER in favour of $LLGT_LIFT_PRIVILEGED_PROTECTION. (Depreciation does not mean non-functional anymore)
Depreciated $LLGT4_NO_CHANGE_USER in favour of $LLGT_LIFT_PRIVILEGED_PROTECTION. (Depreciation does not mean non-functional anymore)
The VOMS credentials are verified by the LCMAPS framework before further processing is done in the plug-ins. The LCMAPS framework has an API to enable or disable the verification of the VOMS credentials and this option will disable the verification of the VOMS credentials. A vanilla LCMAPS build will verify the VOMS credentials by default.
Similar to the $LLGT_VOMS_DISABLE_CREDENTIAL_CHECK environment variable, this setting will enable the verification of the VOMS credentials, overriding the LCMAPS default setting to have the verification of VOMS credentials to be disabled. A vanilla LCMAPS build will verify the VOMS credentials by default, the OSG build has is disabled by default.
Support for an alternative LCAS_LIBDIR as a run-time setting by exporting $LLGT_LCAS_LIBDIR="/usr/local/lib/liblcas.so"
Support for an alternative LCMAPS_LIBDIR as a run-time setting by exporting $LLGT_LCMAPS_LIBDIR="/usr/local/lib/liblcmaps.so"
If the $LLGT_ENABLE_DEBUG environment variable is set, then the debugging message logged at level LOG_DEBUG are passed to the log. The scope of this setting is only within the LCAS-LCMAPS-GT-interface
An environment variable that is internally set to uniquely identify this gatekeeper and the job manager.
Similar to the $GATEKEEPER_JM_ID value, but its purpose is for the LCMAPS job repository plug-in.
For LCMAPS 1.5.0 (and newer) the value "5" corresponds to Syslog LOG_DEBUG, "4" corresponds to LOG_INFO, "3" to LOG_NOTICE and so on. The LCMAPS default is to log up to LOG_INFO.
The user is authorized and a local Unix account was procured.
No mapping was possible.
From version 0.3.0 onwards, the interface tries to forward the requested username to LCMAPS (for version 1.6.0 and up). The mapping plugins can use this to support multiple username entries in the grid-mapfile, or enforcing poolaccount mappings to a specific poolaccount.
Please report any errors to the Nikhef Grid Middleware Security Team <[email protected]>.
lcas.db(5), lcas(3). lcmaps.db(5), lcmaps(3).
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team <[email protected]>.