ESGFNode|BDMSecurityDatanodeAdminGuide
Wiki Reorganisation |
---|
This page has been classified for reorganisation. It has been given the category MOVE. |
The content of this page will be revised and moved to one or more other pages in the new wiki structure. |
As a Data Node administrator, your tasks are, in short: request BDM access from the Gateway administrator, make sure GridFTP has been installed, download and install the BDM security module, configure the BDM security module, and then (re-)start the GridFTP server.
For anything on this page to work, the Globus GridFTP server must be installed on your system! For documentation on installing the GridFTP server, please consult this page:
Assuming that the GridFTP server is already installed on the Data Node (via Gavin's installation script), we first need to download and install the authz_bdm_callout module. The download link is provided below:
After downloading this package, extract and install it as follows (as root):
```
[root@vm-125-67 TMP]# wget http://rainbow.llnl.gov/dist/globus/gridftp/BDM/authz_bdm_callout-12-17-2009.tar.gz
...
[root@vm-125-67 TMP]# tar -xzf authz_bdm_callout-12-17-2009.tar.gz
[root@vm-125-67 TMP]# cd authz_bdm_callout/source/
[root@vm-125-67 source]# export GLOBUS_LOCATION=/usr/local/gt-current
[root@vm-125-67 source]# ./bootstrap
installing globus_automake_pre link
installing globus_automake_post link
installing globus_automake_pre_top link
installing globus_automake_post_top link
installing doxygen/Doxyfile.in link
installing doxygen/Doxyfile-internal.in link
installing Makefile.am link in doxygen
running aclocal -I /usr/local/gt-current/share/globus_aclocal
running libtoolize --copy --force
running automake --copy -add-missing --foreign
running gpt_create_automake_rules --excludes=doxygen
running autoconf
[root@vm-125-67 source]# ./configure --prefix=/usr/local/gt-current --with-flavor=gcc64dbg
checking whether to enable maintainer-specific portions of Makefiles... no
Dependencies Complete
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating version.h
config.status: creating pkgdata/Makefile
config.status: creating pkgdata/pkg_data_src.gpt
config.status: creating doxygen/Makefile
config.status: creating doxygen/Doxyfile
config.status: creating doxygen/Doxyfile-internal
config.status: executing default commands
# now run make and make install
[root@vm-125-67 source]# make && make install
... snip ...
make[2]: Leaving directory `/root/gsi/STAGING/TMP/authz_bdm_callout/source'
make[1]: Leaving directory `/root/gsi/STAGING/TMP/authz_bdm_callout/source'
```
At this point the module has been installed, but GridFTP configuration remains to be done. Without this configuration, the BDM security module will never be used.
To configure the module, copy the included configuration file _authz_callouts_bdm.cfg_ (located in the source directory) to _/etc/grid-security/gsi-authz.conf_.
```
[root@vm-125-67 source]# cp authz_callouts_bdm.cfg /etc/grid-security/gsi-authz.conf
```
You may also need to edit this file after copying, because it is configured by default for 64-bit systems.
```
[root@vm-125-67 source]# cat /etc/grid-security/gsi-authz.conf
globus_mapping libglobus_authz_bdm_callout_gcc64dbg.so globus_gsi_authz_bdm_gridmap_callout
```
If you are running a 32-bit system, edit the file and change the gcc64dbg part to gcc32dbg.
If you need to use a location other than /etc/grid-security/gsi-authz.conf, set the environment variable GSI_AUTHZ_CONF to the appropriate location.
Now you can move on to the next section of creating/editing the module's configuration file.
By default, the BDM security module looks for its configuration file at _/etc/grid-security/esg_gridmap_assist.conf_. If you need to use another location for some reason, be sure to set the environment variable before starting the GridFTP server.
The contents of this file should be two lines (although comments are acceptable as shown below):
```
# Configuration file for ESG Gridmap Assist code
#
# the admin role to look for in the extension/assertion
attribute=group_BDM_role_publisher
# the local system account that the publisher attribute
# role will be mapped to
localAccount=bdmpub
```
Create this file with contents similar to the above.
Please make sure that the localAccount field is a valid user account on your local system. It also must have permissions to read the data to be transferred.
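Before starting the server, both files can be checked with a small preflight script. This is an added example, not part of the original page or of the module's distribution: the function names, the script name `check_bdm.sh` and the group/world-writable check are assumptions added here, while the paths, key names and flavor names are the ones given above.

```shell
#!/bin/sh
# Added example: preflight check for the two files the BDM callout reads.
# Key names, paths and flavors come from the page; function names are hypothetical.

conf_get() {     # conf_get FILE KEY: value of the last "KEY=value" line
    sed -n "s/^$2=//p" "$1" | tr -d '\r' | sed 's/[[:space:]]*$//' | tail -n 1
}

loose_perms() {  # true if FILE is group- or world-writable (added hardening check)
    case $(ls -ld "$1" | cut -c1-10) in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# check_bdm_conf MAPFILE AUTHZFILE [BITS]: one line per problem, non-zero if any
check_bdm_conf() {
    map=$1; authz=$2; bits=${3:-$(getconf LONG_BIT)}; rc=0
    for f in "$map" "$authz"; do
        if [ ! -r "$f" ]; then echo "MISSING $f"; rc=1
        elif loose_perms "$f"; then echo "WRITABLE $f"; rc=1
        fi
    done
    if [ -r "$map" ]; then
        [ -n "$(conf_get "$map" attribute)" ] || { echo "NO_ATTRIBUTE"; rc=1; }
        acct=$(conf_get "$map" localAccount)
        if [ -z "$acct" ]; then echo "NO_LOCALACCOUNT"; rc=1
        elif ! id -u "$acct" >/dev/null 2>&1; then echo "UNKNOWN_ACCOUNT $acct"; rc=1
        fi
    fi
    if [ -r "$authz" ]; then
        # Library named on the globus_mapping line must match the system word size.
        lib=$(awk '$1 == "globus_mapping" { print $2; exit }' "$authz")
        case $lib in
            "")           echo "NO_MAPPING_CALLOUT"; rc=1 ;;
            *gcc"$bits"*) ;;
            *)            echo "FLAVOR_MISMATCH $lib"; rc=1 ;;
        esac
    fi
    return $rc
}

# Stand-alone use with the default locations named on this page:
#   sh check_bdm.sh /etc/grid-security/esg_gridmap_assist.conf \
#       "${GSI_AUTHZ_CONF:-/etc/grid-security/gsi-authz.conf}"
if [ "$#" -ge 2 ]; then check_bdm_conf "$@"; fi
```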
Once the BDM security module has been installed and configured as directed above, the GridFTP server can be started in the usual manner, or manually. Either way, it is now configured and will no longer use the standard Gridmap file mapping.
I see the following error from the GridFTP server:
```
ERROR: No configuration file found!
```
If the server displays the above error (generally on stderr, not a log file), it is because the configuration file does not exist. If the configuration file does not exist, all transfers will fail with this error:
```
error: globus_ftp_client: the server responded with an error
530 530-Login incorrect. : globus_gss_assist: Error invoking callout
530-globus_callout_module: The callout returned an error
530-globus_gridmap_callout_error: Gridmap lookup failure: User is not a BDM administrator and cannot transfer this data.
530-
530-an unknown error occurred
530 End.
```
This error indicates that the user doesn't have the correct BDM administrator attribute present in their credential. Please check to be sure that the Gateway has added the user attempting the transfer to the proper group.
If the clients are still failing with this error, please run the GridFTP server in debug mode to see if any output is displayed.