Line: 1 to 1
CREAM Service Reference Card
Line: 8 to 8
The following processes should run on a CREAM CE:
Line: 74 to 74
log4j.logger.org.glite=info, fileout
Changed:
> > with:
log4j.logger.org.glite=debug, fileout
Changed:
> > You may also change the attributes log4j.appender.fileout.MaxFileSize and log4j.appender.fileout.MaxBackupIndex to adjust the maximum file size and the maximum number of log files to be kept.
Deleted:
< < * The gridftp log files (globus-gridftp.log and gridftp-session.log)
Open ports
Line: 97 to 96
Changed:
> > C: Controllable Ephemeral range (e.g. 20000-25000). Note: In practice, although this port range is locally configurable using the GLOBUS_TCP_PORT_RANGE environment variable, the values applying at a remote service cannot be predicted. Consequently a reliable connection can only be established if all ports >1023 are left open for outbound connections.
Possible unit test of the service
Line: 142 to 139
Added:
> > Argus is a system meant to render consistent authorization decisions for distributed services (e.g. compute elements, portals). In order to achieve this consistency a number of points must be addressed. First, it must be possible to author and maintain consistent authorization policies. This is handled by the Policy Administration Point (PAP) component in the service. Second, authored policies must be evaluated in a consistent manner, a task performed by the Policy Decision Point (PDP). Finally, the data provided for evaluation against policies must be consistent (in form and definition), and this is done by the Policy Enforcement Point (PEP). Argus is also responsible for managing the Grid user to local user mapping.
Changed:
> > gJAF (Grid Java Authorization Framework) provides a way to invoke a chain of policy engines and obtain a decision about the authorization of a user. The policy engines are divided into two types, depending on their functionality. They can be plugged into the framework to form a chain of policy engines selected by the administrator, who can thus set up a complete authorization system. A policy engine may be either a PIP or a PDP. PIPs collect and verify assertions and capabilities associated with the user, checking her role, group and VO attributes. A PDP may use the information retrieved by a PIP to decide whether the user is allowed to perform the requested action, whether further evaluation is needed, or whether the evaluation should be interrupted and the user denied access. In the CREAM CE, VO-based authorization is supported. In this scenario, implemented via the VOMS PDP, the administrator can specify authorization policies based on the VO the jobs' owners belong to (or on particular VO attributes). When gJAF is used as the authorization mechanism, the Grid user to local user mapping is managed via glexec,
As for authorization on job operations, by default each user can manage (e.g. cancel, suspend, etc.) only her own jobs. However, the CREAM administrator can define specific super-users who are also empowered to manage jobs submitted by other users.
Line: 1 to 1
Changed:
< < Service Reference Card
> > CREAM Service Reference Card
Line: 1 to 1
Service Reference Card
Line: 116 to 116
Cron jobs
Added:
> > The cron jobs can be found in /etc/cron.d and are:
Security information
Access control Mechanism description (authentication & authorization)
Added:
> > Authentication
Authentication in CREAM is managed via the Trust Manager. The Trust Manager is the component responsible for carrying out authentication operations. It is an implementation of the J2EE security specifications. Authentication is based on PKI. Each user (and Grid service) wishing to access CREAM is required to present an X.509 format certificate. These certificates are issued by trusted entities, the Certificate Authorities (CA). The role of a CA is to guarantee the identity of a user. This is achieved by issuing an electronic document (the certificate) that contains the information about the user and is digitally signed by the CA with its private key. An authentication manager, such as the Trust Manager, can verify the user identity by checking the certificate's signature (the hash of the certificate, encrypted with the CA private key) against the CA public key. This ensures that the certificate was issued by that specific CA. The Trust Manager can then access the user data contained in the certificate and verify the user identity.
Authorization for the CREAM service
Authorization in the CREAM CE can be implemented in two different ways (the choice is made at configuration time):
Authorization for gridftpd
When the CREAM CE is configured to use Argus, Argus also manages authorization for the gridftp server. If instead gJAF is used to manage authorization, LCAS and LCMAPS are used to implement authorization for the gridftp server.
How to block/ban a user
Changed:
< < Network Usage
Firewall configuration
> > If Argus is used as the authorization system, Argus can be used to ban users.
If instead gJAF is used, add the DN of the user to be banned to /etc/lcas/ban_users.db. Please note that the DN must be in quotes in this file.
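As an added example (not code from the CREAM reference card or the CREAM project), the following POSIX sh helpers add a DN to the LCAS ban file in the quoted form the card requires, refuse duplicate entries, and lint the file for unquoted lines that LCAS would not match. The BAN_FILE variable and the function names are assumptions introduced here; BAN_FILE defaults to /etc/lcas/ban_users.db.

```shell
#!/bin/sh
# Added example, not part of the CREAM reference card: helpers for the LCAS
# ban file described above. The card says the DN must be quoted; these
# functions enforce that and lint existing entries. BAN_FILE defaults to
# /etc/lcas/ban_users.db and can be overridden (e.g. for testing).
BAN_FILE="${BAN_FILE:-/etc/lcas/ban_users.db}"

# Normalise a DN to the quoted form LCAS expects: strip any surrounding
# double quotes, then wrap exactly once.
quote_dn() {
    dn=$(printf '%s' "$1" | sed -e 's/^"//' -e 's/"$//')
    printf '"%s"\n' "$dn"
}

# Append the quoted DN to the ban file unless an identical entry exists.
# Exit status 0: added; 1: already present.
ban_dn() {
    entry=$(quote_dn "$1")
    [ -f "$BAN_FILE" ] || : > "$BAN_FILE"
    if grep -Fxq -- "$entry" "$BAN_FILE"; then
        return 1
    fi
    printf '%s\n' "$entry" >> "$BAN_FILE"
}

# Exit status 0 if the DN (in its quoted form) is listed in the ban file.
is_banned() {
    [ -f "$BAN_FILE" ] && grep -Fxq -- "$(quote_dn "$1")" "$BAN_FILE"
}

# Lint: list every non-empty, non-comment line that is not wrapped in
# double quotes, since such entries do not follow the quoted-DN format.
# Exit status 0 when clean, 1 when at least one bad line was found.
check_ban_file() {
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$BAN_FILE" 2>/dev/null \
          | grep -Ev '^".*"$' || true)
    if [ -n "$bad" ]; then
        printf 'Unquoted entries in %s:\n%s\n' "$BAN_FILE" "$bad"
        return 1
    fi
    return 0
}
```

Source the file and run `check_ban_file` after any manual edit of the ban file; a non-zero exit status means at least one entry lacks the required quotes.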
Security recommendations
Changed:
< < Security incompatibilities
List of externals (packages are NOT maintained by Red Hat)
> >
Other security relevant comments
Changed:
< < Utility scripts
> >
-- MassimoSgaravatto - 2011-04-07
Line: 1 to 1
Service Reference Card
Line: 65 to 62
Logfile locations (and management) and other useful audit information
Added:
> > The relevant log files are:
log4j.logger.org.glite=info, fileout
log4j.logger.org.glite=debug, fileout
globus-gridftp.log and gridftp-session.log
Open ports
Added:
> > GLOBUS_TCP_PORT_RANGE environment variable, the values applying at a remote service cannot be predicted. Consequently a reliable connection can only be established if all ports >1023 are left open for outbound connections.
Possible unit test of the service
Added:
> > TBD
Where is service state held (and can it be rebuilt)
Changed:
< < Cron jobs
> > CREAM job-related information is kept in the CREAM DB and on the filesystem, in the directory referred to by CREAM_SANDBOX_DIR (default /var/glite/cream_sandbox) in the CREAM configuration file (/etc/glite-ce-cream/cream-config.xml).
Added:
> > Cron jobs
Security information
Line: 1 to 1
Service Reference Card
Line: 45 to 45
Configuration files location with example or template
Logfile locations (and management) and other useful audit information
Line: 87 to 87
Utility scripts
-- MassimoSgaravatto - 2011-04-07
Line: 1 to 1
Added:
> > Service Reference Card
Daemons running
The following processes should run on a CREAM CE:
Init scripts and options (start|stop|restart|...)
Configuration files location with example or template
Logfile locations (and management) and other useful audit information
Open ports
Possible unit test of the service
Where is service state held (and can it be rebuilt)
Cron jobs
Security information
Access control Mechanism description (authentication & authorization)
How to block/ban a user
Network Usage
Firewall configuration
Security recommendations
Security incompatibilities
List of externals (packages are NOT maintained by Red Hat)
Other security relevant comments
Utility scripts
-- MassimoSgaravatto - 2011-04-07