• Installation: yum install glexec-wn yaim-glexec-wn

• At this point, the Argus services (PAP, PDP andP PEP Server, see Authorization Framework) must be configured, up and running:
  • information on The Simplified Policy Language.
  • information on pap-admin command line interface.
  • this is an example on the rules to set:

# pap-admin lp

action ".*" { rule permit { vo="ops" } rule permit { vo="dteam" } rule permit { vo="infngrid" } rule permit { vo="comput-er.it" } rule permit { vo="gridit" } rule permit { vo="igi.italiangrid.it" } rule permit { vo="drihm.eu" } rule deny { vo="enmr.eu" } } }

resource "http://authz-interop.org/xacml/resource/resource-type/wn" { obligation "http://glite.org/xacml/obligation/local-environment-map" { }

action "http://glite.org/xacml/action/execute" { rule permit { fqan="/ops/Role=pilot" } } }

latest gLExec version

Briefly the steps are the following:

• Installation: yum install glexec-wn

• Configuration: set at least the mandatory variables (and in case some of the default ones if you need a different value for them)

GLEXEC_WN_ARGUS_ENABLED="yes"

GLEXEC_WN_OPMODE="setuid"

• Yaim: (example of WN with torque and MPI) /opt/glite/yaim/bin/yaim -c -s site-info.def -n MPI_WN -n WN -n TORQUE_client -n GLEXEC_wn

4 - enable gLexec monitoring

A guideline on how to deploy ARGUS and gLexec on own grid site

It was sent the following broadcast It was sent the following broadcast

<--/twistyPlugin twikiMakeVisibleInline-->

Dear site admins,
this message is relevant for sites supporting one or more LHC experiments,
i.e. any of the VOs "alice", "atlas", "cms" or "lhcb".

These VOs submit Multi User Pilot Jobs that are foreseen to make use of
the "glexec" utility to run payloads of individual users.

Deployment
----------

Please proceed with the deployment of gLExec as detailed on this page:

    https://twiki.cern.ch/twiki/bin/view/LCG/GlexecDeployment

Monitoring
----------

The glexec setup of any EGI partner site can be monitored by the SAM-Nagios
instance of the site's NGI or ROC:

1. The NGI/ROC needs to run SAM-Nagios Update-10 or later and configure it
   to run glexec tests (e.g. apply for "pilot" role in "ops" VO).

2. The _site_ should declare its CEs with the "gLExec" type in the GOC DB.

These matters are further explained here:

https://twiki.cern.ch/twiki/bin/view/LCG/GlexecDeployment#Monitoring_of_gLExec_tests

Please apply the necessary configurations such that your CEs appear on the
MyWLCG gLExec summary page (the link marked "NEW" on that page).

<--/twistyPlugin-->

thereby all the sites that belong to WLCG federation should install gLexec on their farm and make monitor it. Here you can see how to do it

1 - Install an ARGUS server

We recommend to install the EMI Argus.

EMI Case

Use the following repository settings, instead in the EMI-1 generic installation and configuration guide you can find an Argus specific installation guide that you may follow to install and configure this service

The Mandatory genral variables are the following

• USERS_CONF
• GROUPS_CONF
• VOS List of supported VO names
• VO_<vo-name>_VOMS_CA_DN VOMS CA DN for each VO name listed in VOS
• VO_<vo-name>_VOMSES VOMS definition for each VO name listed in VOS

The mandatory service specific variables can be found in /opt/glite/yaim/examples/siteinfo/services/glite-authz_server

• ARGUS_HOST Hostname of the Argus node
• PAP_ADMIN_DN User certificate DN of the user that will be the PAP administrator

Moreover, have a look at the Administrators guide in order to see how to create and manage the authorization policies (an example will be provided soon).

Briefly the steps are the following:

• Installation: yum install emi-argus

• Configuration create a site.def with only the mandatory variables (and in case some of the default ones if you need a different value for them)

• Yaim: /opt/glite/yaim/bin/yaim -c -s site-info.def -n ARGUS_server

• At this point, the Argus services (PAP, PDP and PEP Server) must be configured, up and running

gLite Case

In case you want to install the ARGUS server on gLite, follow this guide; the yaim variables are the same

2 - Install and configure gLexec on your WNs

We recommend to install the EMI version of gLexec (and obviously EMI WN!). So that plan the migration to EMI of your farm

EMI Case

gLite Case

guide

3 - properly configure your CREAM

You have to properly set 3 yaim variable in the site.def related to CREAM/ARGUS interaction

• USE_ARGUS
• ARGUS_PEPD_ENDPOINTS
• CREAM_PEPC_RESOURCEID

Here an exeample on how to set them:

#########################################
# ARGUS authorisation framework control #
#########################################

# Set USE_ARGUS to yes to enable the configuration of ARGUS
USE_ARGUS=yes

# In case ARGUS is to be used the following should be set
# The ARGUS service PEPD endpoints as a space separated list:
#ARGUS_PEPD_ENDPOINTS="http://pepd.example.org:8154/authz"
ARGUS_PEPD_ENDPOINTS="https://vgrid06.cnaf.infn.it:8154/authz"

# ARGUS resource identities: The resource ID can be set
# for the cream CE, WMS and other nodes respectively.
# If a resource ID is left unset the ARGUS configuration
# will be skipped on the associated node.
# CREAM_PEPC_RESOURCEID=urn:mysitename.org:resource:ce
# WMS_PEPC_RESOURCEID=urn:mysitename.org:resource:wms
# GENERAL_PEPC_RESOURCEID=urn:mysitename.org:resource:other
CREAM_PEPC_RESOURCEID="http://cnaf.infn.it/cremino"

Don't forget to set in CE_CAPABILITY the glexec parameter, for example:

CE_CAPABILITY="CPUScalingReferenceSI00=1039 glexec"

Then reconfigure with yaim your CREAM as usual

*4 - enable gLexec monitoring

go on https://gocdb4.esc.rl.ac.uk/portal/ and add the service endpoint "gLExec" to your CREAM

-- AlessandroPaolini - 2012-02-24