1. Quick Reference Guide to GSI Authentication Setup
glideinWMS uses GSI for authentication/authorization of services and clients. The table below acts as a quick reference guide for configuring GSI in glideinWMS.
NOTE: Newer version of glideinWMS does not require factory to have proxy. Glideins can run using credentials supplied by frontend (prefered mode) but can also be configured to run with factory credentials. If the factory is configured to not use any gsi credentials, exclude factory from the list of condor_config and GSI_DAEMON_NAME in the table below.
| Service | Comments |
| glideinWMS Collector |
|
| Glidein (Through Glidein Factory) |
|
| Glidein Pool Collector |
|
| Glidein Frontend |
|
| User Schedd |
|
3. Installation instructions
The installation will assume you have installed Condor v7.0.5 or newer. The install directory is /opt/glidecondor. If you want to use a different setup, make the necessary changes.
Unless explicity mentioned, all operations are to be done as root.
3.1 Install OSG client
If you have not installed the OSG client in /opt/vdt already, do it now.
(Note: An EGEE/gLite Grid User Interface will work as well, but you need to
replace /opt/vdt with whatever is appropriate for that installation)
See the prerequisites page for instructions on installing the OSG client.
(Please notice that those installation instructions tell you to install in ~/client_directory, please use /opt/vdt instead)
3.2 Prepare the security directories and files
Create /opt/glidecondor/certs
mkdir /opt/glidecondor/certsThis directory will host the grid-mapfile and eventual service proxy (see below).
chmod a+rx /opt/glidecondor/certs
Now you need to select what proxy or certificate you will be used for authentication. You have essentially three options:
- You use the host certificates located in /etc/grid-security
- You request a service certificate for use with Condor, and put it in /opt/glidecondor/certs
- You create and maintain a valid proxy, obtained from a personal or service certificate, in /opt/glidecondor/certs. How you keep this proxy valid (via MyProxy, kx509, voms-proxy-init from a local certificate, scp from other nodes, or other methods), is beyond the scope of this document.
Anyhow, most of the examples in this collection will assume you use (3), with the proxy being named /opt/glidecondor/certs/x509_service_proxy.
Note: The proxy and/or the certificate key must bereadable by the owner only! If it is either group or world readable (and/or writable), Condor will refuse to use it (since it could have been stolen and/or compromised by now).
Once you have the proxy or the certificate, you need to create /opt/glidecondor/certs/grid-mapfile and insert the DN of the proxy/cert followed by a symbolic name.
Assuming the DN of the proxy/cert to be "/DC=org/DC=doegrids/OU=Service/CN=mycondor345", you would insert:
"/DC=org/DC=doegrids/OU=Service/CN=mycondor345" condorThe symbolic name is not really important, it has no meaning in Unix space. It is just a nickname you will use in configuration and log files.
In addition to its own DN, the grid-mapfile must contain also the DNs of all the clients and servers that will ever talk to this Condor installation:
- The DNs of other Condor nodes, i.e. the Condor Central Manager, the Condor Submit nodes and the Condor Execute nodes.
- If this is a Submit node or Execute node and your users use GSI authentication, you also need to list all the users' DNs.
In all other cases, the nicknames have no special meanin, and are there just for use in configuration and log files.
For example, assuming this is the Central Manager, and it has two Submit nodes, with DNs "/DC=org/DC=doegrids/OU=Service/CN=schedd34" and "/DC=org/DC=doegrids/OU=Service/CN=schedd98", while all the Execute nodes are glideins, and thus share the same DN "/DC=org/DC=doegrids/OU=Service/CN=work12", the /opt/glidecondor/certs/grid-mapfilecould be:
"/DC=org/DC=doegrids/OU=Service/CN=mycondor345" condor
"/DC=org/DC=doegrids/OU=Service/CN=schedd34" scondor1
"/DC=org/DC=doegrids/OU=Service/CN=schedd98" scondor2
"/DC=org/DC=doegrids/OU=Service/CN=work12" gcondor
3.3 Configure Condor security
Force GSI authentication in /etc/condor/condor_config, by adding:
############################################################Since all the security is now GSI based, we don't rely on IP checks anymore. Change HOSTALLOW_WRITE in /etc/condor/condor_config, to:
## Security config
############################################################
############################
# Authentication settings
############################
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = FS,GSI
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_CLIENT_AUTHENTICATION = OPTIONAL
# Grid Certificate directory
GSI_DAEMON_TRUSTED_CA_DIR=/opt/vdt/globus/TRUSTED_CA
############################
# Privacy settings
############################
SEC_DEFAULT_ENCRYPTION = OPTIONAL
SEC_DEFAULT_INTEGRITY = REQUIRED
SEC_READ_INTEGRITY = OPTIONAL
SEC_CLIENT_INTEGRITY = OPTIONAL
SEC_READ_ENCRYPTION = OPTIONAL
SEC_CLIENT_ENCRYPTION = OPTIONAL
############################
# Set daemon cert location
############################
GSI_DAEMON_DIRECTORY = /opt/glidecondor/certs
# Keep this if you use a proxy
GSI_DAEMON_PROXY = $(GSI_DAEMON_DIRECTORY)/x509_service_proxy
# If you use a Certificate, uncomment below, pointing it to the right place, and comment the proxy line
#GSI_DAEMON_CERT = /etc/grid-security/hostcert.pem
#GSI_DAEMON_KEY = /etc/grid-security/hostkey.pem
############################
# Where to find DN->uid mappings
############################
GRIDMAP=$(GSI_DAEMON_DIRECTORY)/grid-mapfile
# do not use IP based controls
HOSTALLOW_WRITE = *