Manpage of LCMAPS PLUGINS SCAS CLIENT


Section: gLite (8)
Updated: March 2009



lcmaps-plugins-scas-client - LCMAPS plug-in Site Central Authorization Service

The LCMAPS plug-in SCAS Client utilizes the SAML2-XACML2 protocol to contact the SCAS daemon. It will send the user credentials, (if applicable) the pilot job credentials and extra information to the SCAS service.

The SCAS service will process the request and provide a Unix account in return. The Unix account must be composed of a Unix User ID and Unix Group ID. Optionally Unix Secondary GIDs may be returned. All of these IDs must be returned in numerical form. The results will then be published in the LCMAPS framework.



-actiontype queue|execute-now|access
The action type option declares the type of action that is intended to be performed. The queue option signifies execution via a queue, mostly the submission of a computer job to a queue. The execute-now option signifies the direct execution of a command or a job. Use cases for this action are the LCG-CE's fork-queue or gLExec, where there is no (significant) delay before the operation is executed. The access option signifies access to a file at a storage facility of any kind. The true type of (file) access, like reading, writing, execution or listing, is not declared because this would be too detailed and would pose practical limitations in the interaction with different storage systems.
--capath <CA and CRL path>
Directory where the CA and CRL files are to be found. This is needed to verify the SCAS service credentials when contacting the service.
--cert <path to certificate file>
Public certificate file belonging to the service or host to identify itself with in the SSL handshake when connecting to the SCAS service.
--endpoint <url>
This will configure the plugin to contact the SCAS service at <url>.
--endpoint-strategy round-robin|round-robin-random-start|random
The endpoint strategy tells the client in which order the configured endpoints should be contacted. With round-robin the list of endpoints is tried from top to bottom as written in the lcmaps.db file. The round-robin-random-start option follows the list of endpoints as written in the lcmaps.db file, but starts at a random position in the list. The random option randomly chooses an endpoint to try. When unlucky, the same endpoint could be tried twice. This is truly pseudo-random. round-robin-random-start is the default. It automatically provides a load-balancing effect by randomly selecting one of the configured endpoints.
--key <path to private key file>
Private key file belonging to the certificate file for the SSL connection to the SCAS service.
-resourcetype rb|ce|se|wn
The resource type option identifies this plugin by its type of resource. The possible types are rb, ce, se and wn. The rb option signifies a Resource Broker, Workload Management System or a differently named high-level scheduler. The ce option signifies a Computing Element acting as a front-end node to a compute cluster, like an LCG-CE or CREAM-CE. The se option signifies a Storage Element, like DPM, dCache, Castor, StoRM or something else. The wn option signifies a Worker Node, like an LCG-WN, for example a compute node with gLExec on it.
--retry <0-9+>
This alters the retry count used when interacting with an SCAS endpoint. By default each endpoint is tried twice before any other endpoint is tried (this excludes the various TCP/IP layer retries that are always performed at a lower level). This option can alter this default behavior. It can be set to any number as long as it is more than '1'. A small delay is built in between two tries.
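The ordering described for --endpoint-strategy combined with the per-endpoint tries described for --retry, as an added C illustration (not code from the plug-in). It assumes every attempt fails, that round-robin-random-start wraps around the list, and that random makes one pick per configured endpoint; all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration; names and details are assumptions, not plug-in code. */
enum strategy { ROUND_ROBIN, ROUND_ROBIN_RANDOM_START, RANDOM };

/* Small deterministic generator so the example is reproducible. */
static unsigned next_rand(unsigned *state)
{
    *state = *state * 1103515245u + 12345u;
    return (*state >> 16) & 0x7fffu;
}

/* Map the option value from lcmaps.db to a strategy; -1 if unknown. */
int parse_strategy(const char *s)
{
    if (strcmp(s, "round-robin") == 0) return ROUND_ROBIN;
    if (strcmp(s, "round-robin-random-start") == 0) return ROUND_ROBIN_RANDOM_START;
    if (strcmp(s, "random") == 0) return RANDOM;
    return -1;
}

/* Fill out[] with the endpoint indices contacted when every attempt fails.
 * Each selected endpoint gets `tries` consecutive attempts before moving on.
 * Assumed: random-start wraps around the list; "random" makes one pick per
 * configured endpoint, so it can repeat one and skip another. */
size_t plan_attempts(int strat, size_t n, unsigned tries, unsigned seed,
                     size_t *out, size_t cap)
{
    size_t written = 0, start = 0;
    if (n == 0 || tries == 0 || strat < ROUND_ROBIN || strat > RANDOM) return 0;
    if (strat == ROUND_ROBIN_RANDOM_START) start = next_rand(&seed) % n;
    for (size_t slot = 0; slot < n; slot++) {
        size_t ep = (strat == RANDOM) ? next_rand(&seed) % n
                                      : (start + slot) % n;
        for (unsigned t = 0; t < tries && written < cap; t++)
            out[written++] = ep;
    }
    return written;
}

int main(void)
{
    size_t plan[32];
    size_t n = plan_attempts(parse_strategy("round-robin-random-start"), 3, 2, 2009u, plan, 32);
    for (size_t i = 0; i < n; i++) printf("attempt %zu -> endpoint %zu\n", i + 1, plan[i]);
    return 0;
}
```

With the random strategy an unreachable endpoint can be picked again while a healthy one is never contacted, which is worth keeping in mind when choosing a strategy for a list that contains a single fallback service.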



This variable will be used for the SSL handshake to the SCAS service. In this case the user proxy certificate file (which must include the private key) will be used to establish the SSL connection. In a gLExec-on-WNs scenario, this is the identity of the pilot job framework executor, not the real user job. This variable will be read in the plug-in run phase to trigger a proper authz failure in gLExec, and when it is not used, the X509_USER_CERT, X509_USER_PROXY, --cert or --key must be set. If those are not properly set up, a failure will occur in the initialization phase of the plug-in.
Same value as the option --cert <path to certificate file>
Same value as the option --key <path to private key file>



The following example config file can be used for LCMAPS:

### gLExec on the WN for the SCAS client to SCAS service interaction only
# default path for the modules
path = /opt/glite/lib/modules

# Plugin definitions:
posix_enf = "lcmaps_posix_enf.mod"
            "-maxuid 1"
            "-maxpgid 1"
            "-maxsgid 32"

verifyproxy = "lcmaps_verify_proxy.mod"
              "-certdir /etc/grid-security/certificates"

scasclient = "lcmaps_scas_client.mod"
             "-resourcetype wn"
             "-actiontype execute-now"
             "-capath /etc/grid-security/certificates"
#            " -cert /etc/grid-security/hostcert.pem"
#            " -key /etc/grid-security/hostkey.pem"
#            "--endpoint-strategy round-robin"
             "--endpoint-strategy round-robin-random-start"
#            "--endpoint-strategy random"

# Policies:

verifyproxy -> scasclient
scasclient -> posix_enf



None so far.






lcmaps(3), glexec(1), scas(8), scas.conf(5)



Written by Oscar Koeroo



Copyright © 2009, EGEE



