EMI Argus

This log refers to EMI 1 Argus, Update 15.

(0) Documentation
EMI
Simplified Policy language

(1) Repositories
wget http://repository.egi.eu/sw/production/cas/1/current/repo-files/egi-trustanchors.repo -O /etc/yum.repos.d/egi-trustanchors.repo
wget http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
rpm -i epel-release-5-4.noarch.rpm
wget http://emisoft.web.cern.ch/emisoft/dist/EMI/1/sl5/x86_64/updates/emi-release-1.0.1-1.sl5.noarch.rpm
rpm -i emi-release-1.0.1-1.sl5.noarch.rpm

(2) Software install
yum install yum-protectbase.noarch
yum install yum-priorities
yum install ca-policy-egi-core
yum install emi-argus
yum install fetch-crl
This package is missing in the meta rpm and needs to be installed by hand:
yum install lcg-expiregridmapdir

(3) Host certificates
cd /etc/grid-security
The first command extracts the certificate, the second the unencrypted private key; the key must stay readable only by its owner.
openssl pkcs12 -clcerts -nokeys -out hostcert.pem -in lt2argus00.p12
openssl pkcs12 -nocerts -nodes -out hostkey.pem -in lt2argus00.p12
chmod 644 hostcert.pem; chmod 400 hostkey.pem

(4) Configuration

(a) yaim
/opt/glite/yaim/bin/yaim -v -s /opt/glite/yaim/siteinfo/siteinfo-lt2argus00.def -n ARGUS_server

(b) policies
This policy is meant to reproduce the settings on my test CE (cetest00). It supports three VOs (dteam, ops, vo.londongrid.ac.uk): dteam has no special roles, ops has the pilot and sgm roles, and londongrid just the sgm role.
(b1) Writing policies
The resource id of the CE is constructed as http://[domain name]/[cename]. Here's the line for cetest00.grid.hep.ph.ic.ac.uk:
resource "http://grid.hep.ph.ic.ac.uk/cetest00"
The obligation (which seems more or less compulsory) translates into "let Argus assign a UID":
obligation "http://glite.org/xacml/obligation/local-environment-map" {}
I haven't worked out yet what 'actions' are valid on a CE, so currently I allow them all. The resulting policy looks like this.
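The policy described above, reconstructed here as an added example in the Simplified Policy Language (the author's own policy file is not reproduced on this page). It uses the resource id and obligation from the lines above and action ".*" to allow all actions. A vo= rule already permits every member of that VO, role holders included; the pfqan= rules for the ops pilot and sgm roles and the londongrid sgm role only make the intended roles explicit and give a place to tighten them later. The FQANs /ops/Role=pilot and the Role=lcgadmin FQAN (the conventional gLite name for the sgm role) are assumptions, not taken from the page. Rules are evaluated in order, so any deny rule belongs before the permits.

```text
resource "http://grid.hep.ph.ic.ac.uk/cetest00" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action ".*" {
        rule permit { vo="dteam" }
        rule permit { pfqan="/ops/Role=pilot" }
        rule permit { pfqan="/ops/Role=lcgadmin" }
        rule permit { vo="ops" }
        rule permit { pfqan="/vo.londongrid.ac.uk/Role=lcgadmin" }
        rule permit { vo="vo.londongrid.ac.uk" }
    }
}
```

Saved as cetest00.policy, this is the file loaded with the pap-admin add-policies-from-file command in (b2); pap-admin lp afterwards shows what was actually installed.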
(b2) Manipulating policies
List all policies: pap-admin lp
Remove a policy:
pap-admin lp --show-all-ids
pap-admin remove-policy [id from command above]
Add policy from file: pap-admin add-policies-from-file cetest00.policy
Make sure the policy is propagated everywhere:
/etc/init.d/argus-pepd clearcache
/etc/init.d/argus-pdp reloadpolicy

(c) open ports
-A RH-Firewall-1-INPUT --source 146.179.246.0/23 -m state --state NEW -m tcp -p tcp --dport 8154 -j ACCEPT

(d) on the CE
Add the following three variables to siteinfo.def:
USE_ARGUS=yes
CREAM_PEPC_RESOURCEID="http://grid.hep.ph.ic.ac.uk/cetest00"
ARGUS_PEPD_ENDPOINTS="https://lt2argus00.grid.hep.ph.ic.ac.uk:8154/authz"
ARGUS_PEPD_ENDPOINTS is constructed as https://[argus host name]:8154/authz.
CREAM_PEPC_RESOURCEID must match the resource id for this machine in the Argus policies.
Rerun yaim: /opt/glite/yaim/bin/yaim -c -s /opt/glite/yaim/siteinfo/siteinfo_cetest00.def -n creamCE -n SGE_utils
Yaim puts these settings in cream-config.xml.