1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
<!ENTITY cmdname "globus-k5">
<!ENTITY cmd "<command>globus-k5</command>">
]>
<!-- Canonical version of this document lives in
$Header$
-->
<refentry id="gram5-globus-k5">
<refmeta>
<refentrytitle>&cmdname;</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="author">University of Chicago</refmiscinfo>
</refmeta>
<refnamediv>
<refname>&cmdname;</refname>
<refpurpose>Acquire Kerberos Credentials for use with Grid Services</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
&cmd;
<arg choice="plain"><replaceable>SERVICE-COMMAND</replaceable></arg>
<arg rep="repeat"><replaceable>SERVICE-ARGS</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1><title>Description</title>
<para>
The &cmd; program is an authorization module used by the
<command>globus-gatekeeper</command> program to acquire Kerberos 5
Credentials prior to executing a Grid Service. This may be accomplished
by running <command>kinit</command> with a password stored in the
<filename>globuskmap</filename> file, using the NCSA <command>krb525</command>
command, or the <command>sslk5</command> command to use the X509 user proxy.
</para>
<para>The arguments passed to &cmd; will not be used by it,
but will be passed onto the job manager. The first parameter
must be the path to the Grid Service.
</para>
<para>
It is expected that the environment will contain the variables
<envar>GLOBUSID</envar> and <envar>USER</envar> for the Grid and
local POSIX user identities. This program is normally run as root,
and will call seteuid() prior to executing the Grid Service.
</para>
<para>
The parameters to use and the mapping for the globus to K5 user are located in
the <filename>globuskmap</filename> file.
</para>
</refsect1>
<refsect1><title>Format of the globuskmap file</title>
<para>
The globuskmap file is a line-oriented file which each line containing a
command to run to acquire Kerberos 5 credentials for a Grid identity.
Each line consists of an optionally-quoted <replaceable>GLOBUSID</replaceable>
value followed by a command-line for running a process to acquire a Kerberos
credential. For example:
<screen>
"/O=Example/OU=Grid/CN=Joe User" /usr/afsws/bin/klog -principal juser -password mypasswd -cell infn.it
</screen>
</para>
</refsect1>
<refsect1><title>ENVIRONMENT</title>
<para>
If the following variables affect the execution of &cmd;:
<variablelist>
<varlistentry>
<term>GLOBUSKMAP</term>
<listitem><simpara>Path to the globuskmap file.</simpara></listitem>
</varlistentry>
<varlistentry>
<term>USER</term>
<listitem><simpara>POSIX username that the service will run
as.</simpara></listitem>
</varlistentry>
<varlistentry>
<term>KRB5CCNAME</term>
<listitem><simpara>Path to a Kerberos credential
cache.</simpara></listitem>
</varlistentry>
<varlistentry>
<term>GLOBUS_ID</term>
<listitem><simpara>Grid identity to generate Kerberos credentials
for.</simpara></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1><title>Files</title>
<para>
<variablelist>
<varlistentry>
<term><filename>/etc/globuskmap</filename></term>
<listitem><simpara>Default file mapping Grid identities to Kerberos 5
principals.</simpara></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1><title>See also</title>
<para>
<citerefentry><refentrytitle>globus-k5</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>globus-job-manager</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>
|
