Globus GRAM Authorization Alpha

This page is a combintation of the Globus instructions at http://www-unix.globus.org/gram_auth and instructions on how to build the Akenti callout module.

Developer Documentation

• Globus Callout Module Documentation
  Informational only, a callout developer should not have to use this API
• Globus GRAM Callout Errors
  This defines the Globus errors that when returned from a callout are propagated to the user. This package also provides a few macros which can be used for error generation (not documented in the above, see the example callout for usage examples)
• Example Globus GRAM Authorization Callout
  This is an example of a callout module that just prints some values to a log file.
• GRAM Akenti Authorization Callout Package
  GRAM callout to Akenti for authorization
• Example Globus GRAM Authorization Setup Package
  Please take a look at the actual setup package for details

• $GSI_AUTHZ_CONF
• /etc/grid-security/gsi-authz.conf
• $GLOBUS_LOCATION/etc/gsi-authz.conf
• $HOME/.gsi-authz.conf

Downloads

• Grid Packaging Toolkit
  Patched version (contains a updated Globus core package) of GPT for building the bundles below. If you already have a version 2.2.9 or later you can use it.
• Resource Management Client Source Bundle
  Client bundle with callout support
• Resource Management Server Source Bundle
  Server bundle with callout support
• GRAM Authorization Callout Example Package
  Example callout implementation
• GRAM Akenti Authorization Callout Package
  GRAM callout to Akenti for authorization.
• GRAM Authorization Callout Setup Example Package
  Setup package for the above example callout
• Akenti library source code
  The Akenti policy engine that the Akenti Authorization callout calls.

Server Installation

1. Download all the above listed items except for the resource management client bundle into the same directory which will be your GLOBUS_LOCATION directory
   
2. Build GPT (or use already installed 2.2.9 or later)
1. Untar the GPT distribution
2. Set the GPT_LOCATION environment variable to the directory you wish to install GPT to. Do not install GPT to a location containing a existing GPT installation or to GLOBUS_LOCATION.
3. cd gpt-2.2.9
4. Run build_gpt (./build_gpt)
5. cd ..
3. Set the GLOBUS_LOCATION environment variable to the directory you wish to install the below Globus bundle and packages to. Please make sure this directory does not contain a previous installation of the Globus Toolkit. That being said you may use the same GLOBUS_LOCATION used for the client side install below.
4. Build the resource managment server bundle. Assuming you are using gcc the following should work:
   $GPT_LOCATION/sbin/gpt-build -verbose globus-resource-management-server-gram-authz-src_bundle.tar.gz gcc32dbg
5. Build the Akenti libraries, linking them against the Globus ssl libraries that were just built and the globus LDAP libraries from your Globus installation. (see below for details)
6. Build a Akenti authorization callout package. To build the callout example package use (again assuming gcc):
   $GPT_LOCATION/sbin/gpt-build -verbose globus_gram_job_manager_akenti_callout-0.1.tar.gz gcc32dbg
   This module needs to build against the Akenti libraries that you just built, so run the gpt-build to do the various Globus package stuff and when the compilation of globus_gram_jobmanager_callout fails, edit the BUILD/globus_gram_job_manager_callout-0.1/Makefile to point to the correct places.
   1. AKENTIPATH = $GLOBUS_LOCATION/akentiDist-1.4/release/linux-gcc2
   2. LDAPLIBPATH = <standardGlobusInstallation>/lib
   3. XERCESLIBPATH = /usr/local/xerces/xerces-c-2_3_0/lib (whereever you have built xerces-c)
   Then just do make install
7. Build a authorization callout setup package. To build the callout example setup package use (again assuming gcc):
   $GPT_LOCATION/sbin/gpt-build -verbose globus_gram_job_manager_setup_callout-0.1.tar.gz gcc32dbg
   You may want to substitute a third party callout setup package in the above step. This one works fine with the Akenti callout module.
8. Run $GPT_LOCATION/sbin/gpt-postinstall
9. Run setup-gsi and setup-globus-job-manager-callout as root. Alternatively you may run these scripts with the -nonroot option (as the current user).
10. For other Globus Gatekeeper and GRAM Job Manger configuration issues (acquiring certificates, scheduler support) see the Admin Guide
    

Akenti Installation

1. in $GLOBUS_LOCATION, tar -zxf AK1.4-lib-src.tar.gz
2. cd akentiDist-1.4/src
3. edit configure.in to point to where you are installing things.
   1. Change master_top and SHAREDBASE to be where you are building
      master_top="$GLOBUS_LOCATION/akentiDist-1.4"
      SHAREDBASE="$GLOBUS_LOCATION/akentiDist-1.4/release"
   2. set SSLTOP and LDAPTOP to point to globus install areas.
      SSLTOP="$GLOBUS_LOCATION"
      LDAPTOP="<StandardGlobusInstall>"
   3. Edit the SSL_INCS and LDAP_INCS to add the flavor directory
      SSL_INCS="-I$SSLTOP/include/gcc32dbg"
      LDAP_INCS="-I$LDAPTOP/include/gcc32dbg"
   4. Edit to use the globus flavor names for the ssl and ldap libraries
      SSL_LIBS="-L$SSLTOP/lib -Xlinker -R$SSLTOP/lib -lssl_gcc32dbg -lcrypto_gcc32dbg"
      Assuming you are not trying to build with both gcc2.9x and gcc3.x just edit both of the LDAP_LIBS to just use lib rather than lib_gcc2 and lib_gcc3
      LDAP_LIBS="-L$LDAPTOP/lib -Xlinker -R$LDAPTOP/lib -lldap_gcc32dbg -llber_gcc32dbg -lsasl_gcc32dbg"
   5. If you want to build the Java parts of Akenti edit the additional variables.
      1. set JAVATOP=$GLOBUS_LOCATION/akentiDist-1.4/release/common/java-classes.
      2. set XERCESJ=$JAVATOP
      3. set JUNIT=$JAVATOP
      4. set JWSDPLIB=$JAVATOP
      5. set JAXBLIB=$JAVATOP
      6. set JSOAPLIB=$JAVATOP
      7. set JUNITLIB=$JAVATOP
      8. if using Java 1.3, set JSSELIB=$JAVATOP
      9. if using Java 1.3,set JCELIB=$JAVACTOP
4. run autoconf
5. cd ../build/linux-gcc2
6. Be sure your $GLOBUS_LOCATION variable is set correctly
7. ../../src/configure
8. The following two commands will build the whole system
   • make
   • make install
9. If you want to just build the libraries:
   • cd libsrc
   • make libinstall
10. You can test the Akenti build by:
    cd testcase/libsrc
    make test
11. When you run the job manager you need to have two enviroment variables set:
    AKENTI_CONFIG_FILE which is the file name of the Akenti configuruation file
    AUTH_CALLOUT_LOG_FILE -where the callout module will log things for debugging.

Akenti policy

Client Installation

1. Download the GPT distribution and the resource management client bundle.
2. Build GPT
1. Untar the GPT distribution
2. Set the GPT_LOCATION environment variable to the directory you wish to install GPT to. Do not install GPT to a location containing a existing GPT installation or to GLOBUS_LOCATION.
3. cd gpt-2.2.9
4. Run build_gpt (./build_gpt)
5. cd ..
3. Set the GLOBUS_LOCATION environment variable to the directory you wish to install the below Globus bundle and packages to. Please make sure this directory does not contain a previous installation of the Globus Toolkit. That being said you may use the same GLOBUS_LOCATION used for the server side install above.
   
4. Build the resource managment client bundle. Assuming you are using gcc the following should work:
   $GPT_LOCATION/sbin/gpt-build -verbose globus-resource-management-client-gram-authz-src_bundle.tar.gz gcc32dbg
5. Run $GPT_LOCATION/sbin/gpt-postinstall
6. For other Globus GRAM Client issues (e.g. acquiring certificates) see the Admin Guide and the GRAM documentation