Globus GRAM Authorization Alpha
The downloads on this page are considered
alpha quality. Use at your own risk and do not expect any support unless
you are part of the initial target community (Fusion).
This page is a combination of the Globus instructions at http://www-unix.globus.org/gram_auth and instructions on how to build the Akenti callout module.
Developer Documentation
This section provides documentation resources for authorization callout developers.
Another useful piece of information is the list of locations where the
callout configuration file is looked for. The current version of the code
checks the following places (in order):
- $GSI_AUTHZ_CONF
- /etc/grid-security/gsi-authz.conf
- $GLOBUS_LOCATION/etc/gsi-authz.conf
- $HOME/.gsi-authz.conf
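Since this search order depends on an environment variable and on the home directory, it is worth confirming which file an account actually resolves to and that nobody else can write to it. The script below is an added example, not part of the Globus or Akenti code; it assumes the first readable file in the list is the one used, and its function names are illustrative.

```shell
#!/bin/sh
# Added example (not Globus code). Assumption: the first candidate that is a
# readable regular file is the one the callout code ends up using.

# Candidate paths in the order the page lists them; unset variables are skipped.
authz_conf_candidates() {
    if [ -n "${GSI_AUTHZ_CONF:-}" ]; then printf '%s\n' "$GSI_AUTHZ_CONF"; fi
    printf '%s\n' /etc/grid-security/gsi-authz.conf
    if [ -n "${GLOBUS_LOCATION:-}" ]; then printf '%s\n' "$GLOBUS_LOCATION/etc/gsi-authz.conf"; fi
    if [ -n "${HOME:-}" ]; then printf '%s\n' "$HOME/.gsi-authz.conf"; fi
}

# Read paths on stdin and print the first that is a readable regular file.
first_readable() {
    while IFS= read -r p; do
        if [ -f "$p" ] && [ -r "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Exit 0 if the path (symlinks followed) is writable by group or other.
is_loosely_writable() {
    [ -n "$(find -L "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# Print "none", "ok <path>" or "loose <path>" for the file that wins the search.
audit_authz_conf() {
    active=$(authz_conf_candidates | first_readable) || { echo none; return 0; }
    if is_loosely_writable "$active" || is_loosely_writable "$(dirname "$active")"; then
        echo "loose $active"
    else
        echo "ok $active"
    fi
}

audit_authz_conf
```

Run it as the account that starts the job manager, with that account's environment, so the result reflects what the callout code will see.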
Downloads
Server Installation
- Download all the above listed items except for the resource management client bundle into the same directory which will be your GLOBUS_LOCATION directory
- Build GPT (or use already installed 2.2.9 or later)
- Untar the GPT distribution
- Set the GPT_LOCATION environment variable to the directory you
wish to install GPT to. Do not install GPT to a location containing an
existing GPT installation or to GLOBUS_LOCATION.
- cd gpt-2.2.9
- Run build_gpt (./build_gpt)
- cd ..
- Set the GLOBUS_LOCATION environment variable to the directory you wish to install the below Globus bundle and packages to. Please make sure this directory does not contain a previous installation of the Globus Toolkit. That being said you may use the same GLOBUS_LOCATION used for the client side install below.
- Build the resource management server bundle. Assuming you are using gcc the following should work:
$GPT_LOCATION/sbin/gpt-build -verbose globus-resource-management-server-gram-authz-src_bundle.tar.gz gcc32dbg
- Build the Akenti libraries, linking them against the Globus ssl libraries
that were just built and the globus LDAP libraries from your Globus installation. (see below for details)
- Build an Akenti authorization callout package. To build the callout example package use (again assuming gcc):
$GPT_LOCATION/sbin/gpt-build -verbose globus_gram_job_manager_akenti_callout-0.1.tar.gz gcc32dbg
This module needs to build against the Akenti libraries that you just built. Run gpt-build to perform the Globus packaging steps; when the compilation of globus_gram_jobmanager_callout fails, edit the BUILD/globus_gram_job_manager_callout-0.1/Makefile so that the following variables point
to the correct places.
- AKENTIPATH = $GLOBUS_LOCATION/akentiDist-1.4/release/linux-gcc2
- LDAPLIBPATH = <standardGlobusInstallation>/lib
- XERCESLIBPATH = /usr/local/xerces/xerces-c-2_3_0/lib (wherever
you have built xerces-c)
Then just do make install
- Build an authorization callout setup package. To build the callout example setup package use (again assuming gcc):
$GPT_LOCATION/sbin/gpt-build -verbose globus_gram_job_manager_setup_callout-0.1.tar.gz gcc32dbg
You may want to substitute a third party callout setup package
in the above step. This one works fine with the Akenti callout module.
- Run $GPT_LOCATION/sbin/gpt-postinstall
- Run setup-gsi and setup-globus-job-manager-callout as root. Alternatively you may run these scripts
with the -nonroot option (as the current user).
- For other Globus Gatekeeper and GRAM Job Manager configuration issues (acquiring certificates, scheduler support) see the Admin Guide
Akenti Installation
For more details on building Akenti see the README-src file included in the
distribution. You can just build the Akenti libraries which is all the
callout module needs, or you can build the whole Akenti distribution which
includes Java certificate generators, test cases and other tools for testing
and creating policy.
- in $GLOBUS_LOCATION, tar -zxf AK1.4-lib-src.tar.gz
- cd akentiDist-1.4/src
- edit configure.in to point to where you are installing things.
- Change master_top and SHAREDBASE to be where you are building
master_top="$GLOBUS_LOCATION/akentiDist-1.4"
SHAREDBASE="$GLOBUS_LOCATION/akentiDist-1.4/release"
- set SSLTOP and LDAPTOP to point to globus install areas.
SSLTOP="$GLOBUS_LOCATION"
LDAPTOP="<StandardGlobusInstall>"
- Edit the SSL_INCS and LDAP_INCS to add the flavor directory
SSL_INCS="-I$SSLTOP/include/gcc32dbg"
LDAP_INCS="-I$LDAPTOP/include/gcc32dbg"
- Edit to use the globus flavor names for the ssl and ldap libraries
SSL_LIBS="-L$SSLTOP/lib -Xlinker -R$SSLTOP/lib -lssl_gcc32dbg -lcrypto_gcc32dbg"
Assuming you are not trying to build with both gcc2.9x and gcc3.x just edit
both of the LDAP_LIBS to just use lib rather than lib_gcc2 and lib_gcc3
LDAP_LIBS="-L$LDAPTOP/lib -Xlinker -R$LDAPTOP/lib -lldap_gcc32dbg -llber_gcc32dbg -lsasl_gcc32dbg"
- If you want to build the Java parts of Akenti edit the additional variables.
- set JAVATOP=$GLOBUS_LOCATION/akentiDist-1.4/release/common/java-classes.
- set XERCESJ=$JAVATOP
- set JUNIT=$JAVATOP
- set JWSDPLIB=$JAVATOP
- set JAXBLIB=$JAVATOP
- set JSOAPLIB=$JAVATOP
- set JUNITLIB=$JAVATOP
- if using Java 1.3, set JSSELIB=$JAVATOP
- if using Java 1.3, set JCELIB=$JAVACTOP
- run autoconf
- cd ../build/linux-gcc2
- Be sure your $GLOBUS_LOCATION variable is set correctly
- ../../src/configure
- The following two commands will build the whole system
- If you want to just build the libraries:
- cd libsrc
- make libinstall
- You can test the Akenti build by:
cd testcase/libsrc
make test
- When you run the job manager you need to have two environment variables
set:
AKENTI_CONFIG_FILE - the file name of the Akenti configuration file
AUTH_CALLOUT_LOG_FILE - where the callout module will log things for debugging.
Akenti policy
The Akenti configuration file named by AKENTI_CONFIG_FILE identifies the
location of the policy certificates. There is an annotated example
configuration in akentiDist-1.4/eExampleResourceTree/conf/Akenti.conf.orig.
(I'll put together a sample of policy for TRANSPGRID and include it on
the Akenti download page)
Client Installation
- Download the GPT distribution and the resource management client bundle.
- Build GPT
- Untar the GPT distribution
- Set the GPT_LOCATION environment variable to the directory you
wish to install GPT to. Do not install GPT to a location containing an
existing GPT installation or to GLOBUS_LOCATION.
- cd gpt-2.2.9
- Run build_gpt (./build_gpt)
- cd ..
- Set the GLOBUS_LOCATION environment variable to the directory you wish to install the below Globus bundle and packages to. Please make sure this directory does not contain a previous installation of the Globus Toolkit. That being said you may use the same GLOBUS_LOCATION used for the server side install above.
- Build the resource management client bundle. Assuming you are using gcc the following should work:
$GPT_LOCATION/sbin/gpt-build -verbose globus-resource-management-client-gram-authz-src_bundle.tar.gz gcc32dbg
- Run $GPT_LOCATION/sbin/gpt-postinstall
- For other Globus GRAM Client issues (e.g. acquiring certificates) see the Admin Guide and the GRAM documentation