Bug 2743 - grid-mapfile location should be in global security descriptor
: grid-mapfile location should be in global security descriptor
Status: RESOLVED FIXED
: Java WS Security
Authentication
: unspecified
: All All
: P3 major
: 4.0
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2005-02-15 14:30 by
Modified: 2005-04-06 13:50 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2005-02-15 14:30:50
For our Java services, the grid-mapfile location should be specified in the
global security descriptor to provide a good default and not in the services. If
I want to use an alternate grid-mapfile today, I have to set GRIDMAP for my C
tools and change the following services security configs:

[rynge@devrandom etc]$ grep -R /etc/grid-security/grid-mapfile * 2>/dev/null
globus_delegation_service/service-security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
globus_delegation_service/factory-security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
globus_wsrf_mds_index/factory-security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
globus_wsrf_mds_index/index-security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
globus_wsrf_replicator/security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
globus_wsrf_rft/security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
globus_wsrf_rft/factory-security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
gram-service/managed-job-factory-security-config.xml:    <gridmap
value="/etc/grid-security/grid-mapfile"/>


This should be fixed by

  1. adding <gridmap value="/etc/grid-security/grid-mapfile"/> 
     to globus security descriptor

  2. remove it for all the services

The idea is to have one place to edit if you want to change it, and if you want
a certain service to use a specific one, add a <gridmap> entry to only that service.
------- Comment #1 From 2005-03-18 14:06:57 -------
This is a high priority for gram automated testing.  There should be a setup
package that can be called 
to change the location of the grid-mapfile programatically.

e.g. ./setup-globus-core --grid-mapfile /home/user/grid-mapfile
------- Comment #2 From 2005-03-18 14:21:36 -------
Seems high overhead to create a setup package for what is essentially cat
<globus sec desc>|sed 's!/etc/grid-security/grid-mapfile!<your location here>!'

/Sam
------- Comment #3 From 2005-03-18 14:54:02 -------
> This is a high priority for gram automated testing.  There should be a setup 
> package that can be called 
> to change the location of the grid-mapfile programatically.
> 
> e.g. ./setup-globus-core --grid-mapfile /home/user/grid-mapfile

I'd argue that we don't need that. From the GRAM standpoint, if the services did
not explicitly name the grid-mapfile, I could easily use a different container
security description file on the command line to use a custom gridmap.

joe
------- Comment #4 From 2005-03-18 15:03:06 -------
Ok - sounds good to me.  no setup package required.
------- Comment #5 From 2005-04-06 13:50:21 -------
Changes have been committed to trunk.