Bug 2743

Summary:	grid-mapfile location should be in global security descriptor
Product:	Java WS Security	Reporter:	Mats Rynge <rynge@isi.edu>
Component:	Authentication	Assignee:	Rachana Ananthakrishnan <ranantha@mcs.anl.gov>
Status:	RESOLVED FIXED
Severity:	major	CC:	bester@mcs.anl.gov, gawor@mcs.anl.gov, lane@mcs.anl.gov, meder@mcs.anl.gov, millerjj@us.ibm.com, paxhia@us.ibm.com, seelbach@us.ibm.com, slang@mcs.anl.gov, smartin@mcs.anl.gov, tboehm@de.ibm.com
Priority:	P3
Version:	unspecified
Target Milestone:	4.0
Hardware:	All
OS:	All

Description From Mats Rynge 2005-02-15 14:30:50

For our Java services, the grid-mapfile location should be specified in the
global security descriptor to provide a good default and not in the services. If
I want to use an alternate grid-mapfile today, I have to set GRIDMAP for my C
tools and change the following services security configs:

[rynge@devrandom etc]$ grep -R /etc/grid-security/grid-mapfile * 2>/dev/null
globus_delegation_service/service-security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
globus_delegation_service/factory-security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
globus_wsrf_mds_index/factory-security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
globus_wsrf_mds_index/index-security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
globus_wsrf_replicator/security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
globus_wsrf_rft/security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
globus_wsrf_rft/factory-security-config.xml: <gridmap
value="/etc/grid-security/grid-mapfile"/>
gram-service/managed-job-factory-security-config.xml:    <gridmap
value="/etc/grid-security/grid-mapfile"/>


This should be fixed by

  1. adding <gridmap value="/etc/grid-security/grid-mapfile"/> 
     to globus security descriptor

  2. remove it for all the services

The idea is to have one place to edit if you want to change it, and if you want
a certain service to use a specific one, add a <gridmap> entry to only that service.

------- Comment #1 From Stuart Martin 2005-03-18 14:06:57 -------

This is a high priority for gram automated testing.  There should be a setup
package that can be called 
to change the location of the grid-mapfile programatically.

e.g. ./setup-globus-core --grid-mapfile /home/user/grid-mapfile

------- Comment #2 From Sam Meder 2005-03-18 14:21:36 -------

Seems high overhead to create a setup package for what is essentially cat
<globus sec desc>|sed 's!/etc/grid-security/grid-mapfile!<your location here>!'

/Sam

------- Comment #3 From Joe Bester 2005-03-18 14:54:02 -------

> This is a high priority for gram automated testing.  There should be a setup 
> package that can be called 
> to change the location of the grid-mapfile programatically.
> 
> e.g. ./setup-globus-core --grid-mapfile /home/user/grid-mapfile

I'd argue that we don't need that. From the GRAM standpoint, if the services did
not explicitly name the grid-mapfile, I could easily use a different container
security description file on the command line to use a custom gridmap.

joe

------- Comment #4 From Stuart Martin 2005-03-18 15:03:06 -------

Ok - sounds good to me.  no setup package required.

------- Comment #5 From Rachana Ananthakrishnan 2005-04-06 13:50:21 -------

Changes have been committed to trunk.