Getting a grid-mapfile file on SL 4
To install dCache with VOMS you should not need to follow this guide, but if you need a grid-mapfile, or your authorization is based upon LDAP rather than VOMS, you may need a "dcache.kpwd" generated from a "grid-mapfile".
Getting the RPMs
To install the RPMs you should use the same yum repositories that YAIM uses to install dCache.
Once these repositories have been added, you can install the required RPMs with yum as shown below.
yum install lcg-expiregridmapdir edg-mkgridmap edg-mkgridmap-conf fetch-crl d-cache-lcg
This should bring these RPMs and many of their dependencies onto the system.
Testing the install
Once installation is completed you should be able to run the following command line:
/opt/edg/sbin/edg-mkgridmap --output=/etc/grid-security/grid-mapfile --safe ; /opt/d-cache/bin/grid-mapfile2dcache-kpwd
This will generate 2 files:
/etc/grid-security/grid-mapfile
/opt/d-cache/etc/dcache.kpwd
These contain all of the users for the supported VOs. Please verify that a known user is present.
Updating authorization via cron
The correct cron line for this operation is:
47 3,9,15,21 * * * root /opt/edg/sbin/edg-mkgridmap --output=/etc/grid-security/grid-mapfile --safe ; /opt/d-cache/bin/grid-mapfile2dcache-kpwd
This should be used to keep your user lists up to date.
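The two checks described above (a known user is present, and the cron job keeps the files current) can be scripted. The following is an added example, not part of dCache or the original guide: the function names, the 7-hour freshness window and the permission check are assumptions, and it assumes the DN appears in double quotes in both files (grid-mapfile entries and kpwd "mapping" lines).

```shell
#!/bin/sh
# Added example: sanity-check an authorization file written by the cron job.
# Usage: check_authz_file FILE "DN" MAX_AGE_HOURS
# Returns 0 if OK; otherwise prints the reason on stderr and returns:
#   1 missing/empty, 2 group/world-writable, 3 stale, 4 DN not found
check_authz_file() {
    file=$1 dn=$2 max_hours=$3

    # A missing or empty file means the generation step never succeeded.
    if [ ! -s "$file" ]; then
        echo "$file: missing or empty" >&2; return 1
    fi

    # Anyone who can write this file can map a DN of their choice to an account.
    perms=$(ls -ld "$file" | cut -c1-10)
    case $perms in
        ?????w*|????????w*)
            echo "$file: group/world-writable ($perms)" >&2; return 2 ;;
    esac

    # The cron job runs every 6 hours; an old file keeps removed users authorized.
    if [ -z "$(find "$file" -mmin "-$((max_hours * 60))")" ]; then
        echo "$file: not updated in the last $max_hours hours" >&2; return 3
    fi

    # Fixed-string match on the quoted DN so "/CN=a" cannot match "/CN=ab".
    if ! grep -F -q -- "\"$dn\"" "$file"; then
        echo "$file: DN not found: $dn" >&2; return 4
    fi
    return 0
}

# Check both files generated by the command above for one known user's DN.
check_all() {
    dn=$1
    rc=0
    for f in /etc/grid-security/grid-mapfile /opt/d-cache/etc/dcache.kpwd; do
        check_authz_file "$f" "$dn" 7 || rc=1
    done
    return $rc
}
```

Call check_all with the certificate DN of a user you know belongs to a supported VO; a non-zero exit status means at least one file failed a check.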
Telling dCache to use your new authenticated users list
Now that this is done, the "dcache.kpwd" file should be up to date. dCache now needs to be told to use this file. This is done in the file
/opt/d-cache/etc/dcachesrm-gplazma.policy
This file is documented in the book, but for speed and simplicity here are the settings I used in my test example.
# Switches
saml-vo-mapping="OFF"
#kpwd="ON"
kpwd="ON"
grid-mapfile="OFF"
#gplazmalite-vorole-mapping="OFF"
gplazmalite-vorole-mapping="ON"

# Priorities
saml-vo-mapping-priority="3"
kpwd-priority="1"
grid-mapfile-priority="4"
gplazmalite-vorole-mapping-priority="2"

# Configurable Options for Plugins|Services
# #################################################################################
# Path to local or remotely accessible authorization repositories|services.
# A valid path is required if corresponding switch is ON.

# dcache.kpwd
kpwdPath="/opt/d-cache/etc/dcache.kpwd"

# grid-mapfile
gridMapFilePath="/etc/grid-security/grid-mapfile"
storageAuthzPath="/etc/grid-security/storage-authzdb"

# SAML-based grid VO role mapping
mappingServiceUrl="https://fledgling09.fnal.gov:8443/gums/services/GUMSAuthorizationServicePort"
# Time in seconds to cache the mapping in memory
#saml-vo-mapping-cache-lifetime="0"

# Built-in gPLAZMAlite grid VO role mapping
gridVoRolemapPath="/etc/grid-security/grid-vorolemap"
gridVoRoleStorageAuthzPath="/etc/grid-security/storage-authzdb"
vomsValidation="false"

# SAZ Settings
saz-client="OFF"
SAZ_SERVER_HOST="saz-server.oursite.edu"
SAZ_SERVER_PORT="8888"

# #################################################################################
# END
Please note there is an option within this file to use the grid-mapfile directly. This has not been tested by this author, so it has not been recommended by the author; further experience may move in this direction. This is not yet urgent, but the package d-cache-lcg is deprecated as the author has moved on to tasks other than dCache, so gPlazma calling the grid-mapfile directly will be the preferred option once verification is complete.
