Provided by: lcmaps-plugins-jobrep_1.5.7-1_amd64

NAME

       lcmaps_jobrep.mod - jobrepository LCMAPS plug-in

SYNOPSIS

       lcmaps_jobrep.mod   [--test]   --dsn   <Database Service Name>   --username   <database user>  --password
       <database password>

DESCRIPTION

       The LCMAPS Jobrepository plug-in stores credentials and the resulting account mappings in a relational
       database. This plug-in links up all the known in-process information from LCMAPS core memory and
       stores it in a database. This plug-in uses ODBC (http://en.wikipedia.org/wiki/ODBC) to connect to the
       database.

       The current state of the mappings between various credentials and Unix accounts is stored in an open
       database on disk, but this information can change over time through (regular) system administrative
       interventions. This state is now preserved in a relational database, with the added benefits of being
       accessible by other systems, e.g. GridSAFE, and of building up an easy-to-back-up historic view of the
       mapping state.

       Quite a few systems seem to dig up data by trawling log files, e.g. to construct accounting data
       records. This method is subject to the settings of the sub-systems that control the format of the log
       file output. Log trawling tools interact with the log files as a glorified API, which lowers the
       ability of tools, e.g. LCMAPS, to alter their log output. By offering the LCMAPS Jobrepository plug-in
       as an alternative, with the added benefit of offering the data in a structured, fine-grained database
       with the ability of a historic view, the intent is to avoid the need and/or requirement for log file
       trawling.

DATABASE SCHEMA EXTENSIONS

       The  schema  can  be  used  to link up account mapping and/or credential mapping results originating from
       other credential types and link up more fine grained details from the specific work environment,  i.e.  a
       Gatekeeper  and  GridFTPd  will  be  able  to  add service specific information together with the mapping
       results.

FUTURE

       The LCMAPS Jobrepository plug-in is currently limited to MySQL and MariaDB despite its usage of the ODBC
       database interface. The intent is to remove this limitation and make the plug-in work with other
       databases, e.g. PostgreSQL, Oracle and SQLite.

OPTIONS

       --test When enabled the plug-in will only test if the connection  to  the  database  can  be  established
              through  the ODBC coupling. The test will verify the correctness of the DSN, Username and Password
              combination. The plug-in will announce an LCMAPS SUCCESS when the connection was established,  and
              a FAILURE when it was not able to establish the connection.

       --dsn <Database Service Name>
              This will select the Data Source Name (DSN) that has been set in an odbc.ini file. Use the
              odbc.ini file to configure the database driver, server/host, port number and database name. See
              below for an example odbc.ini file.

       --username <database username>
              Specifies the database username that the LCMAPS module must use to authenticate itself with the
              database.

       --password <database password>
              Specifies the database password that the LCMAPS module must use to authenticate itself with the
              database. You can omit the setting if you set the password in the odbc.ini file.

              WARNING: Make sure that read permission on the lcmaps.db file is exclusive to the service using
              this file, i.e. it's probably best to make the file exclusive to root:root.

RETURN VALUES

       LCMAPS_MOD_SUCCESS
              Success.

       LCMAPS_MOD_FAIL
              Failure.

EXAMPLES

       Notice that the --dsn <value> matches the DSN shown in the .ini section header. Also notice that the
       posix_enf plug-in is executed after the jobrep plug-in. The motivation is to be able to use privilege
       separation and with that protect the database password.

       Example lcmaps.db
              jobrep      = "lcmaps_jobrep.mod"
                            "--dsn MySQL-test"
                            "--username root"
                            "--password worteltjes"

              example_plugin_policy:
              verifyproxy -> vomslocalgroup
              vomslocalgroup -> vomspoolaccount
              vomspoolaccount -> tracking_groupid
              tracking_groupid -> jobrep
              jobrep -> posix_enf

       Example /etc/odbc.ini file:
              [MySQL-test]
              Description = MySQL test database
              Driver      = MySQL
              SERVER      = 127.0.0.1
              PORT        = 3306
              DATABASE    = jobrepository
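
       The permission check that the WARNING under --password calls for, as an added example that is not part
       of the original manual page or of the LCMAPS code. The function name, the temporary sample file and the
       PASSWORD/PWD key names matched for odbc.ini are assumptions; stat -c requires GNU coreutils.

```shell
#!/bin/sh
# check_secret_file FILE [UID:GID]
#   0 = FILE holds no password, or is private to UID:GID
#   1 = FILE holds a password and is exposed;  2 = FILE is missing
check_secret_file() {
    file=$1
    want_owner=${2:-0:0}    # numeric uid:gid; the default 0:0 is root:root

    [ -f "$file" ] || { echo "MISSING $file"; return 2; }

    # lcmaps.db carries "--password <value>"; PASSWORD=/PWD= are assumed odbc.ini keys.
    if ! grep -Eiq -e '--password[[:space:]]|^[[:space:]]*(password|pwd)[[:space:]]*=' "$file"; then
        echo "OK      $file (no password stored)"
        return 0
    fi

    owner=$(stat -c '%u:%g' "$file")    # GNU coreutils stat
    mode=$(stat -c '%a' "$file")
    status=0

    if [ "$owner" != "$want_owner" ]; then
        echo "EXPOSED $file owner $owner, expected $want_owner"
        status=1
    fi
    # Any group/other permission bit lets another account read or replace the password.
    case $mode in
        *00|0) ;;
        *) echo "EXPOSED $file mode $mode, expected 600 or stricter"
           status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "OK      $file (owner $owner, mode $mode)"
    return "$status"
}

# Constructed sample: the module lines from the example lcmaps.db, in a temporary file.
demo_dir=$(mktemp -d)
printf '%s\n' 'jobrep = "lcmaps_jobrep.mod"' '"--dsn MySQL-test"' \
    '"--username root"' '"--password worteltjes"' > "$demo_dir/lcmaps.db"
me=$(stat -c '%u:%g' "$demo_dir/lcmaps.db")   # demo only: accept the current user as owner

chmod 644 "$demo_dir/lcmaps.db"
check_secret_file "$demo_dir/lcmaps.db" "$me" || echo "-> tighten with: chmod 600"
chmod 600 "$demo_dir/lcmaps.db"
check_secret_file "$demo_dir/lcmaps.db" "$me" || true
rm -rf "$demo_dir"
```

       On a real host, call check_secret_file with only the file name so that root:root ownership is
       enforced, and run it on odbc.ini as well when the password is kept there.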

SUPPORTED INSTALLATIONS

       Tested front-end tools and services
              gLExec
              globus-gridftp-server
              globus-gatekeeper

       Likely to work
              SCAS
              lcmaps-rest (only the Full-SSL interface)
              gsi-openssh-server

       Front-ends that will likely NOT work
              WMProxy
              StoRM backend

LIMITATIONS

       Front-ends that do not use an LCMAPS interface that provides certificates cannot currently be
       supported. It is a requirement for the 1.5 version to be able to work from a certificate chain.

BUGS

       Please   report   any   errors   to   the   Nikhef   Grid  Middleware  Security  Team  <grid-mw-security-
       support@nikhef.nl>.

SEE ALSO

       lcmaps(8), lcmaps_jobrep.mod(8), mysql(1).
       More information can be found on-line at  the Nikhef Wiki on Site Access Control  and  the Nikhef Wiki on
       LCMAPS and other plug-ins.

AUTHORS

       The Jobrepository and the LCMAPS plug-ins were written by the Nikhef Grid Middleware Security Team <grid-
       mw-security@nikhef.nl>.

LCMAPS                                           August 31, 2012                            LCMAPS_JOBREP.MOD(8)