NAME

       lcmaps_jobrep.mod - jobrepository LCMAPS plug-in

SYNOPSIS

       lcmaps_jobrep.mod   [--test]   --dsn  <Database Service Name>  --username  <database user>
       --password <database password>

DESCRIPTION

       The LCMAPS Jobrepository plug-in stores credentials and  the  resulting  account  mappings
       into  a relational database. This plugin will link up all the known in-process information
       from  LCMAPS  core  memory  and  stores  it  in  a  database.  This  plug-in   uses   ODBC
       (http://en.wikipedia.org/wiki/ODBC) to connect to the database.

       The  current state of the mappings between various credentials and Unix accounts is stored
       in an open database on disk, but this information can change over time  through  (regular)
       system  administrative interventions. This state is now preserved in a relational database
       with the added benefit of being accessible by other systems, e.g. GridSAFE and build-up an
       easy to backup historic view on the mapping state.

       Quite some systems seem to dig up data by trawling log files, e.g. to construct accounting
       data records. This method is subjected to the settings of the  sub-systems  which  control
       the  format  of the log file output. Log trawling tools are interacting with the log files
       as a glorified API. This lowers the ability for tools, e.g. LCMAPS,  to  alter  their  log
       output.  By  offering  the  LCMAPS  Jobrepository plug-in as an alternative with the added
       benefit of offering the data in a structured fine-grained database with the ability of  an
       historic view the intend is to avoid the need and/or requirement for log file trawling.

DATABASE SCHEMA EXTENSIONS

       The  schema  can  be  used  to  link  up account mapping and/or credential mapping results
       originating from other credential types and link up more fine  grained  details  from  the
       specific  work  environment,  i.e.  a  Gatekeeper and GridFTPd will be able to add service
       specific information together with the mapping results.

FUTURE

       The LCMAPS Jobrepository plug-in is currently limited to MySQL  and  MariaDB  despite  its
       usage of the ODBC database interface. The intend is to remove this limitation and make the
       plug-in work with other database, e.g. PostgreSQL, Oracle and SQLite.

OPTIONS

       --test When enabled the plug-in will only test if the connection to the  database  can  be
              established  through the ODBC coupling. The test will verify the correctness of the
              DSN, Username and Password combination. The plug-in will announce an LCMAPS SUCCESS
              when  the  connection  was  established,  and  a  FAILURE  when  it was not able to
              establish the connection.

       --dsn <Database Service Name>
              This will select the Data Source Name (DSN) that has been set in a  odbc.ini  file.
              Use  the  odbc.ini  file to configure the database driver, server/host, port number
              and database name. See below for an example odbc.ini file.

       --username <database username>
              Specifies the database username that the LCMAPS module must use to authorize itself
              with the database.

       --password <database password>
              Specifies the database password that the LCMAPS module must use to authorize itself
              with. You can omit the setting if you set the password in the odbc.ini file.

              WARNING: Be careful to assess the read permissions on  the  lcmaps.db  file  to  be
              exclusive  to the service using this file, i.e. it's probably best to make the file
              exclusive to root:root.

RETURN VALUES

       LCMAPS_MOD_SUCCESS
              Success.

       LCMAPS_MOD_FAIL
              Failure.

EXAMPLES

       Notice the --dsn <value> matches the DSN shown in the .ini  section  header.  Also  notice
       that  the  posix_enf plug-in is executed after the jobrep plug-in. The motivation is to be
       able to use privilege separation and with that protect the database password.

       Example lcmaps.db
              jobrep      = "lcmaps_jobrep.mod"
                            "--dsn MySQL-test"
                            "--username root"
                            "--password worteltjes"

              example_plugin_policy:
              verifyproxy -> vomslocalgroup
              vomslocalgroup -> vomspoolaccount
              vomspoolaccount -> tracking_groupid
              tracking_groupid -> jobrep
              jobrep -> posix_enf

       Example /etc/odbc.ini file:
              [MySQL-test]
              Description = MySQL test database
              Driver      = MySQL
              SERVER      = 127.0.0.1
              PORT        = 3306
              DATABASE    = jobrepository

SUPPORTED INSTALLATIONS

       Tested front-end tools and services
              gLExec
              globus-gridftp-server
              globus-gatekeeper

       Likely to work
              SCAS
              lcmaps-rest (only the Full-SSL interface)
              gsi-openssh-server

       Front-ends that will likely NOT work
              WMProxy
              StoRM backend

LIMITATIONS

       The front-ends which do not  use  an  LCMAPS  interface  that  provides  certificates  can
       currently  not  be  supported.  It is a requirement for the 1.5 version to be able to work
       from a certificate chain.

BUGS

       Please report any errors to the Nikhef Grid Middleware  Security  Team  <grid-mw-security-
       support@nikhef.nl>.

SEE ALSO

       lcmaps(8), lcmaps_jobrep.mod(8), mysql(1).
       More  information  can be found on-line at https://wiki.nikhef.nl/grid/Site_Access_Control
       the Nikhef Wiki on Site Access Control and https://wiki.nikhef.nl/grid/LCMAPS  the  Nikhef
       Wiki on LCMAPS and other plug-ins.

AUTHOR

       The  Jobrepository  and  the  LCMAPS  plug-ins  were written by the Nikhef Grid Middleware
       Security Team <grid-mw-security@nikhef.nl>.