NAME

       globus-gatekeeper - Authorize and execute a grid service on behalf of a user

SYNOPSIS

       globus-gatekeeper [-help]

       globus-gatekeeper -conf PARAMETER_FILE [-test] [-d | -debug] [-inetd | -f] [-p PORT |
       -port PORT] [-l LOGFILE | -logfile LOGFILE] [-lf LOG_FACILITY] [-acctfile ACCTFILE] [-e
       LIBEXECDIR] [-launch_method { fork_and_exit | fork_and_wait | dont_fork }] [-grid_services
       SERVICEDIR] [-globusid GLOBUSID] [-gridmap GRIDMAP] [-x509_cert_dir TRUSTED_CERT_DIR]
       [-x509_cert_file TRUSTED_CERT_FILE] [-x509_user_cert CERT_PATH] [-x509_user_key KEY_PATH]
       [-x509_user_proxy PROXY_PATH] [-k] [-globuskmap KMAP] [-pidfile PIDFILE]

DESCRIPTION

       The globus-gatekeeper program is a meta-server similar to inetd or*xinetd* that starts
       other services after authenticating a TCP connection using GSSAPI and mapping the client’s
       credential to a local account.

       The most common use for the globus-gatekeeper program is to start instances of the
       globus-job-manager(8) service. A single globus-gatekeeper deployment can handle multiple
       different service configurations by having entries in the /etc/grid-services/ directory.

       Typically, users interact with the globus-gatekeeper program via client applications such
       as globusrun(1), globus-job-submit(1), or tools such as CoG jglobus or Condor-G.

       The full set of command-line options to globus-gatekeeper consists of:

       -help
           Display a help message to standard error and exit

       -conf PARAMETER_FILE
           Load configuration parameters from PARAMETER_FILE. The parameters in that file are
           treated as additional command-line options.

       -test
           Parse the configuration file and print out the POSIX user id of the globus-gatekeeper
           process, service home directory, service execution directory, and X.509 subject name
           and then exits.

       -d, -debug
           Run the globus-gatekeeper process in the foreground.

       -inetd
           Flag to indicate that the globus-gatekeeper process was started via inetd or a similar
           super-server. If this flag is set and the globus-gatekeeper was not started via inetd,
           a warning will be printed in the gatekeeper log.

       -f
           Flag to indicate that the globus-gatekeeper process should run in the foreground. This
           flag has no effect when the globus-gatekeeper is started via inetd.

       -p PORT, -port PORT
           Listen for connections on the TCP/IP port PORT. This option has no effect if the
           globus-gatekeeper is started via inetd or a similar service. If not specified and the
           gatekeeper is running as root, the default of 2119 is used. Otherwise, the gatekeeper
           defaults to an ephemeral port.

       -home PATH
           Sets the gatekeeper deployment directory to PATH. This is used to interpret relative
           paths for accounting files, libexecdir, certificate paths, and also to set the
           GLOBUS_LOCATION environment variable in the service environment. If not specified, the
           gatekeeper looks for service executables in /usr/sbin, configuration in /etc, and
           writes logs and accounting files to /var/log.

       -l LOGFILE, -logfile LOGFILE
           Write log entries to LOGFILE. If LOGFILE is equal to logoff or LOGOFF, then logging
           will be disabled, both to file and to syslog.

       -lf LOG_FACILITY
           Open syslog using the LOG_FACILITY. If not specified, LOG_DAEMON will be used as the
           default when using syslog.

       <option>-acctfile ACCTFILE</option>
           Set the path to write accounting records to ACCTFILE. If not set, records will be
           written to the log file.

       -e LIBEXECDIR
           Look for service executables in LIBEXECDIR. If not specified, the sbin subdirectory of
           the parameter to -home is used, or /usr/sbin if that is not set.

       -launch_method fork_and_exit | fork_and_wait | dont_fork
           Determine how to launch services. The method may be either fork_and_exit (the service
           runs completely independently of the gatekeeper, which exits after creating the new
           service process), fork_and_wait (the service is run in a separate process from the
           gatekeeper but the gatekeeper does not exit until the service terminates), or
           dont_fork, where the gatekeeper process becomes the service process via the exec()
           system call.

       -grid_services SERVICEDIR
           Look for service descriptions in SERVICEDIR.

       -globusid GLOBUSID
           Sets the GLOBUSID environment variable to GLOBUSID. This variable is used to construct
           the gatekeeper contact string if it can not be parsed from the service credential.

       -gridmap GRIDMAP
           Use the file at GRIDMAP to map GSSAPI names to POSIX user names.

       -x509_cert_dir TRUSTED_CERT_DIR
           Use the directory TRUSTED_CERT_DIR to locate trusted CA X.509 certificates. The
           gatekeeper sets the environment variable X509_CERT_DIR to this value.

       -x509_user_cert CERT_PATH
           Read the service X.509 certificate from CERT_PATH. The gatekeeper sets the
           X509_USER_CERT environment variable to this value.

       -x509_user_key KEY_PATH
           Read the private key for the service from KEY_PATH. The gatekeeper sets the
           X509_USER_KEY environment variable to this value.

       -x509_user_proxy PROXY_PATH
           Read the X.509 proxy certificate from PROXY_PATH. The gatekeeper sets the
           X509_USER_PROXY environment variable to this value.

       -k
           Use the <command>globus-k5</command> command to acquire Kerberos 5 credentials before
           starting the service.

       -globuskmap KMAP
           Use KMAP as the path to the Grid credential to kerberos initialization mapping file.

       -pidfile PIDFILE
           Write the process id of the globus-gatekeeper to the file named by PIDFILE.

ENVIRONMENT

       The following environment variables affect the execution of globus-gatekeeper:

       X509_CERT_DIR
           Directory containing X.509 trust anchors and signing policy files.

       X509_USER_PROXY
           Path to file containing an X.509 proxy.

       X509_USER_CERT
           Path to file containing an X.509 user certificate.

       X509_USER_KEY
           Path to file containing an X.509 user key.

       GLOBUS_LOCATION
           Default path to gatekeeper service files.

FILES

       The following files affect the execution of globus-gatekeeper:

       /etc/grid-services/SERVICENAME
           Service configuration for SERVICENAME.

       /etc/grid-security/grid-mapfile
           Default file mapping Grid identities to POSIX identities.

       /etc/globuskmap
           Default file mapping Grid identities to Kerberos 5 principals.

       /etc/globus-nologin
           File to disable the globus-gatekeeper program.

       /var/log/globus-gatekeeper.log
           Default gatekeeper log.

SEE ALSO

       globus-k5(8), globusrun(1), globus-job-manager(8)

AUTHOR

       Copyright © 1999-2016 University of Chicago