Roles
The roles used to be defined in LDAP using a special LDAP schema developed for this purpose.
The drawback of this approach was that the operating system security mechanisms (PAM) could not easily access the role information. NIS netgroups defined in LDAP are already consumed by several PAM modules (pam_access, for example) and, at the same time, they can be nested (a netgroup may include other netgroups), which can be used to implement the role hierarchy.
In this TDAQ release the roles are defined using NIS netgroups in LDAP.
- The roles defined as NIS netgroups can now be used to define access control policies with standard OS tools:
  - sudo: the execution of selected applications can be restricted to roles
  - remote access: remote login (ssh) to nodes can be restricted to a set of roles
- The role hierarchy is defined in LDAP using the netgroup inclusion mechanism (a netgroup listing another netgroup as a member).
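As an added illustration (not code from the TDAQ Access Manager or its scripts), the following Python resolves role membership from RFC 2307 nisNetgroup entries the way pam_access or sudo would see it: it parses a constructed LDIF sample, follows memberNisNetgroup inclusion transitively, tolerates cycles in the LDAP data, and evaluates a single access.conf-style rule. The netgroup names, DNs and user names are assumptions made for the example.

```python
"""Resolve role membership from RFC 2307 nisNetgroup entries (example only)."""
import re

# Constructed LDIF for this example, not a real TDAQ dump. The junior role's
# netgroup *includes* the senior role's netgroup, so admins are also experts
# and shifters, and a rule granted to @tdaq-shifter covers all three roles.
SAMPLE_LDIF = """\
dn: cn=tdaq-shifter,ou=netgroup,dc=example,dc=org
objectClass: nisNetgroup
cn: tdaq-shifter
nisNetgroupTriple: (,alice,)
nisNetgroupTriple: (,bob,)
memberNisNetgroup: tdaq-expert

dn: cn=tdaq-expert,ou=netgroup,dc=example,dc=org
objectClass: nisNetgroup
cn: tdaq-expert
nisNetgroupTriple: (,carol,)
memberNisNetgroup: tdaq-admin

dn: cn=tdaq-admin,ou=netgroup,dc=example,dc=org
objectClass: nisNetgroup
cn: tdaq-admin
nisNetgroupTriple: (,dave,)
"""

# A netgroup triple is "(host,user,domain)"; any field may be empty.
TRIPLE_RE = re.compile(r"\(\s*([^,]*)\s*,\s*([^,]*)\s*,\s*([^)]*)\)")


def parse_netgroup_ldif(text):
    """Return {netgroup: (set_of_users, set_of_included_netgroups)}.

    Only plain 'attr: value' lines are handled; LDIF line folding and
    base64 values are not needed for the constructed sample.
    """
    groups = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        cn, users, members = None, set(), set()
        for line in block.splitlines():
            if ":" not in line:
                continue
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "cn":
                cn = value
            elif attr == "nisnetgrouptriple":
                m = TRIPLE_RE.fullmatch(value)
                if m and m.group(2):  # empty user field: host-only triple, no user
                    users.add(m.group(2))
            elif attr == "membernisnetgroup":
                members.add(value)
        if cn:
            groups[cn] = (users, members)
    return groups


def resolve_users(groups, name):
    """All users of `name`, following memberNisNetgroup transitively.

    The `seen` set stops the walk if the LDAP data contains a cycle, and
    references to undefined netgroups are ignored rather than failing.
    """
    users, seen, stack = set(), set(), [name]
    while stack:
        g = stack.pop()
        if g in seen or g not in groups:
            continue
        seen.add(g)
        direct, nested = groups[g]
        users |= direct
        stack.extend(nested)
    return users


def user_roles(groups, user):
    """The set of roles (netgroups) that transitively contain `user`."""
    return {g for g in groups if user in resolve_users(groups, g)}


def pam_access_allows(rule, user, groups):
    """Evaluate one access.conf line 'perm : @netgroup : origins'.

    Returns True (permit) or False (deny) when the rule matches the user,
    and None when it does not match, since pam_access then moves on to the
    next line. Origins are not evaluated in this example.
    """
    perm, subjects, _origins = (f.strip() for f in rule.split(":", 2))
    if not subjects.startswith("@"):
        raise ValueError("example only handles @netgroup subjects")
    if user not in resolve_users(groups, subjects[1:]):
        return None
    return perm == "+"


if __name__ == "__main__":
    g = parse_netgroup_ldif(SAMPLE_LDIF)
    for who in ("alice", "carol", "dave"):
        print(who, sorted(user_roles(g, who)))
```

Note the direction of inclusion: for a senior role to inherit a junior role's permissions, the junior netgroup lists the senior netgroup as a member, so a rule such as `+ : @tdaq-shifter : ALL` in /etc/security/access.conf, or a sudoers entry of the form `+tdaq-shifter ALL = (root) /path/to/tool` (path illustrative), applies to experts and admins as well.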
Policies
The Policy Access Point code has been reviewed; one of the changes is that the role hierarchy is now looked up in LDAP.
Changes and additions:
- The PMG policy has an additional attribute specifying whether the requester is also the owner of the process being accessed.
- There is a new resource category (Operating System) for policies covering OS-specific tools (e.g., opening a shell, remote login through the application gateway).
Server
- Added functionality to monitor the server load and to respond with a SERVER_BUSY message when the load rises above a configured limit.
- When the SERVER_BUSY message is sent, a list of secondary AM servers is attached to it, so that clients can contact another server and obtain a valid response to their authorization request.
Client API (Java and C++)
The API accepts a list of AM servers to contact: the servers given in the environment variables are tried one after the other until one of them responds with a valid answer.
If a server responds with SERVER_BUSY and supplies a list of servers to contact, that list is tried first, before the client continues iterating through its own list of AM servers.
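The failover behaviour described in the Server and Client API sections, as an added Python example that is not the project's Java or C++ client code: the client walks its configured server list, an overloaded server answers SERVER_BUSY with secondary servers, and those are tried before the remainder of the client's list. The transport is injected so the example runs offline against a constructed fake cluster; the environment-variable format, the reply dictionary shape and the server names are assumptions of the example.

```python
"""Client-side failover across AM servers with SERVER_BUSY redirection (example only)."""
from collections import deque

SERVER_BUSY = "SERVER_BUSY"


class NoServerAvailable(Exception):
    """Raised when every server contacted was busy or unreachable."""


def parse_server_list(value):
    """Parse a comma/whitespace separated host list taken from an environment
    variable (the separator format is an assumption of this example) into an
    ordered list without duplicates."""
    seen, out = set(), []
    for host in value.replace(",", " ").split():
        if host not in seen:
            seen.add(host)
            out.append(host)
    return out


def request_authorization(servers, send):
    """Contact AM servers in order until one returns a real decision.

    `send(server)` is the transport. It returns {"decision": ...} for a valid
    answer, {"status": SERVER_BUSY, "alternates": [...]} when the server is
    overloaded, or raises ConnectionError. Alternates named in a busy reply
    are tried next, in the order given, before the rest of the client's own
    list. No server is contacted twice, which also stops two busy servers
    that point at each other from looping forever.
    Returns (decision, answering_server, servers_tried_in_order).
    """
    queue = deque(servers)
    tried = []
    while queue:
        server = queue.popleft()
        if server in tried:
            continue
        tried.append(server)
        try:
            reply = send(server)
        except ConnectionError:
            continue  # unreachable: move on to the next candidate
        if reply.get("status") == SERVER_BUSY:
            # Push the secondaries to the front, preserving their order.
            for alt in reversed(reply.get("alternates", [])):
                if alt not in tried:
                    queue.appendleft(alt)
            continue
        return reply["decision"], server, tried
    raise NoServerAvailable(f"no valid answer from {tried}")


def make_fake_cluster(state):
    """Build a `send` transport from {server: reply dict or exception}.
    This is a constructed stand-in for the real AM protocol."""
    def send(server):
        reply = state[server]
        if isinstance(reply, Exception):
            raise reply
        return reply
    return send


# Constructed scenario: am1 is overloaded and points at am3/am4, am3 is down.
FAKE_CLUSTER = {
    "am1": {"status": SERVER_BUSY, "alternates": ["am3", "am4"]},
    "am2": {"decision": "PERMIT"},
    "am3": ConnectionError("am3 down"),
    "am4": {"decision": "PERMIT"},
}


def demo():
    """Client configured with am1, am2, am3 (as if read from the environment)."""
    servers = parse_server_list("am1, am2 am3")
    return request_authorization(servers, make_fake_cluster(FAKE_CLUSTER))


if __name__ == "__main__":
    print(demo())
```

In the scenario above the client never reaches am2: the busy reply from am1 redirects it to am3 (down) and then am4, which answers. The `tried` list doubles as the data a client would log when it finally raises NoServerAvailable.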
Tools
- The amRoles script has been replaced by the amUserRoles script; the command-line arguments are backward compatible.
- The amRolesManager script has been added to administer the roles and the role hierarchy in LDAP.
- The amServer script can now set up a cron job to archive the server logs periodically.