fmartinelli

dcachesrm-gplazma.policy

Mar 21st, 2013
  1. # ######                   dcachesrm-gplazma.policy                         #######
  2. # ######      gPLAZMA: grid-aware PLuggable AuthoriZation MAnagement.       #######
  3. # ######      gPLAZMAlite Suite: Built-in light-weight services for         #######
  4. # ######       grid legacy mapping & VO Role fine-grain security.           #######
  5. # ######                        Version 0.1-1                               #######
  6.  
  7. # This file contains gPLAZMA module's policy configuration in dCache-SRM.
  8. # Operational with: SRM, GridFTP.
  9.  
  10. # CAUTION: Commenting out a switch|priority|configuration line (with a # sign) in
  11. # this file is equivalent to switching that plugin|service OFF. It is handled, but
  12. # please exercise caution to maintain the marker intact for possible future use.
  13. # Recommended way is to turn plugins|services OFF explicitly - using the switches.
  14.  
  15. # Assertion results in a Disallow|Allow decision.
  16. # Authorization results in a Disallow|Allow decision with Authorization Record.
  17.  
  18. # Switches and Priorities for Loadable Assertion Plugins|Services - Not supported -
  19. # #################################################################################
  20. # #site-assertion=
  21.  
  22. # Switches and Priorities for Loadable Authorization Plugins|Services
  23. # #################################################################################
  24. # A valid switch is from { "OFF" | "ON" }.
  25. # A priority (based on site|VO policies) is required if switch is ON.
  26. # A valid priority is from { "1" | "2" | "3" | "4" } and must be unique.
  27.  
  28. # Please note -
  29. # Each plugin returns a decision based on a different authorization repository|
  30. # service. Priorities are translated into priority of access (as compared to priority
  31. # of denial). A well-defined Over-riding Policy can be enforced while using multiple
  32. # authorization services (multiple switches ON) by defining priorities differently.
  33.  
  34. # Turning all switches OFF leads the running system to a secure quasi-firewall mode.
  35.  
  36. # Switches
      # Each value must be "ON" or "OFF" (see the rules above). In this file kpwd and
      # gplazmalite-vorole-mapping are ON; the other three plugins are OFF.
      # NOTE(review): the header states that priorities rank access rather than denial,
      # so with two plugins ON a user not authorized by one repository can presumably
      # still be admitted by the other. Keep dcache.kpwd reviewed as strictly as
      # grid-vorolemap, or switch kpwd OFF if it is not needed - confirm against the
      # gPlazma documentation for the deployed version.
  37. xacml-vo-mapping="OFF"
  38. saml-vo-mapping="OFF"
  39. kpwd="ON"
  40. grid-mapfile="OFF"
  41. # gplazmalite-vorole-mapping="OFF"  # 1.8 setting at PSI
  42. gplazmalite-vorole-mapping="ON"
  43.  
  44. # Priorities
      # The rules above require a unique priority for every plugin that is switched ON.
      # NOTE(review): presumably "1" is consulted first - TODO confirm.
      # NOTE(review): the rules above list valid priorities as 1-4, yet
      # xacml-vo-mapping-priority is "5". That plugin is OFF here, so the value is
      # presumably ignored; with five plugins listed the documented range looks out of
      # date - confirm before switching xacml-vo-mapping ON.
  45. xacml-vo-mapping-priority="5"
  46. saml-vo-mapping-priority="4"
  47. kpwd-priority="2"
  48. grid-mapfile-priority="3"
  49. gplazmalite-vorole-mapping-priority="1"
  50.  
  51. # Configurable Options for Plugins|Services
  52. # #################################################################################
  53. # Path to local or remotely accessible authorization repositories|services.
  54. # A valid path is required if corresponding switch is ON.
  55.  
  56. # dcache.kpwd
      # Path to the kpwd authorization repository. kpwd is switched ON in this file, so
      # per the rule above this path must be valid.
      # NOTE(review): this file decides who is authorized; it should be writable only by
      # the administrator / dCache service account - verify ownership and permissions.
  57. kpwdPath="/opt/d-cache/etc/dcache.kpwd"
  58.  
  59. # grid-mapfile
      # Paths used by the grid-mapfile plugin, which is switched OFF in this file.
      # storageAuthzPath names the same file as gridVoRoleStorageAuthzPath further down,
      # so a change to storage-authzdb affects both plugins.
      # NOTE(review): treat both files as authorization data - restrict write access.
  60. gridMapFilePath="/etc/grid-security/grid-mapfile"
  61. storageAuthzPath="/etc/grid-security/storage-authzdb"
  62.  
  63. # XACML-based grid VO role mapping
      # Endpoint of the remote mapping service; xacml-vo-mapping is switched OFF in this
      # file, so the URL is only required once that switch is turned ON.
      # NOTE(review): fledgling09.fnal.gov looks like a shipped example host rather than
      # a site service - replace it with the site's own endpoint before switching ON.
  64. XACMLmappingServiceUrl="https://fledgling09.fnal.gov:8443/gums/services/GUMSXACMLAuthorizationServicePort"
  65. # Time in seconds to cache the mapping in memory
      # NOTE(review): a mapping changed or revoked on the service presumably stays in
      # effect locally for up to this many seconds - confirm.
  66. xacml-vo-mapping-cache-lifetime="180"
  67.  
  68. # SAML-based grid VO role mapping
      # Endpoint of the remote mapping service; saml-vo-mapping is switched OFF in this
      # file, so the URL is only required once that switch is turned ON.
      # NOTE(review): fledgling09.fnal.gov looks like a shipped example host rather than
      # a site service - replace it with the site's own endpoint before switching ON.
  69. mappingServiceUrl="https://fledgling09.fnal.gov:8443/gums/services/GUMSAuthorizationServicePort"
  70. # Time in seconds to cache the mapping in memory
      # NOTE(review): a mapping changed or revoked on the service presumably stays in
      # effect locally for up to this many seconds - confirm.
  71. saml-vo-mapping-cache-lifetime="180"
  72.  
  73. # Built-in gPLAZMAlite grid VO role mapping
      # Repositories read by gplazmalite-vorole-mapping, which is switched ON with
      # priority "1" in this file; per the rule above both paths must be valid.
  74. gridVoRolemapPath="/etc/grid-security/grid-vorolemap"
  75. gridVoRoleStorageAuthzPath="/etc/grid-security/storage-authzdb"
  76. # vomsValidation="false" # PSI 1.8 setting
      # NOTE(review): "false" presumably disables verification of the VOMS attribute
      # signature, so VO/role claims presented by a client would be mapped without being
      # cryptographically checked. Because the vorole mapping is ON, confirm the exact
      # semantics in the dCache documentation and set "true" once the VOMS server
      # certificates are deployed on this host.
  77. vomsValidation="false"
  78.  
  79. # SAZ Settings
      # The SAZ client is switched OFF here.
      # NOTE(review): saz-server.oursite.edu looks like a placeholder host - set the real
      # server host and port before switching saz-client ON.
  80. saz-client="OFF"
  81. SAZ_SERVER_HOST="saz-server.oursite.edu"
  82. SAZ_SERVER_PORT="8888"
  83.  
  84. # #################################################################################
  85. # END