Contents of /trunk/lcas-lcmaps-gt4-interface/NEWS

Revision 18778
Mon Oct 29 09:49:30 2018 UTC (2 months, 3 weeks ago) by msalle
File size: 9734 byte(s)
Protect against NULL service name

Version 0.3.2:
- Update structs for OpenSSL1.1 fixes in GT6
- Protect against NULL service name

Version 0.3.1:
- General code cleanup and cleanup of gt4-interface-install:
  Previous README file is now manpage for gt4-interface-install which is
  renamed from gt4-interface-install.sh and updated for flavor-less globus.
  Previous outdated examples are either removed or updated.
- Implement support for the 'sharing' service: when the service name is
  'sharing' the callout receives an additional argument (a PEM-string),
  which contains the credential on which the mapping should be based.
- Bug fix: setting LLGT_ENABLE_DEBUG should also work for logging to file.
- Bug fix: certain log entries are missing the last character.

Version 0.3.0:
- When a 'desired_identity' is passed in from the Globus framework (e.g.
  gsissh), then this is passed to LCMAPS, iff the LCMAPS version >=1.6.0.
  LCMAPS makes this available to its plugins, to provide support for
      "/DN" user1,user2
  or
      "/FQAN" user1,user2
  syntax in the grid-mapfile for the (voms)localaccount plugin.
- Bug fix: when callout runs twice with a logfile, it could cause a segfault.

Version 0.2.6:
- LCAS is terminated and dlclose()ed after LCMAPS. This prevents a segfault
  appearing when VOMS is re-initialized after it is unloaded due to a dlclose
  on RH5 based systems in a globus setup.
- Add env var LLGT_DLCLOSE_LCAS: when set to no, disable or disabled, do NOT
  call dlclose() on LCAS. This might further aid with the RH5
  OpenSSL/VOMS/Globus dlclose bug.

Version 0.2.5:
- The result of LCMAPS mapping is stored. When a non-NULL 'desired identity'
  is presented, a previous result is available, and the two results match,
  LCMAPS is not run a second time.
  This behaviour can be disabled by setting the new environment variable
  LLGT_CACHE_CALLOUT to no, disable or disabled.
- Do not call globus_module_deactivate() since this might corrupt e.g. the
  OpenSSL library; it should be called from the calling program.
- Add env var LLGT_DLCLOSE_LCMAPS: when set to no, disable or disabled, do NOT
  call dlclose() on LCMAPS. This is a workaround for a RH5-based bug relating
  to gsisshd, which (could) run the callout twice.
- Include a manpage for the install script.
- Improve logging:
  - When LLGT_LOG_FILE is provided and it can be opened, llgt internal
    logging goes to this file. In that case LCAS_LOG_FILE and
    LCMAPS_LOG_FILE, when unset, will be set to the same file.
  - In case of syslog, openlog() is only called when either the log facility
    or the log ident is overridden (LLGT_LOG_FACILITY or LLGT_LOG_IDENT).

Version 0.2.4:
- Fix a bug with closing the log file.

Version 0.2.3:
- Sync headers with those specified in globus_internal.h headers in LCMAPS
- Fix remaining renaming of globus_internal.h into llgt_globus_internal.h
- Explicitly prefix globus_internal.h with llgt_ and insert macro to enforce
  single inclusion.
- When an LCAS_LOG_FILE=<file> or LCMAPS_LOG_FILE=<file> is provided to the
  LLGT, it opened a FILE handle (for each of the environments).
  Now it also closes them.
- Prefix all files with llgt_. Rename configure options file into
  llgt_config.h. Add missing llgt_config.h header to all c and h files.
- Cleanup of code: split up lcas and lcmaps dependent code in separate .c and
  .h files, which are prefixed with llgt_ to prevent confusion with the
  framework files. Further removal of dead code.
- Cleanup dead code: comment-out functions and their prototypes if they are
  not being used. Also remove unused header files.
- Cleanup code to limit the handling of internal globus structs. All these
  structs are now defined in globus_internal.h. The need for this arises
  because there is no public way of obtaining a gss_cred_id_t from a
  gss_ctx_id_t.
- Fix proper handling of --disable-lcas:
  - use of AM_CONDITIONAL in configure.ac
  - use of AC_DEFINE and #if(n)def to skip LCAS code
  - don't compile lcas.c (not even as empty file). Add some comments on
    globus modules.
- Fix use of LCMAPS_POLICY_NAME: it wasn't used by llgt4 since it called
  lcmaps_run_and_return_username with policies==NULL, meaning parse all
  policies. The LCMAPS_POLICY_NAME is now split into an array of policy
  names using new function llgt4_policy_tokenize(), similar to lcmaps_tokenize
- fix two memory leaks: liblcmaps_path (in lcmaps.c) and client name (in
  lcmaps_gt4_front.c). At the same time client name is only determined once
  from context.
- fix typos: lcas instead of lcmaps (in lcmaps.c)

Version 0.2.0:
- Changed the copyright to The Initiative for Globus in Europe project.
- Moved the default logging facility from LOG_LOCAL1 to LOG_DAEMON.
- Change the default logging facility with the $LLGT_LOG_FACILITY environment
  variable. Use the (standard syslog) facility names. Example:
  LOG_DAEMON, LOG_LOCAL1, etcetera
- The $LLGT_LOG_IDENT can (optionally) be set as the Syslog ident value. This
  will be the identifying string in Syslog for the current process. Not using
  this option will let Syslog (or one of the GT services) set these
  options. By default the Syslog ident will be set to the executable name.
- Changed the default LCAS_DEBUG_LEVEL value to the built-in number 4, which
  is equal to a cut-off at the LOG_INFO Syslog priority. Setting it to 5 will
  let it run with LOG_DEBUG enabled.
- Switched internal time from localtime() to gmtime() to generate a
- Set the environment variable $LLGT_RUN_LCAS to "no", "disabled" or
  "disable" to prevent LCAS from running prior to LCMAPS.
- There is a matching ./configure option "--enable-lcas" which can be used to
  change the default behaviour to run LCAS or not. The $LLGT_RUN_LCAS
  environment variable can still influence the LCAS run.
- Added ./configure options similar to gLExec to manipulate LCAS and LCMAPS
  usage, e.g. --with-lcas-db=FILE, --with-lcas-moduledir-sfx=path,
  --with-lcas-moduledir=path, --with-lcmaps-db=FILE,
  --with-lcmaps-moduledir-sfx=path, --with-lcmaps-moduledir=path
- When the variable LLGT_LIFT_PRIVILEGED_PROTECTION is set, the post-LCMAPS
  check for a mapping to the 'root' user and group is disabled. This check is
  implicitly enabled to prevent an erroneous configuration from silently
  resulting in a root-account mapping in services that have no protection
  against this themselves. This setting is NEEDED in services that:
  1.) don't user switch, and run as root.
  2.) expect only a username to be returned and perform the
      user switch themselves, e.g. the Globus GSI-OpenSSHd.
  (Deprecation does not mean non-functional anymore)
  (Deprecation does not mean non-functional anymore)
- Set the environment variable $LLGT_VOMS_DISABLE_CREDENTIAL_CHECK to disable
  the VOMS verification at run-time in LCMAPS, provided that LCMAPS has the
  feature to select it at run-time.
- Set the environment variable $LLGT_VOMS_ENABLE_CREDENTIAL_CHECK to
  explicitly enable the VOMS attribute verification. It will override the
  LCMAPS built-in default, which could be disabled with certain build flags.
- Support for a CFLAGS setting for LCAS_LIBDIR to open the liblcas.so library
  from an alternative location at build-time to override its default.
  Example: export CFLAGS='-DLCAS_LIBDIR=\"/usr/local/lib/\"'
- Support for an alternative LCAS_LIBDIR as a run-time setting by exporting
  $LLGT_LCAS_LIBDIR="/usr/local/lib/liblcas.so"
- Support for a CFLAGS setting for LCMAPS_LIBDIR to open the liblcmaps.so
  library from an alternative location at build-time to override its default.
  Example: export CFLAGS='-DLCMAPS_LIBDIR=\"/usr/local/lib/\"'
- Support for an alternative LCMAPS_LIBDIR as a run-time setting by exporting
  $LLGT_LCMAPS_LIBDIR="/usr/local/lib/liblcmaps.so"
- If the $LLGT_ENABLE_DEBUG environment variable is set, then the debugging
  messages logged at level LOG_DEBUG are passed to the log. The scope of this
  setting is only within the LCAS-LCMAPS-GT-interface.

Version 0.1.5:
Applying Brian Bockelman's patch for the services that can handle an account
change themselves. For instance, GSISSH and Condor.

The scenario is as follows: LCMAPS resolves an account and typically enforces
it into the process by changing to the resolved account. The enforcement step
can be disabled by simply not running the posix_enf plug-in. In effect the
process is still running as root after the LCMAPS account resolution and the
LCAS LCMAPS GT4/GT5 Callout kicks in to throw an error on the (effective) user
ID or (effective) group ID being root.

The patch allows for an exception to this safety measure when the environment
variable "LLGT4_NO_CHANGE_USER" is set. The final check in the GT4/GT5 call-out
is bypassed and continues to pass the Username to the GT4/GT5 Call-out
framework of the service.

With some more time and consideration the need for this environment variable
might disappear as I currently think that these checks in the GT4/GT5 Call-out
could be safely regarded as pedantic.
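
The root-mapping check discussed under Version 0.1.5, together with the switch that lifts it (0.2.0) and the no/disable/disabled switches (0.2.5, 0.2.6), sketched as an added example; this is not code from the lcas-lcmaps-gt4-interface sources. The struct, the function names, the return codes and the matching rules marked in the comments are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical view of the switches described in this NEWS file. */
struct callout_cfg {
    int cache_callout;   /* LLGT_CACHE_CALLOUT  (0.2.5) */
    int dlclose_lcas;    /* LLGT_DLCLOSE_LCAS   (0.2.6) */
    int dlclose_lcmaps;  /* LLGT_DLCLOSE_LCMAPS (0.2.5) */
    int lift_root_check; /* LLGT_LIFT_PRIVILEGED_PROTECTION (0.2.0) */
};

/* 1 for the three documented "off" words (assumed exact, case-sensitive). */
int is_off_word(const char *v)
{
    return v != NULL && (strcmp(v, "no") == 0 || strcmp(v, "disable") == 0 ||
                         strcmp(v, "disabled") == 0);
}

struct callout_cfg load_cfg(void)
{
    struct callout_cfg c;
    c.cache_callout  = !is_off_word(getenv("LLGT_CACHE_CALLOUT"));
    c.dlclose_lcas   = !is_off_word(getenv("LLGT_DLCLOSE_LCAS"));
    c.dlclose_lcmaps = !is_off_word(getenv("LLGT_DLCLOSE_LCMAPS"));
    /* Assumptions: presence alone counts as "set", and the 0.1.5 name
     * LLGT4_NO_CHANGE_USER is honoured next to the 0.2.0 name. */
    c.lift_root_check = getenv("LLGT_LIFT_PRIVILEGED_PROTECTION") != NULL ||
                        getenv("LLGT4_NO_CHANGE_USER") != NULL;
    return c;
}

/* Final check: 0 = accept, -1 = refuse a root uid/gid (fail-closed). */
int check_mapping(const struct callout_cfg *c, uid_t uid, gid_t gid)
{
    if (uid != 0 && gid != 0)
        return 0;
    return c->lift_root_check ? 0 : -1;
}

int main(void)
{
    struct callout_cfg c = load_cfg();
    /* Constructed sample: the mapping step left the process at uid 0, gid 0. */
    printf("cache=%d root mapping %s\n", c.cache_callout,
           check_mapping(&c, 0, 0) == 0 ? "accepted" : "refused");
    return 0;
}
```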

Version 0.1.4:
Fix to use the GSS interface to LCAS again. LCMAPS was changed to use it, but
LCAS wasn't yet. This is now fixed and the services work reliably again.
Error appeared in the logs indicating that LCAS couldn't read the credentials
as input.
