Version 0.3.2:
- Update structs for OpenSSL 1.1 fixes in GT6
- Protect against NULL service name

Version 0.3.1:
- General code cleanup and cleanup of gt4-interface-install:
  The previous README file is now the manpage for gt4-interface-install, which is
  renamed from gt4-interface-install.sh and updated for flavor-less globus.
  Previous outdated examples are either removed or updated.
- Implement support for the 'sharing' service: when the service name is
  'sharing' the callout receives an additional argument (a PEM string),
  which contains the credential on which the mapping should be based.
- Bug fix: setting LLGT_ENABLE_DEBUG should also work for logging to file.
- Bug fix: certain log entries are missing the last character.

Version 0.3.0:
- When a 'desired_identity' is passed in from the Globus framework (e.g.
  gsissh), then this is passed to LCMAPS, iff the LCMAPS version >= 1.6.0.
  LCMAPS makes this available to its plugins, to provide support for the
    "/DN" user1,user2
  or
    "/FQAN" user1,user2
  syntax in the grid-mapfile for the (voms)localaccount plugin.
- Bug fix: when the callout runs twice with a logfile, it could cause a segfault.

Version 0.2.6:
- LCAS is terminated and dlclose()d after LCMAPS. This prevents a segfault
  appearing when VOMS is re-initialized after it is unloaded due to a dlclose
  on RH5-based systems in a globus setup.
- Add env var LLGT_DLCLOSE_LCAS: when set to no, disable or disabled, do NOT
  call dlclose() on lcas. This might further aid with the RH5
  OpenSSL/VOMS/Globus dlclose bug.

Version 0.2.5:
- The result of the LCMAPS mapping is stored. When a non-NULL 'desired identity'
  is presented, a previous result is available, and the two results match,
  LCMAPS is not run a second time.
  This behaviour can be disabled by setting the new environment variable
  LLGT_CACHE_CALLOUT to no, disable or disabled.
- Do not call globus_module_deactivate() since this might corrupt e.g. the
  OpenSSL library; it should be called from the calling program.
- Add env var LLGT_DLCLOSE_LCMAPS: when set to no, disable or disabled, do NOT
  call dlclose() on lcmaps. This is a workaround for an RH5-based bug relating
  to gsisshd, which (could) run the callout twice.
- Include a manpage for the install script.
- Improve logging:
  - When LLGT_LOG_FILE is provided and it can be opened, llgt internal
    logging goes to this file. In that case LCAS_LOG_FILE and
    LCMAPS_LOG_FILE, when unset, will be set to the same file.
  - In case of syslog, openlog() is only called when either the log facility or
    the log ident is overridden (LLGT_LOG_FACILITY or LLGT_LOG_IDENT).

Version 0.2.4:
- Fix a bug with closing the log file.

Version 0.2.3:
- Sync headers with those specified in the globus_internal.h headers in LCMAPS.
- Fix remaining renaming of globus_internal.h into llgt_globus_internal.h.
- Explicitly prefix globus_internal.h with llgt_ and insert a macro to enforce
  single inclusion.
- When an LCAS_LOG_FILE=<file> or LCMAPS_LOG_FILE=<file> is provided to the
  LLGT, it opened a FILE handle (for each of the environments).
  Now it also closes them.
- Prefix all files with llgt_. Rename the configure options file into
  llgt_config.h. Add the missing llgt_config.h header to all c and h files.
- Cleanup of code: split up lcas- and lcmaps-dependent code into separate .c and
  .h files, which are prefixed with llgt_ to prevent confusion with the
  framework files. Further removal of dead code.
- Cleanup dead code: comment out functions and their prototypes if they are
  not being used. Also remove unused header files.
- Cleanup code to limit the handling of internal globus structs. All these
  structs are now defined in globus_internal.h. The need for this arises
  because there is no public way of obtaining a gss_cred_id_t from a
  gss_ctx_id_t.
- Fix proper handling of --disable-lcas:
  - use of AM_CONDITIONAL in configure.ac
  - use of AC_DEFINE and #if(n)def to skip LCAS code
  - don't compile lcas.c (not even as an empty file)
- Add some comments on globus modules.
- Fix use of LCMAPS_POLICY_NAME: it wasn't used by llgt4 since it called
  lcmaps_run_and_return_username with policies==NULL, meaning parse all
  policies. The LCMAPS_POLICY_NAME is now split into an array of policy
  names using the new function llgt4_policy_tokenize(), similar to lcmaps_tokenize.
- Fix two memory leaks: liblcmaps_path (in lcmaps.c) and client name (in
  lcmaps_gt4_front.c). At the same time the client name is only determined once
  from the context.
- Fix typos: lcas instead of lcmaps (in lcmaps.c).

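The job that the 0.2.3 entry assigns to llgt4_policy_tokenize(), splitting LCMAPS_POLICY_NAME into an array of policy names, as an added example written for this changelog and not the project's own implementation. The changelog does not say which separator is used, so the separator is a parameter and the ':' in the usage below is an assumption; the function names and the policy names in the sample input are constructed.

```c
/* Added example, not part of llgt: tokenize a policy-name list into a
 * NULL-terminated array, with a matching free routine so the array does not
 * become another leak of the kind the 0.2.3 entry fixes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Release an array produced by policy_tokenize(); safe on NULL and on a
 * partially filled (calloc-zeroed) array. */
void policy_list_free(char **list)
{
    if (list == NULL)
        return;
    for (size_t i = 0; list[i] != NULL; i++)
        free(list[i]);
    free(list);
}

/* Split policy_name on sep.  Empty tokens ("a::b", trailing separator) are
 * skipped.  Returns NULL when the input is NULL/empty, contains no policy
 * names, or allocation fails. */
char **policy_tokenize(const char *policy_name, char sep)
{
    if (policy_name == NULL || *policy_name == '\0')
        return NULL;

    /* Upper bound on the token count: separators + 1, plus the terminating NULL. */
    size_t max = 1;
    for (const char *p = policy_name; *p != '\0'; p++)
        if (*p == sep)
            max++;
    char **list = calloc(max + 1, sizeof *list);
    if (list == NULL)
        return NULL;

    size_t n = 0;
    const char *start = policy_name;
    for (;;) {
        const char *end = strchr(start, sep);
        size_t tlen = end != NULL ? (size_t)(end - start) : strlen(start);
        if (tlen > 0) {
            list[n] = malloc(tlen + 1);
            if (list[n] == NULL) {
                policy_list_free(list);
                return NULL;
            }
            memcpy(list[n], start, tlen);
            list[n][tlen] = '\0';
            n++;
        }
        if (end == NULL)
            break;
        start = end + 1;
    }
    if (n == 0) {               /* only separators: no policies at all */
        free(list);
        return NULL;
    }
    return list;
}

/* Number of policy names in the string (tokenizes and frees internally). */
size_t policy_count(const char *policy_name, char sep)
{
    char **list = policy_tokenize(policy_name, sep);
    size_t n = 0;
    if (list != NULL) {
        while (list[n] != NULL)
            n++;
        policy_list_free(list);
    }
    return n;
}

/* 1 if token idx of the split string equals expect, else 0. */
int policy_nth_is(const char *policy_name, char sep, size_t idx, const char *expect)
{
    char **list = policy_tokenize(policy_name, sep);
    int ok = 0;
    if (list != NULL) {
        size_t n = 0;
        while (list[n] != NULL)
            n++;
        ok = idx < n && strcmp(list[idx], expect) == 0;
        policy_list_free(list);
    }
    return ok;
}

int main(void)
{
    /* Constructed sample value for LCMAPS_POLICY_NAME. */
    const char *sample = "withvoms:withoutvoms:";
    char **list = policy_tokenize(sample, ':');
    for (size_t i = 0; list != NULL && list[i] != NULL; i++)
        printf("policy[%zu] = %s\n", i, list[i]);
    policy_list_free(list);
    return 0;
}
```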
Version 0.2.0:
- Changed the copyright to The Initiative for Globus in Europe project.
- Moved the default logging facility from LOG_LOCAL1 to LOG_DAEMON.
- Change the default logging facility with the $LLGT_LOG_FACILITY environment
  variable. Use the standard syslog facility names, e.g. LOG_DAEMON,
  LOG_LOCAL1, etcetera.
- The $LLGT_LOG_IDENT can (optionally) be set as the Syslog ident value. This
  will be the identifying string in Syslog for the current process. Not using
  this option lets Syslog (or one of the GT services) set these options. By
  default the Syslog ident will be set to the executable name.
- Changed the default LCAS_DEBUG_LEVEL value to the built-in number 4, which
  equals a cut-off at the LOG_INFO Syslog priority. Setting it to 5 will
  let it run with LOG_DEBUG enabled.
- Switched internal time from localtime() to gmtime() to generate a
  JOB_REPOSITORY_ID and GATEKEEPER_JM_ID.
- Set the environment variable $LLGT_RUN_LCAS to "no", "disabled" or
  "disable" to prevent LCAS from running prior to LCMAPS.
- There is a matching ./configure option "--enable-lcas" which can be used to
  change the default behaviour of whether to run LCAS or not. The $LLGT_RUN_LCAS
  environment variable can still influence the LCAS run.
- Added ./configure options similar to gLExec's to manipulate LCAS and LCMAPS
  usage, e.g. --with-lcas-db=FILE, --with-lcas-moduledir-sfx=path,
  --with-lcas-moduledir=path, --with-lcmaps-db=FILE,
  --with-lcmaps-moduledir-sfx=path, --with-lcmaps-moduledir=path
- When the variable LLGT_LIFT_PRIVILEGED_PROTECTION is set, the post-LCMAPS
  check for a mapping to the 'root' user and group is disabled. This check is
  implicitly enabled to prevent an erroneous configuration from silently
  resulting in a root-account mapping in services that have no protection
  against this themselves. This setting is NEEDED in services that:
  1.) don't switch user, and run as root.
  2.) expect only a username to be returned and perform the user switch
      themselves, e.g. the Globus GSI-OpenSSHd.
- Deprecated: $LLGT_NO_CHANGE_USER in favor of $LLGT_LIFT_PRIVILEGED_PROTECTION.
  (Deprecation does not mean non-functional anymore.)
- Deprecated: $LLGT4_NO_CHANGE_USER in favor of $LLGT_LIFT_PRIVILEGED_PROTECTION.
  (Deprecation does not mean non-functional anymore.)
- Set the environment variable $LLGT_VOMS_DISABLE_CREDENTIAL_CHECK to disable
  the VOMS verification at run-time in LCMAPS, provided that LCMAPS has the
  feature to select it at run-time.
- Set the environment variable $LLGT_VOMS_ENABLE_CREDENTIAL_CHECK to explicitly
  enable the VOMS attribute verification. It will override the LCMAPS
  built-in default, which could be disabled with certain build flags.
- Support for a CFLAGS setting for LCAS_LIBDIR to open the liblcas.so library
  from an alternative location at build-time to override its default.
  Example: export CFLAGS='-DLCAS_LIBDIR=\"/usr/local/lib/\"'
- Support for an alternative LCAS_LIBDIR as a run-time setting by exporting
  $LLGT_LCAS_LIBDIR="/usr/local/lib/liblcas.so"
- Support for a CFLAGS setting for LCMAPS_LIBDIR to open the liblcmaps.so library
  from an alternative location at build-time to override its default.
  Example: export CFLAGS='-DLCMAPS_LIBDIR=\"/usr/local/lib/\"'
- Support for an alternative LCMAPS_LIBDIR as a run-time setting by exporting
  $LLGT_LCMAPS_LIBDIR="/usr/local/lib/liblcmaps.so"
- If the $LLGT_ENABLE_DEBUG environment variable is set, then the debugging
  messages logged at level LOG_DEBUG are passed to the log. The scope of this
  setting is only within the LCAS-LCMAPS-GT-interface.

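The logging rules spread over the 0.2.0 and 0.2.5 entries (LLGT_LOG_FACILITY names, LLGT_LOG_IDENT, openlog() only when one of them is overridden, LLGT_LOG_FILE propagated to LCAS_LOG_FILE/LCMAPS_LOG_FILE when those are unset, and LOG_DEBUG gated on LLGT_ENABLE_DEBUG), collected into one added example. This is illustration code written for this changelog, not the llgt sources; the function names are assumptions, the decision functions take the environment values as parameters (NULL meaning unset) so they can be checked in isolation, and llgt_logging_from_env() shows how they would be wired to getenv().

```c
/* Added example, not part of llgt: resolve the llgt logging configuration
 * from the documented environment variables. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

struct facility_name { const char *name; int value; };

/* Standard syslog facility names accepted in LLGT_LOG_FACILITY. */
static const struct facility_name facility_table[] = {
    {"LOG_DAEMON", LOG_DAEMON}, {"LOG_USER",     LOG_USER},
    {"LOG_AUTH",   LOG_AUTH},   {"LOG_AUTHPRIV", LOG_AUTHPRIV},
    {"LOG_LOCAL0", LOG_LOCAL0}, {"LOG_LOCAL1",   LOG_LOCAL1},
    {"LOG_LOCAL2", LOG_LOCAL2}, {"LOG_LOCAL3",   LOG_LOCAL3},
    {"LOG_LOCAL4", LOG_LOCAL4}, {"LOG_LOCAL5",   LOG_LOCAL5},
    {"LOG_LOCAL6", LOG_LOCAL6}, {"LOG_LOCAL7",   LOG_LOCAL7},
};

/* Syslog facility for a name such as "LOG_LOCAL1"; -1 when unknown so the
 * caller keeps the default instead of silently logging elsewhere. */
int llgt_facility_from_name(const char *name)
{
    if (name == NULL)
        return -1;
    for (size_t i = 0; i < sizeof facility_table / sizeof facility_table[0]; i++)
        if (strcmp(facility_table[i].name, name) == 0)
            return facility_table[i].value;
    return -1;
}

/* Effective facility: LOG_DAEMON (the 0.2.0 default) unless LLGT_LOG_FACILITY
 * names a known facility. */
int llgt_effective_facility(const char *facility_env)
{
    int f = llgt_facility_from_name(facility_env);
    return f < 0 ? LOG_DAEMON : f;
}

/* openlog() is only called when the facility or the ident is overridden;
 * otherwise the service's own syslog setup (executable name) is kept. */
int llgt_needs_openlog(const char *facility_env, const char *ident_env)
{
    return facility_env != NULL || ident_env != NULL;
}

/* LCAS_LOG_FILE / LCMAPS_LOG_FILE inherit LLGT_LOG_FILE only when unset. */
const char *llgt_effective_log_file(const char *specific_env, const char *llgt_log_file)
{
    return specific_env != NULL ? specific_env : llgt_log_file;
}

/* LOG_DEBUG messages are only passed on when LLGT_ENABLE_DEBUG is set;
 * everything at a higher priority always goes through. */
int llgt_should_log(int priority, const char *enable_debug_env)
{
    if (priority == LOG_DEBUG)
        return enable_debug_env != NULL;
    return 1;
}

/* Wiring against the real environment.  Returns 2 for file logging, 1 when
 * syslog was opened with overrides, 0 when the service's defaults are kept. */
int llgt_logging_from_env(void)
{
    const char *facility_env = getenv("LLGT_LOG_FACILITY");
    const char *ident_env    = getenv("LLGT_LOG_IDENT");
    const char *llgt_file    = getenv("LLGT_LOG_FILE");
    FILE *logf = llgt_file != NULL ? fopen(llgt_file, "a") : NULL;

    if (logf != NULL) {
        /* File logging wins; hand the same path to LCAS/LCMAPS unless they
         * already have their own file configured. */
        setenv("LCAS_LOG_FILE",   llgt_effective_log_file(getenv("LCAS_LOG_FILE"),   llgt_file), 1);
        setenv("LCMAPS_LOG_FILE", llgt_effective_log_file(getenv("LCMAPS_LOG_FILE"), llgt_file), 1);
        fclose(logf);   /* a real callout keeps the handle and closes it at teardown */
        return 2;
    }
    if (llgt_needs_openlog(facility_env, ident_env)) {
        openlog(ident_env, LOG_PID, llgt_effective_facility(facility_env));
        return 1;
    }
    return 0;
}

int main(void)
{
    printf("logging mode: %d\n", llgt_logging_from_env());
    return 0;
}
```

An unknown facility name falls back to LOG_DAEMON rather than to a best guess, so a typo in LLGT_LOG_FACILITY does not quietly send authorization decisions to an unmonitored facility.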
Version 0.1.5:
Applying Brian Bockelman's patch for the services that can handle an account
change themselves, for instance GSISSH and Condor.

The scenario is as follows: LCMAPS resolves an account and typically enforces
it in the process by changing to the resolved account. The enforcement step
can be disabled by simply not running the posix_enf plug-in. In effect the
process is still running as root after the LCMAPS account resolution, and the
LCAS LCMAPS GT4/GT5 Callout kicks in to throw an error on the (effective) user ID
or (effective) group ID being root.

The patch allows for an exception to this safety measure when the environment
variable "LLGT4_NO_CHANGE_USER" is set. The final check in the GT4/GT5 call-out
is bypassed and it continues to pass the Username to the GT4/GT5 Call-out
framework of the service.

With some more time and consideration the need for this environment variable
might disappear as I currently think that these checks in the GT4/GT5 Call-out
could be safely regarded as pedantic.

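The post-LCMAPS root check described in the 0.1.5 entry and its 0.2.0 follow-up (the check is on by default, lifted by LLGT_LIFT_PRIVILEGED_PROTECTION, with LLGT_NO_CHANGE_USER and LLGT4_NO_CHANGE_USER still honoured as deprecated names), as an added example that is not the project's own callout code. The function names are assumptions; the decision takes the effective ids and the environment values as parameters so it can be checked without running as root, and llgt_check_current_process() shows the wiring to geteuid()/getegid() and getenv().

```c
/* Added example, not part of llgt: the safety net that refuses a mapping
 * result when the service process is still root after LCMAPS ran. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Protection is lifted when the current variable, or one of the two
 * deprecated ones, is set to any value (the changelog says "set", not a
 * particular value). NULL means unset. */
int llgt_protection_lifted(const char *lift_env,
                           const char *no_change_user_env,
                           const char *gt4_no_change_user_env)
{
    return lift_env != NULL ||
           no_change_user_env != NULL ||
           gt4_no_change_user_env != NULL;
}

/* Post-LCMAPS check.  Returns 0 when the mapping result is acceptable and
 * -1 when the effective uid or gid is still root while protection is in
 * force.  Services that do the user switch themselves (GSI-OpenSSHd, Condor)
 * legitimately hit the -1 path and therefore need the protection lifted. */
int llgt_check_mapping_result(uid_t euid, gid_t egid, int lifted)
{
    if (lifted)
        return 0;
    if (euid == 0 || egid == 0)
        return -1;
    return 0;
}

/* Wiring against the real process: read the ids and the three variables. */
int llgt_check_current_process(void)
{
    int lifted = llgt_protection_lifted(getenv("LLGT_LIFT_PRIVILEGED_PROTECTION"),
                                        getenv("LLGT_NO_CHANGE_USER"),
                                        getenv("LLGT4_NO_CHANGE_USER"));
    int rc = llgt_check_mapping_result(geteuid(), getegid(), lifted);
    if (rc != 0)
        fprintf(stderr, "llgt: mapping left process as root (euid=%u egid=%u); "
                        "refusing (set LLGT_LIFT_PRIVILEGED_PROTECTION for "
                        "services that switch user themselves)\n",
                (unsigned)geteuid(), (unsigned)getegid());
    return rc;
}

int main(void)
{
    printf("check on current process: %d\n", llgt_check_current_process());
    return 0;
}
```

The check is deliberately on both ids: a service that dropped its uid but kept gid 0 would otherwise pass and still hold root group privileges.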
Version 0.1.4:
Fix to use the GSS interface to LCAS again. LCMAPS was changed to use it, but
LCAS wasn't yet. This is now fixed and the services work reliably again.
Errors appeared in the logs indicating that LCAS couldn't read the credentials
as input.