myproxy-server.config

代理服务器源代码 供大家学习使用,希望大家喜欢

#
# Example myproxy server configuration file.
#
# You should modify this file to meet your specific requirements
# and install in /etc/myproxy-server.config or
# $GLOBUS_LOCATION/etc/myproxy-server.config.
#
# Any line starting with a pound sign (#) is a comment.
#
######################################################################

#
# Complete Sample Policy
#
# The following lines define a sample policy that enables all
# myproxy-server features.  See below for more examples.
#accepted_credentials       "*"
#authorized_retrievers      "*"
#default_retrievers         "*"
#authorized_renewers        "*"
#default_renewers           "none"
#authorized_key_retrievers  "*"
#default_key_retrievers     "none"
#trusted_retrievers         "*"
#default_trusted_retrievers "none"

#
# Accepted Credentials
#
# Which credentials is the server willing to accept and store?
#
# Example: Willing to store Alliance credentials
#accepted_credentials  "/C=US/O=National Computational Science Alliance/CN=*"
#
# Example: Willing to store Globus credentials
#accepted_credentials  "/C=US/O=Globus/*"
#accepted_credentials  "/O=Grid/O=Globus/*"
#
# Example: Willing to story any credentials
#accepted_credentials  "*"

#
# Authorized Retrievers
#
# Who is authorized to retrieve proxy credentials from the repository?
#
# Example: Allow only trusted Alliance web portals with a valid
# Myproxy passphrase to retrieve proxy credentials, thereby discouraging
# users from giving out their Myproxy passphrase to untrusted sites
# and limiting the vulnerability of the credentials stored on the
# Myproxy server.
# Note: NCSA doesn't audit sites with portal certificates.
#authorized_retrievers "/C=US/O=National Computational Science Alliance/CN=portal/*"
#
# Example: Allow any client, including anonymous clients, with a valid
# MyProxy passphrase to retrieve credentials.  This is the recommended
# setting, as it gives users the flexibility to set their own policies
# on their credentials.
#authorized_retrievers "*"

#
# Default Retrievers
#
# If a user doesn't set a retrieval policy with the credential on
# upload, apply the following policy in addition to the
# authorized_retrievers policy.
#
# If no default_retrievers policy is set, then only the
# authorized_retrievers policy is applied.
#
# Example: Allow NCSA portals to retrieve credentials by default.
#default_retrievers "/C=US/O=National Computational Science Alliance/CN=portal/*"

#
# Authorized Renewers
#
# Who is authorized to renew a proxy credential before it expires?
#
# If no authorized_renewers line is defined, credential renewal is not
# allowed. 
#
# Example: Allow trusted schedulers to renew proxy credentials for the
# jobs they manage.
# Note: NCSA doesn't give out /CN=scheduler/* certificates.  This is
# a fictitious example.
#authorized_renewers "/C=US/O=National Computational Science Alliance/CN=scheduler/*"
#
# Example: Allow any client to renew a proxy credential.  In this
# case, the client can simply authenticate with the proxy it wants to
# renew.  This is potentially dangerous, in that it can be used to
# extend the lifetime of a compromised proxy credential on any host.
# However, when use with default_renewers, it gives users the
# flexibility to set their own policies.
#authorized_renewers "*"

#
# Default Renewers
#
# If a user doesn't set a renewal policy with the credential on
# upload, apply the following policy.
#
# Example: Disable renewal unless the client specifically authorizes it.
#default_renewers "none"
#
# Example: Allow the Condor-G scheduler on modi4.ncsa.uiuc.edu to
# renew user credentials by default.
#default_renewers "/C=US/O=National Computational Science Alliance/CN=condorg/modi4.ncsa.uiuc.edu"

#
# Authorized Key Retrievers
#
# Who is authorized to retrieve credentials (keys) directly from the
# repository?
#
# Example: Allow any client, including anonymous clients, with a valid
# MyProxy passphrase to retrieve credentials.  This allows expert
# users to have direct access to their keys, with the associated added
# vulnerability.  See default_key_retrievers below for a way to
# restrict this to specific credentials.
#authorized_key_retrievers "*"

#
# Default Key Retrievers
#
# If a user doesn't set a key retrieval policy with the credential on
# upload, apply the following policy in addition to the
# authorized_key_retrievers policy.
#
# If no default_key_retrievers policy is set, then only the
# authorized_key_retrievers policy is applied.
#
# Example: Don't allow anyone to retrieve keys directly by default.
# Expert users must enable key retrieval when storing credentials.
#default_retrievers "none"

#
# Trusted Retrievers
#
# Who is authorized to retrieve credentials without further
# authentication?
#
# By default, clients that match authorized_retrievers must perform
# additional authentication (such as passphrase, PAM, or SASL) to
# retrieve credentials.  However, authenticated clients that match
# trusted_retrievers do not need to perform additional authentication.
#
# Example: Allow any client to retrieve a credential.  This permissive
# policy can be used with a restrictive default_trusted_retrievers
# policy (see below) to allow expert users to set their own policy
# with 'myproxy-init -Z'.
#trusted_retrievers "*"

#
# Default Trusted Retrievers
#
#
# If a user doesn't set a trusted retrieval policy with the credential
# on upload (via 'myproxy-init -Z'), the myproxy-server will apply the
# following policy in addition to the trusted_retrievers policy.
#
# If no default_trusted_retrievers policy is set, then only the
# trusted_retrievers policy is applied.
#
# Example: Don't allow retrieval based on certificate-only
# authentication by default.  Expert users must enable
# certificate-only retrieval when storing credentials.
#default_trusted_retrievers "none"

#
# Passphrase Policy Enforcement
#
# Specifies the path to an external passphrase policy enforcement
# program.  The program is passed the new passphrase via stdin and is
# passed the following arguments: username, distinguished name,
# credential name (if any), per-credential retriever policy (if any),
# and per-credential renewal policy (if any).  If the passphrase is
# acceptable, the program should exit with status 0.  Otherwise, it
# should exit with non-zero status, causing the operation in progress
# (credential load, passphrase change) to fail with the error message
# provided by the program's stdout.
#passphrase_policy_program /usr/local/sbin/myproxy-passphrase-policy

#
# Maximum Proxy Certificate Lifetime
#
# Specifies the maximum allowed lifetime of proxy certificates issued
# by the myproxy-server to minimize the window of vulnerability of all
# issued credentials.  By default, no server-wide maximum is enforced.
# There is also a maximum proxy lifetime set for each stored
# credential.
#max_proxy_lifetime 12

#
# PAM Policy
#
# Governs use of PAM to check passphrases.  MyProxy will attempt to
# authenticate via PAM, with the supplied username and passphrase.
# Note that PAM will need to be configured externally for the
# application "myproxy" (usually in /etc/pam.d/), or for the
# application named by pam_id, below.
#
# Accepted values: 
#
#    required
#       PAM password authentication is required under all conditions.
#       If the credential is unencrypted (that is, it has no
#       passphrase), a PAM password check is still required for
#       authentication.  If the credential is encrypted, its
#       passphrase must match the PAM password.
#
#    sufficient
#       The user's passphrase may match either the credential
#       passphrase or, if the credential is unencrypted, the PAM
#       passphrase.  If the credential is encrypted, then the PAM
#       password is not relevant.
#
#    disabled (default)
#       PAM is not used to check passphrases.
#pam "disabled"

#
# PAM ID
#
# The name that myproxy uses to identify itself to PAM.  Default is
# "myproxy".
#
# For example, on most Unix-like systems, if pam_id is set to "login",
# MyProxy will authenticate against the system's own usernames and
# passwords.
#pam_id "myproxy"

#
# SASL Policy
#
# Governs use of SASL authentication.
#
# Accepted values: 
#
#    required
#       SASL authentication is required for retrieving credentials.
#
#    sufficient
#       SASL authentication is sufficient for retrieving credentials,
#       but other authentication methods may also be used.
#
#    disabled (default)
#       SASL authentication isn't used.
#sasl "disabled"

#
# Certificate Issuer
#
# The Issuer Distinguished Name for certificates issued for
# authenticated clients that don't have credentials stored.  This
# optionally configures the myproxy-server to act as an online
# certificate authority.  You can either specify certificate_issuer,
# certificate_issuer_cert, or certificate_issuer_program.  See also
# the certificate_issuer_key and certificate_mapfile parameters below.
#certificate_issuer "/O=Grid/OU=GlobusTest/OU=simpleCA-myproxy.ncsa.uiuc.edu/CN=Globus Simple CA"

#
# Certificate Issuer Certificate
#
# As an alternative to certificate_issuer, you can instead specify
# certificate_issuer_cert to be used to obtain the Issuer
# Distinguished Name.
#certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem

#
# Certificate Issuer Key
#
# When specifying certificate_issuer or certificate_issuer_cert above,
# you must also give the path to a CA private key in PEM format for
# signing certificates.
#certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem

#
# Certificate Issuer Key Passphrase
#
# If the certificate_issuer_key is encrypted, give the passphrase here.
#certificate_issuer_key_passphrase "myproxy"

#
# Certificate Issuer Program
#
# The path to a program to issue certificates for authenticated
# clients that don't have credentials stored.  This optionally
# configures the myproxy-server to act as an online certificate
# authority, allowing programmatic control over the certificate
# issuance process.  See also the certificate_issuer parameter above.
# You can specify certificate_issuer or certificate_issuer_program but
# not both.
#certificate_issuer_program /usr/local/sbin/myproxy-ca

#
# Certificate Issuer Serial File
#
# The path to a file to store the serial number counter for issued
# certificates.
#certificate_serialfile /home/globus/.globus/simpleCA/serial

#
# Certificate Issuer Email Domain
#
# If set, include an email X509v3 Subject Alternative Name in issued
# certificates with the MyProxy username and the configured domain.
#certificate_issuer_email_domain "ncsa.uiuc.edu"

#
# Max Certificate Lifetiem
#
# The maximum lifetime (in hours) for certificates issued by the CA
# module.  Defaults to 12 hours.
#max_cert_lifetime 12

#
# Certificate Authority Mapfile
#
# When specifying certificate_issuer above, you can map account names
# to certificate subject distinguished names for the issued
# certificates using this mapfile, which has the same format as used
# by other Globus Toolkit services, i.e., lines of the form:
#   "DN" username
# By default, /etc/grid-security/grid-mapfile is used.
#certificate_mapfile /etc/grid-security/grid-mapfile

#
# CA LDAP Server
#
# If OpenLDAP support is built-in to the myproxy-server, this
# parameter specifies the URI to the LDAP server to use for username
# to DN resolution in the Certificate Authority module.  Both ldap://
# and ldaps:// protocols are supported.  A port number may optionally
# be specified as well.  Defining this directive is the "trigger" that
# causes the name resolution module to use LDAP querying.  If it is
# not defined, then mapfile lookup will be executed instead (see
# certificate_mapfile above).
#ca_ldap_server "ldap://localhost:389/"

#
# CA LDAP UID Attribute
#
# The name of the record attribute that maps to the MyProxy username.
# Required for LDAP username to DN resolution.
#ca_ldap_uid_attribute "uid"

#
# CA LDAP SearchBase
#
# The DN of the region of the ldap database to be searched.
# Required for LDAP username to DN resolution.
#ca_ldap_searchbase "ou=people,dc=bullwinkle,dc=lbl,dc=gov"

#
# CA LDAP DN Attribute
#
# If this directive is set, the LDAP resolver will pull the DN from
# the specified attribute in the returned record.  If it is not set,
# the default is to use the DN of the record itself.
#ca_ldap_dn_attribute "subjectDN"

#
# CA LDAP DN/Passphrase
#
# User/passphrase combination to be used for LDAP basic
# authentication (optional).
#ca_ldap_connect_dn "cn=Monte Goode,ou=ldapusers,dc=bullwinkle,dc=lbl,dc=gov"
#ca_ldap_connect_passphrase "passphrase"

#
# Slave server list 
#
# When the myproxy-replicate program is run.  This list of servers is 
# used to indicate where the repository information is to be sent.
# The list is comprised of hostnames and optional port numbers. The 
# hostname may be in the form:
#	name
#	FQDN
#	tcp/ip address
#
# The host name and port number must be seperated by a ':'.
#
# If multiple slaves are given, each slave server must be seperated with
# a ';'.
#
#
# Example: 
#	grids1
#	grids1.ncsa.uiuc.edu
#	grids1:9000
#	grids1;grids2.ncsa.uiuc.edu:9000;141.142.96.41
#
#slave_servers

#
# Master server
#
# Host name of the MyProxy master sever.  This value is used when MyProxy
# is configured to replicate the repository.  Each server that is running
# as a slave needs to have this value set.  The value is used to redirect
# error output back to the master.
#
#master_server

#
# Pubcookie Granting Certificate
#
# To enable Pubcookie-based authentication, disabled by default,
# provide the full path to the PEM-encoded Pubcookie granting
# certificate for verifying signatures on Pubcookie granting cookies.
# See <http://www.pubcookie.org/> for more information about Pubcookie.
#pubcookie_granting_cert /etc/grid-security/pubcookiecert.pem

#
# Pubcookie Application Server Key
#
# For Pubcookie-based authentication, provide the full path to the
# 2048 byte application server key (PubcookieCryptKeyfile).
#pubcookie_app_server_key /etc/grid-security/pubcookie.key