# $Id: Relnotes,v 1.12 2007/04/25 02:59:06 kst Exp $ # $Source: /projects/globus/kst/CVS/public_html/gx-map/Relnotes,v $ # [ Id: Relnotes,v 1.35.2.1 2007/03/02 09:26:51 kst Exp ] # [ Source: /projects/globus/kst/CVS/tools/gx-map/Relnotes,v ] Release notes for gx-map Release 0.5.3.3 / 0.5.3.2p1, Fri 2007-03-02 This is a bug fix release. You can either install the 0.5.3.3 release from scratch using the usual method, or run the "patch-gx-map-0.5.3.2" script to update an existing 0.5.3.2 installation, setting the version string to "0.5.3.2p1". A patched 0.5.3.2p1 installation and a from-scratch 0.5.3.3 installation are functionally identical. The "-update" option to the gx-request command has been removed. Users no longer have a way to request a forced update of the grid-mapfile. (An administrator can do so by, for example, touching the requests.log file.) If an administrator runs gx-request with the "-no-admin" option, the "source" attribute is set to "user". gx-check-requests requires the new-requests directory to disallow non-root chown. The method used to check this has been modified to be more reliable. The code used to read user-submitted request files has been modified to improve security. gx-gen-mapfile no longer has the option to generate multiple copies of the grid-mapfile. The generated grid-mapfile is written in a more secure manner. It still allows the grid-mapfile to be written to stdout. gx-gen-mapfile has a new option, "-prerequisite", that specifies files whose timestamps can be checked to determine whether to re-generate the grid-mapfile. For most sites, it probably won't be necessary to use this option. Release 0.5.3.2, Sat 2006-12-09 Miscellaneous minor bug fixes. Allow the "resource_name" attribute in the tgcdb.db-config file to be a wildcard. This is TeraGrid-specific. See README.TeraGrid for details. Added gx-map-db-config(5) man page to document tgcdb.db-config file. Added several *.cadesc files. Release 0.5.3, Fri 2006-11-17 Miscellaneous minor bug fixes. Improvements in locking code and cacheing code. The "gx-map" command is no longer an alias for "gx-request". It now simply prints an error message and exits. If the Time::HiRes Perl module is not available, the "gettimeofday" may be used instead (though it's recommended to install Time::HiRes instead). See INSTALL for details. New command: gx-check-index This incorporates the functionality of the "gx-map-cacl" tool into gx-map. This is primarily intended for use at SDSC, but it could be used at other sites if a CA provides an appropriate index file. New command: gx-cron-job Rather than invoking individual commands from a complex set of cron jobs, you can just invoke gx-cron job every 1 or 5 minutes. A configuration file controls which commands are executed when. gx-cron job may also be run as a daemon, bypassing crond. New command: gx-install-cadesc Installs a gx-map-cadesc-*.tar.gz tarball, containing CA description files, into an existing installation. This removes the need for a full new release of the gx-map package when CA information changes. New command: gx-util-test This is a test program for some of the functions in the Gridmap_Utils Perl module. New command: gx-watch-locks This watches for stale lock files. gx-request: Issue a warning for DNs that are handled automatically (e.g., ones handled by gx-check-index). The set of DNS to warn about can be configured by editing the file "etc/gx-map/auto.txt". Added "-literal-dn" option (useful for removing certain invalid entries). gx-gen-mapfile: New option: -[no]multiple-users By default, the generated grid-mapfile may map a single DN to multiple account names. With -nomultiple-users, all user names after the default one are commented out. New options: -merge-before file -merge-after file These replace the "-merge-file" option. With "-merge-before", mappings from the input external grid-mapfile are overridden by any conflicting mappings from any request log files; this is the old (undocumented) behavior of "-merge-file". With "-merge-after", mappings from the external file override any conflicting mappings from any request log files. gx-ca-update: New option: -[no]download. By default, gx-ca-update attempts to download files as needed. With "-nodownload", it uses only existing files in the cache directory. This can be useful if multiple instances of gx-map are being used on several systems with a shared data directory. One instance can run in the default "-download" mode, and all the others can depend on the cache files, saving time and network traffic. If no "-ca" or "-ca-list" option is specified, try to use a ".ca-list" file in the target directory. The "-list-cas" option excludes disabled CAs. The new "-list-all-cas" option shows all CAs, including disabled ones (what "-list-cas" formerly did). Release 0.5.2.2, Sat 2006-08-19 This is another minor maintenance update for gx-map 0.5.2. It was prompted by the impending expiration of the PSC (Pittsburgh Supercomputing Center) CA signing certificates and the issuance of new certificates replacing them. It also includes new and updated *.cadesc files for some other CAs, particularly for the new UK e-Science CA. This is a recommended upgrade for TeraGrid sites, and for other sites using the PSC Certificate Authorities. The updated files are: Gridmap_Utils.pm.in (updated VERSION only) README (updated version information only) Relnotes ca/01621954.uk-escience-old.cadesc (replaces ca/01621954.uk-escience.cadesc) ca/0a2bac92.brgrid.cadesc ca/290a3b29.psc-kerberos-1.cadesc ca/8175c1cd.uk-escience-root.cadesc ca/85ca9edc.psc-kerberos-old.cadesc (replaces ca/85ca9edc.psc-kerberos.cadesc) ca/9b88e95b.psc-root.cadesc ca/aa99c057.psc-root-old.cadesc (replaces ca/aa99c057.psc-root.cadesc) ca/acc06fda.psc-hosts.cadesc ca/adcbc9ef.uk-escience.cadesc If you're already using gx-map 0.5.2 or 0.5.2.1, you can also consider just updating the necessary cadesc files. Be sure to remove any obsolete cadesc files with the same hash value (the string of 8 hexadecimal digits at the beginning of the file name). Maintenance note: Unlike most previous releases, this is not a full snapshot. There is some work in progress that is not yet ready for prime time, and is therefore not included in this point release. (In a future release, I plan to implement a more convenient method of updating cadesc files without upgrading to a new version of the gx-map package.) Release 0.5.2.1, Thu 2006-07-13 This is a minor maintenance update for gx-map 0.5.2. It was prompted by a change in the URLs for the USC Certificate Authorities. Two other cadesc files were also updated: some information for the TACC CA was updated, and two old CAs whose signing certificates have expired were marked as disabled. Also, a new bug report was added for a transient (and probably harmless) locking failure. The updated files are: Gridmap_Utils.pm.in (updated VERSION only) Relnotes ca/2ca73e82.usc-pki-lite-r1.cadesc ca/84c1f123.cygrid-old.cadesc ca/9a1da9f9.tacc.cadesc ca/b57985f0.usc-kerberos-v3.cadesc ca/ed99a497.cesnet-old.cadesc bugs/bug-0100 This is a recommended upgrade for TeraGrid sites, and for other sites using the USC Certificate Authorities. (The old USC URLs still work, but it's not clear that they'll continue to work.) If you're already using gx-map 0.5.2, you can also consider just updating the necessary cadesc files: ca/2ca73e82.usc-pki-lite-r1.cadesc ca/b57985f0.usc-kerberos-v3.cadesc Release 0.5.2, Fri 2006-06-30 This release is mostly intended to allow for some changes in the TeraGrid Central Database (TGCDB). It also makes some operations more efficient. The gx-request commands "-set" and "-dn-list-file" options have been removed. Handling for different forms of DNs has been enhanced. Fields of certain DNs can have different forms in GT2 (Globus Toolkit release 2) vs. GT4. Some fields have yet another form for the web services portion of GT3. The "-compatible" option of the gx-gen-mapfile command has been removed, and is replaced by two new options: -gt2-compatible : Generate a grid-mapfile compatible with both GT2 and GT3/GT4. By default, the generated grid-mapfile is *not* compatible with GT2 for certain DNs. -gt3-compatible : Generate a grid-mapfile compatible both with GT3 WS (Web Services) and with GT4. This is rarely necessary. This option can be used together with the "-compatible" option. The gx-ca-update command has a new option: -gt3-compatible Generate *.signing_policy files compatible with GT3 web services tools. This should rarely be necessary or useful. By default, generated *.signing_policy files are compatible with both GT2 and GT4, and with GT3 pre-WS. gx-ca-update's "-force" option now applies to CRLs as well as to certificates and signing_policy files. Some commands installed in the sbin directory are to be executed only by the owner of the gx-map installation. These commands now have their permissions set to 744 (rwxr--r--) during installation. Miscellaneous minor bug fixes and enhancements. TeraGrid-specific changes (see README.TeraGrid for details): The name of the database configuration file (introduced in release 0.5.1) has been changed from "tgcdb.conf" to "tgcdb.db-config", and it is now installed in the correct directory (etc/gx-map rather than etc). The names of some of the fields have been changed. On installation, if the GX_PROPAGATE attribute is set to "gx-propagate.in.teragrid" (i.e., if you're using the TeraGrid specific database code), the etc/gx-map/tgcdb.db-config file is created automatically. You must manually edit this file before using gx-ca-update (you will be reminded to do this during installation). The permissions on the tgcdb.db-config file must be set to 400 (r--------) or 600 (rw-------). In addition to the GX_PROPAGATE attribute, the installation configuration file has a new optional attribute, EXTRAS. The only currently supported value for this is TGCDB, which causes the TGCDB subsystem to be installed, consisting of the gx-db-request, gx-db-gx-requests, and gx-db-dump commands. The gx-propagate command has a new option: -check-config Check whether the tgcdb.db-config file is ok. If not, silently exit with an error indication. This is used by gx-check-requests to determine whether the tgcdb.db-config file has been updated. If not, it refuses to run (unless you use "gx-check-requests -nopropagate"). Release 0.5.1, 2006-04-15 This is a new major release. Some file formats have changed. This release changes the name of the "gx-map" client program to "gx-request". For backward compatibility, it's still available as "gx-map", but that may be removed in a future release. The idea is to avoid confusion between the name of the client program and the name of the package as a whole. (This change was actually made in release 0.4.5.) The gx-cleanup-logs command is new. The gx-remove-locks command is new. The optional gx-propagate command is new. Man pages have finally been added. The documentation is written in Perl's "POD" format and automatically converted to man page format during configuration. The raw *.pod files are also installed in the "doc" subdirectory. The gx-map(7) man page provides an overview of the system. The gx-map-security(7) man page discusses security considerations. Other man pages document individual commands and file formats. New command-line options for gx-request: (The -quick-add and -quick-remove options are intended to replace most of the need for the -interactive option.) -quick-add Add a mapping for the user's current proxy or user certificate. -quick-remove Remove a mapping for the user's current proxy or user certificate. -set Set mappings for the specified user, giving zero or more DNs which replace all existing DNs for that user. -default-dn Extract a DN from the user's current proxy or user certificate. -dn-list-file Read a list of DNs from a specified text file. Used only with the "-set" option. The "-secondary" option has been removed. New command-line options for gx-check-requests: -[no]propagate Invoke gx-propagate as appropriate. Has no effect if gx-propagate is not installed. -dryrun Passed to the gx-propagate command. Has no effect if gx-propagate is not installed. The "-namespace" option has been removed. New command-line options for gx-gen-mapfile: -compatible Generate a grid-mapfile compatible with both GT2 and GT3/GT4. (This was the default behavior in earlier gx-map releases.) By default, the grid-mapfile is compatible only with GT3/GT4. -merge-file file Merge an existing grid-mapfile into the generated grid-mapfile -[no]rcs Check the generated grid-mapfile into RCS. The default is "-rcs"; use "-norcs" to disable. -force Force an update regardless of the timestamps of the input and output files. New command-line options for gx-ca-update: -ca-list Specify a text file containing a list of CAs. -permissions Specify octal permissions for installed files; default is 444. The "-all-cas" option has been removed. A number of minor bugs have been corrected (none of them are serious security flaws). See the "bugs" subdirectory for details. A new subsystem for propagating grid-mapfile information across sites has been implemented. The optional "gx-propagate" command acts as a plug-in for the "gx-check-requests' command. A version is provided that's designed specifically to work on the TeraGrid, using the TGCDB (TeraGrid Central Database) to propagate information from one TeraGrid site to another. The interface is intended to be extensible (it remains to be seen whether it lives up the intent). See the gx-propagate(8) man page for details. Some subdirectories of the installation directory have been renamed: "etc" --> "etc/gx-map" "var" --> "gx-map-data" (this is still a symlink to a separate directory) This allows gx-map to be installed directly under $GLOBUS_LOCATION or another installation directory if desired. Of course, it can still be installed in its own directory. The information provided in the installation configuration file has been modified. The old GLOBUS_ADMINS attribute has been replaced by GX_MAP_OWNER and ADDITIONAL_ADMINS (it is recommended that ADDITIONAL_ADMINS should be empty). The string %VERSION% is expanded to the current version number in the installation directory. See "sample.conf" for details. The format of the CA description files (*.cadesc) has been updated. The INDEX attribute has been deleted. A number of *.cadesc files have been added or updated. CA certificates that are not self-signed are checked using "openssl verify". Permissions for generated files are managed more carefully. Better defense against attacks on the world-writable new-requests directory. The gx-map installation must be owned by, and the gx-check-requests and gx-ca-update commands must be executed by, the GX_MAP_OWNER account (see sample.conf). The GX_MAP_OWNER may not be root. All downloads are done using the "curl" command; the "ncftp" and "wget" commands are no longer used. The customizable Gridmap_Valid_Mappings Perl module has been dropped. Its functionality has been incorporated into the Gridmap_Utils module. Gridmap_Valid_Mappings was designed to support cross-site propagation; this has been re-implemented using gx-propagate. Timestamps are stored in microsecond resolution (using the Time::HiRes Perl module). All distinguished names are handled internally using the GT4 format rather than the GT2 format (i.e., using "/UID=" rather than "/USERID=", and "/emailAddress=" rather than "/Email="). A GT2-compatible grid-mapfile is not generated by default; use the "-compatible" option if necessary. Error checking is more rigorous. More errors, including transient network errors that can be handled by falling back to a cached copy of a file, are both logged and reported by e-mail. All e-mail messages are logged. The system attempts to keep track of reported errors. For example, if a CA web site is down, an e-mail notification will only be sent once, not every time gx-ca-update is run. If the web site comes back up and then goes down again, another message will be sent. Dropped the idea of "secondary" mappings. A grid-mapfile entry can map a single DN to multiple user names, separated by commas: "/O=Foo/OU=Bar/CN=John Doe" jdoe,johnd,sys123 In gx-map 0.4.X, this was handled by requiring the user to treat some mappings as "secondary", a feature that turned out to be extremely error-prone. Now the most recently added mapping goes first. To change the order, re-add another mapping. If the data directory doesn't exist (e.g., because an NFS filesystem isn't mounted), the commands will bail out with a clear error message, rather than dying obscurely on the first attempt to access something in the data directory. Generated grid-mapfiles are (optionally) checked into RCS. In gx-request, a "set" request specifies the complete set of DNs for the user; it's equivalent to a "remove-user" request followed zero or more "add" requests. This is designed for interaction with the TGCDB. This option is not available in interactive mode. The locking mechanism has been improved, and should avoid race conditions when the data directory is on an NFS filesystem. Internal code cleanup. Release 0.4.5, 2005-05-07 This release changes the name of the "gx-map" client program to "gx-request". For backward compatibility, it's still available as "gx-map". The idea is to avoid confusion between the name of the client program and the name of the package as a whole. Bugs fixed in this release: bug-0019 Change name of gx-map client to gx-request Release 0.4.4, 2005-05-07 This is a bug fix release. The web server for the DOEGrids CA's CRL has a bug that affects the cache mechanism. This release includes a workaround for that bug. The Perl getpwuid function on MacOS X behaves differently than on other platforms (the result includes an extra element), which caused the gx-map command to fail. This release allows for the difference. Bugs fixed in this release: bug-0020 Work around web server problem for DOEGrids CA CRL bug-0024 Don't assume Perl's getpw* functions return 9 elements Release 0.4.3, 2005-04-26 This release fixes a minor (and mostly harmless) oversight in release 0.4.2. The file gx-map.conf.in is part of the new configuration system, which is not yet complete. It was inadvertently included in release 0.4.2, which could cause some confusion. Release 0.4.3 omits this file (and updates a few bug reports). There is no functional difference between releases 0.4.2 and 0.4.3. Bugs fix in this release: bug-0021 gx-map.conf.in mistakenly included in 0.4.2 release Release 0.4.2, 2005-04-17 This is primarily a bug fix release, intended to be included in NMI release 7. It also includes some updated *.cadesc files (including a new CERTIFICATE_SHA1 attribute). This release also includes a "bugs" directory containing several bug reports. Bugs fixed in this release: bug-0001 Removing a secondary mapping crashes gx-gen-mapfile bug-0002 Double usernames for primary+secondary mappings bug-0003 "ci" command can change requests.log permissions bug-0005 New feature: MISSING_CRL_OK attribute in cadesc files. (changed attribute name to ALLOW_MISSING_CRL) bug-0006 Use SHA1 fingerprints in gx-ca-update bug-0009 Better tracebacks on errors Release 0.4.1, 2004-11-30 This is a bug fix release. In release 0.4.0, I inadvertently did not implement the REQUESTS_LOG_PERMISSIONS configuration option. Instead, it unconditionally set the permissions of the requests.log file to 400 (readable only by the owner). This is now corrected. (You can still set REQUESTS_LOG_PERMISSIONS to 400 if you don't want the requests.log file to be world-readable.) Release 0.4.0, 2004-11-26 (I've decided to call this release 0.4.0 rather than 0.4 so the name of the tarball will sort properly in a directory listing if there's a 0.4.1 release.) Like previous releases, gx-map 0.4.0 is still somewhat lacking in coherent documentation. It is therefore recommended for users who want to upgrade from gx-map 0.3, or who are willing to spend some time getting the system working. Future releases will include man pages. This release includes several new tools: gx-ingest reads an existing grid-mapfile and generates a script that invokes gx-map to incorporate the entries into the database. gx-ca-update downloads and installs certificates, CRLs, and signing_policy files. See README.CA and README.CA-SECURITY in this distribution for more information. Note that this can be used independently of the gx-map command; even if you don't use gx-map to maintain your grid-mapfile, you can still use gx-ca-update to maintain your CA files. gx-convert-log converts data from a previous gx-map installation for use with gx-map 0.4. gx-admins reads an existing requests.log file and guess which users are treated as administrators (useful when upgrading from gx-map 0.3). Multiple user names can be supported for a grid-mapfile entry by treating some mappings as "secondary". An administrator may use the "-source" option to specify the source of a mapping; this will eventually be used to manage cross-site propagation. The gx-map system depends critically on checking file ownership to confirm that a request was made by an authorized user. The gx-check-requests command now fails if a non-root user is able to use chown on a file in the new-requests directory. The generated grid-mapfile is compatible with both GT2 (OpenSSL 0.9.6) and GT3 (OpenSSL 0.9.7). (The expand-grid-mapfile command used by some sites with gx-map 0.3 is no longer needed.) See for more information on this issue. The syntax of the GLOBUS_ADMINS configuration variable changed from 0.3 to 0.4.0. The argument is now a series of one or more space-delimited Unix user names. Group names are no longer allowed. The "user:" prefix is no longer allowed. It is recommended that the GLOBUS_ADMINS variable be set to a single non-human account name other than "root". Making a human user an admin can cause problems if the account's owner leaves the organization. Using "root" can cause problems if an NFS filesystem holding the data files is mounted in a way that maps the "root" account to "nobody". My recommendation: Make the "globus" account the only administrative account, make sure any administrative users have access to that account. Be careful not to give any untrusted users access to any administrative account. The gx-convert-log command supports changing the set of admins in an existing requests.log file. Release 0.3, 2003-07-28 This should probably be considered a beta release. It included fixes for some fairly nasty bugs. It was in use at SDSC and on several TeraGrid sites starting in July 2003. Release 0.2, 2003-07-23 This was an alpha release, reworked for use at multiple sites. It was used briefly at SDSC and on some TeraGrid sites. It is no longer supported, and its use is not recommended. Release 0.1, date unknown This was an SDSC internal system; it was never released.