gx-map - A system for maintaining Globus grid-mapfiles and CRLs
The gx-map system is a set of programs, implemented in Perl, designed to automate the maintenance of the grid-mapfile and the various CA files used by Globus.
All commands accept a -help option to print a brief usage message and a -version option to display the current software version.
If you're looking for the gx-map command, its name has been changed to gx-request; see the gx-request(1) man page for more information.
A grid-mapfile is a plain text file used for user authorization by the Globus toolkit. Each line maps a distinguished name (also known as a DN or subject name) to one or more Unix account names.
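As an added illustration (not part of gx-map, which is written in Perl), the following Python sketch parses a grid-mapfile and flags entries an administrator would want to review. It assumes the conventional Globus layout of a quoted DN followed by comma-separated account names, which this page does not spell out; the sample data and the `PRIVILEGED` policy set are constructed for the example.

```python
import re
from collections import defaultdict

# Conventional Globus layout (assumed; the page gives no syntax):
#   "<distinguished name>" account1[,account2...]
# An unquoted DN is accepted only if it contains no whitespace.
LINE_RE = re.compile(r'^\s*(?:"([^"]+)"|([^"\s]\S*))\s+(\S+)\s*$')
PRIVILEGED = {"root"}  # hypothetical site policy: never map a DN to these

# Constructed sample input, not taken from any real site.
SAMPLE = '''\
# constructed example grid-mapfile
"/C=US/O=Example Grid/OU=People/CN=Alice Example" alice
"/C=US/O=Example Grid/OU=People/CN=Bob Example" bob,bobproj
"/C=US/O=Example Grid/OU=People/CN=Alice Example" alice2
"/C=US/O=Example Grid/OU=Services/CN=Backup Agent" root
/C=US/O=Example/CN=carol carol
"/C=US/O=Example Grid/CN=Broken Line
'''

def parse_gridmap(text):
    """Return (entries, malformed); entries are (lineno, dn, [accounts])."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = LINE_RE.match(line)
        accounts = m.group(3).split(",") if m else []
        if not m or not all(accounts):  # no match, or an empty account name
            malformed.append(lineno)
            continue
        entries.append((lineno, m.group(1) or m.group(2), accounts))
    return entries, malformed

def audit(text):
    """Flag malformed lines, DNs listed more than once, privileged mappings."""
    entries, malformed = parse_gridmap(text)
    lines_by_dn = defaultdict(list)
    for lineno, dn, _ in entries:
        lines_by_dn[dn].append(lineno)
    return {
        "malformed": malformed,
        "duplicate_dns": {dn: ls for dn, ls in lines_by_dn.items() if len(ls) > 1},
        "privileged": [(n, dn) for n, dn, accts in entries if PRIVILEGED & set(accts)],
    }

if __name__ == "__main__":
    for kind, findings in audit(SAMPLE).items():
        print(kind, findings)
```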
grid-mapfile maintenance is done in three phases.
Phase one is the client program, gx-request. Using this command, an unprivileged user can request an update to the grid-mapfile. The update will be automatically propagated as needed. The gx-request command creates a request file in a world-writable directory. See the gx-request(1) man page.
(In previous releases, the gx-request command was called gx-map, but using the same name for the client command and the package as a whole was confusing. The gx-map command is still available as a symbolic link to gx-request, but it's deprecated and is likely to be removed in a future release.)
Phase two is the gx-check-requests program. This is normally executed from a cron job. This checks for new request files generated by gx-request. Any new request files are validated; if this is successful, the request file is appended, with annotations, to the requests.log file. See the gx-check-requests(8) man page.
Phase three is the gx-gen-mapfile command. This is normally executed from a cron job. This reads the requests.log file and generates a new grid-mapfile as needed. The grid-mapfile is regenerated from scratch whenever necessary, so any manual changes to the grid-mapfile will be lost on the next update. See the gx-gen-mapfile(8) man page.
The gx-ca-update command maintains the certificate, CRL, and signing_policy files used by Globus. These are normally stored in the /etc/grid-security directory. See the gx-ca-update(8) man page for details.
The gx-map system consists of two major components: grid-mapfile maintenance (consisting of the gx-request, gx-check-requests, and gx-gen-mapfile commands) and CA certificate updating (the gx-ca-update command). It is not required to use both of these components. For example, if you have another solution for maintaining your grid-mapfile, you can install the gx-map system and use only the gx-ca-update command; conversely, if you don't want to use gx-ca-update to maintain your certificates directory, you can use only the grid-mapfile maintenance component.
You can also install and run the gx-map system without letting it directly affect your system, for testing purposes. See the discussion of "paranoid mode" in the gx-map-security(7) man page.
There are no options to install only part of the gx-map system. If you don't want to use gx-map for grid-mapfile maintenance, you might consider replacing the gx-request command with a script that prints an error message.
None. I believe the gx-map system is reasonably robust, but if you install this software and it breaks your system, it's your own fault for trusting me.
More seriously, the gx-map system has no known security-related bugs. A very small number of such bugs have been found and corrected in the past. But, as always, the statement that
There are no known security-related bugs.
is semantically equivalent to
All the security-related bugs are unknown ones.
#include <stddisclaimer.h>
See also the gx-map-security(7) man page.
Commands: gx-request(1), gx-check-requests(8), gx-propagate(8), gx-gen-mapfile(8), gx-ca-update(8)
Auxiliary commands: gx-ingest(8), gx-admins(8), gx-convert-log(8), gx-cleanup-logs(8), gx-remove-locks(8)
Modules and file formats: gx-map-gridmap-utils(3), gx-map-cadesc(5), gx-map-requests-log(5)
Security considerations: gx-map-security(7)
The gx-map home page is <http://users.sdsc.edu/~kst/gx-map/>.
Keith Thompson, San Diego Supercomputer Center, <kst@sdsc.edu>
See the file LICENSE in the gx-map distribution, installed in the etc/gx-map subdirectory.