GLOBUS-GATEKEEPER(8)
NAME
globus-gatekeeper - Authorize and execute a grid service on behalf of a
user
SYNOPSIS
globus-gatekeeper [-help]
[-conf PARAMETER_FILE]
[-test] [-d | -debug]
{-inetd | -f}
[-p PORT | -port PORT]
[-home PATH] [-l LOGFILE | -logfile LOGFILE]
[-acctfile ACCTFILE]
[-e LIBEXECDIR]
[-launch_method {fork_and_exit | fork_and_wait | dont_fork}]
[-grid_services SERVICEDIR]
[-globusid GLOBUSID]
[-gridmap GRIDMAP]
[-x509_cert_dir TRUSTED_CERT_DIR]
[-x509_cert_file TRUSTED_CERT_FILE]
[-x509_user_cert CERT_PATH]
[-x509_user_key KEY_PATH]
[-x509_user_proxy PROXY_PATH]
[-k]
[-globuskmap KMAP]
DESCRIPTION
The globus-gatekeeper program is a meta-server similar to inetd or
xinetd that starts other services after authenticating the TCP
connection using GSSAPI.
The most common use for the globus-gatekeeper program is to start
instances of the globus-job-manager(8) service. A single
globus-gatekeeper deployment can handle multiple different service
configurations by having entries in the grid-services directory.
Typically, users interact with the globus-gatekeeper program via client
applications such as globusrun(1), globus-job-submit, or tools such as
CoG jglobus or Condor-G.
The full set of command-line options to globus-gatekeeper consists of:
- -help
- Display a help message to standard error and exit
- -conf PARAMETER_FILE
- Load configuration parameters from PARAMETER_FILE. The parameters in that file are treated as additional command-line options.
- -test
- Parse the configuration file, print the POSIX user id of the globus-gatekeeper process, the service home directory, the service execution directory, and the X.509 subject name, and then exit.
- -d, -debug
- Run the globus-gatekeeper process in the foreground.
- -inetd
- Flag to indicate that the globus-gatekeeper process was started via inetd or a similar super-server. If this flag is set and the globus-gatekeeper was not started via inetd, a warning will be printed in the gatekeeper log.
- -f
- Flag to indicate that the globus-gatekeeper process should run in the foreground. This flag has no effect when the globus-gatekeeper is started via inetd.
- -p PORT, -port PORT
- Listen for connections on the TCP/IP port PORT. This option has no effect if the globus-gatekeeper is started via inetd or a similar service. If not specified and the gatekeeper is running as root, the default of 754 is used. Otherwise, the gatekeeper defaults to an ephemeral port.
- -home PATH
- Sets the gatekeeper deployment directory to PATH. This is used to interpret relative paths for accounting files, libexecdir, certificate paths, and also to set the GLOBUS_LOCATION environment variable in the service environment. If not specified, the gatekeeper uses its working directory.
- -l LOGFILE, -logfile LOGFILE
- Write status log entries to LOGFILE
- -acctfile ACCTFILE
- Set the path to write accounting records to ACCTFILE. If not set, no accounting records will be written.
- -e LIBEXECDIR
- Look for service executables in LIBEXECDIR. If not specified, the default of HOME/libexec is used.
- -launch_method fork_and_exit|fork_and_wait|dont_fork
- Determine how to launch services. The method may be either fork_and_exit (the service runs completely independently of the gatekeeper, which exits after creating the new service process), fork_and_wait (the service is run in a separate process from the gatekeeper but the gatekeeper does not exit until the service terminates), or dont_fork, where the gatekeeper process becomes the service process via the exec() system call.
- -grid_services SERVICEDIR
- Look for service descriptions in SERVICEDIR. If this is a relative path, it is interpreted relative to the HOME value. If this is not specified, the default of HOME/etc/grid-services is used.
- -globusid GLOBUSID
- Sets the GLOBUSID environment variable to GLOBUSID. This variable is used to construct the gatekeeper contact string if it cannot be parsed from the service credential.
- -gridmap GRIDMAP
- Use the file at GRIDMAP to map GSSAPI names to POSIX user names. If not specified, the default of HOME/etc/grid-mapfile is used.
- -x509_cert_dir TRUSTED_CERT_DIR
- Use the directory TRUSTED_CERT_DIR to locate trusted CA X.509 certificates. The gatekeeper sets the environment variable X509_CERT_DIR to this value.
- -x509_cert_file TRUSTED_CERT_FILE
- OBSOLETE GSI OPTION
- -x509_user_cert CERT_PATH
- Read the service X.509 certificate from CERT_PATH. The gatekeeper sets the X509_USER_CERT environment variable to this value.
- -x509_user_key KEY_PATH
- Read the private key for the service from KEY_PATH. The gatekeeper sets the X509_USER_KEY environment variable to this value.
- -x509_user_proxy PROXY_PATH
- Read the X.509 proxy certificate from PROXY_PATH. The gatekeeper sets the X509_USER_PROXY environment variable to this value.
- -k
- Assume authentication with Kerberos 5 GSSAPI instead of X.509 GSSAPI.
- -globuskmap KMAP
- Assume authentication with Kerberos 5 GSSAPI instead of X.509 GSSAPI and use KMAP as the path to the Kerberos principal to POSIX user mapping file.
ENVIRONMENT
The following variables affect the execution of globus-gatekeeper:
- X509_CERT_DIR
- Directory containing X.509 trust anchors and signing policy files.
- X509_USER_PROXY
- Path to file containing an X.509 proxy.
- X509_USER_CERT
- Path to file containing an X.509 user certificate.
- X509_USER_KEY
- Path to file containing an X.509 user key.
FILES
- $GLOBUS_LOCATION/etc/globus-gatekeeper.conf
- Default path to gatekeeper configuration file.
- $GLOBUS_LOCATION/etc/grid-services/SERVICENAME
- Service configuration for SERVICENAME.
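
The script below is an added example, not part of the Globus distribution. It reads a gatekeeper parameter file (the -conf file), resolves the credential and mapping paths against HOME as described above, and reports any that are missing or too widely accessible. The names parse_conf and audit, the permission masks, the whitespace tokenization of the file, and the resolution of a relative -gridmap path against HOME are assumptions of this example.

```python
import os
import stat
import sys

# Options from the man page whose values are files the gatekeeper trusts.
# The permission masks are this example's policy, not gatekeeper behaviour.
CHECKS = {
    "-x509_user_key": 0o077,   # private key: no group/other access
    "-x509_user_cert": 0o022,  # not group/other writable
    "-gridmap": 0o022,         # GSSAPI name -> POSIX user mapping
    "-globuskmap": 0o022,      # Kerberos principal -> POSIX user mapping
}

def parse_conf(text):
    """Return {option: value}; options without a value map to True.
    Assumes whitespace-separated tokens, as on a command line."""
    tokens, opts, i = text.split(), {}, 0
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i]] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts

def audit(conf_text, cwd="."):
    """Return (option, path, problem) for each missing or over-permissive file."""
    opts = parse_conf(conf_text)
    home = opts.get("-home", cwd)  # man page: HOME defaults to the working directory
    if "-k" not in opts and "-globuskmap" not in opts:
        opts.setdefault("-gridmap", "etc/grid-mapfile")  # documented default
    findings = []
    for opt, mask in CHECKS.items():
        path = opts.get(opt)
        if not isinstance(path, str):
            continue
        full = os.path.join(home, path)  # absolute paths are left unchanged
        try:
            mode = stat.S_IMODE(os.stat(full).st_mode)
        except FileNotFoundError:
            findings.append((opt, full, "missing"))
            continue
        if mode & mask:
            findings.append((opt, full, f"mode {mode:04o} too permissive"))
    return findings

if __name__ == "__main__":
    with open(sys.argv[1]) as fh:
        for finding in audit(fh.read()):
            print(*finding)
```

Run it with the path to the parameter file as its only argument; it prints one line per finding and nothing when every checked file passes.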