NAME
globus-gatekeeper - Authorize and execute a grid service on behalf of a
user
SYNOPSIS
globus-gatekeeper [-help]
[-conf PARAMETER_FILE]
[-test] [-d | -debug]
{-inetd | -f}
[-p PORT | -port PORT]
[-home PATH] [-l LOGFILE | -logfile LOGFILE]
[-acctfile ACCTFILE]
[-e LIBEXECDIR]
[-launch_method {fork_and_exit | fork_and_wait | dont_fork}]
[-grid_services SERVICEDIR]
[-globusid GLOBUSID]
[-gridmap GRIDMAP]
[-x509_cert_dir TRUSTED_CERT_DIR]
[-x509_cert_file TRUSTED_CERT_FILE]
[-x509_user_cert CERT_PATH]
[-x509_user_key KEY_PATH]
[-x509_user_proxy PROXY_PATH]
[-k]
[-globuskmap KMAP]
DESCRIPTION
The globus-gatekeeper program is a meta-server similar to inetd or
xinetd that starts other services after authenticating the TCP
connection using GSSAPI.
The most common use for the globus-gatekeeper program is to start
instances of the globus-job-manager(8) service. A single
globus-gatekeeper deployment can handle multiple different service
configurations by having entries in the grid-services directory.
Typically, users interact with the globus-gatekeeper program via client
applications such as globusrun(1), globus-job-submit, or tools such as
CoG jglobus or Condor-G.
The full set of command-line options to globus-gatekeeper consists of:
-help
Display a help message to standard error and exit
-conf PARAMETER_FILE
Load configuration parameters from PARAMETER_FILE. The parameters
in that file are treated as additional command-line options.
-test
Parse the configuration file and print out the POSIX user id of the
globus-gatekeeper process, service home directory, service
execution directory, and X.509 subject name and then exits.
-d, -debug
Run the globus-gatekeeper process in the foreground.
-inetd
Flag to indicate that the globus-gatekeeper process was started via
inetd or a similar super-server. If this flag is set and the
globus-gatekeeper was not started via inetd, a warning will be
printed in the gatekeeper log.
-f
Flag to indicate that the globus-gatekeeper process should run in
the foreground. This flag has no effect when the globus-gatekeeper
is started via inetd.
-p PORT, -port PORT
Listen for connections on the TCP/IP port PORT. This option has no
effect if the globus-gatekeeper is started via inetd or a similar
service. If not specified and the gatekeeper is running as root,
the default of 754 is used. Otherwise, the gatekeeper defaults to
an ephemeral port.
-home PATH
Sets the gatekeeper deployment directory to PATH. This is used to
interpret relative paths for accounting files, libexecdir,
certificate paths, and also to set the GLOBUS_LOCATION environment
variable in the service environment. If not specified, the
gatekeeper uses its working directory.
-l LOGFILE, -logfile LOGFILE
Write status log entries to LOGFILE
-acctfile ACCTFILE
Set the path to write accounting records to ACCTFILE. If not set,
no accounting records will be written.
-e LIBEXECDIR
Look for service executables in LIBEXECDIR. If not specified, the
default of HOME/libexec is used.
-launch_method fork_and_exit|fork_and_wait|dont_fork
Determine how to launch services. The method may be either
fork_and_exit (the service runs completely independently of the
gatekeeper, which exits after creating the new service process),
fork_and_wait (the service is run in a separate process from the
gatekeeper but the gatekeeper does not exit until the service
terminates), or dont_fork, where the gatekeeper process becomes the
service process via the exec() system call.
-grid_services SERVICEDIR
Look for service descriptions in SERVICEDIR. If this is a relative
path, it is interpreted relative to the HOME value. If this is not
specified, the default of HOME/etc/grid-services is used.
-globusid GLOBUSID
Sets the GLOBUSID environment variable to GLOBUSID. This variable
is used to construct the gatekeeper contact string if it can not be
parsed from the service credential.
-gridmap GRIDMAP
Use the file at GRIDMAP to map GSSAPI names to POSIX user names. If
not specified, the default of HOME/etc/grid-mapfile is used.
-x509_cert_dir TRUSTED_CERT_DIR
Use the directory TRUSTED_CERT_DIR to locate trusted CA X.509
certificates. The gatekeeper sets the environment variable
X509_CERT_DIR to this value.
-x509_cert_file TRUSTED_CERT_FILE
OBSOLETE GSI OPTION
-x509_user_cert CERT_PATH
Read the service X.509 certificate from CERT_PATH. The gatekeeper
sets the X509_USER_CERT environment variable to this value.
-x509_user_key KEY_PATH
Read the private key for the service from KEY_PATH. The gatekeeper
sets the X509_USER_KEY environment variable to this value.
-x509_user_proxy PROXY_PATH
Read the X.509 proxy certificate from PROXY_PATH. The gatekeeper
sets the X509_USER_PROXY environment variable to this value.
-k
Assume authentication with Kerberos 5 GSSAPI instead of X.509
GSSAPI.
-globuskmap KMAP
Assume authentication with Kerberos 5 GSSAPI instead of X.509
GSSAPI and use KMAP as the path to the kerberos principal to POSIX
user mapping file.
ENVIRONMENT
If the following variables affect the execution of globus-gatekeeper
X509_CERT_DIR
Directory containing X.509 trust anchors and signing policy files.
X509_USER_PROXY
Path to file containing an X.509 proxy.
X509_USER_CERT
Path to file containing an X.509 user certificate.
X509_USER_KEY
Path to file containing an X.509 user key.
FILES
$GLOBUS_LOCATION/etc/globus-gatekeeper.conf
Default path to gatekeeper configuration file.
$GLOBUS_LOCATION/etc/grid-services/SERVICENAME
Service configuration for SERVICENAME.
SEE ALSO
globusrun(1), globus-job-manager(8)