Title: Configuring sudo privileges for GRAM in GT4
--------------------------------------------------

1 Prerequisites
---------------

The system on which GRAM will be executed must have sudo installed.

Before configuring sudo privileges for GRAM on the machine 
on which the GRAM services will run, several Unix accounts 
must already exist:

- one account under which the Globus container will run, 
  named for instance 'globus'.
  This is the same account under which the toolkit was installed.
- at least one user account under which jobs will be submitted. This 
  user name must be mapped to a DN in the Globus gridmap file so that 
  remote submissions are authorized.

2 Basic Sudoers Configuration for one Submitting User
-----------------------------------------------------
Sudo privileges are configured by modifying the sudo configuration, 
which is stored in what official sudo jargon calls the "sudoers file" 
(typically edited with the visudo command). You may have to ask the 
administrator of the system on which you are installing GRAM to set up the 
minimal required sudo privileges as explained below.

On the GRAM machine, the Globus container-running account (which may be a 
local account) must be able to run the job execution script as any 
user that can be authorized to submit a job, and without the requirement for 
a password.

Note: the command that must be executed is currently a script. This may change in 
future releases.

For instance, assuming the globus toolkit runs as user 'globus' on 
the machine 'myhost', the following entry in the sudoers file configures 
the account 'globus' with the sudo privileges necessary for user 
'globus_user1' to submit jobs to GRAM:

   globus     myhost=(globus_user1)NOPASSWD: <managed-job-script.pl>
   
where <managed-job-script.pl> is the absolute file path of the GRAM script 
that executes the job, namely $GLOBUS_LOCATION/libexec/globus-job-manager-script.pl 
(verify this path against your installation).

Basically, this allows the 'globus' account to run the managed job execution script 
on the machine 'myhost' as 'globus_user1' without password authentication.
In fact, password authentication must be disabled by the sudo configuration 
entry because the sudo command is performed programmatically by the GRAM code.
The following command-line is the equivalent of what GRAM executes 
in order to run the job script as 'globus_user1':

   /local/bin/sudo -u globus_user1 <managed-job-script.pl>

     
3 Enabling submission for several users
---------------------------------------
In order to allow multiple users to submit jobs, one can list the corresponding 
account names in the sudoers file entry for the Globus container account, 
as in:

   globus     myhost=(globus_user1, globus_user2, globus_user3)NOPASSWD: <managed-job-script.pl>

This allows the 'globus' account to run the managed job execution script 
on the machine 'myhost' as 'globus_user1', 'globus_user2' or 'globus_user3' 
without password authentication.

It is also possible to use an alias within the sudo configuration, as in:

   Runas_Alias   GLOBUS_USERS = globus_user1, globus_user2, globus_user3
   globus     myhost=(GLOBUS_USERS)NOPASSWD: <managed-job-script.pl>

4 Enabling submission for a group of submitting users
-----------------------------------------------------
However, this method quickly becomes tedious when many users must be authorized 
to submit jobs. In addition, the sudo configuration must be updated 
each time a new user is granted GRAM job submission rights.

A solution is to grant sudo privileges to the 'globus' account to run as 
a group of users as opposed to a list of individual users that must be maintained.

The group name must be prefixed with '%' if it is a system group, or 
with '+' if it is a netgroup.

For instance, in order to let any user in the Unix group 'griduser' submit jobs 
to GRAM, the previous example of a sudoers file entry may be changed to:
 
   globus     myhost=(%griduser)NOPASSWD: <managed-job-script.pl>


More options for sudo configuration are described in the sudoers manual [sudoers], 
in particular the different ways to specify which account(s) the command can be run as.
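
The entries in sections 2 to 4 differ only in their Runas list, and in every case the rule is only as strong as the file it names: whoever can modify <managed-job-script.pl> can run arbitrary code as every account in that list. The following Python script is an added example, not part of the Globus Toolkit; it renders the sudoers entry in the form shown above and checks the ownership and permissions of the target script. The install prefix /opt/gt4 and uid 1001 are assumed values.

```python
import os
import stat


def sudoers_entry(container_user, host, runas, script):
    """Render one sudoers line in the form used above.  `runas` is a list
    of account names, or a single '%group' / '+netgroup' token."""
    if not os.path.isabs(script):
        # sudo matches the command against its full path; never use a bare name
        raise ValueError("sudo command must be an absolute path: %r" % (script,))
    if isinstance(runas, str):
        runas = [runas]
    return "%s     %s=(%s)NOPASSWD: %s" % (container_user, host,
                                         ", ".join(runas), script)


def script_risks(path, owner_uid, mode, container_uid):
    """Check the file that sudo will run as the job users.  Anyone able to
    modify it can run arbitrary code as every account in the Runas list, so
    the container account itself must not own it and it must not be group-
    or world-writable.  Returns the problems found (empty = acceptable)."""
    risks = []
    if not os.path.isabs(path):
        risks.append("path is not absolute")
    if stat.S_ISLNK(mode):
        risks.append("target is a symlink; point sudo at the real file")
    elif not stat.S_ISREG(mode):
        risks.append("target is not a regular file")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        risks.append("target is group- or world-writable")
    if owner_uid == container_uid:
        risks.append("target is owned by the container account that invokes sudo")
    return risks


def audit_script(path, container_user="globus"):
    """Run script_risks() against the live file system (Unix host assumed)."""
    import pwd  # Unix only, hence imported here
    st = os.lstat(path)
    return script_risks(path, st.st_uid, st.st_mode,
                        pwd.getpwnam(container_user).pw_uid)


if __name__ == "__main__":
    # Assumed values: install prefix /opt/gt4, group 'griduser' from section 4
    script = "/opt/gt4/libexec/globus-job-manager-script.pl"
    print(sudoers_entry("globus", "myhost", "%griduser", script))
    if os.path.exists(script):
        for problem in audit_script(script):
            print("WARNING:", problem)
```

After editing the sudoers file, visudo -c reports syntax errors, and `sudo -l -U globus` on 'myhost' shows the rule exactly as sudo parsed it.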
   
References
----------

[sudo]
Sudo manual
http://www.gratisoft.us/sudo/sudo.html

[sudoers]
Sudoers manual
http://www.courtesan.com/sudo/man/sudoers.html