Logging into a running Legion system

Altering the AuthenticationObject

A set of Legion commands can be used to retrieve or change the information in an AuthenticationObject: legion_passwd, legion_set_implicit_params, legion_set_acl, legion_get_implicit_params, and legion_get_acl.

AuthenticationObjects must be permanent in order to be useful. If an AuthenticationObject is destroyed, its associated LOID, which identifies the user to the rest of the system, is lost. There is no way to generate an identical LOID for a new AuthenticationObject.

More about legion_login

Like Unix rsh, legion_login can also execute a specific command rather than create a new interactive shell. For example, to use legion_login to execute legion_cat on object bob, enter:

$ legion_login /users/nemo -e legion_ping -c /home/nemo/bob
Password: xxxx
Bob's here.
$

With security enabled, nobody else can cat bob except nemo. If nemo tries to cat bob while not logged in, he'll get something like this:

$ legion_cat /home/nemo/bob

Legion ExoEvent Caught:
Type        : "Exception:Security:MayI"
Description : "Security fault, MayI failed"
Source Loid : 1.3622a3eb.06.9bb12a36.000001fc...
Destination Loid : 1.3622a3eb.66000000.04000000.000...
Function Id : _i_16exportsInterface_21LegionObjectInterface_V
$

Running while logged in has a benefit even if you do not plan to use security features. Normally every command-line tool needs to create a public key pair for its self-generated LOID before it can do its work. When logged in, the tool gets the LOID from the legion_login process instead, which maintains several pre-generated LOIDs. On slow machines the time to generate a fresh LOID can be quite noticeable, and using legion_login can eliminate some of the delay.

Creating new user ids

Please note that you must have admin privileges in order to create new user ids in a security-enabled system. Please see the System Administrator manual for further information.

You can now add users to your system, by creating user ids. A user id is an entry in context space that represents an AuthenticationObject. It is also used to signify ownership of all objects that a logged in user creates. The admin creates user ids with the legion_create_user command. This command will also create a home context for the new user. To create a user id for "nemo," for example, you would enter:

$ legion_create_user nemo
New Legion password: xxxx 
Retype password: xxxx
1.3622a3eb.6b000000.03000000.000001fc...
Creating a Home context: /home/nemo
Creating context "nemo" in parent "/home".
New context LOID = "1.3622a3eb.05.11000000.000001fc..."
Changing ACLs on /home/nemo
$

The command will prompt for a password for the new user and will print the user's AuthenticationObject LOID. It will also create a home context for the user in the /home context. Please allow about five minutes for the new user to propagate in your system before logging in with the new id. (Until then the user will get security errors when he tries to create objects.)

The legion_create_user command is actually a simple wrapper around legion_create_user_object. The full command can give more control to the creation of AuthenticationObjects; execute it without arguments for a summary of its options.

Once a user is created, log in is achieved by giving the context path of the user object and a password to legion_login.

$ legion_login /users/nemo
Password:xxxx
$

On a successful log in, a new shell is created. Note that user nemo must move to his /home/nemo context: users can work only in the /home, /etc, /temp, /mpi, and /pvm contexts. Only admin can work in the remaining parts of context space. Log out is achieved by exiting the shell.