2.0 Setting up and logging in

You must set up the proper environment variables before starting. You may also need to log in to a Legion system as a Legion user.

2.1 Preparing your Legion environment

Depending on how your system is configured, you may need to set up access to your Legion system. This will probably involve running a script such as this:

$ . ~legion/setup.sh

or

$ source ~legion/setup.csh

The exact syntax will depend on what kind of shell you are using and where your Legion files are installed. Your system may have different requirements: ask your system administrator.

2.2 Logging in

If your system administrator has enabled Legion's security features, you must have a user id and log in to Legion before you can start working. Ask your system administrator to create one for you if necessary.

Your system's login procedure may differ from what is described here, so check with your system administrator for specific instructions. The default system requires all users to have user ids and passwords. This lets Legion keep track of your objects and user privileges. It also prevents malicious users from interfering with your objects or gaining illicit access to your system.

When you log in to a Legion system you are identified by an AuthenticationObject, a special object that contains your password, initial implicit parameters (the Legion equivalent of a Unix "environment"), and other information. AuthenticationObjects are created when you create a user id. A set of Legion commands can be used to retrieve or change this information (see section 2.8 in the Legion Reference Manual for these commands). When an authenticated user runs a Legion process, a certificate confirming his or her identity is passed along to verify that this person has permission to run the process. This certificate is created and signed by your AuthenticationObject, so you will have to get a new user id if your AuthenticationObject is destroyed.

2.2.1 Logging in as a user

You log in with the legion_login command. You will be prompted for your password. You must use the full path name for your user id (e.g., /users/<user id>).

To log in, run legion_login:

$ legion_login /users/bob
Password: xxxx
$

Or

$ legion_login 
Legion login: /users/bob
Password: xxxx
$

(See note 1.)

Your current working context is automatically set to your home context (/home/<user id>). Use legion_cd to move to another part of context space (see section 5.1.4).

The legion_login command verifies your identity and your security privileges and puts a credentials file in your local /tmp directory. This file is a user read-only file. It is used by command-line utilities to verify your identity. You get a separate credentials file in each shell in which you run legion_login. You own objects you create while logged in. No one else (except the system administrator) can use them unless you specifically give them permission (see "About object permissions"). Any processes that you start after logging in will be accompanied by a copy of your AuthenticationObject's certificate.
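The properties described above (a per-shell credentials file in /tmp, readable only by its owner) can be checked with a short script. This is an added example, not Legion code: the manual does not name the credentials file, so the path is supplied by the caller, and "user read-only" is assumed to mean mode 0400.

```sh
#!/bin/sh
# Added example, not Legion code. Paths are supplied by the caller because
# the manual does not name the credentials file (assumption).

# check_cred_file PATH
# Prints "OK" and returns 0 only when PATH is a regular file (not a symlink),
# owned by the calling user, with mode exactly 0400. "User read-only" is
# read here as mode 0400 (assumption).
check_cred_file() {
    f=$1
    # In a world-writable directory a symlink can point at another user's file.
    if [ -L "$f" ]; then echo "FAIL symlink"; return 1; fi
    if [ ! -f "$f" ]; then echo "FAIL not-regular-file"; return 1; fi
    if [ ! -O "$f" ]; then echo "FAIL not-owner"; return 1; fi
    # The first ten characters of ls -ld are the type and permission bits.
    mode=$(ls -ld -- "$f" | cut -c1-10)
    if [ "$mode" != "-r--------" ]; then echo "FAIL mode $mode"; return 1; fi
    echo "OK"
}

# audit_creds PATH...
# Reports each path and returns the number of paths that failed.
audit_creds() {
    bad=0
    for p in "$@"; do
        result=$(check_cred_file "$p") || bad=$((bad + 1))
        printf '%s: %s\n' "$p" "$result"
    done
    return "$bad"
}

# Stand-alone use: sh check_creds.sh /tmp/<credentials file> ...
if [ "$#" -gt 0 ]; then
    audit_creds "$@"
fi
```
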

2.2.2 Changing your password

While you are logged in, you can use legion_passwd to change your password. You must use the whole user id path. You will be prompted for your old and new passwords.

$ legion_passwd /users/nemo
New Legion password: xxxx
Retype new password: xxxx
Password changed.
$

2.2.3 About object permissions

If your system administrator has enabled Legion security, the objects that you create while logged in cannot be used by any other users. If you wish to share your objects you need to give other users any necessary read, write, and execute permissions (see note 2). You can use legion_change_permissions to change an object's permissions. The syntax is:

legion_change_permissions [+-rwx] [-v]
<group/user context path>
<target context path>
[-debug] [-help]

Use the r, w, or x flags to add (+) or remove (-) read, write, and execute permissions on objects. For example, if you wanted to allow bob to read your object foo, you would enter:

$ legion_change_permissions +r /users/bob foo

See page 64 in the Reference Manual for more information.

2.2.4 Checking your login status

If you want to check whether or not you are logged in or verify your current user id, use legion_whoami. If you are logged in, it will return your current user id:

$ legion_whoami
/users/nemo
$

If you are not logged in, the command will return <Unknown>.

2.2.5 Logging out

To log out, run legion_logout. You don't need your user id path.

$ legion_logout

This will remove your credentials file. Remember that you are not in a subshell, so if you type exit you will close your current shell.

2.2.6 Using Legion in a Kerberos environment

If your site requires you to authenticate via Kerberos in order to log on or otherwise interact with any of the machines at the site (irrespective of Legion), you need to incorporate your Kerberos credentials into the Legion environment. If Legion needs to create a process or a file on your behalf on a remote machine, your Kerberos credentials must be available to authenticate you to the remote machine. To do this you will need to create a Legion proxy object that holds a copy of your Kerberos credentials. Legion can then automatically contact this proxy object whenever it needs your Kerberos credentials for a remote machine.

If you don't know whether or not you're running in a Kerberos environment, you're probably not. Check with your system administrator to confirm this.

Kerberos support in Legion is not currently fully documented; a small collection of sites that use Kerberos are working with the Legion developers to define and improve Kerberos support in Legion. In the near future, we will include detailed instructions regarding the creation and use of the Kerberos proxy objects. If you require Kerberos support in Legion, contact us at <legion-help@virginia.edu>.

2.3 Changing your profile

You can use legion_configure_profile to edit information about your user profile, security settings, and fault tolerance settings. It's a menu-driven command, so just enter it on the command line:

$ legion_configure_profile

and choose your options. Hit the <enter> key to return to the previous menu level. This command carries out three functions:

  1. Edit your AuthenticationObject to include contact information
  2. Change your security preferences for the message layer
  3. Edit your fault tolerance settings for SKCC objects

The first option lets you provide your e-mail address, name, and company. This can be useful if you are using Legion on-line. It also lets us contact you more easily.

The second option lets you set the security mode for the Legion message layer. There are three settings: private, protected, and off. We strongly recommend that you read the discussion of the message layer and these security settings before using this option (page 30 in the System Administrator Manual). Any changes you make will be applied to all messages passed by your objects.

The third option lets you edit the settings for your SKCC classes and backup vaults. This will override any settings you have previously made. It uses the following commands to edit your settings:

legion_skcc_set_class_vaults
legion_skcc_set_defaults
legion_set_backup_vaults
legion_class_vault_list

Please see the man pages or Reference Manual for information on these commands. Please see page 32 for more information about SKCC classes and backup vaults.


1. If you wish, you can include your password on the command line. E.g.,

$ legion_login /users/bob -p bobspassword

This is not a secure method of logging in, though, and we don't recommend it.

2. This command can only be used with common Legion object types: context, file, class, tty, implementation, host, and vault objects.
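Note 1 warns against passing the password with -p. A command typed that way is usually saved in the shell's history file, so the following script lists such lines with the password redacted. It is an added example, not Legion code; the sample history and the /opt/legion/bin path in it are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Legion code: find legion_login commands in a shell
# history file that carried the password via -p (see note 1).

# scan_history [FILE...]
# Prints "LINE: command" with the password replaced by <redacted> for each
# offending line; returns 0 if any were found, 1 if none. Reads stdin when
# no FILE is given.
scan_history() {
    awk '
    {
        # Strip the zsh extended-history prefix ": <epoch>:<secs>;".
        sub(/^: [0-9]+:[0-9]+;/, "")
        seen = 0; hit = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "legion_login" || $i ~ /\/legion_login$/) { seen = 1; continue }
            if (seen && $i == "-p" && i < NF) { $(i + 1) = "<redacted>"; hit = 1 }
        }
        if (hit) { printf "%d: %s\n", NR, $0; found++ }
    }
    END { exit (found ? 0 : 1) }
    ' "$@"
}

# Constructed sample history; the install path on line 3 is made up.
sample_history() {
    cat <<'EOF'
legion_login /users/bob
legion_login /users/bob -p bobspassword
: 1700000000:0;/opt/legion/bin/legion_login /users/nemo -p examplepw
legion_whoami
grep -p foo bar
EOF
}

# With no arguments, run against the constructed sample above.
if [ "$#" -gt 0 ]; then scan_history "$@"; else sample_history | scan_history; fi
```

Any password the scan turns up should be changed with legion_passwd and the history entry removed.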

Directory of Legion 1.8 Manuals

legion@Virginia.edu
http://legion.virginia.edu/