Difference: DynaFed (1 vs. 7)

Revision 7 - 2017-09-11 - mebert

Line: 1 to 1
 
META TOPICPARENT name="DynaFed"

Dynafed installation and user authentication

Changed:
<
<
copy tools tested with dynafed can be found here
>
>
copy tools tested with dynafed can be found here
 

manual installation

Revision 6 - 2017-07-11 - mebert

Line: 1 to 1
 
META TOPICPARENT name="DynaFed"

Dynafed installation and user authentication

Added:
>
>
copy tools tested with dynafed can be found here
 

manual installation

Revision 5 - 2017-06-27 - mebert

Line: 1 to 1
 
META TOPICPARENT name="DynaFed"

Dynafed installation and user authentication

Line: 68 to 68
 

Authentication

Changed:
<
<

for clients using voms proxy

>
>

for clients using voms proxy (not needed if general certificate based authentication is used)

 
  • add in /etc/ugr/ugr.conf
    • glb.allowgroups[]: /atlas/* /myfed/S3-Atlas rl
  • restart httpd and memcached
Line: 86 to 86
  glb.authorizationplugin[]: libugrauthplugin_python27.so authplug1 ugrauth_gridmap isallowed
      • depending on OS and python version it needs to be python27 or python26
      • the correct version is in /usr/lib64/ugr/
Added:
>
>
    • NOTE: IF there are no glb.allow.... directives used then access will be granted (at least in a browser)
      • to activate authorization and deactivate general glb.allow-authorization, add also something like: glb.allowgroups[]: * /noexistent rld
      • important is to have something in there which doesn't exists, just to activate the general authorization system
 
    • in /etc/grid-security/ create the file accessfile
      • accessfile contains a line per directory and access mode
        • e.g.: /myfed/S3-Atlas atlas rl

Revision 4 - 2017-05-26 - mebert

Line: 1 to 1
 
META TOPICPARENT name="DynaFed"

Dynafed installation and user authentication

Line: 22 to 22
 
    • fetch-crl
    • gridsite
    • edg-mkgridmap
Changed:
<
<
    • ca_*
>
>
    • lcg-CA
 
      • all site certificates
  • disable selinux
  • replace /etc/httpd/conf.d/ssl.conf with an empty file
Line: 58 to 58
 
  • create a file ending with ".conf" in /etc/ugr/conf.d/
  • add the endpoint to this file
Changed:
<
<
glb.locplugin[]: libugrlocplugin_s3.so cc_rjs 2 https://s3-uvic.dev.computecanada.ca/rjsBucket
locplugin.cc_rjs.xlatepfx: /S3-Atlas /
locplugin.cc_rjs.s3.priv_key: PRIVATE KEY GOES HERE
locplugin.cc_rjs.s3.pub_key: PUBLIC KEY GOES HERE
locplugin.cc_rjs.s3.alternate: yes
>
>
glb.locplugin[]: libugrlocplugin_s3.so UGR-ID 2 https://s3-SERVER/Bucket
locplugin.UGR-ID.xlatepfx: /S3-Atlas /
locplugin.UGR-ID.s3.priv_key: PRIVATE KEY GOES HERE
locplugin.UGR-ID.s3.pub_key: PUBLIC KEY GOES HERE
locplugin.UGR-ID.s3.alternate: yes
 
  • restart httpd and memcached
Line: 74 to 74
 
  • restart httpd and memcached

This will allow read and listing of everything under /myfed/S3-Atlas for everyone with a valid Atlas voms proxy.

Changed:
<
<
However, the dynafed endpoint will no longer we usable through a web browser even for Atlas users since dynafed by default does not evaluate certificates.
>
>
However, the dynafed endpoint will no longer be usable through a web browser even for Atlas users since dynafed by default does not evaluate certificates.
 

certificate based authentication

  • works only if SSL is enabled
  • DynaFed doesn't support certificate evaluation by default but it allows python based authentication using own modules
    • needs a grid-mapfile
Changed:
<
<
    • in /etc/ugr/conf.d create the file ugrauth_gridmap.py
      • file needs to be renamed to remove ".txt" at the end
>
>
    • in /etc/ugr/conf.d create the file ugrauth_gridmap.py.txt
      • downloaded file needs to be renamed to remove ".txt" at the end
 
    • add to /etc/ugr/ugr.conf the line:
      glb.authorizationplugin[]: libugrauthplugin_python27.so authplug1 ugrauth_gridmap isallowed
      • depending on OS and python version it needs to be python27 or python26
Line: 93 to 93
 
Added:
>
>
This also works for voms proxy based access on the command line.
 

grid-mapfile generation

  • needs a list of VOMS servers in config files
    • e.g. /etc/edg-mkgridmap-atlas-prod.conf contains 2 lines:

Revision 3 - 2017-05-24 - mebert

Line: 1 to 1
 
META TOPICPARENT name="DynaFed"

Dynafed installation and user authentication

Line: 110 to 110
 touch $TMPFILE
Changed:
<
<
for VO in belle atlas atlas-prod atlas-lcgadmin
>
>
for VO in belle belle-prod belle-lcgadmin atlas atlas-prod atlas-lcgadmin
 do edg-mkgridmap --conf=/etc/edg-mkgridmap-$VO.conf --output=- >>$TMPFILE done

Revision 2 - 2017-05-19 - mebert

Line: 1 to 1
 
META TOPICPARENT name="DynaFed"

Dynafed installation and user authentication

Line: 103 to 103
 
 #!/bin/bash

TMPFILE=/tmp/gridmap.out
Changed:
<
<
touch $TMPFILE
>
>
if [ -f $TMPFILE ] then
 rm $TMPFILE
Added:
>
>
fi
 touch $TMPFILE
Added:
>
>
 for VO in belle atlas atlas-prod atlas-lcgadmin do edg-mkgridmap --conf=/etc/edg-mkgridmap-$VO.conf --output=- >>$TMPFILE
Line: 133 to 136
 

Comments

Changed:
<
<
  • ugr.conf: Files described within the page
>
>
 
META FILEATTACHMENT attachment="ugr.conf" attr="" comment="dynafed config file" date="1495144755" name="ugr.conf" path="ugr.conf" size="914" user="mebert" version="1"
META FILEATTACHMENT attachment="ugrauth_gridmap.py.txt" attr="" comment="python code for certificate based authentication using a grid-mapfile" date="1495144755" name="ugrauth_gridmap.py.txt" path="ugrauth_gridmap.py.txt" size="3151" user="mebert" version="1"

Revision 1 - 2017-05-18 - mebert

Line: 1 to 1
Added:
>
>
META TOPICPARENT name="DynaFed"

Dynafed installation and user authentication

manual installation

  • start with minimal CentOS 7
  • enable repos:
    • epel-release
    • egi
    • wlcg
  • install:
    • httpd
    • dynafed
    • dynafed-http-plugin
    • dynafed-dmlite-plugin
    • dynafed-dmlite-frontend
    • memcached
    • mod_ssl
    • openssh (update)
    • fetch-crl
    • gridsite
    • edg-mkgridmap
    • ca_*
      • all site certificates
  • disable selinux
  • replace /etc/httpd/conf.d/ssl.conf with an empty file
  • change ServerName in /etc/httpd/conf/httpd.conf to the correct one
  • place host certificate and key in /etc/grid-security
    • make sure the permissions are correct
    • remove password from the hostkey file
  • in /etc/ugr/ugr.conf
    • make sure extcache.memcached.ttl is set to the same value as infohandler.itemmaxttl
  • rename /etc/httpd/conf.d/zgridsite.conf in a way that it is read after zlcgdm-ugr-dav.conf
  • delete:
    • /etc/httpd/conf.modules.d/00-dav.conf
      /etc/httpd/conf.modules.d/00-ssl.conf
  • in /etc/httpd/conf.d/zlcgdm-ugr-dav.conf
    • enable SSL section
    • change port to 8443
    • add
      • LoadModule ssl_module modules/mod_ssl.so
        LoadModule gridsite_module /usr/lib64/httpd/modules/mod_gridsite.so
  • enable service at boot time: httpd and memcached
  • make sure firewall is configured to allow access to port 8443
  • start services: httpd and memcached

automatic install

An Ansible module will be uploaded.

location: ???

adding S3 endpoints

  • create a file ending with ".conf" in /etc/ugr/conf.d/
  • add the endpoint to this file
    • e.g.:
      glb.locplugin[]: libugrlocplugin_s3.so cc_rjs 2 https://s3-uvic.dev.computecanada.ca/rjsBucket
      locplugin.cc_rjs.xlatepfx: /S3-Atlas /
      locplugin.cc_rjs.s3.priv_key: PRIVATE KEY GOES HERE
      locplugin.cc_rjs.s3.pub_key: PUBLIC KEY GOES HERE
      locplugin.cc_rjs.s3.alternate: yes
  • restart httpd and memcached

Authentication

for clients using voms proxy

  • add in /etc/ugr/ugr.conf
    • glb.allowgroups[]: /atlas/* /myfed/S3-Atlas rl
  • restart httpd and memcached

This will allow read and listing of everything under /myfed/S3-Atlas for everyone with a valid Atlas voms proxy.
However, the dynafed endpoint will no longer be usable through a web browser even for Atlas users since dynafed by default does not evaluate certificates.

certificate based authentication

  • works only if SSL is enabled
  • DynaFed doesn't support certificate evaluation by default, but it allows python based authentication using custom modules
    • needs a grid-mapfile
    • in /etc/ugr/conf.d create the file ugrauth_gridmap.py
      • file needs to be renamed to remove ".txt" at the end
    • add to /etc/ugr/ugr.conf the line:
      glb.authorizationplugin[]: libugrauthplugin_python27.so authplug1 ugrauth_gridmap isallowed
      • depending on OS and python version it needs to be python27 or python26
      • the correct version is in /usr/lib64/ugr/
    • in /etc/grid-security/ create the file accessfile
      • accessfile contains a line per directory and access mode
        • e.g.: /myfed/S3-Atlas atlas rl
          • this will allow everyone registered with Atlas to read and list everything in /myfed/S3-Atlas (and below) using a browser
        • example file
  • restart httpd and memcached
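The grid-mapfile and accessfile lookups described above, as an added worked example; this is not the attached ugrauth_gridmap.py and not DynaFed's own code. The sample file contents are constructed, and the isallowed argument list used here is a simplification assumed for the example, not the plugin's real calling convention.

```python
import re

# Constructed sample grid-mapfile as edg-mkgridmap writes it: "<DN>" <group>
GRIDMAP = '''
"/DC=ch/DC=cern/OU=Users/CN=alice/CN=111/CN=Alice Example" atlas
"/DC=ch/DC=cern/OU=Users/CN=alice/CN=111/CN=Alice Example" atlas-prod
"/DC=ch/DC=cern/OU=Users/CN=bob/CN=222/CN=Bob Example" belle
'''

# Constructed sample accessfile in the page's format: <path> <group> <modes>
ACCESSFILE = '''
/myfed/S3-Atlas atlas rl
/myfed/S3-Atlas atlas-prod rlwd
'''

GRIDMAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<group>\S+)$')


def parse_gridmap(text):
    """Map each certificate DN to the set of VO groups it appears under."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if m:  # malformed lines grant nothing
            groups.setdefault(m.group("dn"), set()).add(m.group("group"))
    return groups


def parse_accessfile(text):
    """Return (path, group, allowed-mode letters) rules, in file order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and not parts[0].startswith("#"):
            rules.append((parts[0].rstrip("/") or "/", parts[1], set(parts[2])))
    return rules


def isallowed(dn, resource, mode, gridmap, rules):
    """True only if some rule covers the resource (exact path or a parent
    directory), names a group the DN is mapped to, and grants every letter
    of the requested mode (r=read, l=list, w=write, d=delete)."""
    my_groups = gridmap.get(dn)
    if not my_groups:  # DN absent from grid-mapfile: deny, never fall through
        return False
    res = resource.rstrip("/") or "/"
    for path, group, modes in rules:
        covers = res == path or res.startswith(path + "/")
        if covers and group in my_groups and set(mode) <= modes:
            return True
    return False
```

The prefix test deliberately requires a "/" after the rule path, so a rule for /myfed/S3-Atlas does not also cover a sibling such as /myfed/S3-Atlasx.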

grid-mapfile generation

  • needs a list of VOMS servers in config files
    • e.g. /etc/edg-mkgridmap-atlas-prod.conf contains 2 lines:
      • group vomss://lcg-voms2.cern.ch:8443/voms/atlas?/atlas/Role=production atlas-prod
        group vomss://voms2.cern.ch:8443/voms/atlas?/atlas/Role=production atlas-prod
    • create one config file for each VO and each role within each VO
  • create a single file that contains all certificates for all VOs and all roles, e.g. with something like this:
    #!/bin/bash
    
    # build the combined mapping in a temporary file first, so the live
    # /etc/grid-security/grid-mapfile is only replaced once it is complete
    TMPFILE=/tmp/gridmap.out
    rm -f "$TMPFILE"
    touch "$TMPFILE"
    
    # one edg-mkgridmap config file per VO and per role within a VO
    for VO in belle atlas atlas-prod atlas-lcgadmin
    do
     edg-mkgridmap --conf=/etc/edg-mkgridmap-$VO.conf --output=- >>"$TMPFILE"
    done
    
    # merge all VO/role mappings into the grid-mapfile read by the auth module
    sort "$TMPFILE" >/etc/grid-security/grid-mapfile
    

cronjobs and other considerations

  • cronjobs need to be installed for
    • grid-mapfile generation
    • certificate updates
  • if dynafed is used to list also other sites (e.g. DPM/dCache sites), then :
    • register host certificate with the VOs
    • create a voms proxy using the host certificate
    • install cronjob that renews the voms proxy

-- mebert - 2017-05-18

Comments

  • ugr.conf: Files described within the page

META FILEATTACHMENT attachment="ugr.conf" attr="" comment="dynafed config file" date="1495144755" name="ugr.conf" path="ugr.conf" size="914" user="mebert" version="1"
META FILEATTACHMENT attachment="ugrauth_gridmap.py.txt" attr="" comment="python code for certificate based authentication using a grid-mapfile" date="1495144755" name="ugrauth_gridmap.py.txt" path="ugrauth_gridmap.py.txt" size="3151" user="mebert" version="1"
META FILEATTACHMENT attachment="accessfile" attr="" comment="example for the accessfile" date="1495144755" name="accessfile" path="accessfile" size="50" user="mebert" version="1"
META FILEATTACHMENT attachment="zlcgdm-ugr-dav.conf" attr="" comment="http ssl config for dynafed" date="1495144755" name="zlcgdm-ugr-dav.conf" path="zlcgdm-ugr-dav.conf" size="3485" user="mebert" version="1"