create new tag
view all tags

Dynafed installation and user authentication

copy tools tested with dynafed can be found here

manual installation

  • start with minimal CentOS 7
  • enable repos:
    • epel-release
    • egi
    • wlcg
  • install:
    • httpd
    • dynafed
    • dynafed-http-plugin
    • dynafed-dmlite-plugin
    • dynafed-dmlite-frontend
    • memcached
    • mod_ssl
    • openssh (update)
    • fetch-crl
    • gridsite
    • edg-mkgridmap
    • lcg-CA
      • all site certificates
  • disable selinux
  • replace /etc/httpd/conf.d/ssl.conf with an empty file
  • change ServerName in /etc/httpd/conf/httpd.conf to the correct one
  • place host certificate and key in /etc/grid-security
    • make sure the permissions are correct
    • remove password from the hostkey file
  • in /etc/ugr/ugr.conf
    • make sure extcache.memcached.ttl is set to the same value as infohandler.itemmaxttl
  • rename /etc/httpd/conf.d/zgridsite.conf in a way that it is read after zlcgdm-ugr-dav.conf
  • delete:
    • /etc/httpd/conf.modules.d/00-dav.conf
  • in /etc/httpd/conf.d/zlcgdm-ugr-dav.conf
    • enable SSL section
    • change port to 8443
    • add
      • LoadModule ssl_module modules/mod_ssl.so
        LoadModule gridsite_module /usr/lib64/httpd/modules/mod_gridsite.so
  • enable service at boot time: httpd and memcached
  • make sure firewall is configured to allow access to port 8443
  • start services: httpd and memcached

automatic install

An Ansible module will be uploaded.

location: ???

adding S3 endpoints

  • create a file ending with ".conf" in /etc/ugr/conf.d/
  • add the endpoint to this file
    •          glb.locplugin[]: libugrlocplugin_s3.so UGR-ID 2 https://s3-SERVER/Bucket
               locplugin.UGR-ID.xlatepfx: /S3-Atlas /
               locplugin.UGR-ID.s3.priv_key: PRIVATE KEY GOES HERE
               locplugin.UGR-ID.s3.pub_key: PUBLIC KEY GOES HERE
               locplugin.UGR-ID.s3.alternate: yes
  • restart httpd and memcached


for clients using voms proxy (not needed if general certificate based authentication is used)

  • add in /etc/ugr/ugr.conf
    • glb.allowgroups[]: /atlas/* /myfed/S3-Atlas rl
  • restart httpd and memcached

This will allow read and listing of everything under /myfed/S3-Atlas for everyone with a valid Atlas voms proxy.
However, the dynafed endpoint will no longer be usable through a web browser even for Atlas users since dynafed by default does not evaluate certificates.

certificate based authentication

  • works only if SSL is enabled
  • DynaFed doesn't support certificate evaluation by default but it allows python based authentication using own modules
    • needs a grid-mapfile
    • in /etc/ugr/conf.d create the file ugrauth_gridmap.py.txt
      • downloaded file needs to be renamed to remove ".txt" at the end
    • add to /etc/ugr/ugr.conf the line:
      glb.authorizationplugin[]: libugrauthplugin_python27.so authplug1 ugrauth_gridmap isallowed
      • depending on OS and python version it needs to be python27 or python26
      • the correct version is in /usr/lib64/ugr/
    • NOTE: IF there are no glb.allow.... directives used then access will be granted (at least in a browser)
      • to activate authorization and deactivate general glb.allow-authorization, add also something like: glb.allowgroups[]: * /noexistent rld
      • important is to have something in there which doesn't exists, just to activate the general authorization system
    • in /etc/grid-security/ create the file accessfile
      • accessfile contains a line per directory and access mode
        • e.g.: /myfed/S3-Atlas atlas rl
          • this will allow everyone registered with Atlas to read and list everything in /myfed/S3-Atlas (and below) using a browser
        • example file
  • restart httpd and memcached

This also works for voms proxy based access on the command line.

grid-mapfile generation

  • needs a list of voms server in config files
    • e.g. /etc/edg-mkgridmap-atlas-prod.conf contains2 lines:
      • group vomss://lcg-voms2.cern.ch:8443/voms/atlas?/atlas/Role=production atlas-prod
        group vomss://voms2.cern.ch:8443/voms/atlas?/atlas/Role=production atlas-prod
    • create one config file for each VO and each role within each VO
  • create a single file that contains all certificates for all VOs and all roles, e.g. with something like this:
    if [ -f $TMPFILE ]
     rm $TMPFILE
    touch $TMPFILE
    for VO in belle belle-prod belle-lcgadmin atlas atlas-prod atlas-lcgadmin
     edg-mkgridmap --conf=/etc/edg-mkgridmap-$VO.conf --output=- >>$TMPFILE
    sort $TMPFILE >/etc/grid-security/grid-mapfile

cronjobs and other considerations

  • cronjobs need to be installed for
    • grid-mapfile generation
    • certificate updates
  • if dynafed is used to list also other sites (e.g. DPM/dCache sites), then :
    • register host certificate with the VOs
    • create a voms proxy using the host certificate
    • install cronjob that renews the voms proxy

-- mebert - 2017-05-18


Topic attachments
I Attachment History Action Size Date Who Comment
Unknown file formatEXT accessfile r1 manage 0.1 K 2017-05-18 - 21:59 UnknownUser example for the accessfile
Unknown file formatconf ugr.conf r1 manage 0.9 K 2017-05-18 - 21:59 UnknownUser dynafed config file
Texttxt ugrauth_gridmap.py.txt r1 manage 3.1 K 2017-05-18 - 21:59 UnknownUser python code for certificate based authentication using a grid-mapfile
Unknown file formatconf zlcgdm-ugr-dav.conf r1 manage 3.4 K 2017-05-18 - 21:59 UnknownUser http ssl config for dynafed
Edit | Attach | Watch | Print version | History: r7 < r6 < r5 < r4 < r3 | Backlinks | Raw View | More topic actions
Topic revision: r7 - 2017-09-11 - mebert
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback