Dynafed installation and user authentication
copy tools tested with dynafed can be found heremanual installation
- start with minimal CentOS 7
- enable repos:
- epel-release
- egi
- wlcg
- install:
- httpd
- dynafed
- dynafed-http-plugin
- dynafed-dmlite-plugin
- dynafed-dmlite-frontend
- memcached
- mod_ssl
- openssh (update)
- fetch-crl
- gridsite
- edg-mkgridmap
- lcg-CA
- all site certificates
- disable selinux
- replace /etc/httpd/conf.d/ssl.conf with an empty file
- change ServerName in /etc/httpd/conf/httpd.conf to the correct one
- place host certificate and key in /etc/grid-security
- make sure the permissions are correct
- remove password from the hostkey file
- in /etc/ugr/ugr.conf
- make sure extcache.memcached.ttl is set to the same value as infohandler.itemmaxttl
- rename /etc/httpd/conf.d/zgridsite.conf in a way that it is read after zlcgdm-ugr-dav.conf
- delete:
- /etc/httpd/conf.modules.d/00-dav.conf
/etc/httpd/conf.modules.d/00-ssl.conf
- /etc/httpd/conf.modules.d/00-dav.conf
- in /etc/httpd/conf.d/zlcgdm-ugr-dav.conf
- enable SSL section
- change port to 8443
- add
- LoadModule ssl_module modules/mod_ssl.so
LoadModule gridsite_module /usr/lib64/httpd/modules/mod_gridsite.so
- LoadModule ssl_module modules/mod_ssl.so
- enable service at boot time: httpd and memcached
- make sure firewall is configured to allow access to port 8443
- start services: httpd and memcached
automatic install
An Ansible module will be uploaded. location: ???adding S3 endpoints
- create a file ending with ".conf" in /etc/ugr/conf.d/
- add the endpoint to this file
-
glb.locplugin[]: libugrlocplugin_s3.so UGR-ID 2 https://s3-SERVER/Bucket locplugin.UGR-ID.xlatepfx: /S3-Atlas / locplugin.UGR-ID.s3.priv_key: PRIVATE KEY GOES HERE locplugin.UGR-ID.s3.pub_key: PUBLIC KEY GOES HERE locplugin.UGR-ID.s3.alternate: yes
-
- restart httpd and memcached
Authentication
for clients using voms proxy (not needed if general certificate based authentication is used)
- add in /etc/ugr/ugr.conf
- glb.allowgroups[]: /atlas/* /myfed/S3-Atlas rl
- restart httpd and memcached
However, the dynafed endpoint will no longer be usable through a web browser even for Atlas users since dynafed by default does not evaluate certificates.
certificate based authentication
- works only if SSL is enabled
- DynaFed doesn't support certificate evaluation by default but it allows python based authentication using own modules
- needs a grid-mapfile
- in /etc/ugr/conf.d create the file ugrauth_gridmap.py.txt
- downloaded file needs to be renamed to remove ".txt" at the end
- add to /etc/ugr/ugr.conf the line:
glb.authorizationplugin[]: libugrauthplugin_python27.so authplug1 ugrauth_gridmap isallowed- depending on OS and python version it needs to be python27 or python26
- the correct version is in /usr/lib64/ugr/
- NOTE: IF there are no glb.allow.... directives used then access will be granted (at least in a browser)
- to activate authorization and deactivate general glb.allow-authorization, add also something like: glb.allowgroups[]: * /noexistent rld
- important is to have something in there which doesn't exists, just to activate the general authorization system
- in /etc/grid-security/ create the file accessfile
- accessfile contains a line per directory and access mode
- e.g.: /myfed/S3-Atlas atlas rl
- this will allow everyone registered with Atlas to read and list everything in /myfed/S3-Atlas (and below) using a browser
- example file
- e.g.: /myfed/S3-Atlas atlas rl
- accessfile contains a line per directory and access mode
- restart httpd and memcached
grid-mapfile generation
- needs a list of voms server in config files
- e.g. /etc/edg-mkgridmap-atlas-prod.conf contains2 lines:
- group vomss://lcg-voms2.cern.ch:8443/voms/atlas?/atlas/Role=production atlas-prod
group vomss://voms2.cern.ch:8443/voms/atlas?/atlas/Role=production atlas-prod
- group vomss://lcg-voms2.cern.ch:8443/voms/atlas?/atlas/Role=production atlas-prod
- create one config file for each VO and each role within each VO
- e.g. /etc/edg-mkgridmap-atlas-prod.conf contains2 lines:
- create a single file that contains all certificates for all VOs and all roles, e.g. with something like this:
#!/bin/bash TMPFILE=/tmp/gridmap.out if [ -f $TMPFILE ] then rm $TMPFILE fi touch $TMPFILE for VO in belle belle-prod belle-lcgadmin atlas atlas-prod atlas-lcgadmin do edg-mkgridmap --conf=/etc/edg-mkgridmap-$VO.conf --output=- >>$TMPFILE done sort $TMPFILE >/etc/grid-security/grid-mapfile
cronjobs and other considerations
- cronjobs need to be installed for
- grid-mapfile generation
- certificate updates
- if dynafed is used to list also other sites (e.g. DPM/dCache sites), then :
- register host certificate with the VOs
- create a voms proxy using the host certificate
- install cronjob that renews the voms proxy
mebert - 2017-05-18
Comments
| I | Attachment | History | Action | Size |
Date | Who | Comment |
|---|---|---|---|---|---|---|---|
 conf |
zlcgdm-ugr-dav.conf | r1 | manage | 3.4 K | 2017-05-18 - 21:59 | UnknownUser | http ssl config for dynafed |
 txt |
ugrauth_gridmap.py.txt | r1 | manage | 3.1 K | 2017-05-18 - 21:59 | UnknownUser | python code for certificate based authentication using a grid-mapfile |
| conf |
ugr.conf | r1 | manage | 0.9 K | 2017-05-18 - 21:59 | UnknownUser | dynafed config file |
| EXT |
accessfile | r1 | manage | 0.1 K | 2017-05-18 - 21:59 | UnknownUser | example for the accessfile |
Site map
Altair web
Create New Topic
Index
Search
Changes
Notifications
RSS Feed
Statistics
Preferences
Account 
Copyright © 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback