Dynafed installation and user authentication
copy tools tested with dynafed can be found here
manual installation
- start with minimal CentOS 7
- enable repos:
- install:
- httpd
- dynafed
- dynafed-http-plugin
- dynafed-dmlite-plugin
- dynafed-dmlite-frontend
- memcached
- mod_ssl
- openssh (update)
- fetch-crl
- gridsite
- edg-mkgridmap
- lcg-CA
- disable selinux
- replace /etc/httpd/conf.d/ssl.conf with an empty file
- change ServerName in /etc/httpd/conf/httpd.conf to the correct one
- place host certificate and key in /etc/grid-security
- make sure the permissions are correct
- remove password from the hostkey file
- in /etc/ugr/ugr.conf
- make sure extcache.memcached.ttl is set to the same value as infohandler.itemmaxttl
- rename /etc/httpd/conf.d/zgridsite.conf in a way that it is read after zlcgdm-ugr-dav.conf
- delete:
- /etc/httpd/conf.modules.d/00-dav.conf
- /etc/httpd/conf.modules.d/00-ssl.conf
- in /etc/httpd/conf.d/zlcgdm-ugr-dav.conf
- enable SSL section
- change port to 8443
- add:
- LoadModule ssl_module modules/mod_ssl.so
- LoadModule gridsite_module /usr/lib64/httpd/modules/mod_gridsite.so
- enable service at boot time: httpd and memcached
- make sure firewall is configured to allow access to port 8443
- start services: httpd and memcached
automatic install
An Ansible module will be uploaded.
location: ???
adding S3 endpoints
- create a file ending with ".conf" in /etc/ugr/conf.d/
- add the endpoint to this file
- restart httpd and memcached
Authentication
for clients using voms proxy (not needed if general certificate based authentication is used)
- add in /etc/ugr/ugr.conf
- glb.allowgroups[]: /atlas/* /myfed/S3-Atlas rl
- restart httpd and memcached
This allows reading and listing of everything under /myfed/S3-Atlas for everyone with a valid Atlas voms proxy.
However, the dynafed endpoint will then no longer be usable through a web browser, even for Atlas users, since dynafed by default does not evaluate certificates.
certificate based authentication
- works only if SSL is enabled
- DynaFed doesn't support certificate evaluation by default, but it allows python-based authentication using custom modules
- needs a grid-mapfile
- in /etc/ugr/conf.d create the file ugrauth_gridmap.py.txt
- the downloaded file needs to be renamed to remove the ".txt" at the end
- add to /etc/ugr/ugr.conf the line:
glb.authorizationplugin[]: libugrauthplugin_python27.so authplug1 ugrauth_gridmap isallowed
- depending on the OS and python version this needs to be python27 or python26
- the available version can be found in /usr/lib64/ugr/
- NOTE: if no glb.allow... directives are used at all, then access will be granted (at least in a browser)
- to activate authorization and deactivate the general glb.allow-based authorization, also add something like: glb.allowgroups[]: * /noexistent rld
- the important part is to have an entry in there referring to something which doesn't exist, just to activate the general authorization system
- in /etc/grid-security/ create the file accessfile
- accessfile contains one line per directory and access mode
- e.g.: /myfed/S3-Atlas atlas rl
- this allows everyone registered with Atlas to read and list everything in /myfed/S3-Atlas (and below) using a browser
- example file
- restart httpd and memcached
This also works for voms proxy based access on the command line.
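As an added illustration (not code from this page or from the Dynafed project) of how a grid-mapfile together with the accessfile format described above can drive an allow decision: the DN is mapped to a group via the grid-mapfile, and a rule for a path also covers everything below it. The sample files are constructed; wiring this into the plugin's isallowed entry point has to follow the example module shipped with the python plugin, whose argument order and return convention are not given on this page.

```python
import shlex

# Constructed sample inputs (not from the page); the real files live under /etc/grid-security/.
GRID_MAPFILE = '''\
"/DC=org/DC=example/OU=people/CN=Alice Example" atlas
"/DC=org/DC=example/OU=people/CN=Bob Example" cms
'''

# One line per directory: path, group, access modes (r and l as on the page; d as in "rld").
ACCESSFILE = '''\
/myfed/S3-Atlas atlas rl
/myfed/S3-Atlas/scratch atlas rld
'''


def parse_gridmap(text):
    """Map each certificate DN to its group; shlex.split handles the quoted DN."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)
        if len(parts) >= 2:
            mapping[parts[0]] = parts[1]
    return mapping


def parse_accessfile(text):
    """Return a list of (path, group, set_of_modes), one per accessfile line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and not line.lstrip().startswith('#'):
            rules.append((parts[0].rstrip('/'), parts[1], set(parts[2])))
    return rules


def covers(rule_path, resource):
    """A rule for /myfed/S3-Atlas covers it and everything below, but not /myfed/S3-Atlas2."""
    return resource == rule_path or resource.startswith(rule_path + '/')


def is_allowed(dn, resource, mode, gridmap, rules):
    """True only if the DN is mapped and some rule for its group covers resource and grants mode."""
    group = gridmap.get(dn)
    if group is None:
        return False  # unmapped DN: deny rather than fall through to an open federation
    return any(covers(path, resource) and grp == group and mode in modes
               for path, grp, modes in rules)
```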
grid-mapfile generation
cronjobs and other considerations
- cronjobs need to be installed for
- grid-mapfile generation
- certificate updates
- if dynafed is also used to list other sites (e.g. DPM/dCache sites), then:
- register host certificate with the VOs
- create a voms proxy using the host certificate
- install cronjob that renews the voms proxy
--
mebert - 2017-05-18
Topic revision: r6 - 2017-07-11 - mebert