Difference between revisions of "HowTo: Configuring gPlazma"
Revision as of 12:59, 6 September 2017
Configuring gPlazma
dCache Authorization by protocol
WebDAV
- htpasswd
Authentication
- JAAS, custom /etc/dcache/jgss.conf
Mapping
- gPlazma Mutator (to convert the LDAP-specific result into dCache internal principals) + NSSwitch (to map the user name to a uid)
NFSv3/NFSv41
Authentication
- Not performed by dCache itself; it is done through the OpenLDAP server.
Mapping
- Username/password is already authenticated through OpenLDAP; NSSwitch is used for the mapping.
GridFTP
Authentication
x509
- Users defined in /etc/grid-security/grid-mapfile.
- /etc/grid-security/grid-mapfile is generated by a grid-mapfile cron job (see crontab -l) which executes the edg-mkgridmap application:
# Puppet Name: grid-mapfile
0 */6 * * * [ ! -f /var/lock/subsys/edg-mkgridmap ] && /usr/sbin/edg-mkgridmap --output=- > /etc/grid-security/grid-mapfile.new && sleep 3 && cat /etc/grid-security/grid-mapfile.new > /etc/grid-security/grid-mapfile
- edg-mkgridmap application can be configured with the /etc/edg-mkgridmap.conf file where:
- You can map VO members by specifying a VOMS service and the affected VO. For example:
group vomss://voms2.cern.ch:8443/voms/lhcb?/lhcb lhcb001
- /etc/grid-mapfile-local is a file used to bootstrap the actual grid-mapfile; it can be used to allow extra DNs or to override some mappings.
voms
- User defined in /etc/grid-security/grid-vorolemap.
Mapping
- gridmap must map the incoming DN to a local user.
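To make the grid-mapfile handling above concrete (the generated file, the local bootstrap/override file, and the gridmap step that resolves an incoming DN to a local user), here is an added example parser; it is not part of this wiki page or of dCache. The DNs and user names are constructed placeholders, and "local entries win over generated ones" is an assumption taken from the page's description of grid-mapfile-local.

```python
"""Parse grid-mapfile entries and resolve an incoming DN to a local user."""
import shlex
from typing import Dict, Optional

# Constructed sample of what edg-mkgridmap could emit for a directive like
# 'group vomss://<voms-host>/voms/lhcb?/lhcb lhcb001' (placeholder DNs, not real users).
GENERATED_MAPFILE = """\
# generated by edg-mkgridmap (constructed sample)
"/DC=example/DC=org/CN=Alice Example" lhcb001
"/DC=example/DC=org/CN=Bob Example" lhcb001
"/DC=example/DC=org/CN=Carol Example" atlas001
"""

# Constructed sample of /etc/grid-mapfile-local: one extra DN and one override.
LOCAL_MAPFILE = """\
"/DC=example/DC=org/CN=Dave Example" dcacheadm
"/DC=example/DC=org/CN=Carol Example" lhcb001
"""


def parse_gridmap(text: str) -> Dict[str, str]:
    """Return {DN: user} for every non-comment line.

    Each line is a double-quoted DN (it may contain spaces) followed by
    whitespace and the local user name. A malformed line raises instead of
    being silently skipped, so a broken mapfile never yields a partial mapping.
    """
    mapping: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # honours the quoted DN
        except ValueError as exc:
            raise ValueError(f"line {lineno}: unbalanced quote ({exc})") from exc
        if len(fields) != 2 or not fields[0].startswith("/"):
            raise ValueError(f"line {lineno}: expected '\"/DN\" user', got {raw!r}")
        dn, user = fields
        mapping[dn] = user
    return mapping


def merge_with_local(generated: Dict[str, str], local: Dict[str, str]) -> Dict[str, str]:
    """Apply the local file on top of the generated one (assumption: local entries win)."""
    merged = dict(generated)
    merged.update(local)
    return merged


def map_dn(mapping: Dict[str, str], dn: str) -> Optional[str]:
    """The gridmap step: an unknown DN maps to nobody (None), never to a default user."""
    return mapping.get(dn)
```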
DCap/GSI-DCap
- Authentication: Plain DCap performs no authentication, so it requires the data to be world-readable and/or world-writable. GSI-DCap
- Mapping: gPlazma Mutator (to convert the LDAP-specific result into dCache internal principals) + NSSwitch (to map the user name to a uid)
XRootD
HTPasswd
- This is intended only for the WebDAV protocol.
x509 Certificates
- This is mostly intended for the WebDAV protocol.
VOMS Certificates
- This is intended for GRID users, mostly using the GridFTP, GSI-DCap and SRM protocols.
JAAS
- This is intended for PIC LDAP users accessing WebDAV.
multimap
- Useful for OIDC authentication (e.g. through Google or INDIGO accounts).