Difference between revisions of "HowTo: Configuring gPlazma"

From Public PIC Wiki
Jump to navigation Jump to search
Line 3: Line 3:
 
=== WebDAV ===
 
=== WebDAV ===
 
* htpasswd
 
* htpasswd
:'''Authentication:''' JAAS, custom ''/etc/dcache/jgss.conf''
+
==== Authentication ====
:'''Mapping:''' glazma Mutator (to convert LDAP specific result to dCache internal principals)  + NSSwitch (to map user name to uid)
+
* JAAS, custom ''/etc/dcache/jgss.conf''
 +
==== Mapping ====
 +
* glazma Mutator (to convert LDAP specific result to dCache internal principals)  + NSSwitch (to map user name to uid)
 
=== NFSv3/NFSv41 ===
 
=== NFSv3/NFSv41 ===
* '''Authentication:''' Not performed in the dCache system, is made through OpenLDAP server.
+
==== Authentication ====
* '''Mapping:''' Username/Password already authenticated through OpenLDAP, NSSwitch for mapping.
+
* Not performed in the dCache system, is made through OpenLDAP server.
 +
==== Mapping ====
 +
* Username/Password already authenticated through OpenLDAP, NSSwitch for mapping.
 
=== GridFTP ===
 
=== GridFTP ===
* '''Authentication:''' users configured in ''/etc/grid-security/grid-mapfile''
+
==== Authentication ====
 +
===== x509 =====
 +
* Users defined in ''/etc/grid-security/grid-mapfile''.
 
:* '''/etc/grid-security/grid-mapfile''' is generated with a ''grid-mapfile'' cron (''crontab -l'') which executes the '''edg-mkgridmap''' application.
 
:* '''/etc/grid-security/grid-mapfile''' is generated with a ''grid-mapfile'' cron (''crontab -l'') which executes the '''edg-mkgridmap''' application.
 
  # Puppet Name: grid-mapfile
 
  # Puppet Name: grid-mapfile
Line 17: Line 23:
 
  group vomss://voms2.cern.ch:8443/voms/lhcb?/lhcb lhcb001
 
  group vomss://voms2.cern.ch:8443/voms/lhcb?/lhcb lhcb001
 
::* '''/etc/grid-mapfile-local''' is a file to bootstrap the actual grid-mapfile and can be used to allow extra DNs or override some mappings
 
::* '''/etc/grid-mapfile-local''' is a file to bootstrap the actual grid-mapfile and can be used to allow extra DNs or override some mappings
* '''Mapping:''' ''gridmap'' must is map the incoming DN to a local user
+
===== voms =====
 +
* User defined in ''/etc/grid-security/grid-vorolemap''.
 +
==== Mapping ====
 +
* ''gridmap'' must is map the incoming DN to a local user
 
=== DCap/GSI-DCap ===
 
=== DCap/GSI-DCap ===
 +
:'''Authentication:''' Plain DCap with no authentication, but requires world readable and/or writable. GSI-DCap
 +
:'''Mapping:''' glazma Mutator (to convert LDAP specific result to dCache internal principals)  + NSSwitch (to map user name to uid)
 
=== XRootD ===
 
=== XRootD ===
  

Revision as of 12:59, 6 September 2017

Configuring gPlazma

dCache Authorization by protocol

WebDAV

  • htpasswd

Authentication

  • JAAS, custom /etc/dcache/jgss.conf

Mapping

  • glazma Mutator (to convert LDAP specific result to dCache internal principals) + NSSwitch (to map user name to uid)

NFSv3/NFSv41

Authentication

  • Not performed in the dCache system, is made through OpenLDAP server.

Mapping

  • Username/Password already authenticated through OpenLDAP, NSSwitch for mapping.

GridFTP

Authentication

x509
  • Users defined in /etc/grid-security/grid-mapfile.
  • /etc/grid-security/grid-mapfile is generated with a grid-mapfile cron (crontab -l) which executes the edg-mkgridmap application.
# Puppet Name: grid-mapfile
0 */6 * * * [ ! -f /var/lock/subsys/edg-mkgridmap ] && /usr/sbin/edg-mkgridmap --output=- > /etc/grid-security/grid-mapfile.new && sleep 3 && cat /etc/grid-security/grid-mapfile.new > /etc/grid-security/grid-mapfile
  • edg-mkgridmap application can be configured with the /etc/edg-mkgridmap.conf file where:
  • You can map VO members by specifying a VOMS service and the affected VO. In example:
group vomss://voms2.cern.ch:8443/voms/lhcb?/lhcb lhcb001
  • /etc/grid-mapfile-local is a file to bootstrap the actual grid-mapfile and can be used to allow extra DNs or override some mappings
voms
  • User defined in /etc/grid-security/grid-vorolemap.

Mapping

  • gridmap must is map the incoming DN to a local user

DCap/GSI-DCap

Authentication: Plain DCap with no authentication, but requires world readable and/or writable. GSI-DCap
Mapping: glazma Mutator (to convert LDAP specific result to dCache internal principals) + NSSwitch (to map user name to uid)

XRootD

HTPasswd

  • This is intended only for the WebDAV protocol.

x509 Certificates

  • This is mostly intented for the WebDAV protocol.

VOMS Certificates

  • This is intented for GRID Users, mostly using GridFTP, GSI-DCap & SRM protocols.

JAAS

  • This is intended for PIC LDAP users accessing to WebDAV.

multimap

  • Useful for OIDC authentication (i.e. through Google or INDIGO Accounts)