dcache Introduction Course

Similar documents
dcache Introduction Course

Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

Prototype DIRAC portal for EISCAT data Short instruction

MyProxy Server Installation

The German National Analysis Facility What it is and how to use it efficiently

Troubleshooting Grid authentication from the client side

Grid Security Infrastructure

Copyright

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

Introduction to Programming and Computing for Scientists

Using the MyProxy Online Credential Repository

How to Set Up External CA VPN Certificates

Scientific data management

dcache: challenges and opportunities when growing into new communities Paul Millar on behalf of the dcache team

EI 338: Computer Systems Engineering (Operating Systems & Computer Architecture)

Introduction Data Management Jan Just Keijser Nikhef Grid Tutorial, November 2008

SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES

dcache-view Olufemi S. Adeyemi On behalf of the project team INDIGO DataCloud

Guidelines on non-browser access

glite Grid Services Overview

vcenter Server Appliance Configuration Update 1 Modified on 04 OCT 2017 VMware vsphere 6.5 VMware ESXi 6.5 vcenter Server 6.5

VOMS Support, MyProxy Tool and Globus Online Tool in GSISSH-Term Siew Hoon Leong (Cerlane) 23rd October 2013 EGI Webinar

Linux Administration

4. Note: This example has NFS version 3, but other settings such as NFS version 4 may also work better in some environments.

Part Four - Storage Management. Chapter 10: File-System Interface

Introduction to Grid Computing!

A QUICK INTRODUCTION TO VOMS

and the GridKa mass storage system Jos van Wezel / GridKa

Grid services. Enabling Grids for E-sciencE. Dusan Vudragovic Scientific Computing Laboratory Institute of Physics Belgrade, Serbia

SAS Viya 3.4 Administration: Using the Command-Line Interfaces

dcache NFSv4.1 Tigran Mkrtchyan Zeuthen, dcache NFSv4.1 Tigran Mkrtchyan 4/13/12 Page 1

EUROPEAN MIDDLEWARE INITIATIVE

DELL EMC UNITY: DR ACCESS AND TESTING. Dell EMC Unity OE 4.3

Configure Recorder in CMS/Acano Call Bridge

Xcalar Installation Guide

1 Login AppServ Hosting Control System

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Using vrealize Operations Tenant App as a Service Provider

DELL EMC UNITY: DR ACCESS AND TESTING. Dell EMC Unity OE 4.5

Leveraging Globus Identity for the Grid. Suchandra Thapa GlobusWorld, April 22, 2016 Chicago

SLCS and VASH Service Interoperability of Shibboleth and glite

Architecture Proposal

The National Analysis DESY

Chapter 10: File-System Interface

Running Kmeans Spark on EC2 Documentation

Ftp Command Line Manual Windows User Password

You will save an Auto Server Setup file and use it in the next exercise.

Chapter 10: File-System Interface

Introduction to SciTokens

On-demand target, up and running

Outline. Cgroup hierarchies

dcache integration into HDF

Forschungszentrum Karlsruhe in der Helmholtz-Gemeinschaft. Presented by Manfred Alef Contributions of Jos van Wezel, Andreas Heiss

Network File System (NFS)

Network File System. Network File System (NFS) NFS Advantages. Network File System Disadvantages

NorduGrid Tutorial. Client Installation and Job Examples

This PDF Document was generated for free by the Aloaha PDF Suite If you want to learn how to make your own PDF Documents visit:

Grid Computing. MCSN - N. Tonellotto - Distributed Enabling Platforms

CS 470 Spring Distributed Web and File Systems. Mike Lam, Professor. Content taken from the following:

Interfacing Operational Grid Security to Site Security. Eileen Berman Fermi National Accelerator Laboratory

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Globus Installation Procedure

vcenter Server Appliance Configuration Modified on 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7

Agent Teamwork Research Assistant. Progress Report. Prepared by Solomon Lane

Gridbus Portlets -- USER GUIDE -- GRIDBUS PORTLETS 1 1. GETTING STARTED 2 2. AUTHENTICATION 3 3. WORKING WITH PROJECTS 4

Security Provider Integration: Kerberos Server

VMware Identity Manager Administration

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 3.1 and 3.1.1

Lecture 10 File Systems - Interface (chapter 10)

LCG User Registration & VO management

DiGS (Version 3.1) Setup Guide

CS 470 Spring Distributed Web and File Systems. Mike Lam, Professor. Content taken from the following:

UNIX Quick Reference

Migrating vrealize Automation 6.2 to 7.2

Exploring UNIX: Session 3

Veritas NetBackup Appliance Security Guide

ALICE Grid/Analysis Tutorial Exercise-Solutions

Sides Colour Coding. Applies to both Xp and Windows 7. Applies to Xp only. Applies to Vista and Windows 7 only

FUSION REGISTRY COMMUNITY EDITION SETUP GUIDE VERSION 9. Setup Guide. This guide explains how to install and configure the Fusion Registry.

UNIX File Hierarchy: Structure and Commands

Outline. Cgroup hierarchies

NetBackup Copilot for Oracle Configuration Guide. Release 2.7.1

Beob Kyun KIM, Christophe BONNAUD {kyun, NSDC / KISTI

Galigeo for Cognos Analytics Installation Guide - G experience

2. HDF AAI Meeting -- Demo Slides

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 2.7.2

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 2.7.3

Understanding StoRM: from introduction to internals

Globus Toolkit Manoj Soni SENG, CDAC. 20 th & 21 th Nov 2008 GGOA Workshop 08 Bangalore

Genesys Security Deployment Guide. What You Need

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Introduction. Let s start with the first set of slides

HPE ALM Excel Add-in. Microsoft Excel Add-in Guide. Software Version: Go to HELP CENTER ONLINE

Using SSL to Secure Client/Server Connections

User Authentication Principles and Methods

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

SAML-Based SSO Configuration

DSIT WP1 WP2. Federated AAI and Federated Storage Report for the Autumn 2014 All Hands Meeting

GROWL Scripts and Web Services

Transcription:

GRIDKA SCHOOL 2013 KARLSRUHER INSTITUT FÜR TECHNOLOGIE KARLSRUHE August 29, 2013 dcache Introduction Course Overview Chapters I, II and Ⅴ Christoph Anton Mitterer christoph.anton.mitterer@lmu.de

ⅤIII. Examples And Exercises Christoph Anton Mitterer Slide 2

Conventions The following conventions are used: Lines starting with $ are entered within a POSIX-sh-compatible shell. These are typically done on the client-side. Lines starting with # are entered within a POSIX-sh-compatible shell, with the effective user-id and group-id being 0 ( root-rights ). These are typically done on the server-side. Lines starting with (location) > are entered within dcache s administration interface with location as the current location. Standard input is written black, standard output grey and standard error red. Christoph Anton Mitterer Slide 3

5. Access Control Christoph Anton Mitterer Slide 4

Devising A Real World Scenario The following defines a real world scenario that will be used through the following exercises: All the users have unique grid certificates with distinct DNs. All users are members to the dech-vo (via their grid certificates). Some users have the production-role for that VO. There are two classes of files to be stored: normal files These are normal files from the users, for example personal data. production files These are files used with an important production-system (for example an automated service that is critical for the organisation). All users should be allowed to read all files. Only users that are a member of the dech-vo should be allowed to write to normal files and directories. Only users also having the production-role should be allowed to write to production files and directories. Christoph Anton Mitterer Slide 5

Preparations Since X.509 proxy certificates with FQANs are used in these exercises to demonstrate access control, access protocols (and thus doors) need to be used that support them. This is currently the case for WebDAV, GridFTP ( gsiftp ) and gsidcap. NFS 4.1 does not directly support X.509-based authentication. 1. Enable the gridftp- and gsidcap-services ( doors ) in the layout-configuration-file on a node of the cluster: [gridftpdomain] [gridftpdomain/gridftp] [gsidcapdomain] [gsidcapdomain/gsidcap] Of course, any domains can be used. 2. Start the doors: # dcache start gridftpdomain # dcache start gsidcapdomain Christoph Anton Mitterer Slide 6

Preparations Further, in order to simplify user-mapping and authentication with NFS 4.1, without the need to set up Kerberos, the following special settings are applied: 3. Enable numerical principal mapping via the following setting in the dcache-configuration-file on at least those node(s) of the cluster, that have a NFS 4.1-door: nfs.idmap.legacy=true Simply said, the effect is that the NFS 4.1-door (the server ) takes the numeric (UNIX) User IDs and Group IDs from the client as is, without trying to do any NFS ID mapping. 4. Verify that root squashing is disabled for the respective exports in the NFS server export table (/etc/ exports) by having the option no_root_squash set, for example: /export address(no_root_squash[, ]) 5. Unmount any mounted NFS-exports. 6. Restart the NFS 4.1-door. 7. Re-mount the NFS-exports. Christoph Anton Mitterer Slide 7

E1: Enabling gplazma And Basic Configuration The goal of this exercise is to enable the gplazma-service and set up its basic configuration. 1. Verify that the following service is enabled in the layout-configuration-file on a node of the cluster: [gplazmadomain] [gplazmadomain/gplazma] Of course, any domain can be used. 2. Verify that the CA- and VOMS-root-certificates, that should be used and trusted, are present and configured in /etc/ grid-security/ certificates/ and /etc/ grid-security/ vomsdir respectively. 3. The other general gplazma configuration-options need not to be touched. 4. In this and the following exercises, a combination of the x509, voms, vorolemap, and authzdb plug-ins shall be used, as described in chapter V. Christoph Anton Mitterer Slide 8

E1: Enabling gplazma And Basic Configuration 5. Configure the plug-ins in the gplazma plug-in configuration file (per default found at / etc/ dcache/ gplazma.conf): auth optional x509 auth optional voms map optional vorolemap map requisite authzdb session requisite authzdb Remove any other (especially the default) entries 6. Try to understand this configuration. 7. Other plug-in-specific configuration-options in the dcache configuration files need not to be touched. 8. Restart the gplazma-service: # dcache restart gplazmadomain Christoph Anton Mitterer Slide 9

E2: Creating The grid-vorolemap-file The goal of this exercise is to create a grid-vorolemap-file with mappings that fit to the real world scenario. 1. Create the file /etc/ grid-security/ grid-vorolemap with the following contents: "*" "/dech" dech_normal "*" "/dech/role=production" dech_production This has the following semantic meanings: Certificates with any DN and the FQAN /dech will be mapped to the virtual user-name dech_normal. Certificates with any DN and the FQAN /dech/role=production will be mapped to the virtual user-name dech_production. If a certificate has both FQANs attached it is mapped to both virtual user-names. Christoph Anton Mitterer Slide 10

E3: Creating The storage-authzdb-file The goal of this exercise is to create a storage-authzdb-file with mappings that fit to the real world scenario. 1. Create the file /etc/ grid-security/ storage-authzdb with the following contents: version 2.1 authorize dech_normal read-write 1000 1000 / / / authorize dech_production read-write 1001 1000 / / / This has the following semantic meanings: The virtual user-name dech_normal is mapped to the actual UNIX user-id 1000 ( dech ) and the actual UNIX group-id 1000 ( dech ). The virtual user-name dech_production is mapped to the actual UNIX user-id 1001 ( dech_prod ) and the actual UNIX group-id 1000 ( dech ). For both, the allowed access-mode is not generally restricted to read-only. Christoph Anton Mitterer Slide 11

E4: Generating ⅤOMS Proxy Certificates The goal of this exercise is to show how to generate VOMS proxy certificates. 1. Optionally, read the documentation to the voms-proxy-init, voms-proxy-destroy and voms-proxy-info programs. 2. Create a plain proxy certificate with membership to the dech-vo via: $ voms-proxy-init -voms dech:/dech Here, dech specifies the VOMS-server to be used, while /dech specifies the FQAN to be requested. The following is more or less equivalent (it actually lets the server decide which FQANs he assigns) but shorter: $ voms-proxy-init -voms dech 3. Analyse that proxy certificate via: $ voms-proxy-info --all 4. Optionally, destroy the proxy certificate via: $ voms-proxy-destroy Christoph Anton Mitterer Slide 12

E4: Generating ⅤOMS Proxy Certificates 5. Create a proxy certificate with membership to the dech-vo and the production-role via: $ voms-proxy-init -voms dech:/dech/role=production When analysing that proxy certificate it should be noted, that it got both FQANs attached by the VOMS-server: attribute : /dech/role=production/capability=null attribute : /dech/role=null/capability=null It should also be noted, that the attached FQANs have an order, which might have an influence at further actions using that proxy certificate (the order can be changed via voms-proxy-init s -order-parameter). 6. Optionally, create a proxy certificate with membership to the dech-vo and multiple roles via: $ voms-proxy-init -voms dech:/dech/role=production -voms dech:/dech/role=gks 7. Destroy the proxy certificate. Christoph Anton Mitterer Slide 13

E5: Checking The Mappings The goal of this exercise is to see how different combinations of DNs and FQANs are mapped to different actual UNIX user-ids and group-ids. 1. Log in to dcache s administration interface and connect to the gplazma-cell via: (local) > cd gplazma 2. Check the mappings for different combinations of DNs and FQANs via: (gplazma) > test login principal [principal]* For example: (gplazma) > test login "dn:/c=de/o=germangrid/ou=dech-school/cn=gs001" "fqan:/dech" Login[dech_normal,1000:[1000],[ReadWrite, HomeDirectory[/], RootDirectory[/]]] (gplazma) > test login "dn:/c=de/o=germangrid/ou=dech-school/cn=gs001" "fqan:/dech/role=production" Login[dech_production,1001:[1000],[ReadWrite, HomeDirectory[/], RootDirectory[/]]] (gplazma) > test login "dn:/c=de/o=germangrid/ou=dech-school/cn=gs001" CacheException(rc=10018;msg=login failed) 3. It should be noted, that mappings without an FQAN fail. This is desired, as the grid-vorolemap-file set up before does not map single DNs ( explicit-dn-matches ). Actually, any DN with one of the matching FQANs will lead to a mapping. Christoph Anton Mitterer Slide 14

E5: Checking The Mappings 4. Try out the explain login command, which takes the same arguments than test login but gives more detailed output on how gplzama s plug-ins decide. Christoph Anton Mitterer Slide 15

E6: Trying Out Access Control The goal of this exercise is to actually try out access control by writing files to the cluster. 1. Create two directories that will be used as write-areas via: # mkdir -p /data/ exp1/ access_control/ normal # mkdir -p /data/ exp1/ access_control/ production These directories were created with the traditional POSIX file permission modes rwxr xr x and are thus readable by anyone but writeable only by their respective owning users. 2. Set the owning user and group so that one of the directories is owned by the normal user and the other one by the production user via: # chown 1000:1000 /data/ exp1/ access_control/ normal # chown 1001:1000 /data/ exp1/ access_control/ production The user-ids and group-ids used above correspond to those that were set in the storage-authzdb-file. 3. Understand, that (unless the Name Service Switch is used) it is not necessary at all for dcache, that UNIX users and groups with the corresponding IDs exist. It is however useful for many POSIX programs. Christoph Anton Mitterer Slide 16

E6: Trying Out Access Control 4. Repeat the following with different VOMS proxy certificates and for different write-areas : 1. Create a VOMS proxy certificate (as described in E4) with zero or more FQANs. 2. With an GSI-secured client, try to upload a file into one of the write-areas, for example via one of the following: Using gsidcap, where the pool-node initiates the data-connection to the client-node: $ dccp /bin/ sh gsidcap:// door-hostname/ data/ exp1/ access_control/ [normal production]/ test1 Using gsidcap, where the client-node initiates the data-connection to the pool-node: $ dccp -A /bin/ sh gsidcap:// door-hostname/ data/ exp1/ access_control/ [normal production]/ test2 Using GridFTP: $ globus-url-copy file:// /bin/ sh gsiftp:// door-hostname/ data/ exp1/ access_control/ [normal production]/ test3 You should see some successful and some denied transfers, depending on your selected proxy certificate and write-area. Christoph Anton Mitterer Slide 17

Finis coronat opus. Christoph Anton Mitterer

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback