FP6-2004-Infrastructures-6 - SSA - 026409
www.eu-eela.org
E-infrastructure shared between Europe and Latin America

AMGA Server Installation and configuration

Tony Calanducci
INFN Catania

Third EELA Tutorial for Managers and Users
Rio de Janeiro, 26-30 June 2006

Outline

- How to install an AMGA Server
- AMGA Server Configuration
- Reference
Installation requirements

- Start from a fresh install of SLC 3.0.x
- Verify that apt is installed and properly configured:
    rpm -qa | grep apt
  Install apt if necessary.
- Create a /etc/apt/source.list.d/egee-ca.list file with this line:
    rpm http://grid018.ct.infn.it/rep glite_sl3-i386 security
- Run apt-get update
- Configure ntpd as illustrated in the SysAdmin Intro tutorial

Security pre-requisites

- Install the RPMs of all the CAs supported by EGEE:
    apt-get install lcg-CA
- If you plan to use certificates released by CAs not supported by EGEE, be sure that their public key, signing policy and CRLs (usually distributed with an rpm) are installed in /etc/grid-security/certificates.
  For the VO GILDA, the RPM is available at
    https://gilda.ct.infn.it/RPMS/ca_GILDA-1.0-2.i386.rpm
- Additionally install the RPMs of the GILDA and EELA VOMS:
    https://gilda.ct.infn.it/RPMS/edg-voms-vo-gilda-1.0-0.noarch.rpm
    https://gilda.ct.infn.it/RPMS/lcg-voms-vo-eela_1.0-0_noarch.rpm

Security pre-requisites (II)

- Download and install the edg-utils-system RPM from:
    http://grid018.ct.infn.it/rep/glite_sl3-i386/RPMS/edg-utils-system-1.8.2-1_sl3.noarch.rpm
- Edit /etc/cron.d/edg-fetch-crl to look like:
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    39 2,8,14,20 * * * root /opt/edg/etc/cron/edg-fetch-crl-cron >> /var/log/edg-fetch-crl-cron.log 2>&1
- Request an X509 host certificate for the AMGA Server you are going to install from a Certification Authority (CA). For example, to get host certificates from the GILDA CA, go to:
    https://gilda.ct.infn.it/CA/mgt/restricted/srvreq.php
- Install the host certificate and key (hostcert.pem and hostkey.pem) in /etc/grid-security:
    chmod 644 hostcert.pem
    chmod 400 hostkey.pem
AMGA Server and Client RPMs

- The following packages are necessary to use AMGA and must be installed first: unixODBC, libxml2 and Boost-lib. You can get the packages via
    apt-get install unixODBC
    apt-get install libxml2
    apt-get install boost
- Download and install the latest AMGA server and client from the AMGA download directory (http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/):
    http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/glite-amga-server-1.2.3-1.SLC3.i386.rpm
    http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/glite-amga-cli-1.2.3-1.SLC3.i386.rpm

DB and ODBC installation

- You also need a database and the appropriate ODBC driver. AMGA currently supports 4 different database backends via ODBC drivers (PostgreSQL, MySQL, Oracle and SQLite).
- Install the PostgreSQL that comes with SLC with:
    apt-get install rh-postgresql-server rh-postgresql
- Install a PostgreSQL ODBC driver (at least version 08.01.0200). Download it from:
    http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/amga-odbc.tar.gz
  Just run the INSTALL.sh script after unpacking.
- NB: don't use the postgresql-odbc package that comes with SLC. It's too old and AMGA will not work with it.


PostgreSQL configuration

- Initialize the DB configuration:
    /etc/init.d/rhdb start
    /etc/init.d/rhdb stop
- Uncomment the following line and set the parameter to true in /var/lib/pgsql/data/postgresql.conf:
    tcpip_socket = true
  This is needed to enable the TCP/IP connections used by the ODBC driver.
- Add the following lines to /var/lib/pgsql/data/pg_hba.conf:
    host   metadata  arda  127.0.0.1  255.255.255.255  trust
    local  metadata  arda                               trust
  (These rules authorize the arda db user to connect to the metadata db from the loopback address and the local socket; the trust method accepts such connections without asking for a password.)
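As an added example (not part of the tutorial), the following Python parses pg_hba.conf rules of the kind added above and flags any "trust" rule that reaches beyond the local socket or the loopback address, since "trust" lets a client in with no password at all. The sample rules are constructed; the field layout follows pg_hba.conf (TYPE DATABASE USER [ADDRESS [MASK]] METHOD).

```python
# Added example: audit pg_hba.conf "trust" rules. The two slide rules are
# safe because they are confined to loopback / the local socket; a rule
# that trusts a whole network would let anyone there open the metadata db.
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "127.0.0.1/32", "::1", "::1/128"}
HOST_TYPES = ("host", "hostssl", "hostnossl")

def parse_pg_hba(text: str) -> List[Dict[str, str]]:
    """Return one dict per rule line; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local" and len(f) >= 4:
            rules.append({"type": "local", "db": f[1], "user": f[2],
                          "addr": "", "mask": "", "method": f[3]})
        elif f[0] in HOST_TYPES and len(f) >= 6:      # ADDRESS MASK METHOD
            rules.append({"type": f[0], "db": f[1], "user": f[2],
                          "addr": f[3], "mask": f[4], "method": f[5]})
        elif f[0] in HOST_TYPES and len(f) == 5:      # ADDRESS/CIDR METHOD
            rules.append({"type": f[0], "db": f[1], "user": f[2],
                          "addr": f[3], "mask": "", "method": f[4]})
    return rules

def risky_trust_rules(rules):
    """Trust rules that admit clients other than local-socket or loopback ones."""
    risky = []
    for r in rules:
        if r["method"] != "trust" or r["type"] == "local":
            continue
        if r["addr"] in LOOPBACK and r["mask"] in ("", "255.255.255.255"):
            continue
        risky.append(r)
    return risky

# Constructed sample: the two rules from the slide plus one that a careless
# edit might add, opening the metadata db to the whole 10.0.0.0/8 network.
SAMPLE_PG_HBA = """\
# TYPE DATABASE USER ADDRESS MASK METHOD
host   metadata arda 127.0.0.1 255.255.255.255 trust
local  metadata arda trust
host   metadata arda 10.0.0.0 255.0.0.0 trust
"""

if __name__ == "__main__":
    for r in risky_trust_rules(parse_pg_hba(SAMPLE_PG_HBA)):
        print("password-less access beyond loopback:", r["type"], r["addr"], r["mask"])
```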

PostgreSQL configuration (II)

- Start PostgreSQL again:
    /etc/init.d/rhdb start
- Create the DB user arda, allowing him to create new DBs:
    su postgres -c 'createuser -d -A arda'
- Create the Unix user arda:
    adduser arda
- Let the arda user create the metadata DB:
    su arda -c 'createdb metadata'
- Allow stored procedures for the metadata db:
    su postgres -c 'createlang -d metadata plpgsql'

ODBC driver configuration

- The ODBC data source is created by appending the following lines to /etc/odbc.ini:
    [PSQL]
    Description = AMGA metadata catalogue database
    Driver      = PostgreSQL
    Trace       = No
    TraceFile   = /tmp/metadata/odbc.log
    Database    = metadata
    Servername  = localhost
    Port        = 5432
    ReadOnly    = No
- Double check /etc/odbcinst.ini, ensuring it contains the proper settings for the PostgreSQL ODBC driver (it should have been configured by INSTALL.sh during the installation).


ODBC Testing and metadata DB creation

- To test if the ODBC was set up correctly you can use the generic unixODBC CLI tool:
    isql PSQL metadata
- Now you can initialize the database using the createInitialXXX.sql scripts (where XXX has to be replaced with the DB of your choice), which you will find in /opt/glite/share/doc/glite-amga-server-1.2.3/:
    su arda
    psql metadata < /opt/glite/share/doc/glite-amga-server-1.2.3/createInitialPG.sql
- If you also want to use ACLs per entry, you need to create some stored procedures too, with:
    psql metadata < /opt/glite/share/doc/glite-amga-server-1.2.3/proceduresPSQL.sql


AMGA initial configuration

- /etc/mdserver.conf contains all the variables you need to set up and fine tune the AMGA server. By default it configures AMGA with no authentication checks.
- Start the AMGA server with:
    /etc/init.d/mdservice start
- The AMGA server daemon should be listening on port 8822:
    lsof -i | grep 8822
    mdserver 13856 root 6u IPv4 27296 TCP *:8822 (LISTEN)
    mdserver 13857 root 6u IPv4 27296 TCP *:8822 (LISTEN)
    mdserver 13860 root 6u IPv4 27296 TCP *:8822 (LISTEN)


AMGA testing

- Log in to a User Interface where the AMGA Client tools are installed. You can check it with:
    rpm -qa | grep -i amga
- Copy the AMGA client template config file from /etc/mdclient.config to your home as .mdclient.config:
    cp /etc/mdclient.config $HOME/.mdclient.config
- Edit the Host variable, filling it with the right hostname, and ensure the Login one equals root.
- Connect to the AMGA server using the AMGA mdclient tool:
    $ mdclient
    Connecting to amgarm3.trigrid.it:8822...
    ARDA Metadata Server 1.2.3
    Query> whoami
    >> root
    Query>



Create a root user

- Inside the mdclient shell, create the root user (also called 'role' inside AMGA) with:
    Query> user_create root
- Bind the AMGA root role to the subject of the AMGA administrator (you in this case):
    Query> user_subject_add root 'C = IT, O = GILDA, OU = Personal Certificate, L = INFN Catania, CN = Tony Calanducci, emailAddress = tony.calanducci@ct.infn.it'
  You can get it by:
    openssl x509 -in usercert.pem -subject -noout -nameopt oneline
- You can also define an AMGA root password, if you plan to enable password authentication too, with:
    Query> user_password_change root 'bondia'

Enabling Certificate Authentication

- Edit /etc/mdserver.config on the AMGA server and change the following variables:
    UseSSL = 1
    RequireAuthentication = 1
    AllowCertificateAuthentication = 1
    CertFile = /etc/grid-security/hostcert.pem
    KeyFile = /etc/grid-security/hostkey.pem
    TrustedCertDir = /etc/grid-security/certificates
    AllowGridProxyLogin = 1
    MyProxyHack = 1
- Enable the users from the VOs you want to give access to:
    VirtualOrganizations = gilda(gilda), eela(eela)
    VOGroupMap = gilda:/gilda(gilda:users), eela(eela:users)
- Restart the AMGA server with
    /etc/init.d/mdserver restart
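As an added example (not from the tutorial or the AMGA project), the following Python checks an mdserver.config against the settings this slide and the earlier host-key step require: it reports which of the certificate-authentication variables are still unset or wrong, i.e. whether the server is still in the state where clients are accepted without authentication, and whether hostkey.pem carries the chmod 400 mode. The "Key = value" line format with "#" comments is an assumption; the variable names and paths are the slide's own.

```python
# Added example: audit mdserver.config for the certificate-authentication
# settings and the host key permissions. The file format (one "Key = value"
# per line, "#" starting a comment) is assumed, not taken from AMGA docs.
import stat
from typing import Dict, List

REQUIRED = {  # value the tutorial sets for each variable
    "UseSSL": "1", "RequireAuthentication": "1",
    "AllowCertificateAuthentication": "1",
    "CertFile": "/etc/grid-security/hostcert.pem",
    "KeyFile": "/etc/grid-security/hostkey.pem",
    "TrustedCertDir": "/etc/grid-security/certificates",
}

def parse_config(text: str) -> Dict[str, str]:
    """Key -> value mapping; a later assignment overrides an earlier one."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit_config(text: str) -> List[str]:
    """Settings that differ from the certificate-authentication setup."""
    cfg = parse_config(text)
    return [f"{key}: expected {want!r}, found {cfg.get(key)!r}"
            for key, want in REQUIRED.items() if cfg.get(key) != want]

def hostkey_mode_ok(mode: int) -> bool:
    """hostkey.pem must be readable by its owner only (chmod 400)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0

# Constructed sample: a half-edited config where SSL is on but
# RequireAuthentication was left at 0, so the server still accepts anyone.
SAMPLE_CONFIG = """\
UseSSL = 1
RequireAuthentication = 0   # must become 1
AllowCertificateAuthentication = 1
CertFile = /etc/grid-security/hostcert.pem
KeyFile = /etc/grid-security/hostkey.pem
TrustedCertDir = /etc/grid-security/certificates
"""

if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE_CONFIG)))
    print("hostkey 0400 ok:", hostkey_mode_ok(0o400), "0644 ok:", hostkey_mode_ok(0o644))
```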


Test the VOMS proxy authentication

- Log in to the UI and edit $HOME/.mdclient.config:
    Login = NULL
    UseSSL = require
    AuthenticateWithCertificate = 1
    UseGridProxy = 1
- Initialize your proxy, asking for membership of one of the enabled VOs (gilda for example).
- Start the mdclient tool. You should be authenticated as the gilda user (role) belonging to the gilda:users group:
    $ mdclient
    Connecting to amgarm3.trigrid.it:8822...
    ARDA Metadata Server 1.2.3
    Query> whoami
    >> gilda
    Query> grp_member
    >> gilda:users


Set up a collection per VO

- Initialize the VOMS proxy with the user defined as root.
- Change the previous $HOME/.mdclient.config to log in as root.
- Start the mdclient. You should be authenticated as root (by your subject):
    $ mdclient
    Connecting to amgarm3.trigrid.it:8822...
    ARDA Metadata Server 1.2.3
    Query> whoami
    >> root
- Create a root collection for each VO you support. You can also create specific collections to support specific roles or applications:
    createdir /gilda
    createdir /eela


Set up collections for VOs (II)

- Anyone will be allowed to read the new collections, but we also want to grant write permissions to the VO users:
    Query> acl_show /gilda
    >> root rwx
    >> system:anyuser rx
    Query> acl_add /gilda gilda:users rwx
    Query> acl_show gilda
    >> root rwx
    >> gilda:users rwx
    >> system:anyuser rx
- You could achieve the same result by changing the ownership of the /gilda collection with
    chown /gilda gilda
- If you don't want to allow others to read inside the /gilda collection, remove the system:anyuser group from the ACLs:
    Query> acl_remove /gilda/ system:anyuser
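As an added example (not from the tutorial or AMGA), the following Python parses the acl_show output above and works out what a given role may do on /gilda before and after the acl_remove of system:anyuser. The assumed model is that each entry is "<role-or-group> <perms>", that system:anyuser matches every role, and that the effective permission is the union of all matching entries; AMGA's actual evaluation rules are not stated on the slide.

```python
# Added example: evaluate the ACL entries shown by "acl_show" under an
# assumed union-of-matching-entries model (AMGA's real rules are not on the
# slide), to show what acl_add / acl_remove change for each kind of user.
from typing import Dict, Set

ANYUSER = "system:anyuser"

def parse_acl_show(output: str) -> Dict[str, Set[str]]:
    """'>> gilda:users rwx' -> {'gilda:users': {'r', 'w', 'x'}}."""
    acl = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(">>"):
            principal, perms = line[2:].split()
            acl[principal] = set(perms)
    return acl

def effective_perms(acl, role, groups=()):
    """Union of the entries matching the role, its groups and system:anyuser."""
    perms = set()
    for principal, p in acl.items():
        if principal == role or principal in groups or principal == ANYUSER:
            perms |= p
    return perms

def apply_acl_remove(acl, principal):
    """Mirror 'acl_remove <collection> <principal>' on the parsed ACL."""
    return {k: v for k, v in acl.items() if k != principal}

def world_readable(acl) -> bool:
    """True while system:anyuser still carries the r bit."""
    return "r" in acl.get(ANYUSER, set())

# Constructed from the slide: /gilda after "acl_add /gilda gilda:users rwx".
AFTER_ACL_ADD = """\
>> root rwx
>> gilda:users rwx
>> system:anyuser rx
"""

if __name__ == "__main__":
    acl = parse_acl_show(AFTER_ACL_ADD)
    print("gilda user:", sorted(effective_perms(acl, "gilda", {"gilda:users"})))
    print("eela user: ", sorted(effective_perms(acl, "eela", {"eela:users"})))
    print("world readable after acl_remove:", world_readable(apply_acl_remove(acl, ANYUSER)))
```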

References

- AMGA project Homepage:
    http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/
- AMGA Documentation:
    http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/pages.html
- AMGA User's and Administrator's manual:
    http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/amga-manual_1_2_3.pdf
- AMGA Installation Notes on GILDA Team Wiki:
    https://grid.ct.infn.it/twiki/bin/view/GILDA/AMGA