Dear Devops
I would like to ask if there is any document, mini-guide or ready template about GSI configuration for the dteam VO and the setup of the HTTPS and TPC protocols/features?
thank you in advance
best
e.v.
Hi Emmanouil,
You can find some info about this here:
https://eos-docs.web.cern.ch/configuration/http_tpc.html
EOS uses in general the /etc/grid-security/gridmap-file
for mapping DNs to local users but you can also use the vid
functionality to map VO info to specific accounts. You can also find more info in this thread:
Cheers,
Elvin
Hello Elvin
I have a dteam certificate with two VOMS groups, /dteam and /dteam/france.
In order to map only the first VOMS group (attribute), e.g.
== VO dteam extension information ===
VO : dteam
subject : /O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=Emmanouil Vamvakopoulos
issuer : /C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr
attribute : /dteam/Role=lcgadmin/Capability=NULL
attribute : /dteam/Role=NULL/Capability=NULL
attribute : /dteam/france/Role=NULL/Capability=NULL
timeleft : 11:55:49
uri : voms2.hellasgrid.gr:15004
I have to use a GSI configuration like:
sec.protparm gsi -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=pem|vos=dteam|grps=/dteam,/dteam/france|grpopt=10|dbg
sec.protocol gsi -crl:0 -cert:/etc/grid-security/daemon/hostcert.pem -key:/etc/grid-security/daemon/hostkey.pem -gridmap:/etc/grid-security/ogrid-mapfile -d:3 -gmapopt:11 -vomsat:1 -moninfo:1 -gmapto:1
and describe the group list explicitly and map on the first attribute
with -vomsfunparms:certfmt=pem|vos=dteam|grps=/dteam,/dteam/france|grpopt=10
Do you have any comments about this configuration?
Do you use something similar on a CERN EOS instance?
The default vomsfunparms takes the last attribute (thus the last group), which is not very convenient.
The grid-mapfile is empty for the moment, as we do not have any special users,
and we would like to map users only on VOMS attributes.
In addition, my vid VOMS mapping is:
voms:"/dteam:":gid => dteam
voms:"/dteam:":uid => dte
voms:"/dteam:lcgadmin":gid => dteam
voms:"/dteam:lcgadmin":uid => dtes
voms:"/dteam:production":gid => dteam
voms:"/dteam:production":uid => dtep
voms:"/vo.grif.fr:":gid => dteam
voms:"/vo.grif.fr:":uid => dte
thank you in advance for your comments
best
e.v.
Hi Manos,
This is exactly what we are trying to set up on EOS/CTA at RAL, so I could try and give a comment.
Following the XRootD 5 standard, we use the new string values for the '-crl', '-grpopt', '-gmapopt' and other options. The numerical values are there for backward compatibility (Scalla Extension: Security).
Please see our current config below. We don't set vomsat, as it is automatically set to "require" (or value 2) if the vomsfun is specified. We have set "-gmapopt:null" to make the plugin ignore the gridmap file and "-crl:require" (or -crl:3) to require an up-to-date CRL for each CA. We don't use the '-gmapto' and '-gmapopt' options as we don't use gridmap files.
We are currently trying to figure out with our VO liaisons which of the extracted VOMS group memberships (-grps option) and roles to use in the EOS vid mappings. In case of more than one extracted VOMS group membership/role, we need to decide which of these we pass to the gsi plugin via the '-grpopt' flag: usefirst or uselast.
I think that with your grpopt=10 (again, this value format is deprecated, as mentioned in the above link) you use the first acceptable group from your grps option (which is /dteam) that is found in your proxy, which means it will use this
attribute : /dteam/Role=lcgadmin/Capability=NULL
and read/write to dirs owned by a vuid/guid that mapped to this attribute.
Hope this helps,
George
sec.protparm gsi -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=pem|grps=/atlas/uk,/cms,/dteam|grpopt=useall|dbg
sec.protocol gsi -dlgpxy:request -exppxy:=creds -crl:require -cert:/etc/grid-security/xrootd/hostcert.pem -key:/etc/grid-security/xrootd/hostkey.pem -gmapopt:null -d:1
sec.protbind * only gsi
sec.protbind *.scd.rl.ac.uk sss unix
sec.protbind localhost.localdomain sss unix
sec.protbind localhost sss unix
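To make the grps/grpopt discussion above concrete, here is an added example (not EOS or XRootD code, and not from either poster) that parses the voms-proxy-info attribute listing from Manos' post, applies a grps filter with a usefirst/uselast/useall policy as George describes it, and then looks the chosen FQAN up against Manos' vid rules. The selection logic and the way the vid key is built from the FQAN are assumptions modelled on the thread, not the plugin's own implementation; the proxy text and the mapping of "10" to usefirst (George's reading) are likewise constructed for the example.

```python
"""Simulate XRootD VOMS group selection (grps/grpopt) and an EOS vid lookup.

Added example only: the logic models the behaviour described in the thread
and is meant for reasoning about a configuration, not as a reference
implementation of libXrdSecgsiVOMS or of EOS vid.
"""

# Constructed sample, modelled on the voms-proxy-info output posted in the thread.
SAMPLE_PROXY_INFO = """\
=== VO dteam extension information ===
VO        : dteam
subject   : /O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=Example User
issuer    : /C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr
attribute : /dteam/Role=lcgadmin/Capability=NULL
attribute : /dteam/Role=NULL/Capability=NULL
attribute : /dteam/france/Role=NULL/Capability=NULL
timeleft  : 11:55:49
uri       : voms2.hellasgrid.gr:15004
"""

# Manos' vid rules from the thread, as voms:"<group>:<role>" -> (uid, gid).
VID_RULES = {
    "/dteam:": ("dte", "dteam"),
    "/dteam:lcgadmin": ("dtes", "dteam"),
    "/dteam:production": ("dtep", "dteam"),
    "/vo.grif.fr:": ("dte", "dteam"),
}


def parse_fqans(text):
    """Return (group, role) tuples from the 'attribute :' lines, in proxy order."""
    fqans = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() != "attribute":
            continue
        # FQAN layout: /group[/subgroup...]/Role=<role>/Capability=<cap>
        group, _, rest = value.strip().partition("/Role=")
        role = rest.split("/", 1)[0] if rest else "NULL"
        fqans.append((group, role))
    return fqans


def select_groups(fqans, grps, grpopt):
    """Keep only FQANs whose group is listed in `grps`, then apply `grpopt`.

    Assumption: the deprecated numeric value "10" behaves like usefirst, as
    George reads it in the thread; no other numeric values are modelled.
    """
    accepted = {g.strip() for g in grps.split(",") if g.strip()}
    candidates = [(g, r) for (g, r) in fqans if g in accepted]
    policy = {"10": "usefirst"}.get(grpopt, grpopt)
    if not candidates:
        return []
    if policy == "usefirst":
        return candidates[:1]
    if policy == "uselast":
        return candidates[-1:]
    if policy == "useall":
        return candidates
    raise ValueError(f"unknown grpopt {grpopt!r}")


def vid_key(group, role):
    """Build the vid lookup key; assumption: Role=NULL maps to an empty role."""
    return f"{group}:{'' if role == 'NULL' else role}"


def resolve(text, grps, grpopt, rules=VID_RULES):
    """Proxy text -> selected FQAN(s) -> (uid, gid), or None when nothing maps.

    A None result must be treated as "deny" by the caller; falling back to a
    default account would silently grant access the vid rules never granted.
    With useall, the first FQAN that has a rule wins (assumption of this model).
    """
    for group, role in select_groups(parse_fqans(text), grps, grpopt):
        mapped = rules.get(vid_key(group, role))
        if mapped:
            return mapped
    return None


if __name__ == "__main__":
    for opt in ("usefirst", "uselast", "useall", "10"):
        print(opt, "->", resolve(SAMPLE_PROXY_INFO, "/dteam,/dteam/france", opt))
```

Run with both policies and the difference Manos complains about becomes visible: usefirst picks /dteam/Role=lcgadmin and maps to dtes, while uselast picks /dteam/france, for which none of the listed vid rules exists, so the user ends up unmapped.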
Hello George
Thank you for your reply, it is very helpful.
Which version of EOS do you use for the EOS/CTA instance?
best
e.v.
Hello,
We are currently running version 4.8.37-1.
Best,
George