
EOS GSI and https configuration

Dear Devops
I would like to ask if there is any document, mini-guide or ready template about GSI configuration for the dteam VO and the setup of HTTPS and TPC protocols/features?
thank you in advance
best
e.v.

Hi Emmanouil,

You can find some info about this here:
https://eos-docs.web.cern.ch/configuration/http_tpc.html

EOS uses in general the /etc/grid-security/gridmap-file for mapping DNs to local users but you can also use the vid functionality to map VO info to specific accounts. You can also find more info in this thread:

Cheers,
Elvin


Hello Elvin

I have a dteam certificate with two voms groups, /dteam and /dteam/france.
In order to map only the first voms group (attribute), e.g.

== VO dteam extension information ===
VO : dteam
subject : /O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=Emmanouil Vamvakopoulos
issuer : /C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr
attribute : /dteam/Role=lcgadmin/Capability=NULL
attribute : /dteam/Role=NULL/Capability=NULL
attribute : /dteam/france/Role=NULL/Capability=NULL
timeleft : 11:55:49
uri : voms2.hellasgrid.gr:15004

I have to use a gsi configuration like


sec.protparm gsi -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=pem|vos=dteam|grps=/dteam,/dteam/france|grpopt=10|dbg

sec.protocol gsi -crl:0 -cert:/etc/grid-security/daemon/hostcert.pem -key:/etc/grid-security/daemon/hostkey.pem -gridmap:/etc/grid-security/ogrid-mapfile -d:3 -gmapopt:11 -vomsat:1 -moninfo:1 -gmapto:1 

And describe explicitly the group list and map on the first attribute
with -vomsfunparms:certfmt=pem|vos=dteam|grps=/dteam,/dteam/france|grpopt=10

Do you have any comments about this configuration?
Do you use something similar to a CERN EOS instance?

The default vomsfunparms takes the last attribute (thus the last group), which is not very convenient.

The grid-mapfile is empty for the moment, as we do not have any special users,
and we would like to make a user map only on voms attributes.
In addition, my vid voms mapping is:

voms:"/dteam:":gid => dteam
voms:"/dteam:":uid => dte
voms:"/dteam:lcgadmin":gid => dteam
voms:"/dteam:lcgadmin":uid => dtes
voms:"/dteam:production":gid => dteam
voms:"/dteam:production":uid => dtep
voms:"/vo.grif.fr:":gid => dteam
voms:"/vo.grif.fr:":uid => dte

thank you in advance for your comments
best
e.v.

Hi Manos,

This is exactly what we are trying to set up on EOS/CTA at RAL, so I could try and give a comment.

Following the XRootD 5 standard, we use the new string values for the ‘-crl’, ‘-grpopt’, ‘-gmapopt’ and other options. The numerical values are there for backward compatibility (Scalla Extension: Security).

Please see our current config below. We don't set vomsat as it is automatically set to “require” (or value 2) if the vomsfun is specified. We have set “-gmapopt:null” to make the plugin ignore the gridmap file and “-crl:require” (or -crl:3) to require an up-to-date CRL for each CA. We don't use the ‘-gmapto’ and ‘-gmapopt’ options as we don't use gridmap files.

We are currently trying to figure out with our VO liaisons which of the extracted voms group memberships (-grps option) and roles to use in the EOS vid mappings. In case of more than one extracted voms group membership/role we need to decide which of these we pass to the gsi plugin via the ‘-grpopt’ flag: usefirst or uselast.

I think that with your grpopt=10 (again, this value format is deprecated, as mentioned in the above link) you use the first acceptable group from your grps option (which is /dteam) that is found in your proxy, which means it will use this

attribute : /dteam/Role=lcgadmin/Capability=NULL

and read/write to dirs owned by a vuid/guid that mapped to this attribute.

Hope this helps,

George


sec.protparm gsi -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=pem|grps=/atlas/uk,/cms,/dteam|grpopt=useall|dbg

sec.protocol gsi -dlgpxy:request -exppxy:=creds -crl:require -cert:/etc/grid-security/xrootd/hostcert.pem -key:/etc/grid-security/xrootd/hostkey.pem -gmapopt:null -d:1

sec.protbind * only gsi
sec.protbind *.scd.rl.ac.uk sss unix
sec.protbind localhost.localdomain sss unix
sec.protbind localhost sss unix
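To see which vid identity a proxy ends up with under the usefirst/uselast/useall choice discussed above, here is an added Python model (not EOS or XRootD code; the grpopt selection rule is an assumption based on George's description) that applies the vid voms mapping from this thread to the FQANs from the proxy shown earlier:

```python
import re

# Constructed sample: the VOMS attributes (FQANs) from the proxy shown earlier in the thread.
PROXY_ATTRIBUTES = [
    "/dteam/Role=lcgadmin/Capability=NULL",
    "/dteam/Role=NULL/Capability=NULL",
    "/dteam/france/Role=NULL/Capability=NULL",
]

# The vid voms mapping from the thread, keyed as "group:role" -> (uid, gid).
VID_VOMS_MAP = {
    "/dteam:": ("dte", "dteam"),
    "/dteam:lcgadmin": ("dtes", "dteam"),
    "/dteam:production": ("dtep", "dteam"),
    "/vo.grif.fr:": ("dte", "dteam"),
}

FQAN_RE = re.compile(r"^(?P<group>/[^=]*?)/Role=(?P<role>[^/]+)/Capability=(?P<cap>[^/]+)$")


def fqan_to_vid_key(fqan):
    """Turn an FQAN into the 'group:role' key used by the vid voms rules; Role=NULL becomes an empty role."""
    m = FQAN_RE.match(fqan)
    if not m:
        raise ValueError(f"unrecognised FQAN: {fqan}")
    role = "" if m.group("role") == "NULL" else m.group("role")
    return f"{m.group('group')}:{role}"


def select_fqans(attributes, grps, grpopt):
    """Assumed model of grpopt: keep FQANs whose group is listed in grps, then take first, last or all."""
    acceptable = [a for a in attributes if a.split("/Role=")[0] in grps]
    if grpopt == "usefirst":
        return acceptable[:1]
    if grpopt == "uselast":
        return acceptable[-1:]
    if grpopt == "useall":
        return acceptable
    raise ValueError(f"unsupported grpopt: {grpopt}")


def resolve_identity(attributes, grps, grpopt, vid_map=VID_VOMS_MAP):
    """Return (uid, gid) for the first selected FQAN that has a vid rule, or None if nothing matches."""
    for fqan in select_fqans(attributes, grps, grpopt):
        key = fqan_to_vid_key(fqan)
        if key in vid_map:
            return vid_map[key]
    return None
```

With this proxy, usefirst lands on /dteam:lcgadmin (uid dtes), while uselast picks /dteam/france, which has no vid rule and therefore maps to nothing.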

Hello George
Thank you for your reply, it is very helpful.
Which version of EOS do you use for the EOS/CTA instance?
best
e.v.

Hello,

We are currently running version 4.8.37-1.

Best,

George