A couple of months ago, I set up a test machine running XrootD version 4 at QMUL. This was to test three things:
For the new machine, I started by following ATLAS's Fax for Posix storage sites instructions. These instructions document how to use VOMS authentication, but not central banning via ARGUS. CMS do however have some instructions on using xrootd-lcmaps to do the authorisation - though with RPMs from different (and therefore potentially incompatible) repositories. It is, however, possible to get them to work.
The following packages are needed (or at least what I have installed):
yum install xrootd4-server-atlas-n2n-plugin
yum install argus-pep-api-c yum install lcmaps-plugins-c-pep
yum install lcmaps-plugins-verify-proxy
yum install lcmaps-plugins-tracking-groupid
yum install yum install xerces-c
yum install lcmaps-plugins-basic
Now the packages are installed, xrootd needs to be configured to use them - the appropriate lines in /etc/xrootd/xrootd-clustered.cfg are:
xrootd.seclib /usr/lib64/libXrdSec.so
xrootd.fslib /usr/lib64/libXrdOfs.so
sec.protocol /usr/lib64 gsi -certdir:/etc/grid-security/certificates -cert:/etc/grid-security/xrd/xrdcert.pem -key:/etc/grid-security/xrd/xrdkey.pem -crl:3 -authzfun:libXrdLcmaps.so -authzfunparms:--osg,--lcmapscfg,/etc/xrootd/lcmaps.cfg,--loglevel,5|useglobals -gmapopt:10 -gmapto:0
#
acc.authdb /etc/xrootd/auth_file
acc.authrefresh 60
ofs.authorize 1
And in /etc/xrootd/lcmaps.cfg it is necessary to change path and argus server (my argus server is obscured in the example below). My config file looks looks like:
################################
# where to look for modules
#path = /usr/lib64/modules
path = /usr/lib64/lcmaps
good = "lcmaps_dummy_good.mod"
bad = "lcmaps_dummy_bad.mod"
# Note put your own argus host instead of for argushost.mydomain
pepc = "lcmaps_c_pep.mod"
"--pep-daemon-endpoint-url https://argushost.mydomain:8154/authz"
" --resourceid http://esc.qmul.ac.uk/xrootd"
" --actionid http://glite.org/xacml/action/execute"
" --capath /etc/grid-security/certificates/"
" --no-check-certificates"
" --certificate /etc/grid-security/xrd/xrdcert.pem"
" --key /etc/grid-security/xrd/xrdkey.pem"
xrootd_policy:
pepc -> good | bad
################################################
Then after restarting xrootd, you just need to test that it works.
It seems to work, I was successfully able to ban myself. Unbanning didn't work instantly, and I resorted to restarting xrootd - though perhaps if I'd had patience, it would have worked eventually.
Overall, whilst it wasn't trivial to do, it's not actually that hard, and is one more step along the road to having central banning working on all our grid services.
- IPv6 (see blog post),
- Central authorisation via ARGUS (the subject of this blog post).
- XrootD 4
For the new machine, I started by following ATLAS's Fax for Posix storage sites instructions. These instructions document how to use VOMS authentication, but not central banning via ARGUS. CMS do however have some instructions on using xrootd-lcmaps to do the authorisation - though with RPMs from different (and therefore potentially incompatible) repositories. It is, however, possible to get them to work.
The following packages are needed (or at least what I have installed):
yum install xrootd4-server-atlas-n2n-plugin
yum install argus-pep-api-c yum install lcmaps-plugins-c-pep
yum install lcmaps-plugins-verify-proxy
yum install lcmaps-plugins-tracking-groupid
yum install yum install xerces-c
yum install lcmaps-plugins-basic
Now the packages are installed, xrootd needs to be configured to use them - the appropriate lines in /etc/xrootd/xrootd-clustered.cfg are:
xrootd.seclib /usr/lib64/libXrdSec.so
xrootd.fslib /usr/lib64/libXrdOfs.so
sec.protocol /usr/lib64 gsi -certdir:/etc/grid-security/certificates -cert:/etc/grid-security/xrd/xrdcert.pem -key:/etc/grid-security/xrd/xrdkey.pem -crl:3 -authzfun:libXrdLcmaps.so -authzfunparms:--osg,--lcmapscfg,/etc/xrootd/lcmaps.cfg,--loglevel,5|useglobals -gmapopt:10 -gmapto:0
#
acc.authdb /etc/xrootd/auth_file
acc.authrefresh 60
ofs.authorize 1
And in /etc/xrootd/lcmaps.cfg it is necessary to change path and argus server (my argus server is obscured in the example below). My config file looks looks like:
################################
# where to look for modules
#path = /usr/lib64/modules
path = /usr/lib64/lcmaps
good = "lcmaps_dummy_good.mod"
bad = "lcmaps_dummy_bad.mod"
# Note put your own argus host instead of for argushost.mydomain
pepc = "lcmaps_c_pep.mod"
"--pep-daemon-endpoint-url https://argushost.mydomain:8154/authz"
" --resourceid http://esc.qmul.ac.uk/xrootd"
" --actionid http://glite.org/xacml/action/execute"
" --capath /etc/grid-security/certificates/"
" --no-check-certificates"
" --certificate /etc/grid-security/xrd/xrdcert.pem"
" --key /etc/grid-security/xrd/xrdkey.pem"
xrootd_policy:
pepc -> good | bad
################################################
Then after restarting xrootd, you just need to test that it works.
It seems to work, I was successfully able to ban myself. Unbanning didn't work instantly, and I resorted to restarting xrootd - though perhaps if I'd had patience, it would have worked eventually.
Overall, whilst it wasn't trivial to do, it's not actually that hard, and is one more step along the road to having central banning working on all our grid services.