AMGA Server Installation and configuration

Tony Calanducci, INFN – Catania. Third EELA Tutorial for Managers and Users, Rio de Janeiro, 26-30 June 2006.

  1. AMGA Server Installation and configuration • Tony Calanducci • INFN – Catania • Third EELA Tutorial for Managers and Users • Rio de Janeiro, 26-30 June 2006

  2. Outline • How to install an AMGA Server • AMGA Server Configuration • Reference

  3. Installation requirements
  • Start from a fresh install of SLC 3.0.x
  • Verify that apt is installed and properly configured:
      rpm -qa | grep apt
    Install apt if necessary.
  • Create a /etc/apt/sources.list.d/egee-ca.list file with this line:
      rpm http://grid018.ct.infn.it/rep glite_sl3-i386 security
  • Run apt-get update
  • Configure ntpd as illustrated in the SysAdmin Intro tutorial. Certificate validity periods and CRL freshness are checked against the local clock, so a skewed clock makes valid certificates fail or lets expired ones pass.

  4. Security pre-requisites
  • Install the RPMs of all the CAs supported by EGEE:
      apt-get install lcg-CA
  • If you plan to use certificates issued by CAs that EGEE does not support, make sure their public key, signing policy and CRLs (usually distributed as an RPM) are installed in /etc/grid-security/certificates.
  • For the VO GILDA, the RPM is available at
      https://gilda.ct.infn.it/RPMS/ca_GILDA-1.0-2.i386.rpm
  • Additionally install the RPMs of the GILDA and EELA VOMS:
      https://gilda.ct.infn.it/RPMS/edg-voms-vo-gilda-1.0-0.noarch.rpm
      https://gilda.ct.infn.it/RPMS/lcg-voms-vo-eela_1.0-0_noarch.rpm

  5. Security pre-requisites (II)
  • Download and install the edg-utils-system RPM from:
      http://grid018.ct.infn.it/rep/glite_sl3-i386/RPMS/edg-utils-system-1.8.2-1_sl3.noarch.rpm
  • Edit /etc/cron.d/edg-fetch-crl to look like:
      PATH=/sbin:/bin:/usr/sbin:/usr/bin
      39 2,8,14,20 * * * root /opt/edg/etc/cron/edg-fetch-crl-cron >> /var/log/edg-fetch-crl-cron.log 2>&1
    This keeps the CRLs in /etc/grid-security/certificates fresh; without it the server keeps accepting certificates that their CA has revoked. Check the log once the job has run.
  • Request an X.509 host certificate for the AMGA server you are going to install from a Certification Authority (CA). For example, to get a host certificate from the GILDA CA, go to:
      https://gilda.ct.infn.it/CA/mgt/restricted/srvreq.php
  • Install the host certificate and key (hostcert.pem and hostkey.pem) in /etc/grid-security:
      chmod 644 hostcert.pem
      chmod 400 hostkey.pem
    The private key must be readable only by the account that runs mdserver; the certificate is public and may stay world-readable.

  6. AMGA Server and Client RPMs
  • The following packages are required by AMGA and must be installed first: unixODBC, libxml2 and the Boost libraries. Install them with:
      apt-get install unixODBC
      apt-get install libxml2
      apt-get install boost
  • Download and install the latest AMGA server and client from the AMGA download directory (http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/):
      http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/glite-amga-server-1.2.3-1.SLC3.i386.rpm
      http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/glite-amga-cli-1.2.3-1.SLC3.i386.rpm

  7. DB and ODBC installation
  • You also need a database and the matching ODBC driver. AMGA currently supports four database backends via ODBC drivers: PostgreSQL, MySQL, Oracle and SQLite.
  • Install the PostgreSQL that comes with SLC with:
      apt-get install rh-postgresql-server rh-postgresql
  • Install a PostgreSQL ODBC driver (at least version 08.01.0200). Download it from:
      http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/amga-odbc.tar.gz
    and just run the INSTALL.sh script after unpacking.
  • NB: do not use the postgresql-odbc package that comes with SLC. It is too old and AMGA will not work with it.

  8. PostgreSQL configuration
  • Initialize the DB configuration by starting and stopping the server once:
      /etc/init.d/rhdb start
      /etc/init.d/rhdb stop
  • Uncomment the following line in /var/lib/pgsql/data/postgresql.conf and set it to true:
      tcpip_socket = true
    This is needed to enable the TCP/IP connections used by the ODBC driver.
  • Add the following lines to /var/lib/pgsql/data/pg_hba.conf:
      host    metadata    arda    127.0.0.1    255.255.255.255    trust
      local   metadata    arda                                    trust
    (They authorize the arda DB user to connect to the metadata DB.)
  • Note that trust means PostgreSQL asks arda for no password at all. This is acceptable only because both lines are limited to the Unix socket and 127.0.0.1, i.e. to processes on the AMGA host itself. Do not widen the host line to other addresses without switching that line to md5 authentication.

  9. PostgreSQL configuration (II)
  • Start PostgreSQL again:
      /etc/init.d/rhdb start
  • Create the DB user arda, allowing it to create new DBs:
      su postgres -c 'createuser -d -A arda'
  • Create the Unix user arda:
      adduser arda
  • Let the arda user create the metadata DB:
      su arda -c 'createdb metadata'
  • Allow stored procedures for the metadata DB:
      su postgres -c 'createlang -d metadata plpgsql'

  10. ODBC driver configuration
  • The ODBC data source is created by appending the following lines to /etc/odbc.ini:
      [PSQL]
      Description     = AMGA metadata catalogue database
      Driver          = PostgreSQL
      Trace           = No
      TraceFile       = /tmp/metadata/odbc.log
      Database        = metadata
      Servername      = localhost
      Port            = 5432
      ReadOnly        = No
  • Double check /etc/odbcinst.ini, ensuring it contains the proper settings for the PostgreSQL ODBC driver (it should have been configured by INSTALL.sh during the installation).

  11. ODBC testing and metadata DB creation
  • To test whether ODBC was set up correctly you can use the generic unixODBC CLI tool:
      isql PSQL metadata
  • Now initialize the database using the createInitialXXX.sql scripts (where XXX has to be replaced with the DB of choice), which you will find in /opt/glite/share/doc/glite-amga-server-1.2.3/. Run the script as the arda DB user:
      su arda -c 'psql metadata < /opt/glite/share/doc/glite-amga-server-1.2.3/createInitialPG.sql'
  • If you also want per-entry ACLs, you need to create some stored procedures as well:
      su arda -c 'psql metadata < /opt/glite/share/doc/glite-amga-server-1.2.3/proceduresPSQL.sql'

  12. AMGA initial configuration
  • /etc/mdserver.config contains all the variables you need to set up and fine tune the AMGA server. By default it configures AMGA with no authentication checks.
  • Start the AMGA server with:
      /etc/init.d/mdservice start
  • The AMGA server daemon should be listening on port 8822:
      lsof -i | grep 8822
      mdserver 13856 root 6u IPv4 27296 TCP *:8822 (LISTEN)
      mdserver 13857 root 6u IPv4 27296 TCP *:8822 (LISTEN)
      mdserver 13860 root 6u IPv4 27296 TCP *:8822 (LISTEN)
  • Note what this output means: the server is bound to all interfaces (*:8822) and, in this default configuration, any client that can reach the port may connect under any login it chooses (the next slide connects as root this way). Do not leave the server reachable from outside the host until the authentication settings of slide 15 are in place.

  13. AMGA testing
  • Log in to a User Interface where the AMGA client tools are installed. You can check this with:
      rpm -qa | grep -i amga
  • Copy the AMGA client template config file from /etc/mdclient.config to your home as .mdclient.config:
      cp /etc/mdclient.config $HOME/.mdclient.config
  • Set the Host variable to the hostname of your AMGA server and make sure the Login variable is root.
  • Connect to the AMGA server using the mdclient tool:
      $ mdclient
      Connecting to amgarm3.trigrid.it:8822...
      ARDA Metadata Server 1.2.3
      Query> whoami
      >> root
      Query>

  14. Create a root user
  • Inside the mdclient shell, create the root user (also called a "role" inside AMGA) with:
      Query> user_create root
  • Bind the AMGA root role to the certificate subject of the AMGA administrator (you, in this case):
      Query> user_subject_add root 'C = IT, O = GILDA, OU = Personal Certificate, L = INFN Catania, CN = Tony Calanducci, emailAddress = tony.calanducci@ct.infn.it'
  • You can get your subject, in the format AMGA expects, with:
      openssl x509 -in usercert.pem -subject -noout -nameopt oneline
  • You can also define an AMGA root password, if you plan to enable password authentication as well, with:
      Query> user_password_change root 'bondia'
    'bondia' is only the slide's placeholder: if you enable password authentication, choose a strong password, since this account owns the whole catalogue.

  15. Enabling certificate authentication
  • Edit /etc/mdserver.config on the AMGA server and change the following variables:
      UseSSL = 1
      RequireAuthentication = 1
      AllowCertificateAuthentication = 1
      CertFile = /etc/grid-security/hostcert.pem
      KeyFile = /etc/grid-security/hostkey.pem
      TrustedCertDir = /etc/grid-security/certificates
      AllowGridProxyLogin = 1
      MyProxyHack = 1
  • Enable the users from the VOs you want to give access to:
      VirtualOrganizations = gilda(gilda), eela(eela)
      VOGroupMap = gilda:/gilda(gilda:users), eela(eela:users)
  • Restart the AMGA server with:
      /etc/init.d/mdserver restart
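A pre-flight check for the two things slides 5 and 15 ask you to get right before restarting mdserver, given here as an added example (it is not part of the tutorial or of the AMGA distribution): it verifies the modes of the host key and certificate and that the authentication settings listed above are actually present in the server config. The function names, the paths passed as arguments and the config parser are assumptions made for this example; the keys and values it checks are the ones on slide 15.

```shell
#!/bin/sh
# Pre-flight check for an AMGA server host (added example, not AMGA code).
# Checks: hostkey.pem is 0400, hostcert.pem is 0644 (slide 5), and the
# authentication keys of slide 15 are set in mdserver.config.
# Usage: sh amga_preflight.sh /etc/mdserver.config \
#            /etc/grid-security/hostkey.pem /etc/grid-security/hostcert.pem

# mode_of FILE: symbolic mode string, e.g. -r-------- for 0400.
# ls -l is used rather than stat -c, which is GNU-only.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_key_perms KEYFILE: the private key must be 0400 (owner read only).
check_key_perms() {
    case $(mode_of "$1") in
        -r--------) return 0 ;;
        *) echo "$1: mode $(mode_of "$1"), expected -r-------- (chmod 400)"
           return 1 ;;
    esac
}

# check_cert_perms CERTFILE: the certificate is public but must not be
# writable by group or others, i.e. exactly 0644.
check_cert_perms() {
    case $(mode_of "$1") in
        -rw-r--r--) return 0 ;;
        *) echo "$1: mode $(mode_of "$1"), expected -rw-r--r-- (chmod 644)"
           return 1 ;;
    esac
}

# conf_get FILE KEY: value of the last "KEY = value" line in FILE,
# ignoring comment lines and surrounding whitespace; empty if unset.
conf_get() {
    awk -v k="$2" -F'=' '
        /^[ \t]*#/ { next }
        NF >= 2 {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (key == k) {
                val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            }
        }
        END { print val }' "$1"
}

# check_mdserver_conf FILE: every key below must hold the value slide 15
# sets. Prints one line per deviation and returns 1 if there is any.
check_mdserver_conf() {
    conf_rc=0
    for kv in UseSSL=1 RequireAuthentication=1 \
              AllowCertificateAuthentication=1 \
              TrustedCertDir=/etc/grid-security/certificates; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(conf_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key = '${got:-<unset>}', expected $want"
            conf_rc=1
        fi
    done
    # With RequireAuthentication on, an empty VO list locks everyone out.
    if [ -z "$(conf_get "$1" VirtualOrganizations)" ]; then
        echo "VirtualOrganizations is unset: no VO user will be able to log in"
        conf_rc=1
    fi
    return $conf_rc
}

# amga_preflight CONF KEYFILE CERTFILE: run all checks, return 1 on any failure.
amga_preflight() {
    pf_rc=0
    check_mdserver_conf "$1" || pf_rc=1
    check_key_perms "$2" || pf_rc=1
    check_cert_perms "$3" || pf_rc=1
    return $pf_rc
}

# Run only when the three paths are given on the command line.
if [ $# -eq 3 ]; then
    amga_preflight "$1" "$2" "$3" && echo "preflight OK"
fi
```

Run it just before the restart on slide 15; a non-zero exit with the printed findings means the server would either come up without authentication or fail to read its key.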

  16. Test the VOMS proxy authentication
  • Log in to the UI and edit $HOME/.mdclient.config:
      Login = NULL
      UseSSL = require
      AuthenticateWithCertificate = 1
      UseGridProxy = 1
  • Create a VOMS proxy requesting membership of one of the enabled VOs (gilda, for example).
  • Start the mdclient tool. You should be authenticated as the gilda user (role), belonging to the gilda:users group:
      $ mdclient
      Connecting to amgarm3.trigrid.it:8822...
      ARDA Metadata Server 1.2.3
      Query> whoami
      >> gilda
      Query> grp_member
      >> gilda:users

  17. Set up a collection for each VO
  • Create a VOMS proxy from the certificate whose subject you bound to root on slide 14.
  • Change $HOME/.mdclient.config from the previous slide so that you log in as root.
  • Start mdclient. You should be authenticated as root (by your certificate subject):
      $ mdclient
      Connecting to amgarm3.trigrid.it:8822...
      ARDA Metadata Server 1.2.3
      Query> whoami
      >> root
  • Create a root collection for each VO you support. You can also create specific collections for particular roles or applications:
      Query> createdir /gilda
      Query> createdir /eela

  18. Set up collections for VOs (II)
  • Anyone will be allowed to read the new collections, but we also want to grant write permission to the VO users:
      Query> acl_show /gilda
      >> root rwx
      >> system:anyuser rx
      Query> acl_add /gilda gilda:users rwx
      Query> acl_show /gilda
      >> root rwx
      >> gilda:users rwx
      >> system:anyuser rx
  • You could achieve the same result by changing the ownership of the /gilda collection with:
      Query> chown /gilda gilda
  • If you do not want others to read inside the /gilda collection, remove the system:anyuser group from its ACL. Do this before the VO starts storing entries there, since the default ACL makes every new collection world-readable:
      Query> acl_remove /gilda/ system:anyuser

  19. References
  • AMGA project homepage: http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/
  • AMGA documentation: http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/pages.html
  • AMGA User's and Administrator's Manual: http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/amga-manual_1_2_3.pdf
  • AMGA installation notes on the GILDA team wiki: https://grid.ct.infn.it/twiki/bin/view/GILDA/AMGA