					                   E-infrastructure shared between Europe and Latin America




AMGA Server Installation and configuration
Tony Calanducci
INFN – Catania
Third EELA Tutorial for Managers and Users
Rio de Janeiro, 26-30 June 2006



www.eu-eela.org


FP6−2004−Infrastructures−6-SSA-026409
Outline




    • How to install an AMGA Server

    • AMGA Server Configuration

    • Reference




Installation requirements




    • Start from a fresh install of SLC 3.0.x

    • Verify that apt is installed and properly
      configured:
         – rpm -qa | grep apt
         – Install apt if necessary
         – Create a /etc/apt/source.list.d/egee-ca.list file with this line:
               rpm http://grid018.ct.infn.it/rep glite_sl3-i386 security
         – Run apt-get update

    • Configure ntpd as illustrated in the SysAdmin Intro
      tutorial



Security pre-requisites



    • Install the RPMs of all the CA supported by EGEE:
         – apt-get install lcg-CA


    • If you plan to use certificates issued by CAs that EGEE does
      not support, make sure that their public key, signing policy
      and CRLs (usually distributed as an RPM) are installed in
      /etc/grid-security/certificates.
         – For the VO GILDA, the RPM is available at
               https://gilda.ct.infn.it/RPMS/ca_GILDA-1.0-2.i386.rpm
         – Additionally, install the RPMs of the GILDA and EELA VOMS:
               https://gilda.ct.infn.it/RPMS/edg-voms-vo-gilda-1.0-0.noarch.rpm
               https://gilda.ct.infn.it/RPMS/lcg-voms-vo-eela_1.0-0_noarch.rpm

Security pre-requisites (II)



   • Download and install the edg-utils-system RPM from:
       – http://grid018.ct.infn.it/rep/glite_sl3-i386/RPMS/edg-utils-system-1.8.2-1_sl3.noarch.rpm
   • Edit /etc/cron.d/edg-fetch-crl to look like:
       – PATH=/sbin:/bin:/usr/sbin:/usr/bin
       – 39 2,8,14,20 * * * root /opt/edg/etc/cron/edg-fetch-crl-cron >> /var/log/edg-fetch-crl-cron.log 2>&1


   • Request an X.509 host certificate for the AMGA server
     you are going to install from a Certification Authority
     (CA). For example, to get a host certificate from the
     GILDA CA, go to:
       – https://gilda.ct.infn.it/CA/mgt/restricted/srvreq.php
   • Install the host certificate and key (hostcert.pem and
     hostkey.pem) in /etc/grid-security.
        – chmod 644 hostcert.pem
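A check script for the security prerequisites above, added here as an example (it is not part of the tutorial or of the AMGA distribution). It verifies that the CA directory is populated, that hostcert.pem has the 644 mode from the slide, that hostkey.pem is readable only by its owner, and that the edg-fetch-crl cron file contains the expected entry. The paths default to the ones on the slides; the requirement that the private key be mode 400 or 600 comes from the GSI/Globus tooling gLite is built on, not from these slides.

```sh
#!/bin/sh
# Added example: sanity checks for the security prerequisites (not from the tutorial).
# check_grid_security [DIR]     DIR defaults to /etc/grid-security
# check_crl_cron [FILE]         FILE defaults to /etc/cron.d/edg-fetch-crl
# Each function prints one line per problem and returns 1 if anything is wrong.

mode_of() {
    # Portable permission string such as "-rw-r--r--" (follows symlinks)
    ls -lL "$1" | cut -c1-10
}

check_grid_security() {
    dir=${1:-/etc/grid-security}
    rc=0

    # CA directory: lcg-CA (plus any extra CA RPMs) installs *.0 certificates here
    if [ ! -d "$dir/certificates" ]; then
        echo "MISSING: $dir/certificates (install lcg-CA)"; rc=1
    elif ! ls "$dir/certificates"/*.0 >/dev/null 2>&1; then
        echo "EMPTY: no CA certificate (*.0) in $dir/certificates"; rc=1
    elif ! ls "$dir/certificates"/*.r0 >/dev/null 2>&1; then
        # CRLs (*.r0) appear once edg-fetch-crl has run at least once
        echo "WARNING: no CRL (*.r0) in $dir/certificates yet; run edg-fetch-crl"
    fi

    # Host certificate: present and world readable (chmod 644 on the slide)
    if [ ! -f "$dir/hostcert.pem" ]; then
        echo "MISSING: $dir/hostcert.pem"; rc=1
    elif [ "$(mode_of "$dir/hostcert.pem")" != "-rw-r--r--" ]; then
        echo "MODE: hostcert.pem is $(mode_of "$dir/hostcert.pem"), expected -rw-r--r-- (644)"; rc=1
    fi

    # Host key: present and readable by its owner only (400 or 600). The GSI
    # libraries refuse a private key that group or others can read; this
    # requirement comes from that tooling, not from the slides.
    if [ ! -f "$dir/hostkey.pem" ]; then
        echo "MISSING: $dir/hostkey.pem"; rc=1
    else
        case $(mode_of "$dir/hostkey.pem") in
            -r--------|-rw-------) ;;
            *) echo "MODE: hostkey.pem is $(mode_of "$dir/hostkey.pem"), must be 400 or 600"; rc=1 ;;
        esac
    fi
    return $rc
}

check_crl_cron() {
    cron=${1:-/etc/cron.d/edg-fetch-crl}
    rc=0
    [ -f "$cron" ] || { echo "MISSING: $cron"; return 1; }
    grep -q '^PATH=' "$cron" || { echo "$cron: no PATH= line"; rc=1; }
    # Five time fields, the user root, then the edg-fetch-crl-cron script
    grep -Eq '^([0-9,*/-]+[[:space:]]+){5}root[[:space:]]+/opt/edg/etc/cron/edg-fetch-crl-cron' "$cron" \
        || { echo "$cron: no root cron line running edg-fetch-crl-cron"; rc=1; }
    return $rc
}

# Typical invocation on the server (not run here):
#   check_grid_security && check_crl_cron && echo "prerequisites OK"
```

Run it as root on the freshly prepared host; a non-zero exit with the printed list is the to-do list before continuing with the AMGA RPMs.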
AMGA Server and Client RPMs



    • The following packages are necessary to use AMGA
      and must be installed first: unixODBC, libxml2 and
      the Boost libraries. You can install them with:
         – apt-get install unixODBC
         – apt-get install libxml2
         – apt-get install boost
    • Download and install the latest AMGA server and client
      from the AMGA download directory
      (http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/):
         – http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/glite-amga-server-1.2.3-1.SLC3.i386.rpm
         – http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/glite-amga-cli-1.2.3-1.SLC3.i386.rpm

DB and ODBC installation



    • You also need a database and the appropriate ODBC
      driver. AMGA currently supports 4 different database
      backends via ODBC drivers (PostgreSQL, MySQL, Oracle
      and SQLite).
         – Install the PostgreSQL that comes with SLC with:
               apt-get install rh-postgresql-server rh-postgresql
         – Install a PostgreSQL ODBC driver (at least version 08.01.0200).
               Download it from: http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/amga-odbc.tar.gz
               Just run the INSTALL.sh script after unpacking.
               NB: don't use the postgresql-odbc package that comes with
                SLC. It's too old and AMGA will not work with it.




PostgreSQL configuration



    • Initialize the DB configuration:
         – /etc/init.d/rhdb start
         – /etc/init.d/rhdb stop
    • Uncomment the line and set the parameter to true
      in /var/lib/pgsql/data/postgresql.conf as follows:
         – tcpip_socket = true
      This is needed to enable the TCP/IP connections used by the ODBC
      driver.
    • Add the following lines to
      /var/lib/pgsql/data/pg_hba.conf:
         – host    metadata    arda    127.0.0.1    255.255.255.255    trust
         – local   metadata    arda    trust
      (Used to authorize the arda DB user to connect to
      the metadata DB.)
PostgreSQL configuration (II)



    • Start PostgreSQL again:
         – /etc/init.d/rhdb start
    • Create the DB user arda, allowing it to create new
      DBs:
         – su postgres -c 'createuser -d -A arda'
    • Create the Unix user arda:
         – adduser arda
    • Let the arda user create the metadata DB:
         – su arda -c 'createdb metadata'
    • Allow stored procedures for the metadata DB:
         – su postgres -c 'createlang -d metadata plpgsql'
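The two configuration-file edits on the previous slide, scripted so that they can be re-run safely. This is an added example, not a script shipped with the tutorial or with AMGA; it takes the file paths as arguments so it can be tried on copies of the files first (the default locations are the /var/lib/pgsql/data ones from the slide).

```sh
#!/bin/sh
# Added example (not from the tutorial): apply the postgresql.conf and pg_hba.conf
# changes from the slides idempotently, so re-running never duplicates lines.
# configure_pg_tcpip FILE   -> ensures "tcpip_socket = true" (uncomments or appends)
# configure_pg_hba FILE     -> ensures the two arda/metadata rules exist

configure_pg_tcpip() {
    conf=$1
    if grep -Eq '^[[:space:]]*tcpip_socket[[:space:]]*=[[:space:]]*true' "$conf"; then
        return 0                                   # already enabled
    fi
    if grep -Eq '^[[:space:]]*#?[[:space:]]*tcpip_socket[[:space:]]*=' "$conf"; then
        # Commented out or set to false: rewrite that line in place
        sed -E 's/^[[:space:]]*#?[[:space:]]*tcpip_socket[[:space:]]*=.*/tcpip_socket = true/' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        echo 'tcpip_socket = true' >> "$conf"
    fi
}

# Is there already a rule of type $2 (host|local) for database metadata and user arda?
has_arda_rule() {
    awk -v t="$2" '$1 == t && $2 == "metadata" && $3 == "arda" { found = 1 }
                   END { exit !found }' "$1"
}

configure_pg_hba() {
    hba=$1
    # pg_hba.conf is evaluated top to bottom and the first match wins. The rules
    # from the slide use "trust": no password is asked of anything that connects
    # as arda to the metadata database from 127.0.0.1 or over the Unix socket,
    # so keep them exactly this narrow (one database, one user, loopback only).
    has_arda_rule "$hba" host  || printf '%s\n' \
        'host    metadata    arda    127.0.0.1    255.255.255.255    trust' >> "$hba"
    has_arda_rule "$hba" local || printf '%s\n' \
        'local   metadata    arda    trust' >> "$hba"
}

# Print the effective (non-comment) rules that mention arda, for review
show_arda_rules() {
    grep -E '^[[:space:]]*(host|local)[[:space:]]+metadata[[:space:]]+arda' "$1"
}

# On the server, with PostgreSQL stopped as on the slide (not run here):
#   configure_pg_tcpip /var/lib/pgsql/data/postgresql.conf
#   configure_pg_hba   /var/lib/pgsql/data/pg_hba.conf
#   show_arda_rules    /var/lib/pgsql/data/pg_hba.conf
```

Because pg_hba.conf is first-match, an earlier and broader rule for 127.0.0.1 would take precedence over the appended ones; show_arda_rules only lists the arda rules, so look at the whole file once before restarting rhdb.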




ODBC driver configuration



    • The ODBC data source is created by appending the
      following lines to /etc/odbc.ini:
         – [PSQL]
            Description = AMGA metadata catalogue database
            Driver      = PostgreSQL
            Trace       = No
            TraceFile   = /tmp/metadata/odbc.log
            Database    = metadata
            Servername  = localhost
            Port        = 5432
            ReadOnly    = No
    • Double-check /etc/odbcinst.ini, ensuring it contains
      the proper settings for the PostgreSQL ODBC driver (it
      should have been configured by INSTALL.sh during
      the installation).
ODBC Testing and metadata DB creation



    • To test whether ODBC was set up correctly you can use
      the generic unixODBC CLI tool:
         – isql PSQL metadata
    • Now you can initialize the database using the
      createInitialXXX.sql scripts (where XXX has to be
      replaced with the DB of choice), which you will find in
      /opt/glite/share/doc/glite-amga-server-1.2.3/:
         – su arda
           psql metadata < /opt/glite/share/doc/glite-amga-server-1.2.3/createInitialPG.sql
         – If you also want ACLs per entry, you also need to
           create some stored procedures with:
               psql metadata < /opt/glite/share/doc/glite-amga-server-1.2.3/proceduresPSQL.sql


AMGA initial configuration



    • /etc/mdserver.conf contains all the variables you need
      to set up and fine-tune the AMGA server. By default it
      configures AMGA with no authentication checks.
    • Start the AMGA server with:
         – /etc/init.d/mdservice start
    • The AMGA server daemon should be listening on port 8822:
         – lsof -i | grep 8822
           mdserver 13856 root 6u IPv4 27296 TCP *:8822 (LISTEN)
           mdserver 13857 root 6u IPv4 27296 TCP *:8822 (LISTEN)
           mdserver 13860 root 6u IPv4 27296 TCP *:8822 (LISTEN)




AMGA testing
    • Log in to a User Interface where the AMGA client
      tools are installed.
         – You can check it with 'rpm -qa | grep -i amga'
    • Copy the AMGA client template config file from
      /etc/mdclient.config to your home as .mdclient.config:
         – cp /etc/mdclient.config $HOME/.mdclient.config
    • Edit the Host variable, filling it with the right hostname,
      and ensure the Login variable equals root.
    • Connect to the AMGA server using the AMGA mdclient
      tool:
         – $ mdclient
           Connecting to amgarm3.trigrid.it:8822...
           ARDA Metadata Server 1.2.3
           Query> whoami
           >> root
           Query>
Create a root user
    • Inside the mdclient shell, create the root user (also
      called 'role' inside AMGA) with:
         – Query> user_create root
    • Bind the AMGA root role to the subject of the AMGA
      administrator (you in this case):
         – Query> user_subject_add root 'C = IT, O = GILDA, OU = Personal Certificate, L = INFN Catania, CN = Tony Calanducci, emailAddress = tony.calanducci@ct.infn.it'
               You can get it with:
                 • openssl x509 -in usercert.pem -subject -noout -nameopt oneline
    • You can also define an AMGA root password, if you plan
      to enable password authentication as well, with:
         – Query> user_password_change root 'bondia'


Enabling Certificate Authentication


    • Edit /etc/mdserver.config on the AMGA server and change
      the following variables:
        –   UseSSL = 1
        –   RequireAuthentication = 1
        –   AllowCertificateAuthentication = 1
        –   CertFile = /etc/grid-security/hostcert.pem
        –   KeyFile = /etc/grid-security/hostkey.pem
        –   TrustedCertDir = /etc/grid-security/certificates
        –   AllowGridProxyLogin = 1
        –   MyProxyHack = 1
    • Enable the users from the VOs you want to give access
      to:
        – VirtualOrganizations = gilda(gilda), eela(eela)
        – VOGroupMap = gilda:/gilda(gilda:users), eela(eela:users)
    • Restart the AMGA server with:
        – /etc/init.d/mdserver restart
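Because the shipped configuration runs the server with no authentication checks, it is worth having a repeatable test that the settings from this slide are really in place before port 8822 is reachable from the User Interfaces. The audit below is an added example, not part of the tutorial or of AMGA: it reads the key = value lines of an mdserver.config (default path /etc/mdserver.config, as on the slide), checks every flag the slide sets to 1, and checks that the certificate, key and trusted-CA paths exist.

```sh
#!/bin/sh
# Added example (not from the tutorial): audit an mdserver.config against the
# "Enabling Certificate Authentication" settings. Prints one line per deviation
# and returns 1 if any flag or path is wrong.
# audit_mdserver_config [FILE]    FILE defaults to /etc/mdserver.config

# cfg_get FILE KEY -> value of the first non-comment "KEY = value" line, trimmed
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

audit_mdserver_config() {
    cfg=${1:-/etc/mdserver.config}; rc=0
    [ -f "$cfg" ] || { echo "MISSING: $cfg"; return 1; }

    # Flags the slide sets to 1: SSL on, authentication mandatory, certificate
    # and VOMS proxy logins accepted
    for pair in UseSSL=1 RequireAuthentication=1 AllowCertificateAuthentication=1 \
                AllowGridProxyLogin=1 MyProxyHack=1; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(cfg_get "$cfg" "$key")
        [ "$got" = "$want" ] || { echo "$key = '${got:-<unset>}' (expected $want)"; rc=1; }
    done

    # Certificate material: set, and present on disk
    for key in CertFile KeyFile TrustedCertDir; do
        path=$(cfg_get "$cfg" "$key")
        if [ -z "$path" ]; then
            echo "$key is not set"; rc=1
        elif [ ! -e "$path" ]; then
            echo "$key = $path does not exist"; rc=1
        fi
    done

    # The VO mapping from the slide; empty means the VO users were not enabled
    [ -n "$(cfg_get "$cfg" VirtualOrganizations)" ] \
        || echo "WARNING: VirtualOrganizations is empty; the VO mapping from the slide is missing"
    return $rc
}

# On the server, before restarting mdserver (not run here):
#   audit_mdserver_config /etc/mdserver.config && /etc/init.d/mdserver restart
```

Chaining the audit in front of the restart, as in the comment, means a server that would come up unauthenticated is never restarted into that state by accident.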
Test the VOMS proxy authentication



    • Log in to the UI and edit $HOME/.mdclient.config:
         –   Login = NULL
         –   UseSSL = require
         –   AuthenticateWithCertificate = 1
         –   UseGridProxy = 1
    • Initialize your proxy, requesting membership of one of
      the enabled VOs (gilda, for example).
    • Start the mdclient tool. You should be authenticated as
      the gilda user (role), belonging to the gilda:users group:
         – $ mdclient
           Connecting to amgarm3.trigrid.it:8822...
           ARDA Metadata Server 1.2.3
           Query> whoami
           >> gilda
           Query> grp_member
           >> gilda:users

Set up a collection for each VO



    • Initialize the VOMS proxy with the user defined as root.
    • Change the previous $HOME/.mdclient.config to log in
      as root.
    • Start mdclient. You should be authenticated as root
      (by your subject):
         – $ mdclient
           Connecting to amgarm3.trigrid.it:8822...
           ARDA Metadata Server 1.2.3
           Query> whoami
           >> root
    • Create a root collection for each VO you support. You can also create
      specific collections to support specific roles or applications:
         – createdir /gilda
         – createdir /eela



Set up collections for VOs (II)



    • Anyone will be allowed to read the new collections, but
      we also want to grant write permissions to the VO users:
         –   Query> acl_show /gilda
         –   >> root rwx
         –   >> system:anyuser rx
         –   Query> acl_add /gilda gilda:users rwx
         –   Query> acl_show gilda
         –   >> root rwx
         –   >> gilda:users rwx
         –   >> system:anyuser rx
    • You could achieve the same result by changing the
      ownership of the /gilda collection with:
         – chown /gilda gilda
    • If you don't want others to read inside the /gilda collection,
      remove the system:anyuser group from the ACLs:
         – Query> acl_remove /gilda/ system:anyuser
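The per-VO procedure of the last two slides (createdir, acl_add for the VO group, optionally acl_remove for system:anyuser) generalised to any list of VOs, plus a small parser for acl_show output so the result can be verified from a script. This is an added example, not code from the tutorial or from AMGA. It assumes the "<vo>:users" group naming from the VOGroupMap on the "Enabling Certificate Authentication" slide, and the usage comment assumes mdclient reads its commands from standard input.

```sh
#!/bin/sh
# Added example (not from the tutorial): generate the mdclient command batch that
# sets up one collection per VO, and parse acl_show output to verify the result.
# vo_setup_commands [-p] VO...            -p also drops system:anyuser read access
# acl_perms PRINCIPAL < acl_show-output   prints the permission string, exits 1 if absent
# acl_world_readable  < acl_show-output   exits 0 if system:anyuser still has read

vo_setup_commands() {
    private=0
    if [ "$1" = "-p" ]; then private=1; shift; fi
    for vo in "$@"; do
        echo "createdir /$vo"
        echo "acl_add /$vo $vo:users rwx"          # VO members get write access
        if [ "$private" = 1 ]; then
            echo "acl_remove /$vo system:anyuser"  # nobody outside the VO can read it
        fi
    done
}

# acl_show prints one ">> principal perms" line per entry (see the slide above)
acl_perms() {
    awk -v p="$1" '$1 == ">>" && $2 == p { print $3; found = 1 }
                   END { exit !found }'
}

acl_world_readable() {
    perms=$(acl_perms system:anyuser) || return 1
    case $perms in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Typical use as the AMGA root role (not run here; assumes mdclient takes
# commands on stdin):
#   vo_setup_commands -p gilda eela | mdclient
#   echo 'acl_show /gilda' | mdclient | acl_world_readable && echo "/gilda is world readable"
```

Keeping the generated batch in version control gives a record of which collections were opened to which VO groups, which is the question that comes up first when a collection turns out to be readable by more than it should.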

References
    • AMGA project Homepage:
         – http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/


    • AMGA Documentation:
         – http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/pages.html

    • AMGA User's and Administrator's manual:
         – http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/amga-manual_1_2_3.pdf

    • AMGA Installation Notes on the GILDA Team Wiki:
         – https://grid.ct.infn.it/twiki/bin/view/GILDA/AMGA
