AMGA Server Installation and configuration - PowerPoint PPT Presentation

Description: Third EELA Tutorial for Managers and Users, Rio de Janeiro. FP62004Infrastructures6-SSA-026409
Provided by: ClaudioC51
Slides: 20

Transcript and Presenter's Notes

1
AMGA Server Installation and configuration
  • Tony Calanducci
  • INFN Catania
  • Third EELA Tutorial for Managers and Users
  • Rio de Janeiro, 26-30 June 2006

2
Outline
  • How to install an AMGA Server
  • AMGA Server Configuration
  • Reference

3
Installation requirements
  • Start from a fresh install of SLC 3.0.x
  • Verify that apt is installed and properly
    configured
  • rpm -qa | grep apt
  • Install apt if necessary
  • Create a /etc/apt/source.list.d/egee-ca.list file
    with this line
  • rpm http://grid018.ct.infn.it/rep glite_sl3-i386 security
  • Run apt-get update
  • Configure ntpd as illustrated in the SysAdmin
    Intro tutorial

4
Security pre-requisites
  • Install the RPMs of all the CAs supported by EGEE
  • apt-get install lcg-CA
  • If you plan to use certificates issued by CAs that
    EGEE does not support, be sure that their public
    key, signing policy and CRLs (usually distributed
    as an RPM) are installed in
    /etc/grid-security/certificates.
  • For the VO GILDA, the RPM is available at
  • https://gilda.ct.infn.it/RPMS/ca_GILDA-1.0-2.i386.rpm
  • Additionally, install the GILDA and EELA VOMS RPMs
  • https://gilda.ct.infn.it/RPMS/edg-voms-vo-gilda-1.0-0.noarch.rpm
  • https://gilda.ct.infn.it/RPMS/lcg-voms-vo-eela_1.0-0_noarch.rpm

5
Security pre-requisites (II)
  • Download and install the edg-utils-system RPM from
  • http://grid018.ct.infn.it/rep/glite_sl3-i386/RPMS/edg-utils-system-1.8.2-1_sl3.noarch.rpm
  • Edit /etc/cron.d/edg-fetch-crl to look like
  • PATH=/sbin:/bin:/usr/sbin:/usr/bin
  • 39 2,8,14,20 * * * root /opt/edg/etc/cron/edg-fetch-crl-cron >> /var/log/edg-fetch-crl-cron.log 2>&1
  • Request an X.509 host certificate for the AMGA
    Server you are going to install from a
    Certification Authority (CA). For example, to get
    host certificates from the GILDA CA, go to
  • https://gilda.ct.infn.it/CA/mgt/restricted/srvreq.php
  • Install the host certificate and key (hostcert.pem
    and hostkey.pem) in /etc/grid-security.
  • chmod 644 hostcert.pem
  • chmod 400 hostkey.pem
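
The two chmod lines above are the only permission check the slide gives, and a key that is readable by other accounts is the most common mistake on a freshly installed host. The following POSIX shell script is an added example, not code from the tutorial or from the AMGA project: check_host_creds verifies that hostcert.pem is mode 644 and hostkey.pem is mode 400 in a directory you pass in, and fix_host_creds applies the modes from the slide. It assumes GNU or BSD stat is available; the default directory /etc/grid-security and the file names are the ones the slide uses.

```shell
#!/bin/sh
# Added example (not part of the AMGA tutorial): verify the file modes the
# slide prescribes for the AMGA host credentials in /etc/grid-security.

# file_mode FILE -> octal permission bits (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_host_creds DIR
# Returns 0 when DIR/hostcert.pem is mode 644 and DIR/hostkey.pem is mode 400.
# Otherwise prints each problem found and returns 1.
check_host_creds() {
    dir=$1
    rc=0
    for f in hostcert.pem hostkey.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    cert_mode=$(file_mode "$dir/hostcert.pem")
    key_mode=$(file_mode "$dir/hostkey.pem")

    # The certificate is public: world-readable (644) is what the slide sets.
    if [ "$cert_mode" != "644" ]; then
        echo "hostcert.pem has mode $cert_mode, expected 644"
        rc=1
    fi
    # The private key must be readable by its owner only (400), as on the slide.
    if [ "$key_mode" != "400" ]; then
        echo "hostkey.pem has mode $key_mode, expected 400"
        rc=1
    fi
    return "$rc"
}

# fix_host_creds DIR -> apply the modes from the slide
fix_host_creds() {
    chmod 644 "$1/hostcert.pem" && chmod 400 "$1/hostkey.pem"
}

# Stand-alone usage: check the directory given as first argument,
# or the slide's /etc/grid-security by default.
if check_host_creds "${1:-/etc/grid-security}"; then
    echo "host credentials have the expected modes"
fi
```

Run it as root after copying the certificate and key into place; a non-zero exit status means at least one of the two files needs attention. Ownership is not checked here: the slide does not state which account mdserver runs as, so adjust the owner to that account separately.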

6
AMGA Server and Client RPMs
  • The following packages are necessary to use AMGA
    and must be installed first: unixODBC, libxml2
    and Boost-lib. You can get the packages via
  • apt-get install unixODBC
  • apt-get install libxml2
  • apt-get install boost
  • Download and install the latest AMGA server and
    client from the AMGA download directory
    (http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/)
  • http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/glite-amga-server-1.2.3-1.SLC3.i386.rpm
  • http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/glite-amga-cli-1.2.3-1.SLC3.i386.rpm

7
DB and ODBC installation
  • You also need a database and the appropriate ODBC
    driver. AMGA currently supports 4 different
    database backends via ODBC drivers (PostgreSQL,
    MySQL, Oracle and SQLite).
  • Install the PostgreSQL that comes with SLC with
  • apt-get install rh-postgresql-server rh-postgresql
  • Install a PostgreSQL ODBC driver (at least
    version 08.01.0200)
  • Download it from http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/amga-odbc.tar.gz
  • Just run the INSTALL.sh script after unpacking
  • NB: don't use the postgresql-odbc package that
    comes with SLC. It's too old and AMGA will not
    work with it

8
postgreSQL configuration
  • Initialize the DB configuration
  • /etc/init.d/rhdb start
  • /etc/init.d/rhdb stop
  • Uncomment the line and set the parameter to
    true in /var/lib/pgsql/data/postgresql.conf as
    follows
  • tcpip_socket = true
  • This is needed to enable the TCP/IP connections used
    by the ODBC driver
  • Add the following lines to /var/lib/pgsql/data/pg_hba.conf
  • host    metadata    arda    127.0.0.1    255.255.255.255    trust
  • local   metadata    arda                                    trust
  • (Used to authorize the arda db user to connect
    to the metadata db)
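
Both pg_hba.conf records above use the trust method, which means the arda user is accepted with no password at all. That is tolerable only because the host record is pinned to 127.0.0.1 and the local record covers the Unix socket; a trust record that matches any other address would let any host that can reach port 5432 read and write the metadata catalogue. The following POSIX shell script is an added example, not code from the tutorial or from PostgreSQL: risky_trust_entries reads a pg_hba.conf in the record layout the slide uses (host DATABASE USER IP-ADDRESS IP-MASK METHOD, local DATABASE USER METHOD) and prints every host record that grants trust to anything other than the loopback address. The sample file inside it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the AMGA tutorial): audit pg_hba.conf for
# "trust" records that reach beyond the local machine.

# pg_hba_sample -> constructed sample in the PostgreSQL 7.x layout from the slide;
# the third record is the kind of entry this audit is meant to catch.
pg_hba_sample() {
    cat <<'EOF'
# TYPE  DATABASE    USER    IP-ADDRESS    IP-MASK            METHOD
host    metadata    arda    127.0.0.1     255.255.255.255    trust
local   metadata    arda                                     trust
host    all         all     0.0.0.0       0.0.0.0            trust
# host  all         all     10.0.0.0      255.0.0.0          trust
EOF
}

# risky_trust_entries [FILE]
# Prints each host/hostssl record whose method is "trust" and whose address is
# not 127.0.0.1; exit status 1 if any such record exists, 0 otherwise.
# Reads standard input when FILE is "-" or omitted.
risky_trust_entries() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blank lines
        ($1 == "host" || $1 == "hostssl") && $NF == "trust" && $4 != "127.0.0.1" {
            print
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "${1:--}"
}

# Stand-alone usage: run the audit over the constructed sample.
if pg_hba_sample | risky_trust_entries -; then
    echo "no trust records reach beyond the local machine"
else
    echo "the records above grant passwordless access from remote hosts; replace trust with md5 or restrict the address"
fi
```

Point it at the real file with risky_trust_entries /var/lib/pgsql/data/pg_hba.conf once the server is configured; with only the two records from the slide present it prints nothing and exits 0.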

9
postgreSQL configuration (II)
  • Start PostgreSQL again
  • /etc/init.d/rhdb start
  • Create the DB user arda, allowed to create
    new DBs
  • su postgres -c 'createuser -d -A arda'
  • Create the Unix user arda
  • adduser arda
  • Let the arda user create the metadata DB
  • su arda -c 'createdb metadata'
  • Allow stored procedures for the metadata db
  • su postgres -c 'createlang -d metadata plpgsql'

10
ODBC driver configuration
  • The ODBC data source is created by appending the
    following lines to /etc/odbc.ini
    [PSQL]
    Description     = AMGA metadata catalogue database
    Driver          = PostgreSQL
    Trace           = No
    TraceFile       = /tmp/metadata/odbc.log
    Database        = metadata
    Servername      = localhost
    Port            = 5432
    ReadOnly        = No
  • Double check /etc/odbcinst.ini, ensuring it
    contains the proper settings for the PostgreSQL
    ODBC driver (it should have been configured by
    INSTALL.sh during the installation)

11
ODBC Testing and metadata DB creation
  • To test whether ODBC was set up correctly you can
    use the generic unixODBC CLI tool
  • isql PSQL metadata
  • Now you can initialize the database using the
    createInitialXXX.sql scripts (where XXX has to be
    replaced with the DB of choice), which you will
    find in /opt/glite/share/doc/glite-amga-server-1.2.3/
  • su arda
    psql metadata < /opt/glite/share/doc/glite-amga-server-1.2.3/createInitialPG.sql
  • If you also want to use per-entry ACLs you need
    to create some stored procedures as well, with
  • psql metadata < /opt/glite/share/doc/glite-amga-server-1.2.3/proceduresPSQL.sql

12
AMGA initial configuration
  • /etc/mdserver.conf contains all the variables you
    need to set up and fine tune the AMGA server. By
    default it configures AMGA with no authentication
    checks.
  • Start the AMGA server with
  • /etc/init.d/mdservice start
  • The AMGA server daemon should be listening on
    port 8822
  • lsof -i | grep 8822
  • mdserver 13856 root 6u IPv4 27296 TCP *:8822 (LISTEN)
  • mdserver 13857 root 6u IPv4 27296 TCP *:8822 (LISTEN)
  • mdserver 13860 root 6u IPv4 27296 TCP *:8822 (LISTEN)

13
AMGA testing
  • Log in to a User Interface where the AMGA
    Client tools are installed.
  • You can check it with rpm -qa | grep -i amga
  • Copy the AMGA client template config file from
    /etc/mdclient.config to your home as
    .mdclient.config
  • cp /etc/mdclient.config $HOME/.mdclient.config
  • Edit the Host variable, filling it with the right
    hostname, and ensure that the Login variable is
    set to root
  • Connect to the AMGA server using the AMGA
    mdclient tool
  • mdclient
  • Connecting to amgarm3.trigrid.it:8822...
  • ARDA Metadata Server 1.2.3
  • Query> whoami
  • >> root
  • Query>

14
Create a root user
  • Inside the mdclient shell, create the root user
    (also called a role inside AMGA) with
  • Query> user_create root
  • Bind the AMGA root role to the subject of the
    AMGA administrator (you in this case)
  • Query> user_subject_add root 'C = IT, O = GILDA, OU = Personal Certificate, L = INFN Catania, CN = Tony Calanducci, emailAddress = tony.calanducci@ct.infn.it'
  • You can get the subject with
  • openssl x509 -in usercert.pem -subject -noout -nameopt oneline
  • You can also define an AMGA root password, if you
    plan to enable password authentication as well,
    with
  • Query> user_password_change root bondia

15
Enabling Certificate Authentication
  • Edit /etc/mdserver.config on the AMGA server and
    change the following variables
  • UseSSL = 1
  • RequireAuthentication = 1
  • AllowCertificateAuthentication = 1
  • CertFile = /etc/grid-security/hostcert.pem
  • KeyFile = /etc/grid-security/hostkey.pem
  • TrustedCertDir = /etc/grid-security/certificates
  • AllowGridProxyLogin = 1
  • MyProxyHack = 1
  • Enable the users from the VOs you want to give
    access to
  • VirtualOrganizations = gilda(gilda), eela(eela)
  • VOGroupMap = gilda/gilda(gildausers), eela(eelausers)
  • Restart the AMGA server with
  • /etc/init.d/mdserver restart
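
Slide 12 noted that the shipped configuration performs no authentication checks, so a server that is restarted with one of the variables above still at its default keeps accepting any client as whoever it claims to be. The following POSIX shell script is an added example, not code from the tutorial or from the AMGA project: audit_mdserver_config reads a server configuration file and reports which of the authentication settings from this slide are missing or not set to 1, and which of the certificate paths are unset. It assumes the file uses "Key = Value" lines with "#" comments, which is how the slide presents the variables; the sample configurations in it are constructed.

```shell
#!/bin/sh
# Added example (not part of the AMGA tutorial): check that mdserver.config
# carries the authentication settings from the "Enabling Certificate
# Authentication" slide before the server is restarted.

# get_setting FILE KEY -> value of the first "KEY = value" line (comments ignored),
# empty output if the key is absent
get_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/#.*/, "", line)            # drop trailing comments
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1)
            v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# audit_mdserver_config FILE
# Prints each setting that leaves the server open; returns 0 only when
# UseSSL, RequireAuthentication and AllowCertificateAuthentication are 1
# and CertFile, KeyFile and TrustedCertDir are set.
audit_mdserver_config() {
    cfg=$1
    bad=0
    for key in UseSSL RequireAuthentication AllowCertificateAuthentication; do
        val=$(get_setting "$cfg" "$key")
        if [ "$val" != "1" ]; then
            echo "$key is '${val:-unset}' (expected 1)"
            bad=1
        fi
    done
    for key in CertFile KeyFile TrustedCertDir; do
        val=$(get_setting "$cfg" "$key")
        if [ -z "$val" ]; then
            echo "$key is not set"
            bad=1
        fi
    done
    return "$bad"
}

# weak_config / hardened_config -> constructed samples: the open default
# versus the settings from the slide.
weak_config() {
    printf '%s\n' 'UseSSL = 0' 'RequireAuthentication = 0' \
        'AllowCertificateAuthentication = 0'
}
hardened_config() {
    printf '%s\n' 'UseSSL = 1' 'RequireAuthentication = 1' \
        'AllowCertificateAuthentication = 1' \
        'CertFile = /etc/grid-security/hostcert.pem' \
        'KeyFile = /etc/grid-security/hostkey.pem' \
        'TrustedCertDir = /etc/grid-security/certificates' \
        'AllowGridProxyLogin = 1' 'MyProxyHack = 1'
}

# Stand-alone usage: audit the file given as first argument, or the
# slide's /etc/mdserver.config by default.
if audit_mdserver_config "${1:-/etc/mdserver.config}"; then
    echo "authentication settings are in place"
fi
```

Run the audit before /etc/init.d/mdserver restart; an empty report and exit status 0 mean the server will require SSL and a certificate from a CA under TrustedCertDir.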

16
Test the VOMS proxy authentication
  • Log in to the UI and edit $HOME/.mdclient.config
  • Login = NULL
  • UseSSL = require
  • AuthenticateWithCertificate = 1
  • UseGridProxy = 1
  • Initialize your proxy, requesting membership of
    one of the enabled VOs (gilda, for example)
  • Start the mdclient tool. You should be
    authenticated as the gilda user (role) belonging
    to the gildausers group
  • mdclient
  • Connecting to amgarm3.trigrid.it:8822...
  • ARDA Metadata Server 1.2.3
  • Query> whoami
  • >> gilda
  • Query> grp_member
  • >> gildausers

17
Set up a collection for each VO
  • Initialize the VOMS proxy with the user defined
    as root.
  • Change the previous $HOME/.mdclient.config to
    log in as root
  • Start mdclient. You should be authenticated
    as root (by your subject)
  • mdclient
  • Connecting to amgarm3.trigrid.it:8822...
  • ARDA Metadata Server 1.2.3
  • Query> whoami
  • >> root
  • Create a root collection for each VO you support.
    You can also create specific collections to
    support specific roles or applications.
  • Query> createdir /gilda
  • Query> createdir /eela

18
Set up collections for VOs (II)
  • Anyone will be allowed to read the new
    collections, but we also want to grant write
    permission to the VO users
  • Query> acl_show /gilda
  • >> root rwx
  • >> system:anyuser rx
  • Query> acl_add /gilda gildausers rwx
  • Query> acl_show gilda
  • >> root rwx
  • >> gildausers rwx
  • >> system:anyuser rx
  • You could achieve the same result by changing the
    ownership of the /gilda collection with
  • Query> chown /gilda gilda
  • If you don't want to allow others to read inside
    the /gilda collection, remove the system:anyuser
    group from the ACLs
  • Query> acl_remove /gilda/ system:anyuser

19
References
  • AMGA project Homepage
  • http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/
  • AMGA Documentation
  • http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/pages.html
  • AMGA Users and Administrators manual
  • http://project-arda-dev.web.cern.ch/project-arda-dev/metadata/downloads/amga-manual_1_2_3.pdf
  • AMGA Installation Notes on GILDA Team Wiki
  • https://grid.ct.infn.it/twiki/bin/view/GILDA/AMGA