(Re)Configuration of gPlazma on AGLT2

Due to SRM failures that were traced to probable problems in gPlazma, we are planning to implement some changes to gPlazma to see if they resolve our problems.

From the 1.9.2-3 Release notes there are some issues to explore (also see the 1.9.2.5 Release notes):
  • There is a new mapping method, XACML, which should work well with GUMS.
  • Implementing a grid-vorolemap file for well-known users could provide a fail-safe fall-through option.
  • At AGLT2 we had set saml-vo-mapping-cache-lifetime to 0 (because of some gPlazma/GUMS caching issue in a prior dCache??). We could change this now:

The new GUMS with XACML also supports the older SAML callout, which can be enabled by setting saml-vo-mapping="ON" in the above set of lines. For the saml-vo-mapping, you will continue to use the same endpoint as before the upgrade. The corresponding lines will be the same as they were in the old policy file.

# SAML-based grid VO role mapping
mappingServiceUrl="https://gums.oursite.edu:8443/gums/services/GUMSAuthorizationServicePort"
# Time in seconds to cache the mapping in memory
#saml-vo-mapping-cache-lifetime="0"

Implementation at AGLT2

The original file on AGLT2 was still the prior version from dCache 1.8.0! This may have been part of the problem. We updated to use the new /opt/d-cache/etc/dcachesrm-policy. The difference for AGLT2 is shown here:

root@head01 /opt/d-cache/etc# diff -urNp dcachesrm-gplazma.policy.rpmnew dcachesrm-gplazma.policy
--- dcachesrm-gplazma.policy.rpmnew     2009-04-23 08:13:10.000000000 -0400
+++ dcachesrm-gplazma.policy    2009-05-09 12:45:47.000000000 -0400
@@ -34,18 +34,18 @@
 # Turning all switches OFF leads the running system to a secure quasi-firewall mode.

 # Switches
-xacml-vo-mapping="OFF"
-saml-vo-mapping="OFF"
-kpwd="ON"
+xacml-vo-mapping="ON"
+saml-vo-mapping="ON"
+kpwd="OFF"
 grid-mapfile="OFF"
-gplazmalite-vorole-mapping="OFF"
+gplazmalite-vorole-mapping="ON"

 # Priorities
-xacml-vo-mapping-priority="5"
-saml-vo-mapping-priority="1"
-kpwd-priority="3"
-grid-mapfile-priority="4"
-gplazmalite-vorole-mapping-priority="2"
+xacml-vo-mapping-priority="1"
+saml-vo-mapping-priority="2"
+gplazmalite-vorole-mapping-priority="3"
+kpwd-priority="4"
+grid-mapfile-priority="5"

 # Configurable Options for Plugins|Services
 # #################################################################################
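Review bot: with kpwd switched OFF and xacml-vo-mapping, saml-vo-mapping and gplazmalite-vorole-mapping switched ON, a GUMS outage leaves only the local gplazmalite-vorole-mapping plugin (priority 3) as a fallback, so the grid-vorolemap file has to cover every role the site expects to serve; a comment in the policy file stating that intent, and why both GUMS callouts (XACML at priority 1 and SAML at priority 2) are kept enabled rather than XACML alone, would help whoever reads this diff next. The header comment that "Turning all switches OFF leads the running system to a secure quasi-firewall mode" is also worth keeping in mind: dropping kpwd removes the last purely local authentication path.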
@@ -60,12 +60,12 @@ gridMapFilePath="/etc/grid-security/grid
 storageAuthzPath="/etc/grid-security/storage-authzdb"

 # XACML-based grid VO role mapping
-XACMLmappingServiceUrl="https://fledgling09.fnal.gov:8443/gums/services/GUMSXACMLAuthorizationServicePort"
+XACMLmappingServiceUrl="https://linat02.grid.umich.edu:8443/gums/services/GUMSXACMLAuthorizationServicePort"
 # Time in seconds to cache the mapping in memory
 xacml-vo-mapping-cache-lifetime="180"

 # SAML-based grid VO role mapping
-mappingServiceUrl="https://fledgling09.fnal.gov:8443/gums/services/GUMSAuthorizationServicePort"
+mappingServiceUrl="https://linat02.grid.umich.edu:8443/gums/services/GUMSAuthorizationServicePort"
 # Time in seconds to cache the mapping in memory
 saml-vo-mapping-cache-lifetime="180"
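Review bot: only the two service URLs change in this hunk; both xacml-vo-mapping-cache-lifetime and saml-vo-mapping-cache-lifetime stay at the 180 s value carried over from the .rpmnew, which is worth stating explicitly since the notes above say the site previously ran with the SAML cache lifetime set to 0. Both mappings now point at the single host linat02.grid.umich.edu:8443, so that endpoint is a single point of failure for all GUMS-based authorization and its availability should be monitored alongside SRM.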

The next step was to actually provide an /etc/grid-security/grid-vorolemap file. We chose to provide a generic mapping for our accounts/roles:

root@head01 /etc/grid-security# cat grid-vorolemap
"*" "/atlas/usatlas/Role=production" usatlas1
"*" "/atlas/Role=production" usatlas1
"*" "/atlas/Role=software" usatlas2
"*" "/atlas/usatlas" usatlas3
"*" "/atlas" usatlas4

I also updated our /etc/grid-security/storage-authzdb file:
version 2.1
authorize usatlas1 read-write 751564 55670 / / /
authorize usatlas2 read-write 789089 55670 / / /
authorize usatlas3 read-write 789090 55670 / /pnfs/aglt2.org/atlascalibdata /
authorize usatlas3 read-only 789090 55670 / /pnfs/aglt2.org/atlascalibdisk /
authorize usatlas3 read-only 789090 55670 / /pnfs/aglt2.org/atlasdatadisk /
authorize usatlas3 read-write 789090 55670 / /pnfs/aglt2.org/atlasgroupdisk /
authorize usatlas3 read-only 789090 55670 / /pnfs/aglt2.org/atlasmcdisk /
authorize usatlas3 read-only 789090 55670 / /pnfs/aglt2.org/atlasproddisk /
authorize usatlas3 read-write 789090 55670 / /pnfs/aglt2.org/atlasscratchdisk /
authorize usatlas3 read-write 789090 55670 / /pnfs/aglt2.org/atlasuserdisk /
authorize usatlas3 read-write 789090 55670 / /pnfs/aglt2.org/data /
authorize usatlas3 read-write 789090 55670 / /pnfs/aglt2.org/dq2 /
authorize usatlas4 read-write 834083 55670 / /pnfs/aglt2.org/atlascalibdata /
authorize usatlas4 read-only 834083 55670 / /pnfs/aglt2.org/atlascalibdisk /
authorize usatlas4 read-only 834083 55670 / /pnfs/aglt2.org/atlasdatadisk /
authorize usatlas4 read-write 834083 55670 / /pnfs/aglt2.org/atlasgroupdisk /
authorize usatlas4 read-only 834083 55670 / /pnfs/aglt2.org/atlasmcdisk /
authorize usatlas4 read-only 834083 55670 / /pnfs/aglt2.org/atlasproddisk /
authorize usatlas4 read-write 834083 55670 / /pnfs/aglt2.org/atlasscratchdisk /
authorize usatlas4 read-write 834083 55670 / /pnfs/aglt2.org/atlasuserdisk /
authorize usatlas4 read-write 834083 55670 / /pnfs/aglt2.org/data /
authorize usatlas4 read-write 834083 55670 / /pnfs/aglt2.org/dq2 /
authorize uscms01 read-write 751562 55671 / /pnfs/aglt2.org/data /
authorize uscms02 read-write 751563 55671 /pnfs/aglt2.org/data / /
authorize star read-write 789088 55669 / /pnfs/aglt2.org/data /
authorize gadu read-write 783718 55665 / /pnfs/aglt2.org/data /
authorize fermilab read-write 783718 55665 / /pnfs/aglt2.org/data /

This should better reflect ATLAS (and AGLT2) storage authorization policies.
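As an added example (not part of this page or of dCache itself), the following script parses the two file formats shown above, resolves a DN/FQAN pair to the username gPlazma's vorole mapping would hand out, and then lists any username the grid-vorolemap can produce that storage-authzdb never authorizes, which is exactly the gap that would defeat the fall-through option. The sample contents are constructed inline from a subset of the AGLT2 files (uid/gid values as on the page), with usatlas4 deliberately omitted from the authzdb; the "first matching line wins" rule for the vorolemap is an assumption documented in the code.

```python
import shlex
from fnmatch import fnmatch

# Constructed sample: a subset of the AGLT2 files shown above, with
# usatlas4 deliberately left out of storage-authzdb to exercise the check.
VOROLEMAP = '''\
"*" "/atlas/usatlas/Role=production" usatlas1
"*" "/atlas/Role=production" usatlas1
"*" "/atlas/Role=software" usatlas2
"*" "/atlas/usatlas" usatlas3
"*" "/atlas" usatlas4
'''
AUTHZDB = '''\
version 2.1
authorize usatlas1 read-write 751564 55670 / / /
authorize usatlas2 read-write 789089 55670 / / /
authorize usatlas3 read-write 789090 55670 / /pnfs/aglt2.org/atlascalibdata /
authorize usatlas3 read-only 789090 55670 / /pnfs/aglt2.org/atlasdatadisk /
'''
FIELDS = ("access", "uid", "gid", "home", "root", "fsroot")

def parse_vorolemap(text):
    """Each line: "<DN or *>" "<FQAN>" <username>; '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) == 3:
            rows.append(tuple(parts))
    return rows

def map_user(rows, dn, fqan):
    """Assumed semantics: the first line whose DN pattern matches the
    certificate DN and whose FQAN equals the presented FQAN wins."""
    for dn_pat, fq, user in rows:
        if fnmatch(dn, dn_pat) and fq == fqan:
            return user
    return None

def parse_authzdb(text):
    """'authorize <user> <access> <uid> <gid> <home> <root> <fsroot>' records,
    grouped by username (a user may have one record per storage root)."""
    db = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 8 and parts[0] == "authorize":
            db.setdefault(parts[1], []).append(dict(zip(FIELDS, parts[2:])))
    return db

def unauthorized_targets(rows, db):
    """Usernames the vorolemap can produce that storage-authzdb never authorizes."""
    return sorted({user for _, _, user in rows} - set(db))
```

Run `unauthorized_targets(parse_vorolemap(open(...).read()), parse_authzdb(open(...).read()))` against the real files after every edit; an empty list means every mapped account has at least one storage-authzdb record.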

Other Issues Found

In addition to having the older dcachesrm-policy file, I found:

  • Our /etc/grid-security/vomsdir was out of date, so I installed the most recent lcg-vomscerts rpms.
  • We needed to have a copy of our hostcert.pem in the /etc/grid-security/vomsdir directory.
  • The /etc/grid-security/container[cert|key].pem files were expired. I recopied them from the /etc/grid-security/host[cert|key].pem files.

-- ShawnMcKee - 09 May 2009
Topic revision: r1 - 09 May 2009, ShawnMcKee