Upgrading from GPlazma1 to GPlazma2 on dCache 2.2.12

In preparation for upgrading to dCache 2.6 we need to reconfigure our dCache gPlazma configuration to go from gplazma1 to gplazma2. Paul Millar (dCache) wrote a useful presentation on what is required (http://www.dcache.org/manuals/2013/workshop/slides/gPlazma.pdf). Below are the details of how we handled this at AGLT2.

Initial gplazma1 Configuration

On head01 we had the following files running GPlazma1 on June 12 2013:
  • /etc/dcache/dcache.conf

#gplazmaPolicy=${dcache.paths.etc}/dcachesrm-gplazma.policy
gplazma.legacy.config=${dcache.paths.etc}/dcachesrm-gplazma.policy

  • /etc/dcache/dcachesrm-gplazma.policy (relevant sections shown below):

# Switches
xacml-vo-mapping="ON"
saml-vo-mapping="ON"
kpwd="OFF"
grid-mapfile="OFF"
gplazmalite-vorole-mapping="ON"

# Priorities
gplazmalite-vorole-mapping-priority="1"
xacml-vo-mapping-priority="2"
saml-vo-mapping-priority="3"
kpwd-priority="4"
grid-mapfile-priority="5"

# XACML-based grid VO role mapping
XACMLmappingServiceUrl="https://linat02.grid.umich.edu:8443/gums/services/GUMSXACMLAuthorizationServicePort"
# Time in seconds to cache the mapping in memory
xacml-vo-mapping-cache-lifetime="180"

# SAML-based grid VO role mapping
mappingServiceUrl="https://linat02.grid.umich.edu:8443/gums/services/GUMSAuthorizationServicePort"
# Time in seconds to cache the mapping in memory
saml-vo-mapping-cache-lifetime="180"

# Built-in gPLAZMAlite grid VO role mapping
gridVoRolemapPath="/etc/grid-security/grid-vorolemap"
gridVoRoleStorageAuthzPath="/etc/grid-security/storage-authzdb"
vomsValidation="false"

  • /etc/dcache/gplazma.conf

auth requisite gplazma1
map requisite gplazma1
session requisite gplazma1

This means we are using the gplazmalite-vorole-mapping, xacml-vo-mapping and saml-vo-mapping capabilities (in that priority order). We need to transition these to gplazma2 following Paul Millar's presentation above.

The additional relevant files are
  • /etc/grid-security/grid-vorolemap
  • /etc/grid-security/gsi-authz.conf
  • /etc/grid-security/storage-authzdb

Transitioning to gplazma2

The presentation is nice but doesn't deal with transitioning SAML or XACML from gplazma1 to gplazma2. Searching on Google provided some hints that we can try.

Let's gather the gplazma2 statements required for each mapping instance, in the priority order specified in the dcachesrm-gplazma.policy file.

gplazmalite-vorole-mapping

From the presentation we need the following gplazma2 statements for the gplazmalite-vorole-mapping:

auth optional x509
auth optional voms
map optional vorolemap
map sufficient authzdb
account requisite vorolemap
session sufficient authzdb

xacml-vo-mapping

From the presentation we need to add:

auth optional xacml
map sufficient authzdb
account requisite authzdb
session sufficient authzdb

saml-vo-mapping

Last mapping is saml-vo-mapping. I expect we no longer require this option since it is redundant with the XACML option above.

Creating the gplazma-new.conf file

auth optional x509
auth optional voms
auth optional xacml
map optional vorolemap
map sufficient authzdb
map sufficient authzdb
account requisite vorolemap
account requisite authzdb
session sufficient authzdb
session sufficient authzdb

Removing the duplicated map and session lines (a second identical "sufficient authzdb" entry can never change the outcome of its phase) gives us

auth optional x509
auth optional voms
auth optional xacml
map optional vorolemap
map sufficient authzdb
account requisite vorolemap
account requisite authzdb
session sufficient authzdb
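To reason about a candidate gplazma.conf before wiring it into a domain, here is an added Python model of how gPlazma2 walks each phase's plugin stack with the PAM-style control flags required/requisite/sufficient/optional. It is an illustration written for these notes, not dCache code and not from the presentation. Assumptions: a phase succeeds when no required or requisite plugin failed and at least one plugin in its stack succeeded; the per-plugin outcomes are supplied as a dict instead of coming from real certificates, grid-vorolemap or GUMS; and the list of plugin names and the two (phase, plugin) pairs that dCache 2.2.12 refused to load are taken from the log lines on this page, not from dCache's full plugin matrix.

```python
"""Model of gPlazma2 phase/control-flag evaluation for a gplazma.conf.

Added illustration, not dCache code. Assumed (PAM-style) semantics:
  requisite  - failure ends the phase with failure immediately
  required   - failure is remembered; the remaining plugins still run
  sufficient - success ends the phase with success unless a required
               plugin already failed; failure is ignored
  optional   - only counts towards "did any plugin succeed"
A phase succeeds if no required/requisite plugin failed and at least one
plugin succeeded. Phases run auth -> map -> account -> session and the
walk stops at the first failed phase.
"""
from collections import defaultdict

PHASES = ("auth", "map", "account", "session")
CONTROLS = ("required", "requisite", "sufficient", "optional")

# Plugin names used on this page; anything else is flagged (dCache 2.2.12
# logged "failed to create vorole: no such plugin" for a misspelt name).
PLUGINS_ON_PAGE = {"x509", "voms", "xacml", "vorolemap", "authzdb"}
# (phase, plugin) pairs this page reports dCache 2.2.12 refusing to load.
REJECTED_ON_PAGE = {("account", "vorolemap"), ("account", "authzdb")}

# The merged gplazma-new.conf from above, before de-duplication.
GPLAZMA_NEW_CONF = """\
auth optional x509
auth optional voms
auth optional xacml
map optional vorolemap
map sufficient authzdb
map sufficient authzdb
account requisite vorolemap
account requisite authzdb
session sufficient authzdb
"""


def parse(text):
    """Return [(phase, control, plugin)]; '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected '<phase> <control> <plugin>'")
        phase, control, plugin = parts[:3]
        if phase not in PHASES:
            raise ValueError(f"line {lineno}: unknown phase {phase!r}")
        if control not in CONTROLS:
            raise ValueError(f"line {lineno}: unknown control {control!r}")
        entries.append((phase, control, plugin))
    return entries


def lint(entries):
    """Warnings worth seeing before restarting a domain with this file."""
    warnings, seen = [], set()
    for entry in entries:
        phase, control, plugin = entry
        if plugin not in PLUGINS_ON_PAGE:
            warnings.append(f"{phase} {control} {plugin}: plugin name not in the known list")
        if (phase, plugin) in REJECTED_ON_PAGE:
            warnings.append(f"{phase} {control} {plugin}: plugin does not load as type {phase}")
        if entry in seen:
            warnings.append(f"{phase} {control} {plugin}: duplicate line (redundant)")
        seen.add(entry)
    return warnings


def dedupe(entries):
    """Drop exact repeats, keeping the first occurrence and the order."""
    out = []
    for e in entries:
        if e not in out:
            out.append(e)
    return out


def run_phase(stack, results):
    """Evaluate one phase's [(control, plugin)] stack; results maps plugin -> bool."""
    failed = succeeded = False
    for control, plugin in stack:
        ok = results.get(plugin, False)
        if control == "requisite":
            if not ok:
                return False
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True
        elif control == "sufficient":
            if ok and not failed:
                return True
        elif control == "optional":
            succeeded = succeeded or ok
    return succeeded and not failed


def evaluate(entries, results):
    """Run the phases in order; returns {phase: bool} up to the first failure."""
    stacks = defaultdict(list)
    for phase, control, plugin in entries:
        stacks[phase].append((control, plugin))
    outcome = {}
    for phase in PHASES:
        if phase not in stacks:
            continue
        outcome[phase] = run_phase(stacks[phase], results)
        if not outcome[phase]:
            break
    return outcome


if __name__ == "__main__":
    conf = parse(GPLAZMA_NEW_CONF)
    for w in lint(conf):
        print("warning:", w)
    # Constructed outcomes: VOMS proxy mapped by both grid-vorolemap and storage-authzdb.
    print(evaluate(dedupe(conf), {"x509": True, "voms": True, "vorolemap": True, "authzdb": True}))
    # Constructed outcomes: DN known only to GUMS via xacml, absent from grid-vorolemap.
    print(evaluate(dedupe(conf), {"x509": True, "xacml": True, "authzdb": True}))
```

Two things the model makes visible: the duplicated "map sufficient authzdb" line changes nothing (evaluate gives the same result before and after dedupe), and "account requisite vorolemap" would refuse a user whom only the xacml/GUMS path can map, so the two stacks from the presentation do not simply concatenate. Independently of that, the account lines were rejected outright on dCache 2.2.12, as recorded in the snag list on this page.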

Testing gplazma2

We will create the configuration and set up a temporary domain and door to test things with:
  1. First step is to create the gplazma-new.conf file as /etc/dcache/gplazma-new.conf containing the contents listed above.
  2. Copy the existing /etc/dcache/gplazma.conf to /etc/dcache/gplazma-old.conf.
  3. Create a new [gplazma-newDomain] in the /etc/dcache/layouts/head01.conf file with gplazma using the /etc/dcache/gplazma-new.conf file
    • gplazma.configuration.file = /etc/dcache/gplazma-new.conf
    • gplazma/cell.name = gPlazma-new
    • gplazma = gPlazma-new
    • useGPlazmaAuthorizationCell=true
  4. Create a new door that uses the new gPlazma
    • Actually I just configured the web-dav and webadmin domains to use the new door by including the lines in 3. above in their domain config
  5. Specify the right service end-point for XACML in the head01.conf layout file
    • gplazma.xacml.service.url=https://linat02.grid.umich.edu:8443/gums/services/GUMSXACMLAuthorizationServicePort

In trying to get this to work I hit some snags.

  • In Paul's presentation he has 'authzdb' in some places and 'authdb' later (for the gplazma-new.conf file). I think authzdb is correct and I updated the notes above.
  • The 'vorole' is shown but this is rejected: '12 Jun 2013 14:42:27 (gPlazma-new) [] failed to create vorole: no such plugin'. I think vorolemap is correct and I updated the notes above.
  • I was unable to get either vorolemap or authzdb to load in the account section: 'plugin vorolemap (java class org.dcache.gplazma.plugins.VoRoleMapPlugin) does not support being loaded as type account' or 'plugin authzdb (java class org.dcache.gplazma.plugins.AuthzDbPlugin) does not support being loaded as type account'
I need to get these details fixed before we can proceed to migrate.

-- ShawnMcKee - 12 Jun 2013
Topic revision: r5 - 14 Jun 2013, ShawnMcKee