LancsXrd
Revision as of 16:31, 2 February 2022 by Matthew Doidge 09da329419 (Talk | contribs)
Lancaster Xroot Server setup
Configs
main config
Start the server with `systemctl start xrootd@server`; with this config it also puts HTTPS on port 1094.
# cat /etc/xrootd/xrootd-server.cfg
###########################################################################
# This is a very simple sample configuration file sufficient to start an  #
# xrootd data server using the default port 1094. This server runs by     #
# itself (stand-alone) and does not assume it is part of a cluster. You   #
# can then connect to this server to access files in '/tmp'.              #
# Consult the reference manuals on how to create more complicated         #
# configurations.                                                         #
#                                                                         #
# On successful start-up you will see 'initialization completed' in the   #
# last message. You can now connect to the xrootd server.                 #
#                                                                         #
# Note: You should always create a *single* configuration file for all    #
# daemons related to xrootd.                                              #
###########################################################################
# NOTE(review): the banner above is the stock sample text. This file does
# not export '/tmp'; it exports /cephfs/grid, enables GSI/VOMS and token
# authorization, and loads XrdHttp on port 1094 (see the directives below).

# The export directive indicates which paths are to be exported.
all.export /cephfs/grid
all.sitename UKI-NORTHGRID-LANCS-HEP

# The adminpath and pidpath variables indicate where the pid and various
# IPC files should be placed
#
all.adminpath /var/spool/xrootd
all.pidpath /run/xrootd

#chksumming
xrootd.chksum adler32

#root tpc
# Third-party copy: transfers are carried out by the external program named
# after "pgm" (/usr/bin/xrdcp --server).
ofs.tpc ttl 7 15 xfr 9 pgm /usr/bin/xrdcp --server

#auth stuff largely from Sam
# GSI (X.509) authentication with VOMS attribute extraction.
# - The host key (-key:) should be readable only by the account xrootd runs as.
# - NOTE(review): -crl:1 is, per the XrdSecgsi reference, "use a CRL if one is
#   available", i.e. revocation checking is skipped when no CRL is present.
#   Since fetch-crl is deployed, consider a level that requires a CRL; confirm
#   the level values against the installed XRootD version first.
# - NOTE(review): -gmapopt/-gmapto and -authzfun control how the certificate
#   identity is mapped before the authdb is consulted; verify the values
#   against the reference manual, they are not explained on this page.
# (Comments are kept above the directive because it uses "\" continuations.)
xrootd.seclib /usr/lib64/libXrdSec.so
sec.protocol /lib64 gsi -certdir:/etc/grid-security/certificates \
                    -cert:/etc/grid-security/xrdcert.pem \
                    -key:/etc/grid-security/xrdkey.pem \
                    -crl:1 \
                    -authzfun:libXrdSecgsiAUTHZVO.so \
                    -gmapopt:10 -gmapto:0 \
                    -vomsat:extract -vomsfun:libXrdVoms.so
# Path-level access rules live in the authdb file.
acc.authdb /etc/grid-security/authdb
# Turns authorization on; without it the authdb is not enforced.
ofs.authorize

#token stuff from https://wlcg-authz-wg.github.io/wlcg-authz-docs/token-based-authorization/configuration/xrootd/
# "++" stacks each plugin onto the authorization chain, so the order of these
# two lines is significant. The issuer-to-path mapping for tokens is defined in
# /etc/xrootd/scitokens.cfg, which is not shown on this page and needs its own
# review.
ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
ofs.authlib ++ libXrdMacaroons.so
# NOTE(review): authorization is already enabled by the bare "ofs.authorize"
# above; this second form looks redundant - confirm and keep only one.
ofs.authorize 1
# Pass the bearer token to the Xrootd authorization framework.
http.header2cgi Authorization authz

#http stuff
# In order to enable the xrdhttp.socket run:
# systemctl enable xrdhttp@http.socket
# In order to start the xrdhttp.socket run:
# systemctl start xrdhttp@http.socket
#
# XrdHttp is loaded on 1094, the same port as the xroot protocol; the
# alternative port bindings below are left commented out.
xrd.protocol http:1094 /usr/lib64/libXrdHttp.so
#xrd.protocol https:1094 /usr/lib64/libXrdHttp.so
#xrd.protocol http:80 /usr/lib64/libXrdHttp.so
# Extracts VOMS attributes from the client certificate for HTTP requests.
http.secxtractor libXrdHttpVOMS.so

#https
#basics
# Same CA directory and host certificate/key as the GSI section above.
http.cadir /etc/grid-security/certificates
http.cert /etc/grid-security/xrdcert.pem
http.key /etc/grid-security/xrdkey.pem
# NOTE(review): the value shown looks like a wiki placeholder. A deployed
# server needs a long, random, site-specific secret here, and because it is
# stored in clear text this file should not be world-readable. Presumably
# XrdHttp uses it to protect data it embeds in redirections - confirm in the
# XrdHttp reference.
http.secretkey areallygoodsecret
# NOTE(review): in OpenSSL cipher-string syntax "ALL" also covers anonymous
# (aNULL) suites, and this filter removes only LOW/EXP/MD5/MD2. Consider
# appending ":!aNULL:!RC4:!3DES" or moving to a current recommended list,
# after checking what the site's clients require.
http.cipherfilter ALL:!LOW:!EXP:!MD5:!MD2

#other http stuff
# Directory listings over HTTP are refused.
http.listingdeny yes
# Serves a fixed robots.txt from the local file.
http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
# Redirections are issued to https destinations.
http.desthttps yes
authdb
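/etc/grid-security/certificates, fetch-crl and vomsdir are set up as normal; the GSI and HTTPS settings above rely on the CA certificates and CRLs there being kept up to date.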
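# cat /etc/grid-security/authdb
# XRootD authorization database referenced by "acc.authdb" in the main config.
# "=" lines define a named compound identity from VO / role / group attributes;
# "x" lines grant that identity privileges on one or more path prefixes.
#
# NOTE(review): several definitions overlap (for example a UK production member
# of atlas satisfies xatlasprd, xatlasukprd, xatlasukusr and xatlasusr). Confirm
# how the installed XRootD resolves overlapping compound identities (definition
# order versus accumulation) so the effective rights are the intended ones.

### Define users
## o - organisation/VO r - role g - group
#test users
= xgridppusr o: gridpp
= xdteamusr o: dteam
= xopsuser o: ops
= xwlcguser o: wlcg
# Token-based identity: matched on the token issuer URL and the /wlcg group.
= wlcgtknusr o: https://wlcg.cloud.cnaf.infn.it/ g: /wlcg
#atlas
= xatlasprd o: atlas r: production
= xatlasplt o: atlas r: pilot
= xatlasukprd o: atlas r: production g: uk
= xatlasukusr o: atlas g: uk
= xatlasusr o: atlas
#hyperk
= xhyperkprd o: hyperk.org r: production
= xhyperkusr o: hyperk.org

### Define accesses
## a - all-rights l - list (don't forget) r - read w - write
# Fix: every rule previously named "/cepfs/grid/srr", which is outside the
# exported tree (/cephfs/grid) and so could never match; the path is corrected
# to /cephfs/grid/srr so the intended list+read grant on the srr directory
# takes effect.
# NOTE(review): "a" grants all rights, which goes beyond read/write; keep it
# to the identities that need to manage their own area. xdteamusr also holds
# "a" on the wlcg area - confirm that is intended.
x xgridppusr /cephfs/grid/gridpp a /cephfs/grid/srr lr
x xdteamusr /cephfs/grid/dteam a /cephfs/grid/wlcg a /cephfs/grid/srr lr
x xatlasprd /cephfs/grid/atlas a /cephfs/grid/srr lr
x xatlasplt /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk lr /cephfs/grid/atlas/atlasscratchdisk lrw /cephfs/grid/srr lr
x xatlasukprd /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk a /cephfs/grid/atlas/atlasscratchdisk lrw /cephfs/grid/srr lr
x xatlasukusr /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk lrw /cephfs/grid/atlas/atlasscratchdisk lrw /cephfs/grid/srr lr
x xatlasusr /cephfs/grid/atlas/atlaslocalgroupdisk lr /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlasscratchdisk lrw /cephfs/grid/srr lr
x xopsuser /cephfs/grid/ops lrw /cephfs/grid/srr lr
x xwlcguser /cephfs/grid/wlcg a /cephfs/grid/srr lr
x wlcgtknusr /cephfs/grid/wlcg a /cephfs/grid/srr lr
x xhyperkprd /cephfs/grid/hyperk.org a /cephfs/grid/srr lr
x xhyperkusr /cephfs/grid/hyperk.org/ lr /cephfs/grid/srr lr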