Difference between revisions of "LancsXrd"

From GridPP Wiki
Jump to: navigation, search
(Lancaster Xroot Server setup)
(Useful Pages)
Line 4: Line 4:
 
(list in progress)
 
(list in progress)
 
https://twiki.cern.ch/twiki/bin/view/AtlasComputing/StorageSetUp#Recommendation
 
https://twiki.cern.ch/twiki/bin/view/AtlasComputing/StorageSetUp#Recommendation
 +
 
(new) https://xrootd-howto.readthedocs.io/en/latest/
 
(new) https://xrootd-howto.readthedocs.io/en/latest/
 +
 
https://wlcg-authz-wg.github.io/wlcg-authz-docs/token-based-authorization/configuration/xrootd/
 
https://wlcg-authz-wg.github.io/wlcg-authz-docs/token-based-authorization/configuration/xrootd/
  

Revision as of 16:37, 2 February 2022

Lancaster Xroot Server setup

Useful Pages

(list in progress) https://twiki.cern.ch/twiki/bin/view/AtlasComputing/StorageSetUp#Recommendation

(new) https://xrootd-howto.readthedocs.io/en/latest/

https://wlcg-authz-wg.github.io/wlcg-authz-docs/token-based-authorization/configuration/xrootd/

Configs

main config

starting with systemctl start xrootd@server, puts https on port 1094 too 

# cat /etc/xrootd/xrootd-server.cfg 
###########################################################################
# This is a very simple sample configuration file sufficient to start an  #
# xrootd data server using the default port 1094. This server runs by     #
# itself (stand-alone) and does not assume it is part of a cluster. You   #
# can then connect to this server to access files in '/tmp'.              #
# Consult the the reference manuals on how to create more complicated     #
# configurations.                                                         #
#                                                                         #
# On successful start-up you will see 'initialization completed' in the   #
# last message. You can now connect to the xrootd server.                 #
#                                                                         #
# Note: You should always create a *single* configuration file for all    #
# daemons related to xrootd.                                              #
###########################################################################

# The export directive indicates which paths are to be exported. While the
all.export /cephfs/grid
all.sitename UKI-NORTHGRID-LANCS-HEP
# The adminpath and pidpath variables indicate where the pid and various
# IPC files should be placed
#
all.adminpath /var/spool/xrootd
all.pidpath /run/xrootd

#chksumming
xrootd.chksum adler32

#root tpc
ofs.tpc  ttl 7 15 xfr 9 pgm /usr/bin/xrdcp --server 

#auth stuff largely from Sam
xrootd.seclib /usr/lib64/libXrdSec.so
sec.protocol /lib64 gsi -certdir:/etc/grid-security/certificates \
                    -cert:/etc/grid-security/xrdcert.pem \
                    -key:/etc/grid-security/xrdkey.pem \
                    -crl:1 \
                    -authzfun:libXrdSecgsiAUTHZVO.so \
                    -gmapopt:10 -gmapto:0 \
                    -vomsat:extract -vomsfun:libXrdVoms.so

acc.authdb /etc/grid-security/authdb
ofs.authorize

#token stuff from https://wlcg-authz-wg.github.io/wlcg-authz-docs/token-based-authorization/configuration/xrootd/

ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
ofs.authlib ++ libXrdMacaroons.so 
ofs.authorize 1

# Pass the bearer token to the Xrootd authorization framework.
http.header2cgi Authorization authz


#http stuff
# In order to enable the xrdhttp.socket run:
#	systemctl enable xrdhttp@http.socket
# In order to start the xrdhttp.socket run:
#	systemctl start xrdhttp@http.socket
#
xrd.protocol http:1094 /usr/lib64/libXrdHttp.so
#xrd.protocol https:1094 /usr/lib64/libXrdHttp.so
#xrd.protocol http:80 /usr/lib64/libXrdHttp.so

http.secxtractor libXrdHttpVOMS.so

#https
#basics
http.cadir /etc/grid-security/certificates
http.cert /etc/grid-security/xrdcert.pem
http.key /etc/grid-security/xrdkey.pem
http.secretkey areallygoodsecret
http.cipherfilter ALL:!LOW:!EXP:!MD5:!MD2


#other http stuff
http.listingdeny yes
http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
http.desthttps yes

authdb

/etc/grid-security/certificates, fetch-crl, vomsdir set up as normal. 


# cat /etc/grid-security/authdb
### Define users
## o - organisation/VO r - role g - group
#test users
= xgridppusr o: gridpp 
= xdteamusr o: dteam
= xopsuser o: ops
= xwlcguser o: wlcg
= wlcgtknusr o: https://wlcg.cloud.cnaf.infn.it/ g: /wlcg
#atlas
= xatlasprd o: atlas r: production
= xatlasplt o: atlas r: pilot
= xatlasukprd o: atlas r: production g: uk
= xatlasukusr o: atlas g: uk
= xatlasusr o: atlas
#hyperk
= xhyperkprd o: hyperk.org r: production
= xhyperkusr o: hyperk.org
### Define acceses
## a - all-rights l - list (don't forget) r - read w - write
x xgridppusr /cephfs/grid/gridpp a /cepfs/grid/srr lr
x xdteamusr /cephfs/grid/dteam a /cephfs/grid/wlcg a /cepfs/grid/srr lr
x xatlasprd /cephfs/grid/atlas a /cepfs/grid/srr lr
x xatlasplt /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk lr /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xatlasukprd /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk a /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xatlasukusr /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk lrw /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xatlasusr /cephfs/grid/atlas/atlaslocalgroupdisk lr /cephfs/grid/atlas/atlasdatadisk lr  /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xopsuser /cephfs/grid/ops lrw /cepfs/grid/srr lr
x xwlcguser /cephfs/grid/wlcg a /cepfs/grid/srr lr
x wlcgtknusr /cephfs/grid/wlcg a /cepfs/grid/srr lr
x xhyperkprd /cephfs/grid/hyperk.org a /cepfs/grid/srr lr
x xhyperkusr /cephfs/grid/hyperk.org/ lr /cepfs/grid/srr lr
Retrieved from "https://www.gridpp.ac.uk/w/index.php?title=LancsXrd&oldid=21127"