T2BTracAccess

From T2B Wiki

Automatic generation of the authorized DN list

Only members of becms and beapps can log in to the T2B Trac Wiki. The login restriction is enforced by the Apache SSL configuration on mon:

[root@mon ~]# cat /etc/httpd/conf.d/ssl.conf
...
<Location "/trac/t2b">
    SetHandler mod_python
    PythonHandler trac.web.modpython_frontend
    PythonOption TracEnvParentDir /var/www/trac
    PythonOption TracUriRoot /trac

    SSLVerifyClient require
    SSLOptions           +FakeBasicAuth +StdEnvVars
    SSLRequireSSL

    AuthType Basic
    AuthName "test server"
    AuthUserFile /tmp/get-dns/t2b-auth
    Require valid-user
</Location>

Each line of /tmp/get-dns/t2b-auth is a DN, then ":", then an encrypted password that is never used: with +FakeBasicAuth, mod_ssl authenticates the client using the certificate's subject DN as the user name and a fixed password, so the htpasswd file only has to list which DNs are allowed. The file is not generated on mon, because mon does not have the grid middleware tools. Instead, the list is generated on cream02 by the script /root/get_dns.pl, run from a cron job:

[root@cream02 ~]# crontab -e
...
*/15 * * * * ( date --iso-8601=seconds --utc; /root/get_dns.pl) >> /var/log/get_dns.log 2>&1
...

The list is then copied from cream02 to mon by a cron job on qnat:

[root@qnat ~]# crontab -e
...
0 * * * * scp cream02.iihe.ac.be:/root/get-dns/t2b-auth mon.iihe.ac.be:/tmp/get-dns/
...

Gory details

How the DN list is generated on cream02

A Perl script first writes a config file ("conf") with the following content:

group vomss://voms01.begrid.be:8443/voms/beapps?/beapps .beapps
group vomss://voms01.begrid.be:8443/voms/betest?/betest .betest
group vomss://voms.cern.ch:8443/voms/cms?/cms/becms .cms

The script then runs the following command:

/usr/sbin/edg-mkgridmap --conf conf --output out

The DNs are then extracted from the output file ("out") and written, one per line in the format described above, to /root/get-dns/t2b-auth.
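The extraction step, as an added example in Python rather than the site's own get_dns.pl: it parses grid-mapfile lines of the form `"<DN>" <mapping>` from edg-mkgridmap's output, deduplicates the DNs, and renders the htpasswd-style file that FakeBasicAuth expects. The sample output and the DNs in it are constructed; the hash constant is the value the Apache mod_ssl documentation gives for the fixed FakeBasicAuth password.

```python
import os
import re
import tempfile
# mod_ssl's +FakeBasicAuth logs every client in as user "<subject DN>" with the
# fixed password "password"; Apache documents its crypt(3) form as xxj31ZMTZzkVA.
FAKE_BASIC_AUTH_HASH = "xxj31ZMTZzkVA"

# One grid-mapfile mapping per line: "<DN>" <group-or-account>
GRIDMAP_LINE = re.compile(r'^\s*"(?P<dn>[^"]+)"\s+\S+\s*$')

# Constructed sample of edg-mkgridmap output (not real users).
SAMPLE_OUT = '''# generated by edg-mkgridmap
"/DC=org/DC=terena/DC=tcs/C=BE/O=Example Inst/CN=Alice Example" .beapps
"/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=bob/CN=1/CN=Bob Example" .cms
"/DC=org/DC=terena/DC=tcs/C=BE/O=Example Inst/CN=Alice Example" .betest
"/C=BE/O=Example Inst/CN=Carol:Broken" .beapps
this line is not a mapping
'''

def extract_dns(gridmap_text):
    """Return the unique DNs in first-seen order, ignoring comments and junk."""
    dns = []
    for line in gridmap_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if m is None:
            continue  # not a "<DN>" <mapping> line; never turn junk into a login
        dn = m.group("dn")
        # AuthUserFile splits user from hash at the first ':', so a DN with a
        # colon could never match; drop it rather than emit a bogus entry.
        if ":" in dn or dn in dns:
            continue
        dns.append(dn)
    return dns

def render_auth_file(dns):
    """htpasswd-style text: one 'DN:hash' line per authorized DN."""
    return "".join(f"{dn}:{FAKE_BASIC_AUTH_HASH}\n" for dn in dns)

def write_auth_file(gridmap_text, path):
    """Atomically replace the auth file; refuse to install an empty list."""
    dns = extract_dns(gridmap_text)
    if not dns:
        raise RuntimeError("no DNs extracted, keeping the existing auth file")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(render_auth_file(dns))
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)  # readers never see a half-written file
    return len(dns)
```

Refusing to write an empty list means a failed edg-mkgridmap run (for example a VOMS server outage) leaves the previous authorized list in place instead of silently producing a file with no valid users.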
