T2BTracAccess
Automatic generation of the authorized DNs list
Only people from becms and beapps (and, as the generated configuration below shows, betest) can log in to the T2B Trac wiki. The login restriction is enforced in the httpd SSL configuration on mon: every client must present a certificate that verifies against the server's CA list, and the certificate's subject DN must appear in the AuthUserFile.
[root@mon ~]# cat /etc/httpd/conf.d/ssl.conf
...
<Location "/trac/t2b">
SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracEnvParentDir /var/www/trac
PythonOption TracUriRoot /trac
SSLVerifyClient require
SSLOptions +FakeBasicAuth +StdEnvVars
SSLRequireSSL
AuthType Basic
AuthName "test server"
AuthUserFile /tmp/get-dns/t2b-auth
Require valid-user
</Location>
With SSLOptions +FakeBasicAuth, mod_ssl takes the subject DN of the verified client certificate as the Basic-auth user name and presents the fixed password "password" on the user's behalf. Each line in /tmp/get-dns/t2b-auth is therefore a DN followed by ":" followed by the crypt hash of that fixed string (xxj31ZMTZzkVA, as documented for mod_ssl); nobody ever types a password, the client certificate is what authenticates the user, and a DN simply has to be present in the file to be let in. Note that /tmp is a fragile place for an AuthUserFile: the directory is world-writable and is purged on many systems, so a location under /etc/httpd would be more robust. The file is not generated on mon because mon does not have the grid middleware tools. Instead, the list is generated on cream02 by the script /root/get_dns.pl, run every 15 minutes from a crontab:
[root@cream02 ~]# crontab -e
...
*/15 * * * * ( date --iso-8601=seconds --utc; /root/get_dns.pl) >> /var/log/get_dns.log 2>&1
...
The list is then copied once an hour from cream02 to mon by a cron job on qnat. Note that scp rewrites the destination file in place, so httpd on mon can briefly read an empty or partial list while the copy is in progress:
[root@qnat ~]# crontab -e
...
0 * * * * scp cream02.iihe.ac.be:/root/get-dns/t2b-auth mon.iihe.ac.be:/tmp/get-dns/
...
Gory details
How the DNs list is generated on cream02
The Perl script first writes an edg-mkgridmap configuration file ("conf") mapping each VOMS group to a local account name, with the following content:
group vomss://voms01.begrid.be:8443/voms/beapps?/beapps .beapps
group vomss://voms01.begrid.be:8443/voms/betest?/betest .betest
group vomss://voms.cern.ch:8443/voms/cms?/cms/becms .cms
The script then runs edg-mkgridmap, which queries the VOMS servers and writes a grid-mapfile:
/usr/sbin/edg-mkgridmap --conf conf --output out
The DNs are then extracted from the output file ("out"), which is in grid-mapfile format (one double-quoted DN and its local account per line), and written out as the content of /root/get-dns/t2b-auth, one "DN:hash" line per DN.
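As an added example, not the T2B get_dns.pl script (which is Perl and is not reproduced on the page), here is the same pipeline in Python covering both the AuthUserFile format described under "Automatic generation of the authorized DNs list" and the generation steps above: render the conf, run edg-mkgridmap, parse its grid-mapfile output and emit htpasswd-style "DN:xxj31ZMTZzkVA" lines. It adds two guards the page does not mention: a DN that is a member of several VOs is written only once, and the list is not replaced by an empty one when the VOMS servers cannot be reached (which would lock everybody out). The sample grid-mapfile lines and the DNs in them are constructed; the file names "conf" and "out" and the directory /root/get-dns follow the page, and the path of edg-mkgridmap is the one shown above.

```python
#!/usr/bin/env python3
"""Rebuild an Apache AuthUserFile for SSLOptions +FakeBasicAuth from
edg-mkgridmap output.  Added example; not the T2B /root/get_dns.pl script."""
import os
import re
import subprocess
import tempfile

# mod_ssl +FakeBasicAuth logs every client in with the fixed password
# "password"; this is its traditional crypt(3) hash from the mod_ssl docs.
FAKE_BASIC_AUTH_HASH = "xxj31ZMTZzkVA"

# VOMS groups to local accounts, exactly as in the conf shown on the page.
VOMS_GROUPS = [
    ("vomss://voms01.begrid.be:8443/voms/beapps?/beapps", ".beapps"),
    ("vomss://voms01.begrid.be:8443/voms/betest?/betest", ".betest"),
    ("vomss://voms.cern.ch:8443/voms/cms?/cms/becms", ".cms"),
]

# Constructed sample of edg-mkgridmap output (grid-mapfile format); the DNs
# are invented for this example.  Alice is in two VOs on purpose.
SAMPLE_GRIDMAP = """\
# generated by edg-mkgridmap (constructed sample)
"/C=BE/O=BEGRID/OU=IIHE/CN=Alice Example" .beapps
"/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=bexample/CN=000000/CN=Bob Example" .cms
"/C=BE/O=BEGRID/OU=IIHE/CN=Alice Example" .cms
"""


def mkgridmap_conf(groups=VOMS_GROUPS):
    """Render the edg-mkgridmap config: one 'group <vomss URL> <account>' line each."""
    return "".join(f"group {url} {account}\n" for url, account in groups)


# grid-mapfile entry: a double-quoted DN (it may contain spaces), then an account.
_MAPLINE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def dns_from_gridmap(text):
    """Return the DNs of a grid-mapfile in file order, without duplicates.
    A DN that is in several VOs would otherwise produce two htpasswd entries."""
    seen, dns = set(), []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _MAPLINE.match(line)
        if m and m.group(1) not in seen:
            seen.add(m.group(1))
            dns.append(m.group(1))
    return dns


def auth_file_text(dns):
    """htpasswd-style lines: the DN is the user name, the hash is the fixed one."""
    return "".join(f"{dn}:{FAKE_BASIC_AUTH_HASH}\n" for dn in dns)


def write_atomically(path, text, mode=0o644):
    """Write via a temp file in the same directory plus rename, so a reader
    (scp on qnat, later httpd on mon) never sees a half-written list."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".t2b-auth.")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(tmp, mode)
    os.replace(tmp, path)


def refresh(auth_path="/root/get-dns/t2b-auth", workdir="/root/get-dns",
            mkgridmap="/usr/sbin/edg-mkgridmap"):
    """Regenerate auth_path and return the number of DNs written.
    Paths follow the page; the 'conf' and 'out' file names are assumed."""
    conf = os.path.join(workdir, "conf")
    out = os.path.join(workdir, "out")
    with open(conf, "w") as f:
        f.write(mkgridmap_conf())
    subprocess.run([mkgridmap, "--conf", conf, "--output", out], check=True)
    with open(out) as f:
        dns = dns_from_gridmap(f.read())
    if not dns:
        # A VOMS outage yields an empty map; overwriting the list with it would
        # lock everybody out of the wiki, so keep the previous file instead.
        raise SystemExit("edg-mkgridmap returned no DNs; keeping previous auth file")
    write_atomically(auth_path, auth_file_text(dns))
    return len(dns)


if __name__ == "__main__":
    print(f"{refresh()} DNs written")
```

The atomic write only protects the copy on cream02; the scp to mon still rewrites /tmp/get-dns/t2b-auth in place, so the same temp-file-and-rename step would be needed on the mon side to close that window completely.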