T2BTracAccess
Automatic generation of the authorized DNs list
Only people from becms and beapps can log in to the T2B Trac Wiki. The login restriction is enforced through the HTTPS configuration on mon:
[root@mon ~]# cat /etc/httpd/conf.d/ssl.conf
...
<Location "/trac/t2b">
    SetHandler mod_python
    PythonHandler trac.web.modpython_frontend
    PythonOption TracEnvParentDir /var/www/trac
    PythonOption TracUriRoot /trac
    SSLVerifyClient require
    SSLOptions +FakeBasicAuth +StdEnvVars
    SSLRequireSSL
    AuthType Basic
    AuthName "test server"
    AuthUserFile /tmp/get-dns/t2b-auth
    Require valid-user
</Location>
Each line in /tmp/get-dns/t2b-auth is a DN followed by ":" followed by an encrypted password that will not be used. The file /tmp/get-dns/t2b-auth is not generated on mon, because mon does not have the middleware tools. Instead, the list is generated on cream02 by the script /root/get_dns.pl, which is run from a cron job:
[root@cream02 ~]# crontab -e
...
*/15 * * * * ( date --iso-8601=seconds --utc; /root/get_dns.pl) >> /var/log/get_dns.log 2>&1
...
The list is then copied from cream02 to mon by a cron job on qnat:
[root@qnat ~]# crontab -e
...
0 * * * * scp cream02.iihe.ac.be:/root/get-dns/t2b-auth mon.iihe.ac.be:/tmp/get-dns/
...
Gory details
How the DNs list is generated on cream02
It is done with a Perl script that generates a config file ("conf") with the following content:
group vomss://voms01.begrid.be:8443/voms/beapps?/beapps .beapps
group vomss://voms01.begrid.be:8443/voms/betest?/betest .betest
group vomss://voms.cern.ch:8443/voms/cms?/cms/becms .cms
The script will then execute the following command:
/usr/sbin/edg-mkgridmap --conf conf --output out
The DNs are then extracted from the output file ("out") to generate the content of /root/get-dns/t2b-auth.
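The extraction step described above, as an added Python example; it is not the /root/get_dns.pl script itself. Assumptions: "out" uses the usual grid-mapfile layout ("DN" account), only the .beapps and .cms accounts are kept because login is limited to beapps and becms, and the hash field is the crypt of "password" that Apache's mod_ssl documentation gives for FakeBasicAuth. The function names and sample DNs are made up for the example.

```python
import os
import re
import tempfile

# Assumption: grid-mapfile lines look like  "<DN>" <account>  (DN in double quotes).
GRIDMAP_LINE = re.compile(r'^\s*"(?P<dn>/[^"]+)"\s+(?P<account>\S+)\s*$')
# crypt() of the fixed string "password", as shown in Apache's mod_ssl
# documentation for FakeBasicAuth; pass another hash if your file uses one.
FAKE_BASIC_HASH = "xxj31ZMTZzkVA"

def extract_dns(gridmap_text, allowed_accounts=(".beapps", ".cms")):
    """Return the sorted, de-duplicated DNs mapped to an allowed account."""
    dns = set()
    for line in gridmap_text.splitlines():
        m = GRIDMAP_LINE.match(line)
        if not m or m.group("account") not in allowed_accounts:
            continue  # malformed line, or a VO (e.g. .betest) that may not log in
        dn = m.group("dn")
        if ":" in dn:
            continue  # ":" separates the fields of the AuthUserFile
        dns.add(dn)   # a DN present in two VOs is written only once
    return sorted(dns)

def write_auth_file(dns, path, pw_hash=FAKE_BASIC_HASH):
    """Atomically replace `path`; keep the previous file if `dns` is empty."""
    if not dns:
        return False  # e.g. VOMS server unreachable: do not lock everyone out
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.writelines(f"{dn}:{pw_hash}\n" for dn in dns)
    # mkstemp creates mode 0600; assumption: the copy must be readable by httpd.
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)  # atomic rename: the hourly scp never sees a partial file
    return True

# Constructed sample of edg-mkgridmap output (not real users).
SAMPLE_OUT = '''\
"/C=BE/O=BEGRID/OU=Example/CN=Alice Example" .beapps
"/C=BE/O=BEGRID/OU=Example/CN=Bob Example" .betest
"/C=BE/O=BEGRID/OU=Example/CN=Alice Example" .cms
"/C=BE/O=BEGRID/OU=Example/CN=Eve:Example" .cms
'''

if __name__ == "__main__":
    for dn in extract_dns(SAMPLE_OUT):
        print(dn)
```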