ESGFNode|EnhancedEndUserDownloadGridFTPModule
| Wiki Reorganisation |
|---|
| This page has been classified for reorganisation. It has been given the category MOVE. |
| The content of this page will be revised and moved to one or more other pages in the new wiki structure. |
This GridFTP callout module is an improved-security-model version of the [GridFTP Token Authorization callout module](http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/GridFTPServerWithTokenAuthorizationModuleConfig). Its primary purpose is to authorize end-user downloads from the ESG Datanodes: it contacts an Authorization Service for each transfer decision. This page documents how to install and configure it for that purpose.
This module is referred to as the ESG SAML (GridFTP callout) module.
For anything on the page to work, the Globus GridFTP server must be installed on your system! For documentation on installing the GridFTP server, please consult this page:
If GridFTP is already installed, it is still required that the GridFTP server be upgraded to at least version 3.24. If you're unsure if you have that version, please upgrade by following the simple upgrade instructions here:
NOTE : This module also requires the libglobus_adq C library, so it's a pre-requisite that you follow the instructions at the following page BEFORE attempting anything on this page:
You will also need to know where the "libglobus_adq" directory is located, since this project refers to it.
Retrieve and unpack the ESG SAML module from here:
Some sample instructions are below (perhaps with an older version of the above tarball; adjust commands accordingly):
```
neillm@boiler:~/tmp_working$ wget http://rainbow.llnl.gov/dist/globus/gridftp/authz_esgsaml_callout-03-09-2010-2.tar.gz
...
neillm@boiler:~/tmp_working$ tar -xzf authz_esgsaml_callout-03-09-2010-2.tar.gz
neillm@boiler:~/tmp_working$ cd authz_esgsaml_callout/source/
```
From within this source directory, we need to create a symlink to the `libglobus_adq` directory, which should already be installed as a prerequisite of this installation. For this example, my libglobus_adq directory is located at `~/tmp_working/libglobus_adq-0.9.1`. Let's create the symlink and build the module:
```
# create the symlink to libglobus_adq
neillm@boiler:~/tmp_working/authz_esgsaml_callout/source$ ln -s ~/tmp_working/libglobus_adq-0.9.1 libglobus_adq
# first run the bootstrap script
neillm@boiler:~/tmp_working/authz_esgsaml_callout/source$ ./bootstrap
ERROR Please specify GLOBUS_LOCATION
# Oops! Be sure to set the GLOBUS_LOCATION at this point
neillm@boiler:~/tmp_working/authz_esgsaml_callout/source$ export GLOBUS_LOCATION=/usr/local/gt-cvs
neillm@boiler:~/tmp_working/authz_esgsaml_callout/source$ ./bootstrap
installing globus_automake_pre link
... snip ...
running autoconf
# Now run configure (CAREFULLY specify the architecture of your system using the --with-flavor flag)
neillm@boiler:~/tmp_working/authz_esgsaml_callout/source$ ./configure --prefix=/usr/local/gt-cvs --with-flavor=gcc64dbg
checking whether to enable maintainer-specific portions of Makefiles... no
Dependencies Complete
checking for a BSD-compatible install... /usr/bin/install -c
... snip ...
config.status: executing default commands
# finally, make and make install the project
neillm@boiler:~/tmp_working/authz_esgsaml_callout/source$ make && make install
# NOTE: this requires libxslt-dev and uuid-dev packages
```
After installation, the module still has to be configured by creating a configuration file at `/etc/grid-security/esgsaml_auth.conf`. This file should contain the following:
```
# ESG SAML Auth config file
#
AUTHSERVICE=https://esg.ucar.edu/saml/soap/secure/authorizationService.htm
```
The AUTHSERVICE URL should be adjusted to the particular gateway that needs to be contacted.
This Authorization Service will be contacted by the Module and passed the OpenID of the user (pulled by GridFTP from the MyProxy certificate the user was issued), along with the operation type (i.e. "read") and file name. The result of the Authorization service will determine if the user is able to transfer the file or not.
Note: should the `/etc/grid-security/esgsaml_auth.conf` file not exist at run time, the module checks an alternate location specified by the environment variable ESGSAML_AUTH_CONFIG_FILE. If neither is found, the module falls back to hardcoded defaults, which will probably not yield useful results.
The following contents must be placed in _ /etc/grid-security/gsi-authz.conf _ in order for the module's methods to be called properly from the GridFTP server. NOTE: If your system is a 32bit system, replace gcc64dbg with gcc32dbg.
```
GLOBUS_GSI_AUTHZ_SYSTEM_INIT libglobus_authz_esgsaml_callout_gcc64dbg.so authz_esgsaml_system_init_callout
GLOBUS_GSI_AUTHZ_SYSTEM_DESTROY libglobus_authz_esgsaml_callout_gcc64dbg.so authz_esgsaml_system_destroy
GLOBUS_GSI_AUTHZ_HANDLE_INIT libglobus_authz_esgsaml_callout_gcc64dbg.so authz_esgsaml_handle_init_callout
GLOBUS_GSI_AUTHORIZE_ASYNC libglobus_authz_esgsaml_callout_gcc64dbg.so authz_esgsaml_authorize_async_callout
GLOBUS_GSI_AUTHZ_CANCEL libglobus_authz_esgsaml_callout_gcc64dbg.so authz_esgsaml_cancel_callout
GLOBUS_GSI_AUTHZ_HANDLE_DESTROY libglobus_authz_esgsaml_callout_gcc64dbg.so authz_esgsaml_handle_destroy_callout
GLOBUS_GSI_GET_AUTHORIZATION_IDENTITY libglobus_authz_esgsaml_callout_gcc64dbg.so globus_gsi_authz_esgsaml_get_authorization_identity_callout
```
A copy of this file, `authz_esgsaml_callout/source/authz_callouts_esgsaml.cfg`, is included with the distributed package.
If you need to use a location other than /etc/grid-security/gsi-authz.conf, set the environment variable GSI_AUTHZ_CONF to the appropriate path.
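The gsi-authz.conf above is easy to get subtly wrong (a flavor that does not match the host, a hook left out or mapped twice, or a .so the loader cannot find), and the server only tells you at start-up. The checker below is an added example, not part of the ESGF wiki or the callout package; it assumes the three-field HOOK LIBRARY SYMBOL layout and the gcc64dbg/gcc32dbg naming shown above, and its sample config is a constructed copy of that file.

```python
import os
import platform

# Hooks the ESG SAML module registers, taken from the gsi-authz.conf above.
REQUIRED_HOOKS = {
    "GLOBUS_GSI_AUTHZ_SYSTEM_INIT", "GLOBUS_GSI_AUTHZ_SYSTEM_DESTROY",
    "GLOBUS_GSI_AUTHZ_HANDLE_INIT", "GLOBUS_GSI_AUTHORIZE_ASYNC",
    "GLOBUS_GSI_AUTHZ_CANCEL", "GLOBUS_GSI_AUTHZ_HANDLE_DESTROY",
    "GLOBUS_GSI_GET_AUTHORIZATION_IDENTITY",
}

# Constructed copy of the page's 64-bit gsi-authz.conf, used as sample input.
SAMPLE_CONF = """\
GLOBUS_GSI_AUTHZ_SYSTEM_INIT libglobus_authz_esgsaml_callout_gcc64dbg.so authz_esgsaml_system_init_callout
GLOBUS_GSI_AUTHZ_SYSTEM_DESTROY libglobus_authz_esgsaml_callout_gcc64dbg.so authz_esgsaml_system_destroy
GLOBUS_GSI_AUTHZ_HANDLE_INIT libglobus_authz_esgsaml_callout_gcc64dbg.so authz_esgsaml_handle_init_callout
GLOBUS_GSI_AUTHORIZE_ASYNC libglobus_authz_esgsaml_callout_gcc64dbg.so authz_esgsaml_authorize_async_callout
GLOBUS_GSI_AUTHZ_CANCEL libglobus_authz_esgsaml_callout_gcc64dbg.so authz_esgsaml_cancel_callout
GLOBUS_GSI_AUTHZ_HANDLE_DESTROY libglobus_authz_esgsaml_callout_gcc64dbg.so authz_esgsaml_handle_destroy_callout
GLOBUS_GSI_GET_AUTHORIZATION_IDENTITY libglobus_authz_esgsaml_callout_gcc64dbg.so globus_gsi_authz_esgsaml_get_authorization_identity_callout
"""

def check_gsi_authz_conf(text, lib_dirs=None, bits=None):
    """Return a list of problems; lib_dirs=None skips the on-disk library check."""
    bits = bits or (64 if platform.architecture()[0] == "64bit" else 32)
    flavor = "gcc%ddbg" % bits  # the page's --with-flavor naming
    problems, seen, libs = [], {}, set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        fields = line.split()
        if len(fields) != 3:
            problems.append("line %d: expected HOOK LIBRARY SYMBOL, got %d fields" % (lineno, len(fields)))
            continue
        hook, lib, _symbol = fields
        if hook in seen:  # a hook mapped twice is almost always a copy/paste slip
            problems.append("line %d: %s already mapped on line %d" % (lineno, hook, seen[hook]))
        seen[hook] = lineno
        libs.add(lib)
        if flavor not in lib:  # a 32-bit host loading a gcc64dbg .so fails at dlopen
            problems.append("line %d: %s does not match host flavor %s" % (lineno, lib, flavor))
    for hook in sorted(REQUIRED_HOOKS - set(seen)):
        problems.append("missing hook %s" % hook)
    if lib_dirs is not None:  # mimic the loader's search along LD_LIBRARY_PATH
        for lib in sorted(libs):
            if not any(os.path.isfile(os.path.join(d, lib)) for d in lib_dirs):
                problems.append("%s not found in %r; set LD_LIBRARY_PATH or run ldconfig" % (lib, lib_dirs))
    return problems
```

Run it with `lib_dirs` set to the entries of LD_LIBRARY_PATH plus `$GLOBUS_LOCATION/lib` to catch the "couldn't dlopen" start-up failure described further down before the server reports it.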
Download and install the customgsiauthzinterface plugin as follows:
```
neillm@boiler:/tmp$ wget http://rainbow.llnl.gov/dist/globus/gridftp/customgsiauthzinterface.tar.gz
...
neillm@boiler:/tmp$ tar -xzf customgsiauthzinterface.tar.gz
neillm@boiler:/tmp$ cd customgsiauthzinterface
neillm@boiler:/tmp/customgsiauthzinterface$ ./bootstrap
ERROR Please specify GLOBUS_LOCATION
neillm@boiler:/tmp/customgsiauthzinterface$ export GLOBUS_LOCATION=/GLOBUS_LOCATION
neillm@boiler:/tmp/customgsiauthzinterface$ ./bootstrap
installing globus_automake_pre link
installing globus_automake_post link
installing globus_automake_pre_top link
installing globus_automake_post_top link
installing Makefile.am in the pkgdata directory
running aclocal -I /usr/local/gt-cvs/share/globus_aclocal
/usr/local/gt-cvs/share/globus_aclocal/gpt_autoconf_macros.m4:2: warning: underquoted definition of GPT_INIT
/usr/local/gt-cvs/share/globus_aclocal/gpt_autoconf_macros.m4:2: run info '(automake)Extending aclocal'
/usr/local/gt-cvs/share/globus_aclocal/gpt_autoconf_macros.m4:2: or see http://sources.redhat.com/automake/automake.html#Extending-aclocal
running libtoolize --copy --force
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: You should add the contents of the following files to `aclocal.m4':
libtoolize: `/usr/share/aclocal/ltoptions.m4'
libtoolize: `/usr/share/aclocal/ltversion.m4'
libtoolize: `/usr/share/aclocal/ltsugar.m4'
libtoolize: `/usr/share/aclocal/lt~obsolete.m4'
libtoolize: Consider adding `AC_CONFIG_MACRO_DIR([m4])' to configure.in and
libtoolize: rerunning libtoolize, to keep the correct libtool macros in-tree.
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
running automake --copy -add-missing --foreign
configure.in:13: installing `./install-sh'
configure.in:13: installing `./missing'
configure.in:8: installing `./config.guess'
configure.in:8: installing `./config.sub'
running gpt_create_automake_rules --excludes=doxygen
running autoconf
neillm@boiler:/tmp/customgsiauthzinterface$ ./configure --prefix=/GLOBUS_LOCATION --with-flavor=gcc64dbg
checking whether to enable maintainer-specific portions of Makefiles... no
Dependencies Complete
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating pkgdata/Makefile
config.status: creating pkgdata/pkg_data_src.gpt
config.status: creating version.h
neillm@boiler:/tmp/customgsiauthzinterface$ make && make install
... snip ...
```
Once you have the package built, the only change necessary is to the GridFTP server's command-line options: use '-acl customgsiauthzinterface' to load this plugin, and '-no-cas' to disable the built-in interface. Nothing changes in your gsi-authz.conf file or your other modules.
If you want to see what's going on for particular transfers, you can enable logging to a file in the ESG SAML callout module. To do this, set the following environment variables BEFORE starting the GridFTP server:
```
export GLOBUS_GSI_AUTHZ_DEBUG_LEVEL=2
export GLOBUS_GSI_AUTHZ_DEBUG_FILE=/ABSOLUTE/PATH/TO/LOGFILE
```
Finally, these instructions need to be followed for enabling wildcards in the GridMap file:
After this, starting the GridFTP server should be possible using the properly configured ESG SAML callout module!
To start the GridFTP server, use a command similar to the following:
```
$GLOBUS_LOCATION/sbin/globus-gridftp-server -p PORT -acl customgsiauthzinterface -no-cas
```
And if you want GridFTP logging enabled, use something like this:
```
$GLOBUS_LOCATION/sbin/globus-gridftp-server -p PORT -d ALL -logfile /PATH/TO/GFTPLOG -acl customgsiauthzinterface -no-cas
```
If you see an error starting GridFTP similar to this:
```
[root@vm-125-67 sbin]# ./globus-gridftp-server -p 20212 -d ALL -logfile /tmp/GFTPLOG -acl customgsiauthzinterface -no-cas
Error: Failed to initialize:
globus_gsi_authz: Callout returned an error
globus_callout_module: Error with dynamic library: couldn't dlopen libglobus_authz_esgsaml_callout_gcc64dbg.so: libglobus_authz_esgsaml_callout_gcc64dbg.so: cannot open shared object file: No such file or directory
```
it is caused by the system not being able to find the module on the LD_LIBRARY_PATH. One solution is to research ldconfig for your platform and fix this permanently; another is to point the command line at the directory where the library is located. For example:
```
[root@vm-125-67 sbin]# LD_LIBRARY_PATH=/usr/local/gt4.2.1-enhanced-gridftp-sec/lib ./globus-gridftp-server -p 20212 -d ALL -logfile /tmp/GFTPLOG -acl customgsiauthzinterface -no-cas
```
If the GridFTP server always ALLOWS the download and the GLOBUS_GSI_AUTHZ_DEBUG_FILE shows only sparse lines like these each time a transfer is attempted:
```
in authz_esgsaml_system_init_callout, system state is 0x2b9536d1d500
Using configuration option
AUTHSERVICE=https://esg.prototype.ucar.edu/saml/soap/secure/authorizationService.htm
globus_l_gsi_authz_activate entering
globus_l_gsi_authz_activate exiting
```
This indicates that there is a problem with the modules. Be sure that the gsicustomauthzinterface module is installed (see the section above titled *Installing the Additional Plugin for Port information (REQUIRED)*).
If the above module is definitely installed, the Authz module is being called and you instead see logged lines like the following:
```
in authz_esgsaml_system_init_callout, system state is 0x2b2829222500
Using configuration option
AUTHSERVICE=https://HOSTNAME/saml/soap/secure/authorizationService.htm
in authz_esgsaml_handle_init_callout
service name is file
context is ecc8410, system state is 0x2aaaac00c9c0
Got user DN: /MY/USER/DN
Found user's OpenID: https://SOMEHOST/myopenid/USERNAME
in authz_esgsaml_authorize_async_callout, action is read, object is //PATH/TO/FILE,
system state is 0x2aaaac00c9c0
Got Action "read" with object "//PATH/TO/FILE"
Calling out to auth service https://HOSTNAME/saml/soap/secure/authorizationService.htm
to retrieve SAML Assertion
for identity https://SOMEHOST/myopenid/USERNAME,
file //PATH/TO/FILE, and action read
Retrieved SAML assertion response for
https://SOMEHOST/myopenid/USERNAME, but response is not "PERMIT"
```
This indicates that the transfer is failing because the file object looked up at the Authorization Service is in an invalid format: here it looks like "//PATH/TO/FILE", whereas it should look like "gsiftp://HOSTNAME:PORT//PATH/TO/FILE". This error is usually solved by upgrading your GridFTP server to a later version. Please see the following page to upgrade your GridFTP server:
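To tell the two failure modes above apart without reading the debug file by hand, here is an added example (not from the ESGF wiki or the callout module) that classifies one transfer's worth of GLOBUS_GSI_AUTHZ_DEBUG_FILE output. It assumes the log line formats quoted above; the sample logs are constructed from those excerpts.

```python
import re

# Patterns keyed on the callout's own log lines quoted on this page.
RE_HANDLE_INIT = re.compile(r"in authz_esgsaml_handle_init_callout")
RE_OBJECT = re.compile(r'Got Action "(?P<action>\w+)" with object "(?P<object>[^"]+)"')
RE_DENIED = re.compile(r'response is not "PERMIT"')

# Constructed sample logs modelled on the two excerpts above.
SPARSE_LOG = """\
in authz_esgsaml_system_init_callout, system state is 0x2b9536d1d500
Using configuration option
AUTHSERVICE=https://HOSTNAME/saml/soap/secure/authorizationService.htm
globus_l_gsi_authz_activate entering
globus_l_gsi_authz_activate exiting
"""
BARE_PATH_LOG = SPARSE_LOG + """\
in authz_esgsaml_handle_init_callout
Got user DN: /MY/USER/DN
Found user's OpenID: https://SOMEHOST/myopenid/USERNAME
Got Action "read" with object "//PATH/TO/FILE"
Calling out to auth service https://HOSTNAME/saml/soap/secure/authorizationService.htm
Retrieved SAML assertion response for
https://SOMEHOST/myopenid/USERNAME, but response is not "PERMIT"
"""

def triage_authz_log(text):
    """Return (verdict, hint) for one transfer's worth of debug output."""
    if not RE_HANDLE_INIT.search(text):
        # Only the system-init lines: GridFTP never handed the request to the
        # callout, so check -acl customgsiauthzinterface / -no-cas and the plugin.
        return ("callout-not-invoked", "interface plugin not loaded; transfers are allowed unchecked")
    m = RE_OBJECT.search(text)
    if m is None:
        return ("incomplete", "handle initialised but no authorize call was logged")
    action, obj = m.group("action"), m.group("object")
    if not obj.startswith("gsiftp://"):
        # Bare path instead of gsiftp://HOST:PORT/...: the service cannot match it.
        return ("malformed-object", "object %r is not a gsiftp:// URL; upgrade GridFTP" % obj)
    if RE_DENIED.search(text):
        return ("denied", "service did not PERMIT %s on %s" % (action, obj))
    return ("permit", "%s on %s" % (action, obj))
```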