Back to Perun main page

This page is not up-to-date, please see https://wiki.metacentrum.cz/wiki/Facility_managers%27s_manual

Perun server

The installation of the Perun server is described in detail at https://github.com/CESNET/perun-ansible/blob/master/README.md

Slave scripts

• Gen script creates file .tar.gz with data for end services and for files VERSION and SERVICE.

File VERSION contains version of gen scripts checked by slave script. File SERVICE contains service's name. According to this name end machine selects service slave script.

• End machine runs script/opt/perun/bin/perun. This script decide which script should be run (depending on content file SERVICE).
• As a transport layer SSH is used. Using SSH key, only /opt/perun/bin/perun is set to run at the end machine.

Debian package repository

Adding MetaCentrum Repository to a Debian host

If the file /etc/apt/sources.list.d/meta_repo.list is not already created, put there the following:

deb https://repo.metacentrum.cz/ all main pilot

deb-src https://repo.metacentrum.cz/ all main pilot

Following key (PGP PUBLIC KEY BLOCK) must be put into a file and added into the list of trusted keys by the following command:

apt-key add /tmp/key 

PGP key: A385CDB0

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQINBFcd5LoBEADM6Z0mBxlzRt4hM19beSOFqHF9jZBMhefCmccufOJXvzy6pS65
nT+PRYbcjVCmg8MQatRK4eag2/Eq+2Sxev525g4ptUhQl/gSkjA+bHr4RDMDsdxO
4NJqYwbs+9PVibA/pxppY12ICq9+oU4ixZnqUD9CzLT2YiVJBbDfRFmEzgUK4nyW
2z3Ai5P1mgZBj/1/lLnvAimnzHLmcavmDfnwcrTio2oMAi7sRrbnFN6syYBXWc6y
lN0GXxmF1UYqQqKsl2AdDr0/jTSD4omKZ7BNycFHQcezxpw5aOqLgGX9H2nZcMSe
LoBj+vrPsg6jvO1tl/9JDSoB0WV5ADEU6YdvlFoVuHfG+q8r/mCvQSu4rObfRNtw
hlVVg3Usnx0S9OVAPsNdHD8tAa+KEx285gW4iGx2ZVUA1BvvSdwfTI9AaQJPGBIC
k8mvHTpmlMYToipk4RbOyL1Kf7/tQC6Dy9ezKfmW0RTgpOEuiOtkwmQQ9QdNTYfC
6aaXf9rOrW9F+P6YbtmzbSMHNkiizwqH+KVnumYSI3N7w2BcsW756YIybY0vrv5D
4o0joOXGm+9a3kFeeun/75/892wwBjH43GhpM6cS2V7yO0u6PAoNMcPqFQZoETFS
kNnkAI0dVDkbpPk/lb3K2gCjV+npvBjRmP4ObEhcTJO3D94XMA3SowkptwARAQAB
tFhNZXRhQ2VudHJ1bSBQYWNrYWdlIFJlcG9zaXRvcnkgKE1ldGFDZW50cnVtIFBh
Y2thZ2UgUmVwb3NpdG9yeSBQR1Aga2V5KSA8bWV0YUBjZXNuZXQuY3o+iQI+BBMB
AgAoBQJXHeS6AhsDBQkSzAMABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRA1
c/2Uo4XNsBA+EACxHXz1Gl+nXBYAyfkKVPmbHju9MumZl8QurblyBQMSmCQY2xGS
ZTxsLZNKEoXYCHf/t73rLc0qSsDBJ8Asa/Ow2YzAzFCd4phb1WM/jHys5g0ZOQLM
Eje2mPd/vIIgVz8l96YleRD7LClZMsQ68A1r15rwG5OyR0ZG5W5JlKdlDafsg8xB
ML3iEcGQO2JDEjQC6RmI+PuR21QLfVNQUWkl8Rpp6b0l+A2OBnhX9n5CImFQEeTg
xicqxGT7Mj9Ey9pkhyg3IbXyo2VjALVoyzrNvmjvKK1M6xZ70WGcKYX8HQLbF7Qt
NRxnKns0d2luzkDCpKBb/oi/AmlYfLmVkZL+cUl8O0Ab2U+Sj7o9Ib+OohrOh82R
eoqD6vSfbYeDwugptUf8iO/iCeQgnUKP378leRQTdmg8tvhlc91cePCiSdMmCVQP
3WiFGtuiLk9f+1hHx0Gk4vk9pP8POeQD3WFbRGbH+LhQf5S4QCUifHSpCSlSiAcV
DqlWycDdXfiDSQg04741Fwq4ZOWShvdwtVijuGh9KOTO+facoGnk4HiCMGeFdgOW
2+t9c0Z3odSWCobDBzw8kWsE88t0X4Eubvp1tL7TPE+nvRqgnyDjoMbjoYWiSvD3
8C9uBPJjqBsqusDQC0qLJFzgkyd84alI4e1ZXpoHSGzz1hAb8sRIQVUiKbkCDQRX
HeS6ARAAyUIdr5QSfzhCH2hFtPuqjMH5tAuXx+8LZdhwtgICjaEVrpQq9sRJgPSS
dONOstEkaFWUm1B8jGACz1EJY48JfKxol7V0eBCV4hVgN4CNLm23E46FKq/20GuY
ckp/mZiwq784801TK24+KBqAon4PbEPilAEtE7u50pxvQGrvCdMXSOhm7cZ7lS5s
qD19QplS/wTjUwCXcbUVhgIcSK6+lP8FDBECFQyVUNBVA4lZA2EFMRJFMckbitaf
a2xY5uKUipIrdm0NIqtL5QT6xdO5DHx/z+WhnnwFhq7J/xhFihRcxghM/fIavIEd
hpaPz8fzoT2uJdt4VdLviFSqZpXSS+Lue3mj5DSZ5OPNdvZVOskL++30tnRyK7VE
Yj/cdUAIp5dwpGn2ZYDUQ+4G2tYBKCOnd6wYeViIggOv51DW4dTk101yL50vs9yU
0BPkO/nTZR6+eDXrznYHjdQ7M26j3HYxRtDiggwKYw8yw4cWOBCwniAoEi50PyMu
kMgoA1KryhBBCkqrn5tQ7/0YcPylHwCXG1aoenpO1A/SgsSE43x6ZQ2gdfG5v3hp
0vw2Te/e30rSZdAkd9vEsliAH3n7J9ZoYhAWZKAXOOufL84f8wXMRWv8cMNlvD7M
ahRSyYbBOL8jU5JXamfAL+XMPDDbfBrmHmRmMnu22DzyxWtJHm8AEQEAAYkCJQQY
AQIADwUCVx3kugIbDAUJEswDAAAKCRA1c/2Uo4XNsP5xD/oDSNtFeJf4OajymmPv
iEwFHknLo9egs4DAPdWvXdt8mSlMM9Rk+6cLd7hmUj4HEnM6ZhmmHkRQgBHmh4gp
fW1MER/o84KX5KP/eGk4s5sdDLb0ZQ8FfhDGPYF7hC30FeemAltt3PJO31lCEAel
ecVFBjlIJ81Q/AEl1xLu1A7eT9mirP3T6VZ3anQMTAf3aRUU9d0z2Crk3vsFdM/3
cQE2NPnUCE3lK+1CTZngLAJRr0MhR6JXRzMsaUVAUiO4jj6l1Yo1WJvJ8PDiKOzh
R8XdsfaDGQWCTHukWbAXie0o6lBQ3yQ2O2Zhik94TVr3GVeiNhqfM9TjtBJ42fvQ
2bXB8hTb+GoDXR9t8BcnLXfguxIVJfnxtxYUiwPqNQ6UNpEICnmJhBJfWXGxMFDb
oJHyqT294UWelTSnwtz7q1k2svMxeYtaGBEPKLPmb/Eq9X/i3Wut/wck1gKfdq95
IZmB8KeWYyZAOLwqUAjnbMwPzYu5YeHkyirdGjXqVE6+BRhB9XPsJSDQ1xWBgqjC
ygVJzr/To8+t/rwpL8+uq0EOlYH5ey8bNjqBzUM20TGoqAx0zT+/iAx0djOiu+Gk
y3UqKf6H787QwP90XmuSoCXW8APOUQt9yxYSH3lyZuli5XWcVJy3rBSHZ7Bu2pLl
CCYVEMnIv7FoeP+tP6YAdlv9cQ==
=JK6b
-----END PGP PUBLIC KEY BLOCK-----

LDAP

• Information about groups are exported into LDAP.
• Data are pushed via LDAPc component into LDAP which use Auditer. Delay in communication takes a couple of seconds.

• Inner structure schema:

            dc=perun,dc=cesnet,dc=cz
                       |
              -------------------
              |                  |
        perunVoId=voId        ou=People
              |                  |
     perunGroupId=groupId perunUserId=userId ...

LDAP - related schemas

• Following schemas are required:

 inetUser.schema
 tenOperEntry.schema
 perun.schema

• Current perun.schema
  • perun-schema.ldif – https://github.com/CESNET/perun/blob/production/perun-utils/ldapc-scripts/schemas/perun-schema.ldif
  • inetuser-schema.ldif – https://github.com/CESNET/perun/blob/production/perun-utils/ldapc-scripts/schemas/inetUser-schema.ldif
  • tenOperEntry-schema.ldif – https://github.com/CESNET/perun/blob/production/perun-utils/ldapc-scripts/schemas/tenOperEntry-schema.ldif

LDAP - entities and attributes description

• PerunPerson or PerunUser - for user image in LDAP (taken from Perun)

 perunId - main user ID in form of number
 mail - user email taken from his profile, not necessary preffered one 
 preferredMail - preffered email 
 entryStatus - not ised at the moment, user is active in all cases or does not exist in LDAP
 sn - user's surname
 givenName - user's name
 cn - name and surname (without middleName) 
 o - user's organisation
 uidNumber;x-ns-* - user's UID in particular namespace (marked as *). For example cesnet, metacentrum etc.
 login;x-ns-* - user login in particular namespace (marked as *). For example cesnet, metacentrum etc.
 userCertificateSubject - subject of one user certificate (can be multivalue)  
 eduPersonalPrincipalNames - external logins of all IDP users external identities (can be multivalue) 
 memberOf - defines membership in particular group 
 isServiceUser - being service user value is 1, otherwise value is 0
 memberOfPerunVo - defines ID of Vo where user is member (active one)
 libraryIDs - IDs in library

• PerunVo, defines image of VO in LDAP

 perunVoId - main VO ID 
 o - VO short name
 description - VO long name
 uniqueMember - defines relationship between user and the vo (members group) 

• PerunGroup, image of group under particular VO in LDAP

 cn - group name
 perunUniqueGroupName - group name with all parent group and also with Vo name in notation (VoName:parentGroupName:groupName)
 description - group description
 perunGroupId - main group ID 
 perunParentGroup - main parent group ID (if exist) 
 assignedToResourceId - resource ID where group is assigned to 
 uniqueMember - defines relationship between user and the group in the direction of "user is member in the group"
 owner - group owner (if exists)

• PerunResource, image of resource under particular VO in LDAP

 perunResourceId - id of resource in perun
 perunVoId - id of vo where this resource exists
 perunFacilityId - id of facility where this resource is assigned to
 assignedGroupId - ids of assigned groups to this resource

LDAP - entity searching

• Searching by command in CLI:

 ldapsearch -x -H ldap://localhost:389/ -b "dc=perun,dc=cesnet,dc=cz" "(perunUserId=13889)"
 - where ldap://localhost:389/ is necessary to replace by server address for remote access 
 - "(perunUserId=13889)" is searching condition (could be changed to perunVoId=, perunGroupId= etc.)
 - filter can be added at the end, for example ldapsearch -x -H ldap://localhost:389/ -b "dc=perun,dc=cesnet,dc=cz" "(perunUserId=13889)" sn cn givenName 
 (return sn, cn and givenName)