Perun installation


Slave scripts

  • The gen script creates a .tar.gz archive with the data for the end service plus two files, VERSION and SERVICE.

The VERSION file holds the version of the gen scripts; the slave script checks it against its own version before it touches any data. The SERVICE file holds the service name; the end machine uses that name to select the service's slave script.

  • The end machine runs the script /opt/perun/bin/perun. This script decides which slave script to run, depending on the content of the SERVICE file.
  • SSH is the transport layer. The SSH key used for propagation is restricted (in OpenSSH terms, a command= forced command in authorized_keys) so that the only program it can start on the end machine is /opt/perun/bin/perun.
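The dispatch step above, written out as an added example; this is not Perun's own /opt/perun/bin/perun. It pins the propagation key to the dispatcher with an authorized_keys forced command, unpacks one gen-script archive while refusing absolute or traversing member names, checks VERSION, validates SERVICE before using it to pick a program, and only then runs the slave script. The slave-script layout (one executable per service name under SLAVE_DIR), the version string "3" and passing the unpack directory as the slave's single argument are assumptions for illustration; demo() builds constructed sample archives in a temporary directory.

```python
"""Added example, not Perun's own code: a dispatcher in the spirit of
/opt/perun/bin/perun. Assumed: slave scripts are SLAVE_DIR/<service>, the
protocol version is "3", the slave gets the unpack directory as argument."""
import io
import os
import re
import subprocess
import tarfile
import tempfile

SLAVE_DIR = "/opt/perun/bin"   # assumed location of the per-service slave scripts
EXPECTED_VERSION = "3"         # assumed gen/slave protocol version
SERVICE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


class DispatchError(Exception):
    """Raised when an archive fails a check; nothing is executed in that case."""


def authorized_keys_line(pubkey):
    """authorized_keys entry that pins the key to the dispatcher: forced command,
    no port/X11/agent forwarding, no pty."""
    return ('command="/opt/perun/bin/perun",no-port-forwarding,no-X11-forwarding,'
            'no-agent-forwarding,no-pty ' + pubkey.strip())


def safe_members(tar):
    """Yield only plain files/directories with relative, traversal-free names."""
    for m in tar.getmembers():
        if os.path.isabs(m.name) or ".." in m.name.split("/"):
            raise DispatchError("refusing archive member %r" % m.name)
        if not (m.isfile() or m.isdir()):
            raise DispatchError("refusing non-regular member %r" % m.name)
        yield m


def read_header(workdir, expected_version=EXPECTED_VERSION):
    """Check VERSION against ours and return the validated SERVICE name."""
    try:
        with open(os.path.join(workdir, "VERSION")) as f:
            version = f.readline().strip()
        with open(os.path.join(workdir, "SERVICE")) as f:
            service = f.readline().strip()
    except FileNotFoundError as e:
        raise DispatchError("archive lacks %s" % os.path.basename(e.filename)) from None
    if version != expected_version:
        raise DispatchError("gen version %r does not match slave version %r"
                            % (version, expected_version))
    # SERVICE selects the program to run, so it must be a bare name: no '/', '..' or spaces.
    if not SERVICE_NAME.match(service):
        raise DispatchError("bad service name %r" % service)
    return service


def dispatch(tarball, slave_dir=SLAVE_DIR, expected_version=EXPECTED_VERSION):
    """Unpack into a scratch directory, validate, run slave_dir/<SERVICE> on it
    and return the slave script's exit status."""
    with tempfile.TemporaryDirectory() as work:
        with tarfile.open(tarball, "r:gz") as tar:
            tar.extractall(work, members=safe_members(tar))
        service = read_header(work, expected_version)
        script = os.path.join(slave_dir, service)
        if not os.access(script, os.X_OK):
            raise DispatchError("no slave script for service %r" % service)
        return subprocess.run([script, work]).returncode


def build_archive(path, version, service, extra_member=None):
    """Write a gen-style archive with VERSION and SERVICE (constructed sample data)."""
    with tarfile.open(path, "w:gz") as tar:
        for name, text in (("VERSION", version), ("SERVICE", service)):
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        if extra_member is not None:           # e.g. a traversing name
            tar.addfile(tarfile.TarInfo(extra_member), io.BytesIO(b""))


def demo():
    """Dispatch four constructed archives; return {label: exit status or error text}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        slaves = os.path.join(tmp, "slaves")
        os.mkdir(slaves)
        script = os.path.join(slaves, "passwd")      # stand-in slave script for "passwd"
        with open(script, "w") as f:
            f.write('#!/bin/sh\ntest -f "$1/SERVICE" && exit 7\nexit 1\n')
        os.chmod(script, 0o755)
        cases = {"ok": ("3", "passwd", None),
                 "wrong_version": ("2", "passwd", None),
                 "bad_name": ("3", "../passwd", None),
                 "traversal": ("3", "passwd", "../etc/evil")}
        for label, (version, service, extra) in cases.items():
            path = os.path.join(tmp, label + ".tar.gz")
            build_archive(path, version, service, extra)
            try:
                results[label] = dispatch(path, slaves)
            except DispatchError as e:
                results[label] = str(e)
    return results
```

In demo() only the "ok" archive reaches the slave script (which exits 7 to prove it ran); the other three are rejected before anything is executed, which is the property the VERSION/SERVICE checks and the forced command exist to guarantee.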

Debian package repository

Adding MetaCentrum Repository to a Debian host

If the file /etc/apt/sources.list.d/meta_repo.list does not exist yet, create it with the following content:

deb ftp://repo.metacentrum.cz/ all main pilot
deb ftp://repo.metacentrum.cz/ jessie main pilot

deb-src ftp://repo.metacentrum.cz/ all main pilot
deb-src ftp://repo.metacentrum.cz/ jessie main pilot

For Debian 9 (stretch):

 deb ftp://repo.metacentrum.cz/ all main pilot
 deb ftp://repo.metacentrum.cz/ stretch main pilot

 deb-src ftp://repo.metacentrum.cz/ all main pilot
 deb-src ftp://repo.metacentrum.cz/ stretch main pilot

The following key (PGP PUBLIC KEY BLOCK) must be saved to a file and added to the list of trusted keys with:

apt-key add /tmp/key

On current Debian releases apt-key is deprecated; the equivalent is to store the dearmored key under /etc/apt/keyrings/ and reference it from the deb lines with a [signed-by=/etc/apt/keyrings/<file>] option, so the key is trusted for this repository only. The repository is fetched over unauthenticated ftp://, so the Release signature is the only integrity check; verify the key's full fingerprint through an independent channel before adding it.

PGP key ID: A385CDB0 (a short key ID, which on its own does not identify the key; compare the full fingerprint)

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
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=JK6b
-----END PGP PUBLIC KEY BLOCK-----

LDAP

  • Information about VOs, groups and users is exported into LDAP.
  • Data are pushed into LDAP by the LDAPc component, which consumes the events recorded by Perun's Auditer. Propagation is delayed by a couple of seconds.


  • Tree structure:
            dc=perun,dc=cesnet,dc=cz
                       |
              -------------------
              |                  |
        perunVoId=voId        ou=People
              |                  |
     perunGroupId=groupId perunUserId=userId ...

LDAP - related schemas

  • The following schemas are required:
 inetUser.schema
 tenOperEntry.schema
 perun.schema

Installation

  • In slapd.conf set:
 suffix          "dc=perun,dc=cesnet,dc=cz"
 rootdn          "cn=admin,dc=perun,dc=cesnet,dc=cz"
 rootpw          {SSHA}<hash>   (generated with slappasswd)
   
 access to attrs=userPassword,shadowLastChange
       by dn="cn=admin,dc=perun,dc=cesnet,dc=cz" write
       by anonymous auth
       by self write
       by * none
 access to *
       by dn="cn=admin,dc=perun,dc=cesnet,dc=cz" write
       by * read
 attributeoptions x-ns-
 The attributeoptions line declares the x-ns- prefix used by the per-namespace attributes (uidNumber;x-ns-cesnet, login;x-ns-metacentrum etc.). Note that the second access rule lets anonymous clients read the whole tree except passwords: e-mails, logins, certificate subjects and group memberships. If the directory is not meant to be public, narrow it, for example to "by users read" or to the networks of the services that consume it.
  • Load the initial tree: ldapadd -f init-perun.ldif -x -D cn=admin,dc=perun,dc=cesnet,dc=cz -W
  • Example of the schema
 # Structure:
 # dc=perun,dc=cesnet,dc=cz
 #   - ou=People                         (organizationalUnit)
 #       - perunUserId=<userId>          (perunUser)
 #   - perunVoId=<voId>                  (perunVO)
 #       - perunGroupId=<groupId>        (perunGroup)
 #       - perunResourceId=<resourceId>  (perunResource)
 
 # Examples:
 
 # A perunUser (perunPerson)
 
 dn: perunUserId=1234,ou=People,dc=perun,dc=cesnet,dc=cz
 objectclass: top
 objectclass: person
 objectclass: organizationalPerson
 objectclass: inetOrgPerson
 objectclass: perunUser
 objectclass: tenOperEntry
 objectclass: inetUser
 entryStatus: active|dead
 sn: surname
 cn: name surname
 givenName: name
 perunId: 1234
 mail: xx@yy.zz
 isServiceUser: 0
 preferredMail: aaa@bbb.ccc
 userCertificateSubject: <subject DN of the user's first certificate>
 userCertificateSubject: <subject DN of the user's second certificate>
 eduPersonPrincipalNames: aaa@bbb.cde
 o: Organisation from IdP
 uidNumber;x-ns-cesnet: 1523
 uidNumber;x-ns-lhota: 123
 login;x-ns-metacentrum: abbc
 login;x-ns-lhota: bbca
 memberOfPerunVo: vo1
 memberOf: perunGroupId=123456,perunVoId=12345,dc=perun,dc=cesnet,dc=cz
 libraryIDs: 123
 libraryIDs: 345
 
 # A perunVO
 
 dn: perunVoId=12345,dc=perun,dc=cesnet,dc=cz
 objectclass: top
 objectclass: organization
 objectclass: perunVO
 o: testVO1 (shortName)
 perunVoId: 12345
 description: Test VO 1 (longName)
 
 # A perunGroup
 
 dn: perunGroupId=123456,perunVoId=12345,dc=perun,dc=cesnet,dc=cz
 objectclass: top
 objectclass: perunGroup
 cn: Group1 (group name in Perun)
 perunUniqueGroupName: VO:ABC:Group1
 description: group description
 perunGroupId: 123456
 perunParentGroup: ABC
 perunParentGroupId: 12345
 assignedToResourceId: 12345
 uniqueMember: perunUserId=1234,ou=People,dc=perun,dc=cesnet,dc=cz
 uniqueMember: perunUserId=98765,ou=People,dc=perun,dc=cesnet,dc=cz
 
 # A perunResource
 
 dn: perunResourceId=123456,perunVoId=12345,dc=perun,dc=cesnet,dc=cz
 objectclass: top
 objectclass: perunResource
 perunResourceId: 123456
 perunVoId: 12345
 perunFacilityId: 123
 assignedGroupId: 753684

LDAP - entities and attributes description

  • PerunPerson or PerunUser - the user's image in LDAP (taken from Perun)
 perunId - main user ID, a number
 mail - the user's e-mail taken from the profile, not necessarily the preferred one
 preferredMail - preferred e-mail
 entryStatus - not used at the moment; a user is either active or absent from LDAP
 sn - user's surname
 givenName - user's first name
 cn - first name and surname (without middle name)
 o - user's organisation
 uidNumber;x-ns-* - user's UID in the particular namespace (marked as *), for example cesnet, metacentrum etc.
 login;x-ns-* - user's login in the particular namespace (marked as *), for example cesnet, metacentrum etc.
 userCertificateSubject - subject of one of the user's certificates (multivalued)
 eduPersonPrincipalNames - external logins of all of the user's IdP identities (multivalued)
 memberOf - membership in a particular group (DN of the group entry)
 isServiceUser - 1 for a service user, 0 otherwise
 memberOfPerunVo - ID of a VO where the user is an (active) member
 libraryIDs - IDs in the library
  • PerunVo - image of a VO in LDAP
 perunVoId - main VO ID
 o - VO short name
 description - VO long name
 uniqueMember - relationship between a user and the VO (the members group)
  • PerunGroup - image of a group under a particular VO in LDAP
 cn - group name
 perunUniqueGroupName - group name with all parent groups and the VO name, in the notation VoName:parentGroupName:groupName
 description - group description
 perunGroupId - main group ID
 perunParentGroup - parent group (if it exists)
 perunParentGroupId - ID of the parent group (if it exists)
 assignedToResourceId - ID of a resource the group is assigned to
 uniqueMember - relationship between a user and the group, in the direction "user is a member of the group"
 owner - group owner (if it exists)
  • PerunResource - image of a resource under a particular VO in LDAP
 perunResourceId - ID of the resource in Perun
 perunVoId - ID of the VO the resource belongs to
 perunFacilityId - ID of the facility the resource is assigned to
 assignedGroupId - IDs of the groups assigned to this resource

LDAP - entity searching

  • Searching from the command line:
 ldapsearch -x -H ldap://localhost:389/ -b "dc=perun,dc=cesnet,dc=cz" "(perunUserId=13889)"
 - for remote access replace ldap://localhost:389/ with the server address; use ldaps:// or add -ZZ (require STARTTLS), because plain ldap:// sends the query and any bind credentials unencrypted
 - "(perunUserId=13889)" is the search filter (change it to perunVoId=, perunGroupId= etc.); when the value comes from user input, escape the characters ( ) * \ and NUL as RFC 4515 requires, otherwise the input can change the filter
 - the attributes to return can be listed at the end, for example ldapsearch -x -H ldap://localhost:389/ -b "dc=perun,dc=cesnet,dc=cz" "(perunUserId=13889)" sn cn givenName
 (returns sn, cn and givenName)
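Working code for the two LDAP passages above (the entry layout and the command-line search), as an added example that is neither Perun's nor OpenLDAP's code: a small reader for LDIF of the form LDAPc writes, an RFC 4515 escaper for filter values taken from untrusted input, a builder for the ldapsearch invocation that insists on STARTTLS for remote plain ldap:// URLs, and a consistency check between a group's uniqueMember list and its members' memberOf attributes. SAMPLE_LDIF is constructed here and only mirrors the page's example entries; attribute names are matched as written (the directory itself treats them case-insensitively).

```python
"""Added example, not Perun's or OpenLDAP's code: LDIF reader, RFC 4515 filter
escaping, ldapsearch argv builder and a uniqueMember/memberOf cross-check.
SAMPLE_LDIF is a constructed sample modelled on the page's entries."""
from collections import defaultdict

SAMPLE_LDIF = """\
# constructed sample: user 98765 is listed in Group1 but carries no memberOf
dn: perunUserId=1234,ou=People,dc=perun,dc=cesnet,dc=cz
objectclass: perunUser
cn: name surname
login;x-ns-metacentrum: abbc
memberOf: perunGroupId=123456,perunVoId=12345,dc=perun,dc=cesnet,dc=cz

dn: perunUserId=98765,ou=People,dc=perun,dc=cesnet,dc=cz
objectclass: perunUser
cn: name2 surname2

dn: perunGroupId=123456,perunVoId=12345,dc=perun,dc=cesnet,dc=cz
objectclass: perunGroup
cn: Group1
perunUniqueGroupName: testVO1:Group1
uniqueMember: perunUserId=1234,ou=People,dc=perun,dc=cesnet,dc=cz
uniqueMember: perunUserId=98765,ou=People,dc=perun,dc=cesnet,dc=cz
"""

BASE_DN = "dc=perun,dc=cesnet,dc=cz"


def parse_ldif(text):
    """Return {dn: {attribute: [values]}}. Options such as login;x-ns-metacentrum
    stay part of the attribute name. Handles '#' comments and one-space folded
    lines; base64 ('::') values are not needed for these entries."""
    entries, dn, attrs, last = {}, None, None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                            # blank line ends an entry
            if dn is not None:
                entries[dn] = attrs
            dn = attrs = last = None
            continue
        if raw.startswith(" ") and last is not None:   # folded continuation line
            attrs[last][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn, attrs, last = value, defaultdict(list), None
        elif attrs is not None:
            attrs[name].append(value)
            last = name
    if dn is not None:
        entries[dn] = attrs
    return entries


_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    """RFC 4515 escaping, so '13889)(objectclass=*' cannot rewrite the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attribute, value):
    return "(%s=%s)" % (attribute, escape_filter_value(value))


def ldapsearch_argv(attribute, value, url="ldap://localhost:389/", base=BASE_DN, attrs=()):
    """argv for the command-line search above; a remote plain ldap:// URL gets -ZZ,
    which makes ldapsearch fail unless STARTTLS succeeds."""
    argv = ["ldapsearch", "-x"]
    if url.startswith("ldap://") and "localhost" not in url and "127.0.0.1" not in url:
        argv.append("-ZZ")
    argv += ["-H", url, "-b", base, equality_filter(attribute, value)]
    argv += list(attrs)
    return argv


def membership_discrepancies(entries):
    """List group->user links not mirrored by user->group links and vice versa.
    Such gaps are reported, not silently resolved in either direction."""
    problems = []
    for dn, attrs in entries.items():
        classes = attrs.get("objectclass", [])
        if "perunGroup" in classes:
            for member in attrs.get("uniqueMember", []):
                user = entries.get(member)
                if user is None:
                    problems.append("%s: uniqueMember %s has no entry" % (dn, member))
                elif dn not in user.get("memberOf", []):
                    problems.append("%s: uniqueMember %s lacks memberOf" % (dn, member))
        elif "perunUser" in classes:
            for group in attrs.get("memberOf", []):
                if dn not in entries.get(group, {}).get("uniqueMember", []):
                    problems.append("%s: memberOf %s not mirrored by uniqueMember" % (dn, group))
    return problems
```

Run membership_discrepancies(parse_ldif(SAMPLE_LDIF)) to see the one deliberate inconsistency in the sample; on a real export, feed it the output of an ldapsearch over the whole base.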

Perun configuration files

Location: /etc/perun (these files hold database, LDAP and SMTP credentials in plaintext; keep them owned by the Perun service user and not readable by other users)

  • jdbc.properties - database connection definition
jdbc.url=jdbc:oracle:thin:@//svarog.ics.muni.cz:1522/svarog
jdbc.username=
jdbc.password=
jdbc.driver=oracle.jdbc.driver.OracleDriver
  • perun.properties - main runtime options of Perun
# Perun administrators
perun.admins = perunTests, perunController, perunEngine, perunRegistrar, perunSynchronizer, perunCabinet

# Grouper TopLevel Stem
perun.grouper.toplevelstem = perunMeta

# Principals for the Services
perun.service.principals = perunv3/engine@META

# Principals for the Engines
perun.engine.principals = perunv3/engine@META

# Principals for the Synchronizer
perun.synchronizer.principals = perunSynchronizer

# Principals for the Registrar
perun.registrar.principals = perunv3-registrar@META

# Principals for the Notificator
perun.notification.principals = perunNotifications

# Principal for the RPC
perun.rpc.principal = perunRpc

# DB type (oracle/postgresql)
perun.db.type = oracle

# Default group synchronization interval, in multiples of 5 minutes
perun.group.synchronization.interval = 1

# Timeout for group synchronization in minutes
perun.group.synchronization.timeout = 10

# Users who can do delegation
perun.rpc.powerusers = perunv3-registrar@META

# Perun DB Name
perun.perun.db.name = v3dev

# Perun RT URL
perun.rt.url = https://rt3.cesnet.cz/rt/REST/1.0/ticket/new

# Perun service user for RT tickets
perun.rt.serviceuser.username = perunv3-rt

# Password of the Perun service user for RT tickets
perun.rt.serviceuser.password = password

# Program which ensures password changes
perun.passwordManager.program = /usr/local/bin/perun.passwordManager
  • ldapc.properties
 ldap.url=ldap://localhost:389
 ldap.userDn=
 ldap.base=dc=perun,dc=cesnet,dc=cz
 ldap.password=
  • notif.properties
 notif.mailSmtpAuth=false
 notif.username=
 notif.password=
 notif.smtpHost=localhost
 notif.port=25
 notif.emailFrom=perunv3@metacentrum.cz
 notif.fromText=perunv3@metacentrum.cz
 notif.sendMessages=true
 notif.starttls=false
 notif.jabber.jabberServer=jabber.org
 notif.jabber.port=5222
 notif.jabber.serviceName=jabber.org
 notif.jabber.username=
 notif.jabber.password=
 notif.dispatcherName=notifications
  • perun-extSources.xml - configuration of external sources. After changing it, run ./loadExtSourcesDefinitions
  • log4j.properties - definition of logging targets
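A read-only audit of the property files listed above, as an added example that is not part of Perun. parse_properties reads the key = value syntax of the fragments; audit_config flags secrets that are empty or left at a placeholder (such as the password shown for perun.rt.serviceuser.password), a plaintext ldap:// URL in ldapc.properties pointing at a remote host, SMTP authentication in notif.properties without STARTTLS, and world_readable checks the file mode. SAMPLE_FILES is constructed here from the page's fragments with example values filled in; the host names and secrets in it are invented.

```python
"""Added example, not Perun's own code: audit of /etc/perun property files.
SAMPLE_FILES are constructed samples modelled on the fragments above."""
import os
import stat

SECRET_KEYS = ("jdbc.password", "ldap.password", "notif.password",
               "notif.jabber.password", "perun.rt.serviceuser.password")
PLACEHOLDERS = {"", "password", "changeme", "secret"}

SAMPLE_FILES = {  # constructed samples; host names and secrets are invented
    "jdbc.properties": (
        "jdbc.url=jdbc:oracle:thin:@//svarog.ics.muni.cz:1522/svarog\n"
        "jdbc.username=perun\n"
        "jdbc.password=\n"),
    "perun.properties": (
        "# Perun service user for RT tickets\n"
        "perun.rt.serviceuser.username = perunv3-rt\n"
        "perun.rt.serviceuser.password = password\n"),
    "ldapc.properties": (
        "ldap.url=ldap://ldap.example.org:389\n"
        "ldap.userDn=cn=admin,dc=perun,dc=cesnet,dc=cz\n"
        "ldap.base=dc=perun,dc=cesnet,dc=cz\n"
        "ldap.password=s3cret-value\n"),
    "notif.properties": (
        "notif.mailSmtpAuth=true\n"
        "notif.username=perun\n"
        "notif.password=another-secret\n"
        "notif.smtpHost=mail.example.org\n"
        "notif.starttls=false\n"),
}


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, 'key=value' or
    'key: value', and a trailing backslash continuing the line."""
    props, pending = {}, ""
    for line in text.splitlines():
        line = pending + line.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        for i, ch in enumerate(line):          # key ends at the first '=' or ':'
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:
            props[line.strip()] = ""
    return props


def audit_config(files):
    """files maps a file name to its parsed properties; returns a list of findings."""
    findings = []
    for name, props in files.items():
        for key in SECRET_KEYS:
            if key in props and props[key].lower() in PLACEHOLDERS:
                findings.append("%s: %s is empty or a placeholder" % (name, key))
    url = files.get("ldapc.properties", {}).get("ldap.url", "")
    if url.startswith("ldap://") and "localhost" not in url and "127.0.0.1" not in url:
        findings.append("ldapc.properties: ldap.url %s sends the bind password in the clear" % url)
    notif = files.get("notif.properties", {})
    if notif.get("notif.mailSmtpAuth") == "true" and notif.get("notif.starttls") != "true":
        findings.append("notif.properties: SMTP authentication without STARTTLS")
    return findings


def world_readable(path):
    """True when group or others may read the file; /etc/perun files hold credentials."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def sample_findings():
    """Audit the constructed samples; the same call works on files read from /etc/perun."""
    return audit_config({name: parse_properties(text) for name, text in SAMPLE_FILES.items()})
```

To run it against a real installation, read each file under /etc/perun into the dict that audit_config expects and call world_readable on every path; a clean result means every secret is set to a non-placeholder value, the LDAPc bind is local or encrypted, SMTP credentials are not sent over a plain session, and no other user on the host can read the files.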