Installation of Perun
This page is not up-to-date, please see https://wiki.metacentrum.cz/wiki/Facility_managers%27s_manual
Perun server
The installation of the Perun server is described in detail at https://github.com/CESNET/perun-ansible/blob/master/README.md
Slave scripts
- The gen script creates a .tar.gz file with the data for the end services plus two control files, VERSION and SERVICE.
The VERSION file contains the version of the gen scripts and is checked by the slave script. The SERVICE file contains the service's name; the end machine selects the slave script for the service according to this name.
- The end machine runs the script /opt/perun/bin/perun. This script decides which slave script should be run (depending on the content of the SERVICE file).
- SSH is used as the transport layer. The SSH key is restricted so that only /opt/perun/bin/perun can be run on the end machine.
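An added example, not Perun's own /opt/perun/bin/perun, of the dispatch step just described: it unpacks the gen archive, reads SERVICE and VERSION, and names the slave script to run, rejecting a SERVICE name that could point outside the slave directory. It assumes the two control files sit at the top of the archive, slave scripts are named $SLAVE_DIR/perun-<service>, and a single accepted gen-script version (EXPECTED_VERSION is a constructed value).

```shell
#!/bin/sh
# Added example (not Perun's own /opt/perun/bin/perun): a minimal dispatcher that
# does what the page describes. Assumptions: SERVICE and VERSION sit at the top
# of the archive, slave scripts live at $SLAVE_DIR/perun-<service>, and one
# gen-script version is accepted.
SLAVE_DIR="${SLAVE_DIR:-/opt/perun/bin}"     # assumed location of the slave scripts
EXPECTED_VERSION="${EXPECTED_VERSION:-3}"    # assumed accepted gen version (constructed)

# perun_dispatch <archive.tar.gz>: print the slave script to run, or fail.
perun_dispatch() {
    archive="$1"
    work=$(mktemp -d) || return 1
    # Extract into a private directory; refuse archives without both control files.
    if ! tar -xzf "$archive" -C "$work" 2>/dev/null \
        || [ ! -f "$work/SERVICE" ] || [ ! -f "$work/VERSION" ]; then
        rm -rf "$work"
        echo "perun: not a valid gen archive: $archive" >&2
        return 2
    fi
    service=$(head -n1 "$work/SERVICE" | tr -d '[:space:]')
    version=$(head -n1 "$work/VERSION" | tr -d '[:space:]')
    rm -rf "$work"   # a real dispatcher would hand the extracted data to the slave script
    # SERVICE becomes part of a path, so allow only a conservative character set;
    # this stops a name such as "../x" from selecting a script outside SLAVE_DIR.
    case "$service" in
        ''|*[!A-Za-z0-9_-]*) echo "perun: invalid SERVICE name" >&2; return 3 ;;
    esac
    # VERSION must match what this host's slave scripts understand.
    if [ "$version" != "$EXPECTED_VERSION" ]; then
        echo "perun: gen version $version not supported (want $EXPECTED_VERSION)" >&2
        return 4
    fi
    # Only an installed slave script may be selected; unknown services are an error.
    if [ ! -x "$SLAVE_DIR/perun-$service" ]; then
        echo "perun: no slave script for service $service" >&2
        return 5
    fi
    echo "$SLAVE_DIR/perun-$service"
}
```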
Debian package repository
Adding MetaCentrum Repository to a Debian host
If the file /etc/apt/sources.list.d/meta_repo.list does not exist yet, create it with the following content:
deb https://repo.metacentrum.cz/ all main pilot
deb-src https://repo.metacentrum.cz/ all main pilot
The repository's PGP public key (key ID A385CDB0) must be saved into a file (for example /tmp/key) and added to the list of trusted keys with the following command:
apt-key add /tmp/key
Before adding it, check that the key ID of the saved file is A385CDB0.
PGP key: A385CDB0
LDAP
- Information about groups is exported into LDAP.
- Data are pushed into LDAP by the LDAPc component, which uses the Auditer. The propagation delay is a couple of seconds.
- Inner structure schema:
dc=perun,dc=cesnet,dc=cz
|-- perunVoId=voId
|   `-- perunGroupId=groupId
`-- ou=People
    `-- perunUserId=userId ...
- The following schemas are required:
inetUser.schema
tenOperEntry.schema
perun.schema
- Current perun.schema
- perun-schema.ldif – https://github.com/CESNET/perun/blob/production/perun-utils/ldapc-scripts/schemas/perun-schema.ldif
- inetuser-schema.ldif – https://github.com/CESNET/perun/blob/production/perun-utils/ldapc-scripts/schemas/inetUser-schema.ldif
- tenOperEntry-schema.ldif – https://github.com/CESNET/perun/blob/production/perun-utils/ldapc-scripts/schemas/tenOperEntry-schema.ldif
LDAP - entities and attributes description
- PerunPerson or PerunUser - image of a user in LDAP (taken from Perun)
  perunId - main user ID, a number
  mail - user email taken from the profile, not necessarily the preferred one
  preferredMail - preferred email
  entryStatus - not used at the moment; a user is either active or does not exist in LDAP at all
  sn - user's surname
  givenName - user's first name
  cn - first name and surname (without middleName)
  o - user's organisation
  uidNumber;x-ns-* - user's UID in a particular namespace (marked as *), for example cesnet, metacentrum etc.
  login;x-ns-* - user's login in a particular namespace (marked as *), for example cesnet, metacentrum etc.
  userCertificateSubject - subject of one user certificate (can be multi-valued)
  eduPersonalPrincipalNames - external logins of all of the user's IdP external identities (can be multi-valued)
  memberOf - membership in a particular group
  isServiceUser - 1 if the user is a service user, otherwise 0
  memberOfPerunVo - ID of a VO where the user is an (active) member
  libraryIDs - IDs in the library
- PerunVo - image of a VO in LDAP
  perunVoId - main VO ID
  o - VO short name
  description - VO long name
  uniqueMember - relationship between a user and the VO (the members group)
- PerunGroup - image of a group under a particular VO in LDAP
  cn - group name
  perunUniqueGroupName - group name including all parent groups and the VO name, in the notation VoName:parentGroupName:groupName
  description - group description
  perunGroupId - main group ID
  perunParentGroup - main parent group ID (if it exists)
  assignedToResourceId - ID of the resource the group is assigned to
  uniqueMember - relationship between a user and the group, in the direction "user is a member of the group"
  owner - group owner (if it exists)
- PerunResource - image of a resource under a particular VO in LDAP
  perunResourceId - ID of the resource in Perun
  perunVoId - ID of the VO where this resource exists
  perunFacilityId - ID of the facility this resource is assigned to
  assignedGroupId - IDs of the groups assigned to this resource
LDAP - entity searching
- Searching with a command in the CLI:
ldapsearch -x -H ldap://localhost:389/ -b "dc=perun,dc=cesnet,dc=cz" "(perunUserId=13889)"
- ldap://localhost:389/ must be replaced by the server address for remote access
- "(perunUserId=13889)" is the search filter (it can be changed to perunVoId=, perunGroupId= etc.)
- a list of attributes to return can be added at the end, for example:
ldapsearch -x -H ldap://localhost:389/ -b "dc=perun,dc=cesnet,dc=cz" "(perunUserId=13889)" sn cn givenName
(returns only sn, cn and givenName)
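An added example, not part of the wiki page or of Perun's tooling, wrapping the ldapsearch call above: it escapes values per RFC 4515 before they enter a filter, so an input such as `*` or `a)(cn=*` cannot widen the search, and it derives a user's DN from the tree layout above to look up group membership through uniqueMember. The function names, the LDAP_URI default and the DN layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki or the Perun project: helpers around the
# ldapsearch call above. Values that reach a filter are escaped per RFC 4515,
# so "*" or ")" in an input cannot change the query. Function names, the
# LDAP_URI default and the user DN layout (from the tree above) are assumptions.
PERUN_BASE="dc=perun,dc=cesnet,dc=cz"

# ldap_escape <value>: escape \ * ( ) for use inside a search filter.
# (A NUL byte cannot appear in a shell string, so it needs no handling here.)
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# perun_filter <attr> <value>: print "(attr=value)" with the value escaped.
perun_filter() {
    printf '(%s=%s)' "$1" "$(ldap_escape "$2")"
}

# perun_user_dn <perunUserId>: DN of a user entry under ou=People.
# IDs are numeric in Perun, so anything else is rejected before it reaches a DN.
perun_user_dn() {
    case "$1" in
        ''|*[!0-9]*) echo "perun_user_dn: not a numeric ID: $1" >&2; return 1 ;;
    esac
    printf 'perunUserId=%s,ou=People,%s' "$1" "$PERUN_BASE"
}

# perun_groups_of_user_filter <perunUserId>: filter matching groups whose
# uniqueMember attribute carries this user's DN.
perun_groups_of_user_filter() {
    dn=$(perun_user_dn "$1") || return 1
    perun_filter uniqueMember "$dn"
}

# perun_search <attr> <value> [attributes to return...]: run the query from the page.
perun_search() {
    attr="$1"; value="$2"; shift 2
    ldapsearch -x -H "${LDAP_URI:-ldap://localhost:389/}" -b "$PERUN_BASE" \
        "$(perun_filter "$attr" "$value")" "$@"
}
```

For example `perun_search perunUserId 13889 sn cn givenName` reproduces the second command above, and `perun_search uniqueMember "$(perun_user_dn 13889)" cn` lists the groups the user belongs to.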