What can Perun control
- 1 Directly controlled functions
- 1.1 User's accounts
- 1.2 Home directories
- 1.3 Project directories
- 1.4 Replications
- 1.5 NFS4 access
- 1.6 Root access
- 1.7 SSH keys
- 1.8 AFS groups and their members
- 1.9 Eduroam
- 1.10 PBS monitor and other information for PBS
- 1.11 Information system of CESNET
- 1.12 VOMS
- 1.13 OPENVPN
- 1.14 For fedcloud
- 1.15 Access to licence server Flexlm
- 1.16 Postal services
- 1.17 Apache
- 1.18 Clouds
- 1.19 LDAPs
- 1.20 Gridmaps
- 1.21 Data repositories
- 1.22 Documents, libraries etc.
- 1.23 Samba
- 1.24 Kerberos
- 1.25 Hadoop
- 1.26 CEITEC
- 1.27 EGI
- 2 Indirectly controlled functions
Directly controlled functions
They are controlled by perun services group, fs_scratch and passwd. Files created by services are propagated to computational nodes and more processed. Mailaliases service belongs to these services too. It controls creation of mail aliases at target node.
Home directories controls service fs_home to nodes where they have to be created. Related with this service is k5login service which maintains ".k5login" files in home directories. Home directories are created on storages and several frontends.
They are created by service fs_project at Data storages current in Jihlava. Groups which can acces to project directory need to be assigned to resource target to project directory.
Replications are created by fs_replicas service. Currently is run at nodes "store1.du1/2/3.cesnet.cz" facilities "fe.du1/2/3.cesnet.cz".
Is controlled by passwd_nfs4, group_nfs4 on storages.
Is realized by k5login_root service which is usually assigned to the special resource created for this purpose. This is concerned computationl nodes, storages and operational machines too.
By a simillar way is realized service sshkeys_root which kept ssh keys with root access at selected machines.
Service sshkeys is target to mantain of files of users ssh keys. Similarly service sshkeys_root controles file with ssh keys for root access.
AFS groups and their members
These functions are controlled by services afs and afs_group. Currently are used on facility AFS-ICS.
Service eduroam_radius creates list of eduroam identities. Currently it is located on facilities "eduroam" and "radius.ics.muni.cz".
PBS monitor and other information for PBS
PBS and PBS monitor is supported by services pbsmon_json, pbs_phys_cluster, pbsmon_users, pbs_pre and pbs_publication_fairshare.
Service pbs_pre marked computational nodes as controlled by PBS or torque, real propagation of information about users is executed on "arien.ics.muni.cz", "wagap.cerit-sc.cz" and "zkusebni_planovac". Similarly goes service pbs_phys_cluster too, which works on "arien.ics.muni.cz" and "wagap.cerit-sc.cz".
Service pbsmon_json transfer information about accessible machines and clusters and it is executed on "segin.ics.muni.cz".
Services pbsmon_users and pbs_publication_fairshare provide to PBS information about users, second one with regard to publications; pbsmon_users is executed on "segin.ics.muni.cz", pbs_publication_fairshare is propagated to "arien.ics.muni.cz" and "wagap.cerit-sc.cz".
Information system of CESNET
Service users_export selects information about users from DB and propagates them to IS. As target of propagation is created facility "Informacni system CESNET".
Service voms controlles VOMS server for South African Grid - Catch All VO, for EGI, VOCE, Auger VOs by facilities "voms1.egee.cesnet.cz" and "voms2.grid.cesnet.cz".
Service openvpn generates list of IGTF certificates of users who are permitted to use OpenVPN system. Currently service is not realized.
Service fedcloud_export ensures updating of users data in fedcloud infrastructure. Service is propagated to facilities which names are started with "egi-fedcloud-"
Access to licence server Flexlm
Access is realized by flexlm_iptables service based on IP address. Service is placed at "skirit.ics.muni.cz", "skiritf.ics.muni.cz" and "lm.zcu.cz", but currently is not used.
Service mailman upkeeps members of mailinglists in software Mailman. Special version of service for MetaCenter is named mailman_meta.
Service mailman_owners controls list of managers of mailnglists in software Mailman.
Service sympa has simillar function as mailman but it doesn't cooperate with Mailman software.
Files for Apache controls service apache_basic_auth which adds or deletes data in file Apache basic auth. The service is realized at facility "projekty.ics.muni.cz".
Next service apache_ssl creates list of DN of certificates of users, who are permitted for access to specific directory and propagates it to Apache configuration. Service is placed at facilities "naiglos.ics.muni.cz", "aiglos.zcu.cz" and "pakiti.ics.muni.cz".
For clouds are created following sercices:
- fedcloud_export - service updates users in fedcloud infrastructure. It is realized at facilities "egi-fedcloud-infn-ct","egi-fedcloud-sztaki","egi-fedcloud-cesnet","egi-fedcloud-gwdg" and "egi-fedcloud-i3m-upv".
- metacloud_export - special version of previous service for MetaCenter. It is placed at "carach.ics.muni.cz" facility.
- owncloud_vo_mapping - special service for OwnCloud instance of MetaCenter, where mapping of users to virtual organisations is needed. It is assigned to the same facilities as fedcloud_export service.
- cloudidp - service for ???, realized at facility "CloudIdP at GARR".
- Special functionality is realized beyond perun services. It pushes flat structure of perun to Perun LDAP, where it is usable for other different cooperating systems.
- Services ldap_ad_ceitec and ldap_vsb_vi. The first one is prepared at MU instance of Perun but it has not been used yet. The second one is ready to use for arrangement of access to VŠB tools but it has not been used yet too.
Service gridmap creates GRIDMAPFILEs for MetaCenter an KYPO. It is placed at facility facility "metalb.ics.muni.cz".
Service du_users_export is special export of users for CESNETs purposes. Service is realized at "fe.du1.cesnet.cz","fe.du2.cesnet.cz" a "fe.du3.cesnet.cz" facilities.
Service samba_du is special version of service samba for Data reporitories of CESNET. It is placed at facility "ldap.du2.cesnet.cz".
Documents, libraries etc.
Service docdb controls access to DocDB document server. It is document database for CERIT-SC. Service is realized at facility "DocDB-CERIT" with destination at "marach.ics.muni.cz".
Service redmine-MU controls access to redmine of MU. It is placed at "Redmine-UVT", updates https://projekty2.ics.muni.cz/.
Service samba_du controls access to shared filesystem SAMBA. It is placed at facility "ldap.du2.cesnet.cz".
Service pkinit passes user logins including realms on Kerberos. All DNs of user certificates including X509 external identities passes on Kerberos too. Service is realized at "naiglos.ics.muni.cz".
Services hadoop_base and hadoop_hdfs controls access to HADOOP server, which allowes fast working with extremely big data. Services are placed at node "hador-c1.ics.muni.cz" at facility "hador-cluster.ics.muni.cz".
- Service labkey controls LabKey server for group Proteomics of project CEITEC. It is realized at facility "labkey.ics.muni.cz".
- Service ldap_ad_ceitec creates LDAP for project CEITEC (see LDAPs).
Service appDB updates "appDB" database of users for EGI. It is realized at facility "appDB.egi.eu" on host "perun.metacentrum.cz".
Indirectly controlled functions
- Access to "meetings.cesnet.cz" (system for booking and controlling of videoconferencial resources) - it is realized by perun's API. Service user especially created for CESNET directly asks to Perun by RPC. If needed LDAP can be asked too.
Example: user from ÚVT MU has to be a member of "uvt" VO and a member in group "projects:shongo:users:uvt" in VO "einfra" simultaneously.
- accesses to RT - they are realized by LDAP which is created by Perun (see LDAPs). Currently are in Perun created groups for each queue which name starts with "RT" and these are selected by RT system from LDAP. More systemic solution is preparing.
Attribut authority is used for:
- consolidation of user identities
- membership in groups through different organizations
- authorization in Apache
- authorization in DokuWiki
- configuration of Shibboleth SP
- authentication at Mailman for MetaCenter
- authentication at Mailman for CERIT-SC
- authentication at DocDb for CERIT-SC