2. Managing identities
2.1. Pre-requisite
You should:
have a machine setup as described in Basic Tutorial setup
be able to install dirac components
2.2. Tutorial goal
Very quickly when using DIRAC, you will need to manage identities of people and their proxies. This is done with the ProxyManager
service and with several configuration options.
In this tutorial, we will install the ProxyManager
, create a new group, and define some Shifter
.
2.3. Further reading
2.4. Installing the ProxyManager
This section is to be performed as diracuser
with dirac_admin
group proxy:
[diracuser@dirac-tuto ~]$ source ~/DiracInstallation/bashrc
[diracuser@dirac-tuto ~]$ dirac-proxy-init -g dirac_admin
The ProxyManager
will host delegated proxies of the users. As any other service, it is very easy to install with the dirac-admin-sysadmin-cli
:
[diracuser@dirac-tuto ~]$ dirac-admin-sysadmin-cli -H dirac-tuto
And then in the CLI:
[dirac-tuto]$ install db ProxyDB
MySQL root password:
Adding to CS Framework/ProxyDB
Database ProxyDB from DIRAC/FrameworkSystem installed successfully
[dirac-tuto]$ install service Framework ProxyManager
Loading configuration template /home/diracuser/DiracInstallation/DIRAC/FrameworkSystem/ConfigTemplate.cfg
Adding to CS service Framework/ProxyManager
service Framework_ProxyManager is installed, runit status: Run
Note
The ProxyDB contains sensitive information. For production environment, it is recommended that you keep this in a separate database with different credentials and strict access control.
2.5. Testing the ProxyManager
The simplest way to test it is to upload your user proxy:
[diracuser@dirac-tuto ~]$ dirac-proxy-init
Generating proxy...
Uploading proxy for dirac_user...
Proxy generated:
subject : /C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser/CN=6045995638
issuer : /C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser
identity : /C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser
timeleft : 23:59:59
DIRAC group : dirac_user
rfc : True
path : /tmp/x509up_u501
username : ciuser
properties : NormalUser
Proxies uploaded:
DN | Group | Until (GMT)
/C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser | dirac_user | 2020/04/09 14:43
As you can see, the ProxyDB now contains a delegated proxy for the ciuser
with the group dirac_user
.
If you use a proxy with the ProxyManagement
permission, like the dirac_admin
group has, you can retrieve proxies stored in the DB:
[diracuser@dirac-tuto ~]$ dirac-proxy-init -g dirac_admin
Generating proxy...
Proxy generated:
subject : /C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser/CN=5472309786
issuer : /C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser
identity : /C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser
timeleft : 23:59:59
DIRAC group : dirac_admin
rfc : True
path : /tmp/x509up_u501
username : ciuser
properties : AlarmsManagement, ServiceAdministrator, CSAdministrator, JobAdministrator, FullDelegation, ProxyManagement, Operator
[diracuser@dirac-tuto ~]$ dirac-admin-get-proxy ciuser dirac_user
Proxy downloaded to /home/diracuser/proxy.ciuser.dirac_user
2.6. Adding a new group
Groups are useful to manage permissions and separate activities. For example, we will create a new group dirac_data
, and decide to use that group for all the data centrally managed.
Using the Configuration Manager
application in the WebApp using the dirac_admin
group, create a new section dirac_data
in /Registry/Groups
:
Users = ciuser
Properties = NormalUser
AutoUploadProxy = True
You should now be able to get a proxy belonging to the dirac_data group that will be automatically uploaded:
[diracuser@dirac-tuto ~]$ dirac-proxy-init -g dirac_data
Generating proxy...
Uploading proxy for dirac_data...
Proxy generated:
subject : /C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser/CN=6009266000
issuer : /C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser
identity : /C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser
timeleft : 23:59:59
DIRAC group : dirac_data
rfc : True
path : /tmp/x509up_u501
username : ciuser
properties : NormalUser
Proxies uploaded:
DN | Group | Until (GMT)
/C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser | dirac_data | 2020/04/09 14:43
/C=ch/O=DIRAC/OU=DIRAC CI/CN=ciuser | dirac_user | 2020/04/09 14:43
Note
if you get Unauthorized query ( 1111 : Unauthorized query)
, it means the ProxyManager has not yet updated its internal configuration. Just restart it to save time, or wait.
2.7. Adding a Shifter
Shifter
is basically a role, to which you associate a given proxy, for example DataManager
(it could be anything). You can then tell your Components to use the DataManager
identity to perform certain operations (at random: data management operations ? :-) ).
Using the Configuration Manager
application in the WebApp, create a new section Shifter
in /Operations/Defaults
:
DataManager
{
User = ciuser
Group = dirac_data
}
You can now force any agent (don’t, unless you know what you are doing) to use a proxy instead of the host certificate by specifying the shifterProxy
option.