Master Portal Administrator Guide
Revision as of 11:07, 18 August 2016
Introduction
The Master Portal is a central component in the AARC Piloting work. The Master Portal caches long lived user proxies in its Credential Store and returns short lived proxies on demand to a trusted portal (Science Gateway) for authenticated users. This page is dedicated to Master Portal operators and administrators who wish to configure their Master Portals.
Credential Store Configuration
The Master Portal cannot be operated without its Credential Store. Omitting the Credential Store from your setup will render your Master Portal unable to cache and retrieve any proxy certificates. Without the Credential Store a Master Portal can still be used for user authentication (via OIDC), but its GetProxy Endpoint will be unable to retrieve proxy certificates.
MyProxy Server
The Credential Store is nothing more than a plain MyProxy Server installation running in Credential Store mode. Because it is an unmodified MyProxy Server, you can tailor its configuration to your needs following the official MyProxy Server admin guide. In order to run it as a Credential Store backend for the Master Portal, you will need the following set of configuration directives:
accepted_credentials <Master Portal Host DN>
authorized_retrievers <Master Portal Host DN>
authorized_renewers <Master Portal Host DN>
default_authorized_renewers <Master Portal Host DN>
trusted_retrievers <Master Portal Host DN>

cert_dir /etc/grid-security/certificates
max_proxy_lifetime 264
The Master Portal authenticates to the MyProxy Server with its host certificate. Make sure to configure the DN of the host certificate of the Master Portal (<Master Portal Host DN>) as the authorized party in the MyProxy Server configuration snippet above. If you want to know what each of those individual authorizations stands for, consult the man page of myproxy-server.config. The cert_dir has to point to the set of trust roots trusted by the MyProxy Server. The max_proxy_lifetime determines the maximum lifetime in hours that a returned proxy credential can have. Since the Master Portal is only allowed to release short lived proxy certificates, a lifetime of 264 hours (11 days) is imposed by default. The MyProxy Server will be able to release proxies with a shorter lifetime on demand, but never with a lifetime longer than max_proxy_lifetime.
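The following is an added example (not part of the Master Portal project or of MyProxy): a small checker that parses the key/value format of myproxy-server.config and verifies that the directives listed above are present, that every authorization directive names the Master Portal host DN, and that max_proxy_lifetime does not exceed the 264 hour ceiling. The sample configuration embedded in the script, the host DN in it and the helper names are constructed for illustration.

```python
"""Sanity-check a myproxy-server.config for Credential Store use.

Added example, not Master Portal or MyProxy code. Parses the
'directive value' lines of myproxy-server.config ('#' starts a comment,
values may be double-quoted) and checks the directives the guide requires.
"""
import re

# Constructed sample config; the host DN is a placeholder, not a real one.
SAMPLE_CONFIG = """\
# myproxy-server.config (constructed sample)
accepted_credentials        "/DC=NL/DC=Example/O=Hosts/CN=masterportal.example.org"
authorized_retrievers       "/DC=NL/DC=Example/O=Hosts/CN=masterportal.example.org"
authorized_renewers         "/DC=NL/DC=Example/O=Hosts/CN=masterportal.example.org"
default_authorized_renewers "/DC=NL/DC=Example/O=Hosts/CN=masterportal.example.org"
trusted_retrievers          "/DC=NL/DC=Example/O=Hosts/CN=masterportal.example.org"

cert_dir /etc/grid-security/certificates
max_proxy_lifetime 264
"""

# Directives that must authorize the Master Portal host DN (from the guide).
AUTHZ_DIRECTIVES = (
    "accepted_credentials",
    "authorized_retrievers",
    "authorized_renewers",
    "default_authorized_renewers",
    "trusted_retrievers",
)
MAX_LIFETIME_HOURS = 264  # the guide's ceiling: 11 days


def parse_config(text):
    """Return {directive: [values]} from myproxy-server.config text.

    Simplification: a '#' anywhere starts a comment, so quoted values must
    not contain '#'. Repeated directives accumulate their values.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        # Quoted values keep their spaces; unquoted values split on whitespace.
        values = re.findall(r'"([^"]*)"|(\S+)', rest)
        conf.setdefault(key, []).extend(quoted or bare for quoted, bare in values)
    return conf


def check_credstore(conf, master_portal_dn):
    """Return a list of problems; an empty list means the config looks right."""
    problems = []
    for directive in AUTHZ_DIRECTIVES:
        if master_portal_dn not in conf.get(directive, []):
            problems.append(f"{directive} does not authorize the Master Portal DN")
    if not conf.get("cert_dir"):
        problems.append("cert_dir is not set (no trust roots)")
    lifetimes = conf.get("max_proxy_lifetime", [])
    if not lifetimes:
        problems.append("max_proxy_lifetime is not set; proxy lifetime is not capped")
    elif not lifetimes[0].isdigit() or int(lifetimes[0]) > MAX_LIFETIME_HOURS:
        problems.append(f"max_proxy_lifetime {lifetimes[0]} exceeds {MAX_LIFETIME_HOURS} h")
    return problems


if __name__ == "__main__":
    host_dn = "/DC=NL/DC=Example/O=Hosts/CN=masterportal.example.org"
    for problem in check_credstore(parse_config(SAMPLE_CONFIG), host_dn) or ["OK"]:
        print(problem)
```

Run it against your real file by replacing SAMPLE_CONFIG with the contents of /etc/myproxy-server.config and host_dn with the subject of the Master Portal's host certificate; any line it prints other than OK points at a directive the Credential Store mode needs.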
VOMS Support
The MyProxy Server returns non-VOMS-ified proxies by default, but it has support for releasing VOMS-ified proxies as well. Asking for VOMS-ified proxies is also supported in the Master Portal via the GetProxy Endpoint. In order to enable VOMS support in the MyProxy Server, set allow_voms_attribute_requests:
allow_voms_attribute_requests True
Self-Authorized Retrieval
The MyProxy Server disallows self renewal of certificates by default, but this function can be enabled. By enabling this, users possessing a valid proxy certificate will be able to renew it (prolong its lifetime) by talking directly to the MyProxy Server, without the intervention of any of the web components (such as the Master Portal). This setup is still experimental and it does not affect the delegation scenario involving the Master Portal, so it is safe to leave unset when not needed.
authorized_renewers "/DC=NL/DC=Example/O=*"
allow_self_authorization True
In the above configuration snippet the authorized_renewers should contain a "DN regex". This regex should be the common part of the DNs of the proxy certificates stored in the MyProxy Server. This configuration will NOT allow users to renew other users' credentials, because there are per-credential policies in place that restrict access to a single proxy certificate to its own full "DN regex". These policies are added to each credential during its upload by the Master Portal.
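The two-gate behaviour described above, as an added example that is not MyProxy's or the Master Portal's code: a renewal request must pass both the server-wide authorized_renewers pattern and the per-credential policy that the Master Portal sets to the credential's own DN. It assumes the MyProxy pattern convention in which '*' stands for any run of characters and that the DN compared is the requester's identity DN; the credential store, the user DNs and the function names are constructed for illustration.

```python
"""Model of how DN patterns gate self-authorized renewal in a Credential Store.

Added example, not MyProxy or Master Portal code. Assumption: MyProxy DN
patterns treat '*' as "any characters"; everything else matches literally.
"""
import re

# Server-wide directive from the guide's snippet.
AUTHORIZED_RENEWERS = "/DC=NL/DC=Example/O=*"

# Constructed credential store: username -> (owner DN, per-credential renewer policy).
# The Master Portal sets each policy to the credential's own full DN at upload time.
CREDENTIALS = {
    "alice": ("/DC=NL/DC=Example/O=Users/CN=Alice", "/DC=NL/DC=Example/O=Users/CN=Alice"),
    "bob": ("/DC=NL/DC=Example/O=Users/CN=Bob", "/DC=NL/DC=Example/O=Users/CN=Bob"),
}


def dn_pattern_to_regex(pattern):
    """Translate a MyProxy-style DN pattern ('*' = any characters) to an anchored regex."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def dn_matches(pattern, dn):
    """True when dn matches the MyProxy-style pattern in full."""
    return re.match(dn_pattern_to_regex(pattern), dn) is not None


def may_renew(requester_dn, username, server_pattern=AUTHORIZED_RENEWERS, store=CREDENTIALS):
    """Decide whether requester_dn may renew the credential stored under username.

    Both gates must pass: the server-wide authorized_renewers pattern and the
    per-credential policy, which names only the credential's own DN.
    """
    if username not in store:
        return False
    _owner_dn, per_credential_policy = store[username]
    return dn_matches(server_pattern, requester_dn) and dn_matches(
        per_credential_policy, requester_dn
    )


if __name__ == "__main__":
    alice = "/DC=NL/DC=Example/O=Users/CN=Alice"
    print("alice renews alice:", may_renew(alice, "alice"))
    print("alice renews bob:  ", may_renew(alice, "bob"))
```

The server-wide pattern on its own would let Alice renew Bob's credential, since both DNs share the "/DC=NL/DC=Example/O=" prefix; it is the per-credential policy written at upload time that keeps each proxy renewable only by its own DN.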
Trust Root
- deploy trust root
Extras
- discuss purge-er script (cron) just so operators are aware
Master Portal Configuration
- DB tables
- web container general (reverse proxy httpd+tomcat)
- oa4mp server config
- oa4mp client config