# -----------------------------------------------------------------------
# Default values for gPlazma configuration
# -----------------------------------------------------------------------
#
# This Java properties file contains default values for gPlazma
# configuration parameters. All values can be redefined in
# etc/dcache.conf. Do not modify any values here as your changes
# will be lost when you next upgrade.
# ---- Name of the gPlazma cell
#
# The name gPlazma will use when running.
gplazma.cell.name=gPlazma
# ---- Number of concurrent requests to process.
#
# The number of login requests that gPlazma will process
# concurrently. Setting this number too high may result in large
# spikes of CPU activity and the potential to run out of memory.
# Setting the number too low results in potentially slow login
# activity.
#
(deprecated)gPlazmaNumberOfSimultaneousRequests=30
gplazma.cell.limits.threads=${gPlazmaNumberOfSimultaneousRequests}
# ---- Whether to export the gPlazma cell as a well known cell
#
# This property controls whether the gPlazma cell is published as
# a well known cell. Well known cells are addressable through their
# cell name, while other cells are only addressable from other domains
# using their fully qualified cell address.
#
# Sometimes one may want to have a local gPlazma instance used by
# doors in the same domain. This can be achieved by adding the gplazma
# service to such a domain and setting the gplazma.cell.export property
# to false. In past versions of dCache, this has been referred to
# as using gPlazma as a module.
#
(one-of?true|false)gplazma.cell.export=true
# ---- Location of the configuration file
#
# The location of the gPlazma configuration file. This controls
# which plugins are used to authenticate end-users, in which order
# and how the plugins are configured.
#
gplazma.configuration.file=${dcache.paths.etc}/gplazma.conf
# Cell address of pnfsmanager service
gplazma.service.pnfsmanager=${dcache.service.pnfsmanager}
# -----------------------------------------------------------------------
# Properties for gPlazma plugins
# -----------------------------------------------------------------------
# ---- Path of the grid-mapfile file
gplazma.gridmap.file=${dcache.paths.grid-security}/grid-mapfile
# ---- Path of the storage-authzdb file
gplazma.authzdb.file=${dcache.paths.grid-security}/storage-authzdb
# ---- Mapping order for determining the UID
#
# The storage-authzdb file maps names to UID, one or more GIDs, and a
# number of attributes.
#
# The authzdb plugin is typically used with other plugins that map
# user credentials to user and group names. Typical examples are
# gridmap (maps DN to user name) and vorolemap (maps FQAN to group
# name). The authzdb plugin maps both user names and group names to
# UID and GIDs.
#
# The authzdb plugin can be configured in how it selects the mapping
# that determines the UID to use. The property is an ordered comma
# separated list of principal shortcuts that are consulted to
# select among several possible mappings. The available principal
# shortcuts are:
#
# uid Some protocols (specifically DCAP) allow the client to specify
# a UID explicitly. The UID can be used to disambiguate between
# several available mappings. Note that a client provided UID is
# not in itself enough to authorize use of a mapping.
#
# login Some protocols (DCAP, FTP, among others) allow a login name
# to be specified in addition to regular X.509 or Kerberos
# authentication. The login name may be used to disambiguate
# between several available mappings. Note that a client
# provided login name is not in itself enough to authorize use
# of a mapping.
#
# user The authzdb plugin is always combined with other plugins,
# such as the gridmap plugin. Such plugins may map to user
# names, which both authorize the use of a mapping in
# storage-authzdb and may determine the mapping being used.
#
# group The authzdb plugin is always combined with other plugins,
# such as the vorolemap plugin. Such plugins may map to
# group names, which both authorize the use of a mapping in
# storage-authzdb and may determine the mapping being used. In
# this case the primary group name will determine the mapping
# from which the UID is taken.
#
# With the default setting the set of candidate mappings (the
# mappings the user is authorized to use) is determined by the user
# and group names generated by other plugins (e.g. gridmap and
# vorolemap). To select one of the mappings, a user provided UID is
# consulted; if not available a user provided login name is consulted;
# if not available the mapping of a user name generated by another
# plugin is consulted (e.g. gridmap); if not available the mapping of a
# primary group name generated by another plugin is consulted (e.g.
# vorolemap).
#
# A typical reason to change the default is if one wants to give
# priority to the group name mapping rather than the user name
# mapping; e.g. when combined with gridmap and vorolemap, changing this
# property to uid,login,group,user means that the primary group name
# as generated by vorolemap determines the UID and only if that is
# not available will the user name generated by gridmap be used.
#
gplazma.authzdb.uid=uid,login,user,group
# ---- Mapping order for determining the primary GID
#
# Similar to gplazma.authzdb.uid, but determines how the primary GID
# is selected. The same principal shortcuts are available, with the
# exception of uid; instead a user provided GID is consulted when the
# gid shortcut is used.
#
# A typical reason to change the default is if one wants to give
# priority to the user name mapping rather than the group name
# mapping; e.g. when combined with gridmap and vorolemap, changing this
# property to gid,login,user,group means that the user name as
# generated by gridmap determines the primary GID and only if that is
# not available will the primary group name generated by vorolemap be
# used.
#
gplazma.authzdb.gid=gid,login,group,user
# ---- Path to the vomsdir directory
gplazma.vomsdir.dir=${dcache.authn.vomsdir}
# ---- Path to the directory containing trusted CA certificates
gplazma.vomsdir.ca=${dcache.authn.capath}
# ---- Path to the grid-vorolemap file
gplazma.vorolemap.file=${dcache.paths.grid-security}/grid-vorolemap
# ---- Password of the host key, if any
#
# Leave empty if the host key is not password protected. If a
# password is needed, set it in etc/dcache.conf (see above) rather
# than here.
gplazma.argus.hostkey.password=
# ---- Path to the PEM encoded host key
gplazma.argus.hostkey=${dcache.authn.hostcert.key}
# ---- Path to the PEM encoded host certificate
gplazma.argus.hostcert=${dcache.authn.hostcert.cert}
# ---- Path to the directory containing trusted CA certificates
gplazma.argus.ca=${dcache.authn.capath}
# ---- Argus resource ID
gplazma.argus.resource=dcache
# ---- Argus action ID
gplazma.argus.action=access
# ---- Argus endpoint
gplazma.argus.endpoint=https://localhost:8154/authz
# ---- Path to kpwd file
(deprecated)kpwdFile=${dcache.paths.etc}/dcache.kpwd
gplazma.kpwd.file=${kpwdFile}
# ---- NIS server host
gplazma.nis.server=nisserv.example.org
# ---- NIS domain name
gplazma.nis.domain=example.org
# ---- JAAS application name
#
# Identifies the section in the JAAS configuration to use.
#
gplazma.jaas.name=gplazma
# ---- Path to the PEM encoded host key
gplazma.xacml.hostkey=${dcache.authn.hostcert.key}
# ---- Path to the PEM encoded host certificate
gplazma.xacml.hostcert=${dcache.authn.hostcert.cert}
# ---- Path to the directory containing trusted CA certificates
gplazma.xacml.ca=${dcache.authn.capath}
# ---- LDAP plugin
#
# LDAP server host
gplazma.ldap.server = ldap.example.org
# LDAP server port number
gplazma.ldap.port = 389
gplazma.ldap.organization = o=SITE,c=CONTRY
gplazma.ldap.tree.people = People
gplazma.ldap.tree.groups = Groups
#
# The search filter used to locate a user's entry in the LDAP directory.
# It must contain the special token "%s", which is replaced with the
# supplied username before the search is performed.
#
# Some examples:
# "(uid=%s)"
# "(&(uid=%s)(objectClass=inetOrgPerson))"
#
gplazma.ldap.userfilter = (uid=%s)
# ---- BanFile plugin
#
# BanFile config file
gplazma.banfile.path = ${dcache.paths.etc}/ban.conf
# ---- htpasswd plugin
gplazma.htpasswd.file = ${dcache.paths.etc}/htpasswd
gplazma.htpasswd.file.cache-period = 1
gplazma.htpasswd.file.cache-period.unit = SECONDS
# -----------------------------------------------------------------------
# Old properties.
# -----------------------------------------------------------------------
#
# The following properties are no longer supported.
#
(forbidden)useGPlazmaAuthorizationModule=Use gplazma.cell.export
(forbidden)useGPlazmaAuthorizationCell=Use gplazma instead