# -----------------------------------------------------------------------
# Default values for gPlazma configuration
# -----------------------------------------------------------------------
@DEFAULTS_HEADER@
# -----------------------------------------------------------------------
# Common properties
# -----------------------------------------------------------------------
#
# gPlazma comes in two versions: the one available before 1.9.12
# (gPlazma-1) and the new gPlazma (gPlazma-2). This section contains
# options that apply equally to gPlazma-1 and gPlazma-2.
#
# ---- The gPlazma version to run
#
# Valid values are "1" and "2". Selecting "1" chooses gPlazma-1, the
# implementation of gPlazma available in dCache versions prior to
# 1.9.12. Selecting "2" chooses the new gPlazma.
#
# This property is marked obsolete: gPlazma 1 and 2 are integrated
# into a single component, so the version can no longer be selected.
#
(obsolete)gplazma.version = gplazma 1 and 2 integrated into a single component.
# ---- Name of the gPlazma cell
#
# The name gPlazma will use when running. This name will be
# registered as well-known to other services. This is important if
# you wish to run multiple gPlazma cells as they will need different
# names.
#
gplazma/cell.name=gPlazma
# ---- Name used by doors
#
# The name of the gPlazma cell a door will contact. This becomes
# important when you have multiple gPlazma instances in a dCache
# system with different doors talking to different gPlazma cells.
#
gplazma=gPlazma
# ---- Number of concurrent requests to process.
#
# The number of login requests that gPlazma will process
# concurrently. Setting this number too high may result in large
# spikes of CPU activity and the potential to run out of memory.
# Setting the number too low results in potentially slow login
# activity.
#
gPlazmaNumberOfSimultaneousRequests=30
# ---- Use gPlazma as a module
#
# This property controls whether an extra gplazma service is run in
# the door's domain. This extra gplazma service is not well-known,
# so doors located in other domains will not use it. The local
# gPlazma may be used for load-balancing or to supply domain-specific
# gPlazma configuration (e.g., authorising additional access).
#
# Note that configuring a domain to host both a door configured with
# gPlazma as a module and the global 'gplazma' service is not
# supported.
#
# Specifying 'true' starts an extra gplazma service, as described
# above.
#
# Specifying 'false' has no effect.
#
(one-of?true|false)useGPlazmaAuthorizationModule=false
# ---- Use the centralised gPlazma service
#
# This property controls whether a door will use the central gplazma
# service or a local kpwd file when authenticating a user. It
# affects the FTP doors (ftp, gridftp, kerberosftp).
#
# If the property is set to 'true' then the door will use the
# 'gplazma' service to authenticate and map a user.
#
# If 'false' then a kpwd file is used instead. The kpwdFile property
# must point to a valid kpwd file (the same property supplies the
# default for gplazma.kpwd.file below).
#
(one-of?true|false)useGPlazmaAuthorizationCell=true
# -----------------------------------------------------------------------
# Properties for gPlazma
# -----------------------------------------------------------------------
#
# The following properties are for the version of gPlazma
# available with 1.9.12 and later.
#
# ---- Location of the configuration file
#
# The location of the gPlazma configuration file. This controls
# which plugins are used to authenticate end-users, in which order
# and how the plugins are configured.
#
gplazma.configuration.file=${dcache.paths.etc}/gplazma.conf
# ---- Path to the gPlazma-1 policy file
#
# gplazmaPolicy is deprecated; it now takes its value from
# gplazma.legacy.config, which is the property to set instead.
#
(deprecated)gplazmaPolicy=${gplazma.legacy.config}
gplazma.legacy.config=${dcache.paths.etc}/dcachesrm-gplazma.policy
# -----------------------------------------------------------------------
# Properties for gPlazma 2 plugins
# -----------------------------------------------------------------------
# ---- Path of the grid-mapfile file
#
# Used by the gridmap plugin, which maps a certificate DN to a user
# name.
#
gplazma.gridmap.file=${grid.path}/grid-mapfile
# ---- Path of the storage-authzdb file
#
# Used by the authzdb plugin, described below.
#
gplazma.authzdb.file=${grid.path}/storage-authzdb
# ---- Mapping order for determining the UID
#
# The storage-authzdb file maps names to UID, one or more GIDs, and a
# number of attributes.
#
# The authzdb plugin is typically used with other plugins that map
# user credentials to user and group names. Typical examples are
# gridmap (maps DN to user name) and vorolemap (maps FQAN to group
# name). The authzdb plugin maps both user names and group names to
# UID and GIDs.
#
# The authzdb plugin can be configured how it selects the mapping
# that determines the UID to use. The property is an ordered comma
# separated list of principal shortcuts that are consulted to
# select among several possible mappings. The available principal
# shortcuts are:
#
# uid Some protocols (specifically DCAP) allow the client to specify
# a UID explicitly. The UID can be used to disambiguate between
# several available mappings. Note that a client provided UID is
# not in itself enough to authorize use of a mapping.
#
# login Some protocols (DCAP, FTP, among others) allow a login name
# to be specified in addition to regular X.509 or Kerberos
# authentication. The login name may be used to disambiguate
# between several available mappings. Note that a client
# provided login name is not in itself enough to authorize use
# of a mapping.
#
# user The authzdb plugin is always combined with other plugins,
# such as the gridmap plugin. Such plugins may map to user
# names, which both authorize the use of a mapping in
# storage-authzdb and may determine the mapping being used.
#
# group The authzdb plugin is always combined with other plugins,
# such as the vorolemap plugin. Such plugins may map to
# group names, which both authorize the use of a mapping in
# storage-authzdb and may determine the mapping being used. In
# this case the primary group name will determine the mapping
# from which the UID is taken.
#
# With the default setting the set of candidate mappings (the
# mappings the user is authorized to use) is determined by the user
# and group names generated by other plugins (e.g. gridmap and
# vorolemap). To select one of the mappings, a user provided UID is
# consulted; if not available a user provided login name is consulted;
# if not available the mapping of a user name generated by another
# plugin is consulted (e.g. gridmap); if not available the mapping of a
# primary group name generated by another plugin is consulted (e.g.
# vorolemap).
#
# Only the order of selection among authorized mappings changes with
# this property; a client-supplied uid or login never authorizes a
# mapping on its own (see the uid and login shortcuts above).
#
# A typical reason to change the default is if one wants to give
# priority to the group name mapping rather than the user name
# mapping; e.g. when combined with gridmap and vorolemap, changing this
# property to uid,login,group,user means that the primary group name
# as generated by vorolemap determines the UID and only if that is
# not available will the user name generated by gridmap be used.
#
gplazma.authzdb.uid=uid,login,user,group
# ---- Mapping order for determining the primary GID
#
# Similar to gplazma.authzdb.uid, but determines how the primary GID
# is selected. The same principal shortcuts are available, with the
# exception of uid; instead a user provided GID is consulted when the
# gid shortcut is used.
#
# A typical reason to change the default is if one wants to give
# priority to the user name mapping rather than the group name
# mapping; e.g. when combined with gridmap and vorolemap, changing this
# property to gid,login,user,group means that the user name as
# generated by gridmap determines the primary GID and only if that is
# not available will the primary group name generated by vorolemap be
# used.
#
gplazma.authzdb.gid=gid,login,group,user
# ---- Path to the vomsdir directory
gplazma.vomsdir.dir=${grid.path}/vomsdir
# ---- Path to the directory containing trusted CA certificates
gplazma.vomsdir.ca=${grid.ca.path}
# ---- Path to the grid-vorolemap file
#
# Used by the vorolemap plugin, which maps an FQAN to a group name.
#
gplazma.vorolemap.file=${grid.path}/grid-vorolemap
# ---- Password of the host key, if any
#
# Leave empty when the host key is not passphrase-protected
# (presumably; confirm against the argus plugin). NOTE(review): a
# non-empty value is stored in clear text in this properties file,
# so the file's read permissions should be restricted accordingly.
#
gplazma.argus.hostkey.password=
# ---- Path to the PEM encoded host key
gplazma.argus.hostkey=${grid.hostcert.key}
# ---- Path to the PEM encoded host certificate
gplazma.argus.hostcert=${grid.hostcert.cert}
# ---- Path to the directory containing trusted CA certificates
#
# The CA directory used to validate the Argus endpoint's certificate
# (presumably; confirm against the argus plugin).
#
gplazma.argus.ca=${grid.ca.path}
# ---- Argus resource ID
gplazma.argus.resource=dcache
# ---- Argus action ID
gplazma.argus.action=access
# ---- Argus endpoint
#
# HTTPS URL of the Argus authorization service. The default assumes
# an Argus instance on the local host; set it to the site's real
# endpoint when Argus runs elsewhere.
#
gplazma.argus.endpoint=https://localhost:8154/authz
# ---- Path to kpwd file
#
# Defaults to the value of the kpwdFile property used by the FTP
# doors (see useGPlazmaAuthorizationCell above).
#
gplazma.kpwd.file=${kpwdFile}
# ---- NIS server host
#
# The default is a placeholder and must be replaced with the site's
# NIS server before the nis plugin is used.
#
gplazma.nis.server=nisserv.domain.com
# ---- NIS domain name
#
# Placeholder default; replace together with gplazma.nis.server.
#
gplazma.nis.domain=domain.com
# ---- JAAS application name
#
# Identifies the section in the JAAS configuration to use.
#
gplazma.jaas.name=gplazma
# ---- Path to the PEM encoded host key
gplazma.xacml.hostkey=${grid.hostcert.key}
# ---- Path to the PEM encoded host certificate
gplazma.xacml.hostcert=${grid.hostcert.cert}
# ---- Path to the directory containing trusted CA certificates
gplazma.xacml.ca=${grid.ca.path}
# ---- LDAP plugin
#
# LDAP server host
gplazma.ldap.server = ldap.example.com
# LDAP server port number
#
# 389 is the conventional port for unencrypted LDAP. Whether the
# plugin negotiates TLS on this connection is not controlled by any
# property in this file; confirm against the ldap plugin before
# sending credentials over it.
#
gplazma.ldap.port = 389
# Base of the directory tree under which the People and Groups
# subtrees below are searched (assumed from the key names — confirm).
# The default is a placeholder and must be replaced with the site's
# own value.
gplazma.ldap.organization = o=SITE,c=CONTRY
# Name of the subtree holding user entries
gplazma.ldap.tree.people = People
# Name of the subtree holding group entries
gplazma.ldap.tree.groups = Groups
#
# The search filter to use to locate a user's entry in the LDAP directory.
# It must contain the special token "%s", which will be replaced with the
# supplied username value before the search is performed.
#
# NOTE(review): the username is substituted into the filter verbatim
# as far as this file shows; confirm that the plugin escapes LDAP
# filter metacharacters in the supplied value, since an unescaped
# value would change the meaning of the filter.
#
# Some examples:
# "(uid=%s)"
# "(&(uid=%s)(objectClass=inetOrgPerson))"
#
gplazma.ldap.userfilter = (uid=%s)
# ---- BanFile plugin
#
# BanFile config file
gplazma.banfile.path = ${dcache.paths.etc}/ban.conf
# -----------------------------------------------------------------------
# Obsolete properties.
# -----------------------------------------------------------------------
#
# The following properties are no longer supported and have no
# effect.
#
(obsolete)gPlazmaRequestTimeout=
(obsolete)delegateToGPlazma=
# The misspelt name is marked forbidden so that setting it is
# reported rather than ignored; use the correctly spelt property.
(forbidden)gPlazmaNumberOfSimutaneousRequests=use gPlazmaNumberOfSimultaneousRequests instead