gplazma: Comply with new configuration policy

The option to implicitly embed gPlazma as a 'module' has been
removed. Instead one can now add a local gplazma service to a
domain and choose not to export it by setting gplazma.cell.export
to false. This has the same effect.

The ability for plain ftp to not use gPlazma at all and use a
local kpwd file has been removed. The same effect can be achieved
by configuring a local gplazma service and let the ftp door use it.

New properties

gplazma.cell.name
gplazma.cell.limits.threads
gplazma.cell.export
gplazma.service.pnfsmanager

Obsolete properties

kpwdFile
useGPlazmaAuthorizationModule
useGPlazmaAuthorizationCell

Removed properties

gplazma.version

Target: trunk
Require-book: yes
Require-notes: yes
Acked-by: Paul Millar <paul.millar@desy.de>
Patch: http://rb.dcache.org/r/5722/

modules/cells/src/main/java/dmg/cells/nucleus/CellAdapter.java

@@ -139,7 +139,7 @@ public CellAdapter(String  cellName,
             _definedSetup = null;
         }
 
-        if (_args.hasOption("export")) {
+        if (_args.hasOption("export") && (_args.getOption("export").isEmpty() || Boolean.parseBoolean(_args.getOption("export")))) {
             export();
         }
 

modules/dcache-ftp/src/main/java/diskCacheV111/doors/AbstractFtpDoorV1.java

@@ -76,7 +76,6 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 import java.io.BufferedOutputStream;
 import java.io.BufferedReader;
 import java.io.EOFException;
-import java.io.File;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.OutputStreamWriter;
@@ -148,7 +147,6 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 import dmg.util.StreamEngine;
 
 import org.dcache.acl.enums.AccessType;
-import org.dcache.auth.KauthFileLoginStrategy;
 import org.dcache.auth.LoginReply;
 import org.dcache.auth.LoginStrategy;
 import org.dcache.auth.Origin;
@@ -505,24 +503,6 @@ private static String buildChecksumList(){
     )
     protected boolean _isProxyRequiredOnActive;
 
-    /**
-     * If true, the door will first contact the login service for
-     * login processing.
-     */
-    @Option(
-        name = "use-login-service",
-        description = "Whether to use the login service",
-        defaultValue = "false"
-    )
-    protected boolean _useLoginService;
-
-    @Option(
-        name = "kpwd-file",
-        description = "Path to kpwd file",
-        defaultValue = ""
-    )
-    protected String _kpwdFilePath;
-
      /**
      * File (StageConfiguration.conf) containing DNs and FQANs whose owner are allowed to STAGE files
      * (i.e. allowed to copy file from dCache in case file is stored on tape but not on disk).
@@ -1205,24 +1185,7 @@ protected void init()
         _gPlazmaStub =
                 new CellStub(this, new CellPath(_gPlazma), 30000);
 
-        if (_useLoginService) {
-            _loginStrategy = new RemoteLoginStrategy(_gPlazmaStub);
-        } else {
-            /* Use kpwd file if login service is not enabled.
-             */
-            if (Strings.isNullOrEmpty(_kpwdFilePath)) {
-                String s = "-kpwd-file file argument wasn't specified";
-                _logger.error(s);
-                throw new IllegalArgumentException(s);
-            }
-            File file = new File(_kpwdFilePath);
-            if (!file.exists()) {
-                String s = "File not found: " + file;
-                _logger.error(s);
-                throw new IllegalArgumentException(s);
-            }
-            _loginStrategy = new KauthFileLoginStrategy(file);
-        }
+        _loginStrategy = new RemoteLoginStrategy(_gPlazmaStub);
 
         /* Data channel port range used when client issues PASV
          * command.

modules/dcache/src/main/resources/org/dcache/services/login/gplazma.xml

@@ -15,7 +15,7 @@
 	factory-method="newFixedThreadPool"
 	destroy-method="shutdown">
     <description>Thread pool for message processing</description>
-    <constructor-arg value="${gPlazmaNumberOfSimultaneousRequests}"/>
+    <constructor-arg value="${gplazma.cell.limits.threads}"/>
   </bean>
 
   <bean id="timeout-thread"
@@ -40,7 +40,7 @@
     <description>PnfsManager client module</description>
     <constructor-arg>
       <bean class="dmg.cells.nucleus.CellPath">
-        <constructor-arg value="${dcache.service.pnfsmanager}"/>
+        <constructor-arg value="${gplazma.service.pnfsmanager}"/>
       </bean>
     </constructor-arg>
   </bean>

skel/bin/dcache

@@ -782,12 +782,12 @@ case "$1" in
             command="$1"
             shift
 
-            kpwdFile="$(getProperty kpwdFile)"
+            kpwdFile="$(getProperty gplazma.kpwd.file)"
             if [ ! -e "$kpwdFile" ]; then
                 touch "$kpwdFile"
             fi
 
-            CLASSPATH="$(getProperty dcache.paths.classpath)" quickJava org.dcache.auth.KAuthFile "$command" "$(getProperty kpwdFile)" "$@"
+            CLASSPATH="$(getProperty dcache.paths.classpath)" quickJava org.dcache.auth.KAuthFile "$command" "$(getProperty gplazma.kpwd.file)" "$@"
         fi
         ;;
 

skel/share/defaults/dcache.properties

@@ -565,24 +565,6 @@ trustStore=${dcache.paths.etc}/certificates.jks
 trustStorePassword=dcache
 
 
-#  -----------------------------------------------------------------------
-#          Filesystem Locations
-#  -----------------------------------------------------------------------
-
-
-#  ---- SRM/GridFTP authentication file
-#
-#   Do not change unless you know what you are doing.
-#
-#  An example file is located in share/examples/gPlazma directory.  Copy
-#  this file into ${dcache.paths.etc} directory and modify as appropriate.
-#
-kpwdFile=${dcache.paths.etc}/dcache.kpwd
-
-
-
-
-
 #  -----------------------------------------------------------------------
 #         common to gsiftp and srm
 #  -----------------------------------------------------------------------

skel/share/defaults/ftp.properties

@@ -30,9 +30,6 @@ ftp.authn.hostcert.key=${grid.hostcert.key}
 ftp.authn.hostcert.cert=${grid.hostcert.cert}
 ftp.authn.capath=${grid.ca.path}
 
-#  Account and password file for plain authentication
-ftp.authn.kpwd=${kpwdFile}
-
 # Authorization file for tape protection
 ftp.authz.staging=${dcache.authz.staging}
 ftp.authz.staging.pep=${dcache.authz.staging.pep}
@@ -218,3 +215,4 @@ ftp.service.billing=${dcache.service.billing}
 (forbidden)ftp/port=Use ftp.net.port instead
 (forbidden)ftp.read-only=Use ftp.authz.readonly
 (forbidden)ftp/kerberos.service-principle-name=Use ftp.authn.kerberos.service-principle-name
+(forbidden)ftp.authn.kpwd=Use gPlazma instead (possibly a localized gPlazma instance for this door)

skel/share/defaults/gplazma.properties

@@ -8,33 +8,15 @@
 #   will be lost when you next upgrade.
 
 
-
-#  -----------------------------------------------------------------------
-#         Common properties
-#  -----------------------------------------------------------------------
-#
-#  gPlazma comes in two versions: the one available before 1.9.12
-#  (gPlazma-1) and the new gPlazma (gPlazma-2).  This section contains
-#  options that apply equally to gPlazma-1 or gPlazma-2.
-#
-
-#  ---- The gPlazma version to run
-#
-#  Valid values are "1" and "2".  Selecting "1" chooses gPlazma-1, the
-#  implementation of gPlazma available in dCache versions prior to
-#  1.9.12.  Selecting "2" chooses the new gPlazma.
-#
-(obsolete)gplazma.version = gplazma 1 and 2 integrated into a single component.
-
-
 #  ---- Name of the gPlazma cell
 #
 #  The name gPlazma will use when running.  This name will be
 #  registered as well-known to other services.  This is important if
 #  you wish to run multiple gPlazma cells as they will need different
 #  names.
 #
-gplazma/cell.name=gPlazma
+gplazma.cell.name=gPlazma
+gplazma/cell.name=${gplazma.cell.name}
 
 
 #  ---- Number of concurrent requests to process.
@@ -45,51 +27,24 @@ gplazma/cell.name=gPlazma
 #  Setting the numebr too lower results in potentially slow login
 #  activity.
 #
-gPlazmaNumberOfSimultaneousRequests=30
+(deprecated)gPlazmaNumberOfSimultaneousRequests=30
+gplazma.cell.limits.threads=${gPlazmaNumberOfSimultaneousRequests}
 
 
-#  ---- Use gPlazma as a module
-#
-#  This property controls whether an extra gplazma service is run in
-#  the door's domain.  This extra gplazma service is not well-known,
-#  so doors located in other domains will not use it.  The local
-#  gPlazma may be used for load-balancing or to supply domain-specific
-#  gPlazma configuration (e.g., authorising additional access).
+#  ---- Whether to export the gPlazma cell as a well known cell
 #
-#  Note that configuring a domain to host both a door configured with
-#  gPlazma as a module and the global 'gplazma' service is not
-#  supported.
+#  This property controls whether the gPlazma cell is published as
+#  a well known cell. Well known cells are addressable through their
+#  cell name, while other cells are only addressable from other domains
+#  using their fully qualified cell address.
 #
-#  Specifying 'true' starts an extra gplazma service, as described
-#  above.
-#
-#  Specifying 'false' has no effect.
-#
-(one-of?true|false)useGPlazmaAuthorizationModule=false
-
-
-#  ---- Use the centralised gPlazma service
-#
-#  This property controls whether a door will use the central gplazma
-#  service or a local kpwd file when authenticating a user.  It
-#  affects the FTP doors (ftp, gridftp, kerberosftp).
-#
-#  If the property is set to 'true' then the door will use the
-#  'gplazma' service to authenticate and map a user.
-#
-#  If 'false' then a kpwd file is used instead.  The kpwdFile property
-#  must point to a valid kpwd file.
-#
-(one-of?true|false)useGPlazmaAuthorizationCell=true
-
-
-#  -----------------------------------------------------------------------
-#         Properties for gPlazma
-#  -----------------------------------------------------------------------
-#
-#  The following properties are for the version of gPlazma
-#  available with 1.9.12 and later.
+#  Sometimes one may want to have a local gPlazma instance used by
+#  doors in the same domain. This can be achieved by adding the gplazma
+#  service to such a domain and setting the gplazma.cell.export property
+#  to false. In past versions of dCache, this has been referred to
+#  as using gPlazma as a module.
 #
+gplazma.cell.export=true
 
 #  ---- Location of the configuration file
 #
@@ -99,8 +54,12 @@ gPlazmaNumberOfSimultaneousRequests=30
 #
 gplazma.configuration.file=${dcache.paths.etc}/gplazma.conf
 
+#  ---- Properties for communicating with other services
+gplazma.service.pnfsmanager=${dcache.service.pnfsmanager}
+
+
 #  -----------------------------------------------------------------------
-#         Properties for gPlazma 2 plugins
+#         Properties for gPlazma plugins
 #  -----------------------------------------------------------------------
 
 #  ---- Path of the grid-mapfile file
@@ -217,6 +176,7 @@ gplazma.argus.action=access
 gplazma.argus.endpoint=https://localhost:8154/authz
 
 #  ---- Path to kpwd file
+(deprecated)kpwdFile=${dcache.paths.etc}/dcache.kpwd
 gplazma.kpwd.file=${kpwdFile}
 
 #  ---- NIS server host
@@ -254,14 +214,11 @@ gplazma.ldap.tree.people = People
 gplazma.ldap.tree.groups = Groups
 
 #  -----------------------------------------------------------------------
-#         Obsolete properties.
+#         Old properties.
 #  -----------------------------------------------------------------------
 #
-#  The following properties are no longer supported and have no
-#  effect.
+#  The following properties are no longer supported.
 #
-(obsolete)gPlazmaRequestTimeout=
-(obsolete)delegateToGPlazma=
-(obsolete)gplazmaPolicy=gPlazma version 1 is no longer supported
-(obsolete)gplazma.legacy.config=gPlazma version 1 is no longer supported
-(forbidden)gPlazmaNumberOfSimutaneousRequests=use gPlazmaNumberOfSimultaneousRequests instead
+(forbidden)useGPlazmaAuthorizationModule=Use gplazma.cell.export
+(forbidden)useGPlazmaAuthorizationCell=Use gplazma instead
+

skel/share/services/admin-ssh2.batch

@@ -32,7 +32,5 @@ test -i ${AccessControlCell}
 exec env createAcl.exe -ifnotok
 onerror shutdown
 
-exec file:${dcache.paths.share}/cells/embedded-gPlazma.fragment
-
 create org.dcache.cells.UniversalSpringCell ${cell.nameSsh2} \
     "classpath:org/dcache/services/ssh2/ssh2Admin.xml -export"

skel/share/services/dcap.batch

@@ -26,7 +26,6 @@ check dcap.net.listen
 check -strong dcache.paths.share
 
 exec file:${dcache.paths.share}/cells/stage.fragment dcap doors
-exec file:${dcache.paths.share}/cells/embedded-gPlazma.fragment
 
 set env arguments-plain "-localOk"
 set env arguments-auth "-pswdfile=${dcap.authn.passwd} -authorization=required"

skel/share/services/ftp.batch

@@ -44,10 +44,8 @@ check ftp.transaction-log
 check ftp.net.listen
 check ftp.net.internal
 check ftp.mover.queue
-check ftp.authn.kpwd
 
 exec file:${dcache.paths.share}/cells/stage.fragment ftp doors
-exec file:${dcache.paths.share}/cells/embedded-gPlazma.fragment
 
 create dmg.cells.services.login.LoginManager ${ftp.cell.name} \
   "${ftp.net.port} ${ftp.implementation} \
@@ -78,7 +76,6 @@ create dmg.cells.services.login.LoginManager ${ftp.cell.name} \
    -maxStreamsPerClient=${ftp.limits.streams-per-client} \
    -defaultStreamsPerClient=1 \
    -deleteOnConnectionClosed=${ftp.delete-on-failure} \
-   -use-login-service=${useLoginService} \
    -io-queue=${ftp.mover.queue} \
    -stageConfigurationFilePath=${ftp.authz.staging} \
    -ftp-adapter-internal-interface=${ftp.net.internal} \
@@ -87,7 +84,6 @@ create dmg.cells.services.login.LoginManager ${ftp.cell.name} \
    -proxyActive=${ftp.proxy.on-active} \
    -tlog=${ftp.transaction-log} \
    -read-only=${ftp.authz.readonly} \
-   -kpwd-file=${ftp.authn.kpwd} \
    -kdc-list=${ftp.authn.kerberos.key-distribution-center-list} \
    -svc-principal=${ftp.authn.kerberos.service-principle-name} \
    -service-key=${ftp.authn.hostcert.key} \