The ECAR webservice
| Author: | Riccardo Murri, Antonio Messina |
|---|---|
| Date: | 2005-12-30 23:03:25 +0100 (ven, 30 dic 2005) |
| Revision: | $Revision$ |
What is ECAR?
ECAR is a secure SOAP web service interface for querying the POSIX-ACL-like access authorization mechanism of an LFC server. By calling ECAR's canAccess method, a client can discover whether a Grid user (identified by certificate subject DN and a list of VOMS FQANs) may open a "logical file name" stored in an LFC catalog.
ECAR was conceived as a means of propagating authorization information from an LFC server to a StoRM SRM server; this way, authorization information can be centrally managed in the LFC metadata catalog and propagated to the servers where data is actually stored. The storm-authz-ecar package implements this policy system for the StoRM SRM server.
ECAR comprises:
- ecar-server: the server program, which actually responds to web service requests (over an SSL-secured HTTPS channel);
- ecar-client: a command-line client, which can be used to test the service or to implement simple scripts that query the ECAR server.
Features
- all communication is secured and encrypted with SSL;
- HTTP keep-alive is supported, to avoid the SSL handshake overhead when a client makes multiple requests;
- easy to install;
- precompiled binaries for Scientific Linux CERN 3.0.5 and Debian 3.1 (sarge).
Security implications
The ECAR server needs sufficient privileges to query the LFC server for the ACL of any file it is asked about. Therefore, the ECAR server should run with root privileges on the same host where the LFC server is running. [1] If a request is processed for access to a file whose ACL the ECAR server cannot read, an error is returned to the ECAR webservice client.
[1] The root user on the local host is not required by LFC to present Grid credentials, and may perform any operation on the LFC catalog.
The ECAR server will never change an ACL or other metadata in the LFC namespace; all ECAR accesses to LFC namespace are read-only.
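To make the three possible outcomes of a canAccess query concrete, here is a small added example (not ECAR's or LFC's own code) that models the decision: a POSIX-ACL-like entry list is evaluated against a certificate DN plus VOMS FQANs, yielding allow or deny, and a distinct error when the ACL cannot be read, as the section above describes. The catalog contents, DNs, FQANs and the simplified mask handling are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ERROR = "error"  # ACL unreadable: an error is returned, not a denial

@dataclass
class GridUser:
    dn: str                                      # certificate subject DN
    fqans: list = field(default_factory=list)    # VOMS FQANs

@dataclass
class AclEntry:
    kind: str        # "user", "group", "mask" or "other"
    principal: str   # DN for user entries, FQAN for group entries, else ""
    perms: str       # subset of "rwx"

# Constructed sample catalog (not real LFC data): LFN -> ACL entries,
# or None to simulate an ACL the server is unable to read.
CATALOG = {
    "/grid/egrid/data/run01.dat": [
        AclEntry("user", "/C=IT/O=ICTP/CN=Alice", "rw"),
        AclEntry("group", "/egrid/Role=analysis", "r"),
        AclEntry("mask", "", "r"),
        AclEntry("other", "", ""),
    ],
    "/grid/egrid/private/secret.dat": None,
}

def can_access(user, lfn, mode="r"):
    """Decide whether `user` may open `lfn` in `mode` ('r', 'w' or 'x')."""
    acl = CATALOG.get(lfn)
    if acl is None:
        return Decision.ERROR          # cannot read the ACL: report an error
    mask = next((e.perms for e in acl if e.kind == "mask"), "rwx")
    # A named user entry wins over group entries (simplified: the mask is
    # applied to every named entry; real POSIX ACLs exempt the file owner).
    for e in acl:
        if e.kind == "user" and e.principal == user.dn:
            return Decision.ALLOW if mode in e.perms and mode in mask else Decision.DENY
    # Any matching FQAN group entry granting the mode (through the mask) allows.
    matched = [e for e in acl if e.kind == "group" and e.principal in user.fqans]
    if matched:
        granted = any(mode in e.perms and mode in mask for e in matched)
        return Decision.ALLOW if granted else Decision.DENY
    other = next((e.perms for e in acl if e.kind == "other"), "")
    return Decision.ALLOW if mode in other else Decision.DENY
```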
Further information
Some resources are available online:
- ecar-server: Man page for the ecar-server program.
- ecar-client: Man page for the ecar-client command-line test client.
- storm-authz-ecar: An "AuthorizationSource" class that makes the StoRM SRM server a client of the ECAR service; this way, authorization information can be centrally managed in the LFC server and propagated to the SRM servers on the SEs.
Download & Install
Source code
You can download the ECAR source code from the EGRID CVS and Subversion repository at http://www.egrid.it/cvs/products/ecar/?root=svn .
RPM packages / Scientific Linux CERN
You can download .rpm packages (tested on Scientific Linux CERN 3.0.5) from http://www.egrid.it/download/rpm/RPMS.egrid
The EGRID apt repository is kept up-to-date with the latest precompiled binary package of ECAR; you can install ECAR from the repository with the following procedure:
1. Add the EGRID repository to your APT repository list:

       echo http://www.egrid.it/download/rpm >> /etc/apt/sources.list.d/egrid.list
       apt-get update

2. Install ECAR:

       apt-get install ecar

3. Start the ECAR server process:

       service ecar start

4. Configure ECAR to run after every reboot:

       chkconfig --add ecar
       chkconfig ecar on
Debian packages / Debian 3.1 (sarge)
Download .deb packages (to install on Debian sarge) from http://www.egrid.it/download/deb
The EGRID apt repository is kept up-to-date with the latest precompiled binary package of ECAR; you can install ECAR from the repository with the following procedure:
1. Add the EGRID repository to your APT repository list:

       echo http://www.egrid.it/download/deb >> /etc/apt/sources.list
       apt-get update

2. Install ECAR:

       apt-get install ecar

3. Start the ECAR server process:

       /etc/init.d/ecar start

4. Configure ECAR to run after every reboot:

       update-rc.d ecar defaults 80
Copyright and license
ECAR is copyright (c) 2006 Antonio Messina <antonio.messina@ictp.it> and Riccardo Murri <riccardo.murri@ictp.it> for the ICTP project EGRID.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
