ecar-server(8)
NAME
ecar-server - Webservice that checks LFC access based on a user's DN and FQANs
SYNOPSIS
ecar-server [OPTIONS]
Run a webservice implementing functions that check whether a user (identified by DN and FQANs) may access a given entry in the LFC namespace. Only trusted clients are allowed to connect.
Options:
- -C, --ca-directory DIR
- Look for CA certificates and CRLs in directory DIR. By default, looks in the directory pointed to by X509_CERT_DIR or, if that is empty, in /etc/grid-security/certificates.
- -M, --max-threads NUM
- Create a pool of NUM threads to serve webservice requests; each thread holds its own connection to the LFC backend database, and all threads are created when the program starts.
- -j, --cert-and-key-file FILE
- Read SSL certificate and key from FILE, which should be in PEM-encoded format.
- -L, --lfc-host HOST
- Contact LFC server on host HOST.
- -p, --port PORT
- Listen on TCP port PORT. By default, use the port listed in /etc/services for the ecar service, or port 8859/tcp if no ecar service is listed there.
- -q, --max-queued LIMIT
- Maximum number of accepted connections that may wait in the queue for a worker thread. Set this to 0 to let the queue grow without bounds. By default, the queue is limited to 64 entries.
- -d, --debug
- Do not daemonize after startup: that is, do not fork and detach from the terminal. Also, log very verbosely and write log messages to stderr.
- -N, --nsconfig-file FILE
- Read LFC database access parameters from FILE (default: /opt/lcg/etc/NSCONFIG).
- -m, --lcgdm-mapfile FILE
- Read the LFC mapfile from FILE (default: /opt/lcg/etc/lcgdm-mapfile). This file is consulted when a client presents a DN but no FQANs; it maps certificate subject DNs to VOs.
- -P, --pid-file FILE
- Write pid of the process to the FILE file (default: /var/run/ecar.pid).
- -s, --syslog FACILITY
- Log messages to syslog facility FACILITY. By default, log to the daemon facility.
- -v, --verbose
- Increase verbosity of messages sent to syslog. By default, ecar-server is very quiet, and logs only errors.
- --help
- Print help text and exit.
- -V, --version
- Print version number and exit.
DESCRIPTION
ecar-server serves SOAP/HTTP requests for the ecar:canAccess method. The purpose of the ecar:canAccess webservice method is to allow trusted hosts to inquire whether a Grid user (identified by certificate subject DN and a list of VOMS FQANs) has certain access rights (read, write, traverse) on an LFC file or directory.
ecar-server should run as user root on the same host where the LFC daemon runs, so that it can read ACLs in the LFC namespace without restrictions. If ecar-server cannot read the ACL on a file, it will return an error to its client.
ecar-server reads DN->VO mappings from LFC's lcgdm-mapfile and uses them when a client presents a DN and no FQANs. If no mapping is found in lcgdm-mapfile, the client's request is rejected with an error. The internal cache of DN->VO mappings extracted from lcgdm-mapfile is refreshed every 3600 seconds (1 hour), but you may force an update by sending the process the SIGHUP signal. You can specify an alternate location for the lcgdm-mapfile with the --lcgdm-mapfile option.
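The fallback just described (client-presented FQANs first, then the lcgdm-mapfile, otherwise reject) together with the hourly refresh and forced SIGHUP reload of the cache, as an added Python illustration. This is not ecar-server's own code: the mapfile format (one double-quoted subject DN followed by a VO name per line, '#' comments), the sample entries, and the choice to represent a mapfile VO as its base FQAN "/vo" are assumptions made here.

```python
"""DN -> VO fallback for ecar-style authorization (added illustration).

Assumed lcgdm-mapfile format: one entry per line, a double-quoted
certificate subject DN followed by a VO name; a DN listed on several
lines maps to several VOs; lines starting with '#' are comments.
"""
import re
import signal
import threading
import time

# Constructed sample mapfile; the DNs and VOs are invented for this example.
SAMPLE_MAPFILE = """\
# constructed sample lcgdm-mapfile
"/C=IT/O=INFN/OU=Personal Certificate/L=Trieste/CN=Alice Example" egrid
"/C=IT/O=INFN/OU=Personal Certificate/L=Trieste/CN=Alice Example" dteam
"/DC=org/DC=example/CN=Bob Example"  ops
"""

_ENTRY_RE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


class AccessDenied(Exception):
    """Raised when a request cannot be mapped to any VO."""


def parse_mapfile(text):
    """Parse lcgdm-mapfile text into {DN: [vo, ...]}, preserving file order.

    Blank lines, comment lines and lines that do not match the expected
    '"DN" vo' shape are skipped rather than aborting the whole reload.
    """
    mapping = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            continue
        dn, vo = m.group(1), m.group(2)
        vos = mapping.setdefault(dn, [])
        if vo not in vos:
            vos.append(vo)
    return mapping


class MapfileCache:
    """In-memory DN->VO table, reloaded after `ttl` seconds or on demand.

    `loader` returns the current mapfile text; `clock` is injectable so the
    expiry logic can be exercised without waiting an hour.
    """

    def __init__(self, loader, ttl=3600, clock=time.monotonic):
        self._loader = loader
        self._ttl = ttl
        self._clock = clock
        self._lock = threading.Lock()
        self._mapping = {}
        self._loaded_at = None

    def _reload_locked(self):
        self._mapping = parse_mapfile(self._loader())
        self._loaded_at = self._clock()

    def force_refresh(self):
        """What the SIGHUP handler calls: reload regardless of the TTL."""
        with self._lock:
            self._reload_locked()

    def lookup(self, dn):
        """VO names mapped to `dn` (empty list if none), refreshing if stale."""
        with self._lock:
            if self._loaded_at is None or self._clock() - self._loaded_at >= self._ttl:
                self._reload_locked()
            return list(self._mapping.get(dn, ()))

    def install_sighup_handler(self):
        """Reload on SIGHUP, as the man page says ecar-server does (POSIX only)."""
        if hasattr(signal, "SIGHUP"):
            signal.signal(signal.SIGHUP, lambda signum, frame: self.force_refresh())


def resolve_credentials(dn, fqans, cache):
    """Return the FQANs to authorize `dn` with.

    FQANs presented by the client are used as-is.  With none, fall back to
    the mapfile; a DN absent from it is rejected.  Assumption: a mapfile VO
    name `vo` is represented by the VO's base FQAN "/vo".
    """
    if fqans:
        return list(fqans)
    vos = cache.lookup(dn)
    if not vos:
        raise AccessDenied("no FQANs presented and no lcgdm-mapfile entry for %r" % dn)
    return ["/" + vo for vo in vos]


def file_loader(path):
    """Loader reading the mapfile from disk, e.g. /opt/lcg/etc/lcgdm-mapfile."""
    def load():
        with open(path, "r") as fh:
            return fh.read()
    return load


if __name__ == "__main__":
    cache = MapfileCache(lambda: SAMPLE_MAPFILE)
    alice = "/C=IT/O=INFN/OU=Personal Certificate/L=Trieste/CN=Alice Example"
    print(resolve_credentials(alice, [], cache))
    try:
        resolve_credentials("/DC=org/DC=example/CN=Nobody", [], cache)
    except AccessDenied as exc:
        print("rejected:", exc)
```

The injectable clock is there so an operator can see the consequence of the one-hour cache: a DN removed from the mapfile keeps its mapping until the next refresh unless the process is sent SIGHUP, which is what `force_refresh` stands in for.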
ecar-server reads MySQL connection parameters from LFC's NSCONFIG file. The NSCONFIG file should contain a single line in the format user/password@host . Since it holds the database password, it should be readable by root only. You can specify an alternate location for NSCONFIG with the -N option.
All network traffic is encrypted using SSL. Unlike most LCG/EGEE Grid services, ecar-server requires the SSL certificate and the private key to reside in the same PEM-format file; it is enough to concatenate the usual hostcert.pem and hostkey.pem, keeping the result readable by root only since it contains the private key:

    # create ecar-server SSL certificate file
    cd /etc/grid-security
    cat hostcert.pem hostkey.pem > ecar.pem
    chmod 0400 ecar.pem

You can specify an alternate location for the SSL certificate+key file with the -j/--cert-and-key-file option.
Activity log verbosity
By default, ecar-server is very quiet, and logs only errors.
You can increase the verbosity level by giving one or more -v
options on the command line:
-v
- Logs the IP of each new connection and failed SSL negotiations. If a connection is rejected because of the TCP wrappers settings, logs the IP of the rejected connection.
-vv
- Logs the parameters passed to the ecar:canAccess method, and the results of mapping the user credentials against LFC's Cns_db authorization database.
-vvv
- Logs start/end of connection processing by worker threads.
Shutting down the ECAR server
Within 5 seconds of receiving SIGTERM, ecar-server initiates a shutdown sequence: it stops accepting new connections and terminates as soon as all already queued requests have been completed.
Security implications
Every connecting client is required to authenticate itself with an SSL X.509 certificate signed by a trusted CA (one whose certificate is found in the trusted CA directory; see the -C option).
You can further restrict the clients allowed to connect using the standard TCP wrappers files /etc/hosts.allow and /etc/hosts.deny; use service name ecar to configure access restrictions for ecar-server. TCP wrappers filter on the client's source address only; the certificate check above still applies to every connection they let through.
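A deny-by-default TCP wrappers configuration for the ecar service, added here as an illustration and not taken from the EGRID distribution; the network and the host names are placeholders to be replaced by the hosts that legitimately need to call ecar:canAccess:

```text
# /etc/hosts.deny  -- refuse every client not listed in hosts.allow
ecar: ALL

# /etc/hosts.allow -- only these front-ends may reach ecar-server
ecar: 192.0.2.0/255.255.255.0 se01.example.org se02.example.org
```

hosts.allow is consulted before hosts.deny, so a match there admits the client; with -v on the command line, connections refused by these rules are logged with the rejected IP, which is the quickest way to confirm the rules are in effect.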
BUGS
When SSL is enabled and a connection arrives on an IP address that does not resolve to the commonName in the SSL X.509 certificate, the server accepts the connection but immediately returns without dispatching the request to the SOAP processor.
There's no way to turn off SSL other than recompiling the sources.
DOWNLOAD
You can download RPM packages of the EGRID software from http://www.egrid.it/download/rpm/RPMS.egrid; Debian packages from http://www.egrid.it/download/deb/egrid.
You can access the source code for this software from the EGRID CVS at http://www.egrid.it/cvs/products/ecar
COPYRIGHT AND LICENCE INFORMATION
Antonio Messina antonio.messina@ictp.it and Riccardo Murri riccardo.murri@ictp.it for the ICTP project EGRID http://www.egrid.it/.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
