dCache has many parameters that can be used to configure the systems
behaviour. You can find all these parameters well documented and together
with their default values in the properties files in
/usr/share/dcache/defaults/. To use
non-default values, you have to set the new values in
/etc/dcache/dcache.conf or in the layout file.
Do not change the defaults in the properties files! After changing a
parameter you have to restart the concerned cells.
Refer to the file gplazma.properties for a full list
of properties for gPlazma One commonly used property is
gplazma.cell.limits.threads, which is used to
set the maximum number of concurrent requests to gPlazma. The default
value is 30.
Setting the value for
gplazma.cell.limits.threads too high may
result in large spikes of CPU activity and the potential to run out of
memory. Setting the number too low results in potentially slow login
activity.
This section describes how to activate the Username/Password access for
WebDAV. It uses dcache.kwpd file as an example
format for storing Username/Password information. First make sure
gPlazma2 is enabled in the /etc/dcache/dcache.conf
or in the layout file.
Example:
Check your WebDAV settings: enable the HTTP access, disallow the
anonymous access, disable requesting and requiring the client
authentication and activate basic authentication.
webdav.authn.protocol=http webdav.authz.anonymous-operations=NONE webdav.authn.accept-client-cert=false webdav.authn.require-client-cert=false webdav.authn.basic=true
Adjust the /etc/dcache/gplazma.conf to use the
kpwd plug-in (for more information see also the section called “Plug-ins”).
It will look something like this:
auth optional kpwd map requisite kpwd session requisite kpwd
The /etc/dcache/dcache.kpwd file is the place
where you can specify the username/password record. It should contain
the username and the password hash, as well as UID, GID, access
mode and the home, root and fsroot directories:
# set passwd passwd tanja 6a4cd089 read-write 500 100 / / /
The passwd-record could be automatically generated by the dCache kpwd-utility, for example:
[root] #dcache kpwd dcuseradd -u 500 -g 100 -h / -r / -f / -w read-write -p dickerelch tanja
Some file access examples:
curl -u tanja:dickerelch http://webdav-door.example.org:2880/pnfs/
wget --user=tanja --password=dickerelch http://webdav-door.example.org:2880/pnfs/
This section describes how to configure gplazma to enable the
webadmin servlet in authenticated mode with a grid certificate as
well as with a username/password and how to give a user
administrator access.
Example:
In this example for the
/etc/dcache/gplazma.conf file the
X.509 plug-in plugin is used for the authentication step with
the grid certificate and the kpwd plug-in plugin is used for
the authentication step with username/password.
auth optional x509 auth optional kpwd map requisite kpwd session requisite kpwd
The following example will show how to set up the
/etc/dcache/dcache.kpwd file:
version 2.1 mapping "/C=DE/O=ExampleOrganisation/OU=EXAMPLE/CN=John Doe" john # the following are the user auth records login john read-write 1700 1000 / / / /C=DE/O=ExampleOrganisation/OU=EXAMPLE/CN=John Doe # set pwd passwd john 8402480 read-write 1700 1000 / / /
This maps the DN of a grid certificate
subject=/C=DE/O=ExampleOrganisation/OU=EXAMPLE/CN=John Doe
to the user john and the
entry
login john read-write 1700 1000 / / / /C=DE/O=GermanGrid/OU=DESY/CN=John Doe
applies unix-like values to john, most important is the
1000, because it is the assigned
GID. This must match the value of the
httpd.authz.admin-gid configured in your
webadmin. This is sufficient for login using a
certificate. The entry:
passwd john 8402480 read-write 1700 1000 / / /
enables username/password login, such as a valid login would
be user john with
some password. The password is encrypted with the
kpwd-algorithm (also see the section called “The kpwd plug-in”)
and then stored in the file. Again the
1000 here is the assigned GID.