Commit 8d106d3b authored by MUSSET Paul's avatar MUSSET Paul

add option to enable AuthN/Z

parent d2fa84e4
......@@ -16,24 +16,38 @@
src: ../templates/docker-compose.yaml.j2
dest: /root/compose-config/docker-compose.yaml
- name: copy certificate
ansible.builtin.copy:
content: "{{ certificate }}"
owner: xrootd
group: xrootd
mode: '0600'
dest: /root/cert.pem
- name: copy private key
ansible.builtin.copy:
content: "{{ private_key }}"
owner: xrootd
group: xrootd
mode: '0400'
dest: /root/key.pem
- name: copy config files
ansible.builtin.copy:
src: ../files/config
dest: /root/compose-config/
notify: start xcache
- name: copy necessary files for authN/authZ
block:
- name: copy certificate
ansible.builtin.copy:
content: "{{ certificate }}"
owner: xrootd
group: xrootd
mode: '0600'
dest: /root/cert.pem
- name: copy private key
ansible.builtin.copy:
content: "{{ private_key }}"
owner: xrootd
group: xrootd
mode: '0400'
dest: /root/key.pem
- name: copy authfile
ansible.builtin.copy:
src: ../files/Authfile
dest: /root/compose-config/config
when: auth is defined and auth == true
- name: copy xcache-config
ansible.builtin.template:
src: ../templates/xcache-config.cfg.j2
dest: /root/compose-config/config
notify: start xcache
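Review bot: The two new tasks `copy authfile` and `copy xcache-config` both write to `dest: /root/compose-config/config`, so if that path does not already exist as a directory the first `ansible.builtin.copy` creates a plain file named `config` and the template task then overwrites it, losing the Authfile that the xrootd config later reads through `acc.authdb /etc/xrootd/Authfile`. Give each task a full file path, e.g. `dest: /root/compose-config/config/Authfile` and a sibling file name for the rendered template (constructed names; match what the compose bind mount expects). The block condition `when: auth is defined and auth == true` also disagrees with the templates' `{% if auth is defined and auth %}` in the docker-compose and xcache-config hunks: where `auth` arrives as a string (extra-vars pass `auth=true` or `auth=false` as strings), the `== true` test here is false while the bare `auth` in the templates is truthy, so the compose file can reference secrets and a `voms-renewer` service this play never provisioned; `when: auth | default(false) | bool` and `{% if auth | default(false) | bool %}` evaluate the same way in both places. The enclosing task list starts before the hunk.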
......@@ -5,8 +5,10 @@ services:
image: gitlab-registry.in2p3.fr/cc-escape/xcache-config/xcache:dev
ports:
- "1094:1094"
{% if auth is defined and auth %}
depends_on:
- voms-renewer
{% endif %}
volumes:
- type: bind
source: /mnt/xcache/ns
......@@ -25,6 +27,7 @@ services:
- type: volume
source: proxy-certificate
target: /tmp/proxy-certificate
{% if auth is defined and auth %}
secrets:
- source: cert
target: xrdcert.pem
......@@ -32,8 +35,10 @@ services:
- source: key
target: xrdkey.pem
mode: 0400
{% endif %}
restart: always
{% if auth is defined and auth %}
voms-renewer:
image: gitlab-registry.in2p3.fr/cc-escape/xcache-config/voms-proxy-init:dev
ports:
......@@ -50,6 +55,7 @@ services:
target: xrdkey.pem
mode: 0400
restart: always
{% endif %}
{% if test_machine is defined and test_machine %}
flusher:
......@@ -78,12 +84,12 @@ services:
FLUSHER_PORT: 80
{% endif %}
networks:
default:
driver_opts:
com.docker.network.driver.mtu: 1442
{% if auth is defined and auth %}
secrets:
cert:
file: /root/cert.pem
......@@ -92,3 +98,4 @@ secrets:
volumes:
proxy-certificate:
{% endif %}
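Review bot: The xcache service's `proxy-certificate` mount (the `- type: volume` / `source: proxy-certificate` / `target: /tmp/proxy-certificate` entry in the `@@ -25,6 +27,7 @@` hunk) stays outside the new `{% if auth is defined and auth %}` blocks, while the `voms-renewer` service that fills it and, as far as the visible lines show, the top-level `volumes:` / `proxy-certificate:` declaration at the end of the file are inside them. With `auth` off, xcache then either references an undeclared volume (compose refuses to bring the stack up) or mounts an empty one, depending on what the unseen lines between the last two hunks do. Either move the mount inside the conditional, mirroring the `secrets:` entry directly below it, or keep the top-level `volumes:` declaration unconditional. The file-level `secrets:` and `volumes:` stanzas run across hunk boundaries, so the exact extent of the last `{% if %}` cannot be confirmed from this page.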
......@@ -27,10 +27,12 @@ pfc.spaces data meta
# add http support
if exec xrootd
xrd.protocol http libXrdHttp.so
{% if auth is defined and auth %}
http.cadir /etc/grid-security/certificates
http.cert /run/secrets/xrdcert.pem
http.key /run/secrets/xrdkey.pem
http.secxtractor libXrdSecgsiVOMS.so
{% endif %}
fi
# cache log level
......@@ -41,6 +43,7 @@ fi
# sec.trace all
{% if auth is defined and auth %}
# authentication
xrootd.seclib libXrdSec.so
sec.protocol gsi -crl:0 -cert:/run/secrets/xrdcert.pem -key:/run/secrets/xrdkey.pem -gridmap:/dev/null -vomsfun:/usr/lib64/libXrdVoms.so -vomsfunparms:vos=escape
......@@ -49,3 +52,4 @@ sec.protbind * gsi
# authorization
ofs.authorize 1
acc.authdb /etc/xrootd/Authfile
{% endif %}
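Review bot: With `auth` off, the new `{% if auth is defined and auth %}` blocks drop `http.cert`/`http.key`, `http.secxtractor`, `xrootd.seclib`, `sec.protocol gsi`, `ofs.authorize 1` and `acc.authdb`, but `xrd.protocol http libXrdHttp.so` stays unconditional, so the HTTP listener then serves plaintext and every request is anonymous and unauthorized, and nothing in the template records that this is the intended no-auth mode. Add a comment at the first conditional, e.g. `# auth disabled: the HTTP listener runs without TLS, authentication or Authfile authorization`, so a deployer toggling `auth` sees the effect in the rendered config. The `if exec xrootd` / `fi` wrapper and the surrounding file both extend beyond the hunks shown.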