UNICORE VO System (UVOS) Server Service Reference Card

Functional description

UNICORE VO System (UVOS) is a client-server system developed as an additional tool for large distributed systems. Grid systems, and the UNICORE grid middleware in particular, are the primary motivation for UVOS. Although UVOS can be used with other systems, it is designed primarily to support the UNICORE grid middleware.

The fundamental UVOS features are:

  • storing identities of grid users and other identifiable components (for example servers),
  • organising identities in hierarchical groups,
  • assigning arbitrary attributes to users in various ways,
  • supporting registration requests (also called 'VO applications'),
  • supporting authentication of web-browser based grid clients (from version 1.2).

UVOS exposes all of these features as remotely accessible operations (through a web services mechanism), with authentication and authorisation of access.

Daemons running

The UVOS server runs as a single Java process.

Init scripts and options (start|stop|restart|...)

The service is started and stopped using shell scripts in the bin/ folder of the installation.

If installed via a Linux distribution package, e.g. RPM or .deb, the service can be started with /etc/init.d/unicore-uvos-server {start|stop|restart}.

Configuration files location with example or template

Configuration files are in the conf/ folder of the installation. If installed via a Linux distribution package, e.g. RPM or .deb, the configuration files will be located in /etc/unicore/uvos-server.
  • uvosServer.conf - main configuration file; the most important server settings are here (ports, certificates, ...).
  • mail.properties - mail settings used to send notification emails.
  • mailTemplates.properties - templates of mail notifications.
  • log4j.properties - server logging settings.
  • crlcheck.properties - CRL settings.
  • datamap.properties - database connection settings.

All files contain sensible default values and extensive comments.

Logfile locations (and management) and other useful audit information

Log files are by default placed in the logs/ directory of the installation and rolled over daily. Details can be controlled in the logging.properties file.

If installed via a Linux distribution package, e.g. RPM or .deb, the log files will be written to /var/log/unicore/uvos-server.

Open ports

By default an HTTPS socket is opened on port 2443. The port can be changed.

Optionally a plain HTTP (insecure) port can also be opened (by default 2020). This is not recommended for production environments.

Possible unit test of the service

Unit tests are part of the build procedure and are executed automatically. A running service can be tested using the UVOS CLC application, available in the separate uvos-client package.

Where is service state held (and can it be rebuilt)

Data is kept in a relational database. By default an embedded database is used, and its state is kept in the data/ directory in the installation root, or in /var/lib/unicore/uvos-server/data if installed via a Linux distribution package. PostgreSQL may be configured instead.

Lost data cannot be recreated using UVOS, therefore backing up the database is strongly recommended.

The configured database can be reset to its initial state using the initdb.sh script (or unicore-uvos-server-initdb if installed from an RPM or deb package).

Cron jobs

N/A

Security information

Access control Mechanism description (authentication & authorization)

UVOS access is generally insecure if plain HTTP access is enabled, therefore it is assumed here that only HTTPS access is enabled (which is the default setting).

Authentication is configurable and can be done using:

  • client-authenticated SSL (the client is then authenticated as an X.509 identity or DN identity)
  • HTTP login and password (BASIC auth) - the client is then authenticated as an email identity

Access control is governed by a configurable authorization policy, which can be edited using the client tools (VOManager or uvos-clc). There are 4 levels of access:

  • read
  • full read (also allows reading historical data)
  • identity control (allows some basic write operations; rarely used)
  • write

If the default policy is used, access is granted based on the attribute urn:authz:intervo:vo. The values read, fullRead, identityCtl and write are recognized and grant the respective permission to the attribute owner. Additionally, everybody can read data about themselves and can read the contents of each group they are a member of.

How to block/ban a user

(Note: this section explains how to ban a user from accessing the UVOS server, not how to ban a grid user from accessing grid resources which are configured to use UVOS.)

There are three options:

  • remove the user from UVOS completely
  • disable the user
  • (assuming the default authZ policy) remove all authorization attributes and remove the user from all groups. The user will still be able to get information about themselves (though it will contain only their identity and label).
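The default-policy rules from the access control section (the attribute urn:authz:intervo:vo with its four recognised values, plus self-read and member-group read) and the third ban option above, modelled as an added example. This is illustrative code written for this card, not UVOS's own policy engine, which is configurable and may differ in detail. The identities, attribute values and group paths are constructed, and the comments mark the assumptions made where the card is silent: a disabled identity is rejected outright, each attribute value grants exactly its named level, and the self-read and member-group exceptions grant plain read only.

```python
"""Model of the UVOS default authorization policy described on this card.

Added illustration, not UVOS code. Identities, attribute values and group
paths are constructed; the real policy engine is configurable and may differ
in details (see the assumptions noted in comments).
"""
from dataclasses import dataclass, field

# Attribute name and the four recognised values, as given on the card.
AUTHZ_ATTR = "urn:authz:intervo:vo"
LEVELS = ("read", "fullRead", "identityCtl", "write")


@dataclass
class Identity:
    kind: str                    # "x509" (client-authenticated SSL) or "email" (BASIC auth)
    value: str                   # DN or email address
    attributes: dict = field(default_factory=dict)   # attribute name -> set of values
    groups: set = field(default_factory=set)         # group paths the identity belongs to
    disabled: bool = False

    def same_as(self, other):
        return self.kind == other.kind and self.value == other.value


def granted_levels(ident):
    """Levels granted by the authz attribute; values outside LEVELS are ignored."""
    return set(ident.attributes.get(AUTHZ_ATTR, ())) & set(LEVELS)


def is_allowed(requester, level, target):
    """Decide whether `requester` may perform an operation at `level` on `target`.

    target is ("group", "<group path>") or ("identity", <Identity>).
    Assumptions: a disabled identity is rejected outright; each attribute value
    grants exactly the named level (the card lists them as levels but does not
    say how they nest); self-read and member-group read are plain `read` only.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown access level: {level!r}")
    if requester.disabled:
        return False
    if level in granted_levels(requester):
        return True
    if level == "read":
        kind, obj = target
        if kind == "identity" and requester.same_as(obj):
            return True
        if kind == "group" and obj in requester.groups:
            return True
    return False


def ban_by_stripping(ident):
    """Third ban option on the card: drop authz attributes and all group memberships."""
    ident.attributes.pop(AUTHZ_ATTR, None)
    ident.groups.clear()
    return ident


def demo():
    """Constructed scenario: an operator, a plain member, and the effect of stripping."""
    alice = Identity("x509", "CN=Alice,O=Example VO", {AUTHZ_ATTR: {"write"}}, {"/vo.example"})
    bob = Identity("email", "bob@example.org", {}, {"/vo.example"})
    before = {
        "alice writes any group": is_allowed(alice, "write", ("group", "/vo.example/other")),
        "alice full-reads": is_allowed(alice, "fullRead", ("group", "/vo.example")),
        "bob reads own group": is_allowed(bob, "read", ("group", "/vo.example")),
        "bob reads other group": is_allowed(bob, "read", ("group", "/vo.example/admins")),
        "bob reads self": is_allowed(bob, "read", ("identity", bob)),
        "bob reads alice": is_allowed(bob, "read", ("identity", alice)),
    }
    ban_by_stripping(alice)
    after = {
        "alice writes any group": is_allowed(alice, "write", ("group", "/vo.example/other")),
        "alice reads own (former) group": is_allowed(alice, "read", ("group", "/vo.example")),
        "alice reads self": is_allowed(alice, "read", ("identity", alice)),
    }
    return before, after


if __name__ == "__main__":
    for label, decisions in zip(("before stripping", "after stripping"), demo()):
        print(label)
        for what, ok in decisions.items():
            print(f"  {what}: {'allowed' if ok else 'denied'}")
```

The after-stripping results show the point the ban section makes: once the attribute and memberships are gone, the identity keeps only the self-read exception and loses everything else, which is why that option is a weaker ban than disabling or removing the user.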

Network Usage

UVOS listens on the configured ports (one or two). It is recommended to use only the secured HTTPS port. Outbound connections are made in a few cases (if configured): to the UNICORE registry, to fetch CRLs from URLs, and to send notification emails.

Firewall configuration

The configured ports must be accessible from the outside world.

Outbound traffic is only required if UVOS is configured to make outbound connections (see Network Usage).

Security recommendations

Do not run as root.

Security incompatibilities

None known.

List of externals (packages are NOT maintained by Red Hat)

n/a

Other security relevant comments

n/a

Utility scripts

Scripts are located in the bin/ subdirectory of the installation package, or in the /usr/share/unicore/uvos-server/script/ directory if the server was installed using a Linux package.

  • initdb.sh (or unicore-uvos-server-initdb) - initializes (or clears) the configured database. Must be run after installation on a fresh system, prior to any other operation.
  • createExampleContent.sh (or unicore-uvos-server-createExampleContent) - populates the configured database with example content. Useful only for testing or learning UVOS.
  • convertLDAPSchema.sh (or unicore-uvos-server-convertLDAPSchema) - converts an LDAP attribute schema file into a format which UVOS can use to quickly populate attribute types.
  • updateDbVersion.sh (or unicore-uvos-server-updateDbVersion) - updates database contents from an older schema. This is sometimes needed after an upgrade, but not always, as the UVOS database schema is rarely changed.
Topic revision: r3 - 2011-05-16 - unknown