
A copy is [attachment:access.conf attached].

An X.509 identity and an ssh identity are required, and both should be protected using proper file system permissions.

Again, we configure the ABAC credentials in two steps from the existing DETER database. The system will map from an ABAC attribute to a user and project in which to create the federated experiment. The access controller makes allocations as a user through two mechanisms:

 * The XMLRPC actions that manipulate DETER experiments are taken with a copy of the DETER user's SSL certificate issued by DETER.
 * Copies of these certificates are placed under the access controller's home directory, protected by the file system.
 * Additional software and data is moved into federated experiments using the access controller's ssh identity to log in as the user in question.

The analogue to {{{exp_access.db.py}}} for DETER access controllers is {{{deter_exp_access_db.py}}}. It takes the same selection parameters as {{{exp_access.db.py}}} and two others:

 * {{{--testbed}}} takes the X.509 certificate of this access controller. This is used to get the fedid of the access controller.
 * {{{--cert-dir}}} is the pathname under the access controller's home in which copies of users' X.509 identities will be stored.

This script is run on boss, so copy the access controller's certificate to boss and run something like:

{{{
deter_exp_access_db.py --testbed cert.pem --cert-dir deter_certs
}}}

and capture its output to a file named {{{deter_access}}}.

Now we need to gather the users' X.509 identities. The following puts them all in {{{deter_certs}}} in the current directory:

{{{
db_to_certs.py --cert-dir deter_certs
}}}

Make a tar archive of that directory and copy it back to users. The certificate copies are all read-only and only accessible to the user who ran the script. If the access controller will be running as another user, you will have to change their owners when you install them on users.

Untar the certificates into {{{/usr/local/etc/fedd/access/deter_certs}}} and set permissions appropriately.

Now to convert all this to ABAC, run the following in {{{/usr/local/etc/fedd/access}}}:

{{{
access_to_abac.py --cert=fedd.pem --dir=/usr/local/etc/fedd/access/abac --type=emulab --mapfile=deter_abac_map deter_access
}}}

Note that the parameter to {{{--mapfile}}} must be the filename given as {{{access_db:}}} in the {{{access.conf}}} file.

At this point the access controller can be run as:

{{{
fedd.py --config=/usr/local/etc/fedd/access/access.conf --debug
}}}

It will also take the {{{--logfile}}} parameter.
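Two of the steps above are easy to get wrong silently: the unpacked certificate copies must end up owned by the user the access controller runs as and readable by nobody else, and the {{{--mapfile}}} name must match the {{{access_db:}}} entry in {{{access.conf}}}. The following shell functions are an added example for checking and repairing both, not part of fedd or of the DETER tools. They assume the cert directory path from this page, that the access controller runs as a user named {{{fedd}}} (an assumption; pass the real name), and that {{{access.conf}}} writes the entry as {{{access_db: <name>}}} on one line.

```shell
#!/bin/sh
# Added example, not fedd code. Checks and repairs the per-user X.509 copies
# and confirms the ABAC map file name agrees with access.conf.

# check_cert_dir DIR [OWNER]
# Return 0 if every regular file under DIR is owned by OWNER (default: fedd,
# an assumed run-as user) and has no group or other permission bits set.
# Otherwise print the offending files, one per line, and return 1.
check_cert_dir() {
    dir=$1
    owner=${2:-fedd}
    # Octal -perm tests are POSIX and unambiguous: any of group rwx or
    # other rwx set, or a different owner, is a finding.
    bad=$(find "$dir" -type f \( ! -user "$owner" \
          -o -perm -040 -o -perm -020 -o -perm -010 \
          -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# fix_cert_dir DIR [OWNER]
# Make DIR owner-only (0700) and every certificate copy under it 0400 owned
# by OWNER; this is what "set permissions appropriately" amounts to after
# untarring on users. chown to another user needs root.
fix_cert_dir() {
    dir=$1
    owner=${2:-fedd}
    chown "$owner" "$dir" || return 1
    chmod 0700 "$dir" || return 1
    find "$dir" -type f -exec chown "$owner" {} + || return 1
    find "$dir" -type f -exec chmod 0400 {} + || return 1
    check_cert_dir "$dir" "$owner"
}

# mapfile_matches_conf CONF MAPFILE
# Return 0 when the name given to access_to_abac.py --mapfile is the one
# CONF lists under "access_db:". The "key: value" layout with optional
# surrounding whitespace is an assumption about access.conf.
mapfile_matches_conf() {
    conf=$1
    mapfile=$2
    configured=$(sed -n 's/^[[:space:]]*access_db:[[:space:]]*//p' "$conf" \
                 | sed 's/[[:space:]]*$//' | head -n 1)
    [ -n "$configured" ] && \
        [ "$(basename "$configured")" = "$(basename "$mapfile")" ]
}

# When run as a script with arguments, report on the installed copies:
#   sh check_certs.sh /usr/local/etc/fedd/access/deter_certs fedd
if [ $# -ge 1 ]; then
    if check_cert_dir "$1" "${2:-fedd}"; then
        echo "ok: $1"
    else
        echo "run: fix_cert_dir $1 ${2:-fedd}"
    fi
fi
```

Run {{{check_cert_dir}}} after untarring and again before starting {{{fedd.py}}}; a clean result means a compromise of any other local account on users does not hand out the users' SSL identities. {{{mapfile_matches_conf /usr/local/etc/fedd/access/access.conf deter_abac_map}}} catches the mismatch before the access controller starts with an empty mapping.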