... | ... | @@ -2,9 +2,7 @@ |
|
|
http://eudat.eu/services/userdoc
|
|
|
|
|
|
## Authentication
|
|
|
The B2SAFE service relies on the [authentication mechanisms supported by iRODS](https://docs.irods.org/master/manual/authentication/). However there is a preference for the GSI scheme, since it is used for the integration with other EUDAT services, like [B2ACCESS](https://eudat.eu/services/b2access) and MyProxy.
|
|
|
The integration with the B2ACCESS service allows to support the approach described [here](https://github.com/EUDAT-B2SAFE/B2SAFE-core/wiki/Authentication).
|
|
|
The configuration for the authentication scripts, which are placed in the directory _scripts/authN_and_authZ_, is described in the [readme](https://github.com/EUDAT-B2SAFE/B2SAFE-core/blob/master/scripts/authN_and_authZ/README.md).
|
|
|
The B2SAFE service relies on the [authentication mechanisms supported by iRODS](https://docs.irods.org/master/plugins/pluggable_authentication/).
|
|
|
|
|
|
## Authorization
|
|
|
B2SAFE supports unix-like ACLs on the stored data.
|
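Review bot: the reworded Authentication paragraph drops the statement that GSI is the preferred scheme (because B2ACCESS and MyProxy integrate through it) and the pointer to the authN_and_authZ README, leaving only a link to the iRODS pluggable authentication page; if GSI is no longer the recommended scheme, say which scheme operators should configure for the B2ACCESS integration instead, and if the scripts in scripts/authN_and_authZ still ship, keep the link to their README so that configuration stays discoverable. Also check that the new link target (docs.irods.org/master/plugins/pluggable_authentication/) resolves, since it replaces the previous manual/authentication path.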
... | ... | @@ -18,9 +16,7 @@ For example: |
|
|
}
|
|
|
}
|
|
|
The above code, placed in /_etc/irods/core.re_, will enforce the permission to execute external commands according to the assertions defined in the file _authZ.map.json_ described [here](https://github.com/EUDAT-B2SAFE/B2SAFE-core/wiki/Python-script-configuration).
|
|
|
By default the B2SAFE relies on this mechanism to filter the access to the python client for the operations related to the PIDs creation, update and delete. It is possible, for performance reasons (https://github.com/EUDAT-B2SAFE/B2SAFE-core/wiki/Documentation#performance), to disable it, setting the parameter _authzEnabled_ to "false" in the [_local.re_] [1].
|
|
|
|
|
|
The aforementioned ACLs can be associated to roles, exploiting the role based approach described in the [readme](https://github.com/EUDAT-B2SAFE/B2SAFE-core/blob/master/scripts/authN_and_authZ/README.md).
|
|
|
By default the B2SAFE relies on this mechanism to filter the access to the python client for the operations related to the PIDs creation, update and delete. It is possible, for performance reasons (https://github.com/EUDAT-B2SAFE/B2SAFE-core/wiki/Documentation#performance), to disable it, setting the parameter _authzEnabled_ to "false" in the [_local.re_][1].
|
|
|
|
|
|
## [Typical workflows](https://github.com/EUDAT-B2SAFE/B2SAFE-core/wiki/Workflows)
|
|
|
|
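Review bot: the paragraph on _authzEnabled_ should state the consequence of turning it off, not only the performance motive: the same paragraph says this mechanism is what filters access to the python client for PID creation, update and delete, so setting the parameter to "false" removes that filter for every user who can trigger the rule, and the performance link alone does not make that trade-off visible. Two smaller points: `/_etc/irods/core.re_` has the italic marker after the slash and should read `_/etc/irods/core.re_`, and the change from `[_local.re_] [1]` to `[_local.re_][1]` is correct, since the space breaks the markdown reference link. If the paragraph on associating ACLs with roles via the authN_and_authZ README is being removed because that approach is no longer supported, a one-line note saying so would help readers who configured roles under the previous release.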
... | ... | @@ -34,58 +30,29 @@ Therefore while it does not make sense here to provide figures for the data tran |
|
|
<td>1</td><td>default: rules' ACLs enforcement and python client</td><td>10^1</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>2</td><td>replacing the python client with the CURL plugin</td><td>10^2</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>3</td><td>without rules' ACLs enforcement</td><td>(10^2) x 2</td>
|
|
|
<td>2</td><td>without rules' ACLs enforcement</td><td>(10^2) x 2</td>
|
|
|
</tr>
|
|
|
<tr>
|
|
|
<td>4</td><td>pure PID creation via PID service REST API (B2HANDLE)</td><td>(10^2) x 4</td>
|
|
|
<td>3</td><td>pure PID creation via PID service REST API (B2HANDLE)</td><td>(10^2) x 4</td>
|
|
|
</tr>
|
|
|
</table>
|
|
|
|
|
|
1. This is the default when you deploy the B2SAFE package.
|
|
|
2. This option is enabled by the parameter _msiCurlEnabled_ in the rule set [_local.re_] [1].
|
|
|
3. This option is enabled by the parameter _authzEnabled_ (=False) in the [_local.re_] [1].
|
|
|
4. This option is just for comparison, because it implies a PID creation invoked outside the B2SAFE, relying only on the [B2HANDLE library] [2].
|
|
|
2. This option is enabled by the parameter _authzEnabled_ (=False) in the [_local.re_][1].
|
|
|
3. This option is just for comparison, because it implies a PID creation invoked outside the B2SAFE, relying only on the [B2HANDLE library][2].
|
|
|
|
|
|
## PID service (EPIC, HSv8)
|
|
|
The current PID registry system in EUDAT is based on the [EPIC implementation of the REST API](https://github.com/pidconsortium/ePIC-API-v2) and the [HANDLE system version 8](https://www.handle.net/download_hnr.html) (HSv8). But a migration to a different implementation of the REST API is planned, therefore the B2SAFE python client is provided in two versions, the default compatible with the current system and the v2, compatible with the new API, which exploits the [B2HANDLE library] [2]. When you install B2SAFE for the first time you can choose between these two versions.
|
|
|
## PID service (HSv8)
|
|
|
The current PID registry system in EUDAT is based on the [HANDLE system version 8](https://www.handle.net/download_hnr.html) (HSv8). And B2SAFE relies on the [B2HANDLE library][2] to interact with it:
|
|
|
|
|
|
If you already installed B2SAFE employing the EPIC API you can upgrade to the new B2HANDLE library:
|
|
|
- install b2handle library
|
|
|
- create private/public keys, certificates and interacts with the PID registry administrator to get the public key uploaded (see [here](https://github.com/EUDAT-B2SAFE/B2SAFE-core/wiki/B2HANDLE-library-configuration))
|
|
|
- extend the existing credentials file with the new parameters and add the certificates location like indicated here:
|
|
|
```
|
|
|
{
|
|
|
"handle_server_url": "https://epic3.storage.surfsara.nl:8001",
|
|
|
"private_key": "/opt/eudat/b2safe/conf/330_842_USER1_privkey.pem",
|
|
|
"certificate_only": "/opt/eudat/b2safe/conf/330_certificate_only.pem",
|
|
|
"prefix": "842",
|
|
|
"handleowner": "200:0.NA/842",
|
|
|
"reverselookup_username": "842",
|
|
|
"reverselookup_password": "xxxxxxxxxxx",
|
|
|
"HTTPS_verify": "/opt/eudat/b2safe/conf/TERENA-SSL-CA-2.pem"
|
|
|
}
|
|
|
```
|
|
|
- create private/public keys, certificates and interacts with the PID registry administrator to get the public key uploaded (see [here](https://github.com/EUDAT-B2SAFE/B2SAFE-core/blob/master/install.txt))
|
|
|
- see the configuration of the credentials [here](https://github.com/EUDAT-B2SAFE/B2SAFE-core/wiki/Python-script-configuration)
|
|
|
|
|
|
- test _epicclient2.py_:
|
|
|
```
|
|
|
/opt/eudat/b2safe/cmd/epicclient2.py os /opt/eudat/b2safe/conf/credentials create www.test.com
|
|
|
```
|
|
|
|
|
|
To switch to _epicclient2.py_ in B2SAFE do:
|
|
|
- change link _/var/lib/irods/iRODS/server/bin/cmd/epicclient.py_ to point to _/opt/eudat/b2safe/cmd/epicclient2.py_.
|
|
|
|
|
|
|
|
|
Please note that the _msiCurlEnabled_ option is not compatible with the HSv8, so it should not be enabled in case of interaction with the new HSv8 API. If you previously enabled iRODS with the CURL plugin and made use of it in B2SFE you need to set
|
|
|
```
|
|
|
getConfParameters(*msiFreeEnabled, *msiCurlEnabled, *authzEnabled) {
|
|
|
...
|
|
|
*msiCurlEnabled=bool("false");
|
|
|
}
|
|
|
```
|
|
|
in _/opt/eudat/b2safe/rulebase/local.re_.
|
|
|
|
|
|
---------------
|
|
|
Experimental features
|
|
|
---------------
|
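Review bot: the performance table loses the row "replacing the python client with the CURL plugin" (10^2), but the remaining rows keep the figures "(10^2) x 2" and "(10^2) x 4", which were expressed against that removed 10^2 baseline; with the default row at 10^1 the factors no longer read consistently, so either restate them against the default or keep the CURL row as the baseline. The renumbered footnotes (2 for _authzEnabled_, 3 for the B2HANDLE comparison) match the new row numbers, but the footnote for _msiCurlEnabled_ disappears while the paragraph "Please note that the _msiCurlEnabled_ option is not compatible with the HSv8" still refers to it; make sure that paragraph survives the hunk, since it is the only remaining text telling upgraders to set `*msiCurlEnabled=bool("false");` in local.re, and fix "B2SFE" there. In the PID service section, the new sentence "And B2SAFE relies on the [B2HANDLE library][2] to interact with it:" ends with a colon that introduces nothing; drop the leading "And" and end it with a full stop, and "interacts with the PID registry administrator" should be "interact". The credentials example holds a private key path and a reverse-lookup password, so the upgrade steps should say the file must be readable only by the iRODS service account and that `HTTPS_verify` should keep pointing at the CA bundle so the handle server certificate is actually checked.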