GridSite Config Guide
This Guide is intended for webmasters setting up GridSite with an Apache 2.0 webserver. We assume you have root access to the server machine to do this. There is a separate Admin Guide for people administering areas of GridSite websites or fileservers, or managing GridSite's DN List groups: that is, for people managing files on the server rather than the server itself.
We assume you have installed Apache 2.0 and GridSite, using the Building and Installation Guide where necessary. This Config Guide assumes installation has been done under /usr. For an alternative tree like /opt/edg, the relative paths should be the same.
Installation should have given you an Apache 2.0 httpd binary at /usr/sbin/httpd and a set of standard Apache 2.0 modules in /usr/lib/httpd/modules/, which also includes the mod_gridsite.so module and either the standard mod_ssl or the modified "mod_ssl-gridsite" (either way, the file name is mod_ssl.so).
You must also install the CA root certificates of the CAs used by the users you wish to talk to. These should be installed in /etc/grid-security/certificates as files like 01621954.0. RPMs and tar files for many common European and North American CAs are available from https://datagrid.in2p3.fr/distribution/datagrid/security/
/etc/httpd/conf/httpd.conf is the key to configuring the Apache 2.0 webserver. The directives in this file determine which files the server will publish, how they are handled, which areas are writeable and who can access them. Through mod_gridsite.so, the GridSite system itself is configured by directives in this file.
httpd-fileserver.conf is an example configuration file to use Apache/GridSite as a read/write HTTP(S) fileserver, including comments on how to get the server up and running.
The mod_gridsite reference lists all the GridSite httpd.conf directives.
To start serving files, make a directory /var/www/htdocs owned by nobody.nobody, including the file .gacl containing:
and add the following directive to the HTTPS <Directory> section:
GridSiteMethods GET PUT DELETE
If you wish to accept Globus GSI Proxies as well as full X.509 user certificates, set GridSiteGSIProxyLimit to the depth of proxy you wish to accept.
(As a _rough_ guide: 0=No Proxies; 1=Proxy on user's machine; 2=Proxy owned by running Globus job; 3=Proxy delegated by a Globus job.)
GACL access control
The GACL reference explains the XML access control files used by GridSite. These allow flexible policies to be written, in terms of X.509 user certificates, GSI proxies, VOMS attribute certificates, DN List groups and DNS hostnames.
For example, to give all clients read and list permission:
    <gacl>
      <entry>
        <any-user/>
        <allow><read/><list/></allow>
      </entry>
    </gacl>
To enable writing, add DN List, Person or VOMS entries to the file. For example:
    <gacl>
      <entry>
        <any-user/>
        <allow><read/><list/></allow>
      </entry>
      <entry>
        <person>
          <dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab</dn>
        </person>
        <allow><write/></allow>
      </entry>
    </gacl>
The GACL file that governs a directory is stored as .gacl in that directory. If no .gacl is present, then GridSite will search the parent directories in ascending order until one is found.
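The lookup rule above means a directory with no .gacl of its own silently inherits its nearest parent's policy, so it is worth checking which file actually governs a path and whether it lets any client write. The following is an added example, not GridSite code: the function names and the stop_at parameter are assumptions of this sketch, and it reads only <allow> grants rather than evaluating the full policy.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the read-for-all, write-for-one-DN policy shown above.
SAMPLE_GACL = """<gacl>
  <entry><any-user/><allow><read/><list/></allow></entry>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab</dn></person>
    <allow><write/></allow>
  </entry>
</gacl>"""

def governing_gacl(directory, stop_at="/"):
    """Path of the .gacl governing `directory`: its own, else the nearest
    parent's. `stop_at` (where to stop climbing) is this example's assumption."""
    current, stop_at = os.path.realpath(directory), os.path.realpath(stop_at)
    while True:
        candidate = os.path.join(current, ".gacl")
        if os.path.isfile(candidate):
            return candidate
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return None
        current = parent

def grants(gacl_xml):
    """[(credential, [permissions])] for each <entry>; only <allow> is read,
    so this lists grants and does not evaluate the full policy."""
    out = []
    for entry in ET.fromstring(gacl_xml).findall("entry"):
        perms = sorted(p.tag for a in entry.findall("allow") for p in a)
        for cred in entry:
            if cred.tag not in ("allow", "deny"):
                dn = cred.findtext("dn")
                out.append((dn.strip() if dn else cred.tag, perms))
    return out

def anyone_can_write(directory, stop_at="/"):
    """True when the governing .gacl grants <write/> to <any-user/>."""
    path = governing_gacl(directory, stop_at)
    if path is None:
        return False
    with open(path) as fh:
        return any(who == "any-user" and "write" in perms
                   for who, perms in grants(fh.read()))
```

Running anyone_can_write over every directory under the document root shows which areas accept PUT and DELETE from any client once GridSiteMethods enables those methods.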
Last modified Fri 28 November 2003