Configuration
Prerequisites
You need to have a Rucio server up and running with the root account created. Please refer to installation documentation for further information
Creating new users
The first step is to create new accounts:
$ rucio-admin account add --type USER --email jdoe@blahblih.com jdoe
You can choose from different types in the list USER, GROUP, SERVICE. Different policies/permissions can be set depending on the account type. Once the account is created, you need to create and attach an identity to this account:
$ rucio-admin identity add --type X509 \
--id "CN=jdoe,OU=Users,OU=Organic Units,DC=blih,DC=blah" \
--email jdoe@blahblih.com --account jdoe
The list of possible identity types is X509, GSS, USERPASS, SSH, OIDC:
$ rucio-admin account list-identities jdoe
Identity: CN=jdoe,OU=Users,OU=Organic Units,DC=blih,DC=blah, type: X509
You can set attributes to the users:
$ rucio-admin account add-attribute --key country --value xyz jdoe
And list these attributes:
$ rucio-admin account list-attributes jdoe
+---------+-------+
| Key | Value |
|---------+-------|
| country | xyz |
+---------+-------+
You can also list all the accounts matching a certain attribute using the filter option:
$ rucio-admin account list --filters "country=xyz"
jdoe
X509 identity format
By default, X509 identities must be formatted according to the relevant RFCs: a
comma-separated list of the DN components, ordered last-to-first (e.g.
CN=jdoe,OU=Users,OU=Organic Units,DC=blih,DC=blah
). However, operators might
prefer to store them in the legacy format: a slash-separated list of the DN
components, starting with a slash, ordered first-to-last (e.g.
/DC=blah/DC=blih/OU=Organic Units/OU=Users/CN=jdoe
).
To do so, it is necessary to enable the LegacyDNStringFormat
configuration
option of mod_ssl. When using the official Rucio container images, one must set
the RUCIO_HTTPD_LEGACY_DN
environmental variable to True
. For custom
installations, one must edit the appropriate Apache configuration file so that
the SSLOptions
directive looks like this:
SSLOptions +StdEnvVars +LegacyDNStringFormat
Creating scope
One needs then to create some scopes associated with the accounts:
$ rucio-admin scope add --account jdoe --scope user.jdoe
Only the owner of the scope or privileged users can write into the scope.
To list all the scopes:
$ rucio-admin scope list
user.janedoe
user.jdoe
Creating new RSEs
To create a new RSE:
$ rucio-admin rse add SITE3_DISK
Added new RSE: SITE3_DISK
Then you can attach protocols to this RSE. In the following example, a file protocol is added to the site created previously:
$ rucio-admin rse add-protocol --hostname blahblah --scheme file \
--impl rucio.rse.protocols.posix.Default --domain-json \
'{"wan": {"read": 1, "write": 1, "third_party_copy": 0, "delete": 1}, \
"lan": {"read": 1, "write": 1, "third_party_copy": 0, "delete": 1}}' \
--prefix /tmp/SITE3_DISK/ SITE3_DISK
The different parameters are explained in more details if you use the --help option.
Last step is to create RSE attributes that can be used to build RSE expressions:
$ rucio-admin rse set-attribute --rse SITE3_DISK --key tier --value 1
Added new RSE attribute for SITE3_DISK: tier-1
$ rucio-admin rse set-attribute --rse SITE3_DISK --key disk --value 1
Added new RSE attribute for SITE3_DISK: disk-1
$ rucio list-rses --rses "disk=1&tier=1"
SITE3_DISK
Let's check that everything is properly defined:
$ rucio-admin rse info SITE3_DISK
Settings:
=========
third_party_copy_protocol: 1
rse_type: DISK
domain: [u'lan', u'wan']
availability_delete: True
delete_protocol: 1
rse: SITE3_DISK
deterministic: True
write_protocol: 1
read_protocol: 1
staging_area: False
credentials: None
availability_write: True
lfn2pfn_algorithm: default
availability_read: True
volatile: False
id: 4079d6873603462b8867e4a49674cc11
Attributes:
===========
tier: True
disk: True
istape: False
SITE3_DISK: True
Protocols:
==========
file
extended_attributes: None
hostname: blahblih
prefix: /tmp/SITE3_DISK/
domains: {u'wan': {u'read': 1, u'write': 1, u'third_party_copy': 0, \
u'delete': 1}, u'lan': {u'read': 1, u'write': 1, u'delete': 1}}
scheme: file
port: 0
impl: rucio.rse.protocols.posix.Default
Usage:
======
rucio
used: 0
rse: SITE3_DISK
updated_at: 2018-02-22 13:05:45
free: None
source: rucio
total: 0
Setting quota and permissions
The root account has all the privileges. You can define other admin accounts by setting the account attribute admin:
$ rucio-admin account add-attribute --key admin --value 1 jdoe
$ rucio-admin account list --filter "admin=1"
jdoe
The permissions are easily tunable by overloading the generic permission file.
This is an advanced feature that is not explained there, for more details get in touch with the developers.
To set the quota for one account on a given RSE:
$ rucio-admin account set-limits jdoe SITE3_DISK 10000000000000
Set account limit for account jdoe on SITE3_DISK: 10.000 TB
$ rucio-admin account get-limits jdoe SITE3_DISK
Quota on SITE3_DISK for jdoe : 10 TB