dirac.cfg
### Registry section:
# Sections to register VOs, groups, users and hosts
# https://dirac.readthedocs.org/en/latest/AdministratorGuide/UserManagement.html
# Security note: this section maps certificate DNs to users and hosts, users to groups,
# and groups/hosts to Properties. Review every DN and every Properties entry as an
# access grant.
Registry
{
## Registry options:
# Default user group to be used:
DefaultGroup = lhcb_user
# Quarantine user group: usually used when you want to place users in a
# group by hand as a "punishment" for a certain period of time.
# NOTE(review): no lowPriority_user group is defined under Groups in this example;
# define it before relying on quarantine.
QuarantineGroup = lowPriority_user
# Default proxy time expressed in seconds (4000 s is a little over one hour):
DefaultProxyTime = 4000
##
# Trusted hosts section; each subsection is named after the host name of a DIRAC secondary server
Hosts
{
dirac.host.com
{
# Host distinguished name obtained from the host certificate
DN = /O=MyOrg/OU=Unity/CN=dirac.host.com
# Properties associated with the host.
# Every property listed here is granted to the host identified by the DN above, so
# whoever holds that host's certificate and key acts with all of them.
# NOTE(review): this example grants a broad set (FullDelegation, CSAdministrator,
# ProxyManagement, TrustedHost, ...); trim it to what the server's components need.
Properties = JobAdministrator
Properties += FullDelegation
Properties += Operator
Properties += CSAdministrator
Properties += ProductionManagement
Properties += AlarmsManagement
Properties += ProxyManagement
Properties += TrustedHost
}
}
## VOs:
# DIRAC VOs section; each subsection is the name of a DIRAC VO or an alias of the real VOMS VO
VO
{
# It is not mandatory for the DIRAC VO to have the same name as the corresponding VOMS VO
lhcb
{
# VO administrator user name, which also MUST be registered (/Registry/Users section).
# NOTE(review): the Users section of this example registers only lhcbuser1, not lhcbadmin.
VOAdmin = lhcbadmin
# VO administrator group used for querying the VOMS server.
# If not specified, the VO "DefaultGroup" will be used
VOAdminGroup = lhcb_admin
# Real VOMS VO name, if this VO is associated with a VOMS VO
VOMSName = lhcb
# Registered identity provider associated with the VO
# (CheckIn is defined under Resources/IdProviders in this file)
IdP = CheckIn
# Section to describe all the VOMS servers that can be used with the given VOMS VO
VOMSServers
{
# The host name of the VOMS server
cclcgvomsli01.in2p3.fr
{
# DN of the VOMS server certificate
DN = /O=GRID-FR/C=FR/O=CNRS/OU=CC-IN2P3/CN=cclcgvomsli01.in2p3.fr
# The VOMS server port
Port = 15003
# CA that issued the VOMS server certificate
CA = /C=FR/O=CNRS/CN=GRID2-FR
}
}
}
}
##
## Groups:
# DIRAC groups section; each subsection is the name of a group
Groups
{
# Group for the common user
lhcb_user
{
# DIRAC user logins that belong to the group
Users = lhcbuser1
# Group properties (set the permissions of the group's users)
Properties = NormalUser # Normal user operations
# Permission to download a proxy with this group, by default: True.
# False here keeps proxies of ordinary users from being downloaded.
DownloadableProxy = False
# Role of the users in the VO
VOMSRole = /lhcb
# Scope associated with a role of the user in the VO
IdPRole = some_special_scope
# Virtual organization associated with the group
VOMSVO = lhcb
# Just for normal users:
JobShare = 200
# Controls automatic Proxy upload by dirac-proxy-init:
AutoUploadProxy = True
# Controls automatic Proxy upload by dirac-proxy-init for Pilot groups:
AutoUploadPilotProxy = True
# Controls automatic addition of VOMS extension by dirac-proxy-init:
AutoAddVOMS = True
}
# Group to submit pilot jobs
# (no Users option is set for this group in the example)
lhcb_pilot
{
Properties = GenericPilot # Generic pilot
Properties += LimitedDelegation # Allow getting only limited proxies (ie. pilots)
Properties += Pilot # Private pilot
}
# Admin group
# These properties cover service administration, editing the Configuration Service,
# everybody's jobs and full delegated proxies; keep the membership of this group small.
# (no Users option is set for this group in the example)
lhcb_admin
{
Properties = AlarmsManagement # Allow to set notifications and manage alarms
Properties += ServiceAdministrator # DIRAC Service Administrator
Properties += CSAdministrator # possibility to edit the Configuration Service
Properties += JobAdministrator # Job Administrator can manipulate everybody's jobs
Properties += FullDelegation # Allow getting full delegated proxies
Properties += ProxyManagement # Allow managing proxies
Properties += Operator # Operator
}
}
##
## Users:
# DIRAC users section; each subsection is the name of a user
Users
{
lhcbuser1
{
# Distinguished name obtained from the user certificate (Mandatory)
DN = /O=My organisation/C=FR/OU=Unit/CN=My Name
# User e-mail (Mandatory)
# NOTE(review): the value below is what the hosting page's e-mail masking left behind;
# replace it with the real address.
Email = [email protected]
# Cellular phone number
mobile = +030621555555
# Quota assigned to the user. Expressed in MBs.
Quota = 300
# This subsection describes the properties associated with each DN attribute (optional)
DNProperties
{
# Arbitrary section name
DNSubsection
{
# Distinguished name obtained from the user certificate (Mandatory)
DN = /O=My organisation/C=FR/OU=Unit/CN=My Name
# Proxy provider that can generate the proxy certificate with the DN in the DN attribute
# (MY_DIRACCA is defined under Resources/ProxyProviders in this file).
ProxyProviders = MY_DIRACCA
}
}
}
}
##
}
###
# The Systems section is automatically obtained from the ConfigTemplate.cfg files and can be found at
# https://dirac.readthedocs.org/en/latest/AdministratorGuide/Configuration/ExampleConfig.html
# Each system below lists its Agents, Services, Databases and URLs where the example sets them.
Systems
{
DataManagementSystem
{
Agents
{
# http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/DataManagement/fts3.html#fts3agent
FTS3Agent
{
OperationBulkSize = 20 # How many Operations we will treat in one loop
JobBulkSize = 20 # How many Jobs we will monitor in one loop
MaxFilesPerJob = 100 # Max number of files to go in a single job
MaxAttemptsPerFile = 256 # Max number of attempts per file
DeleteGraceDays = 180 # days before removing jobs
DeleteLimitPerCycle = 100 # Max number of deletes per cycle
KickAssignedHours = 1 # hours before kicking jobs with old assignment tag
KickLimitPerCycle = 100 # Max number of kicks per cycle
}
}
Services
{
# http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/DataManagement/dfc.html#filecataloghandler
FileCatalogHandler
{
Port = 9197
DatasetManager = DatasetManager
# Octal permission value. NOTE(review): 0775 includes group write when read as a
# file mode; confirm how the catalog interprets this option before relying on it.
DefaultUmask = 0775
DirectoryManager = DirectoryLevelTree
DirectoryMetadata = DirectoryMetadata
FileManager = FileManager
FileMetadata = FileMetadata
# NOTE(review): by its name this makes catalog content readable to every caller;
# confirm that is intended for the data held in this catalog.
GlobalReadAccess = True
LFNPFNConvention = Strong
ResolvePFN = True
# NOTE(review): NoSecurityManager, by its name, applies no access checks to catalog
# operations. That is acceptable for a test instance only; for production select a
# security manager that enforces permissions (see the dfc page linked above).
SecurityManager = NoSecurityManager
SEManager = SEManagerDB
UniqueGUID = False
UserGroupManager = UserAndGroupManagerDB
# NOTE(review): the four bracketed values below look like lists whose separators were
# lost (Apriori Good / Trash / Removing / Probing run together); check them against
# the documentation before copying.
ValidFileStatus = [AprioriGoodTrashRemovingProbing]
ValidReplicaStatus = [AprioriGoodTrashRemovingProbing]
VisibleFileStatus = [AprioriGood]
VisibleReplicaStatus = [AprioriGood]
}
# http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/DataManagement/fts.html#ftsmanager
FTS3ManagerHandler
{
# No specific configuration
Port = 9193
}
}
Databases
{
# http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/DataManagement/dfc.html#filecatalogdb
FileCatalogDB
{
# No specific configuration
DBName = FileCatalogDB
}
FTS3DB
{
# No specific configuration
DBName = FTS3DB
}
}
}
RequestManagementSystem
{
Agents
{
# http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/RequestManagement/rmsComponents.html#cleanreqdbagent
CleanReqDBAgent
{
DeleteGraceDays = 60 # Delay after which Requests are removed
DeleteLimit = 100 # Maximum number of Requests to remove per cycle
DeleteFailed = False # Whether to also delete Failed requests
KickGraceHours = 1 # After how long we should kick the Requests in `Assigned`
KickLimit = 10000 # Maximum number of requests kicked per cycle
}
# http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/RequestManagement/rmsComponents.html#requestexecutingagent
RequestExecutingAgent
{
# Batching and process-pool limits, judging by the option names; see the page linked
# above for the meaning and unit of each one.
BulkRequest = 0
MinProcess = 1
MaxProcess = 8
ProcessPoolQueueSize = 25
ProcessPoolTimeout = 900
ProcessTaskTimeout = 900
ProcessPoolSleep = 4
RequestsPerCycle = 50
# Define the different Operation types
# see http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/RequestManagement/rmsObjects.html#operation-types
# Each Location names a Python module the agent loads as a handler, so write access to
# this section decides which code the agent runs; restrict who can edit it.
OperationHandlers
{
DummyOperation
{
# These parameters can be defined for all handlers
# The location of the python file, without .py, is mandatory
Location = DIRAC/DataManagementSystem/Agent/RequestOperations/DummyHandler # Mandatory
LogLevel = DEBUG # self explanatory
# NOTE(review): the key is spelled "MaxAttemts"; confirm the spelling the handler
# reads, since a misspelled option may simply not be picked up.
MaxAttemts = 256 # Maximum attempts per file
TimeOut = 300 # Timeout in seconds of the operation
TimeOutPerFile = 40 # Additional delay per file
}
ForwardDISET{
Location = DIRAC/RequestManagementSystem/Agent/RequestOperations/ForwardDISET
}
MoveReplica
{
Location = DIRAC/DataManagementSystem/Agent/RequestOperations/MoveReplica
}
PutAndRegister
{
Location = DIRAC/DataManagementSystem/Agent/RequestOperations/PutAndRegister
}
RegisterFile
{
Location = DIRAC/DataManagementSystem/Agent/RequestOperations/RegisterFile
}
RegisterReplica
{
Location = DIRAC/DataManagementSystem/Agent/RequestOperations/RegisterReplica
}
RemoveFile
{
Location = DIRAC/DataManagementSystem/Agent/RequestOperations/RemoveFile
}
RemoveReplica
{
Location = DIRAC/DataManagementSystem/Agent/RequestOperations/RemoveReplica
}
ReplicateAndRegister
{
Location = DIRAC/DataManagementSystem/Agent/RequestOperations/ReplicateAndRegister
FTSMode = True # If True, will use FTS to transfer files
FTSBannedGroups = lhcb_user # list of groups for which not to use FTS
}
SetFileStatus
{
Location = DIRAC/TransformationSystem/Agent/RequestOperations/SetFileStatus
}
}
}
}
Databases
{
# http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/RequestManagement/rmsComponents.html#requestdb
RequestDB
{
# No specific configuration
DBName = RequestDB
}
}
Services
{
# http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/RequestManagement/rmsComponents.html#reqmanager
ReqManager
{
Port = 9140
constantRequestDelay = 0 # Constant delay when retrying a request
}
# http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/RequestManagement/rmsComponents.html#reqproxy
ReqProxy
{
Port = 9161
}
}
URLs
{
# Yes.... it is ReqProxyURLs, and not ReqProxy...
# http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/RequestManagement/rmsComponents.html#reqproxy
# Comma-separated list; the port matches the ReqProxy service port set above.
ReqProxyURLs = dips://server1:9161/RequestManagement/ReqProxy, dips://server2:9161/RequestManagement/ReqProxy
}
}
TransformationSystem
{
Agents
{
##BEGIN TransformationCleaningAgent
TransformationCleaningAgent
{
# MetaData key to use to identify output data
TransfIDMeta=TransformationID
# Location of the OutputData; if the OutputDirectories parameter is not set for
# transformations, only 'MetadataCatalog' has to be used
DirectoryLocations=TransformationDB,MetadataCatalog
# Enable or disable, default enabled
EnableFlag=True
# How many days to wait before archiving transformations
ArchiveAfter=7
# Shifter to use for removal operations; default is empty, which means
# the transformation owner is used for cleanup
shifterProxy=
# Which transformation types to clean
# If not filled, transformation types are taken from
# Operations/Transformations/DataManipulation
# and Operations/Transformations/DataProcessing
TransformationTypes=
# Time between cycles in seconds
PollingTime = 3600
}
##END
}
}
Framework
{
Services
{
ComponentMonitoring
{
Port = 9190
# This enables ES monitoring only for this particular service.
EnableActivityMonitoring = yes
# Per-method access rules: each key is a method of the service and each value is what a
# caller needs in order to invoke it. Default covers every method not listed, so here
# unlisted methods require ServiceAdministrator, the listed read-style calls are open
# to any authenticated caller, and updateLog requires Operator.
Authorization
{
Default = ServiceAdministrator
componentExists = authenticated
getComponents = authenticated
hostExists = authenticated
getHosts = authenticated
installationExists = authenticated
getInstallations = authenticated
updateLog = Operator
}
}
}
}
}
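# Resources section: identity providers, proxy providers, file catalogs, FTS endpoints
# and storage elements.
# Security note: this section holds OAuth client secrets and the path of a CA private key.
# The secret values shown are samples; keep real ones out of version control, and
# NOTE(review): confirm these options are stored only where unprivileged clients cannot read them.
Resources
{
IdProviders
{
CheckIn
{
# What supported type of provider does it belong to
ProviderType = OAuth2
# Description of the client parameters registered on the identity provider side.
# Look here for information about client parameters description https://tools.ietf.org/html/rfc8414#section-2
issuer = https://aai-dev.egi.eu/oidc
# Placeholders: replace both with the values received after client registration.
# client_secret is a credential and must be handled like a password.
client_id = type_client_id_here_receved_after_client_registration
client_secret = type_client_secret_here_receved_after_client_registration
# offline_access asks the provider for a refresh token; request only the scopes you need.
scope = openid, profile, offline_access, eduperson_entitlement, cert_entitlement
}
}
# Section for proxy providers; each subsection is the name of a proxy provider
# https://dirac.readthedocs.org/en/latest/AdministratorGuide/Resources/proxyprovider.html
ProxyProviders
{
## DIRACCA type:
MY_DIRACCA
{
# Main option, to show which proxy provider type you want to register.
ProviderType = DIRACCA
# The path to the CA certificate. This option is required.
CertFile = /opt/dirac/etc/grid-security/DIRACCA-EOSH/cert.pem
# The path to the CA key. This option is required.
# This is the CA private key: whoever can read it can issue certificates under this CA.
# Make the file readable only by the account that runs the proxy provider.
KeyFile = /opt/dirac/etc/grid-security/DIRACCA-EOSH/key.pem
# The distinguished name fields that must contain the exact same contents as that field in the CA's
# DN. If this parameter is not specified, the default value will be an empty list.
Match = O, OU
# The distinguished name fields list that must be present. If this parameter is not specified, the
# default value will be "CN".
Supplied = C, CN
# The distinguished name fields list that are allowed, but not required. If this parameter is not
# specified, the default value will be "C, O, OU, emailAddress"
Optional = emailAddress
# Order of the distinguished name fields in a created user certificate. If this parameter is not
# specified, the default value will be "C, O, OU, CN, emailAddress"
DNOrder = C, O, OU, emailAddress, CN
# To set default value for distinguished name field.
C = FR
O = DIRAC
OU = DIRAC TEST
# The path to the openssl configuration file. This is optional and not recommended to use.
# But if you choose to use this option, it is recommended to use a relatively simple configuration.
# All required parameters will be taken from the configuration file, except "DNOrder".
CAConfigFile = /opt/dirac/pro/etc/openssl_config_ca.cnf
}
##
## PUSP type:
MY_PUSP
{
# The provider type has to match the heading: PUSP, not DIRACCA (this entry sets a
# ServiceURL and none of the CA options a DIRACCA provider requires).
ProviderType = PUSP
# PUSP service URL
ServiceURL = https://mypuspserver.com/
}
##
## OAuth2 type:
MY_OAuth2
{
ProviderType = OAuth2
# Authorization server's issuer identifier URL
issuer = https://masterportal-pilot.aai.egi.eu/mp-oa2-server
# Identifier of OAuth client
client_id = myproxy:oa4mp,2012:/client_id/aca7c8dfh439fewjb298fdb
# Secret key of OAuth client.
# Sample value: never commit a real client secret, and rotate any secret that has been
# published in a repository or on a web page.
client_secret = ISh-Q32bkXRf-HD2hdh93d-hd20DH2-wqedwiU@S22
# OAuth2 parameter specified in https://tools.ietf.org/html/rfc6749
prompt = consent
# Some specific parameter for specific proxy provider
# NOTE(review): presumably seconds, i.e. 10 days; confirm against the provider documentation.
max_proxylifetime = 864000
proxy_endpoint = https://masterportal-pilot.aai.egi.eu/mp-oa2-server/getproxy
}
##
}
# Where all your Catalogs are defined
FileCatalogs
{
# There is one section per catalog
# See http://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/Catalog/index.html
<MyCatalog>
{
CatalogType = <myCatalogType> # used for plugin selection
CatalogURL = <myCatalogURL> # used for DISET URL
# <anyOptions>: any further option set here is passed to the constructor of the plugin
}
}
# FTS endpoint definition http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/DataManagement/fts.html#fts-servers-definition
FTSEndpoints
{
FTS3
{
CERN-FTS3 = https://fts3.cern.ch:8446
}
}
# Abstract definition of storage elements, used to be inherited.
# see http://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/Storages/index.html#storageelementbases
StorageElementBases
{
# The base SE definition can contain all the options of a normal SE
# http://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/Storages/index.html#storageelements
CERN-EOS
{
BackendType = eos # backend type of storage element
SEType = T0D1 # Tape or Disk SE
UseCatalogURL = True # use the stored url or generate it (default False)
# The four access flags apply only while RSS is not enabled. Every storage element that
# inherits from this base gets Write and Remove unless it overrides them.
ReadAccess = True # Allowed for Read if no RSS enabled
WriteAccess = True # Allowed for Write if no RSS enabled
CheckAccess = True # Allowed for Check if no RSS enabled
RemoveAccess = True # Allowed for Remove if no RSS enabled
OccupancyLFN = /lhcb/storageDetails.json # Json containing occupancy details
SpaceReservation = LHCb-EOS # Space reservation name if any. Concept like SpaceToken
# Protocol section, see http://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/Storages/index.html#available-protocol-plugins
GFAL2_SRM2
{
Host = srm-eoslhcb.cern.ch
Port = 8443
PluginName = GFAL2_SRM2 # If different from the section name
Protocol = srm # primary protocol
Path = /eos/lhcb/grid/prod # base path
Access = remote
SpaceToken = LHCb-EOS
WSUrl = /srm/v2/server?SFN=
}
}
}
# http://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/Storages/index.html#storageelements
StorageElements
{
# Just inherit everything from CERN-EOS, without change
CERN-DST-EOS
{
BaseSE = CERN-EOS
}
# inherit from CERN-EOS
CERN-USER
{
BaseSE = CERN-EOS
# Modify the options for Gfal2
GFAL2_SRM2
{
Path = /eos/lhcb/grid/user
SpaceToken = LHCb_USER
}
# Add an extra protocol
GFAL2_XROOT
{
Host = eoslhcb.cern.ch
Port = 8443
Protocol = root
Path = /eos/lhcb/grid/user
Access = remote
SpaceToken = LHCb-EOS
WSUrl = /srm/v2/server?SFN=
}
}
CERN-ALIAS
{
Alias = CERN-USER # Use CERN-USER when instantiating CERN-ALIAS
}
}
# See http://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/Storages/index.html#storageelementgroups
StorageElementGroups
{
CERN-Storages = CERN-DST-EOS, CERN-USER
}
}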
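# Operations section: operational settings, with defaults in Defaults and per-setup
# overrides in a section named after the setup.
Operations
{
# This is the default section of operations.
# Any value here can be overwritten in the setup specific section
Defaults
{
# This will globally enable ES based monitoring for Service and AgentModule.
EnableActivityMonitoring = yes
DataManagement
{
# see http://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/Catalog/index.html#multi-protocol
# for the next 4 options
AccessProtocols = srm
AccessProtocols += dips
RegistrationProtocols = srm
RegistrationProtocols += dips
#
StageProtocols = srm
ThirdPartyProtocols = srm
WriteProtocols = srm
WriteProtocols += dips
# FTS related options. See http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/DataManagement/fts.html
FTSVersion = FTS3 # should only be that...
FTSPlacement
{
FTS3
{
ServerPolicy = Random # http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/DataManagement/fts.html#ftsserver-policy
# Plugin to alter default TPC selection list
FTS3Plugin = Default # http://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/DataManagement/fts.html#fts3-plugins
}
}
}
# Options for the pilot3
# See https://dirac.readthedocs.io/en/latest/AdministratorGuide/Systems/WorkloadManagement/Pilots/Pilots3.html
# The pilot code is taken from the repositories and branches named here, so these options
# decide which code is synchronised for pilots.
# NOTE(review): a branch such as master moves over time; consider a tag or release branch
# you have reviewed, and restrict who can push to both repositories.
Pilot
{
pilotRepo = https://github.com/DIRACGrid/Pilot.git # git repository of the pilot
pilotScriptsPath = Pilot # Path to the code, inside the Git repository
pilotRepoBranch = master # Branch to use
pilotVORepo = https://github.com/MyDIRAC/VOPilot.git # git repository of the pilot extension
pilotVOScriptsPath = VOPilot # Path to the code, inside the Git repository
pilotVORepoBranch = master # Branch to use
uploadToWebApp = True # Try to upload the files from the CS to the list of servers
# NOTE(review): /tmp is shared by all local accounts on most systems; prefer a directory
# that only the DIRAC service account can write to.
workDir = /tmp/pilot3Files # Local work directory on the masterCS for synchronisation
}
Services
{
# See http://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/Catalog/index.html
Catalogs
{
# "etc" is a placeholder for further catalog names, not a catalog.
CatalogList = Catalog1
CatalogList += Catalog2
CatalogList += etc # List of catalogs defined in Resources to use
# Each catalog defined in Resources should also contain some runtime options here
<MyCatalog>
{
Status = Active # enable the catalog or not (default Active)
# AccessType has no default and must be set explicitly.
AccessType = Read-Write
Master = True # See http://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/Catalog/index.html#master-catalog
# Dynamic conditions to enable or not the catalog
# See http://dirac.readthedocs.io/en/latest/AdministratorGuide/Resources/Catalog/index.html#conditional-filecatalogs
Conditions
{
WRITE = <myWriteCondition>
READ = <myReadCondition>
ALL = <valid for all conditions>
<myMethod> = <myCondition valid only for myMethod>
}
}
}
}
}
# Options in this section will only be used when running with the
# <MySetup> setup
<MySetup>
{
}
}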