Stephen Pascoe edited this page May 6, 2014 · 11 revisions
Wiki Reorganisation
This page has been classified for reorganisation. It has been given the category REVISE.
This page contains useful content but needs revision. It may contain out of date or inaccurate content.

ESGF Administrator Guide

The following instructions describe the process of installing, configuring and testing an ESGF peer-to-peer Node. The following abbreviations are used:

  • <HOSTNAME>: the fully qualified host name of the server where the ESGF Node is installed

  • : the directory path where the ESGF Node web applications are installed (=/usr/local/tomcat/webapps)

Installation

See https://github.com/ESGF/esgf-installer/wiki for full installation instructions

Some of the ports used by the node are required to be open.

Configuration

After a standard ESGF Node installation, the following services should be automatically configured:

  • Thredds Data Server. The TDS web deployment descriptor (/thredds/WEB-INF/web.xml) is configured to contact the local ESGF Security Services, specifically:
* The AuthenticationFilter is configured to redirect to the local Openid Relying Party (ORP): openidRelyingPartyUrl=[http://<HOSTNAME>/esg-orp/home.htm](http://<HOSTNAME>/OpenidRelyingParty/home.htm)
* The AuthorizationFilter is configured to contact the local ESGF Authorization Service (AZS): authorizationServiceUrl=[http://<HOSTNAME>/esg-orp/saml/soap/secure/authorizationService.htm](http://<HOSTNAME>/esgf-security/saml/soap/secure/authorizationService.htm)
  • Identity Provider. The ESGF IdP is by default configured to connect to the ESGF Node database. The connection parameters (database url, username and password) are contained in the file /esg/config/esgf.properties.
* During installation the esg-node script presents you with a menu of known IDPs; you should select the IDP for your organization or enter your IDP ("admin-peer's") hostname and shortname. After installation you may decide to change the host that runs the IDP service by using the --set-idp-peer (or --set-admin-peer) flag.

    Example:
      %> esg-node --set-idp-peer

    The IDP software stack (service, database, myproxy, security) is set up when installing with the --type idp setting. A server with the IDP software stack installed is called an "admin peer", hence the nomenclature of the flag.
  • Attribute Service. The ESGF Attribute Service is responsible for reporting the user access control attributes for the attribute types it manages (and some basic user information). By default, it is configured to look up user attributes in the ESGF Node database, and the connection parameters are specified in the file /esg/config/esgf.properties.

  • Openid Relying Party. The ESGF ORP (now _esgf-orp_, previously _OpenRelyingParty_) is used for redirecting the user when access is via OpenID and is configured to use these files:
* /esg/config/esgf_idp.xml: _white list_ of trusted identity providers that is automatically generated by the ESGF Node Manager
* /esg/config/esgf_idp_static: this file should contain all the gateway IdPs, plus any others you really trust

  • Solr. Following the recommended guidelines, the master Solr running on port 8984 should only be accessible from inside your institution's firewall, and the slave Solr running on port 8983 should be accessible from the outside. Access to the slave Solr web URLs is controlled by the file /usr/local/esgf-solr-3.1.0-slave/etc/webdefault.xml, which by default is configured to allow access to the _/admin/_ URLs only to users with the _admin_ role, and to allow nobody access to _/update/_ URLs. The default credentials (in the file realm.properties in the same directory) are those of the node installer (username and password) set at the beginning of the installation script.

Additionally, the following manual configuration is currently necessary (these steps will not be required any longer as ESGF evolves):

  • Policy Service. The ESGF Policy Service determines the access control policies on local datasets. It is currently configured via XML files, which associate URL regular expressions with the required access control attributes, where each attribute has a type and a value. Note that if a dataset URL matches more than one access control policy, the logical -OR- of the policies will be used in formulating an authorization decision.
* Example: all datasets matching _/cmip5/_ require the access control attribute _CMIP5 Research_ with value _user_ for reading, and value _publisher_ for writing:

  * <policy resource=".*\/cmip5\/.*" attribute_type="CMIP5 Research" attribute_value="user" action="Read"/>

  * <policy resource=".*\/cmip5\/.*" attribute_type="CMIP5 Research" attribute_value="publisher" action="Write"/>

* Example: all datasets matching _/esg_dataroot/_ are freely accessible for reading by all users without any authorization (the special attribute type _ANY_ is used for this purpose; the attribute value doesn't matter). At this time, this is the default configuration for an ESGF Node when it is installed.

  * <policy resource=".*\/esg_dataroot\/.*" attribute_type="ANY" attribute_value="" action="Read"/>

* /esg/config/esgf_policies_common.xml: common access control statements, for example for access to the dashboard
* /esg/config/esgf_policies_local.xml: your local policy files, specific to your data

For more information on configuring the Policy Service please see ESGF Access Control.
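The -OR- rule described above has a practical consequence worth checking before publishing data: a restricted path that is also matched by an _ANY_ policy becomes freely readable. The following is an added example, not ESGF code, that evaluates the page's three sample policies. The `<policies>` wrapper element, whole-URL regex matching, exact comparison of the action name, denial when no policy matches, and the dataset URLs are all assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the page's <policy .../> format. The <policies> wrapper
# element is an assumption; only the <policy> attributes come from the page.
SAMPLE_POLICIES = r"""
<policies>
  <policy resource=".*\/cmip5\/.*" attribute_type="CMIP5 Research" attribute_value="user" action="Read"/>
  <policy resource=".*\/cmip5\/.*" attribute_type="CMIP5 Research" attribute_value="publisher" action="Write"/>
  <policy resource=".*\/esg_dataroot\/.*" attribute_type="ANY" attribute_value="" action="Read"/>
</policies>
"""

def load_policies(xml_text):
    """Return every <policy> element as a dict, ignoring any XML namespace."""
    root = ET.fromstring(xml_text)
    return [dict(el.attrib) for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "policy"]

def matching_policies(policies, url, action):
    """Policies for this action whose resource regex matches the whole URL
    (whole-URL matching is an assumption of this example)."""
    return [p for p in policies
            if p["action"] == action and re.fullmatch(p["resource"], url)]

def is_authorized(policies, url, action, user_attrs):
    """Logical OR: one satisfied policy is enough. Denying when no policy
    matches is an assumption of this example."""
    for p in matching_policies(policies, url, action):
        if p["attribute_type"] == "ANY":
            return True  # attribute value is irrelevant for ANY
        if (p["attribute_type"], p["attribute_value"]) in user_attrs:
            return True
    return False

def open_overlap(policies, url, action="Read"):
    """True when a URL covered by a restrictive policy is also covered by ANY."""
    types = {p["attribute_type"] for p in matching_policies(policies, url, action)}
    return "ANY" in types and len(types) > 1

if __name__ == "__main__":
    pols = load_policies(SAMPLE_POLICIES)
    # Constructed dataset URLs, used only to exercise the policies.
    for url in ("/thredds/fileServer/cmip5/tas.nc",
                "/thredds/fileServer/esg_dataroot/cmip5/tas.nc"):
        print(url, "| anonymous read:", is_authorized(pols, url, "Read", set()),
              "| open overlap:", open_overlap(pols, url))
```

With these sample policies the second URL is readable without any attribute, because the default `/esg_dataroot/` rule is OR-ed with the CMIP5 restriction. Running `open_overlap` over a list of published dataset URLs shows which restricted paths the default rule opens.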

  • Registry Service. The ESGF Registry Service maps a given attribute type to the URL of the Attribute Service that manages that attribute.
* Example: the attribute type "CMIP5 Research" is managed by the PCMDI Attribute Service:
  * <attribute type="CMIP5 Research" service="https://esgf-node1.llnl.gov/esgf-security/saml/soap/secure/attributeService.htm"/>

* Example: the attribute type "MY OWN" is managed by the local Attribute Service just installed:
  * <attribute type="MY OWN" service="https://<HOSTNAME>/esgf-security/saml/soap/secure/attributeService.htm"/>

* /esg/config/esgf_ats.xml: XML file automatically produced by the ESGF Node Manager
* /esg/config/esgf_ats_static.xml: used for attribute service endpoints that should always be there. None is really required, but having CMIP5 Research/Commercial is a good idea, in case something goes wrong with the dynamically generated file

The ESGF Shell

Once your installation is complete you can administer the system using the esgf shell by running esgf-sh. The shell provides you with the ability to perform administrative and other tasks important to the maintenance of the node. To list the commands you may tab complete at the prompt or enter "?". To get the usage for each command, type the command with the "--help" argument. More details on the shell will be posted to the esgf.org website (coming soon).

The ESGF Web Front End Configuration

There are a variety of configuration options for the web front end.

  • Home Page.

The ESGF web front end index page is by default configured to present the _ORNL_ look and feel. To change the logo and the content of the front page, copy the file /esgf-web-fe/WEB-INF/classes/messages.properties to $ESGF_HOME/config, then edit that file, substituting the appropriate values with your institution-specific name, message, and logo file (which must be located under images/).

The admin has an option to disable. Note: the default behavior is
