This repository has been archived by the owner on Jan 11, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathxrd_checkkeys
executable file
·55 lines (39 loc) · 1.9 KB
/
xrd_checkkeys
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
#!/bin/bash
######################################
## create TkAuthz.Authorization file; take as argument the place where are the public keys
create_tkauthz() {
local PRIV_KEY_DIR; PRIV_KEY_DIR=$1
local TK_FILE="${PRIV_KEY_DIR}/TkAuthz.Authorization"
(
#########################################
# the root of the exported namespace you allow to export on your disk servers
# just add all directories you want to allow this is only taken into account if you use the TokenAuthzOfs OFS
# Of course, the localroot prefix here should be omitted
# If the cluster is (correctly!) configured with the right
# localroot option, allowing / is just fine and 100% secure. That should be considered normal.
echo 'EXPORT PATH:/ VO:* ACCESS:ALLOW CERT:*'
# rules, which define which paths need authorization; leave it like that, that is safe
echo 'RULE PATH:/ AUTHZ:delete|read|write|write-once| NOAUTHZ:| VO:*| CERT:IGNORE'
echo "KEY VO:* PRIVKEY:${PRIV_KEY_DIR}/privkey.pem PUBKEY:${PRIV_KEY_DIR}/pubkey.pem"
) > ${TK_FILE}
/bin/chmod 600 ${TK_FILE}
}
######################################
checkkeys() {
KEYS_REPO="http://alitorrent.cern.ch/src/xrd3/keys/"
authz_dir1="/etc/grid-security/xrootd"
authz_dir2="${HOME}/.globus/xrootd"
authz_dir3="${HOME}/.authz/xrootd"
authz_dir=${authz_dir3} # default dir
for dir in ${authz_dir1} ${authz_dir2} ${authz_dir3}; do ## unless keys are found in locations searched by xrootd
[[ -e ${dir}/privkey.pem && -e ${dir}/pubkey.pem ]] && return 0
done
[[ $(/usr/bin/id -u) == "0" ]] && authz_dir=${authz_dir1}
/bin/mkdir -p ${authz_dir}
echo "Getting Keys and bootstrapping ${authz_dir}/TkAuthz.Authorization ..."
cd ${authz_dir}
/usr/bin/curl -fskSL -O ${KEYS_REPO}/pubkey.pem -O ${KEYS_REPO}/privkey.pem
/bin/chmod 400 ${authz_dir}/privkey.pem ${authz_dir}/pubkey.pem
create_tkauthz ${authz_dir}
}
checkkeys