The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

rOCCI:EC2 Backend

From EGIWiki
(Replaced content with "This page is no longer maintained.")
The {{rOCCI:rOCCI logo}}-server's EC2 backend was developed primarily against Amazon Web Services. It is expected to work with other cloud management frameworks (CMFs) that implement the EC2 interface, but this guide assumes AWS.
 
Please note that for an overview of operations that each method in the backend performs within the AWS cloud, you may consult the [http://rubydoc.info/github/EGI-FCTF/rOCCI-server/Backends/Ec2Backend RubyDoc documentation for the EC2 backend]. It lists '''Server-side Effects''' for each public method that has any.
 
==== Installation ====
 
The EC2 backend is bundled with the rOCCI-server since version 1.1.3. Just install the server or upgrade from your existing installation.
 
==== Configuration ====
 
<OL>
<LI>Edit the Virtual Host configuration file <code>/etc/apache2/sites-available/occi-ssl.conf</code> (APT-based distributions) or <code>/etc/httpd/conf.d/occi-ssl.conf</code> (RPM-based distributions) and change the following:
<OL>
<LI>attribute <code>ROCCI_SERVER_BACKEND</code> must be set to <code>ec2</code> as shown:
{| border="0" style="border-collapse:collapse" cellpadding="0" width="100%"
|
SetEnv ROCCI_SERVER_BACKEND          ec2
|}
''Note: Do not confuse with attribute <code>ROCCI_SERVER_HOOKS</code>; that has another purpose.''
</LI>
<LI>'''If necessary''', modify your ''region'' and ''availability zone'' settings. The default configuration is for western Europe:
{| border="0" style="border-collapse:collapse" cellpadding="0" width="100%"
|
SetEnv ROCCI_SERVER_EC2_AWS_REGION              eu-west-1
SetEnv ROCCI_SERVER_EC2_AWS_AVAILABILITY_ZONE  eu-west-1a
|}
For a list of applicable regions see the [http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region Amazon EC2 Regions list].
</LI>
<LI>'''To speed up interaction with AWS''', consider also setting filters for images. This speeds up the composition and transfer of the OCCI model. There are two configuration variables to consider:
<OL>
<LI><code>SetEnv ROCCI_SERVER_EC2_IMAGE_FILTERING_POLICY</code> &ndash; permissible values are:
{|
|<code>all</code>
|List all images (not recommended; see the note below)
|-
|<code>only_owned</code>
|List only images you own
|-
|<code>only_listed</code>
|List only images specified in <code>ROCCI_SERVER_EC2_IMAGE_FILTERING_IMAGE_LIST</code>
|-
|<code>owned_and_listed</code>
|List images you own plus additional images specified in <code>ROCCI_SERVER_EC2_IMAGE_FILTERING_IMAGE_LIST</code>
|}
</LI>
<LI><code>SetEnv ROCCI_SERVER_EC2_IMAGE_FILTERING_IMAGE_LIST</code> &ndash; A list of image IDs to include in responses. Separate multiple IDs with whitespace and enclose the whole list in double quotes. Whether this list is used at all is governed by <code>ROCCI_SERVER_EC2_IMAGE_FILTERING_POLICY</code>.</LI>
</OL>
''Note: Image filtering is implemented in the EC2 backend because there are thousands of images available from Amazon. Since constructing a list of available images is a very common operation, you get this option to limit the list.''
</LI>
<LI>'''If necessary,''' adjust permissions to create/destroy network components.
 
There are dedicated options that control whether the backend may create or destroy AWS network components. If your AWS account already has virtual private clouds (VPCs), gateways, elastic IPs and other network infrastructure configured, you will not need the backend to create new ones, and you certainly do not want it to destroy the existing ones programmatically. Keep the following options set to <code>no</code> for the most conservative behaviour and set to <code>yes</code> only the actions you really require; bear in mind that anything set to <code>yes</code> is exercised with the AWS credentials configured for the server, on behalf of every client it accepts. Applicable options are:
<UL>
<LI><code>ROCCI_SERVER_EC2_NETWORK_CREATE_ALLOWED</code></LI>
<LI><code>ROCCI_SERVER_EC2_NETWORK_DESTROY_ALLOWED</code></LI>
<LI><code>ROCCI_SERVER_EC2_NETWORK_DESTROY_VPN_GWS</code></LI>
</UL>
</LI>
<LI>'''If required,''' change the endpoint for the cloud management framework. ''This option should only be used if you plan to access another cloud management framework implementing the EC2 interface!'' If you still want to do this, set option <code>ROCCI_SERVER_EC2_AWS_ENDPOINT</code> accordingly.<BR>
 
''Disclaimer: {{rOCCI:rOCCI logo}} was developed and tested against genuine Amazon Web Services. Using it with other CMFs implementing EC2 should be possible, but the {{rOCCI:rOCCI logo}} team cannot make any promises.''
</LI>
</OL>
<LI>'''Choose and configure your authentication strategy'''. Whichever you choose, you need an AWS Access Key ID and its accompanying Secret Access Key for a valid AWS account. Obtaining those is beyond the scope of this document. The following strategies are supported:
<UL>
<LI>'''Basic''' &ndash; requires no special settings. Basic authentication is completely pass-through: the client presents the AWS access key ID as the user name and the secret access key as the password, and the server forwards them to AWS. Because the secret key travels in the HTTP <code>Authorization</code> header, use this only over the TLS-protected virtual host.</LI>
<LI>'''X.509''' &ndash; Adjust the following options in your Virtual Host configuration file <code>/etc/apache2/sites-available/occi-ssl.conf</code> or <code>/etc/httpd/conf.d/occi-ssl.conf</code>:
{| border="0" style="border-collapse:collapse" cellpadding="0" width="100%"
|
SetEnv ROCCI_SERVER_EC2_AWS_ACCESS_KEY_ID      <actual_id_edited_out>
SetEnv ROCCI_SERVER_EC2_AWS_SECRET_ACCESS_KEY  <actual_key_edited_out>
|}
 
Note that this shares a single AWS account with every user who can authenticate to the rOCCI-server with a valid certificate; everything they do in AWS is attributed to that account. The rOCCI-server is, however, supplied with a blacklisting hook, which allows you to control access to a certain extent. The Virtual Host configuration attribute <code>ROCCI_SERVER_USER_BLACKLIST_HOOK_USER_BLACKLIST</code> controls the location of the blacklist file.
</LI>
<LI>'''VOMS''' &ndash; In essence, each VO is mapped to a single AWS account (different VOs may map to different accounts). This is done through a ''map file''. If the accessing user is not a member of any configured VO, authentication can fall back to the other strategies. The following configuration option points to the map file:
{| border="0" style="border-collapse:collapse" cellpadding="0" width="100%"
|
SetEnv ROCCI_SERVER_EC2_VO_AWS_MAPFILE          /opt/occi-server/embedded/app/rOCCI-server/etc/backends/ec2/files/mapfile.yml
|}
The map file holds one record per VO in the following format. Since it contains AWS secret keys, keep it readable only by the account the web server runs as:
{| border="0" style="border-collapse:collapse" cellpadding="0" width="100%"
|
vo_name:
  access_key_id:    awskeyid
  secret_access_key: secretaccesskey
|}
</LI>
</UL>
Find out more about the authentication strategies in [[rOCCI:ROCCI-server Admin Guide#Configuring Access|The rOCCI-server Admin Guide: Configuring Access]].
</LI>
</LI>
<LI>Restart the web server. You may skip this step if you are going to configure GridSite next.
{| border="2" style="border-collapse:collapse" cellpadding="5" width="100%"
! width="50%" | APT-based distributions (Debian, Ubuntu, &hellip;)
! RPM-based distributions (Scientific Linux, CentOS, &hellip;)
|-
|
service apache2 restart
|
service httpd restart
|-
|''Tested in Debian 7 Wheezy''
|''Tested in SL 6.5 Carbon''
|}
</LI>
</OL>
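The two pieces of backend logic configured above that are easiest to get wrong are the VO-to-AWS-account map file and the image filtering policy. The following Ruby script models both so the settings can be sanity-checked offline. It is an added example, not rOCCI-server code: the map file contents, the image list and the owner account IDs are constructed for illustration, and <code>ROCCI_SERVER_EC2_IMAGE_FILTERING_IMAGE_LIST</code> is treated as the whitespace-separated string of image IDs the page describes.

```ruby
# Added example (not rOCCI-server code). Models the VO -> AWS credential map file
# and the four image filtering policies documented for the EC2 backend.
require 'yaml'
require 'tempfile'

# Constructed map file in the documented format; the key IDs and secrets are fake.
SAMPLE_MAPFILE = <<~YAML
  fedcloud.egi.eu:
    access_key_id:     AKIAEXAMPLEFEDCLOUD
    secret_access_key: example-secret-1
  dteam:
    access_key_id:     AKIAEXAMPLEDTEAM
    secret_access_key: example-secret-2
YAML

# Constructed stand-in for a DescribeImages result: image ID plus owning account.
SAMPLE_IMAGES = [
  { image_id: 'ami-own1', owner_id: '111111111111' },
  { image_id: 'ami-own2', owner_id: '111111111111' },
  { image_id: 'ami-pub1', owner_id: '222222222222' },
  { image_id: 'ami-pub2', owner_id: '333333333333' }
].freeze

# Write a map file with owner-only permissions, as the secrets inside require.
def write_sample_mapfile(content = SAMPLE_MAPFILE)
  file = Tempfile.new(['mapfile', '.yml'])
  file.write(content)
  file.flush
  File.chmod(0o600, file.path)
  file
end

# Load and validate the map file. safe_load refuses arbitrary Ruby objects, so a
# writable map file cannot be turned into code execution; every record must carry
# both credential fields, and a group/world-readable file is reported.
def load_vo_mapfile(path)
  mode = File.stat(path).mode & 0o777
  if (mode & 0o044) != 0
    warn "#{path}: mode #{format('%o', mode)} lets group/others read AWS secrets; use 0600"
  end
  records = YAML.safe_load(File.read(path)) || {}
  raise ArgumentError, "#{path}: top level must map VO names to credentials" unless records.is_a?(Hash)
  records.each do |vo, creds|
    next if creds.is_a?(Hash) && creds['access_key_id'].is_a?(String) && creds['secret_access_key'].is_a?(String)
    raise ArgumentError, "#{path}: record for VO #{vo.inspect} lacks access_key_id/secret_access_key"
  end
  records
end

# Pick the AWS account for a user from the VOs asserted in their VOMS proxy.
# Returns [vo, credentials], or nil when no configured VO matches, in which case
# the server falls back to the other authentication strategies.
def resolve_vo_credentials(mapfile, user_vos)
  vo = user_vos.find { |v| mapfile.key?(v) }
  vo ? [vo, mapfile[vo]] : nil
end

# Apply ROCCI_SERVER_EC2_IMAGE_FILTERING_POLICY to an image list. image_list is the
# raw whitespace-separated ROCCI_SERVER_EC2_IMAGE_FILTERING_IMAGE_LIST value.
def filter_images(images, owner_id, policy, image_list = '')
  listed = image_list.split
  case policy
  when 'all'              then images
  when 'only_owned'       then images.select { |i| i[:owner_id] == owner_id }
  when 'only_listed'      then images.select { |i| listed.include?(i[:image_id]) }
  when 'owned_and_listed' then images.select { |i| i[:owner_id] == owner_id || listed.include?(i[:image_id]) }
  else raise ArgumentError, "unknown ROCCI_SERVER_EC2_IMAGE_FILTERING_POLICY #{policy.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  mapfile = write_sample_mapfile
  map = load_vo_mapfile(mapfile.path)
  puts "dteam user -> #{resolve_vo_credentials(map, ['ops', 'dteam']).inspect}"
  puts "ops-only user -> #{resolve_vo_credentials(map, ['ops']).inspect} (fall back)"
  puts "owned_and_listed -> #{filter_images(SAMPLE_IMAGES, '111111111111', 'owned_and_listed', 'ami-pub2').map { |i| i[:image_id] }}"
end
```

Run it with plain <code>ruby</code>; no AWS access is needed. The permission check is the piece worth carrying into a real deployment: the map file and the <code>SetEnv</code> lines above both hold long-lived AWS secrets, and anything able to read them can act as the mapped account.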

Latest revision as of 13:47, 11 October 2017

This page is no longer maintained.