Configuration
Prerequisites
You need to have a Rucio server up and running with the root account created. Please refer to installation documentation for further information
Creating new users
The first step is to create new accounts:
$ rucio-admin account add --type USER --email jdoe@blahblih.com jdoe
You can choose from different types in the list USER, GROUP, SERVICE. Different policies/permissions can be set depending on the account type. Once the account is created, you need to create and attach an identity to this account:
$ rucio-admin identity add --type X509 \
--id "CN=jdoe,OU=Users,OU=Organic Units,DC=blih,DC=blah" \
--email jdoe@blahblih.com --account jdoe
The list of possible identity types is X509, GSS, USERPASS, SSH, OIDC:
$ rucio-admin account list-identities jdoe
Identity: CN=jdoe,OU=Users,OU=Organic Units,DC=blih,DC=blah, type: X509
You can set attributes to the users:
$ rucio-admin account add-attribute --key country --value xyz jdoe
And list these attributes:
$ rucio-admin account list-attributes jdoe
+---------+-------+
| Key | Value |
|---------+-------|
| country | xyz |
+---------+-------+
You can also list all the accounts matching a certain attribute using the filter option:
$ rucio-admin account list --filters "country=xyz"
jdoe
X509 identity format
By default, X509 identities must be formatted according to the relevant RFCs: a
comma-separated list of the DN components, ordered last-to-first (e.g.
CN=jdoe,OU=Users,OU=Organic Units,DC=blih,DC=blah). However, operators might
prefer to store them in the legacy format: a slash-separated list of the DN
components, starting with a slash, ordered first-to-last (e.g.
/DC=blah/DC=blih/OU=Organic Units/OU=Users/CN=jdoe).
To do so, it is necessary to enable the LegacyDNStringFormat configuration
option of mod_ssl. When using the official Rucio container images, one must set
the RUCIO_HTTPD_LEGACY_DN environmental variable to True. For custom
installations, one must edit the appropriate Apache configuration file so that
the SSLOptions directive looks like this:
SSLOptions +StdEnvVars +LegacyDNStringFormat
Creating scope
One needs then to create some scopes associated with the accounts:
$ rucio-admin scope add --account jdoe --scope user.jdoe
Only the owner of the scope or privileged users can write into the scope.
To list all the scopes:
$ rucio-admin scope list
user.janedoe
user.jdoe
Creating new RSEs
A complete configuration guide for RSEs can be found here, including CLI and Python API instructions. Below is a check-list of things to do when creating a new RSE.
- Create a new RSE:
$ rucio rse add $RSE_NAME
- Attach a transfer protocol
Below is the protocol for a posix RSE (suitable for testing and single-node deployments). Other configurations can be found here.
$ rucio rse protocol add \
--hostname $HOSTNAME \
--scheme $SCHEME \
--impl rucio.rse.protocols.posix.Default \
--domain-json \
'{"wan": {"read": 1, "write": 1, "third_party_copy": 0, "delete": 1}, \
"lan": {"read": 1, "write": 1, "third_party_copy": 0, "delete": 1}}' \
--prefix /tmp/$RSE_NAME/ $RSE_NAME
- Set RSE Attributes
Different RSE attributes and their uses are listed here. Other RSE attributes can be added and used for plugins, policies, and organization via RSE Expressions.
$ rucio rse attribute add $RSE_NAME --key tier --value 1
- Verify main settings
List the protocols, settings, and attributes for the RSE.
$ rucio rse show $RSE_NAME
- Set user limits Sets how much an account can write to an RSE. If no limit has been set for an account, it cannot be used to write to the given RSE.
$ rucio account limit add $USER --rse $RSE_NAME --bytes 10GB