UNICORE/X Service Reference Card
Functional description
The UNICORE/X server is the central component in UNICORE, hosting the web services and interfacing with the target resource (batch system, file system)
through the XNJS/TSI components. In a typical execution site, the services provided are:
- job submission and management
- file system access (on the target resource, e.g. cluster)
- file transfer services
Daemons running
The UNICORE/X server is a single process.
Init scripts and options (start|stop|restart|...)
The service can be started with /etc/init.d/unicore-unicorex {start|stop|restart}
Configuration files location with example or template
The config files are located in /etc/unicore/unicorex
Example files are provided.
- wsrflite.xml : keystore/truststore locations and passwords, gateway location, host/port, deployed web services, service persistence configuration
- uas.properties : service container configuration (registries, startup code, etc.) and authZ attribute source configuration
- xnjs_legacy.xml : target system access configuration, TSI host/port, config options
- simpleidb : installed applications, target system configuration (resources)
- xacml2Policies/*.xml : XACML security policy files
- logging.properties : log4j logging configuration
Logfile locations (and management) and other useful audit information
Log files will be written to /var/log/unicore/unicorex/
By default the log files are rolled over daily. Details can be controlled in the logging.properties file.
Open ports
- the web server port, configured in the wsrflite.xml file (default: 7777).
- the TSI listener port, configured in the xnjs_legacy.xml file (default: 7654).
Possible unit test of the service
Unit tests are part of the build procedure and executed automatically. To test the installed server,
the UNICORE command line client can be used.
Where is service state held (and can it be rebuilt)
Service state is held in a configurable database. By default, the data is kept on the file system (using an embedded database engine) in /var/lib/unicore/unicorex.
Other options can be configured, for example a MySQL database.
Cron jobs
N/A
Security information
Access control Mechanism description (authentication & authorization)
Users are authenticated by the UNICORE gateway. Authorization is performed by UNICORE/X in the following way:
- based on the user's identity, authZ attributes are fetched from the configured sources
- based on these attributes, an XACML callout is made to check that the current operation (web service call) is allowed
- if not allowed, an "Access denied" fault is thrown
How to block/ban a user
Revoke the user's certificate. It is also possible to ban a user by removing his/her attributes from
the configured attribute sources (e.g. XUUDB).
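The authorization chain and the ban-by-attribute-removal mechanism described above, as a simplified Python model added here (this is not UNICORE code). The attribute source, identities, roles, operation names and policy are constructed stand-ins for XUUDB/UVOS and the XACML policy files:

```python
class AccessDenied(Exception):
    """Stands in for the "Access denied" fault thrown by UNICORE/X."""

# Constructed attribute source (stands in for XUUDB/UVOS/SAML-VOMS):
# distinguished name -> authz attributes such as role and xlogin.
ATTRIBUTE_SOURCE = {
    "CN=alice,O=example": {"role": "user", "xlogin": "alice"},
    "CN=bob,O=example": {"role": "admin", "xlogin": "bob"},
}

# Constructed role-based policy (stands in for xacml2Policies/*.xml):
# (role, operations permitted for that role). Anything no rule permits
# is denied, i.e. deny by default.
POLICY = [
    ("user", {"SubmitJob", "ListDirectory", "GetFile"}),
    ("admin", {"SubmitJob", "ListDirectory", "GetFile", "Shutdown"}),
]

def fetch_attributes(identity, source=ATTRIBUTE_SOURCE):
    """Step 1: fetch the caller's authz attributes by identity (DN).
    An unknown or banned identity simply has no attributes."""
    return dict(source.get(identity, {}))

def policy_permits(attributes, operation, policy=POLICY):
    """Step 2: the XACML callout, modelled as a role/operation match.
    Without a role attribute no rule matches, so the result is deny."""
    role = attributes.get("role")
    return any(r == role and operation in ops for r, ops in policy)

def authorize(identity, operation, source=ATTRIBUTE_SOURCE):
    """Run the chain for one web service call: return the attributes on
    success (so the request can be mapped to an xlogin) or raise
    AccessDenied, i.e. step 3, the "Access denied" fault."""
    attrs = fetch_attributes(identity, source)
    if not policy_permits(attrs, operation):
        raise AccessDenied(f"{identity} may not call {operation}")
    return attrs

def is_permitted(identity, operation, source=ATTRIBUTE_SOURCE):
    """True if the call would be allowed, False if it would be denied."""
    try:
        authorize(identity, operation, source)
    except AccessDenied:
        return False
    return True

def ban_user(identity, source):
    """Ban as described above: drop the user's attributes from the source,
    after which no policy rule can match and every operation is denied."""
    source.pop(identity, None)
```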
Network Usage
UNICORE/X will connect to
- UNICORE gateway(s)
- AuthZ attribute services (UVOS, XUUDB, SAML-VOMS) depending on configuration
- the Perl TSI daemon (depending on configuration)
- for file transfers, UNICORE/X needs to connect to gateways at other sites, so it must be able to make outbound connections
Firewall configuration
- inbound: the web server port and the TSI listener port listed under "Open ports" above
- outbound: see "Network Usage" above
Security recommendations
Do not run as root.
Security incompatibilities
None known.
Other security relevant comments
n/a
Utility scripts
n/a