Difference: CREAMConfigurationFile (6 vs. 7)

Revision 72012-12-07 - LisaZangrando

Line: 1 to 1
META TOPICPARENT name="SystemAdministratorDocumentation"

The CREAM configuration file for the EMI-2 release

Line: 8 to 8

The CREAM configuration file structure

The default location of the CREAM configuration file is /opt/glite/etc/glite-ce-cream/cream-config.xml. It is a XML file composed of a set of elements basically of three different types:
  • commandexecutor which defines the specific capabilities (e.g. delegation, job management, activity management) provided by CREAM
  • dataSource used for setting up the access to CREAM DB (MySQL)
  • authzchain which defines the security authorization layer based on ARGUS service or gJAF
  • JDBC dataSource used for setting up the access to CREAM DB (MySQL)
  • argus-pep or authzchain which define the security authorization layer based on ARGUS service or gJAF
  The configuration file looks like the following schema:
Line: 47 to 47

The Command Executor


The Command Executor configuration

 The commandexecuctor represents the implementation of specific functionality provided by CREAM (e.g. delegation, job management, activity management). At the current time CREAM provides three different commandexecuctors (BLAHExecutor, ActivityExecutor and DelegationExecutor) but new ones can be implemented and configured. The configuration of a commandexecutor is based on a well defined structure composed of a set of mandatory attributes and parameters which are specific for each executor:
Line: 72 to 72
  • category: the name of the category to which the commandexecutor belongs (e.g. DELEGATION_MANAGEMENT, JOB_MANAGEMENT, ACTIVITY_MANAGEMENT) (*)
  • commandqueuesize: the size of the in memory prefetched command queue (default: 500) (*)
  • commandqueueshared: must be set to false (default) if the command queue is used by a single CREAM; must be set to true if there are multiple CREAM services using a single command queue (i.e. multiple CREAM services managing a single farm) (*)
  • commandworkerpoolsize: the number of threads getting and satisfying user requests stored in the CREAM command queue (default: 50) (*)
  • commandworkerpoolsize: defines the internal parallelism degree in terms of the number of commands (e.g. the user requests) processed simultaneously by a pool of threads (i.e. the command workers). Those commands are fetched from the the CREAM's command queue. Please note that the parameter value can influence the overall CREAM performance (default: 50) (*)
  • filename: the path of the jar implementing the commandexecutor (*)

* please DO NOT change the default value which comes from the YAIM configuration.

Line: 204 to 204
  * please DO NOT change the default value which comes from the YAIM configuration.

The JDBC datasource configuration

CREAM relies on an external relational database to store its internal state (e.g. jobs, activities, delegations, commands queue, etc). This improves fault tolerance as it guarantees that this information is preserved across restarts of CREAM. Moreover, the use of a SQL database improves responsiveness of the service while performing queries which are needed by the usual CREAM operations, such as getting the list of jobs associated with a specific user. The CREAM deployment provides MySQL as preferred database, but any SQL database accessible through JDBC should be well supported although we don't have yet experience on it. Note that the database server can be installed on a dedicated host, or can share the same machine hosting CREAM. The JDBC connection is configured by the following template:

<dataSource name="datasource_name"
    username="the user" password="the password"
    validationQuery="SELECT 1"

We suggest not to change the default values coming from the YAIM configuration. Moreover please check the section 1.5.5 of the System Administrator Guide (i.e. https://wiki.italiangrid.it/twiki/bin/view/CREAM/SystemAdministratorGuideForEMI2) if you want to configure the CREAM databases on a host different than the CREAM service (by using YAIM).

The security authorization layer configuration

CREAM supports two different authorization systems based on the ARGUS authorization framework or the gJAF (grid Java Authorization Framework) system. The configuration depends on the authZ system selected. In case of ARGUS the XML section looks like this:

<adminlist filename="/etc/grid-security/admin-list"/>
<argus-pep name="pep-client1"
    <endpoint url="ARGUS_PEPD_ENDPOINTS" />

while the configuration of the gJAF system is:

<authzchain name="chain-1">
    <plugin name="localuserpip" classname="org.glite.ce.commonj.authz.gjaf.LocalUserPIP">
        <parameter name="glexec_bin_path" value="/usr/sbin/glexec" />
        <parameter name="glexec_probe_cmd" value="/usr/bin/id" />
        <parameter name="methods" value="JobRegister, putProxy, getProxyReq, renewProxyReq, getTerminationTime, destroy" />

    <plugin name="bannerpdp" classname="org.glite.ce.commonj.authz.gjaf.BlackListServicePDP">
        <parameter name="blackListFile" value="/etc/lcas/ban_users.db" />

    <plugin name="admincheckpip" classname="org.glite.ce.commonj.authz.gjaf.AdminCheckerPIP">
        <parameter name="adminList" value="/etc/grid-security/admin-list" />

    <plugin name="gridmappdp" classname="org.glite.ce.commonj.authz.gjaf.GridMapServicePDP">
      <parameter name="gridMapFile" value="/etc/grid-security/grid-mapfile" />

    <plugin name="vomspdp" classname="org.glite.ce.commonj.authz.gjaf.VomsServicePDP">
        <parameter name="gridMapFile" value="/etc/grid-security/grid-mapfile" />
  -- LisaZangrando - 2012-12-04
This site is powered by the TWiki collaboration platformCopyright © 2008-2022 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback