/usr/share/arc/examples/a-rex/arex_secure.xml.example is in nordugrid-arc-arex 1.1.1-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
<?xml version="1.0"?>
<ArcConfig
    xmlns="http://www.nordugrid.org/schemas/arcconfig/2009/08"
    xmlns:loader="http://www.nordugrid.org/schemas/loader/2009/08"
    xmlns:tcp="http://www.nordugrid.org/schemas/tcp/2009/08"
    xmlns:tls="http://www.nordugrid.org/schemas/tls/2009/08"
    xmlns:authz="http://www.nordugrid.org/schemas/arcauthz/2009/08"
    xmlns:idmap="http://www.nordugrid.org/schemas/identitymap/2009/10"
    xmlns:spdp="http://www.nordugrid.org/schemas/simplelistpdp/2009/08"
    xmlns:arex="http://www.nordugrid.org/schemas/a-rex/2009/08"
>
  <!-- Example A-REX configuration for arched with TLS, DN-based
       authorization and identity mapping. Every path, port and host name
       in this file is a sample value to be adapted before the file is
       deployed. -->
  <!-- Common configuration of the daemon -->
  <Server>
    <PidFile>/var/run/arched.pid</PidFile>
    <Logger>
      <!-- DEBUG is verbose; it helps while the chain is being set up but
           fills the log quickly, so choose a less chatty level once the
           service works. -->
      <Level>DEBUG</Level>
      <File>/var/log/arc/arched.log</File>
    </Logger>
  </Server>
  <!-- Where to find plugins -->
  <loader:ModuleManager>
    <loader:Path>/usr/lib/arc/</loader:Path>
  </loader:ModuleManager>
  <!-- Simply load all needed plugins (presumably one module per
       component, security handler and service used in the chain below). -->
  <loader:Plugins>
    <loader:Name>mcctcp</loader:Name>
    <loader:Name>mcctls</loader:Name>
    <loader:Name>mcchttp</loader:Name>
    <loader:Name>mccsoap</loader:Name>
    <loader:Name>arcshc</loader:Name>
    <loader:Name>identitymap</loader:Name>
    <loader:Name>arex</loader:Name>
  </loader:Plugins>
  <!-- Create a chain. Messages enter at the TCP component and follow the
       loader:next links: tcp, then tls, then http, then soap or the plexer
       (depending on the HTTP method), and finally the a-rex service. -->
  <loader:Chain>
    <!-- TCP listening socket. The same port number is used in the
         arex:endpoint URL further down. -->
    <loader:Component name="tcp.service" id="tcp">
      <loader:next id="tls"/>
      <tcp:Listen><tcp:Port>60000</tcp:Port></tcp:Listen>
    </loader:Component>
    <!-- Transport-level security. Both security handlers (authorization
         and identity mapping) are attached to this component with
         event="incoming", i.e. they are applied before a message reaches
         the HTTP component. -->
    <loader:Component name="tls.service" id="tls">
      <loader:next id="http"/>
      <!-- Location of server's security keys. The private key file should
           be readable only by the account running arched. -->
      <tls:KeyPath>/etc/grid-security/hostkey.pem</tls:KeyPath>
      <tls:CertificatePath>/etc/grid-security/hostcert.pem</tls:CertificatePath>
      <tls:CACertificatesDir>/etc/grid-security/certificates</tls:CACertificatesDir>
      <!-- Trust rule for VOMS server certificate DN chains. The regex ".*"
           appears to accept any DN chain, which is convenient for testing;
           for a production service replace it with a pattern matching only
           the DNs of the VOMS servers you actually trust. -->
      <tls:VOMSCertTrustDNChain>
        <tls:VOMSCertTrustRegex>.*</tls:VOMSCertTrustRegex>
      </tls:VOMSCertTrustDNChain>
      <!-- The SecHandler below calls the specified Policy Decision Point
           components. In this example only one PDP is defined, simplelist.pdp.
           This PDP compares the Distinguished Name of the connecting client
           against a list of allowed DNs stored in an external file, one per
           line. They may be enclosed in '"'. A client whose DN is not listed
           is expected to be rejected at this point. -->
      <loader:SecHandler name="arc.authz" id="pdps" event="incoming">
        <authz:PDP name="simplelist.pdp" spdp:location="/etc/grid-security/grid-mapfile"/>
      </loader:SecHandler>
      <!-- Evaluate the requestor's identity into a local identity.
           Comment this handler out if no user mapping is needed. -->
      <loader:SecHandler name="identity.map" id="map" event="incoming">
        <!-- Safe choice if all other rules failed. Here it is the only rule,
             so every authorized client appears to be mapped to the local
             account 'nobody' and shares it. -->
        <idmap:PDP name="allow.pdp"><idmap:LocalName>nobody</idmap:LocalName></idmap:PDP>
      </loader:SecHandler>
    </loader:Component>
    <!-- HTTP processing is done here. POST requests go to the SOAP parser;
         GET, PUT and HEAD go straight to the plexer. -->
    <loader:Component name="http.service" id="http">
      <loader:next id="soap">POST</loader:next>
      <loader:next id="plexer">GET</loader:next>
      <loader:next id="plexer">PUT</loader:next>
      <loader:next id="plexer">HEAD</loader:next>
    </loader:Component>
    <!-- This one parses content into an XML tree -->
    <loader:Component name="soap.service" id="soap">
      <loader:next id="plexer"/>
    </loader:Component>
    <!-- Directing messages to the proper service by URL path; only paths
         starting with /arex are routed here. -->
    <loader:Plexer name="plexer.service" id="plexer">
      <loader:next id="a-rex">^/arex</loader:next>
    </loader:Plexer>
    <!-- A-Rex service -->
    <loader:Service name="a-rex" id="a-rex">
      <!-- Optional endpoint element is advised in case of multiple IP
           addresses. Replace localhost with the host name clients will use;
           the port matches tcp:Port above. -->
      <arex:endpoint>https://localhost:60000/arex</arex:endpoint>
      <!-- Use information generated by the identity.map plugin or the
           default provided below. The default duplicates the identity.map
           fallback above. -->
      <arex:usermap><arex:defaultLocalName>nobody</arex:defaultLocalName></arex:usermap>
      <!-- The grid-manager part of a-rex requires a legacy configuration
           file. Use the arc_arex.conf example or write your own. -->
      <arex:gmconfig>/etc/arc_arex.conf</arex:gmconfig>
    </loader:Service>
  </loader:Chain>
</ArcConfig>