INCF / ids-tools

INCF Dataspace utilities

Create a ids-federate-zone script #4

Open brainstorm opened 11 years ago

brainstorm commented 11 years ago

Create a script that automates setting up a federation between two iRODS hosts:

https://www.irods.org/index.php/Federation_Administration

The script should be launched either as client (default) or server (by passing a --listen flag).

The idea would be to bundle a Flask daemon (or even just a SimpleHTTPServer instance) that runs on the DataSpace nodes and exposes a REST interface which allows both ends to federate with minimum human interaction.

Given iRODS servers A and B, A is a new institution willing to join the DataSpace federation. B is an existing node within DataSpace. A new federation would proceed as follows:

  1. `A` sends a `POST` request to `B`, requesting a federation for a given user#fqdn.
  2. `B` checks whether the user is registered within the system.
    1. If it is not there, 404 is returned with an accompanying JSON document describing the error.
    2. If it is there, `B` would check common iRODS ports on `A` (1247 and the RBUDP/TCP ranges).
      1. If some port is not open, 404 is returned with instructions on how to fix it.
      2. If the necessary ports are reachable and replying to iRODS, set up the federation with restrictive ACLs.
  3. Notify the administrator. A single authenticated command via REST should suffice to give full default ACL privileges on the new zone.

I might have omitted security and operational details, but I hope the idea is clear.

cansmith commented 10 years ago

Here is the flow for how a particular user will be checked to see if they have the rights to create a zone:

  1. Person has to be authenticated to INCF LDAP
  2. Person must be in ids-user group
  3. Examine person's email address and match domain against desired zone name.
  4. Do some quick checking of accessibility of irods server endpoint:
    1. use something like an iquest directed at them
    2. fall back to port probing to figure out connection issues if possible

After the zone is created, put the creator's user name in the zone comment field and only allow modifications/deletions in future from this user.
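As an added example that is not code from the ids-tools project or from either commenter: the checks described in both comments above (user registered, `ids-user` group membership, e-mail domain matching the requested zone, reachability of port 1247 on the requester, zone recorded with restrictive ACLs and the creator in its comment field, and creator-only removal) written as plain Python request handlers. The INCF LDAP directory, the zone table and the TCP probe are replaced by constructed stand-ins (`Directory`, `ZoneRegistry`, an injectable `reachable` callable), and the status codes the issue does not state (400, 403, 409, 201) are assumptions.

```python
"""Decision logic for an ids-federate-zone style request (constructed example)."""
import socket
from dataclasses import dataclass, field

IRODS_PORT = 1247            # iRODS control port named in the issue
REQUIRED_GROUP = "ids-user"  # LDAP group named in the second comment


@dataclass
class Directory:
    """Constructed stand-in for the INCF LDAP directory: username -> {"email", "groups"}."""
    users: dict

    def lookup(self, username):
        return self.users.get(username)


@dataclass
class ZoneRegistry:
    """Constructed stand-in for the zone table; each record carries a comment field."""
    zones: dict = field(default_factory=dict)


def tcp_reachable(host, port, timeout=2.0):
    """Default probe: one TCP connect with a timeout (the port-probing fallback from
    the second comment). Offline use passes a stub instead of this function."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def email_domain_matches_zone(email, zone):
    """Second-comment step 3: the e-mail domain must equal the requested zone name."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain == zone.lower()


def handle_federation_request(body, directory, registry, reachable=tcp_reachable):
    """Run the checks in the order the issue lists them; return (http_status, json_body).
    400/403/409/201 are assumed codes; the 404 cases are the ones the issue names."""
    user, zone, fqdn = body.get("user"), body.get("zone"), body.get("fqdn")
    if not (user and zone and fqdn):
        return 400, {"error": "user, zone and fqdn are required"}

    person = directory.lookup(user)
    if person is None:                                        # first comment, step 2.1
        return 404, {"error": "user is not registered", "user": user}
    if REQUIRED_GROUP not in person["groups"]:                # second comment, step 2
        return 403, {"error": f"user is not a member of {REQUIRED_GROUP}", "user": user}
    if not email_domain_matches_zone(person["email"], zone):  # second comment, step 3
        return 403, {"error": "e-mail domain does not match requested zone", "zone": zone}
    if zone in registry.zones:
        return 409, {"error": "zone already federated", "zone": zone}

    if not reachable(fqdn, IRODS_PORT):                       # first comment, step 2.2.1
        return 404, {
            "error": f"iRODS port {IRODS_PORT} on {fqdn} is not reachable",
            "instructions": f"allow TCP {IRODS_PORT} on {fqdn} from this host and retry",
        }

    # All checks passed: record the zone with restrictive ACLs and the creator in the
    # comment field so that later changes can be limited to that user.
    record = {"zone": zone, "fqdn": fqdn, "acl": "restrictive", "comment": f"creator={user}"}
    registry.zones[zone] = record
    return 201, record


def remove_zone(zone, user, registry):
    """Only the user named in the zone comment may remove (or modify) the zone."""
    record = registry.zones.get(zone)
    if record is None:
        return 404, {"error": "no such zone", "zone": zone}
    if record["comment"] != f"creator={user}":
        return 403, {"error": "only the zone creator may remove it", "zone": zone}
    del registry.zones[zone]
    return 200, {"removed": zone}


if __name__ == "__main__":
    # Constructed sample data; the probe stub avoids any network access.
    ldap = Directory({"alice": {"email": "alice@example.org", "groups": {REQUIRED_GROUP}}})
    registry = ZoneRegistry()
    req = {"user": "alice", "zone": "example.org", "fqdn": "irods.example.org"}
    print(handle_federation_request(req, ldap, registry, reachable=lambda h, p: True))
    print(remove_zone("example.org", "alice", registry))
```

The probe is injected rather than called directly so the handler can be exercised without touching the network, and so a deployment can swap the plain TCP connect for the `iquest`-style check the second comment prefers.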

cansmith commented 10 years ago

I've committed and pushed the first implementation of the zone services api. This one allows for adding and removing a new remote zone (and listing all zones). There is also a script (ids-federate-zone) that allows an iRODS admin to add their local zone to the incf zone, and will also add the incf zone locally if it doesn't already exist there.