diff --git a/CONFIGURATION.md b/CONFIGURATION.md index 61ec787..e135951 100644 --- a/CONFIGURATION.md +++ b/CONFIGURATION.md @@ -3,13 +3,14 @@ ## Certificates Both Teapot and StoRM WebDAV servers require `SSL` certificates. Teapot requires -a certificate/key pair for the machine's DNS name to be added to `/var/lib/teapot/webdav`, -the certificate should also be added to the system's trust store. To generate self-signed -certificates for StoRM WebDAV and add them to the trust store, run -`sudo self-signed-cert-gen.sh`. +a certificate/key pair for the machine's DNS name to be added to +`/var/lib/teapot/webdav`. The certificate should also be added to the system's +trust store. To generate self-signed certificates for StoRM WebDAV and add them +to the trust store, run `sudo /usr/share/teapot/self-signed-cert-gen.sh`. -In `teapot.py` line 945, uvicorn hostname needs to be replaced with the machine DNS name, -and paths to the certificate/key pair for that DNS name should be added here. +In `teapot.py` line 945, uvicorn hostname needs to be replaced with the machine +DNS name, and paths to the certificate/key pair for that DNS name should be +added here. ## Storm-webdav configuration 
@@ -20,24 +21,25 @@ Two main pieces of information are required to configure StoRM-WebDAV: ### Storage areas (SA) -Storage areas that are automatically assigned to each user should be defined in the -`storage-areas` file. `storage-areas` file should be manually added to `/etc/teapot/`. -It should contain a list of storage areas and their root paths. The information for -each storage area should be on a single line, separated by a single space. It is used -to automatically create configuration files for users. Here is an example of -`storage-areas` file content: -``` +Storage areas that are automatically assigned to each user should be defined in +the `storage-areas` file. `storage-areas` file should be manually added to +`/etc/teapot/`. It should contain a list of storage areas and their root paths. +The information for each storage area should be on a single line, separated by a +single space. It is used to automatically create configuration files for users. +Here is an example of `storage-areas` file content: + +```text default $HOME/interTwin extra $HOME/interTwin_extra ``` -For user-specific storage areas, configuration files must be created manually and -added to `/var/lib/teapot/user-$USER/sa/$SA_NAME.properties`. -Template for this can be found under `/templates/storage_element.properties` in -the repository or `/usr/share/teapot/storage_element.properties` upon installation, +For user-specific storage areas, configuration files must be created manually +and added to `/var/lib/teapot/user-$USER/sa/$SA_NAME.properties`. Template for +this can be found under `/templates/storage_element.properties` in the +repository or `/usr/share/teapot/storage_element.properties` upon installation, where the information defined in `storage-areas` must be added manually, or you -can follow the principles of the .properties files that are automatically generated -for SA in the `storage-areas` file. 
+can follow the principles of the .properties files that are automatically +generated for SA in the `storage-areas` file. For information on how to configure storage-areas, please refer to the [StoRM WebDAV Guidelines](https://github.com/italiangrid/storm-webdav/blob/master/doc/storage-area-configuration.md). 
@@ -51,33 +53,34 @@ details on authentication to the storage areas, refer to the To configure the OIDC provider information, make the following changes: -1. Modify the OIDC provider in `/etc/teapot/issuers` by changing the `name` - and `issuer` information. +1. Modify the OIDC provider in `/etc/teapot/issuers` by changing the `name` and + `issuer` information. 2. Modify the OIDC provider in `/usr/share/teapot/storage_authorizations` by modifying the `iss` information which stands for issuer. 3. Modify the OIDC providers that have access to the storage area by modifying the `org` information in `/usr/share/teapot/storage_element.properties`. -4. Modify the OIDC provider list in `teapot.py` under `flaat.set_trusted_OP_list`. +4. Modify the OIDC provider list in `teapot.py` under + `flaat.set_trusted_OP_list`. If no other way for mapping user's local and global identities is provided, the rudementary way is defined as explained next. The `user-mapping.csv` file is to -be manually added to `/etc/teapot`. It should contain information for mapping local -users' identities to their global identities as provided by the OIDC provider in form -of the subject (`sub`) claim. For each user, the local username and the user's sub -claim from the OIDC provider should be on a single line, separated by a single space. -E.g.: +be manually added to `/etc/teapot`. It should contain information for mapping +local users' identities to their global identities as provided by the OIDC +provider in form of the subject (`sub`) claim. For each user, the local username +and the user's sub claim from the OIDC provider should be on a single line, +separated by a single space. E.g.: -``` +```text user1 subclaim1 user2 subclaim2 ``` ## System certificates -To run Teapot, OpenSSL certificates may need to be adjusted. 
To do this please do the -following: In `OPENSSLDIR`, which can be found with `openssl version -d`, create a -symbolic link to the system ca-trust-source by typing -`sudo ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem cert.pem`. -The letsencrypt and geant/sectigo ca-certs may need to be added to the system +To run Teapot, OpenSSL certificates may need to be adjusted. To do this please +do the following: In `OPENSSLDIR`, which can be found with `openssl version -d`, +create a symbolic link to the system ca-trust-source by typing +`sudo ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem cert.pem`. The +letsencrypt and geant/sectigo ca-certs may need to be added to the system ca-trust-store `/etc/pki/ca-trust/source/anchors`, which is then updated using `sudo update-ca-trust`. diff --git a/README.md b/README.md index 9d281e5..5d22b23 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ Functional tests can be found in `/robot`. To execute them, run `robot teapot-te ## Version -The current version of Teapot is 0.6.0. +The current version of Teapot is 0..0. ## Authors diff --git a/Service_Reference_Card.md b/Service_Reference_Card.md index 24d3abe..747099c 100644 --- a/Service_Reference_Card.md +++ b/Service_Reference_Card.md 
@@ -12,15 +12,16 @@ start another StoRM-WebDAV server for that user in the same way. ## List of configuration files -All templates for configuration files are located in `/templates`. All -configuration files for each user are automatically generated in +All templates for configuration files are located in `/templates`. Teapot +configuration file can be found in `/etc/teapot/`. All configuration files for +StoRM-WebdDAV for each user are automatically generated in `/var/lib/teapot/user-$USER/` when user sends its first request. To provide the necessary information for configuration files and for more details on configuration files, please refer to [CONFIGURATION.md](https://github.com/interTwin-eu/teapot/blob/main/CONFIGURATION.md). `teapot.py` must be run as the `teapot` user, with the Python modules listed in `requirements.txt` and the sudoers permissions defined in the `templates/teapot` file. -Teapot is started by systemd using `teapot.service` file. +Teapot is started by systemd using the `teapot.service` file. ## Log files @@ -33,6 +34,6 @@ Teapot listens on port 8081. ## List of cron jobs -If you plan to run the `self-signed-cert-gen.sh` script to generate the self-signed -certificates for StoRM-WebDAV, the script will trigger a cron job to automatically renew -the certificate once a year. +If you run the `self-signed-cert-gen.sh` script to generate the self-signed +certificates for StoRM-WebDAV, the script will trigger a cron job to automatically +renew the certificate once a year.
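Review bot: in the CONFIGURATION.md Certificates hunk, "In `teapot.py` line 945" anchors a required edit to a source line number, which goes stale with the next change to `teapot.py`; point at the code by name instead (the `uvicorn` call where the hostname and the certificate/key paths are set), e.g. "In `teapot.py`, where `uvicorn` is started, replace the hostname with the machine DNS name". The new full path `sudo /usr/share/teapot/self-signed-cert-gen.sh` is an improvement; make sure the other mentions of the script (Service_Reference_Card.md) use the same path.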
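Review bot: in the Storage areas hunk, "`storage-areas` file should be manually added to `/etc/teapot/`" is missing its article; since the line is being rewritten anyway, make it "The `storage-areas` file must be added manually to `/etc/teapot/`", and give the file format its own sentence ("one storage area per line: name and root path, separated by a single space") so the example below it is unambiguous.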
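Review bot: in the OIDC hunk, the documented `user-mapping.csv` format carries only the local username and the `sub` claim, but `sub` is unique only within one issuer, and the same hunk describes several OIDC providers (`iss` in `storage_authorizations`, `org` in `storage_element.properties`, the `flaat.set_trusted_OP_list` list). Either state that the mapping is valid for a single issuer only, or extend the documented format with the issuer so two providers cannot hand out the same `sub` for different people. The unchanged context line also still spells "rudementary"; "rudimentary" is the correct spelling and could be fixed while the paragraph is reflowed.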
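Review bot: in the System certificates hunk, `sudo ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem cert.pem` and the anchors directory `/etc/pki/ca-trust/source/anchors` with `sudo update-ca-trust` are RHEL/Fedora-family paths and tools; say so, since the instruction is written as if it applied to any system. The `ln -s` is also run relative to `OPENSSLDIR` without a `cd`, and it fails if a `cert.pem` already exists there; spell out the `cd "$(openssl version -d | cut -d'"' -f2)"` step (or pass the absolute target) and mention backing up an existing `cert.pem` first. Finally, "please do the following: In `OPENSSLDIR`" should not capitalize after the colon.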
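Review bot: the README.md hunk replaces `0.6.0` with `0..0`, which is not a valid version string; this looks like an accidental deletion while bumping the version. Restore the intended value (presumably the next release number, or `0.6.0` if no bump was meant) before merging.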
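Review bot: the Service_Reference_Card.md "List of configuration files" hunk introduces the typo "StoRM-WebdDAV" on the added line; it should read "StoRM-WebDAV". The added sentence "Teapot configuration file can be found in `/etc/teapot/`" is also inaccurate in number: CONFIGURATION.md places several files there (`storage-areas`, `issuers`, `user-mapping.csv`), so write "Teapot configuration files can be found in `/etc/teapot/`".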
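Review bot: in the "List of cron jobs" hunk, the rewrapped middle line ("certificates for StoRM-WebDAV, the script will trigger a cron job to automatically") is 82 characters, longer than the 80-column limit the rest of this patch rewraps to; move "automatically" to the next line. Since CONFIGURATION.md now gives the script as `/usr/share/teapot/self-signed-cert-gen.sh`, use the same full path here rather than the bare `self-signed-cert-gen.sh`.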