Skip to content

DIRAC v7r1

Jump to bottom Edit New page
Andrii Lytovchenko edited this page Jun 15, 2020 · 24 revisions

MySQL versions supported

[TECH PREVIEW] MySQL version 8 is now in pre-supported mode: the tests that we have done didn't show any issue, but are not conclusive.

Framework

[TECH PREVIEW] ThreadPool - replaced by ThreadPoolExecutor(native python). To activate please set the DIRAC_USE_NEWTHREADPOOL=yes environment variable in bashrc.

Dynamic instantiation of the FileCatalog plugins

FileCatalog is now instantiating plugins using ObjectLoader mechanism, which allows to provide plugins in extensions. One side effect is that SecurityPolicy plugins are dropped and the only one exisiting VOMSPolicy became VOMSSecurityManager. For those installations that used PolicyBasedSecurityManager, the configuration should be changed in order to use VOMSSecurityManager instead.

Changes in the X.509 certificate proxies management

The DIRAC ProxyManager services keeps uploaded long-living proxies in order to provide them for asynchronous operations performed on the user's behalf. Proxies with different user's groups were uploaded independently. Starting from this release only one proxy is uploaded per user without an embedded DIRAC group extension. As a consequence, there will be no DIRAC group value in the output of dirac-proxy-init|upload commands and in the Web Portal Proxy Manager application. When a user proxy with a particular group will be requested by some DIRAC service, the proxy will be dressed with the DIRAC group extension on the fly and then delegated to the target component.

The already uploaded proxies with the DIRAC group extension embedded are still valid and will be used if no more recent proxy is available. If a user deletes the proxy from the ProxyManager, then proxies for all the user groups will be no more available. This differs from the current behavior where the user can delete only the proxy with a particular user group and keep other proxies uploaded.

To protect against the possibility of downloading a proxy certificate with a specific group, the group option DownloadableProxy is implemented. If no value is set, then a proxy with this group is allowed to load by default.

Changes in APIs for Resources Helpers (ConfigurationSystem)

PR https://github.com/DIRACGrid/DIRAC/pull/4491 makes order in the CS helpers for the /Resources CS section. The helpers DIRAC.Core.Utilities.SiteCEMapping and DIRAC.Core.Utilities.SitesDIRACGOCDBMapping are now deprecated in favor of DIRAC.ConfigurationSystem.Client.Helpers.Resources. While backward compatibility will be maintained, you are invited to adjust your DIRAC extension accordingly.

Replacement of PyGSI with M2Crypto

The home made wrapper of openssl (pyGSI) is deprecated in favour of the standard M2Crypto library. It was first made available in v7r0, is the default as of v7r1 and will be removed in v7r2.

M2Crypto (or any standard tool that respects TLS..) will be stricter than PyGSI. So you may need to adapt your environment a bit. Here are a few hints:

  • SAN in your certificates: if you are contacting a machine using its aliases, make sure that all the aliases are in the SubjectAlternativeName (SAN) field of the certificates
  • FQDN in the configuration: SAN normally contains only FQDN, so make sure you use the FQDN in the CS as well (e.g. mymachine.cern.ch and not mymachine)
  • ComponentInstaller screwed: like any change you do on your hosts, the ComponentInstaller will duplicate the entry. So if you change the CS to put FQDN, the machine will appear twice.

If needed, it can be temporarily disabled by setting the environment variable DIRAC_USE_M2CRYPTO to No.

Add a custom footer
Add a custom sidebar
Clone this wiki locally