
Prerequisites

Grid-SAFE is a Java application that normally runs in Tomcat and uses a MySQL database to store data. There is also a command-line tool that allows most operations to be performed without Tomcat running, though this still requires MySQL.

MySQL

Grid-SAFE requires a MySQL database, which can be downloaded from the MySQL website. We recommend using mysql-5.0 or above.

Set up the database

A database, <gridsafe-database>, needs to be created.

        mysql> create database <gridsafe-database>;

e.g.

        mysql> create database gridsafe;

A user should be created with read and write access to the database.

        mysql> GRANT ALL PRIVILEGES ON <gridsafe-database>.* TO '<gridsafe-username>'@'localhost' IDENTIFIED BY '<gridsafe-password>';
        Query OK, 0 rows affected (0.00 sec)

e.g.

        mysql> GRANT ALL PRIVILEGES ON gridsafe.* TO 'gridsafe'@'localhost' IDENTIFIED BY 'gridsafe';
        Query OK, 0 rows affected (0.00 sec)

It is not necessary to create any tables in the database as Grid-SAFE will automatically create any required tables as needed.

Java

Grid-SAFE uses some features of Java 5, so Java 5 or a higher version must be downloaded and installed from the Java website. You need to install a JDK version of Java, as this is required by Tomcat.

The remaining prerequisites apply only to the web-portal, not to the command-line tools.

Tomcat

Apache Tomcat is also required for the web-portal. Tomcat can be downloaded from the Tomcat website, which also provides documentation for installing and setting up Tomcat. We develop against recent versions of Tomcat 5.5, though the software should also work with Tomcat 6.

Apache Web server

The web-portal expects authentication to be handled by the Tomcat container or by a separate web server (such as Apache) acting as a front-end to Tomcat. Tomcat supports a number of different authentication mechanisms, and if these meet your requirements you can run Tomcat as a stand-alone application container. A much wider selection of authentication mechanisms is available if you use a web-server front-end. Use whatever mechanism best suits your needs, but it will be easier to configure the reports if the username somebody uses to authenticate with the web server/Tomcat matches their username on the HPC service.

To use Apache as a front-end to Tomcat you need to install an AJP connector module into the web server. The ajp_proxy that comes as part of the apache-2.2 distribution is suitable for this. When building from source, specify the --enable-proxy --enable-proxy-ajp flags to configure to make sure this module is built.

In the apache configuration restrict access to the application URL using a Location statement.

<Location /gridsafe>
AuthType Basic
AuthName "Grid-SAFE login"
AuthUserFile /etc/apache/conf/password
AuthGroupFile /etc/apache/conf/group
Require valid-user
</Location>

Note that if you wish to upload new accounting data through HTTP rather than using the command-line tools, the data will be posted to the UploadServlet URL, so you may wish to configure additional constraints on this URL.

You then need to tell apache to pass on all requests below this URL to tomcat.

<Location /gridsafe/>
   ProxyPass ajp://localhost:8009/gridsafe/
</Location>

Set up the Tomcat

For a production server it is important to run the Tomcat daemon in headless mode. To do this, run

        export CATALINA_OPTS="-Djava.awt.headless=true"

on the command line or in the Tomcat startup script.

Tomcat Authentication configuration

By default Tomcat ignores any authentication information passed from Apache. If you wish to use Apache to perform authentication you need to edit the AJP connector entry in the server.xml file (in Tomcat's configuration directory) to use the username as generated by the web server.

   <Connector port="8009" tomcatAuthentication="false"
               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
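
With tomcatAuthentication="false" Tomcat accepts the username supplied over AJP, so port 8009 must only be reachable from the front-end web server. The following check is an added example, not part of the Grid-SAFE documentation: it audits a server.xml for AJP connectors that trust the front-end without being bound to a loopback address. The sample fragments are constructed, and it assumes the Tomcat 5.5/6 behaviour where a connector with no address attribute listens on all interfaces.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not from a real deployment).
SAMPLE_EXPOSED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" tomcatAuthentication="false"
             enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
</Service></Server>"""

# Same connector, pinned to loopback with the address attribute.
SAMPLE_LOOPBACK = SAMPLE_EXPOSED.replace(
    'port="8009"', 'port="8009" address="127.0.0.1"')


def is_loopback(address):
    """True if the connector's address attribute is a loopback address."""
    if address is None:      # assumption: Tomcat 5.5/6 then binds all interfaces
        return False
    if address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:       # other hostnames cannot be classified offline
        return False


def audit_ajp_connectors(server_xml):
    """Return findings for AJP connectors that accept the front-end's
    username while listening on a non-loopback address."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        trusts_frontend = conn.get("tomcatAuthentication", "true").lower() == "false"
        if trusts_frontend and not is_loopback(conn.get("address")):
            findings.append(
                "AJP connector on port %s accepts the front-end's username "
                "but is bound to %s"
                % (conn.get("port"), conn.get("address") or "all interfaces"))
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("loopback", SAMPLE_LOOPBACK)):
        print(name, audit_ajp_connectors(text) or "ok")
```

If Apache runs on a different host from Tomcat, replace the loopback test with a check against the front-end's address and restrict port 8009 to that host with a firewall rule.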

If your preferred authentication mechanism is available directly in Tomcat you can omit the Apache web server entirely. However, this means you will need to unpack the war file in order to modify the web.xml to define security constraints for the application, e.g.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Upload servlet</web-resource-name>
      <url-pattern>/UploadServlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>upload</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>WEBAPP</realm-name>
  </login-config>
  <security-role>
    <description>Data upload role</description>
    <role-name>upload</role-name>
  </security-role>
  <security-role>
    <description>Any user of the system</description>
    <role-name>user</role-name>
  </security-role>

Unfortunately it is not possible to have a single web.xml file that works with both apache and tomcat authentication or to override these settings at the container level.

Database configuration

Next, the database connection needs to be configured so that Grid-SAFE can connect to the database. This requires a number of Configuration Properties to be set, e.g.

db_driver=com.mysql.jdbc.Driver
db_username=demo
db_password=demo
db_name=jdbc:mysql://localhost/demo

There are several places you can set these:

  • On the java command line
  • In the deploy-config.properties file inside the application jar/war file
  • In the war file configuration XML file

If you are using the Tomcat XML configuration file you also have the option to configure a Database Connection Pool (DBCP) (see the Tomcat documentation). For example, add a gridsafe.xml containing a description of the resource to the /opt/apache-tomcat-5.5.27/conf/Catalina/localhost directory and add the JDBC driver (mysql-connector-java-5.1.6-bin) to the /opt/apache-tomcat-5.5.27/common/lib directory. (NOTE: This file, which we have named gridsafe.xml, must have the same name as the service you are running, i.e. the same name as the war file or the directory in ${catalina.home}/webapps/ that the service is deployed in.)

        <?xml version="1.0" encoding="UTF-8"?>
        <Context
            privileged="true"
            antiResourceLocking="false"
            antiJARLocking="false">
            <Resource
                name="jdbc/gridsafeDB"
                auth="Container"
                type="javax.sql.DataSource"
                removeAbandoned="true"
                removeAbandonedTimeout="30"
                maxActive="100"
                maxIdle="30"
                maxWait="10000"
                username="<your-username>"
                password="<your-password>"
                driverClassName="com.mysql.jdbc.Driver"
                url="jdbc:mysql://localhost/gridsafe"/>
            <Parameter name="connection.pool" value="jdbc/gridsafeDB" override="true" />
        </Context>

You can also override gridsafe configuration properties in this xml file. In the above example we are changing the name of the connection pool but other parameters can also be overridden in this way.

 

Grid-SAFE was funded by JISC and is maintained, developed, and managed by EPCC at the University of Edinburgh