search

Service Reference Card

The Accounting service is made up of three containers

hashtag
Daemons running

hashtag
APEL REST Interface

  • httpd

  • crond

  • atd

hashtag
APEL Server

  • apeldbloader-cloud

  • crond

hashtag
Init commands (services started on container creation)

hashtag
APEL REST Interface

  • service httpd start

  • service crond start

  • service atd start

hashtag
APEL Server

  • service apeldbloader-cloud start

  • service crond start

hashtag
Configuration file locations

hashtag
APEL REST Interface

  • /etc/httpd/conf.d/apel_rest_api.conf - forces SSL.

  • /etc/httpd/conf.d/ssl.conf - configures SSL.

hashtag
APEL Server

  • /etc/apel/cloudloader.cfg - configuration for the loader.

  • /etc/apel/cloudsummariser.cfg - configuration for the summariser.

hashtag
Logfile locations

hashtag
APEL REST Interface

  • /var/log/httpd/error_log - the log file for the Django interface. All such messages get captured by the Apache server and are treated as errors

hashtag
APEL Server

  • /var/log/cloud/loader.log - log file for the loader.

  • /var/log/cloud/summariser.log - log file for the summariser.

hashtag
Open ports

  • 80 - all traffic to this port is forwarded to port 443 by the Apache server.

  • 443 - the Apache server forwards (HTTPS) traffic to the APEL server, which returns a Django view for recognised URL patterns.

  • 3306 - used by the APEL server service and the MySQL service to communicate with each other.

hashtag
Possible unit test of the service

  • Continuous integration tests conducted during development via TravisCIarrow-up-right.

  • For end to end testing, data could be POSTED to the endpoint, summarised and then retrieved from the GET endpoint.

hashtag
Where is service state held (and can it be rebuilt)

  • Service is deployed in a docker container, do not rebuild released docker containers without incrementing package information in version, i.e 1.1.0-1 => 1.1.0-2

hashtag
Cron jobs

hashtag
APEL REST Interface

  • /etc/cron.d/cloudsummariser - runs the summariser.

hashtag
APEL Server

  • /etc/cron.d/IGTF-bundle-update - updates the IGTF bundle on the first day of the month.

  • /etc/cron.d/fetch-crl - updates the Certificate Revocation Lists every 6 hours

hashtag
Security information

The APEL REST Interface container is the only container with a public endpoint, as such it deals with authentication & authorization.

hashtag
Access control Mechanism description (authentication & authorization)

  • X.509 certificates for POST requests

  • IAM tokens for GET requests

hashtag
How to block/ban a user

  • To ban users accessing summaries, remove them from ALLOWED_FOR_GET in /var/www/html/yaml/apel_rest_interface.env.

  • To ban users sending job records, perhaps because a provider in the Indigo provider list is negatively effecting the quality of the service for users by bulk reppublishing, add their HostDN to BANNED_FROM_POST in /var/www/html/yaml/apel_rest_interface.env.

  • Additional users, not on the providers list, can also be granted POST rights, by adding their HostDN to ALLOWED_TO_POST in /var/www/html/yaml/apel_rest_interface.env.

  • Any changes to /var/www/html/yaml/apel_rest_interface.env require a container restart to take effect.

hashtag
Network Usage

  • Managed by the Kubernetes cluster.

hashtag
Firewall configuration

  • Managed by the Kubernetes cluster.

hashtag
Security recommendations

  • Do not use a self signed certifcate in production.

PreviousDeployment and Administration guideNextUser guide

Last updated