...

Name (Default; Type/Unit): Comment

  • sftp.usetmp ("true"; boolean): Force using a temporary name when transmitting a file to the remote SFTP server. Once the transmission has completed successfully, the file is renamed with its final target name.
  • sftp.mkdirs ("true"; boolean): Allow creating the directory named by the target pathname, including any necessary but non-existent parent directories.
  • sftp.prefix (no default; string): When using the "usetmp" option, this option allows setting the prefix to use for the temporary file name (e.g. ".").
  • sftp.suffix (no default; string): When using the "usetmp" option, this option allows setting the suffix to use for the temporary file name (e.g. ".tmp").
  • sftp.chmod (no default; string): If set, the file mode is changed according to the value of this option once a file has been uploaded successfully (e.g. "640").
  • sftp.ignoreCheck ("false"; boolean): If set, the remote size of the file is not checked after an upload has completed. If not set, the remote size of the uploaded file is checked and compared against the size of the source file.
  • sftp.execCode ("0"; integer): Allows specifying the expected exit code of the command (or list of commands) started with the "execCmd" option. If the exit code differs from the one specified in this parameter, the transmission is tagged as failed.
  • sftp.execCmd (no default; string): Allows specifying a command (or list of commands) to execute on the SSH server once a file has been transmitted (multiple commands can be separated with semicolons). The parameter "$filename" can be used in the commands; it gives the name of the file transmitted (source or target, depending on whether the transmission was an upload or a download).
  • sftp.kex (no default; string): Allows specifying the key exchange algorithms to allow (e.g. "ecdh-sha2-nistp256,ecdh-sha2-nistp384"). The list of valid algorithms can be found at http://www.jcraft.com/jsch/README (multiple algorithms can be separated with commas). By default all supported algorithms are allowed.
  • sftp.cipher (no default; string): Allows specifying the cipher algorithms to allow (e.g. "aes128-cbc,3des-cbc,blowfish-cbc"). The list of valid algorithms can be found at http://www.jcraft.com/jsch/README (multiple algorithms can be separated with commas). By default all supported algorithms are allowed.
  • sftp.compression (no default; string): Allows specifying the compression algorithms to allow (e.g. "zlib,none"). The list of valid algorithms can be found at http://www.jcraft.com/jsch/README (multiple algorithms can be separated with commas). By default all supported algorithms are allowed.
  • sftp.fingerPrint (no default; string): Allows specifying a key's fingerprint: the lower-case hexadecimal representation of the MD5 of the key (e.g. "22:fb:ee:fe:18:cd:aa:9a:9c:78:89:9f:b4:78:75:b4"). If a key's fingerprint is defined, it is compared against the fingerprint of the remote SFTP server's key when connecting; if it does not match, the connection is rejected.
  • sftp.passPhrase (no default; string): The passphrase necessary to access the private key when the "privateKey" or "privateKeyFile" option is used. This option is only required if the private key is protected.
  • sftp.privateKeyFile (no default; string): Adds a private key to be used for public-key authentication. The private key should be in the PEM format, in a file accessible from the ECaccess Gateway (the file permissions should be set accordingly). This option contains the name of the file (e.g. "/home/uid/.ssh/mykey.pem").
  • sftp.privateKey (no default; string): Adds a private key to be used for public-key authentication. The private key should be in the PEM format. See the example of a multi-line "sftp.privateKey" entry below.
  • sftp.listenAddress (no default; string): Allows specifying the source address used by the SFTP client when connecting to the remote SFTP server. By default, the system picks a valid local address.
  • sftp.sessionTimeOut ("60000"; milliseconds): This value is used as the socket timeout, and also as the default connection timeout. The value must be > 0. A timeout of zero is interpreted as an infinite timeout.
  • sftp.connectTimeOut (no default; milliseconds): This value is used as the connection timeout. The value must be > 0. A timeout of zero is interpreted as an infinite timeout. The default value is the same as the "sessionTimeOut" value.
  • sftp.mksuffix ("false"; boolean): If set, the SFTP client generates a random 3-character suffix for the "usetmp" option (e.g. ".3te").
  • sftp.port ("22"; short): Allows specifying the port number of the remote SFTP server to connect to.
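
As an added illustration (example code written for this page, not ECaccess or ECtrans code), the following Python snippet parses a fragment of "ecmwf.properties"-style options, including a multi-line "sftp.privateKey" value in the form described on this page, and then runs a few defender-side sanity checks on the sftp.* options documented above: port, "chmod" and "execCode" formats, that "sftp.fingerPrint" is present and is 16 lower-case hex bytes, legacy CBC/RC4 ciphers left in "sftp.cipher", "sftp.ignoreCheck" disabling the size check, and an encrypted key without "sftp.passPhrase". The quoted-value syntax, the sample values and the legacy-cipher list are the example's own assumptions; the key body is a placeholder, not a real key.

```python
"""Example code added for this page (not ECaccess/ECtrans code): parse a
properties-style fragment with multi-line quoted values and sanity-check
the sftp.* options described above."""
import re

# Constructed sample. The multi-line value follows the convention described
# on this page: an opening line `sftp.privateKey="` and a closing line `"`.
# The key body is a placeholder, not a real key; other values are assumptions.
SAMPLE = '''\
sftp.port="22"
sftp.usetmp="true"
sftp.suffix=".tmp"
sftp.chmod="640"
sftp.kex="ecdh-sha2-nistp256,ecdh-sha2-nistp384"
sftp.cipher="aes128-cbc,3des-cbc,blowfish-cbc"
sftp.fingerPrint="22:fb:ee:fe:18:cd:aa:9a:9c:78:89:9f:b4:78:75:b4"
sftp.privateKey="
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,PLACEHOLDER

PLACEHOLDER-KEY-BODY
-----END DSA PRIVATE KEY-----
"
'''

FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")  # 16-byte MD5, lower-case hex
# Legacy SSH ciphers this example flags (the example's own policy list).
LEGACY_CIPHERS = {"3des-cbc", "blowfish-cbc", "arcfour", "arcfour128", "arcfour256"}


def parse_options(text):
    """Return {key: value}. A line ending in `="` opens a multi-line value that
    runs until a line consisting of a single `"`; the body is kept verbatim."""
    opts, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        key, sep, rest = line.partition("=")
        if not sep:
            raise ValueError(f"line {i}: expected key=value, got {line!r}")
        key = key.strip()
        if rest == '"':
            body = []
            while i < len(lines) and lines[i].rstrip() != '"':
                body.append(lines[i])
                i += 1
            if i >= len(lines):
                raise ValueError(f'{key}: multi-line value not closed by a line containing only "')
            i += 1  # skip the closing quote line
            opts[key] = "\n".join(body)
        else:
            opts[key] = rest.strip().strip('"')
    return opts


def check_sftp_options(opts):
    """Return a list of problems found in the sftp.* options (empty = clean)."""
    problems = []
    port = opts.get("sftp.port", "22")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"sftp.port must be a port number, got {port!r}")
    if "sftp.chmod" in opts and not re.fullmatch(r"[0-7]{3,4}", opts["sftp.chmod"]):
        problems.append(f"sftp.chmod must be an octal mode such as 640, got {opts['sftp.chmod']!r}")
    if "sftp.execCode" in opts and not opts["sftp.execCode"].lstrip("-").isdigit():
        problems.append("sftp.execCode must be an integer")
    fp = opts.get("sftp.fingerPrint")
    if fp is None:
        problems.append("sftp.fingerPrint not set: the remote host key is not pinned")
    elif not FINGERPRINT_RE.match(fp):
        problems.append("sftp.fingerPrint must be 16 lower-case hex bytes separated by ':'")
    for name in ("sftp.kex", "sftp.cipher", "sftp.compression"):
        if name in opts and any(not a.strip() for a in opts[name].split(",")):
            problems.append(f"{name}: empty entry in the comma-separated list")
    legacy = LEGACY_CIPHERS & {a.strip() for a in opts.get("sftp.cipher", "").split(",")}
    if legacy:
        problems.append(f"sftp.cipher allows legacy algorithms: {sorted(legacy)}")
    if opts.get("sftp.ignoreCheck") == "true":
        problems.append("sftp.ignoreCheck is true: the size of uploaded files is not verified")
    key = opts.get("sftp.privateKey")
    if key is not None:
        if not (key.startswith("-----BEGIN") and key.rstrip().endswith("PRIVATE KEY-----")):
            problems.append("sftp.privateKey is not a PEM private key block")
        if "Proc-Type: 4,ENCRYPTED" in key and "sftp.passPhrase" not in opts:
            problems.append("sftp.privateKey is encrypted but sftp.passPhrase is not set")
    return problems


if __name__ == "__main__":
    for p in check_sftp_options(parse_options(SAMPLE)):
        print("WARNING:", p)
```

Run as a script it reports two findings for the constructed sample: the legacy ciphers in "sftp.cipher" and the encrypted key with no "sftp.passPhrase". The parser deliberately keeps the key body verbatim, so a stray space before the closing `"` line does not swallow the rest of the file.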

Example of a multi-line "sftp.privateKey" entry:

sftp.privateKey="
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2AEF2CF4618CA866

HFYVuVUSTdJacwFiaTcY3I5jUHaVIYdDQHIZarzox/ikWC6rN7uJbwPrZZPH+WV1
PfwX9yC7jVlUSgPu7o8fSdEhBaPZQ0NZ7Gq3cOpsRYicRa3F4GebK748m8VZLXLe
(...)
b4DxuN8evYgV/M9V76JoW5TDiizgst86w915bjM/gl+mVPPH/XitSOpaADtHSpDv
ph1kgY1fjwt5le+i66AnLmbJ4cLLAMz3
-----END DSA PRIVATE KEY-----
"

As shown in the example above, the first line should always be sftp.privateKey=" and the last line should always be ", with the content of the private key in between.

The genericExec Options

The purpose of this ECtrans Module is to transmit a file on the file system of the ECaccess Gateway and start a script after the transmission has completed successfully. However, this module has a limitation: the script can only be started under the user identifier used to run the ECaccess Gateway. If a user needs a script to be started under their own user identifier after a file has been transferred successfully, the "genericSftp" module should be used instead, with the help of the "execCmd" option. An alternative is to perform a "su - $ecuser" in the script body (provided the "$ecuser" uid exists on the system; otherwise a mapping between ECMWF users and local users could be implemented in the script).

Most of the options can only be set in the configuration file of the ECaccess Gateway, the "ecmwf.properties" file. Otherwise, anyone with an ECtrans Association could start virtually any command on the server hosting the ECaccess Gateway, which could lead to a security breach.

The only parameter which can be customized through the ECtrans Association is the following:

Name (Default; Type/Unit): Comment

  • returnCode ("0"; integer): Allows specifying the expected exit code of the script started with the "script" option in the ECaccess Gateway configuration file. If the exit code differs from the one specified in this parameter, the transmission is tagged as failed. This option is only used in the "synchronous" mode (see the table below); otherwise the script is started in the background and ECtrans does not wait for the exit code.

The following options can be set in the "ecmwf.properties" file, in the "ExecModule" group of parameters:

Name (Default; Type/Unit): Comment

  • returnCode ("0"; integer): Allows specifying the expected exit code of the command started with the "script" option. If the exit code differs from the one specified in this parameter, the transmission is tagged as failed. This value can be overwritten in the ECtrans Association. This option is only used when the "synchronous" option is set to "true"; otherwise the script is started in the background and ECtrans does not wait for the exit code.
  • script ("${ecmwf.dir}/gateway/bin/ectrans"; string): Allows specifying the script to execute on the ECaccess Gateway once a file has been transmitted.
  • dir (no default; string): Sets the working directory for the data transmission.
  • synchronous ("true"; boolean): If set, the script is started and ECtrans waits for the exit code to return. If not set, the script is started in the background and ECtrans does not wait for the exit code.
  • usePipe ("false"; boolean): If set, the arguments (parameters) of the script are sent one per line to the standard input stream of the process running the script. If not set, the arguments are passed to the script on the command line. This option can be useful to hide the arguments passed to the script, which could otherwise be seen with a "ps" command run on the system.
  • args (no default; string): This is the string which is passed to the script for execution, e.g. args="-user $ecuser -filename $target". The args string can take the following parameters:
      • $msuser[name]: name of the association.
      • $msuser[comment]: comment.
      • $msuser[dir]: target directory.
      • $msuser[host]: target host.
      • $msuser[login]: login identifier.
      • $msuser[passwd]: password.
      • $msuser[password]: alias to $msuser[passwd].
      • $ecuser[name]: ECMWF user-name.
      • $ecuser[uid]: ECMWF user-identifier.
      • $ecuser[gid]: ECMWF group-identifier.
      • $ecuser[dir]: ECMWF home directory.
      • $ecuser[shell]: ECMWF login shell.
      • $ecuser[comment]: ECMWF comment.
      • $ecuser: alias to $ecuser[name].
      • $target: target file name (absolute path).
      • $location: target
      • $dir: working directory as defined in the "dir" option.
      • $password: alias to $msuser[passwd].
  • mkdirs ("true"; boolean): Allow creating the directory named by the target pathname, including any necessary but non-existent parent directories.
  • usetmp ("true"; boolean): Force using a temporary name when transmitting a file to the ECaccess Gateway. Once the transmission has completed successfully, and before the script is started, the file is renamed with its final target name.
  • prefix (no default; string): When using the "usetmp" option, this option allows setting the prefix to use for the temporary file name (e.g. ".").
  • suffix (no default; string): When using the "usetmp" option, this option allows setting the suffix to use for the temporary file name (e.g. ".tmp").
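
As an added example (written for this page, not ECaccess or ECtrans code), the following Python snippet expands the "args" parameters listed above, builds the script invocation with and without "usePipe", and runs it the way the "synchronous" and "returnCode" options describe. It makes visible the point of "usePipe": with it, a value such as $msuser[passwd] travels on the script's standard input rather than on a command line that "ps" can display. The user records, script path, and the shell-style (shlex) splitting of the expanded args string are this example's own assumptions; $location is left out because its description is truncated on the page.

```python
"""Example code added for this page (not ECaccess/ECtrans code): expand the
"args" parameters documented above and show how "usePipe", "synchronous" and
"returnCode" change how the script is started. Paths, user records and the
shlex-style splitting of the expanded args string are assumptions."""
import re
import shlex
import subprocess

# Constructed sample records for the $msuser[...] and $ecuser[...] parameters.
MSUSER = {"name": "nightly-export", "comment": "nightly export", "dir": "/data/out",
          "host": "sftp.example.org", "login": "svc", "passwd": "s3cret-pass"}
ECUSER = {"name": "jdoe", "uid": "1001", "gid": "100", "dir": "/home/jdoe",
          "shell": "/bin/bash", "comment": "J. Doe"}

# $msuser[field], $ecuser[field], and the bare aliases listed in the table
# ($location is omitted: its description is truncated on the page).
PARAM_RE = re.compile(
    r"\$(?:(?P<grp>msuser|ecuser)\[(?P<field>\w+)\]|(?P<name>ecuser|target|dir|password)\b)")


def expand_args(template, msuser, ecuser, target, workdir):
    """Substitute the documented parameters; unknown ones are left untouched."""
    aliases = {"ecuser": ecuser["name"], "target": target, "dir": workdir,
               "password": msuser["passwd"]}

    def repl(m):
        if m.group("grp"):
            table = msuser if m.group("grp") == "msuser" else ecuser
            field = "passwd" if m.group("field") == "password" else m.group("field")
            return table.get(field, m.group(0))
        return aliases.get(m.group("name"), m.group(0))

    return PARAM_RE.sub(repl, template)


def build_invocation(script, args_string, use_pipe, msuser, ecuser, target, workdir):
    """Return (argv, stdin_text). With usePipe the expanded arguments are sent one
    per line on standard input instead of the command line, so secrets such as
    $msuser[passwd] do not appear in `ps` output."""
    params = shlex.split(expand_args(args_string, msuser, ecuser, target, workdir))
    if use_pipe:
        return [script], "".join(p + "\n" for p in params)
    return [script] + params, None


def run_script(argv, stdin_text, expected_code=0, synchronous=True):
    """Run the script as the "synchronous"/"returnCode" options describe: wait and
    compare the exit code when synchronous, otherwise start it in the background
    and return None because no exit code is awaited."""
    if synchronous:
        done = subprocess.run(argv, input=stdin_text, text=True)
        return done.returncode == expected_code
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE if stdin_text else None, text=True)
    if stdin_text:
        proc.stdin.write(stdin_text)
        proc.stdin.close()
    return None


if __name__ == "__main__":
    # Placeholder standing in for ${ecmwf.dir}/gateway/bin/ectrans.
    script = "/path/to/ecmwf/gateway/bin/ectrans"
    for use_pipe in (False, True):
        argv, stdin_text = build_invocation(
            script, "-user $ecuser -pass $msuser[passwd] -filename $target",
            use_pipe, MSUSER, ECUSER, "/data/out/fc.grib", "/data/out")
        print("usePipe=%s argv=%s stdin=%r" % (use_pipe, argv, stdin_text))
```

Running it prints the two invocations side by side: without "usePipe" the password is an argv element, with it argv is just the script path and the password sits only in the text written to the script's standard input. The background branch of run_script returns None on purpose, which mirrors the documented behaviour that "returnCode" is ignored when "synchronous" is not set.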

...