Difference between revisions of "Administrator manual 0.9"
| (20 intermediate revisions by 4 users not shown) | |||
| Line 6: | Line 6: | ||
* [[Installation|Instructions for installing the latest build of Archivematica on your server]] | * [[Installation|Instructions for installing the latest build of Archivematica on your server]] | ||
| − | = | + | = Configuration = |
| − | * | + | |
| + | ==Database configuration== | ||
| + | |||
| + | Archivematica stores working data in MySQL. Archivematica, by default, creates a user named "demo" with the password "demo", but you may wish to create a new user with a stronger password. Here's how you can create a unique MySQL user for Archivematica and grant it the appropriate permissions if need be. | ||
| + | |||
| + | Enter the MySQL shell as the "root" user: | ||
| + | |||
| + | $ mysql -u root -p<root password> | ||
| + | |||
| + | Specify a MySQL user (named "archivematica" in this example with a password of "somepassword") with full access to the Archivematica's MySQL database: | ||
| + | |||
| + | mysql> GRANT ALL PRIVILEGES ON MCP.* TO 'dashboard'@'127.0.0.1' | ||
| + | IDENTIFIED BY 'somepassword'; | ||
| + | mysql> GRANT ALL PRIVILEGES ON MCP.* TO 'dashboard'@'localhost' | ||
| + | IDENTIFIED BY 'somepassword'; | ||
| + | mysql> flush privileges; | ||
| + | mysql> quit | ||
| + | |||
| + | After specifying the user, you should then set the MySQL credentials for the Archivematica server at: <code>/etc/archivematica/archivematicaCommon/dbsettings</code>. | ||
| + | |||
| + | Finaly, change to the <code>src/dashboard/src</code> directory in the Archivematica source tree and edit <code>settings.py</code>, changing the values in the <code>DATABASES</code> dictionary for <code>USER</code> and <code>PASSWORD</code>. | ||
| + | |||
| + | == Setting organization code / institution Name == | ||
| − | |||
*This is done to add the repository code and name as a PREMIS agent. A command must be issued to modify the SQL database: | *This is done to add the repository code and name as a PREMIS agent. A command must be issued to modify the SQL database: | ||
<pre> | <pre> | ||
| Line 25: | Line 46: | ||
The parameters that you'll most likely want to set are <code>url</code>, <code>email</code>, and <code>password</code>. These parameters, respectively, specify the destination AtoM website's URL, the email address used to log in to the website, and the password used to log in to the website. | The parameters that you'll most likely want to set are <code>url</code>, <code>email</code>, and <code>password</code>. These parameters, respectively, specify the destination AtoM website's URL, the email address used to log in to the website, and the password used to log in to the website. | ||
| − | AtoM DIP upload can also use [http://en.wikipedia.org/wiki/Rsync Rsync] as a transfer mechanism. Rsync is an open source utility for efficiently transferring files. The <code>rsync-target</code> parameter is used to specify an Rsync-style target host/directory pairing, "foobar.com:~/dips/" for example. The <code>rsync-command</code> parameter is used to specify rsync connection options, "ssh -p 22222 -l user" for example. | + | AtoM DIP upload can also use [http://en.wikipedia.org/wiki/Rsync Rsync] as a transfer mechanism. Rsync is an open source utility for efficiently transferring files. The <code>rsync-target</code> parameter is used to specify an Rsync-style target host/directory pairing, "foobar.com:~/dips/" for example. The <code>rsync-command</code> parameter is used to specify rsync connection options, "ssh -p 22222 -l user" for example. If you are using the rsync option, please see AtoM server configuration below. |
To set any parameters for AtoM DIP upload change the values, preserving the existing format they're specified in, in the "Command arguments" field then click "Save". | To set any parameters for AtoM DIP upload change the values, preserving the existing format they're specified in, in the "Command arguments" field then click "Save". | ||
Note that in AtoM, the sword plugin (Admin --> qtSwordPlugin) and job scheduling (Admin --> Settings --> Job scheduling) must both be enabled in order for AtoM to receive uploaded DIPs. | Note that in AtoM, the sword plugin (Admin --> qtSwordPlugin) and job scheduling (Admin --> Settings --> Job scheduling) must both be enabled in order for AtoM to receive uploaded DIPs. | ||
| + | |||
| + | === AtoM server configuration === | ||
| + | |||
| + | This server configuration step is necessary to allow Archivematica to log in to the AtoM server without passwords, and only when the user is deploying the rsync option described above in the AtoM DIP upload section. | ||
| + | |||
| + | To enable sending DIPs from Archivematica to the AtoM server: | ||
| + | |||
| + | Generate SSH keys for the Archivematica user. Leave the passphrase field blank. | ||
| + | <pre> | ||
| + | $ sudo -i -u archivematica | ||
| + | $ cd ~ | ||
| + | $ ssh-keygen | ||
| + | </pre> | ||
| + | |||
| + | Copy the contents of <code>/var/lib/archivematica/.ssh/id_rsa.pub</code> somewhere handy, you will need it later. | ||
| + | |||
| + | Now, it's time to configure the AtoM server so Archivematica can send the DIPs using SSH/rsync. For that purpose, you will create a user called <code>archivematica</code> and we are going to assign that user a restricted shell with access only to rsync: | ||
| + | |||
| + | <pre> | ||
| + | $ sudo apt-get install rssh | ||
| + | $ sudo useradd -d /home/archivematica -m -s /usr/bin/rssh archivematica | ||
| + | $ sudo passswd -l archivematica | ||
| + | $ sudo vim /etc/rssh.conf // Make sure that allowrsync is uncommented! | ||
| + | </pre> | ||
| + | |||
| + | Add the SSH key that we generated before: | ||
| + | |||
| + | <pre> | ||
| + | $ sudo mkdir /home/archivematica/.ssh | ||
| + | $ chmod 700 /home/archivematica/.ssh/ | ||
| + | $ sudo vim /home/archivematica/.ssh/authorized_keys // Paste here the contents of id_dsa.pub | ||
| + | $ chown -R archivematica:archivematica /home/archivematica | ||
| + | </pre> | ||
| + | |||
| + | In Archivematica, make sure that you update the <code>--rsync-target</code> accordingly.<br /> | ||
| + | These are the parameters that we are passing to the upload-qubit microservice.<br /> | ||
| + | Go to the Administration > Upload DIP page in the dashboard. | ||
| + | |||
| + | Generic parameters: | ||
| + | |||
| + | <pre> | ||
| + | --url="http://atom-hostname/index.php" \ | ||
| + | --email="demo@example.com" \ | ||
| + | --password="demo" \ | ||
| + | --uuid="%SIPUUID%" \ | ||
| + | --rsync-target="archivematica@atom-hostname:/tmp" \ | ||
| + | --debug | ||
| + | </pre> | ||
== CONTENTdm DIP upload == | == CONTENTdm DIP upload == | ||
| Line 66: | Line 135: | ||
== Users == | == Users == | ||
| − | The dashboard provides a simple cookie-based user authentication system using the [https://docs.djangoproject.com/en/1.4/topics/auth/ Django authentication framework]. Access to the dashboard is limited only to logged-in users and a login page will be shown when the user is not recognized. If the application can't find any user in the database, the user creation page will be shown instead | + | The dashboard provides a simple cookie-based user authentication system using the [https://docs.djangoproject.com/en/1.4/topics/auth/ Django authentication framework]. Access to the dashboard is limited only to logged-in users and a login page will be shown when the user is not recognized. If the application can't find any user in the database, the user creation page will be shown instead, allowing the creation of an administrator account. |
| + | |||
| + | Users can be also created, modified and deleted from the Administration tab. Here you can manage which users have access to Archivematica and what level of access they have. Standard users are able to access all sections of the interterface except for the administration section. | ||
| + | |||
| + | You can add a new user to the system by clicking the "Add new" button on the user administration page. These users won't have administrator capability. By adding a user you provide a way to access Archivematica using a username/password combination. Should you need to change a user's username or password, you can do so by clicking the "Edit" button, corresponding to the user, on the administration page. Should you need to revoke a user's access, you can click the corresponding "Delete" button. | ||
| + | |||
| + | === CLI creation of administrative users === | ||
| + | |||
| + | If you need an additional administrator user one can be created via the command-line after navigating to the <code>src/dashboard/src</code> directory in the source tree. | ||
| + | |||
| + | python manage.py createsuperuser | ||
| − | + | === CLI password resetting === | |
| − | + | If you've forgotten the password for your administrator user, or any other user, you can change it via the command-line. | |
| + | |||
| + | python manage.py changepassword <username> | ||
===Security=== | ===Security=== | ||
| Line 91: | Line 172: | ||
= Elasticsearch = | = Elasticsearch = | ||
| − | Archivematica has the | + | Archivematica has the capability of indexing data about files contained in AIPs and this data can be [[Elasticsearch Development|accessed programatically]] for various applications. |
| − | + | If, for whatever reason, you need to delete an ElasticSearch index please see [[ElasticSearch Administration]]. | |
| − | + | If, for whatever reason, you need to delete an Elasticsearch index programmatically, this can be done with pyes using the following code. | |
<pre> | <pre> | ||
| Line 123: | Line 204: | ||
:* ICA-AtoM | :* ICA-AtoM | ||
* Archivematica does not presently support secured sockets. See Issue 990, Issue 690 Because of this, it's highly recommended to run Archivematica on a secure, isolated network. | * Archivematica does not presently support secured sockets. See Issue 990, Issue 690 Because of this, it's highly recommended to run Archivematica on a secure, isolated network. | ||
| + | |||
| + | = Upgrading = | ||
| + | * Currently, Archivematica does not support upgrading from one version to the next. A re-install is required. | ||
= Questions = | = Questions = | ||
| Line 130: | Line 214: | ||
== Discussion group == | == Discussion group == | ||
| − | * [http://groups.google.com/group/archivematica?hl=en For questions not on the FAQ] | + | * [[http://groups.google.com/group/archivematica?hl=en Discussion group] For questions not on the FAQ] |
Latest revision as of 16:05, 19 March 2013
Main Page > Documentation > Administrator Manual
This manual covers administrator-specific instructions for Archivematica. For end-user instructions, please see the user manual.
Installation[edit]
Configuration[edit]
Database configuration[edit]
Archivematica stores working data in MySQL. Archivematica, by default, creates a user named "demo" with the password "demo", but you may wish to create a new user with a stronger password. Here's how you can create a unique MySQL user for Archivematica and grant it the appropriate permissions if need be.
Enter the MySQL shell as the "root" user:
$ mysql -u root -p<root password>
Specify a MySQL user (named "archivematica" in this example with a password of "somepassword") with full access to the Archivematica's MySQL database:
mysql> GRANT ALL PRIVILEGES ON MCP.* TO 'dashboard'@'127.0.0.1'
IDENTIFIED BY 'somepassword';
mysql> GRANT ALL PRIVILEGES ON MCP.* TO 'dashboard'@'localhost'
IDENTIFIED BY 'somepassword';
mysql> flush privileges;
mysql> quit
After specifying the user, you should then set the MySQL credentials for the Archivematica server at: /etc/archivematica/archivematicaCommon/dbsettings.
Finaly, change to the src/dashboard/src directory in the Archivematica source tree and edit settings.py, changing the values in the DATABASES dictionary for USER and PASSWORD.
Setting organization code / institution Name[edit]
- This is done to add the repository code and name as a PREMIS agent. A command must be issued to modify the SQL database:
mysql -u root --execute "UPDATE Agents SET agentIdentifierValue='CWOB', agentName='City of Wobble' WHERE PK = 2;" MCP
Dashboard administration tab[edit]
The Archivematica administration pages allow you to configure application components and manage users.
AtoM DIP upload[edit]
Archivematica can upload DIPs directly to an AtoM website so the contents can be accessed online. The AtoM DIP upload configuration page is where you specify the details of the AtoM installation you'd like the DIPs uploaded to (and, if using Rsync to transfer the DIP files, Rsync transfer details).
The parameters that you'll most likely want to set are url, email, and password. These parameters, respectively, specify the destination AtoM website's URL, the email address used to log in to the website, and the password used to log in to the website.
AtoM DIP upload can also use Rsync as a transfer mechanism. Rsync is an open source utility for efficiently transferring files. The rsync-target parameter is used to specify an Rsync-style target host/directory pairing, "foobar.com:~/dips/" for example. The rsync-command parameter is used to specify rsync connection options, "ssh -p 22222 -l user" for example. If you are using the rsync option, please see AtoM server configuration below.
To set any parameters for AtoM DIP upload change the values, preserving the existing format they're specified in, in the "Command arguments" field then click "Save".
Note that in AtoM, the sword plugin (Admin --> qtSwordPlugin) and job scheduling (Admin --> Settings --> Job scheduling) must both be enabled in order for AtoM to receive uploaded DIPs.
AtoM server configuration[edit]
This server configuration step is necessary to allow Archivematica to log in to the AtoM server without passwords, and only when the user is deploying the rsync option described above in the AtoM DIP upload section.
To enable sending DIPs from Archivematica to the AtoM server:
Generate SSH keys for the Archivematica user. Leave the passphrase field blank.
$ sudo -i -u archivematica $ cd ~ $ ssh-keygen
Copy the contents of /var/lib/archivematica/.ssh/id_rsa.pub somewhere handy, you will need it later.
Now, it's time to configure the AtoM server so Archivematica can send the DIPs using SSH/rsync. For that purpose, you will create a user called archivematica and we are going to assign that user a restricted shell with access only to rsync:
$ sudo apt-get install rssh $ sudo useradd -d /home/archivematica -m -s /usr/bin/rssh archivematica $ sudo passswd -l archivematica $ sudo vim /etc/rssh.conf // Make sure that allowrsync is uncommented!
Add the SSH key that we generated before:
$ sudo mkdir /home/archivematica/.ssh $ chmod 700 /home/archivematica/.ssh/ $ sudo vim /home/archivematica/.ssh/authorized_keys // Paste here the contents of id_dsa.pub $ chown -R archivematica:archivematica /home/archivematica
In Archivematica, make sure that you update the --rsync-target accordingly.
These are the parameters that we are passing to the upload-qubit microservice.
Go to the Administration > Upload DIP page in the dashboard.
Generic parameters:
--url="http://atom-hostname/index.php" \ --email="demo@example.com" \ --password="demo" \ --uuid="%SIPUUID%" \ --rsync-target="archivematica@atom-hostname:/tmp" \ --debug
CONTENTdm DIP upload[edit]
Archivematica can also upload DIPs to CONTENTdm websites. Multiple CONTENTdm destinations may be configured.
For each possible CONTENTdm DIP upload destination, you'll specify a brief description and configuration parameters appropriate for the destination. Possible paramters include %ContentdmServer%, %ContentdmUser%, and %ContentdmGroup%.
When changing parameters for a CONTENTdm DIP upload destination simply change the values, preserving the existing format they're specified in. To add an upload destination fill in the form at the bottom of the page with the appropriate values. When you've completed your changes click the "Save" button.
Transfer source directories[edit]
Unlike previous versions, Archivematica v0.9 allows you to start transfers using the web interface rather than the operating system's file browser. Source files for transfers, however, can't be uploaded using the web interface: they must exist on volumes accessible to the Archivematica server.
When starting a transfer you're required to select one or more directories of files to add to the transfer. To speed up the process of selecting directories, Archivematica allows you to specify "source directories". A source directory is a directory in which files and directories likely to be added to a transfer are present.
To add a source directory, while on the transfer source directories page of the Administration tab in the dashboard, simply click the folder icon to expand the starting directory and navigate the interface until you find a directory you'd like to select as a source directory. Once you've found a suitable source directory, click the "Add" button to the right of the directory and it will be added.
To remove a source directory, simply click the "Remove" button to the right of it in the source directory path list.
Processing configuration[edit]
When processing a SIP or transfer, you may want to automate some of the workflow choices. Choices can be preconfigured by putting a 'processingMCP.xml' file into the root directory of a SIP/transfer. The processing configuration administration page allows you to configure the default 'processingMCP.xml' that's added to a SIP or Transfer if it doesn't alreay contain one. If a SIP or transfer is submitted with a 'processingMCP.xml' file, however, processing decisions will be made with the included file.
Pre-configured choices made here are based off the choices that appear in the dashboard.
The format is:
<preconfiguredChoice>
<appliesTo>Workflow decision - send transfer to quarantine</appliesTo>
<goToChain>Skip quarantine</goToChain>
</preconfiguredChoice>
Where appliesTo is the name of the job presented in the dashboard, and goToChain is the desired selection. Note: these are case sensitive.
Users[edit]
The dashboard provides a simple cookie-based user authentication system using the Django authentication framework. Access to the dashboard is limited only to logged-in users and a login page will be shown when the user is not recognized. If the application can't find any user in the database, the user creation page will be shown instead, allowing the creation of an administrator account.
Users can be also created, modified and deleted from the Administration tab. Here you can manage which users have access to Archivematica and what level of access they have. Standard users are able to access all sections of the interterface except for the administration section.
You can add a new user to the system by clicking the "Add new" button on the user administration page. These users won't have administrator capability. By adding a user you provide a way to access Archivematica using a username/password combination. Should you need to change a user's username or password, you can do so by clicking the "Edit" button, corresponding to the user, on the administration page. Should you need to revoke a user's access, you can click the corresponding "Delete" button.
CLI creation of administrative users[edit]
If you need an additional administrator user one can be created via the command-line after navigating to the src/dashboard/src directory in the source tree.
python manage.py createsuperuser
CLI password resetting[edit]
If you've forgotten the password for your administrator user, or any other user, you can change it via the command-line.
python manage.py changepassword <username>
Security[edit]
Archivematica uses PBKDF2 as the default algorithm to store passwords. This should be sufficient for most users: it's quite secure, requiring massive amounts of computing time to break. However, other algorithms could be used as the following document explains: How Django stores passwords.
Our plan is to extend this functionality in the future adding groups and granular permissions support: see issue 922 to read more about it.
Customization and automation[edit]
- Workflow processing decisions can be made in the processingMCP.xml file. See here.
- Workflows are currently created at the development level.
- Some resources avialable
- Normalization commands can be viewed in the presveration planning tab.
- Normalization paths and commands are currently edited/created at the development level. See transcoder for more details.
Elasticsearch[edit]
Archivematica has the capability of indexing data about files contained in AIPs and this data can be accessed programatically for various applications.
If, for whatever reason, you need to delete an ElasticSearch index please see ElasticSearch Administration.
If, for whatever reason, you need to delete an Elasticsearch index programmatically, this can be done with pyes using the following code.
import sys
sys.path.append("/home/demo/archivematica/src/archivematicaCommon/lib/externals")
from pyes import *
conn = ES('127.0.0.1:9200')
try:
conn.delete_index('aips')
except:
print "Error deleting index or index already deleted."
Data backup[edit]
- How to protect your data from disaster.
Security[edit]
- It is recommended to change the default passwords.
- The ICA-ATOM/ContentDM passwords can be set in the administration tab in the dashboard.
- The database connection credentials can be set in the /etc/archivematica/archivematicaCommon/dbsettings. These will need to a mysql user with permissions to the MCP database.
- Database
- The database user
- /etc/archivematica/archivematicaCommon/dbsettings
- The dashboard config file?
- Content DM
- ICA-AtoM
- Archivematica does not presently support secured sockets. See Issue 990, Issue 690 Because of this, it's highly recommended to run Archivematica on a secure, isolated network.
Upgrading[edit]
- Currently, Archivematica does not support upgrading from one version to the next. A re-install is required.
Questions[edit]
Frequently asked questions[edit]
Discussion group[edit]
- [Discussion group For questions not on the FAQ]