As explained in previous section it is possible to connect two (or more) iRODS zones to each other, enabling users from each zone to access remote resources. There is a good step-by-step federation manual prepared by Elena Erastova.
In order to be able to connect to a remote iRODS zone following must be assured:
- Remote zone name and FQDN of the remote iRDOS server must be known
- Firewall rules on both server must be open for iRODS connections (port 1247 and port range for data transfers)
Adding remote zone to iRODS can be only done by an admin users. When connecting Server1 with Zone1 to Server2 with Zone2 following steps must be taken:
iadmin mkzone Zone2 remote 'Server2:1247'
iadmin mkzone Zone1 remote 'Server1:1247'
If everything went ok, new zones should appear in the list iadmin lz and be added to most upper directory level in iRODS ils /.
irods@server2:~$ ils -l / /: C- / C- /Zone1 C- /Zone2
At this step, although the remote zone is visible in the local iRODS and you are able to browse through it, it is not possible to access the data of the remote collections. In iRODS the access to the local resources is controlled by the local admin. Therefore in order to allow a user User1 from Zone1 to access a collection in Zone2, the administrator of the Zone2 must delegate the access rights:
iadmin mkuser User1#Zone1 rodsuser ichmod -r read User1#Zone1 /Zone2/path/to/some/collection // (1) ichmod -r write User1#Zone1 /Zone2/path/to/some/other/collection // (2)
| (1) | gives permission to browse given collection |
| (2) | gives permission to write into given collection |
Similar steps should be conducted to allow access to users from Zone2 to resources in Zone1.
| It is not possible to replicate the data between zones with standard iRODS tool irepl (it only allows to replicate the data between the storage resources within one zone). For replicating the data between zones in a federation irsync must be used. Usage example: irsync -r -V i:/Zone1/home/rods/dir i:/Zone2/home/rods2/syncedDir |