What Perun can control

Directly controlled functions

User's accounts

They are controlled by perun services - group, fs_scratch and passwd. Files created by services are propagated to computational nodes and more processed. Mailaliases service belongs to these services too. It controls the creation of mail aliases at the target node.

Home directories

Home directories control service fs_home to nodes where they have to be created. Related with this service is k5login service which maintains ".k5login" files in home directories. Home directories are created on storages and several frontends.

Project directories

They are created by service fs_project at Data storages current in Jihlava. Groups that can access to project directory need to be assigned to the resource target to project directory.


Replications are created by fs_replicas service. Currently is run at nodes "store1.du1/2/3.cesnet.cz" facilities "fe.du1/2/3.cesnet.cz".

NFS4 access

It is controlled by passwd_nfs4, group_nfs4 on storages.

Root access

It is realized by k5login_root service which is usually assigned to the special resource created for this purpose. This is concerned with computational nodes, storages and operational machines too. In a similar way is realized service sshkeys_root which kept ssh keys with root access at selected machines.

SSH keys

Service sshkeys is a target to maintain files of the user's ssh keys. Similarly, service sshkeys_root control file with ssh keys for root access.

AFS groups and their members

These functions are controlled by services afs and afs_group. Currently, are used on facility AFS-ICS.


Service eduroam_radius creates a list of eduroam identities. Currently it is located on facilities "eduroam" and "radius.ics.muni.cz".

PBS monitor and other information for PBS

PBS and PBS monitor is supported by services pbsmon_json, pbs_phys_cluster, pbsmon_users, pbs_pre, and pbs_publication_fairshare.

Service pbs_pre marked computational nodes as controlled by PBS or torque, real propagation of information about users is executed on "arien.ics.muni.cz", "wagap.cerit-sc.cz" and "zkusebni_planovac". Similarly goes service pbs_phys_cluster too, which works on "arien.ics.muni.cz" and "wagap.cerit-sc.cz".

Service pbsmon_json transfers information about accessible machines and clusters and it is executed on "segin.ics.muni.cz".

Services pbsmon_users and pbs_publication_fairshare provide to PBS information about users, second one with regard to publications; pbsmon_users is executed on "segin.ics.muni.cz", pbs_publication_fairshare is propagated to "arien.ics.muni.cz" and "wagap.cerit-sc.cz".

Information system of CESNET

Service users_export selects information about users from DB and propagates them to IS. As a target of propagation is created facility "Informacni system CESNET".


Service voms controlled VOMS server for South African Grid - Catch All VO, for EGI, VOCE, Auger VOs by facilities "voms1.egee.cesnet.cz" and "voms2.grid.cesnet.cz".


Service openvpn generates a list of IGTF certificates of users who are permitted to use OpenVPN system. Currently, service is not realized.

For fedcloud

Service fedcloud_export ensures updating of user's data in fedcloud infrastructure. Service is propagated to facilities whose names are started with "egi-fedcloud-".

Access to licence server Flexlm

Access is realized by flexlm_iptables service based on IP address. Service is placed at "skirit.ics.muni.cz", "skiritf.ics.muni.cz" and "lm.zcu.cz", but currently is not used.

Postal services

Service mailman upkeeps members of mailing lists in software Mailman. Special version of service for MetaCenter is named mailman_meta. Service mailman_owners control list of managers of mailing lists in software Mailman. Service sympa has a similar function as mailman but it doesn't cooperate with Mailman software.


Files for Apache controls service apache_basic_auth which adds or deletes data in file Apache basic auth. The service is realized at the facility "projekty.ics.muni.cz". Next service apache_ssl creates a list of DN of certificates of users, who are permitted for access to a specific directory and propagates it to Apache configuration. Service is placed at facilities "naiglos.ics.muni.cz", "aiglos.zcu.cz" and "pakiti.ics.muni.cz".


For clouds are created following services:

fedcloud_export - service updates users in fedcloud infrastructure. It is realized at facilities "egi-fedcloud-infn-ct","egi-fedcloud-sztaki","egi-fedcloud-cesnet","egi-fedcloud-gwdg" and "egi-fedcloud-i3m-upv".

metacloud_export - a special version of the previous service for MetaCenter. It is placed at "carach.ics.muni.cz" facility.

owncloud_vo_mapping - special service for OwnCloud instance of MetaCenter, where mapping of users to virtual organizations is needed. It is assigned to the same facilities as fedcloud_export service.


Special functionality is realized beyond Perun services. It pushes the flat structure of Perun to Perun LDAP, where it is usable for other different cooperating systems. Services ldap_ad_ceitec and ldap_vsb_vi. The first one is prepared at MU instance of Perun but it has not been used yet. The second one is ready to use for the arrangement of access to VŠB tools but it has not been used yet too.


Service gridmap creates GRIDMAPFILEs for MetaCenter and KYPO. It is placed at facility facility "metalb.ics.muni.cz".

Data repositories

Service du_users_export is a special export of users for CESNETs purposes. Service is realized at "fe.du1.cesnet.cz","fe.du2.cesnet.cz" a "fe.du3.cesnet.cz" facilities. Service samba_du is a special version of service samba for Data repositories of CESNET. It is placed at facility "ldap.du2.cesnet.cz".

Documents, libraries etc.

Service docdb controls access to DocDB document server. It is a document database for CERIT-SC. Service is realized at facility "DocDB-CERIT" with destination at "marach.ics.muni.cz". Service redmine-MU controls access to the Redmine of MU. It is placed at "Redmine-UVT", updates https://projekty2.ics.muni.cz/.


Service samba_du controls access to shared filesystem SAMBA. It is placed at facility "ldap.du2.cesnet.cz".


Service pkinit passes user logins including realms on Kerberos. All DNs of user certificates including X509 external identities passes on Kerberos too. Service is realized at "naiglos.ics.muni.cz".


Services hadoop_base and hadoop_hdfs controls access to the Hadoop server, which allows fast working with extremely big data. Services are placed at node "hador-c1.ics.muni.cz" at facility "hador-cluster.ics.muni.cz".


Service appDB updates "appDB" database of users for EGI. It is realized at facility "appDB.egi.eu" on host "perun.metacentrum.cz".

Indirectly controlled functions


Access to "meetings.cesnet.cz" (system for booking and controlling of videoconference resources) - it is realized by Perun's API. Service user especially created for CESNET directly asks Perun by RPC. If needed LDAP can be asked too.

Example: user from ÚVT MU has to be a member of "uvt" VO and a member in group "projects:shongo:users:uvt" in VO "einfra" simultaneously.

Accesses to RT - they are realized by LDAP which is created by Perun. Currently, are in Perun created groups for each queue which name starts with "RT" and these are selected by RT system from LDAP. The more systemic solution is preparing.

Perun works as IdP and attribute authority

Attribute authority is used for:

  • consolidation of user identities
  • membership in groups through different organizations
  • authorization in Apache
  • authorization in DokuWiki
  • configuration of Shibboleth SP
  • authentication at Mailman for MetaCenter
  • authentication at Mailman for CERIT-SC
  • authentication at DocDb for CERIT-SC