Eric Shook, Anand Padmanabhan
Grid Research & educatiOn group @ IoWa (GROW)
ITS Academic Technologies – Research Services
The University of Iowa
Iowa City, IA 52242, USA
May 16, 2006

GUMS
What is GUMS?
“The GUMS service performs one and only one function: it maps user’s grid certificates/credentials to site-specific identities/credentials (e.g., UNIX accounts or Kerberos principals) in accordance with the site’s grid resource usage policy.”
http://grid.racf.bnl.gov/GUMS/guide_introduction.html
Why GUMS?
GUMS allows the implementation of a single site-wide usage policy
Better control of the security for accessing the site’s grid resources
Integrate grid information services with local information services
How to install GUMS?
pacman -get iVDGL:gums
Answer “y” to enable the GUMS server to run automatically (as root)
– cd $VDT_LOCATION/gums-service/sbin
– ./addAdmin "your DN"
/etc/init.d/apache restart
/etc/init.d/tomcat-5 restart
Test install: https://gums-server:8443/gums
gums.config
Located at: $VDT_LOCATION/gums-service/var/war/WEB-INF/classes
The parts within gums.config
– persistenceFactories
– groupMappings
    userGroup
    accountMapping
– hostGroup
persistenceFactories
Define where local data will be stored
Locations include
– mysql
– files
– ldap
Information that can be stored
– Local copy of VO listings
persistenceFactories (…)
Example:
<persistenceFactory
    name="mysql"
    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
    hibernate.connection.url="jdbc:mysql://server:49151/GUMS_1_1"
    hibernate.connection.username="gums-user"
    hibernate.connection.password="243FKD56KDI"
    hibernate.connection.autoReconnect="true"
    hibernate.c3p0.min_size="3"
    hibernate.c3p0.max_size="20"
    hibernate.c3p0.timeout="180" />
groupMappings
Define groups of users
Determine user group mapping
Groups are defined by groupMapping
– groupMapping uses three definitions
    userGroup
    accountMapping
    compositeAccountMapping (not covered)
groupMapping
Defines a group of users
Example:
<groupMapping
    name='atlasProd'
    accountingVo='usatlas'
    accountingDesc='ATLAS'>
  <userGroup …>
  <accountMapping …>
</groupMapping>
userGroup
Defines the list of people who are part of a group
Information can be provided by
– VOMS server
– LDAP group
– Manually
userGroup (…)
Example (VOMS)
<userGroup
    className='gov.bnl.gums.VOMSGroup'
    url='https://voms:8443/voms/cdf/services/VOMSAdmin'
    persistenceFactory='mysql'
    name='cdf'
    voGroup="/cdf"
    sslCertfile='/etc/grid-security/hostcert.pem'
    sslKey='/etc/grid-security/hostkey.pem'
    matchFQAN="vo"
    acceptProxyWithoutFQAN='true' />
accountMapping
Mapping policy for groups of users
Mapping options include
– AccountPoolMapper
– GroupAccountMapper
– ManualAccountMapper
– GecosLdapAccountMapper
– GecosNisAccountMapper
accountMapping (…)
Example (group accounts)
<accountMapping
    className='gov.bnl.gums.GroupAccountMapper'
    groupName='atlas' />
Example (pool accounts)
<accountMapping
    className='gov.bnl.gums.AccountPoolMapper'
    persistenceFactory='mysql'
    name='bnlPool' />
hostGroup
Defines a group of hosts and which groupMappings will be used
Two groups are defined
– CertificateHostGroup
– WildcardHostGroup (deprecated)
hostGroup (…)
WildcardHostGroup
– Use of this group is discouraged
– Does not properly handle certificate identities
CertificateHostGroup
– Example:
<hostGroup
    className="gov.bnl.gums.CertificateHostGroup"
    cn='*.usatlas.bnl.gov'
    groups='atlas,cms,grow' />
What You Need to Know
Names that need to match
– CertificateHostGroup.groups == groupMapping.name
– persistenceFactory.name == *.persistenceFactory
– userGroup.name == table or column within mysql, in relation to the persistenceFactory used
– accountMapping.groupName == UNIX user
– accountMapping.name == pool reference name created by the ‘gums’ utility program
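A dangling name in gums.config (a hostGroup that lists a groupMapping that does not exist, or a userGroup that points at an undefined persistenceFactory) fails only at mapping time, when a job arrives. The checker below is an added example, not part of the presentation or of the GUMS distribution: it parses a constructed gums.config modelled on the slides' snippets and verifies the first two rules above, that every name in CertificateHostGroup.groups is a groupMapping.name and that every persistenceFactory attribute names a defined persistenceFactory. It also flags the deprecated WildcardHostGroup and the fact that the MySQL password sits in the file in clear text. The wrapper element names (<gums>, <persistenceFactories>, <groupMappings>, <hostGroups>) and the sample password are assumptions; the checks locate elements by tag name, so they do not depend on that nesting.

```python
import xml.etree.ElementTree as ET

# Constructed sample gums.config, modelled on the slides' snippets.
# Wrapper element names (<gums>, <persistenceFactories>, <groupMappings>,
# <hostGroups>) are assumptions; check_gums_config() finds elements by tag.
SAMPLE_CONFIG = """<gums>
  <persistenceFactories>
    <persistenceFactory name="mysql"
        className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
        hibernate.connection.url="jdbc:mysql://server:49151/GUMS_1_1"
        hibernate.connection.username="gums-user"
        hibernate.connection.password="EXAMPLE-PASSWORD" />
  </persistenceFactories>
  <groupMappings>
    <groupMapping name="atlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup" name="atlas"
          persistenceFactory="mysql" voGroup="/atlas" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />
    </groupMapping>
    <groupMapping name="cms" accountingVo="cms" accountingDesc="CMS">
      <userGroup className="gov.bnl.gums.VOMSGroup" name="cms"
          persistenceFactory="ldap" voGroup="/cms" />
      <accountMapping className="gov.bnl.gums.AccountPoolMapper"
          persistenceFactory="mysql" name="cmsPool" />
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup className="gov.bnl.gums.CertificateHostGroup"
        cn="*.usatlas.bnl.gov" groups="atlas,cms,grow" />
    <hostGroup className="gov.bnl.gums.WildcardHostGroup"
        cn="*" groups="atlas" />
  </hostGroups>
</gums>
"""


def check_gums_config(xml_text):
    """Return a list of findings; an empty list means every cross-reference resolves."""
    root = ET.fromstring(xml_text)
    findings = []

    factories = {pf.get("name") for pf in root.iter("persistenceFactory")}
    mappings = {gm.get("name") for gm in root.iter("groupMapping")}

    # Rule: CertificateHostGroup.groups == groupMapping.name
    for hg in root.iter("hostGroup"):
        if hg.get("className", "").endswith("WildcardHostGroup"):
            findings.append(f"hostGroup cn={hg.get('cn')!r}: WildcardHostGroup is deprecated; "
                            "use CertificateHostGroup")
        for group in hg.get("groups", "").split(","):
            group = group.strip()
            if group and group not in mappings:
                findings.append(f"hostGroup cn={hg.get('cn')!r} references "
                                f"undefined groupMapping {group!r}")

    # Rule: persistenceFactory.name == *.persistenceFactory, on any element that names one
    for elem in root.iter():
        ref = elem.get("persistenceFactory")
        if ref is not None and ref not in factories:
            findings.append(f"<{elem.tag} name={elem.get('name')!r}> references "
                            f"undefined persistenceFactory {ref!r}")

    # A groupMapping without both children cannot map anyone
    for gm in root.iter("groupMapping"):
        for child in ("userGroup", "accountMapping"):
            if gm.find(child) is None:
                findings.append(f"groupMapping {gm.get('name')!r} has no <{child}>")

    # The DB password is stored in clear text, so the file itself is a credential
    for pf in root.iter("persistenceFactory"):
        if pf.get("hibernate.connection.password"):
            findings.append(f"persistenceFactory {pf.get('name')!r} embeds a DB password; "
                            "keep gums.config unreadable to other local users")
    return findings


if __name__ == "__main__":
    for finding in check_gums_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the real file with `check_gums_config(open(path).read())`; the sample deliberately contains a hostGroup naming an undefined `grow` mapping and a userGroup pointing at an undefined `ldap` factory, so the run prints four findings.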
Wildcard Warnings
hostGroup CN and DN mappings utilize wildcards to cover a wide variety of hosts
– But they can cause problems
Look *closely* at your host certificates
– Make certain they will match a wildcard
Order matters in gums.config
Wildcard Warnings (…)
Wildcards do not match beyond
– ‘.’, ‘/’, or ‘=’
What does this mean?
– If CN of certificate = “host/grow.uiowa.edu”
Successful matches example
– host/*.uiowa.edu, */*.uiowa.edu, host/grow.*.edu
Unsuccessful matches example
– *.uiowa.edu, host/*.edu, host/grow.*, host/*uiowa*
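The matching rule above is easy to get wrong when writing a hostGroup cn, and a pattern that fails to match simply leaves a host with no groups. The following is an added example, not code from the presentation or from GUMS: it implements the rule as stated (`*` matches any run of characters except `.`, `/` and `=`), checks it against the slide's successful and unsuccessful patterns for the CN `host/grow.uiowa.edu`, and walks an ordered list of hostGroup entries. That the first matching hostGroup wins is an assumption made here to illustrate why order matters; the hostGroup list in the `__main__` block is constructed for the demonstration.

```python
import re


def gums_wildcard_to_regex(pattern):
    """Translate a GUMS-style wildcard into an anchored regex.

    Rule taken from the slides: '*' matches any run of characters except
    '.', '/' and '='. Every other character in the pattern is literal.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + "[^./=]*".join(literal_parts) + "$")


def cn_matches(pattern, cn):
    """True if the certificate CN matches the hostGroup cn pattern."""
    return gums_wildcard_to_regex(pattern).match(cn) is not None


def first_matching_hostgroup(cn, host_groups):
    """Return the first (pattern, groups) pair whose pattern matches cn, or None.

    Assumption for this example: gums.config is consulted top to bottom and the
    first matching hostGroup decides which groupMappings apply.
    """
    for pattern, groups in host_groups:
        if cn_matches(pattern, cn):
            return pattern, groups
    return None


CERT_CN = "host/grow.uiowa.edu"  # the CN used on the slide
SHOULD_MATCH = ["host/*.uiowa.edu", "*/*.uiowa.edu", "host/grow.*.edu"]
SHOULD_NOT_MATCH = ["*.uiowa.edu", "host/*.edu", "host/grow.*", "host/*uiowa*"]


def verify_slide_examples():
    """True when every pattern on the slide behaves as the slide says it does."""
    all_good = all(cn_matches(p, CERT_CN) for p in SHOULD_MATCH)
    any_bad = any(cn_matches(p, CERT_CN) for p in SHOULD_NOT_MATCH)
    return all_good and not any_bad


if __name__ == "__main__":
    for p in SHOULD_MATCH + SHOULD_NOT_MATCH:
        print(f"{p:18s} -> {'match' if cn_matches(p, CERT_CN) else 'no match'}")
    # Constructed hostGroup list: the first entry never matches a host/ CN,
    # so the second entry is the one that actually assigns groups.
    host_groups = [("*.uiowa.edu", ["grow"]), ("host/*.uiowa.edu", ["atlas", "grow"])]
    print(first_matching_hostgroup(CERT_CN, host_groups))
```

Before deploying a cn pattern, feed it the exact CN string from each host certificate (`openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem` shows it) through `cn_matches`; a `host/` service prefix in the CN is the case the slide singles out, because a leading `*.` never crosses the `/`.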
GUMS Utility Program
Provides administrative functions
‘gums’ uses user, not host, credentials
– User must be a gums admin
Commands available (commonly used)
– generateGrid3UserVoMap
– generateGridMapfile
– pool-addRange
Also available
– Manual mapping administrative capabilities
– Update groups and caches
GUMS Utility Program (…)
Example – add pool account user range
– ./gums pool-addRange mysql grow grow10-9999
Example – generate grid-map file
– ./gums generateGridMapFile "host cert DN here"
Useful Log Files
For troubleshooting errors
$VDT_LOCATION/
– tomcat/v5/logs/gums-service-admin.log
– tomcat/v5/logs/gums-service-cybersecurity.log
– tomcat/v5/logs/gums-service-developer.log
– gums/var/log/gums-developer.$USER.log
– gums/var/log/edg-security.$USER.log
GROW’s gums.config
http://grow.its.uiowa.edu/infrastructure/gums/
Useful Resources
http://grow.its.uiowa.edu/infrastructure/gums
http://grid.racf.bnl.gov/GUMS/guide_config_gums.html
http://osg.ivdgl.org/twiki/bin/view/Integration/GumsConfigExamples
http://osg.ivdgl.org/twiki/bin/view/Integration/GumsAdmins
http://osg.ivdgl.org/twiki/bin/view/Integration/GUMSTroubleshootingGuide
http://grid.racf.bnl.gov/GUMS/guide_howto_configuration.html
http://www-hep.nhn.ou.edu/atlas/grid/gums-installation-notes.txt
http://pgl.uchicago.edu/twiki/bin/view/Laboratory/GUMS1dot1Upgrade
Information from these pages was used to create this presentation
Note:
– Most of these links are available from the GROW website (1st listed)