Grid User Management System v.1.1.0 Project Documentation

Brookhaven National Laboratory, 21 July 2005 01:32 EDT


Table of Contents

1 Manual
1.1 Learning about GUMS
1.1.1 What is GUMS ..... 1
1.1.2 GUMS and Privilege ..... 4
1.1.3 Understanding GUMS installation ..... 11
1.2 Installation
1.2.1 HOW TO: VDT installation ..... 17
1.2.2 HOW TO: Manual installation ..... 18
1.2.3 HOW TO: Upgrade from 1.0 ..... 23
1.3 Using GUMS
1.3.1 Configuration ..... 26
1.3.1.1 gums.config ..... 27
1.3.1.2 Examples ..... 39
1.3.2 GUMS commands ..... 43
1.3.2.1 bin/gums ..... 44
1.3.2.2 bin/gums-host ..... 49
1.3.3 GUMS logs ..... 52
1.3.3.1 Logging implementation details ..... 54
1.4 Site integration ..... 56
1.5 FAQ ..... 59
1.6 Troubleshooting FAQ ..... 62
1.7 Changes ..... 64


© 2003 Brookhaven National Laboratory • All rights reserved


1.1 Learning about GUMS


1.1.1 What is GUMS

What is GUMS?

What does GUMS do?

Implementing Site Policies


The GUMS callout interface

GUMS and other tools

The development of GUMS


GUMS in the future


1.1.2 GUMS and Privilege

GUMS and the Privilege architecture

What does GUMS do?

Specifying the mapping


GUMS client tools

Workflow


GUMS in the grid architecture


1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and need the command line

The pieces


Root vs non-root

Firewall and security considerations

Prepare the database

[root@www gums-service]# cat var/sql/setupDatabase.mysql
CREATE DATABASE GUMS_1_1;
GRANT ALL ON GUMS_1_1.* TO 'USER'@'SERVER' IDENTIFIED BY 'PASSWORD';
USE GUMS_1_1;
CREATE TABLE `USER` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `GROUP_NAME` VARCHAR(255) NOT NULL,
  `DN` varchar(255) NOT NULL,
  `FQAN` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));
CREATE TABLE `MAPPING` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `MAP` VARCHAR(255) NOT NULL,
  `DN` varchar(255) default NULL,
  `ACCOUNT` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

[root@www sbin]# cat var/sql/addAdmin.mysql
USE GUMS_1_1;
INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service


<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
  enableLookups="false" disableUploadTimeout="true"
  acceptCount="100" debug="0" scheme="https" secure="true"
  sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
  sslCAFiles="/etc/grid-security/certificates/*.0"
  crlFiles="/etc/grid-security/certificates/*.r0"
  sslCertFile="/etc/grid-security/hostcert.pem"
  sslKey="/etc/tomcat/hostkey.pem"
  log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
  clientAuth="true" sslProtocol="TLS" />


Installing the client tools


1.2 Installation


1.2.1 HOW TO: VDT installation

HOW TO: GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


1.2.2 HOW TO: Manual installation

HOW TO: GUMS Service quick-start installation

Preparing Java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz

[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
  enableLookups="false" disableUploadTimeout="true"
  acceptCount="100" debug="0" scheme="https" secure="true"
  sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
  sslCAFiles="/etc/grid-security/certificates/*.0"
  crlFiles="/etc/grid-security/certificates/*.r0"
  sslCertFile="/etc/grid-security/hostcert.pem"
  sslKey="/etc/grid-security/hostkey.pem"
  log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
  clientAuth="true" sslProtocol="TLS" />

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz
[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]
Examples: setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password secret, authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost.
Usage: addAdmin [DN for administrator]
Example: addAdmin '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'
[root@gums sbin]# ./addAdmin '/DC=org/DC=doegrids/OU=People/CN=Your Self 83753'

[root@gums sbin]# cd ..
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums


<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
generateGridMapfile - Generate grid-mapfile for a given host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
updateGroups - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile '/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov'

Problems


1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile '/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org'


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory ... />
  </persistenceFactories>
  <adminUserGroup ... />
  <groupMappings>
    <groupMapping>
      <userGroup ... />
      <accountMapping ... />
    </groupMapping>
    <groupMapping>
      <userGroup ... />
      <compositeAccountMapping>
        <accountMapping ... />
        <accountMapping ... />
        <accountMapping ... />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup ... />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" ... />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" ... />

  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" ... />

  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" ... />
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd,usatlasPool,ivdglPool" />

in the order specified

The first match will define the map


<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlasProd" voGroup="/atlas" voRole="production"
    sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="osgusatlas" voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"
    acceptProxyWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>


in the order listed

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

name - The name that will be used by the other components to refer to this persistenceFactory. Examples: mysql, files, ldap

className - The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory. Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name="mysql"
  className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
  hibernate.connection.username="gums"
  hibernate.connection.password="mysecret"
  hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
  hibernate.connection.driver_class="com.mysql.jdbc.Driver"
  hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
  hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

name - The name that will be used by the other components to refer to this groupMapping. Examples: atlas, star, phenix

accountingVo - The lower case OSG accounting name that will be used to generate the inverse maps for this group. Examples: atlas, ivdgl

accountingDesc - The upper case OSG accounting name that will be used to generate the inverse maps for this group. Examples: atlas, iVDgL

userGroup

className - The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup. Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup

server - The LDAP server from which to retrieve the information. Examples: grid-vo.nikhef.nl

query - The query to be used on the server. Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory - The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section. Examples: mysql

name - The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself. Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup" server="grid-vo.nikhef.nl"
  query="ou=People,o=atlas,dc=eu-datagrid,dc=org" persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

url - The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo. Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup - The group defined within the VO. Examples: /atlas/test, /atlas/group/subgroup

voRole - The role defined within the VO. Examples: production, myrole

matchFQAN - Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
• exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify
• group - the FQAN in the proxy has to be the same group or any subgroup; role is ignored
• vo - the FQAN in the proxy has to be of the same vo
• ignore - the FQAN in the proxy is completely ignored
Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN - Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted. Examples: true, false

sslCertfile - The certificate to be used to connect to VOMS. Examples: /etc/grid-security/hostcert.pem

sslKey - The private key to be used to connect to VOMS. Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd - The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates). Examples: mysecret

sslCAFiles - The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files. Examples: /etc/grid-security/certificates/*.0

persistenceFactory - The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section. Examples: mysql

name - The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself. Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
  url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
  persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
  sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualGroup

persistenceFactory - The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section. Examples: mysql

name - The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself. Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


className - The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping. Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

jndiNisUrl - The url as defined in the Java JNDI driver that allows to specify the NIS server and the domain. Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

jndiLdapUrl - The url as defined in the Java JNDI driver that allows to specify the LDAP server and the domain. Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper

persistenceFactory - The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section. Examples: mysql

name - The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself. Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

groupName - The name of the account. Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


className - The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup. Examples: gov.bnl.gums.CertificateHostGroup

groups - A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used. Examples: group1,group2

gov.bnl.gums.WildcardHostGroup (deprecated)

wildcard - The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov. Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

gov.bnl.gums.CertificateHostGroup

cn - The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov. Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn - The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.', '/' or '='. Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"
    matchFQAN="VO" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas" />
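To make the resolution order behind these examples concrete, here is an added Python model (example code, not GUMS source) of how a mapping request walks hostGroups, the groups list of the matching hostGroup, the userGroup membership with its matchFQAN and acceptProxyWithoutFQAN rules, and finally the accountMapping. The class names mirror the gums.config elements; the Python data layout, the sample DNs and the pool contents are assumptions of this example.

```python
import re

def wildcard_regex(pattern):
    """CertificateHostGroup cn/dn wildcard: '*' stands for any run of characters except
    '.', '/' and '=', so '*.bnl.gov' does not match 'myhost.usatlas.bnl.gov'."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "[^./=]*".join(parts) + "$")

def split_fqan(fqan):
    """'/atlas/usatlas/Role=production/Capability=NULL' -> ('/atlas/usatlas', 'production')."""
    group, _, rest = fqan.partition("/Role=")
    role = rest.split("/")[0] if rest else "NULL"
    return group, (None if role == "NULL" else role)   # Role=NULL means no role

class VOMSGroup:
    """Membership is the locally cached DN list (filled by updateGroups), then matchFQAN."""
    def __init__(self, members, vo_group, vo_role=None, match_fqan="exact",
                 accept_proxy_without_fqan=False):
        self.members, self.vo_group, self.vo_role = set(members), vo_group, vo_role
        self.match_fqan, self.accept_plain = match_fqan, accept_proxy_without_fqan

    def contains(self, dn, fqan):
        if dn not in self.members:
            return False
        if fqan is None:                      # plain (non-VOMS) proxy
            return self.accept_plain
        if self.match_fqan == "ignore":
            return True
        group, role = split_fqan(fqan)
        if self.match_fqan == "vo":           # same VO; group and role ignored
            return group.split("/")[1] == self.vo_group.split("/")[1]
        if self.match_fqan == "group":        # same group or any subgroup; role ignored
            return group == self.vo_group or group.startswith(self.vo_group + "/")
        return group == self.vo_group and role == self.vo_role   # exact (default)

class GroupAccountMapper:
    """Everybody in the group is mapped to the single account groupName."""
    def __init__(self, group_name):
        self.group_name = group_name
    def map(self, dn):
        return self.group_name

class ManualAccountMapper:
    """DN -> account table maintained with 'gums manualMapping-add / -remove'."""
    def __init__(self, table):
        self.table = dict(table)
    def map(self, dn):
        return self.table.get(dn)

class AccountPoolMapper:
    """Leases one pool account per DN; the lease is persisted, so a DN keeps its account."""
    def __init__(self, pool):
        self.free, self.leases = list(pool), {}
    def map(self, dn):
        if dn not in self.leases:
            if not self.free:
                return None                   # pool exhausted: this mapper yields nothing
            self.leases[dn] = self.free.pop(0)
        return self.leases[dn]

class CompositeAccountMapping:
    """Mappers are tried in the order listed; the first one that yields an account wins."""
    def __init__(self, *mappers):
        self.mappers = mappers
    def map(self, dn):
        for mapper in self.mappers:
            account = mapper.map(dn)
            if account is not None:
                return account
        return None

def map_user(config, service_dn, user_dn, fqan=None):
    """The first hostGroup whose cn wildcard matches the service CN is selected; its groups
    are tried in the order specified and the first match defines the account (None = denied)."""
    service_cn = service_dn.rsplit("CN=", 1)[-1]
    for cn_pattern, group_names in config["hostGroups"]:
        if wildcard_regex(cn_pattern).match(service_cn):
            for name in group_names:
                user_group, account_mapping = config["groupMappings"][name]
                if user_group.contains(user_dn, fqan):
                    return account_mapping.map(user_dn)
            return None                       # host matched, user in none of its groups
    return None                               # service not in any hostGroup

# Constructed sample data modelled on the "Mapping based on groups/roles" example above.
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 11111"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 22222"
POOL = AccountPoolMapper(["grid0000", "grid0001"])
CONFIG = {
    "groupMappings": {
        "usatlasProd": (VOMSGroup([ALICE], "/atlas", vo_role="production"),
                        GroupAccountMapper("usatprod")),
        "usatlas": (VOMSGroup([ALICE, BOB], "/atlas/usatlas", match_fqan="vo",
                              accept_proxy_without_fqan=True),
                    CompositeAccountMapping(ManualAccountMapper({BOB: "bob"}), POOL)),
    },
    "hostGroups": [("*.mysite.com", ["usatlasProd", "usatlas"])],   # order matters
}
```

Note that a user who is in both groups gets the production account only when the proxy actually carries the production role; with a plain proxy the first groupMapping rejects them and the second, which accepts proxies without FQAN, leases a pool account.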


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
generateGridMapfile - Generate grid-mapfile for a given service/host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
pool-addRange - Adds accounts to an account pool
updateGroups - Contact VO servers and retrieve user lists
version - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user
Options:
-s,--service <arg>    DN of the service. When using gums-host, it defaults to the host credential DN
-f,--fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init (no extended information by default)
-t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
-b,--bypassCallout    connects directly to GUMS instead of using the callout
-i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
-n,--ntimes <arg>     number of times the request will be repeated
--help                print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s '/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com' '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s '/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com' -f '/myvo/Role=role1' -i '/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com' '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile '/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com'
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap '/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com'
#User-VO map
# #comment line, format of each regular line
# #line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
    persistenceFactory="mysql" name="myvo" voGroup="/myvo"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'

gums manualMapping-add


[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
 generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
 generateGridMapfile - Generate grid-mapfile for this host
 mapUser - Local credential used for a particular user
 version - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>    DN of the service. When using gums-host it defaults
                       to the host credential DN
 -f,--fqan <arg>       Fully Qualified Attribute Name as it would be
                       selected using voms-proxy-init; no extended information by
                       default
 -t,--timing <arg>     enables timing, grouping the requests. For example,
                       -t 100 will give you timing information on 100 requests at a
                       time
 -b,--bypassCallout    connects directly to GUMS instead of using the
                       callout
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the
                       DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>     number of times the request will be repeated
    --help             print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile


[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
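The grid-mapfile and the grid3-user-vo-map.txt shown above (and in the bin/gums section for the same two commands) are the files a gatekeeper actually consults, so a site wants to notice when a generated mapfile hands out an account that no VO accounts for, when the user-vo-map body names a VO its #voi header does not declare, or when one DN is listed under two different accounts. The following Python is an added example, not GUMS code: it parses both formats as printed above and cross-checks them. The DNs and the "orphan" account in the sample are constructed, and the three checks are this example's own policy.

```python
"""Cross-check a GUMS-generated grid-mapfile against its grid3-user-vo-map.txt
(example code added here, not part of GUMS)."""
import re
from collections import defaultdict

# Constructed sample (fictional DNs) in the grid-mapfile layout GUMS prints:
# one quoted DN per line, then the local account.
GRID_MAPFILE = """\
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Alice Example 1234" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Bob Example 5678" usatlas1
#---- members of vo: ivdgl ----
"/DC=org/DC=doegrids/OU=People/CN=Carol Example 9012" ivdgl
"/DC=org/DC=doegrids/OU=People/CN=Bob Example 5678" ivdgl
"/DC=org/DC=doegrids/OU=People/CN=Dan Example 3456" orphan
"""

# Constructed sample in the grid3-user-vo-map.txt layout: "account VO" per line,
# with the #voi header listing the VOs the body may use.
USER_VO_MAP = """\
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
"""

# A DN contains spaces and slashes, so the mapfile quotes it; the account follows.
MAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<account>\S+)$')


def parse_grid_mapfile(text):
    """Return the (dn, account) pairs of a grid-mapfile, skipping comment lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MAP_LINE.match(line)
        if m is None:
            raise ValueError(f"grid-mapfile line {lineno}: cannot parse {line!r}")
        entries.append((m.group("dn"), m.group("account")))
    return entries


def parse_user_vo_map(text):
    """Return ({account: vo}, [VO names from the #voi header])."""
    accounts, voi = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#voi"):
            voi = line.split()[1:]      # header line: "#voi vo1 vo2 ..."
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"user-vo-map line {lineno}: cannot parse {line!r}")
        accounts[parts[0]] = parts[1]
    return accounts, voi


def check_consistency(grid_mapfile, user_vo_map):
    """Return human-readable findings; an empty list means the two files agree."""
    findings = []
    entries = parse_grid_mapfile(grid_mapfile)
    accounts, voi = parse_user_vo_map(user_vo_map)
    # Every account the mapfile hands out must be attributable to a VO.
    for dn, account in entries:
        if account not in accounts:
            findings.append(f"account {account!r} (from {dn}) has no VO in user-vo-map")
    # The #voi header must declare every VO the body uses.
    for account, vo in accounts.items():
        if vo not in voi:
            findings.append(f"VO {vo!r} (account {account!r}) missing from #voi header")
    # One DN under two different accounts makes the mapping ambiguous.
    per_dn = defaultdict(list)
    for dn, account in entries:
        if account not in per_dn[dn]:
            per_dn[dn].append(account)
    for dn, accs in per_dn.items():
        if len(accs) > 1:
            findings.append(f"DN {dn} mapped to multiple accounts {accs}")
    return findings


if __name__ == "__main__":
    for finding in check_consistency(GRID_MAPFILE, USER_VO_MAP):
        print(finding)
```

On the sample the check reports two findings: the "orphan" account that no VO claims, and the DN that appears under both usatlas1 and ivdgl. Pointing the two parsers at the real files produced by the commands above works the same way, since the formats are identical.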


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error.
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs: [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version        Date                Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (By)

- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (glite) compatibility (carcassi)
- Support for mapfile cache terminated; web service door only (carcassi)
- FQAN allows for -, _ and . in the vo, group, role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (By)

- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect; that caused cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (By)

- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now gums host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Gridmapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (By)

- Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use them (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3, both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)


Release 0.7 - 2005-01-14

Changes (By)

- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (By)

- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests to Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (By)

- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (By)

- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches with certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (By)

- Script to fetch user from VOMS (dtyu)
- Script to map user to local account (tomw)


Page 2: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

Table of Contents

1 Manual11 Learning about GUMS

111 What is GUMS 1

112 GUMS and Privilege 4

113 Understanding GUMS installation 11

12 Installation

121 HOW TO VDT installation 17

122 HOW TO Manual installation 18

123 HOW TO Upgrade from 10 23

13 Using GUMS

131 Configuration 26

1311 gumsconfig 27

1312 Examples 39

132 GUMS commands 43

1321 bingums 44

1322 bingums-host 49

133 GUMS logs 52

1331 Logging implementation details 54

14 Site integration 56

15 FAQ 59

16 Troubleshooting FAQ 62

17 Changes 64

T A B L E O F C O N T E N T S i

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

TABLE OF CONTENTS ii

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

11 Learning about GUMS

1 1 L E A R N I N G A B O U T G U M S 1

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

11 LEARNING ABOUT GUMS 2

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

111 What is GUMS

What is GUMS

What does GUMS do

Implementing Site Policies

1 1 1 W H A T I S G U M S 1

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

The GUMS callout interface

GUMS and other tools

The development of GUMS

1 1 1 W H A T I S G U M S 2

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

GUMS in the future

1 1 1 W H A T I S G U M S 3

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

112 GUMS and Privilege

GUMS and the Privilege architecture

What does GUMS do

Specifying the mapping

1 1 2 G U M S A N D P R I V I L E G E 4

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

GUMS client tools

Workflow

1 1 2 G U M S A N D P R I V I L E G E 5

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

GUMS in the grid architecture

1 1 2 G U M S A N D P R I V I L E G E 6

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1 1 2 G U M S A N D P R I V I L E G E 7

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1 1 2 G U M S A N D P R I V I L E G E 8

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1 1 2 G U M S A N D P R I V I L E G E 9

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

112 GUMS AND PRIVILEGE 10

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

113 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and need thecommand line

The pieces

1 1 3 U N D E R S T A N D I N G G U M S I N S T A L L A T I O N 11

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Root vs non-root

Firewall and security considerations

Prepare the database

[rootwww gums-service] cat varsqlsetupDatabasemysqlCREATE DATABASE GUMS_1_1

GRANT ALLON GUMS_1_1TO USERSERVER IDENTIFIED BY PASSWORD

USE GUMS_1_1

CREATE TABLE `USER` (`ID` INTEGER AUTO_INCREMENT PRIMARY KEY`GROUP_NAME` VARCHAR(255) NOT NULL`DN` varchar(255) NOT NULL`FQAN` varchar(255) default NULL

) TYPE=InnoDB

1 1 3 U N D E R S T A N D I N G G U M S I N S T A L L A T I O N 12

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

CREATE INDEX complete ON USER (GROUP_NAME(10) DN(70) FQAN(30))

CREATE TABLE `MAPPING` (`ID` INTEGER AUTO_INCREMENT PRIMARY KEY`MAP` VARCHAR(255) NOT NULL`DN` varchar(255) default NULL`ACCOUNT` varchar(255) default NULL

) TYPE=InnoDB

CREATE INDEX complete ON MAPPING (MAP(10) DN(70))

[rootwww sbin] cat varsqladdAdminmysqlUSE GUMS_1_1

INSERT INTO USER SET DN=ADMINDN GROUP_NAME=admins

Installing the service

1 1 3 U N D E R S T A N D I N G G U M S I N S T A L L A T I O N 13

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltConnector port=8443maxThreads=150 minSpareThreads=25 maxSpareThreads=75enableLookups=false disableUploadTimeout=trueacceptCount=100 debug=0 scheme=https secure=true

sSLImplementation=orgglitesecuritytrustmanagertomcatTMSSLImplementationsslCAFiles=etcgrid-securitycertificates0crlFiles=etcgrid-securitycertificatesr0sslCertFile=etcgrid-securityhostcertpemsslKey=etctomcathostkeypem

log4jConfFile=opttomcat-5028-egeesecconflog4j-trustmanagerpropertiesclientAuth=true sslProtocol=TLS gt

1 1 3 U N D E R S T A N D I N G G U M S I N S T A L L A T I O N 14

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Installing the client tools

1 1 3 U N D E R S T A N D I N G G U M S I N S T A L L A T I O N 15

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

12 Installation

1 2 I N S T A L L A T I O N 16

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

121 HOW TO VDT installation

HOW TO GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT

1 2 1 H O W T O V D T I N S T A L L A T I O N 17

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

122 HOW TO Manual installation

HOW TO GUMS Service quick-start installation

Preparing java

[rootgums root] java -versionjava version 142_04Java(TM) 2 Runtime Environment Standard Edition (build 142_04-b05)Java HotSpot(TM) Client VM (build 142_04-b05 mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[rootgums root] cd opt[rootgums opt] wget

1 2 2 H O W T O M A N U A L I N S T A L L A T I O N 18

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

httpgridracfbnlgovmavengumstargzstomcat-5028-egeesectargz

[rootgums opt] tar -xzvf tomcat-5028-egeesectargz

[rootgums opt] vi tomcat-5028-egeesecconfserverxml

ltConnector port=8443maxThreads=150 minSpareThreads=25 maxSpareThreads=75enableLookups=false disableUploadTimeout=trueacceptCount=100 debug=0 scheme=https secure=true

sSLImplementation=orgglitesecuritytrustmanagertomcatTMSSLImplementationsslCAFiles=etcgrid-securitycertificates0crlFiles=etcgrid-securitycertificatesr0sslCertFile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemlog4jConfFile=opttomcat-5028-egeesecconflog4j-trustmanagerpropertiesclientAuth=true sslProtocol=TLS gt

[rootgums opt] tomcat-5028-egeesecbincatalinash start

Install the service

[rootgums root] cd opt

1 2 2 H O W T O M A N U A L I N S T A L L A T I O N 19

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[rootgums opt] wgethttpgridracfbnlgovmavengumstargzsgums-service-SNAPSHOTtargz [rootgums opt] tar -xzvf gums-service-SNAPSHOTtargz

[rootgums opt] cd gums-servicesbin[rootgums sbin] setupDatabaseUsage setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysqlpassword]

ExamplessetupDatabase gums gumsmysitecom secret

This will make mysql authenticate as root with a password (-p) create a gumsuser with password secret authorized to connect from gumsmysitecom

[rootgums sbin] setupDatabase gums gumsmysitecom secret

[rootgums sbin] cat setupDatabasebinshMYSQLPARAM=-p

[rootgums sbin] addAdminAdds an admin in the GUMS database on localhostUsage addAdmin [DN for administrator]

ExampleaddAdmin DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345[rootgums sbin] addAdmin DC=orgDC=doegridsOU=PeopleCN=Your Self 83753

[rootgums sbin] cd [rootgums opt] ln -s gums-servicevarwartomcat-5028-egeesecwebappsgums

1 2 2 H O W T O M A N U A L I N S T A L L A T I O N 20

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltenv-entrygtltenv-entry-namegtupdateGroupsMinutesltenv-entry-namegtltenv-entry-typegtjavalangIntegerltenv-entry-typegtltenv-entry-valuegt720ltenv-entry-valuegt

ltenv-entrygt

Installing the client

[rootgums root] wgethttpgridracfbnlgovmavengumsnoarchrpmsgums-client-SNAPSHOTnoarchrpm [rootgums root] rpm -Uvh gums-client-SNAPSHOTnoarchrpm

[rootgums root] cd optgumsbin[rootgums bin] gumsusage gums command [command-options]CommandsgenerateGrid3UserVoMap - Generate grid3-user-vo-maptxt for a given hostgenerateGridMapfile - Generate grid-mapfile for a given hostmanualGroup-add - Includes a DN in a groupmanualGroup-remove - Removes a DN from a groupmanualMapping-add - Adds a DN-to-username in a mappingmanualMapping-remove - Removes a DN from a mappingmapUser - Local credential used for a particular user

1 2 2 H O W T O M A N U A L I N S T A L L A T I O N 21

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

mapfileCache-refresh - Regerates mapfiles in the cacheupdateGroups - Contact VO servers and retrieve user lists

For help on any commandgums command --help

[rootgums bin] cat etcgums-clientpropertiesgumslocation=httpslocalhost8443gumsservicesGUMSAdmingumsauthz=httpslocalhost8443gumsservicesGUMSAuthorizationServicePort

[rootgums bin] vi etcgums-clientproperties[rootgums bin] cat etcgums-clientpropertiesgumslocation=httpsgumsmysitecom8443gumsservicesGUMSAdmingumsauthz=httpsgumsmysitecom8443gumsservicesGUMSAuthorizationServicePort

[rootgums bin] su - username[usernamegums bin] grid-proxy-init[usernamegums bin] gums generateGridMapfileDC=orgDC=doegridsOU=ServicesCN=testingtestgov

Problems

1 2 2 H O W T O M A N U A L I N S T A L L A T I O N 22

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

123 HOW TO Upgrade from 10

HOW TO Upgrade from 10 to 11

Database

Configuration file

Main differences

1 2 3 H O W T O U P G R A D E F R O M 1 0 23

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile DC=orgDC=doegridsOU=ServicesCN=testmysiteorg

1 2 3 H O W T O U P G R A D E F R O M 1 0 24

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

13 Using GUMS

1 3 U S I N G G U M S 25

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

131 Configuration

Configuring GUMS

1 3 1 C O N F I G U R A T I O N 26

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1311 gumsconfig

gumsconfig

ltgumsgtltpersistenceFactoriesgtltpersistenceFactorygt

ltpersistenceFactoriesgtltadminUserGroupgtltgroupMappingsgtltgroupMappinggt

ltuserGroupgtltaccountMappinggt

ltgroupMappinggtltgroupMappinggt

ltuserGroupgtltcompositeAccountMappinggtltaccountMappinggtltaccountMappinggtltaccountMappinggt

ltcompositeAccountMappinggtltgroupMappinggt

ltgroupMappingsgt

lthostGroupsgtlthostGroupgt

lthostGroupsgtltgumsgt

Understanding the GUMS configuration file

persistenceFactories

1 3 1 1 G U M S C O N F I G 27

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

groupMappings

hostGroups

lthostGroupsgtlt-- RHIC gatekeepers --gtlthostGroup className=govbnlgumsCertificateHostGroup cn=starbnlgov

gtlthostGroup className=govbnlgumsCertificateHostGroup cn=phenixbnlgov

gt

lt-- ATLAS test gatekeeper --gtlthostGroup className=govbnlgumsCertificateHostGroup

cn=mygkusatlasbnlgov gt

lt-- Rest of ATLAS gatekeepers --gtlthostGroup className=govbnlgumsCertificateHostGroup cn=usatlasbnlgov

gtlthostGroupsgt

in the order specified

lthostGroup className=govbnlgumsCertificateHostGroupcn=mygkusatlasbnlgovgroups=atlasProdusatlasPoolivdglPool gt

in the order specified

The firstmatch will define the map

1 3 1 1 G U M S C O N F I G 28

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltgroupMapping name=atlasProd accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=atlasProdvoGroup=atlasvoRole=productionsslCertfile=etcgrid-securitygumscertpemsslKey=etcgrid-securitygumskeypem gt

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatlas1 gt

ltgroupMappinggt

ltgroupMapping name=usatlasPool accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=osgusatlasvoGroup=atlasusatlassslCertfile=etcgrid-securitygumscertpemsslKey=etcgrid-securitygumskeypemacceptProxiesWithoutFQAN=truegt

ltcompositeAccountMappinggtltaccountMapping className=govbnlgumsAccountPoolMapper

persistenceFactory=mysql name=bnlPool gtltaccountMapping className=govbnlgumsGroupAccountMapper

groupName=usatlas1 gtltcompositeAccountMappinggt

ltgroupMappinggt

1 3 1 1 G U M S C O N F I G 29

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

in the order listed

persistenceFactories

ltpersistenceFactoriesgtltpersistenceFactory name=mysql

className=govbnlgumsMySQLPersistenceFactory gtltpersistenceFactoriesgt

persistenceFactory

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

mysqlfilesldap

className The class that is going to provide theimplementation for the persistence layer Itmust implement govbnlgumsPersistenceFactory

govbnlgumshibernateHibernatePersistenceFactoryorgmysiteHRDatabaseFactory

govbnlgumsHibernatePersistenceFactory

ltpersistenceFactory name=mysqlclassName=govbnlgumshibernateHibernatePersistenceFactoryhibernateconnectionusername=gumshibernateconnectionpassword=mysecret

1 3 1 1 G U M S C O N F I G 30

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

hibernateconnectionurl=jdbcmysqlmydbmysiteorgGUMS_1_1hibernateconnectiondriver_class=commysqljdbcDriverhibernatedialect=netsfhibernatedialectMySQLDialecthibernateconnectionpool_size=3 gt

adminUserGroup

groupMappings

groupMapping

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

atlasstarphenix

accountingVo The lower case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasivdgl

accountingDesc The upper case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasiVDgL

userGroup

Attribute Description Examples

className The class that is going to provide theimplementation for the user group It mustimplement govbnlgumsUserGroup

govbnlgumsLDAPGroupgovbnlgumsVOMSGroupgovbnlgumsManualGroup

govbnlgumsLDAPGroup

1 3 1 1 G U M S C O N F I G 31

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

server The LDAP server from which to retrieve theinformation

grid-vonikhefnl

query The query to be used on the server ou=usatlaso=atlasdc=eu-datagriddc=orgou=Peopleo=atlasdc=eu-datagriddc=org

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name The name of the cache within the persistencefactory Refer to the specifics of thepersistence factory itself

atlasusatlas

ltuserGroup className=govbnlgumsLDAPGroupserver=grid-vonikhefnlquery=ou=Peopleo=atlasdc=eu-datagriddc=orgpersistanceFactory=mysql name=atlas gt

govbnlgumsVOMSGroup

Attribute Description Examples

url The url of the web services for VOMS Noticethat it needs the full url of the service it wontbe constructed from the server name or vo

httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdmin

voGroup The group defined within the VO atlastestatlasgroupsubgroup

voRole The role defined within the VO productionmyrole

1 3 1 1 G U M S C O N F I G 32

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

matchFQAN Defines how the VOMS attribute (or role) ismatched There are 4 possible waysbull exact (default) - the FQAN in the proxy

has to be the same as what voGroup andvoRole specify

bull group - the FQAN in the proxy has to bethe same group or any subgroup role isignored

bull vo - the FQAN in the proxy has to be ofthe same vo

bull ignore - the FQAN in the proxy iscompletely ignored

exactgroupvoignore

acceptProxyWithoutFQAN Defines whether normal proxies that isnon-VOMS proxies are to be accepted Iftrue a non-VOMS proxy with the DN as partof the group will be accepted

truefalse

sslCertfile The certificate to be used to connect toVOMS

etcgrid-securityhostcertpem

sslKey The private key to be used to connect toVOMS

etcgrid-securityhostkeypem

sslKeyPasswd The password of the key to be used toconnect to VOMS Do not set if the keydoesnt have a password (such as whenusing host certificates)

mysecret

sslCAFiles The set of CA certificate files to be used toconnect to VOMS The value is a wildcardthat matches the cert files

etcgrid-securitycertificates0

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name The name of the cache within the persistencefactory Refer to the specifics of thepersistence factory itself

atlasTestatlasGroupSubgroup

ltuserGroup className=govbnlgumsVOMSGroupurl=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdmin

persistanceFactory=mysql name=atlasvoGroup=atlastest

1 3 1 1 G U M S C O N F I G 33

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgt

govbnlgumsManualGroup

Attribute Description Examples

persistenceFactory

The persistence layer to be used to store thelist of users The string must be one of thenames defined within thepersistenceFactories section

mysql

name The name of the group within the persistencefactory Refer to the specifics of thepersistence factory itself

testtestbedAadmins

ltuserGroup className=govbnlgumsManualUserGrouppersistanceFactory=mysql name=testGroup gt

compositeAccountMapping

accountMapping


className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

jndiNisUrl
    The URL, as defined by the Java JNDI driver, that specifies the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain"/>

gov.bnl.gums.GecosLdapAccountMapper

jndiLdapUrl
    The URL, as defined by the Java JNDI driver, that specifies the LDAP server and the base DN under which the accounts are searched.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov"/>
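The two GECOS mappers above match the certificate CN against the GECOS field of NIS or LDAP accounts (the 0.5 release notes describe the original NISMapper as retrieving the GECOS field and matching it with the certificate CN). The page does not spell out the comparison, so the following added Python example (not GUMS code) shows one defensible way to do it on a constructed passwd-style listing: strip the numeric suffix DOEGrids appends to the CN, compare the whole name rather than a substring, and refuse to map when the name is ambiguous or the DN carries more than one CN. The passwd lines, the class name GecosAccountMapper and the normalisation rules are all assumptions made for the example.

```python
"""Certificate CN to local account via the GECOS field, in the spirit of the
Gecos*AccountMapper classes.

Added example, not GUMS code. The passwd-style lines are constructed; a real
mapper would read them from NIS (ypcat passwd) or LDAP.
"""
import re
from typing import Dict, List, Optional

# Constructed sample, not real accounts.
PASSWD = """\
carcassi:x:1001:1001:Gabriele Carcassi,Bldg 510,x1234:/home/carcassi:/bin/bash
jsmith:x:1002:1002:John Smith:/home/jsmith:/bin/bash
jsmith2:x:1003:1003:John Smith,Guest:/home/jsmith2:/bin/bash
usatlas1:x:2000:2000:ATLAS pool account:/home/usatlas1:/bin/bash
"""

_CN_SUFFIX = re.compile(r"\s+\d+$")   # DOEGrids CNs end in a number: "Gabriele Carcassi 12345"


def normalize_name(name: str) -> str:
    """Case-insensitive, whitespace-insensitive form used for comparison."""
    return " ".join(name.split()).lower()


def cn_from_dn(dn: str) -> Optional[str]:
    """Return the CN of an OpenSSL-style DN, or None if it has no single CN.
    GUMS is handed the end-entity DN; anything with several CNs (a proxy
    chain, for instance) is refused rather than guessed at."""
    cns = [p[3:] for p in dn.split("/") if p.startswith("CN=")]
    return cns[0] if len(cns) == 1 else None


def gecos_index(passwd_text: str) -> Dict[str, List[str]]:
    """Map normalised GECOS full name -> accounts carrying it (may be several)."""
    index: Dict[str, List[str]] = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue                          # malformed entry, skip it
        full_name = fields[4].split(",")[0]   # GECOS: "Full Name,office,phone,..."
        if full_name.strip():
            index.setdefault(normalize_name(full_name), []).append(fields[0])
    return index


class GecosAccountMapper:
    def __init__(self, passwd_text: str):
        self._index = gecos_index(passwd_text)

    def map_user(self, dn: str) -> Optional[str]:
        """Account whose GECOS name equals the CN without its numeric suffix;
        None if the CN is missing, unknown, or shared by more than one account."""
        cn = cn_from_dn(dn)
        if cn is None:
            return None
        candidates = self._index.get(normalize_name(_CN_SUFFIX.sub("", cn)), [])
        return candidates[0] if len(candidates) == 1 else None
```

Returning None for an ambiguous name is the conservative choice: mapping "John Smith" to whichever account happens to come first would hand one person's files to another, and the failure is visible in the logs rather than silent.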

gov.bnl.gums.AccountPoolMapper

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>

gov.bnl.gums.GroupAccountMapper

groupName
    The name of the single local account that every member of the group is mapped to.
    Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas"/>

hostGroups

hostGroup


className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in order of preference. To determine which group should be used for a particular user, GUMS starts from the beginning of the list and stops at the first match. Therefore, if there is more than one match (i.e. a user is part of more than one group), the first one in the list is used. List the more specific mappings (for example a group that requires a VOMS role) before the broader ones; otherwise the broad group captures those users first and the role-specific account is never assigned.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl"/>

gov.bnl.gums.CertificateHostGroup

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl"/>

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"
        matchFQAN="VO" acceptProxyWithoutFQAN="true"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

Allowing an ad-hoc list of people

<groupMapping name="testers">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers"/>

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

The pool itself is filled from the command line:

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
    <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap"/>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
    </compositeAccountMapping>
</groupMapping>

The mappers are consulted in the order listed, so a DN with an entry in the manual map bnlMap keeps that account and the remaining members fall through to the pool.

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas/usatlas" voRole="production"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas"/>

Note the order in groups: usatlasProd comes first so that a proxy carrying Role=production is mapped to usatprod. Listed the other way round, every member of /atlas/usatlas, production role or not, would be mapped to usatlas1 and the production account would never be used.
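The following added Python example (written for this edition, not GUMS code) implements the CertificateHostGroup wildcard rules given in 1.3.1.1 and the first-match rule for the groups list, then replays the configuration above to show the effect of ordering usatlasProd before usatlas. The membership checks are plain string tests on the FQAN, the member DNs are constructed, the names wildcard_regex, cn_matches, dn_matches, GroupMapping, CertificateHostGroup, map_user and resolve are chosen here, and treating the first hostGroup whose cn matches as the one that decides the request is an assumption.

```python
"""CertificateHostGroup wildcards and ordered group resolution.

Added example, not GUMS code. Wildcard rules follow the gums.config reference:
in a cn pattern '*' never crosses '.', '/' or '='; in a dn pattern it never
crosses '/' or '='. The groups list is searched in order and the first match wins.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def wildcard_regex(pattern: str, stop_chars: str) -> "re.Pattern[str]":
    """Anchored regex for a GUMS wildcard: '*' matches any run of characters
    containing none of stop_chars; everything else is literal."""
    star = "[^" + re.escape(stop_chars) + "]*"
    return re.compile(star.join(re.escape(p) for p in pattern.split("*")))


def cn_matches(pattern: str, cn: str) -> bool:
    return wildcard_regex(pattern, "./=").fullmatch(cn) is not None


def dn_matches(pattern: str, dn: str) -> bool:
    return wildcard_regex(pattern, "/=").fullmatch(dn) is not None


@dataclass
class GroupMapping:
    name: str
    is_member: Callable[[str, Optional[str]], bool]   # (user DN, FQAN or None) -> bool
    account: str                                       # GroupAccountMapper groupName


@dataclass
class CertificateHostGroup:
    cn: str
    groups: List[str] = field(default_factory=list)   # groupMapping names, in order of preference


def map_user(host_groups: List[CertificateHostGroup], mappings: Dict[str, GroupMapping],
             service_cn: str, user_dn: str, fqan: Optional[str] = None) -> Optional[str]:
    """Return the local account for (service, user, FQAN), or None to deny.
    Assumption: the first hostGroup whose cn matches the service decides."""
    for hg in host_groups:
        if not cn_matches(hg.cn, service_cn):
            continue
        for name in hg.groups:                # order of preference: first match wins
            if mappings[name].is_member(user_dn, fqan):
                return mappings[name].account
        return None                           # known host, user in none of its groups
    return None                               # unknown host


# Constructed data standing in for the lists GUMS caches from VOMS.
USATLAS_MEMBERS = {"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738",
                   "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457"}
PROD_MEMBERS = {"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457"}

MAPPINGS = {
    # voGroup="/atlas/usatlas" voRole="production": exact role match
    "usatlasProd": GroupMapping(
        "usatlasProd",
        lambda dn, f: dn in PROD_MEMBERS and f == "/atlas/usatlas/Role=production",
        "usatprod"),
    # voGroup="/atlas/usatlas" with matchFQAN="VO": any /atlas FQAN
    "usatlas": GroupMapping(
        "usatlas",
        lambda dn, f: dn in USATLAS_MEMBERS and f is not None and f.startswith("/atlas/"),
        "usatlas1"),
}


def resolve(groups_in_order: List[str], user_dn: str, fqan: str) -> Optional[str]:
    """Map through a hostGroup cn="*.mysite.com" whose groups are listed in the given order."""
    hg = CertificateHostGroup(cn="*.mysite.com", groups=groups_in_order)
    return map_user([hg], MAPPINGS, "gatekeeper.mysite.com", user_dn, fqan)


if __name__ == "__main__":
    aldo = "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457"
    print(resolve(["usatlasProd", "usatlas"], aldo, "/atlas/usatlas/Role=production"))  # usatprod
    print(resolve(["usatlas", "usatlasProd"], aldo, "/atlas/usatlas/Role=production"))  # usatlas1, shadowed
```

The wildcard rule is the other point worth a test of its own: because '*' cannot cross '/', a pattern for host certificates does not accidentally admit a service certificate such as host/test.bnl.gov, and because it cannot cross '.', *.bnl.gov stays confined to one DNS level.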


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
generateGridMapfile - Generate grid-mapfile for a given service/host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regenerates mapfiles in the cache
pool-addRange - Adds accounts to an account pool
updateGroups - Contact VO servers and retrieve user lists
version - Retrieve GUMS client version

For help on any command:
gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
-s,--service <arg>      DN of the service. When using gums-host it defaults to the host credential DN.
-f,--fqan <arg>         Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default.
-t,--timing <arg>       Enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
-b,--bypassCallout      Connects directly to GUMS instead of using the callout.
-i,--issuer <arg>       Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
-n,--ntimes <arg>       Number of times the request will be repeated.
--help                  Print this message.

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
        persistenceFactory="mysql" name="myvo" voGroup="/myvo"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1"/>
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]# gums-host
usage: gums-host command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
generateGridMapfile - Generate grid-mapfile for this host
mapUser - Local credential used for a particular user
version - Retrieve GUMS client version

For help on any command:
gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options: the same as for gums mapUser (see 1.3.2.1); with gums-host the -s/--service DN defaults to the host credential DN.

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

With -r, syslogd accepts messages from any host on UDP port 514, so the central log host should firewall that port down to the GUMS and gatekeeper machines that are meant to forward their security log to it.

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

    throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>

Creating a group

    throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

OpenSSL error 20 means the CA that signed the client certificate (or one of the CAs in its chain) was not found among the trusted CA files: check that the issuer's hashed certificate file (*.0) is present in /etc/grid-security/certificates, the directory named by sslCAFiles.

1.7 Changes

Release History

Version        Date
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

- Review GUMS maven structure (i.e. plug-in dependencies, project.xml). (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while). (carcassi)
- Mapping according to the GECOS field, available in both NIS and LDAP. (carcassi)
- One can filter on the full CN of a host certificate. (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines. (carcassi)
- Release version in command line. (carcassi)
- If gums.config wasn't found the first time, a tomcat restart was needed. (carcassi)
- Minor updates to the web interface. (carcassi)
- VOMS Admin v1.0.x (gLite) compatibility. (carcassi)
- Support for mapfile cache terminated; web service door only. (carcassi)
- FQAN allows for '-', '_' and '.' in the VO, group, role and capability. (carcassi)
- DB reviewed: better indexing and transaction use. (carcassi)
- Updating from VOMS is no longer blocking. (carcassi)

Release 1.0.1 - 2005-04-07

- Including setupDatabase with the modifications made for VDT. (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove the packages). (carcassi)
- Error code from scripts was incorrect, which caused the cron job to update maps in case of error too. (carcassi)

Release 1.0.0 - 2005-03-16

- Repackaging of the client components: merged admin and host and named it client. (carcassi)
- Fixed minor issues with authorization obligations for storage system. (mlorch)
- Double add to a manual group now fails. (carcassi)
- Script that creates the database and changes the configuration accordingly. (carcassi)
- Repackaging of the service component. (carcassi)
- Server identity is now gums host name. (carcassi)
- GUMS accepts new style proxies. (carcassi)
- The accounts in the pool are used in alphabetical order. (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations. (carcassi)
- Gridmapfile is generated simulating users with no FQAN. (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned. (carcassi)

Release 0.7.1 - 2005-02-01

- Log names reviewed so that both client and server logs can stay (through links) in the same directory. (carcassi)
- NIS update is done every hour and is now thread safe. (carcassi)
- Log file permissions for the command line tools are set so multiple users can use them (important for admin). (carcassi)
- GUMS host can now be used for stress testing and timing the server response. (carcassi)
- Added connection pooling on mysql server. (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances. (carcassi)
- AuthZ callout without GT3, both client and server stubs. (mlorch)
- Added code for Privilege Project in GUMS repository and build process. (carcassi)

Release 0.7 - 2005-01-14

- Better logging: server logs all commands with both input and output. (carcassi)
- More complete command line interface. (carcassi)
- Web service implementation. (carcassi)
- HostWildcards can be more than one, comma separated. (carcassi)
- Support for VOMS Fully Qualified Attribute Names. (carcassi)
- AuthZ service to be contacted by Globus callout. (carcassi)
- Support for grid3-user-vo-map.txt generation. (carcassi)
- Many, many other refinements. (carcassi)

Release 0.6.1 - 2004-08-10

- Nightly build and reporting with Maven. (carcassi)
- Removed all the old code from 0.6. (carcassi)
- Better log system: logs for developer, resource admin and site admin in place. (carcassi)
- Ability to retrieve groups from within a VOMS server (finally). (carcassi)
- No more duplication in the mapfiles. (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated. (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others). (carcassi)
- Installation through RPMs (cron jobs installed automatically). (carcassi)
- Unit tests for Grid3 VOs included. (carcassi)
- LDAP access improved: can access LCG dev VO. (carcassi)

Release 0.6 - 2004-07-01

- XML configuration file for mapping policy. (carcassi)
- Log infrastructure. (carcassi)
- More flexible architecture. (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper. (carcassi)
- Web interface to generate grid-mapfiles and map users. (carcassi)
- Better command line interfaces (feel like Unix commands). (carcassi)

Release 0.5 - 2004-05-20

- GUMS in production at BNL. (carcassi)
- NISMapper: retrieves the GECOS field and matches it with the certificate CN. (carcassi)
- Architecture to allow different types of mappings for different hosts. (carcassi)

Release undetermined - before March 2004

- Script to fetch users from VOMS. (dtyu)
- Script to map user to local account. (tomw)


1.1.1 What is GUMS

What is GUMS

What does GUMS do

Implementing Site Policies


The GUMS callout interface

GUMS and other tools

The development of GUMS


GUMS in the future


1.1.2 GUMS and Privilege

GUMS and the Privilege architecture

What does GUMS do

Specifying the mapping


GUMS client tools

Workflow


GUMS in the grid architecture


1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and just need the commands.

The pieces


Root vs non-root

Firewall and security considerations

Prepare the database

[root@www gums-service]# cat var/sql/setupDatabase.mysql
CREATE DATABASE GUMS_1_1;
GRANT ALL ON GUMS_1_1.* TO 'USER'@'SERVER' IDENTIFIED BY 'PASSWORD';
USE GUMS_1_1;
CREATE TABLE `USER` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `GROUP_NAME` VARCHAR(255) NOT NULL,
  `DN` varchar(255) NOT NULL,
  `FQAN` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));
CREATE TABLE `MAPPING` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `MAP` VARCHAR(255) NOT NULL,
  `DN` varchar(255) default NULL,
  `ACCOUNT` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

USER, SERVER and PASSWORD are placeholders filled in by the setupDatabase script (see 1.2.2); the grant is limited to the GUMS database and to connections from the GUMS server host, so the MySQL account cannot be used for anything else.

[root@www sbin]# cat var/sql/addAdmin.mysql
USE GUMS_1_1;
INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/tomcat/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS"/>

clientAuth="true" makes the connector require a client certificate on every connection, which is how GUMS learns the DN of the gatekeeper or administrator calling it; crlFiles points the trust manager at the CA revocation lists so that revoked host and user certificates are refused. The copy of the host key under /etc/tomcat exists so that Tomcat can run as a non-root user; it must be readable by that user only.

Installing the client tools

1.2 Installation

1.2.1 HOW TO: VDT installation

HOW TO: GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT

1.2.2 HOW TO: Manual installation

HOW TO: GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS"/>

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz
[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Example:
  setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password "secret" authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret
[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p
...

The GUMS database password given on the command line ends up in the shell history and, later, in clear text in gums.config (hibernate.connection.password); use a password dedicated to GUMS and keep gums.config readable only by the account Tomcat runs as.

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost.
Usage: addAdmin [DN for administrator]

Example:
  addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"
[root@gums sbin]# cd ../..
[root@gums opt]# ln -s /opt/gums-service/var/war /opt/tomcat-5.0.28-egeesec/webapps/gums

    <env-entry>
      <env-entry-name>updateGroupsMinutes</env-entry-name>
      <env-entry-type>java.lang.Integer</env-entry-type>
      <env-entry-value>720</env-entry-value>
    </env-entry>

updateGroupsMinutes is the interval at which the service refreshes the cached user lists from the VO servers; with the value above a user removed from a VO keeps being mapped for up to 12 hours unless an administrator runs gums updateGroups.

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
  generateGridMapfile    - Generate grid-mapfile for a given host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regenerates mapfiles in the cache
  updateGroups           - Contact VO servers and retrieve user lists

For help on any command:
  gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems

1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences

Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"

1.3 Using GUMS

1.3.1 Configuration

Configuring GUMS

1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory ... />
  </persistenceFactories>
  <adminUserGroup ... />
  <groupMappings>
    <groupMapping ...>
      <userGroup ... />
      <accountMapping ... />
    </groupMapping>
    <groupMapping ...>
      <userGroup ... />
      <compositeAccountMapping>
        <accountMapping ... />
        <accountMapping ... />
        <accountMapping ... />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup ... />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories

groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="star.bnl.gov" />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="phenix.bnl.gov" />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
</hostGroups>

The hostGroup elements are tried in the order specified, so the specific mygk.usatlas.bnl.gov entry has to come before the *.usatlas.bnl.gov wildcard, which would match it as well. The groups attribute of the matching hostGroup lists the group mappings to consult for that service:

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov"
           groups="atlasProd, usatlasPool, ivdglPool" />

These too are tried in the order specified. The first match will define the map.

<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="atlasProd"
             voGroup="/atlas" voRole="production"
             sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="osgusatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"
             acceptProxyWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>

The account mappings inside a compositeAccountMapping are tried in the order listed and the first one that provides an account is used: here a user receives an account from the bnlPool pool, and the shared usatlas1 account serves only those the pool cannot accommodate.

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory attributes:

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap

className
    The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.hibernate.HibernatePersistenceFactory

<persistenceFactory name="mysql"
    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
    hibernate.connection.username="gums"
    hibernate.connection.password="mysecret"
    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
    hibernate.connection.pool_size="3" />

The database password is stored in clear text in this element, so gums.config must not be world-readable.

adminUserGroup

groupMappings

groupMapping attributes:

name
    The name that will be used by the other components (for example the groups attribute of a hostGroup) to refer to this groupMapping.
    Examples: atlas, star, phenix

accountingVo
    The lower case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

accountingDesc
    The upper case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: ATLAS, iVDgL

userGroup attributes:

className
    The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualUserGroup

gov.bnl.gums.LDAPGroup

server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl

query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup" server="grid-vo.nikhef.nl"
           query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
           persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

url
    The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole

matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    - exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
    - group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    - vo: the FQAN in the proxy has to be of the same vo
    - ignore: the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted. Because such a proxy carries no FQAN, the group and role selection a user would otherwise make with voms-proxy-init is not enforced: any DN in the cached member list is accepted, so enable this only for groups whose account mapping is appropriate for every member.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
           url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
           persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
           sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualUserGroup

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping

accountMapping attributes:

className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

jndiNisUrl
    The url, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

jndiLdapUrl
    The url, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

groupName
    The name of the account.
    Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup attributes:

className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any characters except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov"
           groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any characters except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any characters except '.', '/' or '='. A cn pattern is satis­fied by any certificate whose CN matches, whichever trusted CA issued it; when Tomcat trusts more than one CA, the dn form also pins the issuer part of the DN and is the stricter choice.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"
           groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"
             matchFQAN="vo" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing an ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

The pool has to be filled with the accounts it may hand out, for example:

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlasProd"
             voGroup="/atlas" voRole="production"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />

usatlasProd is listed first in the groups attribute so that a proxy carrying the production role is mapped to usatprod, while the other ATLAS members fall through to usatlas1.
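The decision described across the gums.config sections above (a hostGroup selected by wildcard match on the service CN, its group mappings tried in the order of the groups attribute, VOMS FQANs compared according to matchFQAN, then the accountMapping or compositeAccountMapping) is modelled below in Python. This is an added example, not GUMS code. It reads a constructed gums.config fragment with xml.etree; the members attribute on userGroup, the pool_accounts and manual_maps arguments of Resolver, and the rule that a matching group whose mappers return no account is skipped are assumptions of this model (the real VOMSGroup fetches its members from VOMS and keeps pool and manual mappings in the database). It also handles the /Role= and /Capability= parts of a full FQAN, which the examples on this page only show in their short form.

```python
"""Model of the GUMS mapping decision (added example, not GUMS code)."""
import re
import xml.etree.ElementTree as ET

ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Prod 111"   # constructed DNs
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob User 222"

# Constructed gums.config fragment; 'members' exists only in this model and stands in for
# the VO member list the real VOMSGroup fetches from the VOMS server and caches.
CONFIG = f"""<gums>
  <groupMappings>
    <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup" voGroup="/atlas" voRole="production"
                 members="{ALICE}" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
    </groupMapping>
    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup" voGroup="/atlas/usatlas" matchFQAN="group"
                 acceptProxyWithoutFQAN="true" members="{ALICE}; {BOB}" />
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" name="bnlMap" />
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" name="bnlPool" />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov"
               groups="usatlasProd, usatlas" />
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="usatlas" />
  </hostGroups>
</gums>"""


def cn_matches(pattern, cn):
    """CertificateHostGroup wildcard: '*' stands for any characters except '.', '/' and '='."""
    regex = "".join(r"[^./=]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, cn) is not None


def fqan_matches(mode, vo_group, vo_role, fqan):
    """The four matchFQAN modes of the userGroup table: exact (default), group, vo, ignore."""
    if mode == "ignore":
        return True
    group, _, rest = fqan.partition("/Role=")
    role = rest.split("/")[0]                      # drop a trailing /Capability=...
    role = None if role in ("", "NULL") else role
    if mode == "exact":
        return group == vo_group and role == vo_role
    if mode == "group":                            # same group or any subgroup; role ignored
        return group == vo_group or group.startswith(vo_group + "/")
    if mode == "vo":                               # only the VO (first path element) must agree
        return group.split("/")[1] == vo_group.split("/")[1]
    raise ValueError("unknown matchFQAN mode: " + mode)


class Resolver:
    def __init__(self, xml_text, pool_accounts, manual_maps):
        root = ET.fromstring(xml_text)
        self.groups = {g.get("name"): g for g in root.iter("groupMapping")}
        self.hosts = list(root.iter("hostGroup"))
        self.pool_free = pool_accounts   # pool name -> accounts still free (from pool-addRange)
        self.pool_used = {}              # pool name -> {DN: account}; the database in real GUMS
        self.manual = manual_maps        # map name -> {DN: account} (from manualMapping-add)

    def host_groups_for(self, service_dn):
        cn = service_dn.rsplit("/CN=", 1)[1]       # CN of the service certificate
        for hg in self.hosts:                       # the first matching hostGroup defines the map
            if cn_matches(hg.get("cn"), cn):
                return [g.strip() for g in hg.get("groups").split(",")]
        return []

    def is_member(self, ug, user_dn, fqan):
        if user_dn not in [m.strip() for m in ug.get("members", "").split(";")]:
            return False
        if fqan is None:                            # plain, non-VOMS proxy
            return ug.get("acceptProxyWithoutFQAN", "false") == "true"
        return fqan_matches(ug.get("matchFQAN", "exact"), ug.get("voGroup"), ug.get("voRole"), fqan)

    def map_account(self, am, user_dn):
        kind = am.get("className").rsplit(".", 1)[1]
        if kind == "GroupAccountMapper":
            return am.get("groupName")
        if kind == "ManualAccountMapper":
            return self.manual.get(am.get("name"), {}).get(user_dn)
        if kind == "AccountPoolMapper":            # a DN keeps its pool account once assigned
            used = self.pool_used.setdefault(am.get("name"), {})
            free = sorted(self.pool_free.get(am.get("name"), []))   # alphabetical order
            if user_dn not in used and free:
                used[user_dn] = free[0]
                self.pool_free[am.get("name")].remove(free[0])
            return used.get(user_dn)
        raise ValueError("mapper not modelled: " + kind)

    def map_user(self, service_dn, user_dn, fqan=None):
        """Local account for user_dn on the service, or None when no group maps it."""
        for name in self.host_groups_for(service_dn):
            gm = self.groups[name]
            if not self.is_member(gm.find("userGroup"), user_dn, fqan):
                continue
            composite = gm.find("compositeAccountMapping")
            mappers = list(composite) if composite is not None else [gm.find("accountMapping")]
            for am in mappers:                      # composite: first mapper yielding an account wins
                account = self.map_account(am, user_dn)
                if account:
                    return account
            # assumption of this model: a matching group whose mappers have no account is skipped
        return None


def example():
    """Resolver over CONFIG with two pool accounts and one manual mapping (constructed data)."""
    return Resolver(CONFIG, {"bnlPool": ["grid0001", "grid0000"]}, {"bnlMap": {BOB: "bob"}})
```

With example(), Alice presenting /atlas/Role=production on mygk.usatlas.bnl.gov gets usatprod from the first group, while with /atlas/usatlas she misses the exact match of usatlasProd, falls to the usatlas group and, having no manual mapping, receives grid0000 (the alphabetically first pool account, which she keeps on later calls); Bob with a plain proxy is accepted by usatlas only because acceptProxyWithoutFQAN is true. On gk2.usatlas.bnl.gov the wildcard hostGroup applies and offers only the usatlas group, so a production FQAN maps to nothing there.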

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums talks to the GUMSAdmin web service (gums.location in /etc/gums-client.properties) with the caller's grid proxy, which is why the installation runs grid-proxy-init before the first call; for the administrative commands the DN of that proxy has to be one registered with addAdmin, otherwise the service answers with an AuthorizationDeniedException (see the Troubleshooting FAQ).

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regenerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command:
  gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
 -s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN.
 -f,--fqan <arg>        Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default.
 -t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
 -b,--bypassCallout     connects directly to GUMS instead of using the callout.
 -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>      number of times the request will be repeated.
    --help              print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
             persistenceFactory="mysql" name="myvo" voGroup="/myvo"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

gums-host authenticates with the host certificate rather than a user proxy, which is why it runs as root; it offers only the commands that concern this host, and the service DN (-s) defaults to the host credential DN.

bin/gums-host commands

[root@mygk bin]# gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command:
  gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
 -s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN.
 -f,--fqan <arg>        Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default.
 -t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
 -b,--bypassCallout     connects directly to GUMS instead of using the callout.
 -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>      number of times the request will be repeated.
    --help              print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
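The two files a gatekeeper consumes, the grid-mapfile and grid3-user-vo-map.txt, are generated independently, so it is worth checking them against each other after each regeneration. The added Python below (not GUMS code) parses constructed samples in the two formats shown above and reports accounts that have no VO entry, so their jobs would be unattributed in accounting, and DNs that appear with more than one account, the symptom of overlapping groupMappings. The sample lines, including the "Some Tester" DN and the grid0000 and usatprod accounts, are constructed.

```python
"""Consistency check between a grid-mapfile and a grid3-user-vo-map.txt (added example)."""
import re
from collections import defaultdict

# Constructed samples in the formats produced by generateGridMapfile / generateGrid3UserVoMap.
GRID_MAPFILE = '''#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatprod
"/DC=org/DC=doegrids/OU=People/CN=Some Tester 1" grid0000
'''

USER_VO_MAP = '''#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
usatprod usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
'''

MAPFILE_LINE = re.compile(r'^"([^"]+)"\s+(\S+)$')   # "DN" account[,account...]


def parse_grid_mapfile(text):
    """Return a list of (dn, [accounts]) pairs; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MAPFILE_LINE.match(line)
        if not m:
            raise ValueError("malformed grid-mapfile line: " + line)
        entries.append((m.group(1), m.group(2).split(",")))
    return entries


def parse_user_vo_map(text):
    """Return ({account: vo}, [names on the #voi line], [names on the #VOc line])."""
    accounts, voi, voc = {}, [], []
    for line in text.splitlines():
        if line.startswith("#voi"):
            voi = line.split()[1:]
        elif line.startswith("#VOc"):
            voc = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            account, vo = line.split()
            accounts[account] = vo
    return accounts, voi, voc


def audit(mapfile_text, vo_map_text):
    """Return human-readable findings; an empty list means the two files agree."""
    account_vo, voi, voc = parse_user_vo_map(vo_map_text)
    findings = []
    if len(voi) != len(voc):
        findings.append("#voi and #VOc list a different number of VOs")
    accounts_of = defaultdict(list)
    for dn, accounts in parse_grid_mapfile(mapfile_text):
        accounts_of[dn].extend(accounts)
        for account in accounts:
            if account not in account_vo:
                findings.append(f"account {account} (mapped from {dn}) has no VO in the user-vo-map")
            elif account_vo[account] not in voi:
                findings.append(f"account {account} belongs to VO {account_vo[account]}, absent from #voi")
    for dn, accounts in accounts_of.items():
        if len(accounts) > 1:
            findings.append(f"{dn} is mapped to more than one account {accounts}: overlapping groupMappings")
    return findings


if __name__ == "__main__":
    for finding in audit(GRID_MAPFILE, USER_VO_MAP):
        print(finding)
```

Run against the samples it reports the grid0000 account, which the user-vo-map does not know, and the Alden Stradling DN, which the grid-mapfile lists under both usatlas1 and usatprod; on real output the second finding means two groupMappings in the hostGroup's groups list both accept that DN and the order of the list, not the mapfile, decides which account the gatekeeper uses.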

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

    throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

    throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

The client's certificate was accepted by Tomcat, but its DN is not one of the GUMS administrators: compare the DN the client presents with the ones registered with addAdmin; they must match exactly.

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

OpenSSL error 20 means the verifying side could not complete the certificate chain: the CA that issued the presented certificate has no hash-named file (*.0) in its trusted certificate directory.

1.7 Changes

Release History

Version       Date              Description
1.1.0         2005-07-20
1.0.1         2005-04-07
1.0.0         2005-03-16
0.7.1         2005-02-01
0.7           2005-01-14
0.6.1         2004-08-10
0.6           2004-07-01
0.5           2004-05-20
undetermined  before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml). (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while). (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP. (carcassi)
- One can filter on the full CN of a host certificate. (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines. (carcassi)
- Release version in command line. (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed. (carcassi)
- Minor updates to the web interface. (carcassi)
- VOMS Admin v1.0.x (glite) compatibility. (carcassi)
- Support for mapfile cache terminated: web service door only. (carcassi)
- FQAN allows for '-', '_' and '.' in the vo, group, role and capability. (carcassi)
- DB reviewed: better indexing and transaction use. (carcassi)
- Updating from VOMS is no longer blocking. (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
- Including setupDatabase with the modification made for VDT. (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package). (carcassi)
- Error code from scripts was incorrect: that caused the cron job to update maps in case of error too. (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
- Repackaging of the client components: merged admin and host and named it client. (carcassi)
- Fixed minor issues with authorization obligations for storage system. (mlorch)
- Double add to a manual group now fails. (carcassi)
- Script that creates the database and changes the configuration accordingly. (carcassi)
- Repackaging of the service component. (carcassi)
- Server identity is now gums host name. (carcassi)
- GUMS accepts new style proxies. (carcassi)
- The accounts in the pool are used in alphabetical order. (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations. (carcassi)
- Gridmapfile is generated simulating users with no FQAN. (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned. (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
- Log names reviewed so that both client and server logs can stay (through links) in the same directory. (carcassi)
- NIS update is done every hour and is now thread safe. (carcassi)
- Log file permissions for the command line tools are set so multiple users can use it (important for admin). (carcassi)
- GUMS host can now be used for stress testing and timing the server response. (carcassi)
- Added connection pooling on mysql server. (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances. (carcassi)
- AuthZ callout without GT3: both client and server stubs. (mlorch)
- Added code for Privilege Project in GUMS repository and build process. (carcassi)

Release 0.7 - 2005-01-14

Changes (by):
- Better logging: server logs all commands with both input and output. (carcassi)
- More complete command line interface. (carcassi)
- Web service implementation. (carcassi)
- HostWildcards can be more than one, comma separated. (carcassi)
- Support for VOMS Fully Qualified Attribute names. (carcassi)
- AuthZ service to be contacted by Globus callout. (carcassi)
- Support for grid3-user-vo-map.txt generation. (carcassi)
- Many, many other refinements. (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
- Nightly build and reporting with Maven. (carcassi)
- Removed all the old code from 0.6. (carcassi)
- Better log system: logs for developer, resource admin and site admin in place. (carcassi)
- Ability to retrieve groups from within a VOMS server (finally). (carcassi)
- No more duplication in the mapfiles. (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated. (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others). (carcassi)
- Installation through RPMs (cron jobs installed automatically). (carcassi)
- Unit tests to Grid3 VOs included. (carcassi)
- LDAP access improved: can access LCG dev VO. (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
- XML configuration file for mapping policy. (carcassi)
- Log infrastructure. (carcassi)
- More flexible architecture. (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper. (carcassi)
- Web interface to generate grid-mapfiles and map users. (carcassi)
- Better command line interfaces (feel like Unix commands). (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
- GUMS in production at BNL. (carcassi)
- NISMapper retrieves the GECOS field and matches it with the certificate CN. (carcassi)
- Architecture to allow different types of mappings for different hosts. (carcassi)

Release undetermined - before March 2004

Changes (by):
- Script to fetch users from VOMS. (dtyu)
- Script to map users to local accounts. (tomw)

1.1 Learning about GUMS

1.1.1 What is GUMS

What is GUMS

What does GUMS do

Implementing Site Policies

The GUMS callout interface

GUMS and other tools

The development of GUMS

GUMS in the future

1.1.2 GUMS and Privilege

GUMS and the Privilege architecture

What does GUMS do

Specifying the mapping

GUMS client tools

Workflow

GUMS in the grid architecture

1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running quickly and only need the command lines.

The pieces

Root vs non-root

Firewall and security considerations

Prepare the database

    [root@www gums-service]# cat var/sql/setupDatabase.mysql
    CREATE DATABASE GUMS_1_1;

    GRANT ALL ON GUMS_1_1.* TO 'USER'@'SERVER' IDENTIFIED BY 'PASSWORD';

    USE GUMS_1_1;

    CREATE TABLE `USER` (
      `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
      `GROUP_NAME` VARCHAR(255) NOT NULL,
      `DN` varchar(255) NOT NULL,
      `FQAN` varchar(255) default NULL
    ) TYPE=InnoDB;

    CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));

    CREATE TABLE `MAPPING` (
      `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
      `MAP` VARCHAR(255) NOT NULL,
      `DN` varchar(255) default NULL,
      `ACCOUNT` varchar(255) default NULL
    ) TYPE=InnoDB;

    CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

    [root@www sbin]# cat var/sql/addAdmin.mysql
    USE GUMS_1_1;

    INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service

    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
               sslCAFiles="/etc/grid-security/certificates/*.0"
               crlFiles="/etc/grid-security/certificates/*.r0"
               sslCertFile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/tomcat/hostkey.pem"
               log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
               clientAuth="true" sslProtocol="TLS" />

Installing the client tools

1.2 Installation

1.2.1 HOW TO VDT installation

HOW TO GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT

1.2.2 HOW TO Manual installation

HOW TO GUMS Service quick-start installation

Preparing java

    [root@gums root]# java -version
    java version "1.4.2_04"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
    Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

    [root@gums root]# cd /opt
    [root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/tomcat-5.0.28-egeesec.tar.gz
    [root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
    [root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
               sslCAFiles="/etc/grid-security/certificates/*.0"
               crlFiles="/etc/grid-security/certificates/*.r0"
               sslCertFile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/grid-security/hostkey.pem"
               log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
               clientAuth="true" sslProtocol="TLS" />

    [root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

    [root@gums root]# cd /opt
    [root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/gums-service-SNAPSHOT.tar.gz
    [root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz
    [root@gums opt]# cd gums-service/sbin
    [root@gums sbin]# ./setupDatabase
    Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

    Examples:
    setupDatabase gums gums.mysite.com secret

    This will make mysql authenticate as root with a password (-p), create a gums user with password secret, authorized to connect from gums.mysite.com

    [root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

    [root@gums sbin]# cat setupDatabase
    #!/bin/sh
    MYSQLPARAM=-p

    [root@gums sbin]# ./addAdmin
    Adds an admin in the GUMS database on localhost
    Usage: addAdmin [DN for administrator]

    Example:
    addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    [root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

    [root@gums sbin]# cd ../..
    [root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums

    <env-entry>
      <env-entry-name>updateGroupsMinutes</env-entry-name>
      <env-entry-type>java.lang.Integer</env-entry-type>
      <env-entry-value>720</env-entry-value>
    </env-entry>

Installing the client

    [root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarchrpms/gums-client-SNAPSHOT.noarch.rpm
    [root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

    [root@gums root]# cd /opt/gums/bin
    [root@gums bin]# ./gums
    usage: gums command [command-options]
    Commands:
    generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
    generateGridMapfile - Generate grid-mapfile for a given host
    manualGroup-add - Includes a DN in a group
    manualGroup-remove - Removes a DN from a group
    manualMapping-add - Adds a DN-to-username in a mapping
    manualMapping-remove - Removes a DN from a mapping
    mapUser - Local credential used for a particular user
    mapfileCache-refresh - Regerates mapfiles in the cache
    updateGroups - Contact VO servers and retrieve user lists

    For help on any command: gums command --help

    [root@gums bin]# cat /etc/gums-client.properties
    gums.location=https://localhost:8443/gums/services/GUMSAdmin
    gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

    [root@gums bin]# vi /etc/gums-client.properties
    [root@gums bin]# cat /etc/gums-client.properties
    gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
    gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

    [root@gums bin]# su - username
    [username@gums bin]$ grid-proxy-init
    [username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems

1.2.3 HOW TO Upgrade from 1.0

HOW TO Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences

Compatibility with PRIMA

Compatibility with GUMS Client

    gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"

1.3 Using GUMS

1.3.1 Configuration

Configuring GUMS

1.3.1.1 gums.config

gums.config

    <gums>
      <persistenceFactories>
        <persistenceFactory/>
      </persistenceFactories>
      <adminUserGroup/>
      <groupMappings>
        <groupMapping>
          <userGroup/>
          <accountMapping/>
        </groupMapping>
        <groupMapping>
          <userGroup/>
          <compositeAccountMapping>
            <accountMapping/>
            <accountMapping/>
            <accountMapping/>
          </compositeAccountMapping>
        </groupMapping>
      </groupMappings>
      <hostGroups>
        <hostGroup/>
      </hostGroups>
    </gums>

Understanding the GUMS configuration file

persistenceFactories

groupMappings

hostGroups

    <hostGroups>
      <!-- RHIC gatekeepers -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" />
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" />
      <!-- ATLAS test gatekeeper -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />
      <!-- Rest of ATLAS gatekeepers -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
    </hostGroups>

in the order specified

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov"
               groups="atlasProd, usatlasPool, ivdglPool" />

in the order specified

The first match will define the map.

    <groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="atlasProd"
                 voGroup="/atlas" voRole="production"
                 sslCertfile="/etc/grid-security/gumscert.pem"
                 sslKey="/etc/grid-security/gumskey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>

    <groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="osgusatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/gumscert.pem"
                 sslKey="/etc/grid-security/gumskey.pem"
                 acceptProxiesWithoutFQAN="true" />
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
        <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
      </compositeAccountMapping>
    </groupMapping>

in the order listed

persistenceFactories

    <persistenceFactories>
      <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
    </persistenceFactories>

persistenceFactory

name
  Description: The name that will be used by the other components to refer to this persistenceFactory.
  Examples: mysql, files, ldap

className
  Description: The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
  Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

    <persistenceFactory name="mysql"
        className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
        hibernate.connection.username="gums"
        hibernate.connection.password="mysecret"
        hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
        hibernate.connection.driver_class="com.mysql.jdbc.Driver"
        hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
        hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

name
  Description: The name that will be used by the other components (such as the groups attribute of a hostGroup) to refer to this groupMapping.
  Examples: atlas, star, phenix

accountingVo
  Description: The lower case OSG accounting name that will be used to generate the inverse maps for this group.
  Examples: atlas, ivdgl

accountingDesc
  Description: The upper case OSG accounting name that will be used to generate the inverse maps for this group.
  Examples: atlas, iVDgL

userGroup

className
  Description: The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
  Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup

server
  Description: The LDAP server from which to retrieve the information.
  Examples: grid-vo.nikhef.nl

query
  Description: The query to be used on the server.
  Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org ; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
  Description: The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
  Examples: mysql

name
  Description: The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
  Examples: atlas, usatlas

    <userGroup className="gov.bnl.gums.LDAPGroup" server="grid-vo.nikhef.nl"
               query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
               persistanceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

url
  Description: The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo.
  Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
  Description: The group defined within the VO.
  Examples: /atlas/test, /atlas/group/subgroup

voRole
  Description: The role defined within the VO.
  Examples: production, myrole

matchFQAN
  Description: Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    - exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
    - group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    - vo: the FQAN in the proxy has to be of the same vo
    - ignore: the FQAN in the proxy is completely ignored
  Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
  Description: Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted.
  Examples: true, false

sslCertfile
  Description: The certificate to be used to connect to VOMS.
  Examples: /etc/grid-security/hostcert.pem

sslKey
  Description: The private key to be used to connect to VOMS.
  Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
  Description: The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates).
  Examples: mysecret

sslCAFiles
  Description: The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
  Examples: /etc/grid-security/certificates/*.0

persistenceFactory
  Description: The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
  Examples: mysql

name
  Description: The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
  Examples: atlasTest, atlasGroupSubgroup

    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
               persistanceFactory="mysql" name="atlas" voGroup="/atlas/test"
               sslCertfile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualGroup

persistenceFactory
  Description: The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
  Examples: mysql

name
  Description: The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
  Examples: test, testbedA, admins

    <userGroup className="gov.bnl.gums.ManualUserGroup" persistanceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping

className
  Description: The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
  Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

jndiNisUrl
  Description: The url, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain.
  Examples: nis://nis.bnl.gov/atlas

    <accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

jndiLdapUrl
  Description: The url, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain.
  Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

    <accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper

persistenceFactory
  Description: The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
  Examples: mysql

name
  Description: The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
  Examples: mysitePool, osgPool

    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

groupName
  Description: The name of the account.
  Examples: atlas, testAccount

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup

className
  Description: The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
  Examples: gov.bnl.gums.CertificateHostGroup

groups
  Description: A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there is more than one match (i.e. a user is part of more groups), the first one in the list is used.
  Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

wildcard
  Description: The wildcard for the set of hosts to be included. The wildcard is a string where '*' can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
  Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org

    <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov"
               groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup

cn
  Description: The wildcard on the CN for the set of services to be included. The cn is a string where '*' can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
  Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
  Description: The wildcard on the DN for the set of services to be included. The wildcard is a string where '*' can be substituted with any character except '.', '/' or '='.
  Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"
               groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />
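The following is an added example, not code from GUMS itself: a small Python model of the decision described in this section and in the VOMSGroup matchFQAN table above. It picks the first hostGroup whose cn wildcard matches the service CN (with '*' excluding '.', '/' and '=', as the cn attribute describes), then walks that host group's groupMappings in order and applies the four matchFQAN modes. The DNs, membership lists and account names are constructed stand-ins for what VOMS, LDAP or a manual group would return.

```python
"""Added example (not GUMS code): a small model of how the hostGroup and
groupMapping sections described above resolve (service DN, user DN, FQAN) to a
local account.  Membership lists are constructed here in place of the
VOMS/LDAP/manual lookups the real service performs."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


def cn_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' stands for any run of characters except '.', '/' and '=', so
    '*.bnl.gov' matches 'gk.bnl.gov' but not 'myhost.usatlas.bnl.gov'."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "[^./=]*".join(parts) + "$")


def service_cn(service_dn: str) -> str:
    """CN of a DN like '/DC=org/DC=doegrids/OU=Services/CN=gk.mysite.com'."""
    for rdn in service_dn.split("/"):
        if rdn.startswith("CN="):
            return rdn[len("CN="):]
    raise ValueError("service DN has no CN: %s" % service_dn)


def parse_fqan(fqan: str) -> Tuple[str, Optional[str]]:
    """'/atlas/usatlas/Role=production/Capability=NULL' -> ('/atlas/usatlas',
    'production'); a missing role or Role=NULL gives None."""
    group_parts, role = [], None
    for part in fqan.strip("/").split("/"):
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif not part.startswith("Capability="):
            group_parts.append(part)
    if role in ("", "NULL"):
        role = None
    return "/" + "/".join(group_parts), role


def fqan_matches(mode: str, fqan: str, vo_group: str, vo_role: Optional[str]) -> bool:
    """The four matchFQAN modes of the VOMSGroup userGroup."""
    if mode == "ignore":
        return True
    group, role = parse_fqan(fqan)
    if mode == "exact":
        return group == vo_group and role == vo_role
    if mode == "group":  # same group or any subgroup; role ignored
        return group == vo_group or group.startswith(vo_group.rstrip("/") + "/")
    if mode == "vo":  # only the VO (first path component) has to agree
        return group.split("/")[1] == vo_group.split("/")[1]
    raise ValueError("unknown matchFQAN mode: %s" % mode)


@dataclass
class GroupMapping:
    members: FrozenSet[str]            # DNs the userGroup would return (constructed)
    vo_group: str                      # voGroup attribute
    account: str                       # what a GroupAccountMapper would assign
    vo_role: Optional[str] = None      # voRole attribute
    match_fqan: str = "exact"          # matchFQAN attribute
    accept_without_fqan: bool = False  # acceptProxyWithoutFQAN attribute


@dataclass
class HostGroup:
    cn: str            # CertificateHostGroup cn wildcard
    groups: List[str]  # groupMapping names, in order of preference


def map_user(host_groups: List[HostGroup], group_mappings: Dict[str, GroupMapping],
             service_dn: str, user_dn: str, fqan: Optional[str] = None) -> Optional[str]:
    """First matching hostGroup defines the map; inside it the first groupMapping
    the user belongs to (with an acceptable FQAN) wins."""
    cn = service_cn(service_dn)
    host = next((h for h in host_groups if cn_wildcard_to_regex(h.cn).match(cn)), None)
    if host is None:
        return None
    for name in host.groups:
        g = group_mappings[name]
        if user_dn not in g.members:
            continue
        if fqan is None:
            if not g.accept_without_fqan:
                continue  # plain (non-VOMS) proxy not accepted by this group
        elif not fqan_matches(g.match_fqan, fqan, g.vo_group, g.vo_role):
            continue
        return g.account
    return None


# Constructed configuration mirroring the "Mapping based on groups/roles" example.
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 12345"  # constructed DN
GROUP_MAPPINGS = {
    "usatlasProd": GroupMapping(frozenset({ALICE}), "/atlas", "usatprod", vo_role="production"),
    "usatlas": GroupMapping(frozenset({ALICE}), "/atlas/usatlas", "usatlas1",
                            accept_without_fqan=True),
}
HOST_GROUPS = [
    HostGroup("*.mysite.com", ["usatlasProd", "usatlas"]),
    HostGroup("*.bnl.gov", ["usatlas"]),
]
GATEKEEPER = "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"  # constructed

if __name__ == "__main__":
    for fqan in ("/atlas/Role=production", "/atlas/usatlas", None):
        print(fqan, "->", map_user(HOST_GROUPS, GROUP_MAPPINGS, GATEKEEPER, ALICE, fqan))
```

Note that with the default exact matching a proxy carrying /atlas/usatlas/Role=production maps to nothing here, because neither groupMapping names exactly that group and role; this is the kind of case the group and vo modes exist for.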

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"
                 matchFQAN="VO" acceptProxyWithoutFQAN="true" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing an ad-hoc list of people

    <groupMapping name="testers">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

    > bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem" />
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
      </compositeAccountMapping>
    </groupMapping>

Mapping based on groups/roles

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>

    <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlasProd"
                 voGroup="/atlas" voRole="production"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />

1 3 1 2 E X A M P L E S 42

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

132 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1 3 2 G U M S C O M M A N D S 43

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1321 bingums

bingums

Authentication and authorization

bingums commands

[carcassiatestgk01 ~]$ optgumsbingumsusage gums command [command-options]CommandsgenerateGrid3UserVoMap - Generate grid3-user-vo-maptxt for a given servicehostgenerateGridMapfile - Generate grid-mapfile for a given servicehostmanualGroup-add - Includes a DN in a groupmanualGroup-remove - Removes a DN from a groupmanualMapping-add - Adds a DN-to-username in a mappingmanualMapping-remove - Removes a DN from a mappingmapUser - Local credential used for a particular usermapfileCache-refresh - Regerates mapfiles in the cachepool-addRange - Adds accounts to an account poolupdateGroups - Contact VO servers and retrieve user listsversion - Retrieve GUMS client version

For help on any commandgums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
  -s, --service <arg>    DN of the service. When using gums-host it defaults to the host credential DN.
  -f, --fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init. No extended information by default.
  -t, --timing <arg>     Enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
  -b, --bypassCallout    Connects directly to GUMS instead of using the callout.
  -i, --issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
  -n, --ntimes <arg>     Number of times the request will be repeated.
  --help                 Print this message.

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
    persistenceFactory="mysql" name="myvo" voGroup="/myvo"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1"/>
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add


[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
  -s, --service <arg>    DN of the service. When using gums-host it defaults to the host credential DN.
  -f, --fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init. No extended information by default.
  -t, --timing <arg>     Enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
  -b, --bypassCallout    Connects directly to GUMS instead of using the callout.
  -i, --issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
  -n, --ntimes <arg>     Number of times the request will be repeated.
  --help                 Print this message.

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile


[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
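The grid-mapfile and grid3-user-vo-map.txt outputs shown for both bin/gums and bin/gums-host share one line format each: a double-quoted DN followed by a local account, and an "account VO" pair preceded by the #voi/#VOc header lines. The Python below is an added example, not GUMS code and not part of this documentation; it parses both formats as they are shown above and cross-checks them before the files are installed on a gatekeeper: a DN mapped to two different accounts is rejected, the #voi/#VOc pair must be present and of equal length, every VO named in the inverse map must be declared in #voi, and accounts present in the grid-mapfile but absent from the inverse map are reported. The sample file contents and the function names are constructed for the example.

```python
import re

# Constructed sample: the grid-mapfile lines printed by generateGridMapfile above.
GRID_MAPFILE = '''#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
'''

# Constructed sample: the inverse map printed by generateGrid3UserVoMap above.
USER_VO_MAP = '''#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
'''

# A grid-mapfile entry: a quoted DN (DNs contain spaces, so quotes are
# mandatory), whitespace, then the local account name.
_MAPFILE_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<account>\S+)\s*$')


def parse_grid_mapfile(text):
    """Return {dn: account}; raise ValueError on a malformed or conflicting line."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _MAPFILE_LINE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a "<DN>" account pair: {raw!r}')
        dn, account = m.group('dn'), m.group('account')
        # One DN mapped to two accounts is ambiguous: the gatekeeper would
        # silently use whichever entry it reads first.
        if mapping.get(dn, account) != account:
            raise ValueError(f'line {lineno}: DN {dn!r} already mapped to {mapping[dn]!r}')
        mapping[dn] = account
    return mapping


def parse_user_vo_map(text):
    """Return (accounts, vo_case): accounts maps account -> lowercase VO,
    vo_case maps lowercase VO -> mixed-case VO from the #voi/#VOc header."""
    voi, voc, accounts = None, None, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith('#voi '):
            voi = line.split()[1:]
        elif line.startswith('#VOc '):
            voc = line.split()[1:]
        elif not line or line.startswith('#'):
            continue
        else:
            parts = line.split()
            if len(parts) != 2:
                raise ValueError(f'line {lineno}: expected "account VO": {raw!r}')
            accounts[parts[0]] = parts[1]
    if voi is None or voc is None or len(voi) != len(voc):
        raise ValueError('#voi and #VOc header lines missing or of different length')
    vo_case = dict(zip(voi, voc))
    undeclared = sorted(set(accounts.values()) - set(vo_case))
    if undeclared:
        raise ValueError(f'accounts reference VOs not declared in #voi: {undeclared}')
    return accounts, vo_case


def accounts_without_vo(grid_mapfile, user_vo_map):
    """Accounts used in the grid-mapfile that the inverse map does not cover."""
    mapping = parse_grid_mapfile(grid_mapfile)
    accounts, _ = parse_user_vo_map(user_vo_map)
    return sorted(set(mapping.values()) - set(accounts))


if __name__ == '__main__':
    print(parse_grid_mapfile(GRID_MAPFILE))
    print(parse_user_vo_map(USER_VO_MAP))
    print('uncovered accounts:', accounts_without_vo(GRID_MAPFILE, USER_VO_MAP))
```

Run it against the two files a GUMS client writes for a gatekeeper and any non-empty result from accounts_without_vo means jobs can run under an account whose usage would not be attributed to a VO.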


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version       Date               Description
1.1.0         2005-07-20
1.0.1         2005-04-07
1.0.0         2005-03-16
0.7.1         2005-02-01
0.7           2005-01-14
0.6.1         2004-08-10
0.6           2004-07-01
0.5           2004-05-20
undetermined  before March 2004

Release 1.1.0 - 2005-07-20

Type Changes By

Review GUMS maven structure (i.e. plug-in dependencies, project.xml)  carcassi
Fix tomcat deployment in build (i.e. dev server being down once in a while)  carcassi
Mapping according to Gecos field available in both NIS and LDAP  carcassi
One can filter on the full CN of a host certificate  carcassi
The Service Certificate DN is now the identifier for hosts and machines  carcassi
Release version in command line  carcassi


If gums.config isn't found the first time, a tomcat restart was needed  carcassi
Minor updates to the web interface  carcassi
VOMS Admin v1.0.x (gLite) compatibility  carcassi
Support for mapfile cache terminated: web service door only  carcassi
FQAN allows for -, _ and . in the vo, group, role and capability  carcassi
DB reviewed: better indexing and transaction use  carcassi
Updating from VOMS is no longer blocking  carcassi

Release 1.0.1 - 2005-04-07

Type Changes By

Including setupDatabase with the modification made for VDT  carcassi
gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package)  carcassi
Error code from scripts was incorrect; that caused cron job to update maps in case of error too  carcassi

Release 1.0.0 - 2005-03-16

Type Changes By

Repackaging of the client components: merged admin and host and named it client  carcassi
Fixed minor issues with authorization obligations for storage system  mlorch
Double add to a manual group now fails  carcassi


Script that creates the database and changes the configuration accordingly  carcassi
Repackaging of the service component  carcassi
Server identity is now gums host name  carcassi
GUMS accepts new style proxies  carcassi
The accounts in the pool are used in alphabetical order  carcassi
Inverse map is now generated exploring all the DN/FQAN combinations  carcassi
Gridmapfile is generated simulating users with no FQAN  carcassi
LDAP integration for primary gid change at BNL once an account is assigned  carcassi

Release 0.7.1 - 2005-02-01

Type Changes By

Log names reviewed so that both client and server can stay (through links) in the same directory  carcassi
NIS update is done every hour and is now thread safe  carcassi
Log file permissions for the command line tools are set so multiple users can use it (important for admin)  carcassi
GUMS host can now be used for stress testing and timing the server response  carcassi
Added connection pooling on mysql server  carcassi
Solved a race condition that would make GUMS hang in some circumstances  carcassi
AuthZ callout without GT3, both client and server stubs  mlorch
Added code for Privilege Project in GUMS repository and build process  carcassi


Release 0.7 - 2005-01-14

Type Changes By

Better logging: server logs all commands with both input and output  carcassi
More complete command line interface  carcassi
Web service implementation  carcassi
HostWildcards can be more than one, comma separated  carcassi
Support for VOMS Fully Qualified Attribute names  carcassi
AuthZ service to be contacted by Globus callout  carcassi
Support for grid3-user-vo-map.txt generation  carcassi
Many many other refinements  carcassi

Release 0.6.1 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven  carcassi
Removed all the old code from 0.6  carcassi
Better log system: logs for developer, resource admin and site admin in place  carcassi
Ability to retrieve groups from within a VOMS server (finally)  carcassi
No more duplication in the mapfiles  carcassi
Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated  carcassi
Improved error handling (i.e. a failed update on one group doesn't block the others)  carcassi


Installation through RPMs (cron jobs installed automatically)  carcassi
Unit tests to Grid3 VOs included  carcassi
LDAP access improved: can access LCG dev VO  carcassi

Release 0.6 - 2004-07-01

Type Changes By

XML configuration file for mapping policy  carcassi
Log infrastructure  carcassi
More flexible architecture  carcassi
Decoupled grid-mapfile generation from database caching for distribution on gatekeeper  carcassi
Web interface to generate grid-mapfiles and map users  carcassi
Better command line interfaces (feel like Unix commands)  carcassi

Release 0.5 - 2004-05-20

Type Changes By

GUMS in production at BNL  carcassi
NISMapper: retrieves the GECOS field and matches with certificate CN  carcassi
Architecture to allow different type of mappings for different hosts  carcassi

Release undetermined - before March 2004


Type Changes By

Script to fetch user from VOMS  dtyu
Script to map user to local account  tomw


1.1.1 What is GUMS

What is GUMS

What does GUMS do

Implementing Site Policies


The GUMS callout interface

GUMS and other tools

The development of GUMS


GUMS in the future


1.1.2 GUMS and Privilege

GUMS and the Privilege architecture

What does GUMS do

Specifying the mapping


GUMS client tools

Workflow


GUMS in the grid architecture


1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and need the command line.

The pieces


Root vs non-root

Firewall and security considerations

Prepare the database

[root@www gums-service]# cat var/sql/setupDatabase.mysql
CREATE DATABASE GUMS_1_1;

GRANT ALL ON GUMS_1_1.* TO 'USER'@'SERVER' IDENTIFIED BY 'PASSWORD';

USE GUMS_1_1;

CREATE TABLE `USER` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `GROUP_NAME` VARCHAR(255) NOT NULL,
  `DN` varchar(255) NOT NULL,
  `FQAN` varchar(255) default NULL
) TYPE=InnoDB;

CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));

CREATE TABLE `MAPPING` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `MAP` VARCHAR(255) NOT NULL,
  `DN` varchar(255) default NULL,
  `ACCOUNT` varchar(255) default NULL
) TYPE=InnoDB;

CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

[root@www sbin]# cat var/sql/addAdmin.mysql
USE GUMS_1_1;

INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service


<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
  enableLookups="false" disableUploadTimeout="true"
  acceptCount="100" debug="0" scheme="https" secure="true"
  sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
  sslCAFiles="/etc/grid-security/certificates/*.0"
  crlFiles="/etc/grid-security/certificates/*.r0"
  sslCertFile="/etc/grid-security/hostcert.pem"
  sslKey="/etc/tomcat/hostkey.pem"
  log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
  clientAuth="true" sslProtocol="TLS"/>


Installing the client tools


1.2 Installation


1.2.1 HOW TO VDT installation

HOW TO GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


1.2.2 HOW TO Manual installation

HOW TO GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
  enableLookups="false" disableUploadTimeout="true"
  acceptCount="100" debug="0" scheme="https" secure="true"
  sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
  sslCAFiles="/etc/grid-security/certificates/*.0"
  crlFiles="/etc/grid-security/certificates/*.r0"
  sslCertFile="/etc/grid-security/hostcert.pem"
  sslKey="/etc/grid-security/hostkey.pem"
  log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
  clientAuth="true" sslProtocol="TLS"/>

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Examples:
setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password secret, authorized to connect from gums.mysite.com

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost
Usage: addAdmin [DN for administrator]

Example:
addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd ../..
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums


<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
  generateGridMapfile    - Generate grid-mapfile for a given host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  updateGroups           - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO Upgrade from 1.0

HOW TO Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory/>
  </persistenceFactories>
  <adminUserGroup/>
  <groupMappings>
    <groupMapping>
      <userGroup/>
      <accountMapping/>
    </groupMapping>
    <groupMapping>
      <userGroup/>
      <compositeAccountMapping>
        <accountMapping/>
        <accountMapping/>
        <accountMapping/>
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup/>
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov"/>
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov"/>
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov"/>
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"/>
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd, usatlasPool, ivdglPool"/>

in the order specified

The first match will define the map.


<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlasProd"
    voGroup="/atlas" voRole="production"
    sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="osgusatlas"
    voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"
    acceptProxiesWithoutFQAN="true"/>
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
  </compositeAccountMapping>
</groupMapping>


in the order listed

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory"/>
</persistenceFactories>

persistenceFactory

Attribute Description Examples

name: The name that will be used by the other components to refer to this persistenceFactory. Examples: mysql, files, ldap

className: The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory. Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name="mysql"
  className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
  hibernate.connection.username="gums"
  hibernate.connection.password="mysecret"
  hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
  hibernate.connection.driver_class="com.mysql.jdbc.Driver"
  hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
  hibernate.connection.pool_size="3"/>

adminUserGroup

groupMappings

groupMapping

Attribute Description Examples

name: The name that will be used by the other components to refer to this groupMapping. Examples: atlas, star, phenix

accountingVo: The lower case OSG accounting name that will be used to generate the inverse maps for this group. Examples: atlas, ivdgl

accountingDesc: The upper case OSG accounting name that will be used to generate the inverse maps for this group. Examples: atlas, iVDgL

userGroup

Attribute Description Examples

className: The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup. Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup


Attribute Description Examples

server: The LDAP server from which to retrieve the information. Examples: grid-vo.nikhef.nl

query: The query to be used on the server. Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory: The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section. Examples: mysql

name: The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself. Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
  server="grid-vo.nikhef.nl"
  query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
  persistenceFactory="mysql" name="atlas"/>

govbnlgumsVOMSGroup

Attribute Description Examples

url The url of the web services for VOMS Noticethat it needs the full url of the service it wontbe constructed from the server name or vo

httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdmin

voGroup The group defined within the VO atlastestatlasgroupsubgroup

voRole The role defined within the VO productionmyrole


Attribute        Description (examples)

matchFQAN        Defines how the VOMS attribute (or role) is matched. There are 4 possible
                 ways:
                 - exact (default): the FQAN in the proxy has to be the same as what voGroup
                   and voRole specify
                 - group: the FQAN in the proxy has to be the same group or any subgroup;
                   the role is ignored
                 - vo: the FQAN in the proxy has to be of the same vo
                 - ignore: the FQAN in the proxy is completely ignored
                 Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
                 Defines whether normal proxies, that is non-VOMS proxies, are to be accepted.
                 If true, a non-VOMS proxy with the DN as part of the group will be accepted.
                 Examples: true, false

sslCertfile      The certificate to be used to connect to VOMS.
                 Examples: /etc/grid-security/hostcert.pem

sslKey           The private key to be used to connect to VOMS.
                 Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd     The password of the key to be used to connect to VOMS. Do not set if the key
                 doesn't have a password (such as when using host certificates).
                 Examples: mysecret

sslCAFiles       The set of CA certificate files to be used to connect to VOMS. The value is a
                 wildcard that matches the cert files.
                 Examples: /etc/grid-security/certificates/*.0

persistenceFactory
                 The persistence layer to be used to store locally the list of users. The
                 string must be one of the names defined within the persistenceFactories
                 section. Examples: mysql

name             The name of the cache within the persistence factory. Refer to the specifics
                 of the persistence factory itself. Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
           url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
           persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
           sslCertfile="/etc/grid-security/hostcert.pem"
           sslKey="/etc/grid-security/hostkey.pem" />
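The four matchFQAN modes and the acceptProxyWithoutFQAN switch decide whether a credential is treated as a member of a VOMS-backed group. The following Python is an added illustration of those semantics as the table above describes them; it is not GUMS code, and the function names, the FQAN parser and the sample DNs are my own assumptions.

```python
"""FQAN matching modes for a VOMS-backed user group (added example, not GUMS code)."""


def parse_fqan(fqan):
    """Split a VOMS FQAN such as /atlas/usatlas/Role=production/Capability=NULL
    into (group, role); a missing or NULL role becomes None."""
    if not fqan.startswith("/"):
        raise ValueError("FQAN must start with '/': %r" % fqan)
    group_parts, role = [], None
    for part in fqan.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            continue  # the capability is not used for matching here
        elif not part or "=" in part:
            raise ValueError("malformed FQAN component %r in %r" % (part, fqan))
        else:
            group_parts.append(part)
    if role in ("", "NULL"):
        role = None
    return "/" + "/".join(group_parts), role


def fqan_matches(mode, vo_group, vo_role, fqan):
    """Apply one matchFQAN mode (exact, group, vo, ignore) to the FQAN carried by
    a proxy. The mode is compared case-insensitively so matchFQAN="VO" works."""
    mode = mode.lower()
    if mode == "ignore":
        return True
    group, role = parse_fqan(fqan)
    if mode == "exact":
        # group and role must both equal what voGroup/voRole specify
        return group == vo_group and role == vo_role
    if mode == "group":
        # same group or any subgroup; the role is ignored
        return group == vo_group or group.startswith(vo_group + "/")
    if mode == "vo":
        # only the VO (first path component) has to agree
        return group.split("/")[1] == vo_group.split("/")[1]
    raise ValueError("unknown matchFQAN mode %r" % mode)


def is_member(members, dn, fqan, vo_group, vo_role=None, match_fqan="exact",
              accept_proxy_without_fqan=False):
    """Decide whether the credential (dn, fqan) belongs to the user group.

    members is the locally cached set of DNs retrieved from VOMS. fqan is None
    for a plain (non-VOMS) proxy, which is accepted only when
    acceptProxyWithoutFQAN is true."""
    if dn not in members:
        return False
    if fqan is None:
        return accept_proxy_without_fqan
    return fqan_matches(match_fqan, vo_group, vo_role, fqan)


# Constructed sample data (assumed DNs, not from the page).
USATLAS_MEMBERS = {
    "/DC=org/DC=doegrids/OU=People/CN=Alice Example 111111",
    "/DC=org/DC=doegrids/OU=People/CN=Bob Example 222222",
}

if __name__ == "__main__":
    alice = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 111111"
    print(is_member(USATLAS_MEMBERS, alice, "/atlas/Role=production", "/atlas", "production"))
    print(is_member(USATLAS_MEMBERS, alice, "/atlas/usatlas", "/atlas/test", match_fqan="vo"))
```

Note that a non-VOMS proxy never reaches the FQAN comparison: with acceptProxyWithoutFQAN left at false, a member DN presenting a plain proxy is rejected even in vo or ignore mode, which is the behaviour a site usually wants when the group is meant to carry role information.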

gov.bnl.gums.ManualGroup

Attribute        Description (examples)

persistenceFactory
                 The persistence layer to be used to store the list of users. The string must
                 be one of the names defined within the persistenceFactories section.
                 Examples: mysql

name             The name of the group within the persistence factory. Refer to the specifics
                 of the persistence factory itself. Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


Attribute        Description (examples)

className        The class that is going to provide the implementation for the mapping. It
                 must implement gov.bnl.gums.AccountMapping.
                 Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper,
                 gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper,
                 gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attribute        Description (examples)

jndiNisUrl       The url, as defined in the Java JNDI driver, that allows to specify the NIS
                 server and the domain. Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attribute        Description (examples)

jndiLdapUrl      The url, as defined in the Java JNDI driver, that allows to specify the LDAP
                 server and the domain. Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper"
                jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper


Attribute        Description (examples)

persistenceFactory
                 The persistence layer to be used to store the pool mapping. The string must
                 be one of the names defined within the persistenceFactories section.
                 Examples: mysql

name             The name of the pool within the persistence factory. Refer to the specifics
                 of the persistence factory itself. Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attribute        Description (examples)

groupName        The name of the account. Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


Attribute        Description (examples)

className        The class that is going to provide the implementation for the hostGroup. It
                 must implement gov.bnl.gums.HostGroup.
                 Examples: gov.bnl.gums.CertificateHostGroup

groups           A list of groupMappings in the order of preference. To determine which group
                 should be used for a particular user, GUMS will start from the beginning of
                 the list until it finds a match. Therefore, if there would be more than one
                 match (i.e. a user is part of more groups), the first one in the list is used.
                 Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute        Description (examples)

wildcard         The wildcard for the set of hosts to be included. The wildcard is a string
                 where * can be substituted with any character except '.'. That is,
                 *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
                 Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov"
           groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup


Attribute        Description (examples)

cn               The wildcard on the CN for the set of services to be included. The cn is a
                 string where * can be substituted with any character except '.', '/' or '='.
                 That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
                 Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org,
                 host/*.mysite.org, gridftp/*.mysite.org

dn               The wildcard on the DN for the set of services to be included. The wildcard
                 is a string where * can be substituted with any character except '/' or '='.
                 Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"
           groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />
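Two rules from the hostGroup reference above matter in practice: the restricted wildcard (a * in a cn never spans '.', '/' or '=', so *.bnl.gov does not cover sub-domains or host/ service prefixes) and the first-match walk over the groups list. The Python below is an added example of both, not GUMS code; the wildcard-to-regex helper, the CertificateHostGroup class, the simplified membership table (one account per groupMapping, as a GroupAccountMapper would give) and the sample DNs are my own.

```python
"""Host-group wildcard matching and the first-match rule (added example, not GUMS code)."""
import re


def wildcard_to_regex(pattern, excluded):
    """Compile a wildcard such as '*.mysite.com' where '*' may not span any
    character listed in `excluded`."""
    star = "[^" + re.escape(excluded) + "]*"
    return re.compile("^" + star.join(re.escape(p) for p in pattern.split("*")) + "$")


def cn_of(service_dn):
    """Return the CN of an OpenSSL-style DN (/DC=org/.../CN=host/gk.site.org).
    The CN is the last RDN, so everything after '/CN=' belongs to it, including
    the '/' inside a service CN such as host/gk.site.org."""
    idx = service_dn.find("/CN=")
    if idx < 0:
        raise ValueError("no CN in %r" % service_dn)
    return service_dn[idx + len("/CN="):]


class CertificateHostGroup:
    """Model of a CertificateHostGroup: one of cn or dn, plus an ordered list
    of groupMapping names."""

    def __init__(self, groups, cn=None, dn=None):
        if (cn is None) == (dn is None):
            raise ValueError("specify exactly one of cn or dn")
        self.groups = list(groups)
        self.cn_re = wildcard_to_regex(cn, "./=") if cn is not None else None
        self.dn_re = wildcard_to_regex(dn, "/=") if dn is not None else None

    def matches(self, service_dn):
        if self.cn_re is not None:
            return self.cn_re.match(cn_of(service_dn)) is not None
        return self.dn_re.match(service_dn) is not None


def groups_for_service(host_groups, service_dn):
    """The ordered groupMapping names the first matching hostGroup gives a service."""
    for hg in host_groups:
        if hg.matches(service_dn):
            return list(hg.groups)
    return []


def map_user(host_groups, memberships, service_dn, user_dn):
    """First-match rule: walk the service's group list in order and return the
    account of the first groupMapping the user belongs to, else None.

    memberships maps groupMapping name -> (set of member DNs, account)."""
    for name in groups_for_service(host_groups, service_dn):
        members, account = memberships[name]
        if user_dn in members:
            return account
    return None


# Constructed sample modelled on the "Mapping based on groups/roles" example.
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 111111"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 222222"
HOST_GROUPS = [
    CertificateHostGroup(groups=["usatlasProd", "usatlas"], cn="*.mysite.com"),
    CertificateHostGroup(groups=["testers"], dn="/DC=org/DC=doegrids/OU=Services/CN=*.test.org"),
]
MEMBERSHIPS = {
    "usatlasProd": ({ALICE}, "usatprod"),
    "usatlas": ({ALICE, BOB}, "usatlas1"),
    "testers": ({BOB}, "test"),
}

if __name__ == "__main__":
    gk = "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
    print(groups_for_service(HOST_GROUPS, gk), map_user(HOST_GROUPS, MEMBERSHIPS, gk, ALICE))
```

Because the walk stops at the first membership hit, the order in groups= is a policy decision: putting usatlasProd before usatlas is what makes a production-role holder land on usatprod rather than the generic usatlas1 account.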


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"
             matchFQAN="VO" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing an ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />
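The examples above all rely on names lining up across sections: every persistenceFactory attribute must name an entry of persistenceFactories, and every name in a hostGroup's groups list must be a defined groupMapping. A dangling reference is easy to introduce when copying a block between files. The Python below is an added consistency checker for such a configuration, not a GUMS tool: the element layout follows the reference and examples on this page, but the root element name <gums>, the bare <persistenceFactory name=.../> (its other attributes omitted) and the sample document with two deliberate mistakes are my own assumptions.

```python
"""Reference checks for a gums.config fragment (added example, not a GUMS tool)."""
import xml.etree.ElementTree as ET

USER_GROUP_CLASSES = {"gov.bnl.gums.LDAPGroup", "gov.bnl.gums.VOMSGroup",
                      "gov.bnl.gums.ManualUserGroup"}
ACCOUNT_MAPPING_CLASSES = {"gov.bnl.gums.ManualAccountMapper", "gov.bnl.gums.GecosLdapAccountMapper",
                           "gov.bnl.gums.GecosNisAccountMapper", "gov.bnl.gums.AccountPoolMapper",
                           "gov.bnl.gums.GroupAccountMapper"}
HOST_GROUP_CLASSES = {"gov.bnl.gums.CertificateHostGroup", "gov.bnl.gums.WildcardHostGroup"}
# classes whose state lives in a persistence factory and so need a valid persistenceFactory
NEEDS_FACTORY = {"gov.bnl.gums.LDAPGroup", "gov.bnl.gums.VOMSGroup", "gov.bnl.gums.ManualUserGroup",
                 "gov.bnl.gums.ManualAccountMapper", "gov.bnl.gums.AccountPoolMapper"}


def check_config(xml_text):
    """Return a list of problem descriptions; an empty list means all references resolve."""
    root = ET.fromstring(xml_text)
    problems = []
    factories = {pf.get("name") for pf in root.iter("persistenceFactory")}
    mappings = set()

    for gm in root.iter("groupMapping"):
        name = gm.get("name")
        if name in mappings:
            problems.append("duplicate groupMapping name %r" % name)
        mappings.add(name)
        if gm.find("userGroup") is None:
            problems.append("groupMapping %r has no userGroup" % name)
        for el in gm.iter():
            if el.tag == "userGroup":
                allowed = USER_GROUP_CLASSES
            elif el.tag == "accountMapping":
                allowed = ACCOUNT_MAPPING_CLASSES
            else:
                continue
            cls = el.get("className")
            if cls not in allowed:
                problems.append("%s in groupMapping %r: unknown className %r" % (el.tag, name, cls))
            if cls in NEEDS_FACTORY and el.get("persistenceFactory") not in factories:
                problems.append("%s in groupMapping %r references undefined persistenceFactory %r"
                                % (el.tag, name, el.get("persistenceFactory")))

    for hg in root.iter("hostGroup"):
        cls = hg.get("className")
        label = hg.get("cn") or hg.get("dn") or hg.get("wildcard") or "?"
        if cls not in HOST_GROUP_CLASSES:
            problems.append("hostGroup %r: unknown className %r" % (label, cls))
        elif cls == "gov.bnl.gums.WildcardHostGroup":
            problems.append("hostGroup %r uses deprecated gov.bnl.gums.WildcardHostGroup" % label)
        for g in (s.strip() for s in hg.get("groups", "").split(",")):
            if g and g not in mappings:
                problems.append("hostGroup %r references undefined groupMapping %r" % (label, g))
    return problems


# Constructed sample: the 'testers' mapping points at a factory that does not exist
# and the hostGroup lists a groupMapping ('staff') that is never defined.
SAMPLE_CONFIG = """<gums version="1.1">
  <persistenceFactories>
    <persistenceFactory name="mysql"/>
  </persistenceFactories>
  <groupMappings>
    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
    </groupMapping>
    <groupMapping name="testers">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers"/>
      <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="oracle" name="pool1"/>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas, testers, staff"/>
  </hostGroups>
</gums>"""

if __name__ == "__main__":
    for p in check_config(SAMPLE_CONFIG):
        print(p)
```

Running this before restarting Tomcat catches the two classes of mistake that otherwise only show up as a failed mapping at request time.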


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
 -s,--service <arg>   DN of the service. When using gums-host it defaults to the host
                      credential DN.
 -f,--fqan <arg>      Fully Qualified Attribute Name as it would be selected using
                      voms-proxy-init; no extended information by default.
 -t,--timing <arg>    enables timing, grouping the requests. For example, -t 100 will give
                      you timing information on 100 requests at a time.
 -b,--bypassCallout   connects directly to GUMS instead of using the callout.
 -i,--issuer <arg>    Fully Qualified Attribute Name Issuer, that is the DN of the VOMS
                      service that issued the attribute certificate.
 -n,--ntimes <arg>    number of times the request will be repeated.
    --help            print this message.

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
             persistenceFactory="mysql" name="myvo" voGroup="/myvo"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40
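Both pool-addRange invocations on this page (grid0000-199 in the "Using account pools" example and grid0020-40 here) give a range as prefix, zero-padded first number, dash, last number. The Python below is an added example of expanding such a range and of handing pool accounts out in alphabetical order, the behaviour the 1.0.0 release notes state for AccountPoolMapper; it is not GUMS code, the range grammar is my reading of the two invocations, and the AccountPool class is my own simplification.

```python
"""pool-addRange expansion and pool assignment (added example, not GUMS code)."""
import re

# prefix, zero-padded first number (its width fixes the padding), dash, last number
_RANGE_RE = re.compile(r"^(?P<prefix>.*?)(?P<first>\d+)-(?P<last>\d+)$")


def expand_pool_range(spec):
    """'grid0020-40' -> ['grid0020', 'grid0021', ..., 'grid0040']."""
    m = _RANGE_RE.match(spec)
    if not m:
        raise ValueError("range must look like prefixNNNN-MMM: %r" % spec)
    prefix, first, last = m.group("prefix"), m.group("first"), m.group("last")
    width, lo, hi = len(first), int(first), int(last)
    if hi < lo:
        raise ValueError("last account %d precedes first %d in %r" % (hi, lo, spec))
    if len(str(hi)) > width:
        raise ValueError("last number %d does not fit in %d digits" % (hi, width))
    return ["%s%0*d" % (prefix, width, n) for n in range(lo, hi + 1)]


class AccountPool:
    """Minimal model of an account pool: accounts are handed out in alphabetical
    order and a DN keeps the account it was first given."""

    def __init__(self):
        self.accounts = {}  # account -> owning DN, or None while still free

    def add_range(self, spec):
        """Add the accounts of a range to the pool; returns the ones that were new."""
        added = []
        for acct in expand_pool_range(spec):
            if acct not in self.accounts:
                self.accounts[acct] = None
                added.append(acct)
        return added

    def free_count(self):
        return sum(1 for owner in self.accounts.values() if owner is None)

    def assign(self, dn):
        """Return the account for dn, allocating the first free one if needed;
        None when the pool is exhausted."""
        for acct, owner in self.accounts.items():
            if owner == dn:
                return acct
        for acct in sorted(self.accounts):
            if self.accounts[acct] is None:
                self.accounts[acct] = dn
                return acct
        return None


if __name__ == "__main__":
    pool = AccountPool()
    print(len(pool.add_range("grid0000-199")), "accounts added")
    print(pool.assign("/DC=org/DC=doegrids/OU=People/CN=Alice Example 111111"))
```

Since pooled accounts are a finite resource shared by everyone a VO sends, it is worth tracking free_count() and alerting well before it reaches zero: an exhausted pool shows up to users as a mapping failure at job submission.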


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
 -s,--service <arg>   DN of the service. When using gums-host it defaults to the host
                      credential DN.
 -f,--fqan <arg>      Fully Qualified Attribute Name as it would be selected using
                      voms-proxy-init; no extended information by default.
 -t,--timing <arg>    enables timing, grouping the requests. For example, -t 100 will give
                      you timing information on 100 requests at a time.
 -b,--bypassCallout   connects directly to GUMS instead of using the callout.
 -i,--issuer <arg>    Fully Qualified Attribute Name Issuer, that is the DN of the VOMS
                      service that issued the attribute certificate.
 -n,--ntimes <arg>    number of times the request will be repeated.
    --help            print this message.

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version        Date                Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (glite) compatibility (carcassi)
- Support for mapfile cache terminated; web service door only (carcassi)
- FQAN allows for '-', '_' and '.' in the vo, group, role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now gums host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Gridmapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
- Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use it (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3, both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)


Release 0.7 - 2005-01-14

Changes (by):
- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests to Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches with certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (by):
- Script to fetch user from VOMS (dtyu)
- Script to map user to local account (tomw)


1.1.1 What is GUMS

What is GUMS

What does GUMS do

Implementing Site Policies


The GUMS callout interface

GUMS and other tools

The development of GUMS


GUMS in the future


1.1.2 GUMS and Privilege

GUMS and the Privilege architecture

What does GUMS do

Specifying the mapping


GUMS client tools

Workflow


GUMS in the grid architecture


1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and need the command line.

The pieces


Root vs non-root

Firewall and security considerations

Prepare the database

[root@www gums-service]# cat var/sql/setupDatabase.mysql
CREATE DATABASE GUMS_1_1;
GRANT ALL ON GUMS_1_1.* TO USER@SERVER IDENTIFIED BY 'PASSWORD';
USE GUMS_1_1;
CREATE TABLE `USER` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `GROUP_NAME` VARCHAR(255) NOT NULL,
  `DN` varchar(255) NOT NULL,
  `FQAN` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));
CREATE TABLE `MAPPING` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `MAP` VARCHAR(255) NOT NULL,
  `DN` varchar(255) default NULL,
  `ACCOUNT` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

[root@www sbin]# cat var/sql/addAdmin.mysql
USE GUMS_1_1;
INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service


<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
           sslCAFiles="/etc/grid-security/certificates/*.0"
           crlFiles="/etc/grid-security/certificates/*.r0"
           sslCertFile="/etc/grid-security/hostcert.pem"
           sslKey="/etc/tomcat/hostkey.pem"
           log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
           clientAuth="true" sslProtocol="TLS" />


Installing the client tools


1.2 Installation


1.2.1 HOW TO: VDT installation

HOW TO: GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


1.2.2 HOW TO: Manual installation

HOW TO: GUMS Service quick-start installation

Preparing Java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz

[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Examples: setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), and create a gums user with password secret that is authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost
Usage: addAdmin [DN for administrator]
Example: addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd ../..
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums


<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
  generateGridMapfile    - Generate grid-mapfile for a given host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  updateGroups           - Contact VO servers and retrieve user lists
For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory />
  </persistenceFactories>
  <adminUserGroup />
  <groupMappings>
    <groupMapping>
      <userGroup />
      <accountMapping />
    </groupMapping>
    <groupMapping>
      <userGroup />
      <compositeAccountMapping>
        <accountMapping />
        <accountMapping />
        <accountMapping />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd, usatlasPool, ivdglPool" />

in the order specified

The first match will define the map.


<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="atlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="osgusatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"
      acceptProxiesWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>


in the order listed

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

Attributes (Attribute: Description. Examples):

name: The name that will be used by the other components to refer to this persistenceFactory. Examples: mysql, files, ldap

className: The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory. Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name="mysql"
    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
    hibernate.connection.username="gums"
    hibernate.connection.password="mysecret"
    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
    hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

Attributes (Attribute: Description. Examples):

name: The name that will be used by the other components to refer to this persistenceFactory. Examples: atlas, star, phenix

accountingVo: The lower case OSG accounting name that will be used to generate the inverse maps for this group. Examples: atlas, ivdgl

accountingDesc: The upper case OSG accounting name that will be used to generate the inverse maps for this group. Examples: ATLAS, iVDgL

userGroup

Attributes (Attribute: Description. Examples):

className: The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup. Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup


Attributes (Attribute: Description. Examples):

server: The LDAP server from which to retrieve the information. Examples: grid-vo.nikhef.nl

query: The query to be used on the server. Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory: The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section. Examples: mysql

name: The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself. Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
    server="grid-vo.nikhef.nl"
    query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
    persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

Attributes (Attribute: Description. Examples):

url: The URL of the web services for VOMS. Notice that it needs the full URL of the service; it won't be constructed from the server name or VO. Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup: The group defined within the VO. Examples: /atlas/test, /atlas/group/subgroup

voRole: The role defined within the VO. Examples: production, myrole

matchFQAN: Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
  • exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
  • group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
  • vo: the FQAN in the proxy has to be of the same VO
  • ignore: the FQAN in the proxy is completely ignored
  Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN: Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted. Examples: true, false

sslCertfile: The certificate to be used to connect to VOMS. Examples: /etc/grid-security/hostcert.pem

sslKey: The private key to be used to connect to VOMS. Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd: The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates). Examples: mysecret

sslCAFiles: The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files. Examples: /etc/grid-security/certificates/*.0

persistenceFactory: The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section. Examples: mysql

name: The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself. Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualGroup

Attributes (Attribute: Description. Examples):

persistenceFactory: The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section. Examples: mysql

name: The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself. Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


Attributes (Attribute: Description. Examples):

className: The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping. Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attributes (Attribute: Description. Examples):

jndiNisUrl: The URL, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain. Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attributes (Attribute: Description. Examples):

jndiLdapUrl: The URL, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain. Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper


Attributes (Attribute: Description. Examples):

persistenceFactory: The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section. Examples: mysql

name: The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself. Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attributes (Attribute: Description. Examples):

groupName: The name of the account. Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


Attributes (Attribute: Description. Examples):

className: The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup. Examples: gov.bnl.gums.CertificateHostGroup

groups: A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used. Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attributes (Attribute: Description. Examples):

wildcard: The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov. Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup


Attributes (Attribute: Description. Examples):

cn: The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov. Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn: The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.', '/' or '='. Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />
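The resolution order described above (first matching hostGroup, then its groups in order of preference, then the account mappers of a compositeAccountMapping in the order listed), together with the matchFQAN modes and the cn wildcard rule, is easy to get wrong when reading a real gums.config. The following Python model is an added illustration, not GUMS code: user groups are held as in-memory DN sets, account mappers are plain callables, and the sample configuration (the DN "Example User 99999", the hosts under mysite.com, the pool accounts) is constructed for the example.

```python
"""Added model of GUMS mapping resolution (illustration, not GUMS code).

Assumptions: groups are in-memory DN sets, mappers are callables, and '*' in a
CertificateHostGroup cn never spans '.', '/' or '=' (the rule in the table above)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


def cn_of(service_dn: str) -> str:
    """Return the CN component of a slash-separated DN."""
    for part in service_dn.split('/'):
        if part.startswith('CN='):
            return part[3:]
    raise ValueError('no CN in ' + service_dn)

def wildcard_regex(pattern: str):
    """'*' is any run of characters except '.', '/' or '='."""
    return re.compile('^' + '[^./=]*'.join(re.escape(p) for p in pattern.split('*')) + '$')

def parse_fqan(fqan: str):
    """'/atlas/usatlas/Role=production/Capability=NULL' -> ('/atlas/usatlas', 'production')."""
    group, role = [], None
    for part in fqan.strip('/').split('/'):
        if part.startswith('Role='):
            role = part[5:]
        elif not part.startswith('Capability='):
            group.append(part)
    return '/' + '/'.join(group), (None if role in (None, 'NULL') else role)

def fqan_matches(mode: str, vo_group: str, vo_role: Optional[str], fqan: str) -> bool:
    """The four matchFQAN modes of VOMSGroup."""
    if mode == 'ignore':
        return True
    group, role = parse_fqan(fqan)
    if mode == 'exact':
        return group == vo_group and role == vo_role
    if mode == 'group':                        # same group or any subgroup, role ignored
        return group == vo_group or group.startswith(vo_group + '/')
    if mode == 'vo':                           # same VO: same first path component
        return group.split('/')[1] == vo_group.split('/')[1]
    raise ValueError('unknown matchFQAN mode ' + mode)

@dataclass
class UserGroup:
    members: Set[str]                          # DNs listed by the VOMS, LDAP or manual group
    vo_group: Optional[str] = None             # set only for a VOMSGroup
    vo_role: Optional[str] = None
    match_fqan: str = 'exact'
    accept_without_fqan: bool = False          # acceptProxyWithoutFQAN

    def contains(self, dn: str, fqan: Optional[str]) -> bool:
        if dn not in self.members:
            return False
        if self.vo_group is None:              # manual/LDAP group: membership by DN alone
            return True
        if fqan is None:                       # plain, non-VOMS proxy
            return self.accept_without_fqan
        return fqan_matches(self.match_fqan, self.vo_group, self.vo_role, fqan)

Mapper = Callable[[str], Optional[str]]        # DN -> account, or None if it cannot map

@dataclass
class GroupMapping:
    name: str
    user_group: UserGroup
    mappers: List[Mapper]                      # several entries model compositeAccountMapping

@dataclass
class HostGroup:
    cn: str                                    # wildcard on the service certificate CN
    groups: List[str]                          # groupMapping names, in order of preference

def resolve(host_groups: List[HostGroup], mappings: List[GroupMapping],
            service_dn: str, user_dn: str, fqan: Optional[str] = None) -> Optional[str]:
    """First matching hostGroup, then its groups in order, then its mappers in order."""
    cn = cn_of(service_dn)
    by_name: Dict[str, GroupMapping] = {m.name: m for m in mappings}
    for hg in host_groups:
        if not wildcard_regex(hg.cn).match(cn):
            continue
        for gname in hg.groups:
            gm = by_name[gname]
            if not gm.user_group.contains(user_dn, fqan):
                continue
            for mapper in gm.mappers:
                account = mapper(user_dn)
                if account is not None:
                    return account
        return None                            # host matched, but no group or mapper applied
    return None                                # no hostGroup for this service

# Stand-ins for GroupAccountMapper, ManualAccountMapper and AccountPoolMapper.
def group_account(name: str) -> Mapper:
    return lambda dn: name

def manual_map(table: Dict[str, str]) -> Mapper:
    return table.get

def pool(state: Dict[str, str], free: List[str]) -> Mapper:
    def mapper(dn: str) -> Optional[str]:
        if dn not in state and free:           # a pool assignment is sticky once made
            state[dn] = free.pop(0)
        return state.get(dn)
    return mapper

# Constructed sample, shaped like the ATLAS configuration shown earlier.
GABRIELE = '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'   # DN used on the page
OTHER = '/DC=org/DC=doegrids/OU=People/CN=Example User 99999'           # constructed DN
POOL_STATE: Dict[str, str] = {}
MAPPINGS = [
    GroupMapping('atlasProd', UserGroup({GABRIELE}, '/atlas', 'production'), [group_account('usatprod')]),
    GroupMapping('usatlas', UserGroup({GABRIELE, OTHER}, '/atlas/usatlas', accept_without_fqan=True),
                 [manual_map({GABRIELE: 'carcassi'}), pool(POOL_STATE, ['grid0020', 'grid0021'])]),
]
HOST_GROUPS = [HostGroup('*.atlas.mysite.com', ['atlasProd', 'usatlas']),
               HostGroup('*.mysite.com', ['usatlas'])]
GK = '/DC=org/DC=doegrids/OU=Services/CN=gk.atlas.mysite.com'
```

With this configuration a production-role proxy presented to gk.atlas.mysite.com maps to usatprod, the same DN with a plain /atlas/usatlas FQAN falls through to the manual map, a member without any FQAN is accepted only by the group that sets acceptProxyWithoutFQAN and gets a sticky pool account, and the same production-role proxy presented to a host that only lists the usatlas group maps to nothing at all, because exact matching rejects it.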


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"
      matchFQAN="VO" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing an ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>


<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />


  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@testgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version
For help on any command: gums command --help

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
  -s, --service <arg>     DN of the service. When using gums-host it defaults to the host credential DN
  -f, --fqan <arg>        Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default
  -t, --timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b, --bypassCallout     connects directly to GUMS instead of using the callout
  -i, --issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n, --ntimes <arg>      number of times the request will be repeated
  --help                  print this message

Service mapping generation commands

gums mapUser

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
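Both files above are consumed by other software on the gatekeeper, so a site will usually want to check what GUMS generated before installing it: that the grid3-user-vo-map lists every account under a VO declared in the #voi line, with #voi and #VOc of equal length, and that no DN in the grid-mapfile is mapped onto a privileged local account. The following Python parser and checks are an added example, not GUMS code; the two sample files are constructed here from the formats shown above (the "Example Admin 00001" DN and its root mapping are invented to exercise the check).

```python
"""Added example (not GUMS code): parse and sanity-check GUMS-generated map files."""
import shlex
from typing import Dict, List, Tuple

# Constructed sample in the grid3-user-vo-map format shown above.
USER_VO_MAP = """\
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
"""

# Constructed sample in grid-mapfile format: a double-quoted DN, then the account(s).
GRID_MAPFILE = """\
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Example Admin 00001" usatlas1,root
"""

def parse_user_vo_map(text: str) -> Tuple[List[str], List[str], Dict[str, str]]:
    """Return (#voi names, #VOc names, {account: vo}); raise on a malformed line."""
    voi: List[str] = []
    voc: List[str] = []
    accounts: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith('#voi'):
            voi = line.split()[1:]
        elif line.startswith('#VOc'):
            voc = line.split()[1:]
        elif not line or line.startswith('#'):
            continue                                   # comments and section markers
        else:
            fields = line.split()
            if len(fields) != 2:
                raise ValueError(f'line {lineno}: expected "account VO", got {raw!r}')
            account, vo = fields
            if account in accounts:
                raise ValueError(f'line {lineno}: account {account} listed twice')
            accounts[account] = vo
    return voi, voc, accounts

def check_user_vo_map(text: str) -> List[str]:
    """List the consistency problems in a user-VO map (an empty list means clean)."""
    voi, voc, accounts = parse_user_vo_map(text)
    problems: List[str] = []
    if len(voi) != len(voc):
        problems.append(f'#voi has {len(voi)} names but #VOc has {len(voc)}')
    problems += [f'#voi name {vo!r} is not lower case' for vo in voi if vo != vo.lower()]
    problems += [f'account {a} maps to VO {vo!r}, which is not in #voi'
                 for a, vo in accounts.items() if vo not in voi]
    return problems

def parse_grid_mapfile(text: str) -> Dict[str, List[str]]:
    """Return {DN: [accounts]}; DNs are quoted because they contain spaces."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        fields = shlex.split(raw)                      # honours the double quotes around the DN
        if len(fields) != 2:
            raise ValueError(f'line {lineno}: expected "DN" account, got {raw!r}')
        mapping[fields[0]] = fields[1].split(',')      # several accounts may be comma-separated
    return mapping

def privileged_mappings(text: str, forbidden=('root',)) -> List[str]:
    """DNs that the grid-mapfile maps onto a local account that should never be a grid target."""
    return [dn for dn, accounts in parse_grid_mapfile(text).items()
            if any(a in forbidden for a in accounts)]
```

Running the checks on a freshly generated file before copying it into place (or on a cron schedule against the installed copy) turns a silent mapping mistake into a reported one; the forbidden-account list is a site choice and can be extended with any local service accounts.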

Manual groups and mappings managements commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
      persistenceFactory="mysql" name="myvo" voGroup="/myvo"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]# gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version
For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
  -s, --service <arg>     DN of the service. When using gums-host it defaults to the host credential DN
  -f, --fqan <arg>        Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default
  -t, --timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b, --bypassCallout     connects directly to GUMS instead of using the callout
  -i, --issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n, --ntimes <arg>      number of times the request will be repeated
  --help                  print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile


[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

(If you choose to print this, you might also want to print the code to which the online version of this article links.)

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

    GUMS encountered an error
    Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
    Error Message: Authorization denied

    $VDT_LOCATION/apache/logs:
    [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version | Date | Description
1.1.0 | 2005-07-20 |
1.0.1 | 2005-04-07 |
1.0.0 | 2005-03-16 |
0.7.1 | 2005-02-01 |
0.7 | 2005-01-14 |
0.6.1 | 2004-08-10 |
0.6 | 2004-07-01 |
0.5 | 2004-05-20 |
undetermined | before March 2004 |

Release 1.1.0 - 2005-07-20

Changes | By
Review GUMS maven structure (i.e. plug-in dependencies, project.xml) | carcassi
Fix tomcat deployment in build (i.e. dev server being down once in a while) | carcassi
Mapping according to Gecos field available in both NIS and LDAP | carcassi
One can filter on the full CN of a host certificate | carcassi
The Service Certificate DN is now the identifier for hosts and machines | carcassi
Release version in command line | carcassi
If gums.config isn't found the first time, a tomcat restart was needed | carcassi
Minor updates to the web interface | carcassi
VOMS Admin v1.0.x (glite) compatibility | carcassi
Support for mapfile cache terminated: web service door only | carcassi
FQAN allows for '-', '_' and '.' in the vo, group, role and capability | carcassi
DB reviewed: better indexing and transaction use | carcassi
Updating from VOMS is no longer blocking | carcassi

Release 1.0.1 - 2005-04-07

Changes | By
Including setupDatabase with the modification made for VDT | carcassi
gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) | carcassi
Error code from scripts was incorrect; that caused the cron job to update maps in case of error too | carcassi

Release 1.0.0 - 2005-03-16

Changes | By
Repackaging of the client components: merged admin and host and named it client | carcassi
Fixed minor issues with authorization obligations for storage system | mlorch
Double add to a manual group now fails | carcassi
Script that creates the database and changes the configuration accordingly | carcassi
Repackaging of the service component | carcassi
Server identity is now gums host name | carcassi
GUMS accepts new style proxies | carcassi
The accounts in the pool are used in alphabetical order | carcassi
Inverse map is now generated exploring all the DN/FQAN combinations | carcassi
Gridmapfile is generated simulating users with no FQAN | carcassi
LDAP integration for primary gid change at BNL once an account is assigned | carcassi

Release 0.7.1 - 2005-02-01

Changes | By
Log names reviewed so that both client and server can stay (through links) in the same directory | carcassi
NIS update is done every hour and is now thread safe | carcassi
Log file permissions for the command line tools are set so multiple users can use it (important for admin) | carcassi
GUMS host can now be used for stress testing and timing the server response | carcassi
Added connection pooling on mysql server | carcassi
Solved a race condition that would make GUMS hang in some circumstances | carcassi
AuthZ callout without GT3, both client and server stubs | mlorch
Added code for Privilege Project in GUMS repository and build process | carcassi

Release 0.7 - 2005-01-14

Changes | By
Better logging: server logs all commands with both input and output | carcassi
More complete command line interface | carcassi
Web service implementation | carcassi
HostWildcards can be more than one, comma separated | carcassi
Support for VOMS Fully Qualified Attribute names | carcassi
AuthZ service to be contacted by Globus callout | carcassi
Support for grid3-user-vo-map.txt generation | carcassi
Many many other refinements | carcassi

Release 0.6.1 - 2004-08-10

Changes | By
Nightly build and reporting with Maven | carcassi
Removed all the old code from 0.6 | carcassi
Better log system: logs for developer, resource admin and site admin in place | carcassi
Ability to retrieve groups from within a VOMS server (finally) | carcassi
No more duplication in the mapfiles | carcassi
Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated | carcassi
Improved error handling (i.e. a failed update on one group doesn't block the others) | carcassi
Installation through RPMs (cron jobs installed automatically) | carcassi
Unit tests to Grid3 VOs included | carcassi
LDAP access improved: can access LCG dev VO | carcassi

Release 0.6 - 2004-07-01

Changes | By
XML configuration file for mapping policy | carcassi
Log infrastructure | carcassi
More flexible architecture | carcassi
Decoupled grid-mapfile generation from database caching for distribution on gatekeeper | carcassi
Web interface to generate grid-mapfiles and map users | carcassi
Better command line interfaces (feel like Unix commands) | carcassi

Release 0.5 - 2004-05-20

Changes | By
GUMS in production at BNL | carcassi
NISMapper retrieves the GECOS field and matches with certificate CN | carcassi
Architecture to allow different types of mappings for different hosts | carcassi

Release undetermined - before March 2004

Changes | By
Script to fetch user from VOMS | dtyu
Script to map user to local account | tomw


The GUMS callout interface

GUMS and other tools

The development of GUMS


GUMS in the future


1.1.2 GUMS and Privilege

GUMS and the Privilege architecture

What does GUMS do

Specifying the mapping


GUMS client tools

Workflow


GUMS in the grid architecture


1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and only need the command lines.

The pieces


Root vs non-root

Firewall and security considerations

Prepare the database

    [root@www gums-service]# cat var/sql/setupDatabase.mysql
    CREATE DATABASE GUMS_1_1;
    GRANT ALL ON GUMS_1_1.* TO USER@SERVER IDENTIFIED BY 'PASSWORD';
    USE GUMS_1_1;
    CREATE TABLE `USER` (
      `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
      `GROUP_NAME` VARCHAR(255) NOT NULL,
      `DN` varchar(255) NOT NULL,
      `FQAN` varchar(255) default NULL
    ) TYPE=InnoDB;
    CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));
    CREATE TABLE `MAPPING` (
      `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
      `MAP` VARCHAR(255) NOT NULL,
      `DN` varchar(255) default NULL,
      `ACCOUNT` varchar(255) default NULL
    ) TYPE=InnoDB;
    CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

    [root@www sbin]# cat var/sql/addAdmin.mysql
    USE GUMS_1_1;
    INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service


    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" debug="0" scheme="https" secure="true"
        sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
        sslCAFiles="/etc/grid-security/certificates/*.0"
        crlFiles="/etc/grid-security/certificates/*.r0"
        sslCertFile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/tomcat/hostkey.pem"
        log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
        clientAuth="true" sslProtocol="TLS" />


Installing the client tools


1.2 Installation


1.2.1 HOW TO VDT installation

HOW TO GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


1.2.2 HOW TO Manual installation

HOW TO GUMS Service quick-start installation

Preparing java

    [root@gums root]# java -version
    java version "1.4.2_04"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
    Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

    [root@gums root]# cd /opt
    [root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/tomcat-5.0.28-egeesec.tar.gz
    [root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
    [root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" debug="0" scheme="https" secure="true"
        sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
        sslCAFiles="/etc/grid-security/certificates/*.0"
        crlFiles="/etc/grid-security/certificates/*.r0"
        sslCertFile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem"
        log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
        clientAuth="true" sslProtocol="TLS" />

    [root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

    [root@gums root]# cd /opt
    [root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/gums-service-SNAPSHOT.tar.gz
    [root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

    [root@gums opt]# cd gums-service/sbin
    [root@gums sbin]# ./setupDatabase
    Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

    Examples:
    setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password secret, authorized to connect from gums.mysite.com.

    [root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

    [root@gums sbin]# cat setupDatabase
    #!/bin/sh
    MYSQLPARAM=-p

    [root@gums sbin]# ./addAdmin
    Adds an admin in the GUMS database on localhost
    Usage: addAdmin [DN for administrator]

    Example:
    addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    [root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

    [root@gums sbin]# cd /opt
    [root@gums opt]# ln -s /opt/gums-service/var/war /opt/tomcat-5.0.28-egeesec/webapps/gums


    <env-entry>
      <env-entry-name>updateGroupsMinutes</env-entry-name>
      <env-entry-type>java.lang.Integer</env-entry-type>
      <env-entry-value>720</env-entry-value>
    </env-entry>

Installing the client

    [root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarchrpms/gums-client-SNAPSHOT.noarch.rpm
    [root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

    [root@gums root]# cd /opt/gums/bin
    [root@gums bin]# ./gums
    usage: gums command [command-options]
    Commands:
    generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
    generateGridMapfile - Generate grid-mapfile for a given host
    manualGroup-add - Includes a DN in a group
    manualGroup-remove - Removes a DN from a group
    manualMapping-add - Adds a DN-to-username in a mapping
    manualMapping-remove - Removes a DN from a mapping
    mapUser - Local credential used for a particular user
    mapfileCache-refresh - Regerates mapfiles in the cache
    updateGroups - Contact VO servers and retrieve user lists

    For help on any command: gums command --help

    [root@gums bin]# cat /etc/gums-client.properties
    gums.location=https://localhost:8443/gums/services/GUMSAdmin
    gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

    [root@gums bin]# vi /etc/gums-client.properties
    [root@gums bin]# cat /etc/gums-client.properties
    gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
    gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

    [root@gums bin]# su - username
    [username@gums bin]$ grid-proxy-init
    [username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO Upgrade from 1.0

HOW TO Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

    gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

    <gums>
      <persistenceFactories>
        <persistenceFactory />
      </persistenceFactories>
      <adminUserGroup />
      <groupMappings>
        <groupMapping>
          <userGroup />
          <accountMapping />
        </groupMapping>
        <groupMapping>
          <userGroup />
          <compositeAccountMapping>
            <accountMapping />
            <accountMapping />
            <accountMapping />
          </compositeAccountMapping>
        </groupMapping>
      </groupMappings>
      <hostGroups>
        <hostGroup />
      </hostGroups>
    </gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

    <hostGroups>
      <!-- RHIC gatekeepers -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" />
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" />
      <!-- ATLAS test gatekeeper -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />
      <!-- Rest of ATLAS gatekeepers -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
    </hostGroups>

in the order specified

    <hostGroup className="gov.bnl.gums.CertificateHostGroup"
        cn="mygk.usatlas.bnl.gov"
        groups="atlasProd,usatlasPool,ivdglPool" />

in the order specified

The first match will define the map.


    <groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="atlasProd"
          voGroup="/atlas" voRole="production"
          sslCertfile="/etc/grid-security/gumscert.pem"
          sslKey="/etc/grid-security/gumskey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>

    <groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="osgusatlas"
          voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/gumscert.pem"
          sslKey="/etc/grid-security/gumskey.pem"
          acceptProxiesWithoutFQAN="true" />
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper"
            persistenceFactory="mysql" name="bnlPool" />
        <accountMapping className="gov.bnl.gums.GroupAccountMapper"
            groupName="usatlas1" />
      </compositeAccountMapping>
    </groupMapping>


in the order listed

persistenceFactories

    <persistenceFactories>
      <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
    </persistenceFactories>

persistenceFactory

Attribute | Description | Examples
name | The name that will be used by the other components to refer to this persistenceFactory | mysql, files, ldap
className | The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory | gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

    <persistenceFactory name="mysql"
        className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
        hibernate.connection.username="gums"
        hibernate.connection.password="mysecret"
        hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
        hibernate.connection.driver_class="com.mysql.jdbc.Driver"
        hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
        hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

Attribute | Description | Examples
name | The name that will be used by the other components to refer to this groupMapping | atlas, star, phenix
accountingVo | The lower case OSG accounting name that will be used to generate the inverse maps for this group | atlas, ivdgl
accountingDesc | The upper case OSG accounting name that will be used to generate the inverse maps for this group | atlas, iVDgL

userGroup

Attribute | Description | Examples
className | The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup | gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup


Attribute | Description | Examples
server | The LDAP server from which to retrieve the information | grid-vo.nikhef.nl
query | The query to be used on the server | ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself | atlas, usatlas

    <userGroup className="gov.bnl.gums.LDAPGroup"
        server="grid-vo.nikhef.nl"
        query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
        persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

Attribute | Description | Examples
url | The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo | https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin
voGroup | The group defined within the VO | /atlas/test, /atlas/group/subgroup
voRole | The role defined within the VO | production, myrole
matchFQAN | Defines how the VOMS attribute (or role) is matched. There are 4 possible ways: | exact, group, vo, ignore
    • exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify
    • group - the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    • vo - the FQAN in the proxy has to be of the same vo
    • ignore - the FQAN in the proxy is completely ignored
acceptProxyWithoutFQAN | Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted | true, false
sslCertfile | The certificate to be used to connect to VOMS | /etc/grid-security/hostcert.pem
sslKey | The private key to be used to connect to VOMS | /etc/grid-security/hostkey.pem
sslKeyPasswd | The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates) | mysecret
sslCAFiles | The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files | /etc/grid-security/certificates/*.0
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself | atlasTest, atlasGroupSubgroup

    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualGroup

Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself | test, testbedA, admins

    <userGroup className="gov.bnl.gums.ManualUserGroup"
        persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


Attribute | Description | Examples
className | The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping | gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attribute | Description | Examples
jndiNisUrl | The url, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain | nis://nis.bnl.gov/atlas

    <accountMapping className="gov.bnl.gums.GecosNisAccountMapper"
        jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attribute | Description | Examples
jndiLdapUrl | The url, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain | ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

    <accountMapping className="gov.bnl.gums.GecosLdapAccountMapper"
        jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper


Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself | mysitePool, osgPool

    <accountMapping className="gov.bnl.gums.AccountPoolMapper"
        persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attribute | Description | Examples
groupName | The name of the account | atlas, testAccount

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


Attribute | Description | Examples
className | The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup | gov.bnl.gums.CertificateHostGroup
groups | A list of groupMappings, in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used | group1,group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute | Description | Examples
wildcard | The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov | myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org

    <hostGroup className="gov.bnl.gums.WildcardHostGroup"
        wildcard="*.usatlas.bnl.gov"
        groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

gov.bnl.gums.CertificateHostGroup


Attribute | Description | Examples
cn | The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov | myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org
dn | The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.', '/' or '=' | /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

    <hostGroup className="gov.bnl.gums.CertificateHostGroup"
        cn="*.usatlas.bnl.gov"
        groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />
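The matching rules spread over the VOMSGroup table (the four matchFQAN modes and acceptProxyWithoutFQAN) and the hostGroup tables (cn wildcard, groups tried in order, first match wins), put together in one added Python model. This is an illustration written for this page, not GUMS code: group memberships, the site layout and the pool bookkeeping (a simple DN to account table kept in a dict) are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added illustration of the GUMS matching rules; not GUMS code. Membership
# sets, host names and pool bookkeeping below are constructed sample data.

def parse_fqan(fqan: str):
    """Split a VOMS FQAN such as '/atlas/usatlas/Role=production/Capability=NULL'
    into (group, role); 'Role=NULL' and the Capability part are dropped."""
    group_parts, role = [], None
    for part in filter(None, fqan.split("/")):
        if part.startswith("Role="):
            role = None if part == "Role=NULL" else part[len("Role="):]
        elif not part.startswith("Capability="):
            group_parts.append(part)
    return "/" + "/".join(group_parts), role

def fqan_matches(mode: str, vo_group: str, vo_role: Optional[str], fqan: str) -> bool:
    """The four matchFQAN modes of VOMSGroup: exact, group, vo, ignore."""
    if mode == "ignore":
        return True
    group, role = parse_fqan(fqan)
    if mode == "exact":
        return group == vo_group and role == vo_role
    if mode == "group":          # same group or any subgroup, role ignored
        return group == vo_group or group.startswith(vo_group.rstrip("/") + "/")
    if mode == "vo":             # only the VO (first path element) has to agree
        return group.split("/")[1] == vo_group.split("/")[1]
    raise ValueError("unknown matchFQAN mode: " + mode)

def cn_matches(pattern: str, service_cn: str) -> bool:
    """CertificateHostGroup cn wildcard: '*' stands for any characters except
    '.', '/' and '=', so '*.bnl.gov' does not match 'myhost.usatlas.bnl.gov'."""
    regex = "".join("[^./=]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, service_cn) is not None

@dataclass
class GroupMapping:
    name: str
    members: frozenset                 # DNs the VOMS/LDAP/manual group returned
    vo_group: str = "/"
    vo_role: Optional[str] = None
    match_fqan: str = "exact"
    accept_without_fqan: bool = False
    account: Optional[str] = None      # GroupAccountMapper: one shared account
    pool: tuple = ()                   # AccountPoolMapper: accounts to hand out

@dataclass
class HostGroup:
    cn: str
    groups: tuple                      # groupMapping names, in order of preference

def in_group(gm: GroupMapping, dn: str, fqan: Optional[str]) -> bool:
    if dn not in gm.members:
        return False
    if fqan is None:                   # plain (non-VOMS) proxy
        return gm.accept_without_fqan
    return fqan_matches(gm.match_fqan, gm.vo_group, gm.vo_role, fqan)

def map_user(host_groups, mappings, pool_state, service_cn, dn, fqan=None):
    """The first hostGroup whose cn matches, then the first of its groups the
    user belongs to, decides the local account. pool_state is the persisted
    DN -> pool account table; it is updated when a pool account is handed out."""
    host = next((h for h in host_groups if cn_matches(h.cn, service_cn)), None)
    if host is None:
        return None
    for name in host.groups:
        gm = mappings[name]
        if not in_group(gm, dn, fqan):
            continue
        if gm.account is not None:
            return gm.account
        if dn not in pool_state:       # pool accounts are used in alphabetical order
            free = sorted(set(gm.pool) - set(pool_state.values()))
            if not free:
                return None
            pool_state[dn] = free[0]
        return pool_state[dn]
    return None

def example_site():
    """Constructed site in the spirit of the 'Mapping based on groups/roles' and
    'Using account pools' examples: the production role is tried before the VO."""
    alice = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 11111"
    bob = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 22222"
    mappings = {
        "usatlasProd": GroupMapping("usatlasProd", frozenset({alice}), "/atlas",
                                    "production", account="usatprod"),
        "usatlas": GroupMapping("usatlas", frozenset({alice, bob}), "/atlas/usatlas",
                                match_fqan="vo", accept_without_fqan=True, account="usatlas1"),
        "usatlasPool": GroupMapping("usatlasPool", frozenset({alice, bob}), "/atlas/usatlas",
                                    pool=("grid0001", "grid0000")),
    }
    host_groups = (HostGroup("*.mysite.com", ("usatlasProd", "usatlas")),
                   HostGroup("pool/*.mysite.com", ("usatlasPool",)))
    return host_groups, mappings, alice, bob
```

Running map_user for the same DN with a production FQAN, a plain usatlas FQAN and no FQAN at all shows how the order of the groups attribute, not the order in which the user joined the groups, picks the account.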


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem"
          matchFQAN="VO" acceptProxyWithoutFQAN="true" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing an ad-hoc list of people

    <groupMapping name="testers">
      <userGroup className="gov.bnl.gums.ManualUserGroup"
          persistenceFactory="mysql" name="testers" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.AccountPoolMapper"
          persistenceFactory="mysql" name="bnlPool" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

    > bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem" />
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper"
            persistenceFactory="mysql" name="bnlMap" />
        <accountMapping className="gov.bnl.gums.AccountPoolMapper"
            persistenceFactory="mysql" name="bnlPool" />
      </compositeAccountMapping>
    </groupMapping>

Mapping based on groups/roles

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>

    <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlasProd"
          voGroup="/atlas" voRole="production"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas" />


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
  -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
  -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init (no extended information by default)
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b,--bypassCallout    connects directly to GUMS instead of using the callout
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n,--ntimes <arg>     number of times the request will be repeated
     --help             print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
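As an added example (not part of the GUMS documentation or its code), the following Python checker parses the two files generated above, the grid-mapfile (quoted DN, local account) and grid3-user-vo-map.txt (account, VO, with the #voi/#VOc header lines), and reports accounts granted in the mapfile that the inverse map does not attribute to any VO. The sample files are constructed, and the consistency policy is the example's own assumption rather than something the GUMS tools do.

```python
"""Cross-check a grid-mapfile against grid3-user-vo-map.txt (added example, not GUMS code)."""
import shlex

# Constructed sample in the layout of gums generateGridMapfile (not real DNs).
GRID_MAPFILE = """#---- members of vo: usatlas ----
"/DC=org/DC=doegrids/OU=People/CN=Alice Example 111" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Bob Example 222" usatlas1
#---- members of vo: ivdgl ----
"/DC=org/DC=doegrids/OU=People/CN=Carol Example 333" ivdgl
"/DC=org/DC=doegrids/OU=People/CN=Dan Example 444" orphan
"""

# Constructed sample in the layout of gums generateGrid3UserVoMap.
USER_VO_MAP = """#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
"""


def parse_grid_mapfile(text):
    """Return {dn: account}. DNs are double-quoted because they contain spaces."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, account = shlex.split(line)  # honours the quoting of the DN
        mapping[dn] = account
    return mapping


def parse_user_vo_map(text):
    """Return ({account: vo}, [(voi, VOc), ...]); the #voi and #VOc lines must pair up."""
    accounts, voi, voc = {}, [], []
    for line in text.splitlines():
        if line.startswith("#voi "):
            voi = line.split()[1:]
        elif line.startswith("#VOc "):
            voc = line.split()[1:]
        elif not line.strip() or line.startswith("#"):
            continue
        else:
            account, vo = line.split()
            accounts[account] = vo
    if len(voi) != len(voc):
        raise ValueError("#voi and #VOc list a different number of VOs")
    unknown = sorted(set(accounts.values()) - set(voi))
    if unknown:
        raise ValueError("accounts refer to VOs missing from #voi: " + ", ".join(unknown))
    return accounts, list(zip(voi, voc))


def accounts_without_vo(mapfile_text, vo_map_text):
    """Accounts granted in the grid-mapfile that the inverse map cannot attribute to a VO."""
    mapping = parse_grid_mapfile(mapfile_text)
    accounts, _ = parse_user_vo_map(vo_map_text)
    return sorted({acct for acct in mapping.values() if acct not in accounts})
```

Such an unattributed account ("orphan" in the sample) is worth flagging because jobs running under it cannot be charged to a VO in the accounting records.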

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
        persistenceFactory="mysql" name="myvo"
        voGroup="/myvo"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem"/>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1"/>
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
  -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
  -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init (no extended information by default)
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b,--bypassCallout    connects directly to GUMS instead of using the callout
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n,--ntimes <arg>     number of times the request will be repeated
     --help             print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>

Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error.
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

| Version | Date | Description |
|---|---|---|
| 1.1.0 | 2005-07-20 | |
| 1.0.1 | 2005-04-07 | |
| 1.0.0 | 2005-03-16 | |
| 0.7.1 | 2005-02-01 | |
| 0.7 | 2005-01-14 | |
| 0.6.1 | 2004-08-10 | |
| 0.6 | 2004-07-01 | |
| 0.5 | 2004-05-20 | |
| undetermined | before March 2004 | |

Release 1.1.0 - 2005-07-20

| Changes | By |
|---|---|
| Review GUMS maven structure (i.e. plug-in dependencies, project.xml) | carcassi |
| Fix tomcat deployment in build (i.e. dev server being down once in a while) | carcassi |
| Mapping according to Gecos field available in both NIS and LDAP | carcassi |
| One can filter on the full CN of a host certificate | carcassi |
| The Service Certificate DN is now the identifier for hosts and machines | carcassi |
| Release version in command line | carcassi |
| If gums.config isn't found the first time, a tomcat restart was needed | carcassi |
| Minor updates to the web interface | carcassi |
| VOMS Admin v1.0.x (glite) compatibility | carcassi |
| Support for mapfile cache terminated: web service door only | carcassi |
| FQAN allows for '-', '_' and '.' in the VO, group, role and capability | carcassi |
| DB reviewed: better indexing and transaction use | carcassi |
| Updating from VOMS is no longer blocking | carcassi |

Release 1.0.1 - 2005-04-07

| Changes | By |
|---|---|
| Including setupDatabase with the modification made for VDT | carcassi |
| gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) | carcassi |
| Error code from scripts was incorrect: that caused the cron job to update maps in case of error too | carcassi |

Release 1.0.0 - 2005-03-16

| Changes | By |
|---|---|
| Repackaging of the client components: merged admin and host and named it client | carcassi |
| Fixed minor issues with authorization obligations for storage system | mlorch |
| Double add to a manual group now fails | carcassi |
| Script that creates the database and changes the configuration accordingly | carcassi |
| Repackaging of the service component | carcassi |
| Server identity is now gums host name | carcassi |
| GUMS accepts new style proxies | carcassi |
| The accounts in the pool are used in alphabetical order | carcassi |
| Inverse map is now generated exploring all the DN/FQAN combinations | carcassi |
| Gridmapfile is generated simulating users with no FQAN | carcassi |
| LDAP integration for primary gid change at BNL once an account is assigned | carcassi |

Release 0.7.1 - 2005-02-01

| Changes | By |
|---|---|
| Log names review so that both client and server can stay (through links) in the same directory | carcassi |
| NIS update is done every hour and is now thread safe | carcassi |
| Log file permissions for the command line tools are set so multiple users can use it (important for admin) | carcassi |
| GUMS host can now be used for stress testing and timing the server response | carcassi |
| Added connection pooling on mysql server | carcassi |
| Solved a race condition that would make GUMS hang in some circumstances | carcassi |
| AuthZ callout without GT3, both client and server stubs | mlorch |
| Added code for Privilege Project in GUMS repository and build process | carcassi |

Release 0.7 - 2005-01-14

| Changes | By |
|---|---|
| Better logging: server logs all commands with both input and output | carcassi |
| More complete command line interface | carcassi |
| Web service implementation | carcassi |
| HostWildcards can be more than one, comma separated | carcassi |
| Support for VOMS Fully Qualified Attribute names | carcassi |
| AuthZ service to be contacted by Globus callout | carcassi |
| Support for grid3-user-vo-map.txt generation | carcassi |
| Many many other refinements | carcassi |

Release 0.6.1 - 2004-08-10

| Changes | By |
|---|---|
| Nightly build and reporting with Maven | carcassi |
| Removed all the old code from 0.6 | carcassi |
| Better log system: logs for developer, resource admin and site admin in place | carcassi |
| Ability to retrieve groups from within a VOMS server (finally) | carcassi |
| No more duplication in the mapfiles | carcassi |
| Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated | carcassi |
| Improved error handling (i.e. a failed update on one group doesn't block the others) | carcassi |
| Installation through RPMs (cron jobs installed automatically) | carcassi |
| Unit tests to Grid3 VOs included | carcassi |
| LDAP access improved: can access LCG dev VO | carcassi |

Release 0.6 - 2004-07-01

| Changes | By |
|---|---|
| XML configuration file for mapping policy | carcassi |
| Log infrastructure | carcassi |
| More flexible architecture | carcassi |
| Decoupled grid-mapfile generation from database caching for distribution on gatekeeper | carcassi |
| Web interface to generate grid-mapfiles and map users | carcassi |
| Better command line interfaces (feel like Unix commands) | carcassi |

Release 0.5 - 2004-05-20

| Changes | By |
|---|---|
| GUMS in production at BNL | carcassi |
| NISMapper: retrieves the GECOS field and matches with certificate CN | carcassi |
| Architecture to allow different types of mappings for different hosts | carcassi |

Release undetermined - before March 2004

| Changes | By |
|---|---|
| Script to fetch user from VOMS | dtyu |
| Script to map user to local account | tomw |


GUMS in the future


1.1.2 GUMS and Privilege

GUMS and the Privilege architecture

What does GUMS do

Specifying the mapping


GUMS client tools

Workflow


GUMS in the grid architecture


1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and need the command line.

The pieces

Root vs non-root

Firewall and security considerations

Prepare the database

[root@www gums-service]# cat var/sql/setupDatabase.mysql
CREATE DATABASE GUMS_1_1;
GRANT ALL ON GUMS_1_1.* TO 'USER'@'SERVER' IDENTIFIED BY 'PASSWORD';
USE GUMS_1_1;
CREATE TABLE `USER` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `GROUP_NAME` VARCHAR(255) NOT NULL,
  `DN` varchar(255) NOT NULL,
  `FQAN` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));
CREATE TABLE `MAPPING` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `MAP` VARCHAR(255) NOT NULL,
  `DN` varchar(255) default NULL,
  `ACCOUNT` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

[root@www sbin]# cat var/sql/addAdmin.mysql
USE GUMS_1_1;
INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/tomcat/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS"/>


Installing the client tools


1.2 Installation


1.2.1 HOW TO: VDT installation

HOW TO: GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


1.2.2 HOW TO: Manual installation

HOW TO: GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS"/>

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz
[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]
Examples:
  setupDatabase gums gums.mysite.com secret
This will make mysql authenticate as root with a password (-p), create a gums user with password secret authorized to connect from gums.mysite.com

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM="-p"

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost.
Usage: addAdmin [DN for administrator]
Example:
  addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd /opt
[root@gums opt]# ln -s /opt/gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums

<env-entry>
    <env-entry-name>updateGroupsMinutes</env-entry-name>
    <env-entry-type>java.lang.Integer</env-entry-type>
    <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarchrpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
  generateGridMapfile    - Generate grid-mapfile for a given host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  updateGroups           - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences

Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory ... />
  </persistenceFactories>
  <adminUserGroup ... />
  <groupMappings>
    <groupMapping ...>
      <userGroup ... />
      <accountMapping ... />
    </groupMapping>
    <groupMapping ...>
      <userGroup ... />
      <compositeAccountMapping>
        <accountMapping ... />
        <accountMapping ... />
        <accountMapping ... />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup ... />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories

groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov"/>
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov"/>
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov"/>
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"/>
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
    cn="mygk.usatlas.bnl.gov"
    groups="atlasProd, usatlasPool, ivdglPool"/>

in the order specified

The first match will define the map.

<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="atlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/gumscert.pem"
      sslKey="/etc/grid-security/gumskey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="osgusatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/gumscert.pem"
      sslKey="/etc/grid-security/gumskey.pem"
      acceptProxiesWithoutFQAN="true"/>
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper"
        persistenceFactory="mysql" name="bnlPool"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper"
        groupName="usatlas1"/>
  </compositeAccountMapping>
</groupMapping>

in the order listed
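As an added example (not GUMS code, nor configuration from this documentation), the Python model below walks a constructed gums.config the way the text above describes: hostGroups in the order specified, each host group's groups in the order specified, a compositeAccountMapping in the order listed, and the first match defines the map. VOMSGroup membership, the ManualAccountMapper table and the AccountPoolMapper pool are simulated by an in-memory store standing in for the mysql persistence factory (an assumption), matchFQAN follows the exact/group/vo/ignore rules from the gov.bnl.gums.VOMSGroup attribute table, and "first match" is read literally (also an assumption): a matching group that yields no account ends the search.

```python
"""Model of GUMS 1.1 first-match mapping resolution (added example, not GUMS code)."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed gums.config fragment in the layout documented above (not the
# documentation's own file). The persistence factory "mem" is simulated by STORE.
CONFIG = """<gums>
  <groupMappings>
    <groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup" persistenceFactory="mem"
                 name="atlasProd" voGroup="/atlas" voRole="production"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
    </groupMapping>
    <groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup" persistenceFactory="mem" name="usatlas"
                 voGroup="/atlas/usatlas" matchFQAN="group" acceptProxyWithoutFQAN="true"/>
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mem" name="bnlMap"/>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mem" name="bnlPool"/>
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd, usatlasPool"/>
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="usatlasPool"/>
  </hostGroups>
</gums>"""

# Constructed identities (not real DNs).
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 111"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 222"
CAROL = "/DC=org/DC=doegrids/OU=People/CN=Carol Example 333"

# Stand-in for the MySQL persistence layer: cached VOMS group members (what
# updateGroups fills), the manual DN-to-account map, and one account pool.
STORE = {
    "groups": {"atlasProd": {ALICE}, "usatlas": {ALICE, BOB, CAROL}},
    "maps": {"bnlMap": {BOB: "bob"}},
    "pools": {"bnlPool": {"free": ["grid0020"], "assigned": {}}},
}


def parse_fqan(fqan):
    """Split '/atlas/usatlas/Role=production' into (group, role); Role=NULL is no role."""
    group, _, rest = fqan.partition("/Role=")
    role = rest.split("/")[0] if rest else None
    return group, (None if role in (None, "NULL") else role)


def user_group_accepts(ug, user_dn, fqan):
    """VOMSGroup membership plus the matchFQAN and acceptProxyWithoutFQAN rules."""
    if user_dn not in STORE["groups"][ug.get("name")]:
        return False
    if fqan is None:  # plain grid proxy, no VOMS attribute certificate
        return ug.get("acceptProxyWithoutFQAN", "false") == "true"
    mode = ug.get("matchFQAN", "exact")
    group, role = parse_fqan(fqan)
    vo_group, vo_role = ug.get("voGroup"), ug.get("voRole")
    if mode == "ignore":
        return True
    if mode == "vo":  # same VO; group and role ignored
        return group.split("/")[1] == vo_group.split("/")[1]
    if mode == "group":  # same group or any subgroup; role ignored
        return group == vo_group or group.startswith(vo_group + "/")
    return group == vo_group and role == vo_role  # exact (the default)


def apply_account_mapping(am, user_dn):
    """Local account produced by one accountMapping element, or None if it has none."""
    kind = am.get("className").rsplit(".", 1)[-1]
    if kind == "GroupAccountMapper":
        return am.get("groupName")
    if kind == "ManualAccountMapper":
        return STORE["maps"][am.get("name")].get(user_dn)
    if kind == "AccountPoolMapper":
        pool = STORE["pools"][am.get("name")]
        if user_dn not in pool["assigned"]:
            if not pool["free"]:
                return None  # pool exhausted: this user gets no account
            pool["assigned"][user_dn] = pool["free"].pop(0)  # sticky assignment
        return pool["assigned"][user_dn]
    raise ValueError("unsupported account mapper: " + kind)


def map_user(config_xml, host_cn, user_dn, fqan=None):
    """First match at every level: the first hostGroup whose cn matches the service
    certificate picks the groups, the first group the user is in defines the map."""
    root = ET.fromstring(config_xml)
    mappings = {gm.get("name"): gm for gm in root.iter("groupMapping")}
    for hg in root.iter("hostGroup"):
        if not fnmatch.fnmatchcase(host_cn, hg.get("cn")):
            continue
        for name in (g.strip() for g in hg.get("groups").split(",")):
            gm = mappings[name]
            if not user_group_accepts(gm.find("userGroup"), user_dn, fqan):
                continue
            composite = gm.find("compositeAccountMapping")
            mappers = (composite if composite is not None else gm).findall("accountMapping")
            for am in mappers:  # composite mappings are tried in the order listed
                account = apply_account_mapping(am, user_dn)
                if account is not None:
                    return account
            return None  # the matching group had no account to give
        return None  # host matched, but the user is in none of its groups
    return None  # the host matches no hostGroup
```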

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory"/>
</persistenceFactories>

persistenceFactory

| Attribute | Description | Examples |
|---|---|---|
| name | The name that will be used by the other components to refer to this persistenceFactory | mysql, files, ldap |
| className | The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory | gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory |

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name="mysql"
    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
    hibernate.conn
ection.username="gums"
    hibernate.connection.password="mysecret"
    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
    hibernate.connection.pool_size="3"/>

adminUserGroup

groupMappings

groupMapping

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

atlasstarphenix

accountingVo The lower case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasivdgl

accountingDesc The upper case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasiVDgL

userGroup

Attribute Description Examples

className The class that is going to provide theimplementation for the user group It mustimplement govbnlgumsUserGroup

govbnlgumsLDAPGroupgovbnlgumsVOMSGroupgovbnlgumsManualGroup

govbnlgumsLDAPGroup

1 3 1 1 G U M S C O N F I G 31

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute   Description   Examples

server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl

query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
    server="grid-vo.nikhef.nl"
    query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
    persistanceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

Attribute   Description   Examples

url
    The URL of the web services for VOMS. Notice that it needs the full URL of the service; it won't be constructed from the server name or VO.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole

matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    • exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
    • group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    • vo: the FQAN in the proxy has to be of the same VO
    • ignore: the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy whose DN is part of the group will be accepted.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistanceFactory="mysql" name="atlas"
    voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
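As an added illustration (Python written for this page, not GUMS code), the following mirrors how the four matchFQAN modes and acceptProxyWithoutFQAN described above decide whether a proxy's FQAN fits a VOMSGroup. The class and function names are hypothetical, and whether the DN is in the cached VO member list is passed in as a flag because that lookup is outside the snippet.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_fqan(fqan: str) -> Tuple[str, Optional[str]]:
    """Split a VOMS FQAN such as '/atlas/usatlas/Role=production/Capability=NULL'
    into its group path ('/atlas/usatlas') and role ('production').
    An absent role or 'Role=NULL' is returned as None; Capability is ignored."""
    group_parts = []
    role = None
    for part in fqan.strip("/").split("/"):
        if part.startswith("Role="):
            value = part[len("Role="):]
            role = None if value == "NULL" else value
        elif part.startswith("Capability="):
            continue
        elif part:
            group_parts.append(part)
    return "/" + "/".join(group_parts), role


def vo_of(group_path: str) -> str:
    """The VO is the first component of the group path: '/atlas/usatlas' -> 'atlas'."""
    return group_path.strip("/").split("/")[0]


@dataclass
class VOMSGroupMatcher:
    """Hypothetical stand-in for the voGroup / voRole / matchFQAN /
    acceptProxyWithoutFQAN attributes of a VOMSGroup userGroup element."""
    vo_group: str
    vo_role: Optional[str] = None
    match_fqan: str = "exact"
    accept_proxy_without_fqan: bool = False

    def matches(self, dn_in_group: bool, fqan: Optional[str]) -> bool:
        # The DN must be in the member list cached from VOMS; a DN that is
        # not in the group never matches, whatever FQAN the proxy carries.
        if not dn_in_group:
            return False
        if fqan is None:
            # A plain (non-VOMS) proxy carries no FQAN at all.
            return self.accept_proxy_without_fqan
        group, role = parse_fqan(fqan)
        wanted = self.vo_group.rstrip("/")
        if self.match_fqan == "ignore":
            return True
        if self.match_fqan == "vo":
            return vo_of(group) == vo_of(wanted)
        if self.match_fqan == "group":
            # same group or any subgroup; the role is ignored
            return group == wanted or group.startswith(wanted + "/")
        if self.match_fqan == "exact":
            return group == wanted and role == self.vo_role
        raise ValueError("unknown matchFQAN mode: " + self.match_fqan)
```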

gov.bnl.gums.ManualGroup

Attribute   Description   Examples

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup"
    persistanceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping

Attribute   Description   Examples

className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attribute   Description   Examples

jndiNisUrl
    The URL, as defined in the Java JNDI driver, that allows one to specify the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper"
    jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attribute   Description   Examples

jndiLdapUrl
    The URL, as defined in the Java JNDI driver, that allows one to specify the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper"
    jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper

Attribute   Description   Examples

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper"
    persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attribute   Description   Examples

groupName
    The name of the account.
    Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper"
    groupName="atlas" />

hostGroups

hostGroup

Attribute   Description   Examples

className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute   Description   Examples

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup"
    wildcard="*.usatlas.bnl.gov"
    groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

gov.bnl.gums.CertificateHostGroup

Attribute   Description   Examples

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.', '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
    cn="*.usatlas.bnl.gov"
    groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />
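Added example (Python written for this page, not GUMS code) of the wildcard semantics described for WildcardHostGroup and CertificateHostGroup, and of the first-match rule for the groups attribute. The host group entries and service DNs are constructed, and the helper names are hypothetical.

```python
import re
from typing import Dict, List, Optional, Sequence


def wildcard_to_regex(pattern: str, excluded: str = "./="):
    """Compile a GUMS-style wildcard: '*' stands for any run of characters
    except those in `excluded`; everything else matches literally.
    CertificateHostGroup excludes '.', '/' and '='; the deprecated
    WildcardHostGroup excludes only '.' (pass excluded=".")."""
    star = "[^" + re.escape(excluded) + "]*"
    body = star.join(re.escape(piece) for piece in pattern.split("*"))
    return re.compile("^" + body + "$")


def wildcard_matches(pattern: str, value: str, excluded: str = "./=") -> bool:
    return wildcard_to_regex(pattern, excluded).match(value) is not None


def cn_from_dn(service_dn: str) -> Optional[str]:
    """CN of a service certificate DN in the '/DC=org/.../CN=host/gk.mysite.com'
    form. The CN value itself may contain '/', so take all text after 'CN='."""
    marker = "/CN="
    idx = service_dn.find(marker)
    return None if idx < 0 else service_dn[idx + len(marker):]


def host_group_for(service_dn: str, host_groups: Sequence[dict]) -> Optional[List[str]]:
    """Return the ordered `groups` list of the first hostGroup whose cn (or dn)
    wildcard matches the calling service's certificate DN, or None."""
    cn = cn_from_dn(service_dn)
    for hg in host_groups:
        if "cn" in hg and cn is not None and wildcard_matches(hg["cn"], cn):
            return hg["groups"]
        if "dn" in hg and wildcard_matches(hg["dn"], service_dn):
            return hg["groups"]
    return None


def choose_group_mapping(groups: Sequence[str], memberships: Dict[str, bool]) -> Optional[str]:
    """GUMS walks the hostGroup's `groups` list in order and uses the first
    groupMapping the user belongs to, even if later ones would match too."""
    for name in groups:
        if memberships.get(name, False):
            return name
    return None


# Constructed host groups modelled on the examples in this section.
HOST_GROUPS = [
    {"cn": "*.usatlas.bnl.gov",
     "groups": ["gridex", "sdss", "uscms", "usatlasGroup", "btev", "ligo", "ivdgl"]},
    {"dn": "/DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com",
     "groups": ["testers"]},
]
```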

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem"
        matchFQAN="VO" acceptProxyWithoutFQAN="true" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper"
        groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
    cn="*.mysite.com" groups="usatlas" />

Allowing an ad-hoc list of people

<groupMapping name="testers">
    <userGroup className="gov.bnl.gums.ManualUserGroup"
        persistenceFactory="mysql" name="testers" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper"
        groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
    cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper"
        persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
    cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper"
            persistenceFactory="mysql" name="bnlMap" />
        <accountMapping className="gov.bnl.gums.AccountPoolMapper"
            persistenceFactory="mysql" name="bnlPool" />
    </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper"
        groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlasProd"
        voGroup="/atlas" voRole="production"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper"
        groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
    cn="*.mysite.com" groups="usatlasProd,usatlas" />

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]...
Maps the grid identity to the local user.
Options:
  -s,--service <arg>   DN of the service. When using gums-host it defaults to the host credential DN.
  -f,--fqan <arg>      Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default.
  -t,--timing <arg>    enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
  -b,--bypassCallout   connects directly to GUMS instead of using the callout.
  -i,--issuer <arg>    Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
  -n,--ntimes <arg>    number of times the request will be repeated.
     --help            print this message.

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line
#line: account VO
#Next 2 lines with VO names, same order, all lowercase/with case (lines starting with #voi/#VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
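Added example (Python written for this page, not part of GUMS or of this document) that parses the grid3-user-vo-map.txt format shown above and flags inconsistencies a site administrator would want to catch before installing a generated file. The sample text is constructed in that format and the function names are hypothetical.

```python
from typing import Dict, List, Tuple

# Constructed sample in the layout bin/gums generateGrid3UserVoMap prints.
SAMPLE_MAP = """#User-VO map
# #comment line, format of each regular line
#line: account VO
#Next 2 lines with VO names, same order, all lowercase/with case (lines starting with #voi/#VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
"""


def parse_user_vo_map(text: str) -> Tuple[List[str], List[str], Dict[str, str]]:
    """Return (voi list, VOc list, {account: vo}) from a grid3-user-vo-map.txt.
    Regular lines are 'account VO'; the '#voi' and '#VOc' lines carry the
    lower-case and cased VO name lists; every other '#' line is a comment."""
    voi: List[str] = []
    voc: List[str] = []
    accounts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#voi"):
            voi = line.split()[1:]
        elif line.startswith("#VOc"):
            voc = line.split()[1:]
        elif line.startswith("#"):
            continue
        else:
            fields = line.split()
            if len(fields) != 2:
                raise ValueError("malformed line: " + raw)
            account, vo = fields
            # One account must not be attributed to two different VOs.
            if account in accounts and accounts[account] != vo:
                raise ValueError("account %s mapped to both %s and %s"
                                 % (account, accounts[account], vo))
            accounts[account] = vo
    return voi, voc, accounts


def check_user_vo_map(text: str) -> List[str]:
    """Consistency findings, empty when the file is sound:
    - #voi and #VOc must list the same number of VOs (they are paired by
      position, e.g. 'usatlas' with 'ATLAS');
    - every VO an account is mapped to must appear in #voi, otherwise
      accounting for that account has no VO to be attributed to."""
    problems: List[str] = []
    voi, voc, accounts = parse_user_vo_map(text)
    if len(voi) != len(voc):
        problems.append("voi/VOc length mismatch: %d vs %d" % (len(voi), len(voc)))
    for account, vo in sorted(accounts.items()):
        if vo not in voi:
            problems.append("account %s mapped to VO %s missing from #voi" % (account, vo))
    return problems
```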

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.ManualUserGroup"
        persistenceFactory="mysql" name="group1" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper"
        groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
        persistenceFactory="mysql" name="myvo"
        voGroup="/myvo"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.ManualAccountMapper"
        persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]...
Maps the grid identity to the local user.
Options:
  -s,--service <arg>   DN of the service. When using gums-host it defaults to the host credential DN.
  -f,--fqan <arg>      Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default.
  -t,--timing <arg>    enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
  -b,--bypassCallout   connects directly to GUMS instead of using the callout.
  -i,--issuer <arg>    Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
  -n,--ntimes <arg>    number of times the request will be repeated.
     --help            print this message.

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line
#line: account VO
#Next 2 lines with VO names, same order, all lowercase/with case (lines starting with #voi/#VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

(If you choose to print this, you might also want to print the code to which the online version of this article links.)

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error.
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version        Date              Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
• Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
• Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
• Mapping according to Gecos field available in both NIS and LDAP (carcassi)
• One can filter on the full CN of a host certificate (carcassi)
• The Service Certificate DN is now the identifier for hosts and machines (carcassi)
• Release version in command line (carcassi)
• If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
• Minor updates to the web interface (carcassi)
• VOMS Admin v1.0.x (glite) compatibility (carcassi)
• Support for mapfile cache terminated; web service door only (carcassi)
• FQAN allows for '-', '_' and '.' in the vo, group, role and capability (carcassi)
• DB reviewed: better indexing and transaction use (carcassi)
• Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
• Including setupDatabase with the modification made for VDT (carcassi)
• gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
• Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
• Repackaging of the client components: merged admin and host and named it client (carcassi)
• Fixed minor issues with authorization obligations for storage system (mlorch)
• Double add to a manual group now fails (carcassi)
• Script that creates the database and changes the configuration accordingly (carcassi)
• Repackaging of the service component (carcassi)
• Server identity is now gums host name (carcassi)
• GUMS accepts new style proxies (carcassi)
• The accounts in the pool are used in alphabetical order (carcassi)
• Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
• Gridmapfile is generated simulating users with no FQAN (carcassi)
• LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
• Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
• NIS update is done every hour and is now thread safe (carcassi)
• Log file permissions for the command line tools are set so multiple users can use it (important for admin) (carcassi)
• GUMS host can now be used for stress testing and timing the server response (carcassi)
• Added connection pooling on mysql server (carcassi)
• Solved a race condition that would make GUMS hang in some circumstances (carcassi)
• AuthZ callout without GT3, both client and server stubs (mlorch)
• Added code for Privilege Project in GUMS repository and build process (carcassi)

Release 0.7 - 2005-01-14

Changes (by):
• Better logging: server logs all commands with both input and output (carcassi)
• More complete command line interface (carcassi)
• Web service implementation (carcassi)
• HostWildcards can be more than one, comma separated (carcassi)
• Support for VOMS Fully Qualified Attribute names (carcassi)
• AuthZ service to be contacted by Globus callout (carcassi)
• Support for grid3-user-vo-map.txt generation (carcassi)
• Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
• Nightly build and reporting with Maven (carcassi)
• Removed all the old code from 0.6 (carcassi)
• Better log system: logs for developer, resource admin and site admin in place (carcassi)
• Ability to retrieve groups from within a VOMS server (finally) (carcassi)
• No more duplication in the mapfiles (carcassi)
• Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
• Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
• Installation through RPMs (cron jobs installed automatically) (carcassi)
• Unit tests to Grid3 VOs included (carcassi)
• LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
• XML configuration file for mapping policy (carcassi)
• Log infrastructure (carcassi)
• More flexible architecture (carcassi)
• Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
• Web interface to generate grid-mapfiles and map users (carcassi)
• Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
• GUMS in production at BNL (carcassi)
• NISMapper: retrieves the GECOS field and matches it with the certificate CN (carcassi)
• Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (by):
• Script to fetch user from VOMS (dtyu)
• Script to map user to local account (tomw)

1.1.2 GUMS and Privilege

GUMS and the Privilege architecture

What does GUMS do

Specifying the mapping

GUMS client tools

Workflow

GUMS in the grid architecture

1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and need the command line.

The pieces

Root vs non-root

Firewall and security considerations

Prepare the database

[root@www gums-service]# cat var/sql/setupDatabase.mysql
CREATE DATABASE GUMS_1_1;

GRANT ALL
ON GUMS_1_1.*
TO USER@SERVER IDENTIFIED BY 'PASSWORD';

USE GUMS_1_1;

CREATE TABLE `USER` (
    `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
    `GROUP_NAME` VARCHAR(255) NOT NULL,
    `DN` varchar(255) NOT NULL,
    `FQAN` varchar(255) default NULL
) TYPE=InnoDB;

CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));

CREATE TABLE `MAPPING` (
    `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
    `MAP` VARCHAR(255) NOT NULL,
    `DN` varchar(255) default NULL,
    `ACCOUNT` varchar(255) default NULL
) TYPE=InnoDB;

CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

[root@www sbin]# cat var/sql/addAdmin.mysql
USE GUMS_1_1;

INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service

<Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/tomcat/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />

Installing the client tools

1.2 Installation


1.2.1 HOW TO VDT installation

HOW TO GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


1.2.2 HOW TO Manual installation

HOW TO GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/tomcat-5.0.28-egeesec.tar.gz

[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz

[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
           sslCAFiles="/etc/grid-security/certificates/*.0"
           crlFiles="/etc/grid-security/certificates/*.r0"
           sslCertFile="/etc/grid-security/hostcert.pem"
           sslKey="/etc/grid-security/hostkey.pem"
           log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
           clientAuth="true" sslProtocol="TLS" />

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt


[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Example: setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password secret authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM="-p"

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost.
Usage: addAdmin [DN for administrator]

Example: addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd ../..
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums


<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
generateGridMapfile    - Generate grid-mapfile for a given host
manualGroup-add        - Includes a DN in a group
manualGroup-remove     - Removes a DN from a group
manualMapping-add      - Adds a DN-to-username in a mapping
manualMapping-remove   - Removes a DN from a mapping
mapUser                - Local credential used for a particular user
mapfileCache-refresh   - Regerates mapfiles in the cache
updateGroups           - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO Upgrade from 1.0

HOW TO Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory ... />
  </persistenceFactories>
  <adminUserGroup ... />
  <groupMappings>
    <groupMapping ...>
      <userGroup ... />
      <accountMapping ... />
    </groupMapping>
    <groupMapping ...>
      <userGroup ... />
      <compositeAccountMapping>
        <accountMapping ... />
        <accountMapping ... />
        <accountMapping ... />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup ... />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="star.bnl.gov" />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="phenix.bnl.gov" />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
           cn="mygk.usatlas.bnl.gov"
           groups="atlasProd, usatlasPool, ivdglPool" />

in the order specified

The first match will define the map.


<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="atlasProd"
             voGroup="/atlas" voRole="production"
             sslCertfile="/etc/grid-security/gumscert.pem"
             sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="osgusatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/gumscert.pem"
             sslKey="/etc/grid-security/gumskey.pem"
             acceptProxiesWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper"
                    persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper"
                    groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>


in the order listed
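To make the lookup order concrete, the following Python model reproduces the rules stated above: the first hostGroup that matches the service selects a list of groupMappings, the groups are tried in the order specified, the first one containing the user defines the map, and inside a compositeAccountMapping the mappers are tried in the order listed. This is example code added to this page, not GUMS source. The DNs, host names and pool accounts are constructed, an in-memory dictionary stands in for the pool rows GUMS keeps in MySQL, and host groups are compared by exact CN (the wildcard rules are a separate concern); the fallback when a pool is exhausted is an assumption the manual does not spell out.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

# An account mapper takes a user DN and returns a local account, or None when
# it cannot map that DN; None is what lets a compositeAccountMapping move on
# to the next mapper in the order listed.
Mapper = Callable[[str], Optional[str]]


def group_account_mapper(group_name: str) -> Mapper:
    """Models gov.bnl.gums.GroupAccountMapper: every member gets one shared account."""
    return lambda dn: group_name


def manual_account_mapper(table: Dict[str, str]) -> Mapper:
    """Models gov.bnl.gums.ManualAccountMapper: an explicit DN -> account table."""
    return lambda dn: table.get(dn)


def account_pool_mapper(pool: List[str], assigned: Dict[str, str]) -> Mapper:
    """Models gov.bnl.gums.AccountPoolMapper: a new DN takes the next free pool
    account and keeps it on later calls. A full pool returns None so that a
    composite can fall back to the next mapper (assumed behaviour; the manual
    does not say what the real mapper does when the pool is exhausted)."""
    def mapper(dn: str) -> Optional[str]:
        if dn in assigned:
            return assigned[dn]
        taken = set(assigned.values())
        for account in pool:
            if account not in taken:
                assigned[dn] = account
                return account
        return None
    return mapper


def composite_mapper(mappers: List[Mapper]) -> Mapper:
    """Models compositeAccountMapping: the first mapper returning an account wins."""
    def mapper(dn: str) -> Optional[str]:
        for m in mappers:
            account = m(dn)
            if account is not None:
                return account
        return None
    return mapper


# groupMapping = (DNs that are members of its userGroup, its account mapping)
GroupMapping = Tuple[Set[str], Mapper]
# hostGroup = (service CN, groupMapping names in order of preference); the CN
# is compared exactly here, wildcard matching is left out of this model.
HostGroup = Tuple[str, List[str]]


def map_user(host_groups: List[HostGroup], group_mappings: Dict[str, GroupMapping],
             service_cn: str, user_dn: str) -> Optional[str]:
    """Resolve (service, user) as the manual describes: the first hostGroup that
    matches the service selects a list of groupMappings; they are tried in the
    order specified and the first one containing the user defines the map."""
    for cn, group_names in host_groups:
        if cn != service_cn:
            continue
        for name in group_names:
            members, mapper = group_mappings[name]
            if user_dn in members:
                return mapper(user_dn)
        return None      # known service, but the user is in none of its groups
    return None          # service in no hostGroup: nothing is mapped


# --- constructed sample data: DNs, hosts and pool accounts are invented ------
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 1001"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 1002"
CAROL = "/DC=org/DC=doegrids/OU=People/CN=Carol Example 1003"
DAVE = "/DC=org/DC=doegrids/OU=People/CN=Dave Example 1004"
ERIN = "/DC=org/DC=doegrids/OU=People/CN=Erin Example 1005"

POOL_ASSIGNMENTS: Dict[str, str] = {}   # stands in for the pool rows GUMS keeps in MySQL

GROUP_MAPPINGS: Dict[str, GroupMapping] = {
    # like the atlasProd example: the production role maps to one shared account
    "atlasProd": ({ALICE, BOB}, group_account_mapper("usatprod")),
    # like the usatlasPool example: pool account first, shared account once the pool is full
    "usatlasPool": ({BOB, CAROL, ERIN}, composite_mapper([
        account_pool_mapper(["grid0000", "grid0001"], POOL_ASSIGNMENTS),
        group_account_mapper("usatlas1"),
    ])),
}

HOST_GROUPS: List[HostGroup] = [
    ("mygk.usatlas.bnl.gov", ["atlasProd", "usatlasPool"]),
    ("test.usatlas.bnl.gov", ["usatlasPool"]),
]

if __name__ == "__main__":
    # Bob is in both groups; atlasProd comes first in the list, so it wins.
    for dn in (ALICE, BOB, CAROL, DAVE):
        print(dn.rsplit("CN=", 1)[1], "->",
              map_user(HOST_GROUPS, GROUP_MAPPINGS, "mygk.usatlas.bnl.gov", dn))
```

The point to take from the model is that membership in several groups is resolved purely by list position: reordering the groups attribute of a hostGroup changes which account a user lands in, so the order is part of the authorization policy and should be reviewed as such.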

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap

className
    The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name="mysql"
                    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
                    hibernate.connection.username="gums"
                    hibernate.connection.password="mysecret"
                    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
                    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
                    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
                    hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

name
    The name that will be used by the other components to refer to this groupMapping.
    Examples: atlas, star, phenix

accountingVo
    The lower case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

accountingDesc
    The upper case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, iVDgL

userGroup

className
    The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup


server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl

query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
           server="grid-vo.nikhef.nl"
           query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
           persistanceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

url
    The url of the web services for VOMS. Notice that it needs the full url of the service: it won't be constructed from the server name or vo.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole


matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    • exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify
    • group - the FQAN in the proxy has to be the same group or any subgroup; role is ignored
    • vo - the FQAN in the proxy has to be of the same vo
    • ignore - the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
           url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
           persistanceFactory="mysql" name="atlas" voGroup="/atlas/test"
           sslCertfile="/etc/grid-security/hostcert.pem"
           sslKey="/etc/grid-security/hostkey.pem" />
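The four matchFQAN modes and the acceptProxyWithoutFQAN switch decide whether a VOMS proxy is accepted by a userGroup, and the difference between them is easy to get wrong when writing a groupMapping. The Python below, added as an example for this page and not taken from GUMS, implements the matching rules exactly as the table states them. The FQAN parsing (a group path followed by optional Role= and Capability= components), the case-insensitive treatment of the mode name, and the way a missing FQAN is combined with acceptProxyWithoutFQAN are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Fqan:
    group: str            # e.g. "/atlas/usatlas"
    role: Optional[str]   # e.g. "production"; None when absent or Role=NULL


def parse_fqan(fqan: str) -> Fqan:
    """Split a VOMS FQAN such as "/atlas/usatlas/Role=production/Capability=NULL"
    into its group path and role (assumed layout of the FQAN components)."""
    group_parts = []
    role = None
    for part in fqan.split("/"):
        if not part:
            continue
        if part.startswith("Role="):
            value = part[len("Role="):]
            role = None if value == "NULL" else value
        elif part.startswith("Capability="):
            continue                      # never used for matching here
        else:
            group_parts.append(part)
    return Fqan("/" + "/".join(group_parts), role)


def _within(path: str, prefix: str) -> bool:
    """True when path equals prefix or is a subgroup of it ("/a/b" is within "/a")."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def fqan_matches(match_fqan: str, vo_group: str, vo_role: Optional[str],
                 proxy_fqan: str) -> bool:
    """Apply one of the four matchFQAN modes from the attribute table."""
    mode = match_fqan.lower()                 # the examples on this page use "VO" and "vo"
    if mode == "ignore":
        return True                           # FQAN completely ignored
    f = parse_fqan(proxy_fqan)
    if mode == "exact":
        return f.group == vo_group.rstrip("/") and f.role == vo_role
    if mode == "group":
        return _within(f.group, vo_group)     # same group or any subgroup, role ignored
    if mode == "vo":
        vo = "/" + vo_group.strip("/").split("/")[0]
        return _within(f.group, vo)           # anything under the same VO
    raise ValueError(f"unknown matchFQAN value: {match_fqan!r}")


def voms_group_accepts(match_fqan: str, vo_group: str, vo_role: Optional[str],
                       accept_proxy_without_fqan: bool, dn_in_group: bool,
                       proxy_fqan: Optional[str]) -> bool:
    """Whole userGroup decision: the DN must be in the list retrieved from VOMS,
    and a proxy without any FQAN is accepted only when acceptProxyWithoutFQAN
    is true (assumed combination of the two settings)."""
    if not dn_in_group:
        return False
    if proxy_fqan is None:
        return accept_proxy_without_fqan
    return fqan_matches(match_fqan, vo_group, vo_role, proxy_fqan)


if __name__ == "__main__":
    # Constructed FQANs; compare the outcome of each mode for the atlasProd-style group.
    for fqan in ("/atlas/Role=production/Capability=NULL",
                 "/atlas/usatlas/Role=production/Capability=NULL",
                 "/atlas/Role=NULL/Capability=NULL"):
        print(fqan, [m for m in ("exact", "group", "vo", "ignore")
                     if fqan_matches(m, "/atlas", "production", fqan)])
```

Note what the default buys you: with exact, the atlasProd group only admits a proxy carrying Role=production, whereas vo would admit any member of the VO, so a group intended for a privileged role should keep the default or say group only when subgroups are meant to be included.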

gov.bnl.gums.ManualGroup

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistanceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

jndiNisUrl
    The url, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

jndiLdapUrl
    The url, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper


persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

groupName
    The name of the account.
    Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov"
           groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup


cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.', '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"
           groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />
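The restriction that a wildcard may not cross '.', '/' or '=' is what keeps a hostGroup from quietly covering more services than intended: a pattern written for one DNS level cannot spill into subdomains, and a pattern on a service CN cannot absorb extra DN components. The Python below is an example added for this page, not GUMS code; it translates the wildcard rules as the two tables above describe them into anchored regular expressions and checks the manual's own counterexamples. Whether a '*' may match the empty string is not stated on the page and is assumed here to require at least one character.

```python
import re

# Characters a "*" may not cross, as the tables describe them:
# "." for WildcardHostGroup host names; ".", "/" and "=" for CertificateHostGroup cn and dn.
HOST_STOP = "."
CN_STOP = "./="


def wildcard_to_regex(pattern: str, stop_chars: str) -> "re.Pattern[str]":
    """Turn a GUMS-style wildcard into an anchored regular expression.
    Literal characters are escaped; each "*" becomes "one or more characters
    other than stop_chars" (assumed: the manual does not say whether "*" may
    match nothing at all)."""
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append("[^" + re.escape(stop_chars) + "]+")
        else:
            pieces.append(re.escape(ch))
    # Anchored on both ends: a trailing "/CN=..." component must fail.
    return re.compile("^" + "".join(pieces) + "$")


def host_matches(wildcard: str, host: str) -> bool:
    """gov.bnl.gums.WildcardHostGroup: '*' cannot span a '.' label boundary."""
    return wildcard_to_regex(wildcard, HOST_STOP).match(host) is not None


def cn_matches(cn_pattern: str, cn: str) -> bool:
    """CertificateHostGroup cn= attribute: '*' cannot cross '.', '/' or '='."""
    return wildcard_to_regex(cn_pattern, CN_STOP).match(cn) is not None


def dn_matches(dn_pattern: str, dn: str) -> bool:
    """CertificateHostGroup dn= attribute: the same rule applied to the whole DN."""
    return wildcard_to_regex(dn_pattern, CN_STOP).match(dn) is not None


if __name__ == "__main__":
    # The manual's counterexamples, plus a DN with an extra component appended.
    checks = [
        ("host", "*.bnl.gov", "myhost.usatlas.bnl.gov"),
        ("cn", "*.bnl.gov", "host/test.bnl.gov"),
        ("dn", "/DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com",
               "/DC=org/DC=doegrids/OU=Services/CN=gk.mycompany.com/CN=123456"),
    ]
    matchers = {"host": host_matches, "cn": cn_matches, "dn": dn_matches}
    for kind, pattern, subject in checks:
        print(f"{kind}: {pattern!r} vs {subject!r} -> {matchers[kind](pattern, subject)}")
```

The last check in the demo is the one worth keeping in mind when writing dn= patterns: because the expression is anchored and '*' cannot contain '/', a subject with an additional '/CN=...' component does not match a pattern written for the service certificate alone.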


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem"
             matchFQAN="VO" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup"
             persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>


<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper"
                  persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper"
                    persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper"
                    persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlasProd"
             voGroup="/atlas" voRole="production"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem" />


  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
generateGridMapfile    - Generate grid-mapfile for a given service/host
manualGroup-add        - Includes a DN in a group
manualGroup-remove     - Removes a DN from a group
manualMapping-add      - Adds a DN-to-username in a mapping
manualMapping-remove   - Removes a DN from a mapping
mapUser                - Local credential used for a particular user
mapfileCache-refresh   - Regerates mapfiles in the cache
pool-addRange          - Adds accounts to an account pool
updateGroups           - Contact VO servers and retrieve user lists
version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
 -s,--service <arg>       DN of the service. When using gums-host, it defaults
                          to the host credential DN.
 -f,--fqan <arg>          Fully Qualified Attribute Name, as it would be
                          selected using voms-proxy-init; no extended information by
                          default.
 -t,--timing <arg>        enables timing, grouping the requests. For example,
                          -t 100 will give you timing information on 100 requests at a
                          time.
 -b,--bypassCallout       connects directly to GUMS instead of using the
                          callout.
 -i,--issuer <arg>        Fully Qualified Attribute Name Issuer, that is the
                          DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>        number of times the request will be repeated.
    --help                print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
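The two files produced above are what the gatekeeper and the accounting tools actually consume, so it pays to check them before installing them: a DN listed twice is only honoured on its first line, and an account in the grid-mapfile that the user-VO map cannot attribute to a VO is usage nobody accounts for. The Python below is an example written for this page, not part of the GUMS client; it parses both formats as shown in the output above and runs those two checks. The sample contents are constructed, including the names and the deliberately duplicated DN and the unattributed account "nobody".

```python
import shlex
from typing import Dict, List, Tuple

# Constructed sample output in the two formats shown above (names invented).
GRID_MAPFILE = """\
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Example User One 1111" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Example User Two 2222" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Example User Two 2222" usatlas2
#---- members of vo: ivdgl ----#
"/DC=org/DC=doegrids/OU=People/CN=Example Pilot 3333" ivdgl
"/DC=org/DC=doegrids/OU=People/CN=Example Orphan 4444" nobody
"""

USER_VO_MAP = """\
#User-VO map
# #comment line, format of each regular line line: account VO
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
usatlas2 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
"""


def parse_grid_mapfile(text: str) -> List[Tuple[str, str]]:
    """Return (DN, account) pairs. The DN is double-quoted because it contains
    spaces, so a shell-style split is used rather than str.split()."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '\"DN\" account', got {line!r}")
        entries.append((fields[0], fields[1]))
    return entries


def parse_user_vo_map(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (vo name -> accounting description, account -> vo) from a
    grid3-user-vo-map.txt; the #voi and #VOc header lines pair up by position."""
    voi: List[str] = []
    voc: List[str] = []
    account_vo: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#voi"):
            voi = line.split()[1:]
        elif line.startswith("#VOc"):
            voc = line.split()[1:]
        elif line and not line.startswith("#"):
            account, vo = line.split()
            account_vo[account] = vo
    if len(voi) != len(voc):
        raise ValueError("#voi and #VOc lists differ in length")
    return dict(zip(voi, voc)), account_vo


def duplicate_dns(entries: List[Tuple[str, str]]) -> List[str]:
    """DNs that appear more than once with different accounts: only the first
    line takes effect in a grid-mapfile, so the others are dead policy."""
    seen: Dict[str, str] = {}
    dupes: List[str] = []
    for dn, account in entries:
        if dn in seen and seen[dn] != account and dn not in dupes:
            dupes.append(dn)
        seen.setdefault(dn, account)
    return dupes


def accounts_without_vo(entries: List[Tuple[str, str]], account_vo: Dict[str, str]) -> List[str]:
    """Accounts used in the grid-mapfile that the user-VO map cannot attribute
    to any VO; usage under them would not be accounted for."""
    return sorted({acct for _, acct in entries if acct not in account_vo})


if __name__ == "__main__":
    entries = parse_grid_mapfile(GRID_MAPFILE)
    vo_names, account_vo = parse_user_vo_map(USER_VO_MAP)
    print("VOs:", vo_names)
    print("duplicate DNs:", duplicate_dns(entries))
    print("accounts without a VO:", accounts_without_vo(entries, account_vo))
```

Run against real output, the two checks give a quick answer to "does the mapping the gatekeeper will enforce agree with the mapping the accounting sees", which is the property an inverse map is supposed to guarantee.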

Manual groups and mappings management commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql"
             name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
             persistenceFactory="mysql" name="myvo"
             voGroup="/myvo"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper"
                  persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add


[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
generateGridMapfile    - Generate grid-mapfile for this host
mapUser                - Local credential used for a particular user
version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
 -s,--service <arg>       DN of the service. When using gums-host, it defaults
                          to the host credential DN.
 -f,--fqan <arg>          Fully Qualified Attribute Name, as it would be
                          selected using voms-proxy-init; no extended information by
                          default.
 -t,--timing <arg>        enables timing, grouping the requests. For example,
                          -t 100 will give you timing information on 100 requests at a
                          time.
 -b,--bypassCallout       connects directly to GUMS instead of using the
                          callout.
 -i,--issuer <arg>        Fully Qualified Attribute Name Issuer, that is the
                          DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>        number of times the request will be repeated.
    --help                print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

LocalId[userName: special1]

gums generateGridMapfile


[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


17 Changes

Release History

Version        Date          Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (glite) compatibility (carcassi)
- Support for mapfile cache terminated, web service door only (carcassi)
- FQAN allows for '-', '_' and '.' in the vo group, role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect, which caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now gums host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Gridmapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
- Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use it (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3, both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)


Release 0.7 - 2005-01-14

Changes (by):
- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests to Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches with certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (by):
- Script to fetch user from VOMS (dtyu)
- Script to map user to local account (tomw)


GUMS client tools

Workflow


GUMS in the grid architecture


113 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and need the command line.

The pieces


Root vs non-root

Firewall and security considerations

Prepare the database

[root@www gums-service]# cat var/sql/setupDatabase.mysql
CREATE DATABASE GUMS_1_1;

GRANT ALL ON GUMS_1_1.* TO USER@SERVER IDENTIFIED BY 'PASSWORD';

USE GUMS_1_1;

CREATE TABLE `USER` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `GROUP_NAME` VARCHAR(255) NOT NULL,
  `DN` varchar(255) NOT NULL,
  `FQAN` varchar(255) default NULL
) TYPE=InnoDB;

CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));

CREATE TABLE `MAPPING` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `MAP` VARCHAR(255) NOT NULL,
  `DN` varchar(255) default NULL,
  `ACCOUNT` varchar(255) default NULL
) TYPE=InnoDB;

CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

[root@www sbin]# cat var/sql/addAdmin.mysql
USE GUMS_1_1;

INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service


<Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/tomcat/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />


Installing the client tools


12 Installation


121 HOW TO VDT installation

HOW TO GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


122 HOW TO Manual installation

HOW TO GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz
[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Examples:
  setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password secret, authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM="-p"

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost.
Usage: addAdmin [DN for administrator]

Example:
  addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd ../..
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums


<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
generateGridMapfile - Generate grid-mapfile for a given host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
updateGroups - Contact VO servers and retrieve user lists

For help on any command:
gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


123 HOW TO Upgrade from 10

HOW TO Upgrade from 10 to 11

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


13 Using GUMS


131 Configuration

Configuring GUMS


1311 gumsconfig

gumsconfig

<gums>
  <persistenceFactories>
    <persistenceFactory />
  </persistenceFactories>
  <adminUserGroup />
  <groupMappings>
    <groupMapping>
      <userGroup />
      <accountMapping />
    </groupMapping>
    <groupMapping>
      <userGroup />
      <compositeAccountMapping>
        <accountMapping />
        <accountMapping />
        <accountMapping />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" />

  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />

  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
    cn="mygk.usatlas.bnl.gov"
    groups="atlasProd, usatlasPool, ivdglPool" />

in the order specified

The first match will define the map.


<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="atlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/gumscert.pem"
      sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="osgusatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/gumscert.pem"
      sslKey="/etc/grid-security/gumskey.pem"
      acceptProxiesWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>


in the order listed

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

Attributes (description, examples):

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap

className
    The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name="mysql"
    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
    hibernate.connection.username="gums"
    hibernate.connection.password="mysecret"
    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
    hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

Attributes (description, examples):

name
    The name that will be used by the other components to refer to this groupMapping.
    Examples: atlas, star, phenix

accountingVo
    The lower case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

accountingDesc
    The upper case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, iVDgL

userGroup

Attributes (description, examples):

className
    The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup


Attributes (description, examples):

server
    The LDAP server from which to retrieve the information.
    Example: grid-vo.nikhef.nl

query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Example: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
    server="grid-vo.nikhef.nl"
    query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
    persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

Attributes (description, examples):

url
    The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo.
    Example: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole

matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    - exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
    - group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    - vo: the FQAN in the proxy has to be of the same vo
    - ignore: the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Example: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Example: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates).
    Example: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Example: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Example: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlas"
    voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
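The four matchFQAN modes and the acceptProxyWithoutFQAN switch described in the table above, worked through in plain Python as an added example (this is not GUMS code, and it does not reproduce the project's implementation). The FQAN strings and the group/role settings in it are constructed sample values; the membership of a DN in the VOMS listing, which GUMS checks separately against its cache, is not modelled.

```python
"""Added example, not GUMS code: the four matchFQAN modes of a VOMSGroup.

A VOMS FQAN looks like /atlas/usatlas/Role=production/Capability=NULL.
fqan_matches() decides whether the FQAN carried by a proxy fits the
voGroup/voRole configured on the userGroup under the chosen matchFQAN
mode, and how acceptProxyWithoutFQAN handles a proxy with no FQAN at all.
Sample values are constructed; nothing here talks to a VOMS server.
"""


def parse_fqan(fqan: str):
    """Split an FQAN into (group path, role or None).

    Role=NULL and any Capability= component are treated as absent, which is
    how voms-proxy-init presents an FQAN with no role selected.
    """
    group_parts, role = [], None
    for part in fqan.split("/"):
        if not part:
            continue
        if part.startswith("Role="):
            value = part[len("Role="):]
            role = None if value == "NULL" else value
        elif part.startswith("Capability="):
            continue  # capabilities play no part in group matching
        else:
            group_parts.append(part)
    return "/" + "/".join(group_parts), role


def vo_of(group: str) -> str:
    """First path component of a group path: /atlas/usatlas -> atlas."""
    return group.strip("/").split("/")[0]


def fqan_matches(mode: str, vo_group: str, vo_role, proxy_fqan,
                 accept_proxy_without_fqan: bool = False) -> bool:
    """Return True when the proxy's FQAN satisfies the group's VOMS settings.

    mode is one of the four matchFQAN values: exact, group, vo, ignore.
    proxy_fqan is None for a plain (non-VOMS) proxy.
    """
    if proxy_fqan is None:
        # A non-VOMS proxy carries no FQAN; only acceptProxyWithoutFQAN
        # can let it through, whatever the matchFQAN mode.
        return accept_proxy_without_fqan
    if mode == "ignore":
        return True
    group, role = parse_fqan(proxy_fqan)
    wanted = vo_group.rstrip("/")
    if mode == "vo":
        return vo_of(group) == vo_of(wanted)
    if mode == "group":
        # Same group or any subgroup of it; the role is not consulted.
        return group == wanted or group.startswith(wanted + "/")
    if mode == "exact":
        return group == wanted and role == vo_role
    raise ValueError("unknown matchFQAN mode: %r" % mode)
```

Note that under "group" a proxy for /atlas/usatlasx is not a subgroup of /atlas/usatlas: the comparison is on whole path components, not on a string prefix.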

gov.bnl.gums.ManualGroup

Attributes (description, examples):

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Example: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


Attributes (description, examples):

className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attributes (description, examples):

jndiNisUrl
    The url, as defined in the Java JNDI driver, that specifies the NIS server and the domain.
    Example: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attributes (description, examples):

jndiLdapUrl
    The url, as defined in the Java JNDI driver, that specifies the LDAP server and the domain.
    Example: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

govbnlgumsAccountPoolMapper


Attributes (description, examples):

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Example: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attributes (description, examples):

groupName
    The name of the account.
    Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


Attributes (description, examples):

className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Example: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attributes (description, examples):

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where '*' can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, atlas.mysite.org, *.atlas.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup"
    wildcard="*.usatlas.bnl.gov"
    groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

govbnlgumsCertificateHostGroup


Attributes (description, examples):

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where '*' can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, atlas.mysite.org, *.atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where '*' can be substituted with any character except '.', '/' or '='.
    Example: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
    cn="*.usatlas.bnl.gov"
    groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />
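How the hostGroups and groupMapping sections above combine to pick an account, as an added worked example in plain Python (not GUMS code and not the project's implementation): hostGroups are tried in the order listed and the first whose cn wildcard matches the service CN wins, and that hostGroup's groups list is then walked in order of preference until a groupMapping that contains the user DN is found. The wildcard rules follow the two tables above ('*' may not stand for '.', '/' or '=' in a CertificateHostGroup cn; only '.' is excluded in the deprecated WildcardHostGroup). The host group list, DNs, group memberships and account names are constructed sample data.

```python
"""Added example, not GUMS code: resolving (service CN, user DN) to an account.

Models the ordering rules of the gums.config reference: first matching
hostGroup, then first groupMapping (in the hostGroup's groups list) whose
cached member list contains the user. Sample data below is constructed.
"""
import re


def wildcard_regex(pattern: str, excluded: str):
    """Compile a GUMS-style wildcard: '*' matches any run of characters
    that are not in ``excluded``; every other character is literal."""
    literal = [re.escape(p) for p in pattern.split("*")]
    star = "[^" + "".join(re.escape(c) for c in excluded) + "]*"
    return re.compile(star.join(literal))


def cn_matches(cn_wildcard: str, service_cn: str) -> bool:
    """CertificateHostGroup cn attribute: '*' may not cross '.', '/' or '='."""
    return wildcard_regex(cn_wildcard, "./=").fullmatch(service_cn) is not None


def host_wildcard_matches(wildcard: str, hostname: str) -> bool:
    """Deprecated WildcardHostGroup wildcard attribute: '*' may not cross '.'."""
    return wildcard_regex(wildcard, ".").fullmatch(hostname) is not None


# <hostGroups> in the order they would appear in gums.config: (cn, groups).
# Constructed sample configuration.
HOST_GROUPS = [
    ("*.star.bnl.gov", ["star"]),
    ("mygk.usatlas.bnl.gov", ["atlasProd", "usatlasPool"]),  # test gatekeeper
    ("*.usatlas.bnl.gov", ["usatlasPool"]),                  # remaining gatekeepers
]

# Constructed sample DNs.
STAR_USER = "/DC=org/DC=doegrids/OU=People/CN=Star User 1"
PROD_USER = "/DC=org/DC=doegrids/OU=People/CN=Prod User 2"
POOL_USER = "/DC=org/DC=doegrids/OU=People/CN=Pool User 3"

# groupMapping name -> (cached member DNs, account its accountMapping yields).
GROUP_MAPPINGS = {
    "star": ({STAR_USER}, "star1"),
    "atlasProd": ({PROD_USER}, "usatlas1"),
    "usatlasPool": ({PROD_USER, POOL_USER}, "grid0001"),
}


def groups_for_service(service_cn: str):
    """Groups list of the first matching hostGroup; None if no hostGroup
    covers the service (an unknown gatekeeper gets no mapping at all)."""
    for cn_wildcard, groups in HOST_GROUPS:
        if cn_matches(cn_wildcard, service_cn):
            return groups
    return None


def map_user(service_cn: str, user_dn: str):
    """Local account for user_dn on service_cn, or None when unmapped."""
    groups = groups_for_service(service_cn)
    if groups is None:
        return None
    for name in groups:                 # order of preference
        members, account = GROUP_MAPPINGS[name]
        if user_dn in members:
            return account              # the first match defines the map
    return None
```

The same user therefore lands in different accounts on different gatekeepers: on mygk.usatlas.bnl.gov the production user is taken from atlasProd first, while on any other *.usatlas.bnl.gov host only usatlasPool is consulted.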


1312 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem"
      matchFQAN="VO" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />


132 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1321 bingums

bingums

Authentication and authorization

bingums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
generateGridMapfile - Generate grid-mapfile for a given service/host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
pool-addRange - Adds accounts to an account pool
updateGroups - Contact VO servers and retrieve user lists
version - Retrieve GUMS client version

For help on any command:
gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>      DN of the service. When using gums-host it defaults
                         to the host credential DN
 -f,--fqan <arg>         Fully Qualified Attribute Name, as it would be
                         selected using voms-proxy-init; no extended
                         information by default
 -t,--timing <arg>       enables timing, grouping the requests. For example,
                         -t 100 will give you timing information on 100
                         requests at a time
 -b,--bypassCallout      connects directly to GUMS instead of using the
                         callout
 -i,--issuer <arg>       Fully Qualified Attribute Name Issuer, that is the
                         DN of the VOMS service that issued the attribute
                         certificate
 -n,--ntimes <arg>       number of times the request will be repeated
    --help               print this message

Service mapping generation commands

gums mapUser

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

LocalId[userName: grid12345]

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

LocalId[userName: special1]

gums generateGridMapfile

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
      persistenceFactory="mysql" name="myvo" voGroup="/myvo"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1"/>
</groupMapping>

gums manualGroup-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile - Generate grid-mapfile for this host
  mapUser - Local credential used for a particular user
  version - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>    DN of the service. When using gums-host, it defaults
                       to the host credential DN
 -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be
                       selected using voms-proxy-init; no extended information by
                       default
 -t,--timing <arg>     enables timing, grouping the requests. For example,
                       -t 100 will give you timing information on 100 requests at a
                       time
 -b,--bypassCallout    connects directly to GUMS instead of using the
                       callout
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the
                       DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>     number of times the request will be repeated
    --help             print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
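An added example (not GUMS code) that parses the two files gums and gums-host generate, the grid-mapfile and grid3-user-vo-map.txt shown above, and cross-checks them on the gatekeeper; the sample file contents are constructed to mimic that output, with an ivdgl mapping and a usatprod account added so the check has something to report.

```python
"""Added example, not GUMS's own code: parse the grid-mapfile and
grid3-user-vo-map.txt that gums / gums-host generate and cross-check them.
Both file contents below are constructed, mimicking the output shown above."""
import re

GRIDMAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<account>\S+)$')

# Constructed sample grid-mapfile (VO sections as generateGridMapfile prints them)
SAMPLE_GRIDMAP = '''#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
#---- members of vo: ivdgl ----#
"/DC=org/DC=doegrids/OU=People/CN=Some User 67890" ivdgl
'''

# Constructed sample grid3-user-vo-map.txt, same header lines as generateGrid3UserVoMap
SAMPLE_USER_VO_MAP = '''#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo
#VOc ATLAS iVDgL LIGO
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
usatprod usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
'''


def parse_gridmapfile(text: str) -> dict:
    """Return {dn: account}; lines starting with '#' are comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        mapping[m["dn"]] = m["account"]
    return mapping


def parse_user_vo_map(text: str):
    """Return (voi, VOc, {account: vo}) from a grid3-user-vo-map.txt."""
    voi, voc, accounts = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#voi"):
            voi = line.split()[1:]
        elif line.startswith("#VOc"):
            voc = line.split()[1:]
        elif line and not line.startswith("#"):
            account, vo = line.split()
            accounts[account] = vo
    return voi, voc, accounts


def check_consistency(gridmap: dict, voi: list, voc: list, accounts: dict) -> dict:
    """Cross-check the two files. 'errors' are real inconsistencies; 'fqan_only'
    lists accounts the inverse map knows but no DN reaches in the grid-mapfile,
    which is expected for accounts reachable only through a VOMS FQAN, since the
    grid-mapfile is generated simulating users with no FQAN."""
    errors, fqan_only = [], []
    if len(voi) != len(voc):
        errors.append("#voi and #VOc list a different number of VOs")
    used = set(gridmap.values())
    for account, vo in accounts.items():
        if vo not in voi:
            errors.append(f"account {account}: VO {vo} missing from #voi line")
        if account not in used:
            fqan_only.append(account)
    for account in sorted(used - set(accounts)):
        errors.append(f"account {account} is mapped in grid-mapfile but has no VO in user-vo-map")
    return {"errors": errors, "fqan_only": fqan_only}


def run_sample() -> dict:
    """Run the check over the constructed sample files."""
    gridmap = parse_gridmapfile(SAMPLE_GRIDMAP)
    voi, voc, accounts = parse_user_vo_map(SAMPLE_USER_VO_MAP)
    return check_consistency(gridmap, voi, voc, accounts)
```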


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs/
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version       Date               Description
1.1.0         2005-07-20
1.0.1         2005-04-07
1.0.0         2005-03-16
0.7.1         2005-02-01
0.7           2005-01-14
0.6.1         2004-08-10
0.6           2004-07-01
0.5           2004-05-20
undetermined  before March 2004

Release 1.1.0 - 2005-07-20

Changes  By
Review GUMS maven structure (i.e. plug-in dependencies, project.xml)  carcassi
Fix tomcat deployment in build (i.e. dev server being down once in a while)  carcassi
Mapping according to Gecos field available in both NIS and LDAP  carcassi
One can filter on the full CN of a host certificate  carcassi
The Service Certificate DN is now the identifier for hosts and machines  carcassi
Release version in command line  carcassi
If gums.config isn't found the first time, a tomcat restart was needed  carcassi
Minor updates to the web interface  carcassi
VOMS Admin v1.0.x (glite) compatibility  carcassi
Support for mapfile cache terminated; web service door only  carcassi
FQAN allows for -, _ and . in the vo, group, role and capability  carcassi
DB reviewed: better indexing and transaction use  carcassi
Updating from VOMS is no longer blocking  carcassi

Release 1.0.1 - 2005-04-07

Changes  By
Including setupDatabase with the modification made for VDT  carcassi
gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package)  carcassi
Error code from scripts was incorrect; that caused the cron job to update maps in case of error too  carcassi

Release 1.0.0 - 2005-03-16

Changes  By
Repackaging of the client components: merged admin and host and named it client  carcassi
Fixed minor issues with authorization obligations for storage system  mlorch
Double add to a manual group now fails  carcassi
Script that creates the database and changes the configuration accordingly  carcassi
Repackaging of the service component  carcassi
Server identity is now gums host name  carcassi
GUMS accepts new style proxies  carcassi
The accounts in the pool are used in alphabetical order  carcassi
Inverse map is now generated exploring all the DN/FQAN combinations  carcassi
Gridmapfile is generated simulating users with no FQAN  carcassi
LDAP integration for primary gid change at BNL once an account is assigned  carcassi

Release 0.7.1 - 2005-02-01

Changes  By
Log names reviewed so that both client and server can stay (through links) in the same directory  carcassi
NIS update is done every hour and is now thread safe  carcassi
Log file permissions for the command line tools are set so multiple users can use it (important for admin)  carcassi
GUMS host can now be used for stress testing and timing the server response  carcassi
Added connection pooling on mysql server  carcassi
Solved a race condition that would make GUMS hang in some circumstances  carcassi
AuthZ callout without GT3, both client and server stubs  mlorch
Added code for Privilege Project in GUMS repository and build process  carcassi

Release 0.7 - 2005-01-14

Changes  By
Better logging: server logs all commands with both input and output  carcassi
More complete command line interface  carcassi
Web service implementation  carcassi
HostWildcards can be more than one, comma separated  carcassi
Support for VOMS Fully Qualified Attribute names  carcassi
AuthZ service to be contacted by Globus callout  carcassi
Support for grid3-user-vo-map.txt generation  carcassi
Many, many other refinements  carcassi

Release 0.6.1 - 2004-08-10

Changes  By
Nightly build and reporting with Maven  carcassi
Removed all the old code from 0.6  carcassi
Better log system: logs for developer, resource admin and site admin in place  carcassi
Ability to retrieve groups from within a VOMS server (finally)  carcassi
No more duplication in the mapfiles  carcassi
Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated  carcassi
Improved error handling (i.e. a failed update on one group doesn't block the others)  carcassi
Installation through RPMs (cron jobs installed automatically)  carcassi
Unit tests to Grid3 VOs included  carcassi
LDAP access improved: can access LCG dev VO  carcassi

Release 0.6 - 2004-07-01

Changes  By
XML configuration file for mapping policy  carcassi
Log infrastructure  carcassi
More flexible architecture  carcassi
Decoupled grid-mapfile generation from database caching for distribution on gatekeeper  carcassi
Web interface to generate grid-mapfiles and map users  carcassi
Better command line interfaces (feel like Unix commands)  carcassi

Release 0.5 - 2004-05-20

Changes  By
GUMS in production at BNL  carcassi
NISMapper: retrieves the GECOS field and matches with certificate CN  carcassi
Architecture to allow different types of mappings for different hosts  carcassi

Release undetermined - before March 2004

Changes  By
Script to fetch user from VOMS  dtyu
Script to map user to local account  tomw


GUMS in the grid architecture


1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and need the command line.

The pieces


Root vs non-root

Firewall and security considerations

Prepare the database

[root@www gums-service]# cat var/sql/setupDatabase.mysql
CREATE DATABASE GUMS_1_1;

GRANT ALL ON GUMS_1_1.* TO USER@SERVER IDENTIFIED BY 'PASSWORD';

USE GUMS_1_1;

CREATE TABLE `USER` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `GROUP_NAME` VARCHAR(255) NOT NULL,
  `DN` varchar(255) NOT NULL,
  `FQAN` varchar(255) default NULL
) TYPE=InnoDB;

CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));

CREATE TABLE `MAPPING` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `MAP` VARCHAR(255) NOT NULL,
  `DN` varchar(255) default NULL,
  `ACCOUNT` varchar(255) default NULL
) TYPE=InnoDB;

CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

[root@www sbin]# cat var/sql/addAdmin.mysql
USE GUMS_1_1;

INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/tomcat/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS"/>

Installing the client tools


1.2 Installation


1.2.1 HOW TO: VDT installation

HOW TO: GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


1.2.2 HOW TO: Manual installation

HOW TO: GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS"/>

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Examples:
setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password secret authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost
Usage: addAdmin [DN for administrator]

Example:
addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd /opt
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums

<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarchrpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
  generateGridMapfile - Generate grid-mapfile for a given host
  manualGroup-add - Includes a DN in a group
  manualGroup-remove - Removes a DN from a group
  manualMapping-add - Adds a DN-to-username in a mapping
  manualMapping-remove - Removes a DN from a mapping
  mapUser - Local credential used for a particular user
  mapfileCache-refresh - Regerates mapfiles in the cache
  updateGroups - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory/>
  </persistenceFactories>
  <adminUserGroup/>
  <groupMappings>
    <groupMapping>
      <userGroup/>
      <accountMapping/>
    </groupMapping>
    <groupMapping>
      <userGroup/>
      <compositeAccountMapping>
        <accountMapping/>
        <accountMapping/>
        <accountMapping/>
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup/>
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov"/>
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov"/>
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov"/>
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"/>
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd,usatlasPool,ivdglPool"/>

in the order specified

The first match will define the map.


<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="atlasProd" voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="osgusatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"
      acceptProxiesWithoutFQAN="true"/>
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
  </compositeAccountMapping>
</groupMapping>


in the order listed

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory"/>
</persistenceFactories>

persistenceFactory

Attribute  Description  Examples

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap

className
    The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name="mysql"
    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
    hibernate.connection.username="gums"
    hibernate.connection.password="mysecret"
    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
    hibernate.connection.pool_size="3"/>

adminUserGroup

groupMappings

groupMapping

Attribute  Description  Examples

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: atlas, star, phenix

accountingVo
    The lower case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

accountingDesc
    The upper case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, iVDgL

userGroup

Attribute  Description  Examples

className
    The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup

Attribute  Description  Examples

server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl

query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup" server="grid-vo.nikhef.nl"
    query="ou=People,o=atlas,dc=eu-datagrid,dc=org" persistenceFactory="mysql" name="atlas"/>

govbnlgumsVOMSGroup

Attribute / Description / Examples

url
    The url of the web services for VOMS. Notice that it needs the full url of the service: it won't be constructed from the server name or vo.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole

matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    - exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
    - group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    - vo: the FQAN in the proxy has to be of the same vo
    - ignore: the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualGroup

Attribute / Description / Examples

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


Attribute / Description / Examples

className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attribute / Description / Examples

jndiNisUrl
    The url, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attribute / Description / Examples

jndiLdapUrl
    The url, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper


Attribute / Description / Examples

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attribute / Description / Examples

groupName
    The name of the account.
    Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


Attribute / Description / Examples

className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute / Description / Examples

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where "*" can be substituted with any character except ".". That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov"
    groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

gov.bnl.gums.CertificateHostGroup


Attribute / Description / Examples

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where "*" can be substituted with any character except ".", "/" or "=". That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where "*" can be substituted with any character except ".", "/" or "=".
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"
    groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />
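As an added example (not code from the GUMS documentation or project), the matching rule the cn and dn wildcards describe, together with the ordered hostGroup lookup a service DN goes through. The rule that "*" stands for any run of characters other than ".", "/" and "=", the constructed hostGroup list and the service DNs are assumptions taken from the tables above.

```python
"""Wildcard matching for gov.bnl.gums.CertificateHostGroup (cn/dn attributes)
and the ordered hostGroup lookup a service DN goes through.

Added example, not GUMS code. It assumes that '*' stands for any run of
characters other than '.', '/' and '=', as the table describes, and that
the cn wildcard is tested against the CN taken from the service
certificate DN.
"""
import re
from typing import List, Optional, Tuple

# '*' matches any run (possibly empty) of characters except '.', '/' and '='.
_STAR = r"[^./=]*"


def compile_wildcard(pattern: str) -> "re.Pattern[str]":
    """Turn a wildcard such as 'host/*.mysite.org' into an anchored regex."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + _STAR.join(literal_parts) + "$")


def wildcard_matches(pattern: str, value: str) -> bool:
    return compile_wildcard(pattern).match(value) is not None


def cn_from_dn(dn: str) -> Optional[str]:
    """Return the CN of a slash-separated DN such as
    '/DC=org/DC=doegrids/OU=Services/CN=gk.bnl.gov'."""
    for rdn in dn.split("/"):
        if rdn.startswith("CN="):
            return rdn[len("CN="):]
    return None


def select_host_group(host_groups: List[Tuple[str, str]],
                      service_dn: str) -> Optional[str]:
    """host_groups: (cn wildcard, groups attribute) pairs in config order.
    The first hostGroup whose cn wildcard matches the service CN wins."""
    cn = cn_from_dn(service_dn)
    if cn is None:
        return None
    for cn_pattern, groups in host_groups:
        if wildcard_matches(cn_pattern, cn):
            return groups
    return None


# Constructed hostGroup list (assumption): a specific entry first, a wider one second.
HOST_GROUPS = [("*.usatlas.bnl.gov", "usatlas"), ("*.bnl.gov", "testers")]

if __name__ == "__main__":
    for dn in ["/DC=org/DC=doegrids/OU=Services/CN=gk.usatlas.bnl.gov",
               "/DC=org/DC=doegrids/OU=Services/CN=gk.bnl.gov",
               "/DC=org/DC=doegrids/OU=Services/CN=gk.fnal.gov"]:
        print(dn, "->", select_host_group(HOST_GROUPS, dn))
```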


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"
        matchFQAN="VO" acceptProxyWithoutFQAN="true" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing ad-hoc list of people

<groupMapping name="testers">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
    <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas" />
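As an added example (not code from the GUMS documentation or project), the matchFQAN rules of the VOMSGroup table applied to the groups/roles policy just shown, with the hostGroup's "first match wins" ordering: a proxy carrying /atlas/Role=production lands in usatlasProd because it is listed first, while /atlas/usatlas falls through to usatlas. The FQAN layout (/vo/group/Role=role), the in-memory member set and the user DN are assumptions.

```python
"""matchFQAN semantics of gov.bnl.gums.VOMSGroup and the hostGroup
"first match wins" rule, modelled on the groups/roles example above.

Added example, not GUMS code. It assumes FQANs have the form
'/vo/group/subgroup/Role=role' as selected by voms-proxy-init, and that
the VOMSGroup's member DNs have already been fetched from the VOMS
server (here a constructed in-memory set).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def split_fqan(fqan: str) -> Tuple[str, Optional[str]]:
    """'/atlas/Role=production' -> ('/atlas', 'production');
    a FQAN without Role= (or with Role=NULL) carries no role."""
    group, _, rest = fqan.partition("/Role=")
    role = rest.split("/")[0] if rest else None
    return group, (None if role in ("", "NULL") else role)


@dataclass
class VOMSGroup:
    vo_group: str                       # voGroup, e.g. '/atlas/usatlas'
    vo_role: Optional[str] = None       # voRole, e.g. 'production'
    match_fqan: str = "exact"           # exact | group | vo | ignore
    accept_without_fqan: bool = False   # acceptProxyWithoutFQAN
    members: Set[str] = field(default_factory=set)  # DNs retrieved from VOMS

    def fqan_matches(self, fqan: Optional[str]) -> bool:
        """Apply the matchFQAN rule from the VOMSGroup attribute table."""
        if fqan is None:                 # plain, non-VOMS proxy
            return self.accept_without_fqan
        group, role = split_fqan(fqan)
        mode = self.match_fqan.lower()
        if mode == "ignore":
            return True
        if mode == "vo":                 # same VO: first path component equal
            return group.split("/")[1] == self.vo_group.split("/")[1]
        if mode == "group":              # same group or any subgroup, role ignored
            return group == self.vo_group or group.startswith(self.vo_group + "/")
        # exact (default): group and role must both equal the configuration
        return group == self.vo_group and role == self.vo_role

    def contains(self, dn: str, fqan: Optional[str]) -> bool:
        return dn in self.members and self.fqan_matches(fqan)


# A groupMapping: (name, userGroup, account handed out by GroupAccountMapper)
GroupMapping = Tuple[str, VOMSGroup, str]


def map_user(group_mappings: List[GroupMapping], host_group_order: List[str],
             dn: str, fqan: Optional[str]) -> Optional[str]:
    """Walk the hostGroup's groups list in order; the first groupMapping
    whose userGroup contains (dn, fqan) decides the account."""
    by_name = {name: (ug, account) for name, ug, account in group_mappings}
    for name in host_group_order:
        ug, account = by_name[name]
        if ug.contains(dn, fqan):
            return account
    return None


# Constructed user DN (assumption, not a real person).
USER_DN = "/DC=org/DC=doegrids/OU=People/CN=Constructed User 12345"


def example_policy() -> Tuple[List[GroupMapping], List[str]]:
    """The 'Mapping based on groups/roles' policy: usatlasProd
    (voGroup=/atlas, voRole=production -> usatprod) is listed before
    usatlas (voGroup=/atlas/usatlas -> usatlas1) in the hostGroup."""
    usatlas = VOMSGroup("/atlas/usatlas", members={USER_DN})
    usatlas_prod = VOMSGroup("/atlas", vo_role="production", members={USER_DN})
    mappings = [("usatlas", usatlas, "usatlas1"),
                ("usatlasProd", usatlas_prod, "usatprod")]
    return mappings, ["usatlasProd", "usatlas"]


if __name__ == "__main__":
    mappings, order = example_policy()
    for fqan in ["/atlas/Role=production", "/atlas/usatlas",
                 "/atlas/usatlas/Role=production", None]:
        print(fqan, "->", map_user(mappings, order, USER_DN, fqan))
```

Note that with the default exact mode a proxy carrying /atlas/usatlas/Role=production matches neither groupMapping, so the user gets no account; the first example above relaxes this with matchFQAN="VO".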


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@testgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile - Generate grid-mapfile for a given service/host
  manualGroup-add - Includes a DN in a group
  manualGroup-remove - Removes a DN from a group
  manualMapping-add - Adds a DN-to-username in a mapping
  manualMapping-remove - Removes a DN from a mapping
  mapUser - Local credential used for a particular user
  mapfileCache-refresh - Regerates mapfiles in the cache
  pool-addRange - Adds accounts to an account pool
  updateGroups - Contact VO servers and retrieve user lists
  version - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
  -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
  -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b,--bypassCallout    connects directly to GUMS instead of using the callout
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n,--ntimes <arg>     number of times the request will be repeated
     --help             print this message

Service mapping generation commands

gums mapUser

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings managements commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
        persistenceFactory="mysql" name="myvo" voGroup="/myvo"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add


[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile - Generate grid-mapfile for this host
  mapUser - Local credential used for a particular user
  version - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]$ gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
  -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
  -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b,--bypassCallout    connects directly to GUMS instead of using the callout
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n,--ntimes <arg>     number of times the request will be repeated
     --help             print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]$ gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]$ gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile


[root@mygk bin]$ gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]$ gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error.
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version        Date                Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml). (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while). (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP. (carcassi)
- One can filter on the full CN of a host certificate. (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines. (carcassi)
- Release version in command line. (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed. (carcassi)
- Minor updates to the web interface. (carcassi)
- VOMS Admin v1.0.x (glite) compatibility. (carcassi)
- Support for mapfile cache terminated: web service door only. (carcassi)
- FQAN allows for "-", "_" and "." in the vo, group, role and capability. (carcassi)
- DB reviewed: better indexing and transaction use. (carcassi)
- Updating from VOMS is no longer blocking. (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
- Including setupDatabase with the modification made for VDT. (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package). (carcassi)
- Error code from scripts was incorrect: that caused cron job to update maps in case of error too. (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
- Repackaging of the client components: merged admin and host and named it client. (carcassi)
- Fixed minor issues with authorization obligations for storage system. (mlorch)
- Double add to a manual group now fails. (carcassi)
- Script that creates the database and changes the configuration accordingly. (carcassi)
- Repackaging of the service component. (carcassi)
- Server identity is now gums host name. (carcassi)
- GUMS accepts new style proxies. (carcassi)
- The accounts in the pool are used in alphabetical order. (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations. (carcassi)
- Gridmapfile is generated simulating users with no FQAN. (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned. (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
- Log names reviewed so that both client and server can stay (through links) in the same directory. (carcassi)
- NIS update is done every hour and is now thread safe. (carcassi)
- Log file permissions for the command line tools are set so multiple users can use it (important for admin). (carcassi)
- GUMS host can now be used for stress testing and timing the server response. (carcassi)
- Added connection pooling on mysql server. (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances. (carcassi)
- AuthZ callout without GT3: both client and server stubs. (mlorch)
- Added code for Privilege Project in GUMS repository and build process. (carcassi)


Release 0.7 - 2005-01-14

Changes (by):
- Better logging: server logs all commands with both input and output. (carcassi)
- More complete command line interface. (carcassi)
- Web service implementation. (carcassi)
- HostWildcards can be more than one, comma separated. (carcassi)
- Support for VOMS Fully Qualified Attribute names. (carcassi)
- AuthZ service to be contacted by Globus callout. (carcassi)
- Support for grid3-user-vo-map.txt generation. (carcassi)
- Many many other refinements. (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
- Nightly build and reporting with Maven. (carcassi)
- Removed all the old code from 0.6. (carcassi)
- Better log system: logs for developer, resource admin and site admin in place. (carcassi)
- Ability to retrieve groups from within a VOMS server (finally). (carcassi)
- No more duplication in the mapfiles. (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated. (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others). (carcassi)
- Installation through RPMs (cron jobs installed automatically). (carcassi)
- Unit tests to Grid3 VOs included. (carcassi)
- LDAP access improved: can access LCG dev VO. (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
- XML configuration file for mapping policy. (carcassi)
- Log infrastructure. (carcassi)
- More flexible architecture. (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper. (carcassi)
- Web interface to generate grid-mapfiles and map users. (carcassi)
- Better command line interfaces (feel like Unix commands). (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
- GUMS in production at BNL. (carcassi)
- NISMapper: retrieves the GECOS field and matches with certificate CN. (carcassi)
- Architecture to allow different types of mappings for different hosts. (carcassi)

Release undetermined - before March 2004

Changes (by):
- Script to fetch user from VOMS. (dtyu)
- Script to map user to local account. (tomw)


1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and need the command line.

The pieces


Root vs non-root

Firewall and security considerations

Prepare the database

[root@www gums-service]# cat var/sql/setupDatabase.mysql
CREATE DATABASE GUMS_1_1;
GRANT ALL ON GUMS_1_1.* TO 'USER'@'SERVER' IDENTIFIED BY 'PASSWORD';
USE GUMS_1_1;
CREATE TABLE `USER` (
    `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
    `GROUP_NAME` VARCHAR(255) NOT NULL,
    `DN` varchar(255) NOT NULL,
    `FQAN` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));
CREATE TABLE `MAPPING` (
    `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
    `MAP` VARCHAR(255) NOT NULL,
    `DN` varchar(255) default NULL,
    `ACCOUNT` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

[root@www sbin]# cat var/sql/addAdmin.mysql
USE GUMS_1_1;
INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service


<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/tomcat/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />


Installing the client tools


1.2 Installation


1.2.1 HOW TO: VDT installation

HOW TO: GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


1.2.2 HOW TO: Manual installation

HOW TO: GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[rootgums root] cd opt


[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Examples:
setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password "secret" authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost
Usage: addAdmin [DN for administrator]

Example:
addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd /opt
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums

<env-entry>
    <env-entry-name>updateGroupsMinutes</env-entry-name>
    <env-entry-type>java.lang.Integer</env-entry-type>
    <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch/rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
  generateGridMapfile    - Generate grid-mapfile for a given host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  updateGroups           - Contact VO servers and retrieve user lists
For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory ... />
  </persistenceFactories>
  <adminUserGroup ... />
  <groupMappings>
    <groupMapping ...>
      <userGroup ... />
      <accountMapping ... />
    </groupMapping>
    <groupMapping ...>
      <userGroup ... />
      <compositeAccountMapping>
        <accountMapping ... />
        <accountMapping ... />
        <accountMapping ... />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup ... />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" ... />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" ... />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" ... />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" ... />
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov"
    groups="atlasProd,usatlasPool,ivdglPool" />

in the order specified

The first match will define the map.


<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="atlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/gumscert.pem"
      sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="osgusatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/gumscert.pem"
      sslKey="/etc/grid-security/gumskey.pem"
      acceptProxiesWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper"
        persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper"
        groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>


in the order listed

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

Attribute | Description | Examples
name | The name that will be used by the other components to refer to this persistenceFactory. | mysql, files, ldap
className | The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory. | gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name="mysql"
    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
    hibernate.connection.username="gums"
    hibernate.connection.password="mysecret"
    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
    hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

Attribute | Description | Examples
name | The name that will be used by the other components to refer to this groupMapping. | atlas, star, phenix
accountingVo | The lower case OSG accounting name that will be used to generate the inverse maps for this group. | atlas, ivdgl
accountingDesc | The upper case OSG accounting name that will be used to generate the inverse maps for this group. | atlas, iVDgL

userGroup

Attribute | Description | Examples
className | The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup. | gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup


Attribute | Description | Examples
server | The LDAP server from which to retrieve the information. | grid-vo.nikhef.nl
query | The query to be used on the server. | ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself. | atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
    server="grid-vo.nikhef.nl"
    query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
    persistenceFactory="mysql" name="atlas" />

govbnlgumsVOMSGroup

Attribute | Description | Examples
url | The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo. | https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin
voGroup | The group defined within the VO. | /atlas, /atlas/test, /atlas/group/subgroup
voRole | The role defined within the VO. | production, myrole


Attribute | Description | Examples
matchFQAN | Defines how the VOMS attribute (or role) is matched. There are 4 possible ways: exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify; group - the FQAN in the proxy has to be the same group or any subgroup, role is ignored; vo - the FQAN in the proxy has to be of the same vo; ignore - the FQAN in the proxy is completely ignored. | exact, group, vo, ignore
acceptProxyWithoutFQAN | Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted. | true, false
sslCertfile | The certificate to be used to connect to VOMS. | /etc/grid-security/hostcert.pem
sslKey | The private key to be used to connect to VOMS. | /etc/grid-security/hostkey.pem
sslKeyPasswd | The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates). | mysecret
sslCAFiles | The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files. | /etc/grid-security/certificates/*.0
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself. | atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />

govbnlgumsManualGroup

Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself. | test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


Attribute | Description | Examples
className | The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping. | gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attribute | Description | Examples
jndiNisUrl | The url, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain. | nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attribute | Description | Examples
jndiLdapUrl | The url, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain. | ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

govbnlgumsAccountPoolMapper


Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself. | mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attribute | Description | Examples
groupName | The name of the account. | atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


Attribute | Description | Examples
className | The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup. | gov.bnl.gums.CertificateHostGroup
groups | A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used. | group1,group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute | Description | Examples
wildcard | The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except ".". That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov. | myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov"
    groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

govbnlgumsCertificateHostGroup


Attribute | Description | Examples
cn | The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except ".", "/" or "=". That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov. | myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org
dn | The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except ".", "/" or "=". | /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"
    groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"
      matchFQAN="VO" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing an ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas" />
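How the pieces above fit together at request time, as an added Python model that is not GUMS code: the hostGroup is picked by its cn wildcard, its groups are tried in the order listed, the first groupMapping whose userGroup holds the DN and whose matchFQAN rule accepts the proxy's FQAN defines the map, and a compositeAccountMapping tries its mappers in order. The gums.config fragment, the DNs, the VOMS member lists, the manual map and the pool contents are all constructed for this illustration, and keeping VOMS membership as a plain DN set per userGroup is a simplification of what GUMS caches.

```python
import re
import xml.etree.ElementTree as ET
# Constructed subset of a gums.config in the page's format (not a real site's file).
GUMS_CONFIG = """<gums>
  <groupMappings>
    <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlasProd" voGroup="/atlas" voRole="production"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
    </groupMapping>
    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlas" voGroup="/atlas/usatlas"
                 matchFQAN="group" acceptProxyWithoutFQAN="true"/>
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" name="bnlMap"/>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" name="bnlPool"/>
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas"/>
  </hostGroups>
</gums>"""

# Constructed stand-ins for the persistence layer (all DNs and accounts are made up).
PROD_DN = "/DC=org/DC=doegrids/OU=People/CN=Prod User 111"
PLAIN_DN = "/DC=org/DC=doegrids/OU=People/CN=Plain User 222"
MAPPED_DN = "/DC=org/DC=doegrids/OU=People/CN=Mapped User 333"
VOMS_MEMBERS = {"usatlasProd": {PROD_DN}, "usatlas": {PROD_DN, PLAIN_DN, MAPPED_DN}}  # cached from VOMS
MANUAL_MAP = {"bnlMap": {MAPPED_DN: "carcassi"}}
POOL_ACCOUNTS = {"bnlPool": ["grid0001", "grid0000"]}
POOL_ASSIGNED = {}  # pool name -> {dn: account}; a DN keeps its account once assigned

def cn_matches(pattern, cn):
    """cn wildcard: '*' is any run of characters except '.', '/' and '='."""
    regex = "".join("[^./=]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, cn) is not None

def parse_fqan(fqan):
    """Split '/atlas/usatlas/Role=production/Capability=NULL' into (group, role)."""
    group, role = [], None
    for part in filter(None, fqan.split("/")):
        if part.startswith("Role="):
            role = None if part[5:] == "NULL" else part[5:]
        elif not part.startswith("Capability="):
            group.append(part)
    return "/" + "/".join(group), role

def fqan_matches(user_group, fqan):
    """Apply the matchFQAN rule (exact, group, vo, ignore) of a VOMSGroup element."""
    mode = user_group.get("matchFQAN", "exact").lower()
    if mode == "ignore":
        return True
    if fqan is None:  # plain, non-VOMS proxy
        return user_group.get("acceptProxyWithoutFQAN", "false").lower() == "true"
    group, role = parse_fqan(fqan)
    want_group, want_role = user_group.get("voGroup"), user_group.get("voRole")
    if mode == "exact":
        return group == want_group and role == want_role
    if mode == "group":  # same group or any subgroup, role ignored
        return group == want_group or group.startswith(want_group + "/")
    if mode == "vo":  # same VO, i.e. same first path component
        return group.split("/")[1] == want_group.split("/")[1]
    raise ValueError("unknown matchFQAN value: " + mode)

def map_account(mapper, dn):
    """Resolve one accountMapping element to a local account, or None."""
    cls = mapper.get("className").rsplit(".", 1)[-1]
    if cls == "GroupAccountMapper":
        return mapper.get("groupName")
    if cls == "ManualAccountMapper":
        return MANUAL_MAP.get(mapper.get("name"), {}).get(dn)
    if cls == "AccountPoolMapper":
        assigned = POOL_ASSIGNED.setdefault(mapper.get("name"), {})
        if dn not in assigned:  # free accounts are handed out in alphabetical order
            free = sorted(set(POOL_ACCOUNTS[mapper.get("name")]) - set(assigned.values()))
            if not free:
                return None  # pool exhausted: no mapping rather than a shared account
            assigned[dn] = free[0]
        return assigned[dn]
    raise ValueError("unsupported mapper: " + cls)

def map_user(config, service_cn, dn, fqan=None):
    """Return the local account GUMS would answer for (service, DN, FQAN), or None."""
    root = ET.fromstring(config)
    mappings = {g.get("name"): g for g in root.iter("groupMapping")}
    for host in root.iter("hostGroup"):
        if not cn_matches(host.get("cn"), service_cn):
            continue
        for name in host.get("groups").split(","):  # tried in the order listed
            mapping = mappings[name.strip()]
            user_group = mapping.find("userGroup")
            if dn not in VOMS_MEMBERS.get(user_group.get("name"), set()):
                continue
            if not fqan_matches(user_group, fqan):
                continue
            # first matching group defines the map; in a composite the first
            # mapper that yields an account wins
            accounts = (map_account(m, dn) for m in mapping.iter("accountMapping"))
            return next((a for a in accounts if a), None)
        return None  # the first matching hostGroup decides
    return None
```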

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version
For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
 -s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN.
 -f,--fqan <arg>        Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default.
 -t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
 -b,--bypassCallout     connects directly to GUMS instead of using the callout.
 -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>      number of times the request will be repeated.
    --help              print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line
# #line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
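The grid-mapfile and the grid3-user-vo-map.txt generated above are meant to agree with each other; this added Python example (not GUMS code) parses both formats as shown on the page and reports local accounts that are mapped from a DN but not accounted to any VO, or VO header lines that are out of step. The sample contents are constructed, with made-up DNs.

```python
import re

# Constructed in the format of the page's generateGridMapfile output (made-up DNs).
GRID_MAPFILE = '''#---- members of vo: usatlas ----#
"/DC=org/DC=doegrids/OU=People/CN=Example User 1" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Example User 2" usatlas1
#---- members of vo: ivdgl ----#
"/DC=org/DC=doegrids/OU=People/CN=Example User 3" ivdgl
'''

# Constructed in the format of the page's generateGrid3UserVoMap output.
USER_VO_MAP = '''#User-VO map
# #comment line, format of each regular line
# #line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
'''

MAPFILE_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<account>\S+)\s*$')

def parse_grid_mapfile(text):
    """Return {dn: account}; a malformed entry is an error, not something to skip."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = MAPFILE_LINE.match(line)
        if not m:
            raise ValueError(f"grid-mapfile line {n}: malformed entry {line!r}")
        entries[m.group("dn")] = m.group("account")
    return entries

def parse_user_vo_map(text):
    """Return (voi, VOc, {account: vo}) from grid3-user-vo-map.txt."""
    voi, voc, accounts = [], [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#voi "):
            voi = line.split()[1:]
        elif line.startswith("#VOc "):
            voc = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            fields = line.split()
            if len(fields) != 2:
                raise ValueError(f"user-vo map line {n}: expected 'account VO'")
            account, vo = fields
            if accounts.get(account, vo) != vo:
                raise ValueError(f"user-vo map line {n}: {account} listed under two VOs")
            accounts[account] = vo
    return voi, voc, accounts

def check_consistency(mapfile_text, user_vo_text):
    """Cross-check the two files; return the list of problems (empty when consistent)."""
    problems = []
    dn_to_account = parse_grid_mapfile(mapfile_text)
    voi, voc, account_to_vo = parse_user_vo_map(user_vo_text)
    if len(voi) != len(voc):
        problems.append("#voi and #VOc list a different number of VOs")
    if any(vo != vo.lower() for vo in voi):
        problems.append("#voi must be all lowercase")
    for account, vo in account_to_vo.items():
        if vo not in voi:
            problems.append(f"account {account} maps to VO {vo} not listed in #voi")
    for dn, account in dn_to_account.items():  # every mapped account must be accounted to a VO
        if account not in account_to_vo:
            problems.append(f"{account} (mapped from {dn}) has no VO in user-vo map")
    return problems
```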

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
      persistenceFactory="mysql" name="myvo" voGroup="/myvo"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version
For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
 -s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN.
 -f,--fqan <arg>        Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default.
 -t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
 -b,--bypassCallout     connects directly to GUMS instead of using the callout.
 -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>      number of times the request will be repeated.
    --help              print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line
# #line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version | Date | Description
1.1.0 | 2005-07-20 |
1.0.1 | 2005-04-07 |
1.0.0 | 2005-03-16 |
0.7.1 | 2005-02-01 |
0.7 | 2005-01-14 |
0.6.1 | 2004-08-10 |
0.6 | 2004-07-01 |
0.5 | 2004-05-20 |
undetermined | before March 2004 |

Release 1.1.0 - 2005-07-20

Type | Changes | By
 | Review GUMS maven structure (i.e. plug-in dependencies, project.xml) | carcassi
 | Fix tomcat deployment in build (i.e. dev server being down once in a while) | carcassi
 | Mapping according to Gecos field available in both NIS and LDAP | carcassi
 | One can filter on the full CN of a host certificate | carcassi
 | The Service Certificate DN is now the identifier for hosts and machines | carcassi
 | Release version in command line | carcassi


Type | Changes | By
 | If gums.config isn't found the first time, a tomcat restart was needed | carcassi
 | Minor updates to the web interface | carcassi
 | VOMS Admin v1.0.x (glite) compatibility | carcassi
 | Support for mapfile cache terminated: web service door only | carcassi
 | FQAN allows for -, _ and . in the vo, group/role and capability | carcassi
 | DB reviewed: better indexing and transaction use | carcassi
 | Updating from VOMS is no longer blocking | carcassi

Release 1.0.1 - 2005-04-07

Changes | By
Including setupDatabase with the modifications made for VDT | carcassi
gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) | carcassi
Error code from scripts was incorrect, which caused the cron job to update maps in case of error too | carcassi

Release 1.0.0 - 2005-03-16

Changes | By
Repackaging of the client components: merged admin and host and named it client | carcassi
Fixed minor issues with authorization obligations for storage system | mlorch
Double add to a manual group now fails | carcassi


Script that creates the database and changes the configuration accordingly | carcassi
Repackaging of the service component | carcassi
Server identity is now gums host name | carcassi
GUMS accepts new style proxies | carcassi
The accounts in the pool are used in alphabetical order | carcassi
Inverse map is now generated exploring all the DN/FQAN combinations | carcassi
Gridmapfile is generated simulating users with no FQAN | carcassi
LDAP integration for primary gid change at BNL once an account is assigned | carcassi

Release 0.7.1 - 2005-02-01

Changes | By
Log names reviewed so that both client and server can stay (through links) in the same directory | carcassi
NIS update is done every hour and is now thread safe | carcassi
Log file permissions for the command line tools are set so multiple users can use it (important for admin) | carcassi
GUMS host can now be used for stress testing and timing the server response | carcassi
Added connection pooling on mysql server | carcassi
Solved a race condition that would make GUMS hang in some circumstances | carcassi
AuthZ callout without GT3: both client and server stubs | mlorch
Added code for Privilege Project in GUMS repository and build process | carcassi


Release 0.7 - 2005-01-14

Changes | By
Better logging: server logs all commands with both input and output | carcassi
More complete command line interface | carcassi
Web service implementation | carcassi
HostWildcards can be more than one, comma separated | carcassi
Support for VOMS Fully Qualified Attribute names | carcassi
AuthZ service to be contacted by Globus callout | carcassi
Support for grid3-user-vo-map.txt generation | carcassi
Many, many other refinements | carcassi

Release 0.6.1 - 2004-08-10

Changes | By
Nightly build and reporting with Maven | carcassi
Removed all the old code from 0.6 | carcassi
Better log system: logs for developer, resource admin and site admin in place | carcassi
Ability to retrieve groups from within a VOMS server (finally) | carcassi
No more duplication in the mapfiles | carcassi
Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated | carcassi
Improved error handling (i.e. a failed update on one group doesn't block the others) | carcassi


Installation through RPMs (cron jobs installed automatically) | carcassi
Unit tests to Grid3 VOs included | carcassi
LDAP access improved: can access LCG dev VO | carcassi

Release 0.6 - 2004-07-01

Changes | By
XML configuration file for mapping policy | carcassi
Log infrastructure | carcassi
More flexible architecture | carcassi
Decoupled grid-mapfile generation from database caching for distribution on gatekeeper | carcassi
Web interface to generate grid-mapfiles and map users | carcassi
Better command line interfaces (feel like Unix commands) | carcassi

Release 0.5 - 2004-05-20

Changes | By
GUMS in production at BNL | carcassi
NISMapper retrieves the GECOS field and matches with certificate CN | carcassi
Architecture to allow different types of mappings for different hosts | carcassi

Release undetermined - before March 2004


Changes | By
Script to fetch user from VOMS | dtyu
Script to map user to local account | tomw


1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and need only the command lines.

The pieces


Root vs non-root

Firewall and security considerations

Prepare the database

[root@www gums-service]# cat var/sql/setupDatabase.mysql
CREATE DATABASE GUMS_1_1;
GRANT ALL ON GUMS_1_1.* TO 'USER'@'SERVER' IDENTIFIED BY 'PASSWORD';
USE GUMS_1_1;
CREATE TABLE `USER` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `GROUP_NAME` VARCHAR(255) NOT NULL,
  `DN` varchar(255) NOT NULL,
  `FQAN` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));
CREATE TABLE `MAPPING` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `MAP` VARCHAR(255) NOT NULL,
  `DN` varchar(255) default NULL,
  `ACCOUNT` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

[root@www sbin]# cat ../var/sql/addAdmin.mysql
USE GUMS_1_1;
INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service


<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/tomcat/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />


Installing the client tools


1.2 Installation


1.2.1 HOW TO: VDT installation

HOW TO: GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


1.2.2 HOW TO: Manual installation

HOW TO: GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Examples: setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password secret, authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost.
Usage: addAdmin [DN for administrator]

Example: addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd ../..
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums


<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch/rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
generateGridMapfile - Generate grid-mapfile for a given host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
updateGroups - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory ... />
  </persistenceFactories>
  <adminUserGroup ... />
  <groupMappings>
    <groupMapping>
      <userGroup ... />
      <accountMapping ... />
    </groupMapping>
    <groupMapping>
      <userGroup ... />
      <compositeAccountMapping>
        <accountMapping ... />
        <accountMapping ... />
        <accountMapping ... />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup ... />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" ... />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" ... />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" ... />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" ... />
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd, usatlasPool, ivdglPool" />

in the order specified

The first match will define the map.


<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="atlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/gumscert.pem"
      sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="osgusatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/gumscert.pem"
      sslKey="/etc/grid-security/gumskey.pem"
      acceptProxiesWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>


in the order listed

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

Attribute | Description | Examples
name | The name that will be used by the other components to refer to this persistenceFactory | mysql, files, ldap
className | The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory | gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name="mysql"
    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
    hibernate.connection.username="gums"
    hibernate.connection.password="mysecret"
    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
    hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

Attribute | Description | Examples
name | The name that will be used by the other components (the hostGroups) to refer to this groupMapping | atlas, star, phenix
accountingVo | The lower case OSG accounting name that will be used to generate the inverse maps for this group | atlas, ivdgl
accountingDesc | The upper case OSG accounting name that will be used to generate the inverse maps for this group | atlas, iVDgL

userGroup

Attribute | Description | Examples
className | The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup | gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup


Attribute | Description | Examples
server | The LDAP server from which to retrieve the information | grid-vo.nikhef.nl
query | The query to be used on the server | ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself | atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
    server="grid-vo.nikhef.nl"
    query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
    persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

Attribute | Description | Examples
url | The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or VO | https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin
voGroup | The group defined within the VO | /atlas/test, /atlas/group/subgroup
voRole | The role defined within the VO | production, myrole


Attribute | Description | Examples
matchFQAN | Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
• exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify
• group - the FQAN in the proxy has to be the same group or any subgroup; role is ignored
• vo - the FQAN in the proxy has to be of the same VO
• ignore - the FQAN in the proxy is completely ignored
| exact, group, vo, ignore
acceptProxyWithoutFQAN | Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted | true, false
sslCertfile | The certificate to be used to connect to VOMS | /etc/grid-security/hostcert.pem
sslKey | The private key to be used to connect to VOMS | /etc/grid-security/hostkey.pem
sslKeyPasswd | The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates) | mysecret
sslCAFiles | The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files | /etc/grid-security/certificates/*.0
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself | atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlas"
    voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualGroup

Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself | test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


Attribute | Description | Examples
className | The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping | gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attribute | Description | Examples
jndiNisUrl | The url as defined in the Java JNDI driver that allows to specify the NIS server and the domain | nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attribute | Description | Examples
jndiLdapUrl | The url as defined in the Java JNDI driver that allows to specify the LDAP server and the domain | ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

govbnlgumsAccountPoolMapper


Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself | mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attribute | Description | Examples
groupName | The name of the account | atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


Attribute | Description | Examples
className | The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup | gov.bnl.gums.CertificateHostGroup
groups | A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used | group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute | Description | Examples
wildcard | The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov | myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

govbnlgumsCertificateHostGroup


Attribute | Description | Examples
cn | The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov | myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org
dn | The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '/' or '=' | /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem"
      matchFQAN="VO" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groupsroles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />
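The matching rules that the configuration reference and these examples rely on (the hostGroup cn wildcard, hostGroups and groupMappings tried in the order listed, the four matchFQAN modes, acceptProxyWithoutFQAN, and the group, manual, pool and composite account mappers), modelled in Python as an added example. This is not GUMS code: the VO membership lists and DNs are constructed, and the rule that a compositeAccountMapping takes the first mapper that returns an account is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

def cn_matches(pattern, cn):
    """hostGroup cn wildcard: '*' is any run of characters except '.', '/' or '=',
    so '*.bnl.gov' matches neither 'myhost.usatlas.bnl.gov' nor 'host/test.bnl.gov'."""
    regex = "".join("[^./=]*" if c == "*" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, cn) is not None

def split_fqan(fqan):
    """'/atlas/Role=production/Capability=NULL' -> ('/atlas', 'production');
    Role=NULL (the long form voms-proxy-init prints) counts as no role."""
    group, _, rest = fqan.partition("/Role=")
    role = rest.split("/Capability=")[0] if rest else ""
    return group, (None if role in ("", "NULL") else role)

def fqan_matches(mode, vo_group, vo_role, fqan):
    """The four matchFQAN modes of gov.bnl.gums.VOMSGroup."""
    group, role = split_fqan(fqan)
    if mode == "ignore":                 # FQAN completely ignored
        return True
    if mode == "vo":                     # same VO: same first path component
        return group.split("/")[1] == vo_group.split("/")[1]
    if mode == "group":                  # same group or any subgroup, role ignored
        return group == vo_group or group.startswith(vo_group + "/")
    if mode == "exact":                  # group and role exactly as configured
        return group == vo_group and role == vo_role
    raise ValueError("unknown matchFQAN value: " + mode)

@dataclass
class VOMSGroup:
    members: frozenset                   # DNs cached locally by updateGroups
    vo_group: str
    vo_role: Optional[str] = None
    match_fqan: str = "exact"
    accept_proxy_without_fqan: bool = False

    def contains(self, dn, fqan):
        if dn not in self.members:
            return False
        if fqan is None:                 # plain, non-VOMS proxy
            return self.accept_proxy_without_fqan
        return fqan_matches(self.match_fqan, self.vo_group, self.vo_role, fqan)

@dataclass
class AccountPoolMapper:
    """Hands out pool accounts (pool-addRange) in alphabetical order, one per DN."""
    pool: list
    assigned: dict = field(default_factory=dict)

    def map(self, dn):
        if dn not in self.assigned:
            free = sorted(set(self.pool) - set(self.assigned.values()))
            if not free:
                return None              # pool exhausted: this DN gets no account
            self.assigned[dn] = free[0]
        return self.assigned[dn]

def group_account(name):                 # GroupAccountMapper: one shared account
    return lambda dn: name

def manual_account(table):               # ManualAccountMapper: DN -> account table
    return table.get

def composite(*mappers):                 # compositeAccountMapping: first answer wins (assumption)
    return lambda dn: next((a for a in (m(dn) for m in mappers) if a is not None), None)

def map_user(host_groups, group_mappings, service_cn, user_dn, fqan=None):
    """gums mapUser. host_groups: list of (cn wildcard, [groupMapping names]);
    group_mappings: name -> (VOMSGroup, account mapper). The first hostGroup whose cn
    matches decides; its groupMappings are tried in order and the first userGroup
    admitting the (DN, FQAN) pair picks the account."""
    for cn, names in host_groups:
        if cn_matches(cn, service_cn):
            for name in names:
                user_group, mapper = group_mappings[name]
                if user_group.contains(user_dn, fqan):
                    return name, mapper(user_dn)
            return None                  # service known, but user in none of its groups
    return None                          # service CN matches no hostGroup

ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 11111"   # constructed DNs
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 22222"
CAROL = "/DC=org/DC=doegrids/OU=People/CN=Carol Example 33333"

def sample_config():
    """The 'Mapping based on groups/roles' example above, with the usatlas group given
    a composite (manual map, then pool) mapping; VOMS membership is constructed inline."""
    group_mappings = {
        "usatlasProd": (VOMSGroup(frozenset({ALICE, BOB}), "/atlas", vo_role="production"),
                        group_account("usatprod")),
        "usatlas": (VOMSGroup(frozenset({ALICE, BOB, CAROL}), "/atlas/usatlas",
                              accept_proxy_without_fqan=True),
                    composite(manual_account({CAROL: "carol"}),
                              AccountPoolMapper(["grid0001", "grid0000"]).map)),
    }
    return [("*.mysite.com", ["usatlasProd", "usatlas"])], group_mappings
```

Because usatlasProd is listed first, a production proxy lands on usatprod while the same DN with a plain /atlas/usatlas FQAN falls through to the pool; a proxy carrying only /atlas matches neither group under exact matching.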


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
generateGridMapfile - Generate grid-mapfile for a given service/host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
pool-addRange - Adds accounts to an account pool
updateGroups - Contact VO servers and retrieve user lists
version - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
 -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
 -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default
 -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
 -b,--bypassCallout    connects directly to GUMS instead of using the callout
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>     number of times the request will be repeated
    --help             print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassiatestgk01 ~]$ optgumsbingums generateGrid3UserVoMapDC=orgDC=doegridsOU=ServicesCN=testmysitecomUser-VO map comment line format of each regular line line account VO Next 2 lines with VO names same order all lowercase with case (lines startingwith voi VOc)voi usatlas ivdgl ligo btev uscms sdss gridex graseVOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE---- accounts for vo usatlas ----usatlas1 usatlas---- accounts for vo ivdgl ----ivdgl ivdgl

Manual groups and mappings management commands

The examples below refer to this configuration: example1 uses a manually maintained group (group1, edited with manualGroup-add/remove) mapped to a fixed account, while example2 takes its members from VOMS and resolves accounts through a manually maintained mapping (map1, edited with manualMapping-add/remove).

    <groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
    </groupMapping>

    <groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.mysite.com:8443/edg-voms-admin/myvo/services/VOMSAdmin"
                 persistenceFactory="mysql" name="myvo" voGroup="/myvo"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
    </groupMapping>

gums manualGroup-add

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'

gums manualGroup-remove

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'

gums manualMapping-add

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345' carcassi

gums manualMapping-remove

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'

The first argument of these commands (mysql) is the persistenceFactory name from gums.config; the second is the name of the group or mapping stored in that factory.

Other commands

gums updateGroups

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1 3 2 1 B I N G U M S 48

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

    [root@mygk bin]# gums-host
    usage: gums-host command [command-options]
    Commands:
      generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
      generateGridMapfile    - Generate grid-mapfile for this host
      mapUser                - Local credential used for a particular user
      version                - Retrieve GUMS client version

    For help on any command: gums-host command --help

    [root@mygk bin]# gums-host mapUser --help
    usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
    Maps the grid identity to the local user.
    Options:
      -s, --service <arg>    DN of the service. When using gums-host it defaults
                             to the host credential DN.
      -f, --fqan <arg>       Fully Qualified Attribute Name, as it would be
                             selected using voms-proxy-init (no extended
                             information by default).
      -t, --timing <arg>     enables timing, grouping the requests. For example,
                             -t 100 will give you timing information on 100
                             requests at a time.
      -b, --bypassCallout    connects directly to GUMS instead of using the
                             callout.
      -i, --issuer <arg>     Fully Qualified Attribute Name Issuer, that is the
                             DN of the VOMS service that issued the attribute
                             certificate.
      -n, --ntimes <arg>     number of times the request will be repeated.
          --help             print this message.

Service mapping generation commands

gums-host mapUser

    [root@mygk bin]# gums-host mapUser -s '/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com' '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'
    LocalId[userName grid12345]

    [root@mygk bin]# gums-host mapUser -s '/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com' -f /myvo/Role=role1 -i '/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com' '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'
    LocalId[userName special1]

gums-host generateGridMapfile

    [root@mygk bin]# gums-host generateGridMapfile
    #---- members of vo: usatlas ----#
    "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

    [root@mygk bin]# gums-host generateGrid3UserVoMap
    #User-VO map
    # #comment line, format of each regular line, line: account VO
    # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
    #voi usatlas ivdgl ligo btev uscms sdss gridex grase
    #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
    #---- accounts for vo: usatlas ----#
    usatlas1 usatlas
    #---- accounts for vo: ivdgl ----#
    ivdgl ivdgl

With gums-host the service DN is taken from the host certificate, so the output is the map this particular gatekeeper will get; the same commands under bin/gums let an administrator ask for any host's map from elsewhere.
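As an added example (not part of the original documentation and not code from the GUMS project), the following Python script parses the two files these commands generate, grid-mapfile ("DN" account lines) and grid3-user-vo-map.txt (account VO lines plus the #voi/#VOc header lines), and cross-checks them the way a site administrator would before installing them on a gatekeeper: every account in the grid-mapfile must have a VO in the user-VO map, that VO must be listed in #voi, and no DN may be mapped to two different accounts. This serves both the bin/gums and the bin/gums-host outputs above. The sample file contents are constructed for the example and only modelled on those outputs; they are not real site data.

```python
import re

# Constructed sample inputs (not real site data), modelled on the command outputs above.
SAMPLE_GRIDMAPFILE = """\
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Some Admin 1" ivdgl
"/DC=org/DC=doegrids/OU=People/CN=Unmapped Person 2" orphan1
"""

SAMPLE_USER_VO_MAP = """\
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo
#VOc ATLAS iVDgL LIGO
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
"""

# A grid-mapfile entry is a double-quoted DN (which may contain spaces) followed by an account.
_MAPLINE = re.compile(r'^"(/[^"]+)"\s+(\S+)\s*$')


def parse_gridmapfile(text):
    """Return [(dn, account), ...]; lines starting with '#' are comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _MAPLINE.match(line)
        if m is None:
            raise ValueError(f"grid-mapfile line {lineno} is not '\"/DN\" account': {line!r}")
        entries.append((m.group(1), m.group(2)))
    return entries


def parse_user_vo_map(text):
    """Return (voi, voc, {account: vo}) from a grid3-user-vo-map.txt."""
    voi, voc, account_vo = [], [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#voi"):          # lowercase VO names, one per accounting VO
            voi = line.split()[1:]
        elif line.startswith("#VOc"):        # the same VOs, in their display case
            voc = line.split()[1:]
        elif not line.strip() or line.startswith("#"):
            continue
        else:
            parts = line.split()
            if len(parts) != 2:
                raise ValueError(f"user-vo-map line {lineno} is not 'account VO': {line!r}")
            account, vo = parts
            if account_vo.get(account, vo) != vo:
                raise ValueError(f"account {account} assigned to both {account_vo[account]} and {vo}")
            account_vo[account] = vo
    if len(voi) != len(voc):
        raise ValueError("#voi and #VOc must list the same VOs in the same order")
    return voi, voc, account_vo


def check_consistency(mapfile_text, user_vo_text):
    """Return a list of human-readable problems; an empty list means the pair is consistent."""
    entries = parse_gridmapfile(mapfile_text)
    voi, _, account_vo = parse_user_vo_map(user_vo_text)
    problems = []
    first_account = {}
    for dn, account in entries:
        if account not in account_vo:
            problems.append(f"{account} (used by {dn}) has no VO in grid3-user-vo-map.txt")
        elif account_vo[account] not in voi:
            problems.append(f"{account} belongs to VO {account_vo[account]}, which is not in #voi")
        # The gatekeeper takes the first line for a DN, so a later, different account is a silent override.
        if first_account.setdefault(dn, account) != account:
            problems.append(f"{dn} is mapped to both {first_account[dn]} and {account}")
    return problems


if __name__ == "__main__":
    for p in check_consistency(SAMPLE_GRIDMAPFILE, SAMPLE_USER_VO_MAP):
        print("PROBLEM:", p)
```

Run against real files, the check is the one worth putting in the cron job that installs the generated maps: an account that exists in the grid-mapfile but not in the user-VO map still lets jobs run, they simply stop being accounted to any VO.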


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

Example /etc/sysconfig/syslog from a host that receives the log through syslog (note -r):

    [root@atlasgrid13 log]# cat /etc/sysconfig/syslog
    # Options to syslogd
    # -m 0 disables 'MARK' messages.
    # -r enables logging from remote machines
    # -x disables DNS lookups on messages received with -r
    # See syslogd(8) for more details
    SYSLOGD_OPTIONS="-r -m 0"
    # Options to klogd
    # -2 prints all kernel oops messages twice; once for klogd to decode, and
    #    once for processing with 'ksymoops'
    # -x disables all klogd processing of oops messages entirely
    # See klogd(8) for more details
    KLOGD_OPTIONS="-x"

With -r, syslogd listens on UDP port 514 and accepts messages from any host without authentication, so restrict that port to the GUMS server at the firewall; otherwise anyone on the network can inject or flood entries into the site security log.

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

    throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

    throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

    GUMS encountered an error
    Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
    Error Message: Authorization denied

This error comes from GUMS itself: the TLS connection was accepted, but the DN in the caller's certificate is not in the administrators group (the one addAdmin populates), so an administrative operation was refused. Check which DN the proxy actually carries before adding it.

    $VDT_LOCATION/apache/logs:
    [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

Error (20) is OpenSSL's "unable to get local issuer certificate": the CA that issued the presented certificate is missing from the trusted certificate directory on the server, so the handshake fails before any GUMS code runs. Install the CA's files in /etc/grid-security/certificates and restart the service.

1.7 Changes

Release History

    Version       Date               Description
    1.1.0         2005-07-20
    1.0.1         2005-04-07
    1.0.0         2005-03-16
    0.7.1         2005-02-01
    0.7           2005-01-14
    0.6.1         2004-08-10
    0.6           2004-07-01
    0.5           2004-05-20
    undetermined  before March 2004

Release 1.1.0 - 2005-07-20

    - Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
    - Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
    - Mapping according to GECOS field available in both NIS and LDAP (carcassi)
    - One can filter on the full CN of a host certificate (carcassi)
    - The service certificate DN is now the identifier for hosts and machines (carcassi)
    - Release version in command line (carcassi)
    - If gums.config isn't found the first time, a Tomcat restart was needed (carcassi)
    - Minor updates to the web interface (carcassi)
    - VOMS Admin v1.0.x (gLite) compatibility (carcassi)
    - Support for mapfile cache terminated; web service door only (carcassi)
    - FQAN allows for '-' and '_' (and one further character, lost in extraction) in the VO, group, role and capability (carcassi)
    - DB reviewed: better indexing and transaction use (carcassi)
    - Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

    - Including setupDatabase with the modification made for VDT (carcassi)
    - gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
    - Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

    - Repackaging of the client components: merged admin and host and named it client (carcassi)
    - Fixed minor issues with authorization obligations for storage system (mlorch)
    - Double add to a manual group now fails (carcassi)
    - Script that creates the database and changes the configuration accordingly (carcassi)
    - Repackaging of the service component (carcassi)
    - Server identity is now the gums host name (carcassi)
    - GUMS accepts new style proxies (carcassi)
    - The accounts in the pool are used in alphabetical order (carcassi)
    - Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
    - Gridmapfile is generated simulating users with no FQAN (carcassi)
    - LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

    - Log names reviewed so that both client and server logs can stay (through links) in the same directory (carcassi)
    - NIS update is done every hour and is now thread safe (carcassi)
    - Log file permissions for the command line tools are set so multiple users can use them (important for admin) (carcassi)
    - GUMS host can now be used for stress testing and timing the server response (carcassi)
    - Added connection pooling on mysql server (carcassi)
    - Solved a race condition that would make GUMS hang in some circumstances (carcassi)
    - AuthZ callout without GT3: both client and server stubs (mlorch)
    - Added code for Privilege Project in GUMS repository and build process (carcassi)

Release 0.7 - 2005-01-14

    - Better logging: server logs all commands with both input and output (carcassi)
    - More complete command line interface (carcassi)
    - Web service implementation (carcassi)
    - HostWildcards can be more than one, comma separated (carcassi)
    - Support for VOMS Fully Qualified Attribute Names (carcassi)
    - AuthZ service to be contacted by Globus callout (carcassi)
    - Support for grid3-user-vo-map.txt generation (carcassi)
    - Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

    - Nightly build and reporting with Maven (carcassi)
    - Removed all the old code from 0.6 (carcassi)
    - Better log system: logs for developer, resource admin and site admin in place (carcassi)
    - Ability to retrieve groups from within a VOMS server (finally) (carcassi)
    - No more duplication in the mapfiles (carcassi)
    - Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
    - Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
    - Installation through RPMs (cron jobs installed automatically) (carcassi)
    - Unit tests to Grid3 VOs included (carcassi)
    - LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

    - XML configuration file for mapping policy (carcassi)
    - Log infrastructure (carcassi)
    - More flexible architecture (carcassi)
    - Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
    - Web interface to generate grid-mapfiles and map users (carcassi)
    - Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

    - GUMS in production at BNL (carcassi)
    - NISMapper: retrieves the GECOS field and matches with certificate CN (carcassi)
    - Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

    - Script to fetch user from VOMS (dtyu)
    - Script to map user to local account (tomw)


1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and need the command line.

The pieces

Root vs non-root

Firewall and security considerations

Prepare the database

    [root@www gums-service]# cat var/sql/setupDatabase.mysql
    CREATE DATABASE GUMS_1_1;
    GRANT ALL ON GUMS_1_1.* TO 'USER'@'SERVER' IDENTIFIED BY 'PASSWORD';
    USE GUMS_1_1;

    CREATE TABLE `USER` (
      `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
      `GROUP_NAME` VARCHAR(255) NOT NULL,
      `DN` varchar(255) NOT NULL,
      `FQAN` varchar(255) default NULL
    ) TYPE=InnoDB;
    CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));

    CREATE TABLE `MAPPING` (
      `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
      `MAP` VARCHAR(255) NOT NULL,
      `DN` varchar(255) default NULL,
      `ACCOUNT` varchar(255) default NULL
    ) TYPE=InnoDB;
    CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

USER, SERVER and PASSWORD are placeholders that the setupDatabase script fills in. GRANT ALL also gives the service account DROP and ALTER rights it never needs at run time; once the tables exist, SELECT, INSERT, UPDATE and DELETE on GUMS_1_1.* are sufficient, and the grant should name the GUMS host rather than '%'.

    [root@www sbin]# cat var/sql/addAdmin.mysql
    USE GUMS_1_1;
    INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service

    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" debug="0" scheme="https" secure="true"
        sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
        sslCAFiles="/etc/grid-security/certificates/*.0"
        crlFiles="/etc/grid-security/certificates/*.r0"
        sslCertFile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/tomcat/hostkey.pem"
        log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
        clientAuth="true" sslProtocol="TLS" />

This connector is where GUMS authentication happens: clientAuth="true" makes Tomcat demand a client certificate (the user's proxy or a host certificate), and sslCAFiles and crlFiles define which CAs are trusted and which certificates are revoked, so a CA missing from the directory fails the handshake before GUMS sees the request. Here sslKey points at /etc/tomcat/hostkey.pem rather than /etc/grid-security/hostkey.pem; that is the arrangement for running Tomcat as a non-root user that cannot read the root-owned host key, and the copy must stay readable only by that user.

Installing the client tools

1.2 Installation

1.2.1 HOW TO: VDT installation

HOW TO: GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT

1.2.2 HOW TO: Manual installation

HOW TO: GUMS Service quick-start installation

Preparing java

    [root@gums root]# java -version
    java version "1.4.2_04"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
    Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

    [root@gums root]# cd /opt
    [root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/tomcat-5.0.28-egeesec.tar.gz
    [root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
    [root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" debug="0" scheme="https" secure="true"
        sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
        sslCAFiles="/etc/grid-security/certificates/*.0"
        crlFiles="/etc/grid-security/certificates/*.r0"
        sslCertFile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem"
        log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
        clientAuth="true" sslProtocol="TLS" />

    [root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

    [root@gums root]# cd /opt
    [root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/gums-service-SNAPSHOT.tar.gz
    [root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz
    [root@gums opt]# cd gums-service/sbin
    [root@gums sbin]# setupDatabase
    Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]
    Examples:
      setupDatabase gums gums.mysite.com secret
    This will make mysql authenticate as root with a password (-p), create a gums
    user with password secret, authorized to connect from gums.mysite.com.
    [root@gums sbin]# setupDatabase gums gums.mysite.com secret

    [root@gums sbin]# cat setupDatabase
    #!/bin/sh
    MYSQLPARAM="-p"

The GUMS database password is passed on the command line here, so it ends up in the shell history and is visible in the process list while the script runs; clear the history entry afterwards or enter it interactively.

    [root@gums sbin]# addAdmin
    Adds an admin in the GUMS database on localhost.
    Usage: addAdmin [DN for administrator]
    Example:
      addAdmin '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'
    [root@gums sbin]# addAdmin '/DC=org/DC=doegrids/OU=People/CN=Your Self 83753'

    [root@gums sbin]# cd /opt
    [root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums

The refresh period of the group caches is an env-entry in the web application's web.xml (720 minutes, i.e. twice a day, in this example):

    <env-entry>
      <env-entry-name>updateGroupsMinutes</env-entry-name>
      <env-entry-type>java.lang.Integer</env-entry-type>
      <env-entry-value>720</env-entry-value>
    </env-entry>

Installing the client

    [root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
    [root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

    [root@gums root]# cd /opt/gums/bin
    [root@gums bin]# gums
    usage: gums command [command-options]
    Commands:
      generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
      generateGridMapfile    - Generate grid-mapfile for a given host
      manualGroup-add        - Includes a DN in a group
      manualGroup-remove     - Removes a DN from a group
      manualMapping-add      - Adds a DN-to-username in a mapping
      manualMapping-remove   - Removes a DN from a mapping
      mapUser                - Local credential used for a particular user
      mapfileCache-refresh   - Regenerates mapfiles in the cache
      updateGroups           - Contact VO servers and retrieve user lists

    For help on any command: gums command --help

    [root@gums bin]# cat /etc/gums-client.properties
    gums.location=https://localhost:8443/gums/services/GUMSAdmin
    gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

    [root@gums bin]# vi /etc/gums-client.properties
    [root@gums bin]# cat /etc/gums-client.properties
    gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
    gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

    [root@gums bin]# su - username
    [username@gums bin]$ grid-proxy-init
    [username@gums bin]$ gums generateGridMapfile '/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov'

The final test is run as an ordinary user with a proxy because the client authenticates to the service with the caller's certificate: the DN you gave to addAdmin must be the one in that proxy, otherwise the service answers with an authorization error.

Problems

1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences

Compatibility with PRIMA

Compatibility with GUMS Client

    gums generateGridMapfile '/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org'

1.3 Using GUMS

1.3.1 Configuration

Configuring GUMS

1.3.1.1 gums.config

gums.config

    <gums>
      <persistenceFactories>
        <persistenceFactory/>
      </persistenceFactories>
      <adminUserGroup/>
      <groupMappings>
        <groupMapping>
          <userGroup/>
          <accountMapping/>
        </groupMapping>
        <groupMapping>
          <userGroup/>
          <compositeAccountMapping>
            <accountMapping/>
            <accountMapping/>
            <accountMapping/>
          </compositeAccountMapping>
        </groupMapping>
      </groupMappings>
      <hostGroups>
        <hostGroup/>
      </hostGroups>
    </gums>

Understanding the GUMS configuration file

persistenceFactories

groupMappings

hostGroups

    <hostGroups>
      <!-- RHIC gatekeepers -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" />
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" />
      <!-- ATLAS test gatekeeper -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />
      <!-- Rest of ATLAS gatekeepers -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
    </hostGroups>

The host groups are tried in the order specified, and the first one whose cn matches the certificate of the requesting service decides which mappings apply. This is why the test gatekeeper mygk.usatlas.bnl.gov is listed before the wildcard covering the rest of the ATLAS gatekeepers, which would otherwise capture it. Each host group lists the groupMappings it uses:

    <hostGroup className="gov.bnl.gums.CertificateHostGroup"
               cn="mygk.usatlas.bnl.gov"
               groups="atlasProd, usatlasPool, ivdglPool" />

These too are tried in the order specified, and the first match will define the map.

    <groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="atlasProd"
                 voGroup="/atlas" voRole="production"
                 sslCertfile="/etc/grid-security/gumscert.pem"
                 sslKey="/etc/grid-security/gumskey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>

    <groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="osgusatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/gumscert.pem"
                 sslKey="/etc/grid-security/gumskey.pem"
                 acceptProxyWithoutFQAN="true" />
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
        <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
      </compositeAccountMapping>
    </groupMapping>

Within a compositeAccountMapping the mappers are tried in the order listed: here a user in usatlasPool gets an account from the bnlPool pool, and only if no pool account is available does the shared usatlas1 account from the second mapper apply. Because the first groupMapping in the host group's list wins, a member of atlasProd presenting the /atlas/Role=production attribute is mapped to usatlas1 before usatlasPool is even consulted.

persistenceFactories

    <persistenceFactories>
      <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
    </persistenceFactories>

persistenceFactory

  name - The name that will be used by the other components to refer to this
         persistenceFactory. Examples: mysql, files, ldap.
  className - The class that is going to provide the implementation for the
         persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
         Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory,
         org.mysite.HRDatabaseFactory.

gov.bnl.gums.HibernatePersistenceFactory

    <persistenceFactory name="mysql"
        className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
        hibernate.connection.username="gums"
        hibernate.connection.password="mysecret"
        hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
        hibernate.connection.driver_class="com.mysql.jdbc.Driver"
        hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
        hibernate.connection.pool_size="3" />

The database password is stored in clear text in gums.config, so the file must be readable only by the user Tomcat runs as; anyone who can read it can rewrite every group and mapping in the database.

adminUserGroup

groupMappings

groupMapping

  name - The name that will be used by the other components (the groups
         attribute of a hostGroup) to refer to this groupMapping.
         Examples: atlas, star, phenix.
  accountingVo - The lower case OSG accounting name that will be used to
         generate the inverse maps for this group. Examples: atlas, ivdgl.
  accountingDesc - The upper case OSG accounting name that will be used to
         generate the inverse maps for this group. Examples: ATLAS, iVDgL.

userGroup

  className - The class that is going to provide the implementation for the
         user group. It must implement gov.bnl.gums.UserGroup.
         Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup,
         gov.bnl.gums.ManualUserGroup.

gov.bnl.gums.LDAPGroup

  server - The LDAP server from which to retrieve the information.
         Example: grid-vo.nikhef.nl.
  query - The query to be used on the server.
         Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org;
         ou=People,o=atlas,dc=eu-datagrid,dc=org.
  persistenceFactory - The persistence layer to be used to store locally the
         list of users. The string must be one of the names defined within the
         persistenceFactories section. Example: mysql.
  name - The name of the cache within the persistence factory. Refer to the
         specifics of the persistence factory itself. Examples: atlas, usatlas.

    <userGroup className="gov.bnl.gums.LDAPGroup" server="grid-vo.nikhef.nl"
               query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
               persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

  url - The url of the web services for VOMS. Notice that it needs the full
         url of the service; it won't be constructed from the server name or
         VO. Example: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin.
  voGroup - The group defined within the VO.
         Examples: /atlas/test, /atlas/group/subgroup.
  voRole - The role defined within the VO. Examples: production, myrole.

  matchFQAN - Defines how the VOMS attribute (or role) is matched. There are
         4 possible ways:
           exact (default) - the FQAN in the proxy has to be the same as what
                             voGroup and voRole specify;
           group - the FQAN in the proxy has to be the same group or any
                   subgroup; the role is ignored;
           vo - the FQAN in the proxy has to be of the same VO;
           ignore - the FQAN in the proxy is completely ignored.
         Examples: exact, group, vo, ignore.
  acceptProxyWithoutFQAN - Defines whether normal proxies, that is non-VOMS
         proxies, are to be accepted. If true, a non-VOMS proxy with the DN as
         part of the group will be accepted. Examples: true, false.
  sslCertfile - The certificate to be used to connect to VOMS.
         Example: /etc/grid-security/hostcert.pem.
  sslKey - The private key to be used to connect to VOMS.
         Example: /etc/grid-security/hostkey.pem.
  sslKeyPasswd - The password of the key to be used to connect to VOMS. Do not
         set it if the key doesn't have a password (such as when using host
         certificates). Example: mysecret.
  sslCAFiles - The set of CA certificate files to be used to connect to VOMS.
         The value is a wildcard that matches the cert files.
         Example: /etc/grid-security/certificates/*.0.
  persistenceFactory - The persistence layer to be used to store locally the
         list of users. The string must be one of the names defined within the
         persistenceFactories section. Example: mysql.
  name - The name of the cache within the persistence factory. Refer to the
         specifics of the persistence factory itself.
         Examples: atlasTest, atlasGroupSubgroup.

The looser settings widen who gets mapped: with matchFQAN="ignore" any DN in the cached group is mapped whatever attributes the proxy carries, and with acceptProxyWithoutFQAN="true" a plain grid-proxy-init proxy is enough for a member, so the VOMS role check no longer gates that mapping at all. Use them only for groups whose membership alone is meant to grant the account.

    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
               persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
               sslCertfile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualUserGroup

  persistenceFactory - The persistence layer to be used to store the list of
         users. The string must be one of the names defined within the
         persistenceFactories section. Example: mysql.
  name - The name of the group within the persistence factory. Refer to the
         specifics of the persistence factory itself.
         Examples: test, testbedA, admins.

    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping

Attribute Description Examples

className The class that is going to provide theimplementation for the mapping It mustimplement govbnlgumsAccountMapping

govbnlgumsManualAccountMappergovbnlgumsGecosLdapAccountMappergovbnlgumsGecosNisAccountMappergovbnlgumsAccountPoolMappergovbnlgumsGroupAccountMapper

govbnlgumsGecosNisAccountMapper

Attribute Description Examples

jndiNisUrl The url as defined in the Java JNDI driverthat allows to specify the NIS server and thedomain

nisnisbnlgovatlas

ltaccountMapping className=govbnlgumsGecosNisAccountMapperjndiNisUrl=nisnismysiteorgdomain gt

govbnlgumsGecosLdapAccountMapper

Attribute Description Examples

jndiLdapUrl The url as defined in the Java JNDI driverthat allows to specify the LDAP server andthe domain

ldapldapbnlgovdc=usatlasdc=bnldc=gov

ltaccountMapping className=govbnlgumsGecosLdapAccountMapperjndiLdapUrl=ldapldapmysiteorgdc=domaindc=mysitedc=gov gt

govbnlgumsAccountPoolMapper

1 3 1 1 G U M S C O N F I G 35

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

persistenceFactory

The persistence layer to be used to store thepool mapping The string must be one of thenames defined within thepersistenceFactories section

mysql

name The name of the pool within the persistencefactory Refer to the specifics of thepersistence factory itself

mysitePoolosgPool

ltaccountMapping className=govbnlgumsAccountPoolMapperpersistenceFactory=mysql name=bnlPool gt

govbnlgumsGroupAccountMapper

Attribute Description Examples

groupName The name of the account atlastestAccount

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=atlas gt

hostGroups

hostGroup

className
    The class that provides the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A comma-separated list of groupMappings in order of preference. To determine which group should be used for a particular user, GUMS starts from the beginning of the list and stops at the first match. Therefore, if there is more than one match (i.e. a user is part of more than one group), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

    <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov"
               groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl"/>

gov.bnl.gums.CertificateHostGroup

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"
               groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl"/>
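The wildcard rules above decide which gatekeeper or service certificate a hostGroup applies to, so it is worth seeing exactly what a pattern does and does not match. The following Python is an added illustration written for this page, not GUMS code: it translates the three wildcard flavours into anchored regular expressions following the page's description of which characters `*` may not stand for, and performs the ordered first-match selection over a hostGroups list. The translation to regular expressions, the helper names and the host group list at the bottom are this example's own assumptions.

```python
import re

# Characters that "*" may NOT stand for, per the gums.config reference:
#   WildcardHostGroup.wildcard : "*" stops at "."
#   CertificateHostGroup.cn    : "*" stops at ".", "/" and "="
#   CertificateHostGroup.dn    : "*" stops at "/" and "="
# (modelled from the page's prose; this is an illustration, not GUMS code)
STOP_CHARS = {
    "wildcard": ".",
    "cn": "./=",
    "dn": "/=",
}


def wildcard_to_regex(pattern: str, stop_chars: str) -> "re.Pattern[str]":
    """Translate a GUMS-style wildcard into an anchored regular expression.

    Literal text is escaped; every "*" becomes "zero or more characters other
    than the stop characters", so one "*" can never span a hostname label or
    a DN component boundary.
    """
    star = "[^" + re.escape(stop_chars) + "]*"
    return re.compile("^" + star.join(re.escape(p) for p in pattern.split("*")) + "$")


def matches(attr: str, pattern: str, value: str) -> bool:
    """True if VALUE is selected by PATTERN under the rules for ATTR."""
    return wildcard_to_regex(pattern, STOP_CHARS[attr]).match(value) is not None


def select_host_group(host_groups, service_cn: str):
    """First-match selection over an ordered list of (cn pattern, groups).

    HOST_GROUPS mirrors an ordered <hostGroups> section: the first entry whose
    cn pattern matches the service certificate CN wins, so a specific host has
    to be listed before a wildcard that would also cover it.
    """
    for cn_pattern, groups in host_groups:
        if matches("cn", cn_pattern, service_cn):
            return groups
    return None


# Constructed example modelled on the hostGroups shown in this document;
# the groups assigned to each entry are this example's own choices.
HOST_GROUPS = [
    ("mygk.usatlas.bnl.gov", ["atlasProd", "usatlasPool", "ivdglPool"]),  # test gatekeeper
    ("*.usatlas.bnl.gov", ["usatlas"]),                                   # the rest of ATLAS
    ("gridftp/*.mysite.org", ["usatlas"]),                                # a service certificate
]

if __name__ == "__main__":
    # "*" would have to cover a ".", so this is False
    print(matches("cn", "*.bnl.gov", "myhost.usatlas.bnl.gov"))
    # the specific entry is listed first and therefore wins
    print(select_host_group(HOST_GROUPS, "mygk.usatlas.bnl.gov"))
```

Reversing HOST_GROUPS makes mygk.usatlas.bnl.gov fall into the `*.usatlas.bnl.gov` entry instead, which is the mistake the first-match rule makes easy to commit when a new, more privileged gatekeeper is appended at the end of the list.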

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"
                 matchFQAN="VO" acceptProxyWithoutFQAN="true"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

Allowing an ad-hoc list of people

    <groupMapping name="testers">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers"/>

Using account pools

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

The pool itself is filled from the command line:

    > bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap"/>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
      </compositeAccountMapping>
    </groupMapping>

Mapping based on groups/roles

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
    </groupMapping>

    <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas"/>

Note the order in the groups attribute: group mappings are tried in the order listed and the first match wins, which is why usatlasProd is listed before usatlas.
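The following Python is an added worked model, written for this page rather than taken from GUMS, of the first-match rules in the examples above: the group/role ordering, the composite mapping (manual map first, then a pool) and the range syntax of pool-addRange. Its assumptions are not in the original: VOMS membership is a constructed set instead of a list fetched from the server; matchFQAN="VO", which the first example sets on the usatlas group, is read as "the VO component of the user's FQAN equals the group's VO", while the default is an exact match on voGroup plus Role=voRole; a proxy without an FQAN is not accepted; and the DNs, the carcassi manual mapping and the two-account pool are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def expand_range(spec: str) -> List[str]:
    """Expand a pool-addRange argument: 'grid0000-199' -> grid0000 .. grid0199.
    The digits before '-' set the zero-padding width; the number after it is
    the last account, inclusive."""
    head, _, last = spec.rpartition("-")
    i = len(head)
    while i and head[i - 1].isdigit():
        i -= 1
    prefix, first = head[:i], head[i:]
    return [f"{prefix}{n:0{len(first)}d}" for n in range(int(first), int(last) + 1)]


@dataclass
class VOMSGroup:
    """Membership as cached from VOMS, plus the FQAN the group requires."""
    members: Set[str]              # DNs; constructed here, fetched by GUMS in reality
    vo_group: str                  # the voGroup attribute, e.g. "/atlas/usatlas"
    vo_role: Optional[str] = None  # the voRole attribute
    match_fqan: str = "exact"      # "VO" models matchFQAN="VO" (this example's reading)

    def contains(self, dn: str, fqan: Optional[str]) -> bool:
        if dn not in self.members or fqan is None:  # no FQAN: not accepted here
            return False
        if self.match_fqan == "VO":                  # any FQAN of the same VO
            return fqan.split("/")[1] == self.vo_group.split("/")[1]
        wanted = self.vo_group + (f"/Role={self.vo_role}" if self.vo_role else "")
        return fqan == wanted


@dataclass
class GroupAccountMapper:
    account: str                   # the groupName attribute: one account for everybody

    def map(self, dn: str) -> Optional[str]:
        return self.account


@dataclass
class ManualAccountMapper:
    table: Dict[str, str]          # DN -> account, as filled by manualMapping-add

    def map(self, dn: str) -> Optional[str]:
        return self.table.get(dn)


@dataclass
class AccountPoolMapper:
    free: List[str]                # unassigned accounts, handed out in sorted order
    assigned: Dict[str, str] = field(default_factory=dict)

    def map(self, dn: str) -> Optional[str]:
        if dn in self.assigned:    # a DN keeps the account it was first given
            return self.assigned[dn]
        if not self.free:          # exhausted pool: fail, never hand out a used account
            return None
        self.assigned[dn] = self.free.pop(0)
        return self.assigned[dn]


@dataclass
class CompositeAccountMapper:
    mappers: list                  # tried in order; the first one that answers wins

    def map(self, dn: str) -> Optional[str]:
        for mapper in self.mappers:
            account = mapper.map(dn)
            if account:
                return account
        return None


@dataclass
class GroupMapping:
    name: str
    user_group: object
    account_mapping: object


def map_user(group_mappings: List[GroupMapping], dn: str, fqan: Optional[str]):
    """The first groupMapping whose userGroup contains the user decides the account."""
    for gm in group_mappings:
        if gm.user_group.contains(dn, fqan):
            return gm.name, gm.account_mapping.map(dn)
    return None, None


# Constructed identities; the DNs are not real people.
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 1"
CAROL = "/DC=org/DC=doegrids/OU=People/CN=Carol Example 2"
DAVE = "/DC=org/DC=doegrids/OU=People/CN=Dave Example 3"
ERIN = "/DC=org/DC=doegrids/OU=People/CN=Erin Example 4"
VOMS_MEMBERS = {ALICE, CAROL, DAVE, ERIN}


def role_groups() -> List[GroupMapping]:
    """The groups/roles example above: usatlasProd listed before usatlas."""
    prod = GroupMapping("usatlasProd", VOMSGroup(VOMS_MEMBERS, "/atlas", "production"),
                        GroupAccountMapper("usatprod"))
    plain = GroupMapping("usatlas", VOMSGroup(VOMS_MEMBERS, "/atlas/usatlas", match_fqan="VO"),
                         GroupAccountMapper("usatlas1"))
    return [prod, plain]


def pool_group() -> GroupMapping:
    """The composite example above: manual map first, then a two-account pool."""
    mappers = [ManualAccountMapper({CAROL: "carcassi"}),
               AccountPoolMapper(sorted(expand_range("grid0000-1")))]
    return GroupMapping("usatlasPool", VOMSGroup(VOMS_MEMBERS, "/atlas/usatlas"),
                        CompositeAccountMapper(mappers))
```

With `role_groups()` in the listed order a production-role proxy lands on usatprod; with the two mappings reversed the same proxy is caught by the usatlas group (matchFQAN="VO" accepts any ATLAS FQAN) and silently gets usatlas1, the role never being consulted. The pool mapper hands accounts out in sorted order, keeps the DN-to-account binding, and returns no account once the pool is empty rather than reusing one.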

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums
    usage: gums command [command-options]
    Commands:
    generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
    generateGridMapfile    - Generate grid-mapfile for a given service/host
    manualGroup-add        - Includes a DN in a group
    manualGroup-remove     - Removes a DN from a group
    manualMapping-add      - Adds a DN-to-username in a mapping
    manualMapping-remove   - Removes a DN from a mapping
    mapUser                - Local credential used for a particular user
    mapfileCache-refresh   - Regenerates mapfiles in the cache
    pool-addRange          - Adds accounts to an account pool
    updateGroups           - Contact VO servers and retrieve user lists
    version                - Retrieve GUMS client version

    For help on any command:
    gums command --help

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
    usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
    Maps the grid identity to the local user.
    Options:
     -s,--service <arg>    DN of the service. When using gums-host it defa
ults to the host credential DN
     -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init. No extended information by default
     -t,--timing <arg>     Enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
     -b,--bypassCallout    Connects directly to GUMS instead of using the callout
     -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
     -n,--ntimes <arg>     Number of times the request will be repeated
        --help             Print this message

Service mapping generation commands

gums mapUser

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: grid12345]

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: special1]

gums generateGridMapfile

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
    #---- members of vo: usatlas ----
    "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
    #User-VO map
    # #comment line, format of each regular line line: account VO
    # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
    #voi usatlas ivdgl ligo btev uscms sdss gridex grase
    #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
    #---- accounts for vo: usatlas ----
    usatlas1 usatlas
    #---- accounts for vo: ivdgl ----
    ivdgl ivdgl
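The two files generated above end up on the gatekeeper, where a DN in the grid-mapfile whose account has no entry in the user-VO map breaks accounting for that user. Here is an added Python checker, not part of this document or of GUMS, that parses both formats as shown in the command output and reports such inconsistencies, the kind of test worth running before a cron job installs the files. The sample file contents and the DNs in them are constructed and abbreviated; the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# "/DN with spaces" account   -- the DN is quoted, the account is one token
GRIDMAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<account>\S+)\s*$')


def parse_gridmapfile(text: str) -> Dict[str, str]:
    """Return {DN: account}. Comments and blank lines are skipped; a line that
    does not fit the format, or a DN listed with two different accounts, is
    rejected rather than silently dropped."""
    mapping: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if m is None:
            raise ValueError(f"grid-mapfile line {lineno}: malformed: {line!r}")
        dn, account = m.group("dn"), m.group("account")
        if mapping.get(dn, account) != account:
            raise ValueError(f"grid-mapfile line {lineno}: {dn} mapped twice")
        mapping[dn] = account
    return mapping


def parse_user_vo_map(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return ({vo: VO display name}, {account: vo}) from a grid3-user-vo-map.txt."""
    voi: List[str] = []
    voc: List[str] = []
    accounts: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#voi"):          # lowercase VO names, in order
            voi = line.split()[1:]
        elif line.startswith("#VOc"):        # the same VOs with case
            voc = line.split()[1:]
        elif not line.strip() or line.startswith("#"):
            continue
        else:
            parts = line.split()
            if len(parts) != 2:
                raise ValueError(f"user-vo-map line {lineno}: malformed: {line!r}")
            account, vo = parts
            if accounts.get(account, vo) != vo:
                raise ValueError(f"user-vo-map line {lineno}: {account} in two VOs")
            accounts[account] = vo
    if not voi or len(voi) != len(voc):
        raise ValueError("user-vo-map: #voi and #VOc lines missing or of different length")
    return dict(zip(voi, voc)), accounts


def check_consistency(gridmap: Dict[str, str], vo_names: Dict[str, str],
                      accounts: Dict[str, str]) -> List[str]:
    """Problems a gatekeeper would hit: an account with no VO for accounting,
    or an account filed under a VO the #voi header does not list."""
    problems = []
    for dn, account in sorted(gridmap.items()):
        if account not in accounts:
            problems.append(f"{account} ({dn}) has no VO in user-vo-map")
    for account, vo in sorted(accounts.items()):
        if vo not in vo_names:
            problems.append(f"{account} is filed under unlisted VO {vo}")
    return problems


# Constructed sample files, cut down from the command output above.
GRIDMAP_SAMPLE = """\
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
#---- members of vo: ivdgl ----
"/DC=org/DC=doegrids/OU=People/CN=Some Tester 1" ivdgl
"/DC=org/DC=doegrids/OU=People/CN=Pool User 7" grid0007
"""

USER_VO_MAP_SAMPLE = """\
#User-VO map
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
ligo1 ligo
"""


def run_check() -> List[str]:
    """Parse both samples and return the list of problems found."""
    vo_names, accounts = parse_user_vo_map(USER_VO_MAP_SAMPLE)
    return check_consistency(parse_gridmapfile(GRIDMAP_SAMPLE), vo_names, accounts)


if __name__ == "__main__":
    for problem in run_check():
        print(problem)
```

On the samples the checker flags the pool account grid0007, which has a grid-mapfile entry but no VO, and ligo1, which is filed under a VO missing from the #voi line; a duplicate DN with conflicting accounts is rejected outright while parsing.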

Manual groups and mappings management commands

    <groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
    </groupMapping>

    <groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
                 persistenceFactory="mysql" name="myvo" voGroup="/myvo"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1"/>
    </groupMapping>

gums manualGroup-add

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

    [root@mygk bin]# gums-host
    usage: gums-host command [command-options]
    Commands:
    generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
    generateGridMapfile    - Generate grid-mapfile for this host
    mapUser                - Local credential used for a particular user
    version                - Retrieve GUMS client version

    For help on any command:
    gums-host command --help

    [root@mygk bin]# gums-host mapUser --help
    usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
    Maps the grid identity to the local user.
    Options:
     -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
     -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init. No extended information by default
     -t,--timing <arg>     Enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
     -b,--bypassCallout    Connects directly to GUMS instead of using the callout
     -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
     -n,--ntimes <arg>     Number of times the request will be repeated
        --help             Print this message

Service mapping generation commands

gums-host mapUser

    [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: grid12345]

    [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: special1]

gums-host generateGridMapfile

    [root@mygk bin]# gums-host generateGridMapfile
    #---- members of vo: usatlas ----
    "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

    [root@mygk bin]# gums-host generateGrid3UserVoMap
    #User-VO map
    # #comment line, format of each regular line line: account VO
    # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
    #voi usatlas ivdgl ligo btev uscms sdss gridex grase
    #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
    #---- accounts for vo: usatlas ----
    usatlas1 usatlas
    #---- accounts for vo: ivdgl ----
    ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

    [root@atlasgrid13 log]# cat /etc/sysconfig/syslog
    # Options to syslogd
    # -m 0 disables 'MARK' messages.
    # -r enables logging from remote machines
    # -x disables DNS lookups on messages recieved with -r
    # See syslogd(8) for more details
    SYSLOGD_OPTIONS="-r -m 0"
    # Options to klogd
    # -2 prints all kernel oops messages twice; once for klogd to decode, and
    #    once for processing with 'ksymoops'
    # -x disables all klogd processing of oops messages entirely
    # See klogd(8) for more details
    KLOGD_OPTIONS="-x"

With -r, syslogd accepts messages on UDP port 514 from any host that can reach it, and nothing in the protocol authenticates the sender. The collector should therefore be reachable only from the GUMS and gatekeeper hosts that are meant to send the site security log to it.

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

    throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>

Creating a group

    throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General
Using GUMS
Building GUMS
Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips
Access problems

General tips

Access problems

    GUMS encountered an error
    Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
    Error Message: Authorization denied

The admin client is authorized by the DN of the credential it presents; that DN must have been registered with addAdmin (i.e. be in the admins group of the GUMS database), otherwise every administrative command fails with the error above.

    $VDT_LOCATION/apache/logs
    [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

Error 20 is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the server could not find, in its CA directory (/etc/grid-security/certificates in the Tomcat connector configuration), the certificate of the CA that issued the presented client certificate. Check that the issuing CA's hash-named file is present there and readable by the server process.

1.7 Changes

Release History

Version        Date
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

  - Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
  - Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
  - Mapping according to GECOS field available in both NIS and LDAP (carcassi)
  - One can filter on the full CN of a host certificate (carcassi)
  - The service certificate DN is now the identifier for hosts and machines (carcassi)
  - Release version in command line (carcassi)
  - If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
  - Minor updates to the web interface (carcassi)
  - VOMS Admin v1.0.x (gLite) compatibility (carcassi)
  - Support for mapfile cache terminated; web service door only (carcassi)
  - FQAN allows for '-', '_' and '.' in the VO, group, role and capability (carcassi)
  - DB reviewed: better indexing and transaction use (carcassi)
  - Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

  - Including setupDatabase with the modification made for VDT (carcassi)
  - gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
  - Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

  - Repackaging of the client components: merged admin and host and named it client (carcassi)
  - Fixed minor issues with authorization obligations for storage system (mlorch)
  - Double add to a manual group now fails (carcassi)
  - Script that creates the database and changes the configuration accordingly (carcassi)
  - Repackaging of the service component (carcassi)
  - Server identity is now the gums host name (carcassi)
  - GUMS accepts new style proxies (carcassi)
  - The accounts in the pool are used in alphabetical order (carcassi)
  - Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
  - Gridmapfile is generated simulating users with no FQAN (carcassi)
  - LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

  - Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
  - NIS update is done every hour and is now thread safe (carcassi)
  - Log file permissions for the command line tools are set so multiple users can use them (important for admin) (carcassi)
  - GUMS host can now be used for stress testing and timing the server response (carcassi)
  - Added connection pooling on mysql server (carcassi)
  - Solved a race condition that would make GUMS hang in some circumstances (carcassi)
  - AuthZ callout without GT3: both client and server stubs (mlorch)
  - Added code for Privilege Project in GUMS repository and build process (carcassi)

Release 0.7 - 2005-01-14

  - Better logging: server logs all commands with both input and output (carcassi)
  - More complete command line interface (carcassi)
  - Web service implementation (carcassi)
  - HostWildcards can be more than one, comma separated (carcassi)
  - Support for VOMS Fully Qualified Attribute Names (carcassi)
  - AuthZ service to be contacted by Globus callout (carcassi)
  - Support for grid3-user-vo-map.txt generation (carcassi)
  - Many many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

  - Nightly build and reporting with Maven (carcassi)
  - Removed all the old code from 0.6 (carcassi)
  - Better log system: logs for developer, resource admin and site admin in place (carcassi)
  - Ability to retrieve groups from within a VOMS server (finally) (carcassi)
  - No more duplication in the mapfiles (carcassi)
  - Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
  - Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
  - Installation through RPMs (cron jobs installed automatically) (carcassi)
  - Unit tests for Grid3 VOs included (carcassi)
  - LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

  - XML configuration file for mapping policy (carcassi)
  - Log infrastructure (carcassi)
  - More flexible architecture (carcassi)
  - Decoupled grid-mapfile generation from database caching, for distribution on the gatekeeper (carcassi)
  - Web interface to generate grid-mapfiles and map users (carcassi)
  - Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

  - GUMS in production at BNL (carcassi)
  - NISMapper: retrieves the GECOS field and matches it with the certificate CN (carcassi)
  - Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

  - Script to fetch users from VOMS (dtyu)
  - Script to map a user to a local account (tomw)

1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running and need the command line.

The pieces

Root vs non-root

Firewall and security considerations

Prepare the database

    [root@www gums-service]# cat var/sql/setupDatabase.mysql
    CREATE DATABASE GUMS_1_1;
    GRANT ALL ON GUMS_1_1.* TO USER@SERVER IDENTIFIED BY 'PASSWORD';
    USE GUMS_1_1;
    CREATE TABLE `USER` (
      `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
      `GROUP_NAME` VARCHAR(255) NOT NULL,
      `DN` varchar(255) NOT NULL,
      `FQAN` varchar(255) default NULL
    ) TYPE=InnoDB;
    CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));
    CREATE TABLE `MAPPING` (
      `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
      `MAP` VARCHAR(255) NOT NULL,
      `DN` varchar(255) default NULL,
      `ACCOUNT` varchar(255) default NULL
    ) TYPE=InnoDB;
    CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

USER, SERVER and PASSWORD are placeholders that the setupDatabase script fills in. Note that the GRANT gives the service account every privilege on the GUMS_1_1 schema, while the running service only needs to read and write the two tables; once they exist a site can narrow the grant to SELECT, INSERT, UPDATE and DELETE.

    [root@www sbin]# cat var/sql/addAdmin.mysql
    USE GUMS_1_1;
    INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service

    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
               sslCAFiles="/etc/grid-security/certificates/*.0"
               crlFiles="/etc/grid-security/certificates/*.r0"
               sslCertFile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/tomcat/hostkey.pem"
               log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
               clientAuth="true" sslProtocol="TLS"/>

clientAuth="true" makes the connector demand a client certificate on every connection and accept only certificates that chain to a CA in sslCAFiles and are not listed in crlFiles; this is what ties every GUMS request to a DN. The private key is read here from /etc/tomcat/hostkey.pem rather than /etc/grid-security/hostkey.pem, a copy that the account running Tomcat can read; that copy must be readable by that account only.

Installing the client tools

1.2 Installation

1.2.1 HOW TO: VDT installation

HOW TO: GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT

1.2.2 HOW TO: Manual installation

HOW TO: GUMS Service quick-start installation

Preparing java

    [root@gums root]# java -version
    java version "1.4.2_04"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
    Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

    [root@gums root]# cd /opt
    [root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/tomcat-5.0.28-egeesec.tar.gz
    [root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
    [root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
               sslCAFiles="/etc/grid-security/certificates/*.0"
               crlFiles="/etc/grid-security/certificates/*.r0"
               sslCertFile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/grid-security/hostkey.pem"
               log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
               clientAuth="true" sslProtocol="TLS"/>

    [root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

    [root@gums root]# cd /opt
    [root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/gums-service-SNAPSHOT.tar.gz
    [root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

    [root@gums opt]# cd gums-service/sbin
    [root@gums sbin]# ./setupDatabase
    Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

    Examples:
    setupDatabase gums gums.mysite.com secret

    This will make mysql authenticate as root with a password (-p), create a gums user with password 'secret' authorized to connect from gums.mysite.com

    [root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

    [root@gums sbin]# cat setupDatabase
    #!/bin/sh
    MYSQLPARAM=-p

The GUMS database password is passed on the command line, where it is visible in the process list while the script runs and is kept in the root shell history afterwards; clear or protect that history, and make sure the configuration file the script writes the password into is readable only by the account running Tomcat.

    [root@gums sbin]# ./addAdmin
    Adds an admin in the GUMS database on localhost
    Usage: addAdmin [DN for administrator]

    Example:
    addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    [root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

    [root@gums sbin]# cd ..
    [root@gums opt]# ln -s /opt/gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums

    <env-entry>
      <env-entry-name>updateGroupsMinutes</env-entry-name>
      <env-entry-type>java.lang.Integer</env-entry-type>
      <env-entry-value>720</env-entry-value>
    </env-entry>

Installing the client

    [root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarchrpms/gums-client-SNAPSHOT.noarch.rpm
    [root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

    [root@gums root]# cd /opt/gums/bin
    [root@gums bin]# ./gums
    usage: gums command [command-options]
    Commands:
    generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
    generateGridMapfile    - Generate grid-mapfile for a given host
    manualGroup-add        - Includes a DN in a group
    manualGroup-remove     - Removes a DN from a group
    manualMapping-add      - Adds a DN-to-username in a mapping
    manualMapping-remove   - Removes a DN from a mapping
    mapUser                - Local credential used for a particular user
    mapfileCache-refresh   - Regenerates mapfiles in the cache
    updateGroups           - Contact VO servers and retrieve user lists

    For help on any command:
    gums command --help

    [root@gums bin]# cat /etc/gums-client.properties
    gums.location=https://localhost:8443/gums/services/GUMSAdmin
    gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

    [root@gums bin]# vi /etc/gums-client.properties
    [root@gums bin]# cat /etc/gums-client.properties
    gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
    gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

    [root@gums bin]# su - username
    [username@gums bin]$ grid-proxy-init
    [username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems

123 HOW TO Upgrade from 10

HOW TO Upgrade from 10 to 11

Database

Configuration file

Main differences

1 2 3 H O W T O U P G R A D E F R O M 1 0 23

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"

1.3 Using GUMS

1.3.1 Configuration

Configuring GUMS

1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory ... />
  </persistenceFactories>
  <adminUserGroup ... />
  <groupMappings>
    <groupMapping ...>
      <userGroup ... />
      <accountMapping ... />
    </groupMapping>
    <groupMapping ...>
      <userGroup ... />
      <compositeAccountMapping>
        <accountMapping ... />
        <accountMapping ... />
        <accountMapping ... />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup ... />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov"
    ... />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov"
    ... />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup"
    cn="mygk.usatlas.bnl.gov" ... />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"
    ... />
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
  cn="mygk.usatlas.bnl.gov"
  groups="atlasProd,usatlasPool,ivdglPool" />

in the order specified

The first match will define the map.


<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlasProd"
    voGroup="/atlas" voRole="production"
    sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="osgusatlas"
    voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"
    acceptProxyWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper"
      persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper"
      groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>


in the order listed

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

Attribute | Description | Examples
name | The name that will be used by the other components to refer to this persistenceFactory | mysql, files, ldap
className | The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory | gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name="mysql"
  className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
  hibernate.connection.username="gums"
  hibernate.connection.password="mysecret"
  hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
  hibernate.connection.driver_class="com.mysql.jdbc.Driver"
  hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
  hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

Attribute | Description | Examples
name | The name that will be used by the other components to refer to this groupMapping | atlas, star, phenix
accountingVo | The lower case OSG accounting name that will be used to generate the inverse maps for this group | atlas, ivdgl
accountingDesc | The upper case OSG accounting name that will be used to generate the inverse maps for this group | ATLAS, iVDgL

userGroup

Attribute | Description | Examples
className | The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup | gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup


Attribute | Description | Examples
server | The LDAP server from which to retrieve the information | grid-vo.nikhef.nl
query | The query to be used on the server | ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself | atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
  server="grid-vo.nikhef.nl"
  query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
  persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

Attribute | Description | Examples
url | The URL of the web services for VOMS. Notice that it needs the full URL of the service; it won't be constructed from the server name or VO | https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin
voGroup | The group defined within the VO | /atlas/test, /atlas/group/subgroup
voRole | The role defined within the VO | production, myrole
matchFQAN | Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
  • exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
  • group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
  • vo: the FQAN in the proxy has to be of the same VO
  • ignore: the FQAN in the proxy is completely ignored
  | exact, group, vo, ignore
acceptProxyWithoutFQAN | Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted | true, false
sslCertfile | The certificate to be used to connect to VOMS | /etc/grid-security/hostcert.pem
sslKey | The private key to be used to connect to VOMS | /etc/grid-security/hostkey.pem
sslKeyPasswd | The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates) | mysecret
sslCAFiles | The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files | /etc/grid-security/certificates/*.0
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself | atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
  url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
  persistenceFactory="mysql" name="atlas"
  voGroup="/atlas/test"
  sslCertfile="/etc/grid-security/hostcert.pem"
  sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualGroup

Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself | test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup"
  persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


Attribute | Description | Examples
className | The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping | gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attribute | Description | Examples
jndiNisUrl | The URL, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain | nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper"
  jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attribute | Description | Examples
jndiLdapUrl | The URL, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain | ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper"
  jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper

Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself | mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper"
  persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attribute | Description | Examples
groupName | The name of the account | atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


Attribute | Description | Examples
className | The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup | gov.bnl.gums.CertificateHostGroup
groups | A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used | group1,group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute | Description | Examples
wildcard | The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov | myhost.mysite.org, *.atlas.mysite.org, *.*.atlas.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup"
  wildcard="*.usatlas.bnl.gov"
  groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

gov.bnl.gums.CertificateHostGroup

Attribute | Description | Examples
cn | The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov | myhost.mysite.org, *.atlas.mysite.org, *.*.atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org
dn | The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.', '/' or '=' | /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
  cn="*.usatlas.bnl.gov"
  groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas"
    voGroup="/atlas/usatlas" sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    matchFQAN="VO" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing an ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup"
    persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas"
    voGroup="/atlas/usatlas" sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper"
    persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas"
    voGroup="/atlas/usatlas" sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper"
      persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper"
      persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas"
    voGroup="/atlas/usatlas" sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper"
    groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlasProd"
    voGroup="/atlas" voRole="production"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper"
    groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas" />
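The mapping rules that the reference tables and the examples above describe (the first hostGroup whose cn matches the service defines the map, the groupMappings of that host are tried in order of preference, matchFQAN modes, acceptProxyWithoutFQAN, and group, pool and composite account mappers), as an added Python example that is not GUMS code. VOMS membership, the DNs and the account pool are constructed inline instead of being fetched, and the choice not to fall through to a later groupMapping when the first matching group's mapper yields no account is an assumption of this example.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional

def cn_matches(pattern: str, cn: str) -> bool:
    """CertificateHostGroup cn wildcard: '*' matches any run of characters except '.', '/', '='."""
    regex = "".join("[^./=]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, cn) is not None

def split_fqan(fqan: str):
    """'/atlas/usatlas/Role=production/Capability=NULL' -> ('/atlas/usatlas', 'production')."""
    groups, role = [], None
    for part in filter(None, fqan.split("/")):
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif not part.startswith("Capability="):
            groups.append(part)
    return "/" + "/".join(groups), (None if role in (None, "NULL") else role)

@dataclass
class VOMSGroup:
    members: set                       # DNs the VOMS server lists (constructed here, not fetched)
    vo_group: str
    vo_role: Optional[str] = None
    match_fqan: str = "exact"          # exact | group | vo | ignore
    accept_without_fqan: bool = False  # acceptProxyWithoutFQAN
    def contains(self, dn: str, fqan: Optional[str]) -> bool:
        if dn not in self.members:
            return False
        if fqan is None:               # plain, non-VOMS proxy
            return self.accept_without_fqan
        if self.match_fqan == "ignore":
            return True
        group, role = split_fqan(fqan)
        if self.match_fqan == "exact":
            return group == self.vo_group and role == self.vo_role
        if self.match_fqan == "group":  # same group or any subgroup, role ignored
            return group == self.vo_group or group.startswith(self.vo_group.rstrip("/") + "/")
        if self.match_fqan == "vo":     # same VO, i.e. the first path element
            return group.split("/")[1] == self.vo_group.split("/")[1]
        raise ValueError(f"unknown matchFQAN {self.match_fqan!r}")

@dataclass
class ManualUserGroup:                 # ad-hoc DN list (manualGroup-add); the FQAN plays no part
    members: set
    def contains(self, dn, fqan): return dn in self.members

@dataclass
class GroupAccountMapper:              # everybody in the group shares one account
    group_name: str
    def map(self, dn): return self.group_name

@dataclass
class AccountPoolMapper:               # pool accounts handed out in alphabetical order, sticky per DN
    pool: list
    assigned: dict = field(default_factory=dict)
    def map(self, dn):
        if dn not in self.assigned:
            free = sorted(set(self.pool) - set(self.assigned.values()))
            if not free:
                return None            # pool exhausted: no account rather than a shared one
            self.assigned[dn] = free[0]
        return self.assigned[dn]

@dataclass
class CompositeAccountMapping:         # the first mapper that yields an account wins
    mappers: list
    def map(self, dn):
        return next((a for m in self.mappers if (a := m.map(dn)) is not None), None)

GroupMapping = namedtuple("GroupMapping", "user_group account_mapping")
HostGroup = namedtuple("HostGroup", "cn groups")   # groups: groupMapping names in order of preference

def map_user(host_groups, group_mappings, service_cn, dn, fqan=None):
    """The first hostGroup whose cn matches the service defines the map; within it the first
    groupMapping that contains the user decides (assumption: no fall-through to later groups)."""
    for hg in host_groups:
        if cn_matches(hg.cn, service_cn):
            for name in hg.groups:
                gm = group_mappings[name]
                if gm.user_group.contains(dn, fqan):
                    return gm.account_mapping.map(dn)
            return None
    return None

ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 11111"   # constructed DNs, not real users
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 22222"
GROUP_MAPPINGS = {                     # constructed sample: the groups/roles example plus a pooled host
    "usatlasProd": GroupMapping(VOMSGroup({ALICE}, "/atlas", "production"),   # VOMS role required
                                GroupAccountMapper("usatprod")),
    "usatlas": GroupMapping(VOMSGroup({ALICE, BOB}, "/atlas/usatlas", accept_without_fqan=True),
                            GroupAccountMapper("usatlas1")),
    "usatlasPool": GroupMapping(ManualUserGroup({ALICE, BOB}),   # pool first, shared account as fallback
                                CompositeAccountMapping([AccountPoolMapper(["grid0000"]),
                                                         GroupAccountMapper("usatlas1")])),
}
HOST_GROUPS = [HostGroup("pool.mysite.com", ["usatlasPool"]),   # first match wins: specific host first
               HostGroup("*.mysite.com", ["usatlasProd", "usatlas"])]
```

Calling map_user(HOST_GROUPS, GROUP_MAPPINGS, "gk.mysite.com", ALICE, "/atlas/Role=production/Capability=NULL") resolves to usatprod, while the same DN with a plain proxy falls to usatlas1 because usatlasProd does not accept proxies without an FQAN.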

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile - Generate grid-mapfile for a given service/host
  manualGroup-add - Includes a DN in a group
  manualGroup-remove - Removes a DN from a group
  manualMapping-add - Adds a DN-to-username in a mapping
  manualMapping-remove - Removes a DN from a mapping
  mapUser - Local credential used for a particular user
  mapfileCache-refresh - Regerates mapfiles in the cache
  pool-addRange - Adds accounts to an account pool
  updateGroups - Contact VO servers and retrieve user lists
  version - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user
Options:
 -s,--service <arg>        DN of the service. When using gums-host, it defaults
                           to the host credential DN
 -f,--fqan <arg>           Fully Qualified Attribute Name as it would be
                           selected using voms-proxy-init (no extended information by
                           default)
 -t,--timing <arg>         enables timing, grouping the requests. For example,
                           -t 100 will give you timing information on 100 requests at a
                           time
 -b,--bypassCallout        connects directly to GUMS instead of using the
                           callout
 -i,--issuer <arg>         Fully Qualified Attribute Name Issuer, that is the
                           DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>         number of times the request will be repeated
    --help                 print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase / with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql"
    name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
    persistenceFactory="mysql" name="myvo"
    voGroup="/myvo"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper"
    persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile - Generate grid-mapfile for this host
  mapUser - Local credential used for a particular user
  version - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user
Options:
 -s,--service <arg>        DN of the service. When using gums-host, it defaults
                           to the host credential DN
 -f,--fqan <arg>           Fully Qualified Attribute Name as it would be
                           selected using voms-proxy-init (no extended information by
                           default)
 -t,--timing <arg>         enables timing, grouping the requests. For example,
                           -t 100 will give you timing information on 100 requests at a
                           time
 -b,--bypassCallout        connects directly to GUMS instead of using the
                           callout
 -i,--issuer <arg>         Fully Qualified Attribute Name Issuer, that is the
                           DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>         number of times the request will be repeated
    --help                 print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile


[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase / with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrator's log (gums-service-admin.log)

Developer's log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrator's log

Developer's log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error.
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version | Date | Description
1.1.0 | 2005-07-20 |
1.0.1 | 2005-04-07 |
1.0.0 | 2005-03-16 |
0.7.1 | 2005-02-01 |
0.7 | 2005-01-14 |
0.6.1 | 2004-08-10 |
0.6 | 2004-07-01 |
0.5 | 2004-05-20 |
undetermined | before March 2004 |

Release 1.1.0 - 2005-07-20

Changes | By
Review GUMS maven structure (i.e. plug-in dependencies, project.xml) | carcassi
Fix tomcat deployment in build (i.e. dev server being down once in a while) | carcassi
Mapping according to Gecos field available in both NIS and LDAP | carcassi
One can filter on the full CN of a host certificate | carcassi
The Service Certificate DN is now the identifier for hosts and machines | carcassi
Release version in command line | carcassi
If gums.config isn't found the first time, a tomcat restart was needed | carcassi
Minor updates to the web interface | carcassi
VOMS Admin v1.0.x (glite) compatibility | carcassi
Support for mapfile cache terminated: web service door only | carcassi
FQAN allows for '-', '_' and '.' in the vo, group, role and capability | carcassi
DB reviewed: better indexing and transaction use | carcassi
Updating from VOMS is no longer blocking | carcassi

Release 1.0.1 - 2005-04-07

Changes | By
Including setupDatabase with the modification made for VDT | carcassi
gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) | carcassi
Error code from scripts was incorrect; that caused the cron job to update maps in case of error too | carcassi

Release 1.0.0 - 2005-03-16

Changes | By
Repackaging of the client components: merged admin and host and named it client | carcassi
Fixed minor issues with authorization obligations for storage system | mlorch
Double add to a manual group now fails | carcassi
Script that creates the database and changes the configuration accordingly | carcassi
Repackaging of the service component | carcassi
Server identity is now gums host name | carcassi
GUMS accepts new style proxies | carcassi
The accounts in the pool are used in alphabetical order | carcassi
Inverse map is now generated exploring all the DN/FQAN combinations | carcassi
Gridmapfile is generated simulating users with no FQAN | carcassi
LDAP integration for primary gid change at BNL once an account is assigned | carcassi

Release 0.7.1 - 2005-02-01

Changes | By
Log names reviewed so that both client and server can stay (through links) in the same directory | carcassi
NIS update is done every hour and is now thread safe | carcassi
Log file permissions for the command line tools are set so multiple users can use them (important for admin) | carcassi
GUMS host can now be used for stress testing and timing the server response | carcassi
Added connection pooling on mysql server | carcassi
Solved a race condition that would make GUMS hang in some circumstances | carcassi
AuthZ callout without GT3, both client and server stubs | mlorch
Added code for Privilege Project in GUMS repository and build process | carcassi

Release 0.7 - 2005-01-14

Changes | By
Better logging: server logs all commands with both input and output | carcassi
More complete command line interface | carcassi
Web service implementation | carcassi
HostWildcards can be more than one, comma separated | carcassi
Support for VOMS Fully Qualified Attribute names | carcassi
AuthZ service to be contacted by Globus callout | carcassi
Support for grid3-user-vo-map.txt generation | carcassi
Many many other refinements | carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi


- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests for Grid3 VOs included (carcassi)
- LDAP access improved: can access the LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching, for distribution on the gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches it with the certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004


- Script to fetch users from VOMS (dtyu)
- Script to map a user to a local account (tomw)


1.1.3 Understanding GUMS installation

Understanding GUMS installation

Please refer to the quick installation guide if you prefer to get up and running right away and just need the command lines.

The pieces


Root vs non-root

Firewall and security considerations

Prepare the database

[root@www gums-service]# cat var/sql/setupDatabase.mysql
CREATE DATABASE GUMS_1_1;
GRANT ALL ON GUMS_1_1.* TO USER@SERVER IDENTIFIED BY 'PASSWORD';
USE GUMS_1_1;

CREATE TABLE `USER` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `GROUP_NAME` VARCHAR(255) NOT NULL,
  `DN` varchar(255) NOT NULL,
  `FQAN` varchar(255) default NULL
) TYPE=InnoDB;

CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));

CREATE TABLE `MAPPING` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `MAP` VARCHAR(255) NOT NULL,
  `DN` varchar(255) default NULL,
  `ACCOUNT` varchar(255) default NULL
) TYPE=InnoDB;

CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

[root@www sbin]# cat var/sql/addAdmin.mysql
USE GUMS_1_1;
INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

USER, SERVER, PASSWORD and ADMINDN are placeholders that the setupDatabase and addAdmin scripts fill in. Note that the grant is limited to the GUMS database and to connections coming from the GUMS server host, not to any host.

Installing the service


<Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/tomcat/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />

With clientAuth="true" every caller must present a certificate issued by one of the CAs in sslCAFiles, checked against the CRLs in crlFiles. In this non-root layout the key Tomcat reads is a separate copy under /etc/tomcat, owned by the account Tomcat runs as and readable by it alone, so /etc/grid-security/hostkey.pem can stay root-only.


Installing the client tools


1.2 Installation


1.2.1 HOW TO VDT installation

HOW TO GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


1.2.2 HOW TO Manual installation

HOW TO GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start
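Before starting Tomcat it pays to verify what the Connector points at: with clientAuth="true" the trustmanager needs CA certificates (*.0) and CRLs (*.r0) to validate callers, plus a host certificate and an unencrypted host key that only the Tomcat account can read. The script below is an added example written for this page, not part of GUMS, Tomcat or the EGEE trustmanager; it parses a Connector element for the attributes used above and checks the files they name. The server.xml fragment, the temporary directory and the PEM stubs it inspects are constructed inline, so it runs offline; the "world readable key" and "passphrase-protected key" cases are the two mistakes it is meant to catch.

```python
"""Pre-flight check for a trustmanager-enabled Tomcat Connector.

Added example (not GUMS, Tomcat or EGEE code). It parses the <Connector>
element, then verifies the files it points at: CA certificates and CRLs
present, host certificate and key present, key unencrypted and not readable
by group/other.
"""
import glob
import os
import stat
import tempfile
import xml.etree.ElementTree as ET


def parse_connector(server_xml: str) -> dict:
    """Return the attributes of the first <Connector> element as a dict."""
    root = ET.fromstring(server_xml)
    conn = root if root.tag == "Connector" else root.find(".//Connector")
    if conn is None:
        raise ValueError("no <Connector> element")
    return dict(conn.attrib)


def check_connector(attrs: dict) -> list:
    """Return a list of problems; an empty list means the connector looks sane."""
    problems = []
    if attrs.get("clientAuth") != "true":
        problems.append("clientAuth is not 'true': callers will not be authenticated")
    if attrs.get("sslProtocol") != "TLS":
        problems.append("sslProtocol is not TLS")
    # Trust anchors and revocation lists: both attribute values are globs.
    for key, what in (("sslCAFiles", "CA certificate"), ("crlFiles", "CRL")):
        if not glob.glob(attrs.get(key, "")):
            problems.append(f"{key}: no {what} files match {attrs.get(key)!r}")
    cert = attrs.get("sslCertFile", "")
    if not os.path.isfile(cert):
        problems.append(f"sslCertFile: {cert!r} not found")
    key = attrs.get("sslKey", "")
    if not os.path.isfile(key):
        problems.append(f"sslKey: {key!r} not found")
        return problems
    mode = stat.S_IMODE(os.stat(key).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"sslKey: {key!r} has mode {mode:04o}; should be 0400 or 0600")
    with open(key, "rb") as f:
        head = f.read(256)
    if b"ENCRYPTED" in head:  # PEM header "Proc-Type: 4,ENCRYPTED"
        problems.append("sslKey: key is passphrase-protected; Tomcat cannot start unattended")
    return problems


def _write(path: str, text: str, mode=None) -> None:
    """Helper for the constructed layout: (re)create a file with the given mode."""
    if os.path.exists(path):
        os.remove(path)
    with open(path, "w") as f:
        f.write(text)
    if mode is not None:
        os.chmod(path, mode)


def connector_xml(base: str) -> str:
    """A Connector in the shape of the one above, pointing into a scratch directory."""
    return f"""<Connector port="8443" scheme="https" secure="true"
        sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
        sslCAFiles="{base}/certificates/*.0" crlFiles="{base}/certificates/*.r0"
        sslCertFile="{base}/hostcert.pem" sslKey="{base}/hostkey.pem"
        clientAuth="true" sslProtocol="TLS" />"""


def demo() -> dict:
    """Constructed layout: run the check with a bad key, a fixed key, an encrypted key."""
    d = tempfile.mkdtemp()
    os.mkdir(f"{d}/certificates")
    _write(f"{d}/certificates/aaa1b2c3.0", "-----BEGIN CERTIFICATE-----\n")
    _write(f"{d}/certificates/aaa1b2c3.r0", "-----BEGIN X509 CRL-----\n")
    _write(f"{d}/hostcert.pem", "-----BEGIN CERTIFICATE-----\n")
    attrs = parse_connector(connector_xml(d))
    results = {}
    _write(f"{d}/hostkey.pem", "-----BEGIN RSA PRIVATE KEY-----\n", 0o644)
    results["world_readable"] = check_connector(attrs)
    os.chmod(f"{d}/hostkey.pem", 0o400)
    results["fixed"] = check_connector(attrs)
    _write(f"{d}/hostkey.pem", "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n", 0o400)
    results["encrypted"] = check_connector(attrs)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```

Run it against the real server.xml by passing the file contents to parse_connector; the checks are ordinary stat and glob calls, so it can be run as the Tomcat user to confirm that that account, and not just root, can read everything the Connector needs.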

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Example: setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), and create a gums user with password secret, authorized to connect from gums.mysite.com. The password given on the command line ends up in the shell history and is visible in the process list while the script runs, so change it afterwards if that matters at your site.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost
Usage: addAdmin [DN for administrator]

Example: addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd ../..
[root@gums opt]# ln -s /opt/gums-service/var/war /opt/tomcat-5.0.28-egeesec/webapps/gums


<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
  generateGridMapfile    - Generate grid-mapfile for a given host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regenerates mapfiles in the cache
  updateGroups           - Contact VO servers and retrieve user lists
For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums b1in]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO Upgrade from 1.0

HOW TO Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory ... />
  </persistenceFactories>
  <adminUserGroup ... />
  <groupMappings>
    <groupMapping ...>
      <userGroup ... />
      <accountMapping ... />
    </groupMapping>
    <groupMapping ...>
      <userGroup ... />
      <compositeAccountMapping>
        <accountMapping ... />
        <accountMapping ... />
        <accountMapping ... />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup ... />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
    cn="mygk.usatlas.bnl.gov"
    groups="atlasProd, usatlasPool, ivdglPool" />

in the order specified

The first match will define the map.


<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="atlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/gumscert.pem"
      sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="osgusatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/gumscert.pem"
      sslKey="/etc/grid-security/gumskey.pem"
      acceptProxyWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>


in the order listed

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

Attribute | Description | Examples
name | The name that will be used by the other components to refer to this persistenceFactory. | mysql, files, ldap
className | The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory. | gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.hibernate.HibernatePersistenceFactory

<persistenceFactory name="mysql"
    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
    hibernate.connection.username="gums"
    hibernate.connection.password="mysecret"
    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
    hibernate.connection.pool_size="3" />

The database password sits in clear text in gums.config, so the file must be readable only by the account Tomcat runs as.

adminUserGroup

groupMappings

groupMapping

Attribute | Description | Examples
name | The name that will be used by the other components (the hostGroups) to refer to this groupMapping. | atlas, star, phenix
accountingVo | The lower case OSG accounting name that will be used to generate the inverse maps for this group. | atlas, ivdgl
accountingDesc | The upper case OSG accounting name that will be used to generate the inverse maps for this group. | ATLAS, iVDgL

userGroup

Attribute | Description | Examples
className | The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup. | gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualUserGroup

gov.bnl.gums.LDAPGroup


Attribute | Description | Examples
server | The LDAP server from which to retrieve the information. | grid-vo.nikhef.nl
query | The query to be used on the server. | ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself. | atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
    server="grid-vo.nikhef.nl"
    query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
    persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

Attribute | Description | Examples
url | The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or VO. | https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin
voGroup | The group defined within the VO. | /atlas/test, /atlas/group/subgroup
voRole | The role defined within the VO. | production, myrole
matchFQAN | Defines how the VOMS attribute (or role) is matched. There are 4 possible ways: exact (default), the FQAN in the proxy has to be the same as what voGroup and voRole specify; group, the FQAN in the proxy has to be the same group or any subgroup, the role is ignored; vo, the FQAN in the proxy has to be of the same VO; ignore, the FQAN in the proxy is completely ignored. | exact, group, vo, ignore
acceptProxyWithoutFQAN | Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy whose DN is part of the group will be accepted. | true, false
sslCertfile | The certificate to be used to connect to VOMS. | /etc/grid-security/hostcert.pem
sslKey | The private key to be used to connect to VOMS. | /etc/grid-security/hostkey.pem
sslKeyPasswd | The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates). | mysecret
sslCAFiles | The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files. | /etc/grid-security/certificates/*.0
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself. | atlasTest, atlasGroupSubgroup

Each of group, vo and ignore admits more proxies than the one before it, and with acceptProxyWithoutFQAN="true" membership in the group is enough on its own; use the looser settings only for groupMappings whose account is appropriate for every member they admit.

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlas"
    voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualUserGroup

Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself. | test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


Attribute | Description | Examples
className | The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping. | gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attribute | Description | Examples
jndiNisUrl | The url, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain. | nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attribute | Description | Examples
jndiLdapUrl | The url, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain. | ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper


Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself. | mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attribute | Description | Examples
groupName | The name of the account. | atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


Attribute | Description | Examples
className | The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup. | gov.bnl.gums.CertificateHostGroup
groups | A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used. | group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute | Description | Examples
wildcard | The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any characters except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov. | myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup"
    wildcard="*.usatlas.bnl.gov"
    groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup


Attribute | Description | Examples
cn | The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any characters except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov. | myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org
dn | The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any characters except '.', '/' or '='. | /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
    cn="*.usatlas.bnl.gov"
    groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />
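Two ordering rules decide every mapUser answer: the first hostGroup whose cn wildcard matches the service certificate wins, and within it the first groupMapping that admits the user, by cached membership and by the matchFQAN rule of its VOMSGroup, defines the account. The Python below is an added example written for this page, not GUMS code, that models both rules together with the wildcard semantics of the hostGroup tables above (* never crosses '.', '/' or '=') and the four matchFQAN modes of the VOMSGroup table. The host groups, group mappings, DNs and FQANs are constructed in the shape of this page's examples; the group membership sets stand in for the per-group caches GUMS fills from the VO servers.

```python
"""Added example (not GUMS code): how a mapUser request is resolved.

Models the two ordering rules documented above: the first hostGroup whose
cn wildcard matches the service certificate wins, and within it the first
groupMapping that admits the user (by membership and by matchFQAN) defines
the account. The configuration below is a constructed sample.
"""
import re
from dataclasses import dataclass
from typing import Optional


def wildcard_regex(pattern: str, extra_excluded: str = "") -> "re.Pattern":
    """'*' matches any run of characters except '.' plus extra_excluded ('/=' for cn/dn)."""
    cls = "[^" + re.escape("." + extra_excluded) + "]*"
    return re.compile("^" + cls.join(re.escape(p) for p in pattern.split("*")) + "$")


def cn_of(dn: str) -> str:
    """The trailing CN of a slash-separated DN; keeps a '/' inside the CN (CN=host/name)."""
    return dn[dn.rindex("/CN=") + 4:]


def fqan_matches(mode: str, vo_group: str, vo_role: Optional[str], fqan: str) -> bool:
    """matchFQAN: exact (default), group, vo, ignore."""
    if mode == "ignore":
        return True
    group, _, rest = fqan.partition("/Role=")
    role = rest.split("/")[0] if rest else "NULL"      # drops a trailing /Capability=...
    if role == "NULL":
        role = None
    if mode == "exact":
        return group == vo_group and role == vo_role
    if mode == "group":
        return group == vo_group or group.startswith(vo_group + "/")
    if mode == "vo":
        return group.split("/")[1] == vo_group.split("/")[1]
    raise ValueError(f"unknown matchFQAN {mode!r}")


@dataclass
class GroupMapping:                      # one <groupMapping> holding a VOMSGroup
    members: frozenset                   # DNs cached from the VO server
    vo_group: str
    vo_role: Optional[str]
    account: str                         # what its GroupAccountMapper returns
    match_fqan: str = "exact"
    accept_proxy_without_fqan: bool = False


@dataclass
class HostGroup:                         # one CertificateHostGroup
    cn: str
    groups: tuple                        # groupMapping names, in order of preference


def map_user(host_groups, mappings, service_dn, user_dn, fqan=None) -> Optional[str]:
    """Return the local account, or None if no hostGroup/groupMapping admits the user."""
    cn = cn_of(service_dn)
    hg = next((h for h in host_groups if wildcard_regex(h.cn, "/=").match(cn)), None)
    if hg is None:
        return None
    for name in hg.groups:
        gm = mappings[name]
        if user_dn not in gm.members:
            continue
        if fqan is None:
            if not gm.accept_proxy_without_fqan:
                continue
        elif not fqan_matches(gm.match_fqan, gm.vo_group, gm.vo_role, fqan):
            continue
        return gm.account
    return None


# Constructed sample in the shape of the "Mapping based on groups/roles" example.
USER = "/DC=org/DC=doegrids/OU=People/CN=Some User 12345"
MAPPINGS = {
    "usatlasProd": GroupMapping(frozenset([USER]), "/atlas", "production", "usatprod"),
    "usatlas": GroupMapping(frozenset([USER]), "/atlas/usatlas", None, "usatlas1",
                            accept_proxy_without_fqan=True),
    "testers": GroupMapping(frozenset(), "/test", None, "test", match_fqan="ignore"),
}
HOST_GROUPS = [
    HostGroup("mygk.usatlas.bnl.gov", ("testers",)),            # specific host listed first
    HostGroup("*.usatlas.bnl.gov", ("usatlasProd", "usatlas")),
    HostGroup("*.mysite.com", ("usatlasProd", "usatlas")),
]
GK = "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"

if __name__ == "__main__":
    print(map_user(HOST_GROUPS, MAPPINGS, GK, USER, "/atlas/Role=production/Capability=NULL"))
    print(map_user(HOST_GROUPS, MAPPINGS, GK, USER, "/atlas/usatlas/Role=NULL/Capability=NULL"))
    print(map_user(HOST_GROUPS, MAPPINGS, GK, USER))
```

The test gatekeeper mygk.usatlas.bnl.gov illustrates why order matters: because its own hostGroup comes before *.usatlas.bnl.gov, an ATLAS production user is refused there (the testers group is empty) even though the wildcard group would have mapped them; swap the two entries and the specific gatekeeper would never be reached.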


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem"
      matchFQAN="vo" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>


<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>
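The two examples above ("Using account pools" and "Composite mapping") rely on behaviour the page states only briefly: pooled accounts are handed out in alphabetical order, a DN keeps the account it was first given, and a compositeAccountMapping consults its mappers in the order listed, so a manual mapping shadows the pool. The Python below is an added example written for this page, not GUMS code, that models those rules in memory (GUMS keeps the same state in its MySQL persistence factory). It reads a pool-addRange argument such as grid0000-199 as a prefix plus a zero-padded numeric range, which is an assumption drawn from the two examples on this page, and it shows what happens when the pool runs out: the remaining users get no mapping rather than a shared one.

```python
"""Added example (not GUMS code): an AccountPoolMapper behind a composite mapping.

pool-addRange "grid0000-199" is read here as prefix + zero-padded numeric range
(an assumption taken from the examples on this page). Accounts are handed out in
alphabetical order, a DN keeps the account it was given, and a composite mapping
tries its mappers in the order listed, so a manual mapping shadows the pool.
"""
import re
from typing import Dict, List, Optional


def expand_range(spec: str) -> List[str]:
    """'grid0020-40' -> ['grid0020', ..., 'grid0040'] (width taken from the first number)."""
    m = re.fullmatch(r"([A-Za-z_][A-Za-z0-9_]*?)(\d+)-(\d+)", spec)
    if not m:
        raise ValueError(f"bad range {spec!r}")
    prefix, first, last = m.group(1), m.group(2), m.group(3)
    if int(last) < int(first):
        raise ValueError("range end precedes start")
    return [f"{prefix}{n:0{len(first)}d}" for n in range(int(first), int(last) + 1)]


class AccountPoolMapper:
    """Persistent DN -> pooled account assignment (in memory here; MySQL in GUMS)."""

    def __init__(self) -> None:
        self.free: List[str] = []
        self.assigned: Dict[str, str] = {}

    def add_range(self, spec: str) -> None:
        new = set(expand_range(spec)) - set(self.assigned.values())
        self.free = sorted(set(self.free) | new)

    def map(self, dn: str) -> Optional[str]:
        if dn in self.assigned:
            return self.assigned[dn]           # a DN keeps its account
        if not self.free:
            return None                        # pool exhausted: user is not mapped
        account = self.free.pop(0)             # alphabetical order
        self.assigned[dn] = account
        return account


class ManualAccountMapper:
    """Explicit DN -> account table, as filled by gums manualMapping-add."""

    def __init__(self, table: Dict[str, str]) -> None:
        self.table = dict(table)

    def map(self, dn: str) -> Optional[str]:
        return self.table.get(dn)


class CompositeAccountMapping:
    """The first mapper (in the order listed) that returns an account wins."""

    def __init__(self, *mappers) -> None:
        self.mappers = mappers

    def map(self, dn: str) -> Optional[str]:
        for mapper in self.mappers:
            account = mapper.map(dn)
            if account is not None:
                return account
        return None


ADMIN = "/DC=org/DC=doegrids/OU=People/CN=Site Admin 1"   # constructed DN


def demo() -> dict:
    """Constructed run: a manual map in front of a 21-account pool, 25 users."""
    pool = AccountPoolMapper()
    pool.add_range("grid0020-40")              # same syntax as bin/gums pool-addRange
    manual = ManualAccountMapper({ADMIN: "carcassi"})
    composite = CompositeAccountMapping(manual, pool)
    results = {}
    for i in range(25):                        # 25 users, 21 accounts: the last four fail
        dn = f"/DC=org/DC=doegrids/OU=People/CN=User {i:02d}"
        results[dn] = composite.map(dn)
    results["admin"] = composite.map(ADMIN)
    results["repeat"] = composite.map("/DC=org/DC=doegrids/OU=People/CN=User 03")
    return results


if __name__ == "__main__":
    for dn, account in demo().items():
        print(f"{dn} -> {account}")
```

The unmapped tail is the case to watch in production: a pool sized to the expected VO membership silently stops mapping new members once it is full, so monitor how many pool accounts remain free.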

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />

usatlasProd is listed first in groups so that a proxy carrying the production role is mapped to usatprod; since the first matching groupMapping wins, listing usatlas first would send every member of /atlas/usatlas, production role or not, to usatlas1.


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regenerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version
For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
  -s, --service <arg>    DN of the service. When using gums-host it defaults to the host credential DN.
  -f, --fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default.
  -t, --timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
  -b, --bypassCallout    connects directly to GUMS instead of using the callout.
  -i, --issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
  -n, --ntimes <arg>     number of times the request will be repeated.
      --help             print this message.

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
      persistenceFactory="mysql" name="myvo"
      voGroup="/myvo"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add


[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]# gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version
For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
  -s, --service <arg>    DN of the service. When using gums-host it defaults to the host credential DN.
  -f, --fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default.
  -t, --timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
  -b, --bypassCallout    connects directly to GUMS instead of using the callout.
  -i, --issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
  -n, --ntimes <arg>     number of times the request will be repeated.
      --help             print this message.

Service mapping generation commands

gums-host mapUser

[rootmygk bin] gums-host mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName grid12345]

[rootmygk bin] gums-host mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom -f myvoRole=role1 -i DC=orgDC=doegridsOU=ServiceCN=vomsmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName special1]

gums generateGridMapfile

1 3 2 2 B I N G U M S - H O S T 50

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[rootmygk bin] gums-host generateGridMapfile---- members of vo usatlas ----C=CHO=CERNOU=GRIDCN=Frederik Orellana 5894 usatlas1C=CHO=CERNOU=GRIDCN=Michela Biglietti 4798 usatlas1C=CHO=CERNOU=GRIDCN=Miguel De Oliveira Branco 2423 usatlas1C=CHO=CERNOU=GRIDCN=Shulamit Moed 9840 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alden Stradling 409738 usatlas1DC=orgDC=doegridsOU=PeopleCN=Aldo Saavedra 942457 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alexandre V Vaniachine 778117 usatlas1

gums generateGrid3UserVoMap

[rootmygk bin] gums-host generateGrid3UserVoMapUser-VO map comment line format of each regular line line account VO Next 2 lines with VO names same order all lowercase with case (lines startingwith voi VOc)voi usatlas ivdgl ligo btev uscms sdss gridex graseVOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE---- accounts for vo usatlas ----usatlas1 usatlas---- accounts for vo ivdgl ----ivdgl ivdgl
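The grid3-user-vo-map.txt layout that the header lines of the output above describe, as an added example that is not part of the original documentation and not GUMS code: a small Python reader that parses the file and rejects one that breaks the format's own rules (a #voi line with the VO names in lower case, a #VOc line with the same VOs in the same order with case, then regular lines of the form "account VO"). The function names are mine and the sample input is constructed to mirror the output shown above.

```python
# Added illustration, not GUMS code: a reader for the grid3-user-vo-map.txt format shown
# above.  The file's own header states the rules checked here: a "#voi" line with the VO
# names in lower case and a "#VOc" line with the same VOs, in the same order, with case,
# followed by regular lines of the form "account VO".  The sample below is constructed.

def parse_user_vo_map(text):
    """Return (vo_desc, account_to_vo); vo_desc maps each #voi name to its #VOc spelling."""
    voi, voc, accounts = None, None, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#voi "):
            voi = line.split()[1:]
        elif line.startswith("#VOc "):
            voc = line.split()[1:]
        elif line.startswith("#"):
            continue                      # comment or "#---- accounts for vo: x ----" banner
        else:
            fields = line.split()
            if len(fields) != 2:
                raise ValueError(f"line {lineno}: expected 'account VO', got {raw!r}")
            account, vo = fields
            if accounts.get(account, vo) != vo:
                raise ValueError(f"line {lineno}: account {account} listed under two VOs")
            accounts[account] = vo
    if voi is None or voc is None:
        raise ValueError("missing #voi or #VOc line")
    if len(voi) != len(voc):
        raise ValueError("#voi and #VOc do not list the same number of VOs")
    undeclared = sorted(set(accounts.values()) - set(voi))
    if undeclared:
        raise ValueError(f"account lines use VOs not declared in #voi: {undeclared}")
    return dict(zip(voi, voc)), accounts

def check_user_vo_map(text):
    """None when the file is consistent, otherwise the reason it was rejected."""
    try:
        parse_user_vo_map(text)
        return None
    except ValueError as err:
        return str(err)

# Constructed sample in the shape of the gums-host generateGrid3UserVoMap output above.
SAMPLE = """\
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
"""

# The same file with a stray account line for a VO that was never declared.
BAD_SAMPLE = SAMPLE + "ligo1 ligo\n"
```

A gatekeeper that consumes this file can run check_user_vo_map over a freshly generated copy before installing it, so a truncated or inconsistent map is noticed instead of silently replacing the previous one.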


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs: [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version        Date          Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

By         Changes
carcassi   Review GUMS maven structure (i.e. plug-in dependencies, project.xml)
carcassi   Fix tomcat deployment in build (i.e. dev server being down once in a while)
carcassi   Mapping according to Gecos field available in both NIS and LDAP
carcassi   One can filter on the full CN of a host certificate
carcassi   The Service Certificate DN is now the identifier for hosts and machines
carcassi   Release version in command line
carcassi   If gums.config isn't found the first time, a tomcat restart was needed
carcassi   Minor updates to the web interface
carcassi   VOMS Admin v1.0.x (glite) compatibility
carcassi   Support for mapfile cache terminated: web service door only
carcassi   FQAN allows for -, _ and . in the vo, group, role and capability
carcassi   DB reviewed: better indexing and transaction use
carcassi   Updating from VOMS is no longer blocking

Release 1.0.1 - 2005-04-07

By         Changes
carcassi   Including setupDatabase with the modification made for VDT
carcassi   gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package)
carcassi   Error code from scripts was incorrect; that caused the cron job to update maps in case of error too

Release 1.0.0 - 2005-03-16

By         Changes
carcassi   Repackaging of the client components: merged admin and host and named it client
mlorch     Fixed minor issues with authorization obligations for storage system
carcassi   Double add to a manual group now fails
carcassi   Script that creates the database and changes the configuration accordingly
carcassi   Repackaging of the service component
carcassi   Server identity is now gums host name
carcassi   GUMS accepts new style proxies
carcassi   The accounts in the pool are used in alphabetical order
carcassi   Inverse map is now generated exploring all the DN/FQAN combinations
carcassi   Gridmapfile is generated simulating users with no FQAN
carcassi   LDAP integration for primary gid change at BNL once an account is assigned

Release 0.7.1 - 2005-02-01

By         Changes
carcassi   Log names review so that both client and server can stay (through links) in the same directory
carcassi   NIS update is done every hour and is now thread safe
carcassi   Log file permissions for the command line tools are set so multiple users can use them (important for admin)
carcassi   GUMS host can now be used for stress testing and timing the server response
carcassi   Added connection pooling on mysql server
carcassi   Solved a race condition that would make GUMS hang in some circumstances
mlorch     AuthZ callout without GT3, both client and server stubs
carcassi   Added code for Privilege Project in GUMS rep repository and build process

Release 0.7 - 2005-01-14

By         Changes
carcassi   Better logging: server logs all commands with both input and output
carcassi   More complete command line interface
carcassi   Web service implementation
carcassi   HostWildcards can be more than one, comma separated
carcassi   Support for VOMS Fully Qualified Attribute names
carcassi   AuthZ service to be contacted by Globus callout
carcassi   Support for grid3-user-vo-map.txt generation
carcassi   Many many other refinements

Release 0.6.1 - 2004-08-10

By         Changes
carcassi   Nightly build and reporting with Maven
carcassi   Removed all the old code from 0.6
carcassi   Better log system: logs for developer, resource admin and site admin in place
carcassi   Ability to retrieve groups from within a VOMS server (finally)
carcassi   No more duplication in the mapfiles
carcassi   Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated
carcassi   Improved error handling (i.e. a failed update on one group doesn't block the others)
carcassi   Installation through RPMs (cron jobs installed automatically)
carcassi   Unit tests to Grid3 VOs included
carcassi   LDAP access improved: can access LCG dev VO

Release 0.6 - 2004-07-01

By         Changes
carcassi   XML configuration file for mapping policy
carcassi   Log infrastructure
carcassi   More flexible architecture
carcassi   Decoupled grid-mapfile generation from database caching for distribution on gatekeeper
carcassi   Web interface to generate grid-mapfiles and map users
carcassi   Better command line interfaces (feel like Unix commands)

Release 0.5 - 2004-05-20

By         Changes
carcassi   GUMS in production at BNL
carcassi   NISMapper: retrieves the GECOS field and matches with certificate CN
carcassi   Architecture to allow different types of mappings for different hosts

Release undetermined - before March 2004

By         Changes
dtyu       Script to fetch user from VOMS
tomw       Script to map user to local account

Root vs non-root

Firewall and security considerations

Prepare the database

[root@www gums-service]# cat var/sql/setupDatabase.mysql
CREATE DATABASE GUMS_1_1;
GRANT ALL ON GUMS_1_1.* TO USER@SERVER IDENTIFIED BY 'PASSWORD';
USE GUMS_1_1;
CREATE TABLE `USER` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `GROUP_NAME` VARCHAR(255) NOT NULL,
  `DN` varchar(255) NOT NULL,
  `FQAN` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));
CREATE TABLE `MAPPING` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `MAP` VARCHAR(255) NOT NULL,
  `DN` varchar(255) default NULL,
  `ACCOUNT` varchar(255) default NULL
) TYPE=InnoDB;
CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

[root@www sbin]# cat var/sql/addAdmin.mysql
USE GUMS_1_1;
INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service

<Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/tomcat/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />

Installing the client tools

1.2 Installation

1.2.1 HOW TO: VDT installation

HOW TO: GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT

1.2.2 HOW TO: Manual installation

HOW TO: GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Examples:
setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password secret authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost
Usage: addAdmin [DN for administrator]

Example:
addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd ../..
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums

<env-entry>
    <env-entry-name>updateGroupsMinutes</env-entry-name>
    <env-entry-type>java.lang.Integer</env-entry-type>
    <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
generateGridMapfile - Generate grid-mapfile for a given host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
updateGroups - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems

1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences

Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"

1.3 Using GUMS

1.3.1 Configuration

Configuring GUMS

1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory ... />
  </persistenceFactories>
  <adminUserGroup ... />
  <groupMappings>
    <groupMapping>
      <userGroup ... />
      <accountMapping ... />
    </groupMapping>
    <groupMapping>
      <userGroup ... />
      <compositeAccountMapping>
        <accountMapping ... />
        <accountMapping ... />
        <accountMapping ... />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup ... />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories

groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" ... />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" ... />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" ... />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" ... />
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd, usatlasPool, ivdglPool" />

in the order specified

The first match will define the map.

<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="atlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="osgusatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"
      acceptProxyWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>

in the order listed

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap

className
    The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.hibernate.HibernatePersistenceFactory

<persistenceFactory name="mysql"
    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
    hibernate.connection.username="gums"
    hibernate.connection.password="mysecret"
    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
    hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

name
    The name that will be used by the other components to refer to this groupMapping.
    Examples: atlas, star, phenix

accountingVo
    The lower case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

accountingDesc
    The upper case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, iVDgL

userGroup

className
    The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualUserGroup

gov.bnl.gums.LDAPGroup

server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl

query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
    server="grid-vo.nikhef.nl"
    query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
    persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

url
    The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole

matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    - exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
    - group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    - vo: the FQAN in the proxy has to be of the same vo
    - ignore: the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlas"
    voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualUserGroup

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping

className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

jndiNisUrl
    The url, as defined in the Java JNDI driver, that allows specifying the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

jndiLdapUrl
    The url, as defined in the Java JNDI driver, that allows specifying the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

groupName
    The name of the account.
    Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup

className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings, in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there is more than one match (i.e. a user is part of several groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.', '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

1312 Examples

Configuration examples

Mapping people from a VOMS server

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemmatchFQAN=VO acceptProxyWithoutFQAN=true gt

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatlas1 gt

ltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlas gt

Allowing ad-hoc list of people

ltgroupMapping name=testersgtltuserGroup className=govbnlgumsManualUserGroup

persistenceFactory=mysql name=testers gtltaccountMapping className=govbnlgumsGroupAccountMapper groupName=test gt

ltgroupMappinggt

1 3 1 2 E X A M P L E S 39

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=testers gt

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas"
    voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas"
    voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas"
    voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlasProd"
    voGroup="/atlas" voRole="production"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@testgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
generateGridMapfile - Generate grid-mapfile for a given service/host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
pool-addRange - Adds accounts to an account pool
updateGroups - Contact VO servers and retrieve user lists
version - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>      DN of the service. When using gums-host it defaults
                         to the host credential DN.
 -f,--fqan <arg>         Fully Qualified Attribute Name as it would be
                         selected using voms-proxy-init (no extended information by
                         default).
 -t,--timing <arg>       enables timing, grouping the requests. For example
                         -t 100 will give you timing information on 100 requests at a
                         time.
 -b,--bypassCallout      connects directly to GUMS instead of using the
                         callout.
 -i,--issuer <arg>       Fully Qualified Attribute Name Issuer, that is the
                         DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>       number of times the request will be repeated.
    --help               print this message

Service mapping generation commands

gums mapUser

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
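The two files generated above are installed on the gatekeeper and read by different consumers: the grid-mapfile decides which local account a DN runs as, and grid3-user-vo-map.txt tells accounting which VO each account belongs to. The following is an added example, not part of GUMS: a consistency check a site admin can run over the generated output before installing it. It flags a DN that appears twice with different accounts (only the first line is honoured, so the second is dead policy) and an account in the grid-mapfile that has no VO in the user-vo map (jobs would run but could not be attributed). The two sample files are constructed, not copied from a real site.

```python
import re

# Added example, not GUMS code: sanity checks over the grid-mapfile and
# grid3-user-vo-map.txt that GUMS generates for one host. Sample file
# contents below are constructed.

GRID_MAPFILE = """\
#---- members of vo: usatlas ----
"/DC=org/DC=doegrids/OU=People/CN=Example User One 1111" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Example User Two 2222" usatlas1
#---- members of vo: ivdgl ----
"/DC=org/DC=doegrids/OU=People/CN=Example User Two 2222" ivdgl
"/DC=org/DC=doegrids/OU=People/CN=Example User Three 3333" usatlas2
"""

USER_VO_MAP = """\
#User-VO map
# #comment line, format of each regular line line: account VO
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
"""

# grid-mapfile line: a double-quoted DN followed by the local account
_MAP_LINE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def parse_grid_mapfile(text):
    """Return ([(dn, account), ...], [line numbers that did not parse]).
    Comments and blank lines are skipped; malformed lines are reported
    rather than silently dropped, since a dropped line is a silent deny."""
    entries, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _MAP_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        else:
            bad.append(n)
    return entries, bad


def parse_user_vo_map(text):
    """Return {account: vo} from a grid3-user-vo-map.txt body."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        account, vo = line.split()[:2]
        table[account] = vo
    return table


def check_maps(grid_mapfile, user_vo_map):
    """Return a list of human-readable findings (empty means consistent)."""
    entries, bad = parse_grid_mapfile(grid_mapfile)
    vo_of = parse_user_vo_map(user_vo_map)
    findings = [f"malformed grid-mapfile line {n}" for n in bad]
    first_account = {}
    for dn, account in entries:
        if dn in first_account and first_account[dn] != account:
            findings.append(f"duplicate DN with conflicting accounts: {dn} -> "
                            f"{first_account[dn]}, {account}")
        first_account.setdefault(dn, account)
        if account not in vo_of:
            findings.append(f"account {account} has no VO in user-vo map")
    return findings


if __name__ == "__main__":
    for finding in check_maps(GRID_MAPFILE, USER_VO_MAP):
        print(finding)
```

Run against real output, read the two files from the gatekeeper's /etc/grid-security directory instead of the embedded strings; the functions take the file contents as plain text.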

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
    persistenceFactory="mysql" name="myvo"
    voGroup="/myvo"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]# gums-host
usage: gums-host command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
generateGridMapfile - Generate grid-mapfile for this host
mapUser - Local credential used for a particular user
version - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>      DN of the service. When using gums-host it defaults
                         to the host credential DN.
 -f,--fqan <arg>         Fully Qualified Attribute Name as it would be
                         selected using voms-proxy-init (no extended information by
                         default).
 -t,--timing <arg>       enables timing, grouping the requests. For example
                         -t 100 will give you timing information on 100 requests at a
                         time.
 -b,--bypassCallout      connects directly to GUMS instead of using the
                         callout.
 -i,--issuer <arg>       Fully Qualified Attribute Name Issuer, that is the
                         DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>       number of times the request will be repeated.
    --help               print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version        Date                Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)

- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (glite) compatibility (carcassi)
- Support for mapfile cache terminated; web service door only (carcassi)
- FQAN allows for '-', '_' and '.' in the vo, group, role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now gums host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Gridmapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
- Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use it (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3, both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)

Release 0.7 - 2005-01-14

Changes (by):
- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests to Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches with certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (by):
- Script to fetch user from VOMS (dtyu)
- Script to map user to local account (tomw)


CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30));

CREATE TABLE `MAPPING` (
  `ID` INTEGER AUTO_INCREMENT PRIMARY KEY,
  `MAP` VARCHAR(255) NOT NULL,
  `DN` varchar(255) default NULL,
  `ACCOUNT` varchar(255) default NULL
) TYPE=InnoDB;

CREATE INDEX complete ON MAPPING (MAP(10), DN(70));

[root@www sbin]# cat ../var/sql/addAdmin.mysql
USE GUMS_1_1;

INSERT INTO USER SET DN='ADMINDN', GROUP_NAME='admins';

Installing the service

<Connector port="8443"
  maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
  enableLookups="false" disableUploadTimeout="true"
  acceptCount="100" debug="0" scheme="https" secure="true"
  sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
  sslCAFiles="/etc/grid-security/certificates/*.0"
  crlFiles="/etc/grid-security/certificates/*.r0"
  sslCertFile="/etc/grid-security/hostcert.pem"
  sslKey="/etc/tomcat/hostkey.pem"
  log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
  clientAuth="true" sslProtocol="TLS" />

Installing the client tools

1.2 Installation

1.2.1 HOW TO VDT installation

HOW TO GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT

1.2.2 HOW TO Manual installation

HOW TO GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443"
  maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
  enableLookups="false" disableUploadTimeout="true"
  acceptCount="100" debug="0" scheme="https" secure="true"
  sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
  sslCAFiles="/etc/grid-security/certificates/*.0"
  crlFiles="/etc/grid-security/certificates/*.r0"
  sslCertFile="/etc/grid-security/hostcert.pem"
  sslKey="/etc/grid-security/hostkey.pem"
  log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
  clientAuth="true" sslProtocol="TLS" />

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Examples: setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password secret authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost.
Usage: addAdmin [DN for administrator]

Example: addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd /opt
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums

<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarchrpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
generateGridMapfile - Generate grid-mapfile for a given host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
updateGroups - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems

1.2.3 HOW TO Upgrade from 1.0

HOW TO Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences

Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"

1.3 Using GUMS

1.3.1 Configuration

Configuring GUMS

1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory />
  </persistenceFactories>
  <adminUserGroup />
  <groupMappings>
    <groupMapping>
      <userGroup />
      <accountMapping />
    </groupMapping>
    <groupMapping>
      <userGroup />
      <compositeAccountMapping>
        <accountMapping />
        <accountMapping />
        <accountMapping />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories

groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd, usatlasPool, ivdglPool" />

in the order specified

The first match will define the map.

<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlasProd"
    voGroup="/atlas" voRole="production"
    sslCertfile="/etc/grid-security/gumscert.pem"
    sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="osgusatlas"
    voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/gumscert.pem"
    sslKey="/etc/grid-security/gumskey.pem"
    acceptProxiesWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>

in the order listed
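The ordering rules stated here (groupMappings are tried in the order the hostGroup lists them, the first userGroup that contains the user defines the map, and a compositeAccountMapping tries its account mappers in order), together with the matchFQAN modes and acceptProxyWithoutFQAN flag documented in the VOMSGroup attribute table, are what decide which local account a job runs under. The following is an added example, not GUMS source code: a small Python model of that resolution, driven by the atlasProd / usatlasPool policy shown above with a deliberately tiny account pool so that the fallback to the shared account is visible. Membership lists, DNs and FQANs are constructed; it assumes the FQAN layout /vo/group/Role=role/Capability=cap and the pool-addRange syntax as used on this page; manual groups and manual mappers are left out.

```python
from dataclasses import dataclass, field

# Added example, not GUMS code: a model of how a gums.config policy resolves a
# grid identity to a local account, following the ordering rules stated in
# this section and the matchFQAN modes from the VOMSGroup attribute table.
# Membership lists, DNs and FQANs are constructed; the assumed FQAN layout is
# /vo/group/Role=<role>/Capability=<cap>.

def parse_fqan(fqan):
    """Split an FQAN into (group path, role or None)."""
    parts = [p for p in fqan.split("/") if p]
    group = "/" + "/".join(p for p in parts if "=" not in p)
    role = next((p[5:] for p in parts if p.startswith("Role=")), None)
    return group, (None if role in (None, "NULL") else role)

def fqan_matches(mode, vo_group, vo_role, fqan):
    """The four matchFQAN modes: exact (default), group, vo, ignore."""
    if mode == "ignore":
        return True
    group, role = parse_fqan(fqan)
    if mode == "exact":
        return group == vo_group and role == vo_role
    if mode == "group":  # same group or any subgroup; role ignored
        return group == vo_group or group.startswith(vo_group + "/")
    if mode == "vo":     # same VO, i.e. same first path component
        return group.split("/")[1] == vo_group.split("/")[1]
    raise ValueError(f"unknown matchFQAN mode {mode!r}")

@dataclass
class VOMSGroup:
    members: set                  # DNs retrieved from VOMS (the cached list)
    vo_group: str
    vo_role: str = None
    match_fqan: str = "exact"
    accept_proxy_without_fqan: bool = False

    def contains(self, dn, fqan):
        if dn not in self.members:
            return False
        if fqan is None:          # plain, non-VOMS proxy
            return self.accept_proxy_without_fqan
        return fqan_matches(self.match_fqan, self.vo_group, self.vo_role, fqan)

@dataclass
class GroupAccountMapper:         # everyone maps to one shared account
    group_name: str
    def map(self, dn):
        return self.group_name

@dataclass
class AccountPoolMapper:          # one dedicated account per DN, sticky
    free: list
    assigned: dict = field(default_factory=dict)
    def __post_init__(self):
        self.free = sorted(self.free)  # accounts are used in alphabetical order
    def map(self, dn):
        if dn not in self.assigned and self.free:
            self.assigned[dn] = self.free.pop(0)
        return self.assigned.get(dn)   # None once the pool is exhausted

class CompositeAccountMapping:    # first mapper that yields an account wins
    def __init__(self, *mappers):
        self.mappers = mappers
    def map(self, dn):
        return next((a for a in (m.map(dn) for m in self.mappers) if a), None)

def parse_pool_range(spec):
    """Expand a pool-addRange argument as used on this page, e.g. 'grid0000-199'
    -> grid0000..grid0199 (assumed: the part after '-' is the last suffix)."""
    head, last = spec.rsplit("-", 1)
    width = len(head) - len(head.rstrip("0123456789"))
    prefix, first = head[:-width], int(head[-width:])
    return [f"{prefix}{i:0{width}d}" for i in range(first, int(last) + 1)]

def map_user(policy, dn, fqan=None):
    """policy: [(groupMapping name, userGroup, accountMapping)] in hostGroup
    order. Returns (name of the groupMapping that matched, local account)."""
    for name, user_group, account_mapping in policy:
        if user_group.contains(dn, fqan):
            return name, account_mapping.map(dn)
    return None, None

def demo():
    """The atlasProd / usatlasPool policy shown above, with a two-account pool."""
    alice, bob, dave, eve = (f"/DC=org/DC=doegrids/OU=People/CN={n}"
                             for n in ("Alice 1", "Bob 2", "Dave 3", "Eve 4"))
    policy = [
        ("atlasProd", VOMSGroup({alice}, "/atlas", "production"),
         GroupAccountMapper("usatlas1")),
        ("usatlasPool",
         VOMSGroup({alice, bob, dave}, "/atlas/usatlas", accept_proxy_without_fqan=True),
         CompositeAccountMapping(AccountPoolMapper(parse_pool_range("grid0000-1")),
                                 GroupAccountMapper("usatlas1"))),
    ]
    return [
        map_user(policy, alice, "/atlas/Role=production/Capability=NULL"),   # role matches
        map_user(policy, alice, "/atlas/usatlas/Role=NULL/Capability=NULL"), # first misses, pool
        map_user(policy, bob),                                                # no FQAN, accepted
        map_user(policy, alice, "/atlas/usatlas/Role=NULL/Capability=NULL"), # same account again
        map_user(policy, dave, "/atlas/usatlas"),                             # pool empty, fallback
        map_user(policy, eve, "/atlas/usatlas"),                              # not a member
    ]
```

Two things the run makes visible: the same DN lands on different accounts depending on which FQAN the proxy carries, because atlasProd is listed first and only claims the production role; and once the pool is exhausted the composite mapping silently falls back to the shared usatlas1 account, so a pool sized too small degrades isolation rather than denying access.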

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

Attribute (description; examples):

name: The name that will be used by the other components to refer to this persistenceFactory. Examples: mysql, files, ldap

className: The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory. Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name="mysql" className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
  hibernate.connection.username="gums"
  hibernate.connection.password="mysecret"
  hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
  hibernate.connection.driver_class="com.mysql.jdbc.Driver"
  hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
  hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

Attribute (description; examples):

name: The name that will be used by the other components to refer to this groupMapping. Examples: atlas, star, phenix

accountingVo: The lower case OSG accounting name that will be used to generate the inverse maps for this group. Examples: atlas, ivdgl

accountingDesc: The upper case OSG accounting name that will be used to generate the inverse maps for this group. Examples: atlas, iVDgL

userGroup

Attribute (description; examples):

className: The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup. Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup

Attribute (description; examples):

server: The LDAP server from which to retrieve the information. Example: grid-vo.nikhef.nl

query: The query to be used on the server. Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory: The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section. Example: mysql

name: The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself. Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup" server="grid-vo.nikhef.nl" query="ou=People,o=atlas,dc=eu-datagrid,dc=org" persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

Attributes:

url
    The URL of the web services for VOMS. Notice that it needs the full URL of the service; it won't be constructed from the server name or VO.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole

matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    - exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
    - group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    - vo: the FQAN in the proxy has to be of the same VO
    - ignore: the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistanceFactory="mysql" name="atlas"
      voGroup="/atlas/test"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualGroup

Attributes:

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

  <userGroup className="gov.bnl.gums.ManualUserGroup"
      persistanceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


Attributes:

className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attributes:

jndiNisUrl
    The URL, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

  <accountMapping className="gov.bnl.gums.GecosNisAccountMapper"
      jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attributes:

jndiLdapUrl
    The URL, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

  <accountMapping className="gov.bnl.gums.GecosLdapAccountMapper"
      jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper

Attributes:

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

  <accountMapping className="gov.bnl.gums.AccountPoolMapper"
      persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attributes:

groupName
    The name of the account.
    Examples: atlas, testAccount

  <accountMapping className="gov.bnl.gums.GroupAccountMapper"
      groupName="atlas" />

hostGroups

hostGroup


Attributes:

className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attributes:

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org

  <hostGroup className="gov.bnl.gums.WildcardHostGroup"
      wildcard="*.usatlas.bnl.gov"
      groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

gov.bnl.gums.CertificateHostGroup

Attributes:

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.', '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

  <hostGroup className="gov.bnl.gums.CertificateHostGroup"
      cn="*.usatlas.bnl.gov"
      groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />
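The rules in the hostGroup and VOMSGroup tables above (the CN wildcard, the four matchFQAN modes, acceptProxyWithoutFQAN, and the first-match walk over the groups list) are easy to get wrong when writing a policy, so here is an added Python model of them to check a configuration against. It is written for this page and is not GUMS code; the VOMS member lists, DNs and group definitions in it are constructed stand-ins for what GUMS would fetch from VOMS and read from gums.config.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set


def cn_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a CertificateHostGroup 'cn' wildcard.

    '*' stands for any run of characters except '.', '/' and '=', so
    '*.mysite.com' matches 'gk.mysite.com' but neither 'gk.sub.mysite.com'
    nor 'host/gk.mysite.com'."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + "[^./=]*".join(literal_parts) + "$")


def host_matches(cn_pattern: str, service_cn: str) -> bool:
    return cn_wildcard_to_regex(cn_pattern).match(service_cn) is not None


def split_fqan(fqan: str):
    """'/atlas/usatlas/Role=production/Capability=NULL' -> ('/atlas/usatlas', 'production').
    A missing role or 'Role=NULL' is returned as None."""
    group, _, rest = fqan.partition("/Role=")
    role = rest.split("/")[0] if rest else ""
    return group.rstrip("/"), (role if role and role != "NULL" else None)


def fqan_matches(mode: str, vo_group: str, vo_role: Optional[str],
                 fqan: Optional[str], accept_proxy_without_fqan: bool) -> bool:
    """Apply the matchFQAN modes from the VOMSGroup attribute table."""
    if fqan is None:                      # plain, non-VOMS proxy
        return accept_proxy_without_fqan
    if mode == "ignore":
        return True
    proxy_group, proxy_role = split_fqan(fqan)
    vo_group = vo_group.rstrip("/")
    if mode == "vo":                      # same VO: first path component
        vo = "/" + vo_group.strip("/").split("/")[0]
        return proxy_group == vo or proxy_group.startswith(vo + "/")
    if mode == "group":                   # same group or any subgroup, role ignored
        return proxy_group == vo_group or proxy_group.startswith(vo_group + "/")
    if mode == "exact":                   # group and role both have to agree
        return proxy_group == vo_group and proxy_role == vo_role
    raise ValueError(f"unknown matchFQAN mode: {mode!r}")


@dataclass
class VomsGroupMapping:
    """One groupMapping whose userGroup is a VOMSGroup and whose
    accountMapping is a GroupAccountMapper (constructed stand-in)."""
    name: str
    members: Set[str]                 # DNs as retrieved from VOMS
    vo_group: str
    vo_role: Optional[str] = None
    match_fqan: str = "exact"
    accept_proxy_without_fqan: bool = False
    account: str = ""                 # GroupAccountMapper groupName

    def contains(self, dn: str, fqan: Optional[str]) -> bool:
        return dn in self.members and fqan_matches(
            self.match_fqan, self.vo_group, self.vo_role, fqan,
            self.accept_proxy_without_fqan)


@dataclass
class HostGroup:
    cn: str                           # CertificateHostGroup cn wildcard
    groups: List[VomsGroupMapping]    # in order of preference


def map_user(host_groups: List[HostGroup], service_cn: str,
             dn: str, fqan: Optional[str] = None) -> Optional[str]:
    """First hostGroup whose cn matches the service; within it the first
    groupMapping that contains the user wins, as the 'groups' table states."""
    for hg in host_groups:
        if not host_matches(hg.cn, service_cn):
            continue
        for group in hg.groups:
            if group.contains(dn, fqan):
                return group.account
        return None
    return None


# Constructed sample policy and user (not taken from the documentation).
SAMPLE_DN = "/DC=org/DC=doegrids/OU=People/CN=Sample User 00000"
USATLAS_PROD = VomsGroupMapping("usatlasProd", {SAMPLE_DN}, "/atlas", "production",
                                match_fqan="exact", account="usatprod")
USATLAS = VomsGroupMapping("usatlas", {SAMPLE_DN}, "/atlas/usatlas",
                           match_fqan="vo", accept_proxy_without_fqan=True,
                           account="usatlas1")
# Production role first, as in the "Mapping based on groups/roles" example.
SAMPLE_HOST_GROUPS = [HostGroup("*.mysite.com", [USATLAS_PROD, USATLAS])]
```

Swapping the order of the two groupMappings in SAMPLE_HOST_GROUPS changes the answer for a production-role proxy from usatprod to usatlas1, which is why the groups attribute is documented as an ordered list: the most specific mapping belongs first.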


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

  <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem"
        matchFQAN="VO" acceptProxyWithoutFQAN="true" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </groupMapping>

  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing ad-hoc list of people

  <groupMapping name="testers">
    <userGroup className="gov.bnl.gums.ManualUserGroup"
        persistenceFactory="mysql" name="testers" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
  </groupMapping>

  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

  <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper"
        persistenceFactory="mysql" name="bnlPool" />
  </groupMapping>

  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

  > bin/gums pool-addRange mysql bnlPool grid0000-199
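What the range argument of pool-addRange means and how the pool hands accounts out is not spelled out above, so the following added Python sketch (not GUMS code) models it: the argument is read as an account prefix followed by a zero-padded start number, a dash and an inclusive end number, and accounts are assigned in alphabetical order and remembered per DN, as the 1.0.0 release notes state. The in-memory dictionary stands in for the persistence factory; the reading of the range syntax is an assumption based on the examples on this page, and the DNs used are constructed.

```python
import re
from typing import Dict, List, Optional, Set

# prefix, zero-padded start number, dash, end number (e.g. "grid0000-199")
RANGE_RE = re.compile(r"^(?P<prefix>.*?)(?P<start>\d+)-(?P<end>\d+)$")


def expand_range(spec: str) -> List[str]:
    """'grid0000-199' -> ['grid0000', ..., 'grid0199'].

    The width of the start number sets the zero padding; the end number is
    inclusive.  This reading of the syntax is assumed from the examples on
    the page, not taken from GUMS source."""
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"not a pool range: {spec!r}")
    prefix, start, end = m.group("prefix"), m.group("start"), m.group("end")
    lo, hi = int(start), int(end)
    if hi < lo:
        raise ValueError(f"end before start in {spec!r}")
    width = len(start)
    return [f"{prefix}{n:0{width}d}" for n in range(lo, hi + 1)]


class AccountPool:
    """In-memory stand-in for an AccountPoolMapper's persisted pool."""

    def __init__(self) -> None:
        self.free: Set[str] = set()
        self.assigned: Dict[str, str] = {}     # DN -> account

    def add_range(self, spec: str) -> int:
        """pool-addRange: add accounts, skipping ones already present or handed out."""
        added = 0
        for account in expand_range(spec):
            if account in self.free or account in self.assigned.values():
                continue
            self.free.add(account)
            added += 1
        return added

    def map_user(self, dn: str) -> Optional[str]:
        """A DN keeps the account it was first given; a new DN takes the
        alphabetically first free account.  None means the pool is exhausted,
        which is the condition an administrator wants to see in the logs."""
        if dn in self.assigned:
            return self.assigned[dn]
        if not self.free:
            return None
        account = min(self.free)
        self.free.remove(account)
        self.assigned[dn] = account
        return account
```

Running add_range twice with the same specification adds nothing the second time, so the command can be repeated safely, and an account that was already assigned never goes back into the free set.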

Composite mapping


  <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <compositeAccountMapping>
      <accountMapping className="gov.bnl.gums.ManualAccountMapper"
          persistenceFactory="mysql" name="bnlMap" />
      <accountMapping className="gov.bnl.gums.AccountPoolMapper"
          persistenceFactory="mysql" name="bnlPool" />
    </compositeAccountMapping>
  </groupMapping>

Mapping based on groupsroles

  <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </groupMapping>

  <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlasProd"
        voGroup="/atlas" voRole="production"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
  </groupMapping>

  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas" />


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@testgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user
Options:
 -s,--service <arg>     DN of the service. When using gums-host, it defaults
                        to the host credential DN
 -f,--fqan <arg>        Fully Qualified Attribute Name, as it would be
                        selected using voms-proxy-init; no extended
                        information by default
 -t,--timing <arg>      enables timing, grouping the requests. For example
                        -t 100 will give you timing information on 100
                        requests at a time
 -b,--bypassCallout     connects directly to GUMS instead of using the
                        callout
 -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the
                        DN of the VOMS service that issued the attribute
                        certificate
 -n,--ntimes <arg>      number of times the request will be repeated
    --help              print this message

Service mapping generation commands

gums mapUser

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName grid12345]

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName special1]


gums generateGridMapfile

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line, <line>: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
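An added Python helper, not part of GUMS or its documentation, that parses grid-mapfile output in the shape shown above and derives from it the account-to-VO inverse map in grid3-user-vo-map.txt layout. It is handy when auditing which local accounts a generated mapfile grants to which VO, and it refuses an account that turns up under two VOs instead of silently keeping the last one. The sample mapfile, the DNs in it and the VO description table are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# The VO marker comment and the '"DN" account' entry line of a grid-mapfile.
VO_MARKER = re.compile(r"^#---- members of vo: (\S+) ----$")
ENTRY = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<account>\S+)$')

# Constructed sample in the format GUMS prints; the people are made up.
SAMPLE_GRIDMAPFILE = """\
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Sample User One 0001" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Sample User Two 0002" usatlas1
#---- members of vo: ivdgl ----
"/DC=org/DC=doegrids/OU=People/CN=Sample User Three 0003" ivdgl
"""

# accountingVo -> accountingDesc, as in the groupMapping attributes (constructed)
SAMPLE_VO_DESC = {"usatlas": "ATLAS", "ivdgl": "iVDgL"}


def parse_gridmapfile(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (dn, account, vo) triples; vo is taken from the preceding marker."""
    entries: List[Tuple[str, str, Optional[str]]] = []
    current_vo: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        marker = VO_MARKER.match(line)
        if marker:
            current_vo = marker.group(1)
            continue
        if line.startswith("#"):          # any other comment
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a grid-mapfile entry: {line!r}")
        entries.append((m.group("dn"), m.group("account"), current_vo))
    return entries


def inverse_map(entries: List[Tuple[str, str, Optional[str]]]) -> Dict[str, str]:
    """account -> vo.  An account claimed by two VOs makes accounting
    ambiguous, so it is reported rather than overwritten."""
    result: Dict[str, str] = {}
    for _dn, account, vo in entries:
        if vo is None:
            raise ValueError(f"{account}: no VO marker precedes this entry")
        if result.get(account, vo) != vo:
            raise ValueError(f"{account} is listed under both {result[account]} and {vo}")
        result[account] = vo
    return result


def grid3_user_vo_map(entries: List[Tuple[str, str, Optional[str]]],
                      vo_desc: Dict[str, str]) -> str:
    """Render the grid3-user-vo-map.txt layout shown above."""
    acct_to_vo = inverse_map(entries)
    vos: List[str] = []
    for _dn, _account, vo in entries:     # keep first-seen VO order
        if vo not in vos:
            vos.append(vo)
    lines = ["#User-VO map",
             "#voi " + " ".join(vos),
             "#VOc " + " ".join(vo_desc[vo] for vo in vos)]
    for vo in vos:
        lines.append(f"#---- accounts for vo: {vo} ----")
        for account in sorted(a for a, v in acct_to_vo.items() if v == vo):
            lines.append(f"{account} {vo}")
    return "\n".join(lines) + "\n"
```

The entry regex requires the DN to be quoted and free of embedded double quotes, which is what the generated file above looks like; a hand-edited mapfile with unquoted DNs would be rejected with the offending line number rather than mis-parsed.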

Manual groups and mappings managements commands


  <groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql"
        name="group1" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
  </groupMapping>

  <groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
        persistenceFactory="mysql" name="myvo"
        voGroup="/myvo"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.ManualAccountMapper"
        persistenceFactory="mysql" name="map1" />
  </groupMapping>

gums manualGroup-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add


[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]# gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user
Options:
 -s,--service <arg>     DN of the service. When using gums-host, it defaults
                        to the host credential DN
 -f,--fqan <arg>        Fully Qualified Attribute Name, as it would be
                        selected using voms-proxy-init; no extended
                        information by default
 -t,--timing <arg>      enables timing, grouping the requests. For example
                        -t 100 will give you timing information on 100
                        requests at a time
 -b,--bypassCallout     connects directly to GUMS instead of using the
                        callout
 -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the
                        DN of the VOMS service that issued the attribute
                        certificate
 -n,--ntimes <arg>      number of times the request will be repeated
    --help              print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName special1]

gums generateGridMapfile


[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line, <line>: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

(If you choose to print this, you might also want to print the code to which the online version of this article links.)

Changing storage for GUMS data


  throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

  throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version        Date               Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
  - Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
  - Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
  - Mapping according to Gecos field available in both NIS and LDAP (carcassi)
  - One can filter on the full CN of a host certificate (carcassi)
  - The Service Certificate DN is now the identifier for hosts and machines (carcassi)
  - Release version in command line (carcassi)
  - If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
  - Minor updates to the web interface (carcassi)
  - VOMS Admin v1.0.x (glite) compatibility (carcassi)
  - Support for mapfile cache terminated: web service door only (carcassi)
  - FQAN allows for '-', '_' and '.' in the VO, group, role and capability (carcassi)
  - DB reviewed: better indexing and transaction use (carcassi)
  - Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
  - Including setupDatabase with the modification made for VDT (carcassi)
  - gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
  - Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
  - Repackaging of the client components: merged admin and host and named it client (carcassi)
  - Fixed minor issues with authorization obligations for storage system (mlorch)
  - Double add to a manual group now fails (carcassi)
  - Script that creates the database and changes the configuration accordingly (carcassi)
  - Repackaging of the service component (carcassi)
  - Server identity is now gums host name (carcassi)
  - GUMS accepts new style proxies (carcassi)
  - The accounts in the pool are used in alphabetical order (carcassi)
  - Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
  - Gridmapfile is generated simulating users with no FQAN (carcassi)
  - LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
  - Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
  - NIS update is done every hour and is now thread safe (carcassi)
  - Log file permissions for the command line tools are set so multiple users can use it (important for admin) (carcassi)
  - GUMS host can now be used for stress testing and timing the server response (carcassi)
  - Added connection pooling on mysql server (carcassi)
  - Solved a race condition that would make GUMS hang in some circumstances (carcassi)
  - AuthZ callout without GT3, both client and server stubs (mlorch)
  - Added code for Privilege Project in GUMS repository and build process (carcassi)


Release 0.7 - 2005-01-14

Changes (by):
  - Better logging: server logs all commands with both input and output (carcassi)
  - More complete command line interface (carcassi)
  - Web service implementation (carcassi)
  - HostWildcards can be more than one, comma separated (carcassi)
  - Support for VOMS Fully Qualified Attribute names (carcassi)
  - AuthZ service to be contacted by Globus callout (carcassi)
  - Support for grid3-user-vo-map.txt generation (carcassi)
  - Many many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
  - Nightly build and reporting with Maven (carcassi)
  - Removed all the old code from 0.6 (carcassi)
  - Better log system: logs for developer, resource admin and site admin in place (carcassi)
  - Ability to retrieve groups from within a VOMS server (finally) (carcassi)
  - No more duplication in the mapfiles (carcassi)
  - Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
  - Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
  - Installation through RPMs (cron jobs installed automatically) (carcassi)
  - Unit tests to Grid3 VOs included (carcassi)
  - LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
  - XML configuration file for mapping policy (carcassi)
  - Log infrastructure (carcassi)
  - More flexible architecture (carcassi)
  - Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
  - Web interface to generate grid-mapfiles and map users (carcassi)
  - Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
  - GUMS in production at BNL (carcassi)
  - NISMapper: retrieves the GECOS field and matches it with the certificate CN (carcassi)
  - Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (by):
  - Script to fetch users from VOMS (dtyu)
  - Script to map users to local accounts (tomw)


  <Connector port="8443"
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100" debug="0" scheme="https" secure="true"
      sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
      sslCAFiles="/etc/grid-security/certificates/*.0"
      crlFiles="/etc/grid-security/certificates/*.r0"
      sslCertFile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/tomcat/hostkey.pem"
      log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
      clientAuth="true" sslProtocol="TLS" />


Installing the client tools


1.2 Installation


1.2.1 HOW TO: VDT installation

HOW TO: GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


1.2.2 HOW TO: Manual installation

HOW TO: GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

  <Connector port="8443"
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100" debug="0" scheme="https" secure="true"
      sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
      sslCAFiles="/etc/grid-security/certificates/*.0"
      crlFiles="/etc/grid-security/certificates/*.r0"
      sslCertFile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem"
      log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
      clientAuth="true" sslProtocol="TLS" />

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Examples:
  setupDatabase gums gums.mysite.com secret

  This will make mysql authenticate as root with a password (-p), create a gums
  user with password secret, authorized to connect from gums.mysite.com

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost
Usage: addAdmin [DN for administrator]

Example:
  addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd ../..
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums


    <env-entry>
      <env-entry-name>updateGroupsMinutes</env-entry-name>
      <env-entry-type>java.lang.Integer</env-entry-type>
      <env-entry-value>720</env-entry-value>
    </env-entry>

Installing the client

    [root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
    [root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

    [root@gums root]# cd /opt/gums/bin
    [root@gums bin]# ./gums
    usage: gums command [command-options]
    Commands:
      generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
      generateGridMapfile    - Generate grid-mapfile for a given host
      manualGroup-add        - Includes a DN in a group
      manualGroup-remove     - Removes a DN from a group
      manualMapping-add      - Adds a DN-to-username in a mapping
      manualMapping-remove   - Removes a DN from a mapping
      mapUser                - Local credential used for a particular user
      mapfileCache-refresh   - Regerates mapfiles in the cache
      updateGroups           - Contact VO servers and retrieve user lists

    For help on any command: gums command --help

    [root@gums bin]# cat /etc/gums-client.properties
    gums.location=https://localhost:8443/gums/services/GUMSAdmin
    gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

    [root@gums bin]# vi /etc/gums-client.properties
    [root@gums bin]# cat /etc/gums-client.properties
    gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
    gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

    [root@gums bin]# su - username
    [username@gums bin]$ grid-proxy-init
    [username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

    gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

    <gums>
      <persistenceFactories>
        <persistenceFactory/>
      </persistenceFactories>
      <adminUserGroup/>
      <groupMappings>
        <groupMapping>
          <userGroup/>
          <accountMapping/>
        </groupMapping>
        <groupMapping>
          <userGroup/>
          <compositeAccountMapping>
            <accountMapping/>
            <accountMapping/>
            <accountMapping/>
          </compositeAccountMapping>
        </groupMapping>
      </groupMappings>
      <hostGroups>
        <hostGroup/>
      </hostGroups>
    </gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

    <hostGroups>
      <!-- RHIC gatekeepers -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" />
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" />
      <!-- ATLAS test gatekeeper -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />
      <!-- Rest of ATLAS gatekeepers -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
    </hostGroups>

in the order specified

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov"
        groups="atlasProd, usatlasPool, ivdglPool" />

in the order specified

The first match will define the map.


    <groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="atlasProd"
          voGroup="/atlas" voRole="production"
          sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>

    <groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="osgusatlas"
          voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"
          acceptProxiesWithoutFQAN="true" />
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
        <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
      </compositeAccountMapping>
    </groupMapping>


in the order listed

persistenceFactories

    <persistenceFactories>
      <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
    </persistenceFactories>

persistenceFactory

Attributes (with description and examples):

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap

className
    The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

    <persistenceFactory name="mysql" className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
        hibernate.connection.username="gums"
        hibernate.connection.password="mysecret"
        hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
        hibernate.connection.driver_class="com.mysql.jdbc.Driver"
        hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
        hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

Attributes (with description and examples):

name
    The name that will be used by the other components (for example the groups list of a hostGroup) to refer to this groupMapping.
    Examples: atlas, star, phenix

accountingVo
    The lower case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

accountingDesc
    The upper case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, iVDgL

userGroup

Attributes (with description and examples):

className
    The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup


Attributes (with description and examples):

server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl

query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

    <userGroup className="gov.bnl.gums.LDAPGroup" server="grid-vo.nikhef.nl"
        query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
        persistenceFactory="mysql" name="atlas" />

govbnlgumsVOMSGroup

Attributes (with description and examples):

url
    The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole

matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    - exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
    - group: the FQAN in the proxy has to be the same group or any subgroup; role is ignored
    - vo: the FQAN in the proxy has to be of the same vo
    - ignore: the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />

govbnlgumsManualGroup

Attributes (with description and examples):

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


Attributes (with description and examples):

className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attributes (with description and examples):

jndiNisUrl
    The url, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

    <accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attributes (with description and examples):

jndiLdapUrl
    The url, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

    <accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

govbnlgumsAccountPoolMapper


Attributes (with description and examples):

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attributes (with description and examples):

groupName
    The name of the account.
    Examples: atlas, testAccount

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


Attributes (with description and examples):

className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attributes (with description and examples):

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

    <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov"
        groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup

Attributes (with description and examples):

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"
        groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"
          matchFQAN="VO" acceptProxyWithoutFQAN="true" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing ad-hoc list of people

    <groupMapping name="testers">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

    > bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
      </compositeAccountMapping>
    </groupMapping>

Mapping based on groups/roles

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>

    <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
          sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />
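The examples above all rely on the same resolution rule: the service certificate CN selects a hostGroup, the hostGroup's groups list is walked in order, the first userGroup that contains the DN (with the matchFQAN and acceptProxyWithoutFQAN rules from the VOMSGroup table) defines the map, and a compositeAccountMapping uses the first accountMapping that yields an account. The following model is an added illustration written for this page, not GUMS code: it implements those rules in Python over constructed data (the DNs, host name and pool accounts are made up), so a site can reason about which account a given credential would receive before editing gums.config. It assumes that once a hostGroup matches, later hostGroups are not consulted.

```python
"""Model of how a GUMS 1.1 configuration resolves (service, user DN, FQAN) to a
local account.  Added example, not GUMS code; all names below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_fqan(fqan: str):
    """Split a VOMS FQAN such as /atlas/usatlas/Role=production/Capability=NULL
    into (group, role); a NULL or absent role is reported as None."""
    group, role = [], None
    for part in fqan.strip("/").split("/"):
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif not part.startswith("Capability="):
            group.append(part)
    return "/" + "/".join(group), (None if role in (None, "NULL") else role)


def cn_matches(pattern: str, cn: str) -> bool:
    """CertificateHostGroup cn wildcard: '*' stands for any characters except '.', '/' or '='."""
    regex = "".join("[^./=]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, cn) is not None


@dataclass
class VomsGroup:
    """Membership test with the matchFQAN / acceptProxyWithoutFQAN semantics of
    gov.bnl.gums.VOMSGroup; members stands in for the cached VOMS user list."""
    members: set
    vo_group: str
    vo_role: Optional[str] = None
    match_fqan: str = "exact"            # exact | group | vo | ignore
    accept_proxy_without_fqan: bool = False

    def contains(self, dn: str, fqan: Optional[str]) -> bool:
        if dn not in self.members:
            return False
        if fqan is None:                     # plain, non-VOMS proxy
            return self.accept_proxy_without_fqan
        group, role = parse_fqan(fqan)
        if self.match_fqan == "ignore":
            return True
        if self.match_fqan == "vo":
            return group.split("/")[1] == self.vo_group.split("/")[1]
        if self.match_fqan == "group":
            return group == self.vo_group or group.startswith(self.vo_group + "/")
        return group == self.vo_group and role == self.vo_role   # exact (default)


class GroupAccountMapper:                    # everyone in the group shares one account
    def __init__(self, group_name: str):
        self.group_name = group_name

    def map(self, dn: str) -> Optional[str]:
        return self.group_name


class AccountPoolMapper:                     # pool accounts handed out in alphabetical order
    def __init__(self, accounts: List[str]):
        self.free, self.assigned = sorted(accounts), {}

    def map(self, dn: str) -> Optional[str]:
        if dn not in self.assigned and self.free:
            self.assigned[dn] = self.free.pop(0)
        return self.assigned.get(dn)         # None once the pool is exhausted


class CompositeAccountMapping:               # first mapper that yields an account wins
    def __init__(self, mappers):
        self.mappers = mappers

    def map(self, dn: str) -> Optional[str]:
        return next((a for a in (m.map(dn) for m in self.mappers) if a), None)


@dataclass
class GroupMapping:
    user_group: VomsGroup
    account_mapping: object


@dataclass
class HostGroup:
    cn: str              # wildcard on the service certificate CN
    groups: List[str]    # groupMapping names, in order of preference


def map_user(host_groups: List[HostGroup], group_mappings: Dict[str, GroupMapping],
             service_dn: str, user_dn: str, fqan: Optional[str] = None) -> Optional[str]:
    """First hostGroup whose cn matches the service CN is used; within it the first
    groupMapping containing the user defines the map (later groups are not tried)."""
    cn = service_dn.rsplit("/CN=", 1)[1]
    for hg in host_groups:
        if cn_matches(hg.cn, cn):
            for name in hg.groups:
                gm = group_mappings[name]
                if gm.user_group.contains(user_dn, fqan):
                    return gm.account_mapping.map(user_dn)
            return None
    return None


# Constructed sample mirroring "Mapping based on groups/roles" and "Using account pools".
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 1111"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 2222"
CAROL = "/DC=org/DC=doegrids/OU=People/CN=Carol Example 3333"
GATEKEEPER = "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"


def build_sample():
    voms_users = {ALICE, BOB, CAROL}
    group_mappings = {
        "usatlasProd": GroupMapping(VomsGroup(voms_users, "/atlas", "production"),
                                    GroupAccountMapper("usatprod")),
        "usatlasPool": GroupMapping(VomsGroup(voms_users, "/atlas/usatlas"),
                                    CompositeAccountMapping([
                                        AccountPoolMapper(["grid0001", "grid0000"]),
                                        GroupAccountMapper("usatlas1")])),
    }
    return [HostGroup("*.mysite.com", ["usatlasProd", "usatlasPool"])], group_mappings
```

Two behaviours worth checking with it before deploying a configuration: a user holding a production role only gets usatprod because usatlasProd is listed first in the hostGroup, and a plain proxy without a FQAN is refused unless the group sets acceptProxyWithoutFQAN. The pool mapper is stateful by design, which is why GUMS persists the pool assignments in the persistence factory.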


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums
    usage: gums command [command-options]
    Commands:
      generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
      generateGridMapfile    - Generate grid-mapfile for a given service/host
      manualGroup-add        - Includes a DN in a group
      manualGroup-remove     - Removes a DN from a group
      manualMapping-add      - Adds a DN-to-username in a mapping
      manualMapping-remove   - Removes a DN from a mapping
      mapUser                - Local credential used for a particular user
      mapfileCache-refresh   - Regerates mapfiles in the cache
      pool-addRange          - Adds accounts to an account pool
      updateGroups           - Contact VO servers and retrieve user lists
      version                - Retrieve GUMS client version

    For help on any command: gums command --help

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
    usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
    Maps the grid identity to the local user.
    Options:
      -s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN.
      -f,--fqan <arg>        Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default.
      -t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
      -b,--bypassCallout     connects directly to GUMS instead of using the callout
      -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
      -n,--ntimes <arg>      number of times the request will be repeated
         --help              print this message

Service mapping generation commands

gums mapUser

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: grid12345]

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: special1]

gums generateGridMapfile

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
    #---- members of vo: usatlas ----
    "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
    #User-VO map
    # #comment line, format of each regular line, line: account VO
    # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
    #voi usatlas ivdgl ligo btev uscms sdss gridex grase
    #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
    #---- accounts for vo: usatlas ----#
    usatlas1 usatlas
    #---- accounts for vo: ivdgl ----#
    ivdgl ivdgl
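The two outputs above are consumed by other site services (the gatekeeper reads the grid-mapfile, accounting reads the user-VO map), so it is useful to be able to generate and validate both layouts offline. The following is an added illustration, not GUMS code: it builds both files from a constructed list of groupMappings (accountingVo, accountingDesc, account, member DNs), parses them back strictly, and reports any account that the grid-mapfile uses but the user-VO map cannot attribute to a VO. The layout follows the sample output shown on this page; the DNs and accounts are made up.

```python
"""Generate and parse the grid-mapfile and grid3-user-vo-map.txt layouts that
generateGridMapfile / generateGrid3UserVoMap print.  Added example, not GUMS
code; GROUPS is constructed data."""
from typing import Dict, List, Tuple

# (accountingVo, accountingDesc, local account, member DNs) per groupMapping.
GROUPS: List[Tuple[str, str, str, List[str]]] = [
    ("usatlas", "ATLAS", "usatlas1", [
        "/DC=org/DC=doegrids/OU=People/CN=Alice Example 1111",
        "/C=CH/O=CERN/OU=GRID/CN=Bob Example 2222",
    ]),
    ("ivdgl", "iVDgL", "ivdgl", [
        "/DC=org/DC=doegrids/OU=People/CN=Carol Example 3333",
    ]),
]


def grid_mapfile(groups=GROUPS) -> str:
    """grid-mapfile: one '"DN" account' line per member, grouped by VO."""
    lines = []
    for vo, _desc, account, members in groups:
        lines.append(f"#---- members of vo: {vo} ----")
        lines.extend(f'"{dn}" {account}' for dn in members)
    return "\n".join(lines) + "\n"


def grid3_user_vo_map(groups=GROUPS) -> str:
    """grid3-user-vo-map.txt: the inverse map from local account to VO, preceded
    by the #voi / #VOc header lines listing the lower- and mixed-case VO names."""
    lines = [
        "#User-VO map",
        "# #comment line, format of each regular line, line: account VO",
        "# Next 2 lines with VO names, same order, all lowercase, with case "
        "(lines starting with #voi, #VOc)",
        "#voi " + " ".join(g[0] for g in groups),
        "#VOc " + " ".join(g[1] for g in groups),
    ]
    for vo, _desc, account, _members in groups:
        lines.append(f"#---- accounts for vo: {vo} ----#")
        lines.append(f"{account} {vo}")
    return "\n".join(lines) + "\n"


def parse_grid_mapfile(text: str) -> Dict[str, str]:
    """DN -> account.  DNs are quoted because they contain spaces; comment and
    blank lines are skipped, and a malformed line raises instead of being
    silently dropped (a dropped line would quietly deny that user access)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"') or line.count('"') < 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, _, rest = line[1:].partition('"')
        fields = rest.split()
        if len(fields) != 1:
            raise ValueError(f"expected exactly one account after the DN: {raw!r}")
        mapping[dn] = fields[0]
    return mapping


def parse_user_vo_map(text: str) -> Dict[str, str]:
    """account -> accounting VO from a grid3-user-vo-map.txt."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            account, vo = line.split()
            result[account] = vo
    return result


def accounts_without_vo(mapfile_text: str, uservo_text: str) -> List[str]:
    """Accounts used in the grid-mapfile that the user-VO map does not attribute
    to any VO; a non-empty result means accounting records will be incomplete."""
    known = set(parse_user_vo_map(uservo_text))
    return sorted(set(parse_grid_mapfile(mapfile_text).values()) - known)
```

The cross-check is the part a site would run from cron after regenerating the files: an account that is mapped but has no VO line is typically a groupMapping whose accountingVo attribute was left unset.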

Manual groups and mappings managements commands


    <groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
    </groupMapping>

    <groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
          persistenceFactory="mysql" name="myvo" voGroup="/myvo"
          sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
    </groupMapping>

gums manualGroup-add

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

    [root@mygk bin]# gums-host
    usage: gums-host command [command-options]
    Commands:
      generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
      generateGridMapfile    - Generate grid-mapfile for this host
      mapUser                - Local credential used for a particular user
      version                - Retrieve GUMS client version

    For help on any command: gums-host command --help

    [root@mygk bin]# gums-host mapUser --help
    usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
    Maps the grid identity to the local user.
    Options:
      -s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN.
      -f,--fqan <arg>        Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default.
      -t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
      -b,--bypassCallout     connects directly to GUMS instead of using the callout
      -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
      -n,--ntimes <arg>      number of times the request will be repeated
         --help              print this message

Service mapping generation commands

gums-host mapUser

    [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: grid12345]

    [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: special1]

gums generateGridMapfile

    [root@mygk bin]# gums-host generateGridMapfile
    #---- members of vo: usatlas ----
    "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

    [root@mygk bin]# gums-host generateGrid3UserVoMap
    #User-VO map
    # #comment line, format of each regular line, line: account VO
    # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
    #voi usatlas ivdgl ligo btev uscms sdss gridex grase
    #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
    #---- accounts for vo: usatlas ----#
    usatlas1 usatlas
    #---- accounts for vo: ivdgl ----#
    ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


    [root@atlasgrid13 log]# cat /etc/sysconfig/syslog
    # Options to syslogd
    # -m 0 disables 'MARK' messages.
    # -r enables logging from remote machines
    # -x disables DNS lookups on messages recieved with -r
    # See syslogd(8) for more details
    SYSLOGD_OPTIONS="-r -m 0"
    # Options to klogd
    # -2 prints all kernel oops messages twice; once for klogd to decode, and
    #    once for processing with 'ksymoops'
    # -x disables all klogd processing of oops messages entirely
    # See klogd(8) for more details
    KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

if you choose to print this you might alsowant to print the code to which the online version of this article links

Changing storage for GUMS data


    throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

    throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

    GUMS encountered an error
    Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
    Error Message: Authorization denied

    $VDT_LOCATION/apache/logs/
    [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

    Version       Date                Description
    1.1.0         2005-07-20
    1.0.1         2005-04-07
    1.0.0         2005-03-16
    0.7.1         2005-02-01
    0.7           2005-01-14
    0.6.1         2004-08-10
    0.6           2004-07-01
    0.5           2004-05-20
    undetermined  before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 1.0.0 - 2005-03-16

Changes (By):
- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now gums host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Gridmapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (By):
- Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use it (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3, both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)


Release 0.7 - 2005-01-14

Changes (By):
- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (By):
- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests to Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (By):
- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (By):
- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches it with the certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (By):
- Script to fetch user from VOMS (dtyu)
- Script to map user to local account (tomw)


Installing the client tools


1.2 Installation


1.2.1 HOW TO VDT installation

HOW TO GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


1.2.2 HOW TO Manual installation

HOW TO GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]
Examples: setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), and create a gums user with password secret authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost
Usage: addAdmin [DN for administrator]
Example: addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd ../..
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums


<env-entry>
    <env-entry-name>updateGroupsMinutes</env-entry-name>
    <env-entry-type>java.lang.Integer</env-entry-type>
    <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
generateGridMapfile - Generate grid-mapfile for a given host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
updateGroups - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO Upgrade from 1.0

HOW TO Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
    <persistenceFactories>
        <persistenceFactory/>
    </persistenceFactories>
    <adminUserGroup/>
    <groupMappings>
        <groupMapping>
            <userGroup/>
            <accountMapping/>
        </groupMapping>
        <groupMapping>
            <userGroup/>
            <compositeAccountMapping>
                <accountMapping/>
                <accountMapping/>
                <accountMapping/>
            </compositeAccountMapping>
        </groupMapping>
    </groupMappings>
    <hostGroups>
        <hostGroup/>
    </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
    <!-- RHIC gatekeepers -->
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" />
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" />

    <!-- ATLAS test gatekeeper -->
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />

    <!-- Rest of ATLAS gatekeepers -->
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
    cn="mygk.usatlas.bnl.gov"
    groups="atlasProd, usatlasPool, ivdglPool" />

in the order specified

The first match will define the map.

<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="atlasProd"
        voGroup="/atlas" voRole="production"
        sslCertfile="/etc/grid-security/gumscert.pem"
        sslKey="/etc/grid-security/gumskey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="osgusatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/gumscert.pem"
        sslKey="/etc/grid-security/gumskey.pem"
        acceptProxyWithoutFQAN="true" />
    <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper"
            persistenceFactory="mysql" name="bnlPool" />
        <accountMapping className="gov.bnl.gums.GroupAccountMapper"
            groupName="usatlas1" />
    </compositeAccountMapping>
</groupMapping>

in the order listed

persistenceFactories

<persistenceFactories>
    <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

Attributes (name: description; examples):

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap

className
    The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.hibernate.HibernatePersistenceFactory

<persistenceFactory name="mysql"
    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
    hibernate.connection.username="gums"
    hibernate.connection.password="mysecret"
    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
    hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

Attributes (name: description; examples):

name
    The name that will be used by the other components to refer to this groupMapping.
    Examples: atlas, star, phenix

accountingVo
    The lower case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

accountingDesc
    The upper case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, iVDgL

userGroup

Attributes (name: description; examples):

className
    The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup


Attributes (name: description; examples):

server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl

query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
    server="grid-vo.nikhef.nl"
    query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
    persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

Attributes (name: description; examples):

url
    The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole


matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    • exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify
    • group - the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    • vo - the FQAN in the proxy has to be of the same vo
    • ignore - the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with a DN that is part of the group will be accepted.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlas"
    voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
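An added example in Python (not part of the GUMS documentation or code base) of the matchFQAN modes and the acceptProxyWithoutFQAN switch described in the table above; the member DN, the FQAN strings and the two group definitions are constructed for illustration.

```python
# Added example (not GUMS project code): the four matchFQAN modes and the
# acceptProxyWithoutFQAN switch of a VOMSGroup, as described in the attribute table.
# FQAN syntax assumed: /vo/group/subgroup[/Role=role][/Capability=cap]
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FQAN:
    group: str             # e.g. "/atlas/usatlas"
    role: Optional[str]    # e.g. "production"; None when no role is selected


def parse_fqan(text: str) -> FQAN:
    """Parse a VOMS FQAN such as '/atlas/usatlas/Role=production/Capability=NULL'."""
    role = None
    path = []
    for part in text.strip("/").split("/"):
        if part.startswith("Role="):
            value = part[len("Role="):]
            role = None if value in ("", "NULL") else value
        elif part.startswith("Capability="):
            continue                       # capabilities play no part in matching
        else:
            path.append(part)
    if not path or not path[0]:
        raise ValueError("FQAN must start with a VO name: %r" % text)
    return FQAN(group="/" + "/".join(path), role=role)


def fqan_matches(proxy: FQAN, vo_group: str, vo_role: Optional[str], mode: str) -> bool:
    """Apply one VOMSGroup's matchFQAN policy to the FQAN carried by the proxy."""
    vo_group = "/" + vo_group.strip("/")
    vo_role = vo_role or None
    if mode == "exact":        # default: group and role both as configured
        return proxy.group == vo_group and proxy.role == vo_role
    if mode == "group":        # same group or any subgroup, role ignored
        return proxy.group == vo_group or proxy.group.startswith(vo_group + "/")
    if mode == "vo":           # only the VO (first path element) must agree
        return proxy.group.split("/")[1] == vo_group.split("/")[1]
    if mode == "ignore":       # FQAN not looked at; membership alone decides
        return True
    raise ValueError("unknown matchFQAN value: %r" % mode)


@dataclass
class VOMSGroup:
    """The VOMSGroup attributes that decide whether a proxy belongs to the group."""
    members: frozenset                       # DNs fetched from VOMS and cached locally
    vo_group: str
    vo_role: Optional[str] = None
    match_fqan: str = "exact"
    accept_proxy_without_fqan: bool = False

    def accepts(self, dn: str, fqan: Optional[str]) -> bool:
        if dn not in self.members:           # the DN must be in the cached member list
            return False
        if fqan is None:                     # plain (non-VOMS) proxy
            return self.accept_proxy_without_fqan
        return fqan_matches(parse_fqan(fqan), self.vo_group, self.vo_role, self.match_fqan)


# Constructed sample data: one cached member DN and two group definitions.
MEMBER = "/DC=org/DC=doegrids/OU=People/CN=Example User 000001"
PRODUCTION = VOMSGroup(frozenset([MEMBER]), "/atlas", "production")      # exact match
ANALYSIS = VOMSGroup(frozenset([MEMBER]), "/atlas/usatlas", match_fqan="group",
                     accept_proxy_without_fqan=True)

if __name__ == "__main__":
    print(PRODUCTION.accepts(MEMBER, "/atlas/Role=production/Capability=NULL"))  # True
    print(PRODUCTION.accepts(MEMBER, None))                                      # False
    print(ANALYSIS.accepts(MEMBER, "/atlas/usatlas/sub/Role=admin"))             # True
    print(ANALYSIS.accepts(MEMBER, None))                                        # True
```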

gov.bnl.gums.ManualGroup

Attributes (name: description; examples):

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


Attributes (name: description; examples):

className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attributes (name: description; examples):

jndiNisUrl
    The url, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attributes (name: description; examples):

jndiLdapUrl
    The url, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper


Attributes (name: description; examples):

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attributes (name: description; examples):

groupName
    The name of the account.
    Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


Attributes (name: description; examples):

className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attributes (name: description; examples):

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup"
    wildcard="*.usatlas.bnl.gov"
    groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup


Attributes (name: description; examples):

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.', '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup"
    cn="*.usatlas.bnl.gov"
    groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />
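An added Python example (not GUMS code) of the cn/dn wildcard rule and of the groups list being walked in order of preference, as described for hostGroup above; the configuration, DNs and account names are constructed, and the rule that a compositeAccountMapping uses the first mapper that returns an account is an assumption, not something the page states.

```python
# Added example (not GUMS project code): how a CertificateHostGroup selects the host
# group for a service DN and how its groups="..." list is walked in order of preference.
# Wildcard rule from the attribute table: '*' stands for any run of characters other
# than '.', '/' or '=', so "*.bnl.gov" does not match "myhost.usatlas.bnl.gov".
# Assumption (not on the page): in a compositeAccountMapping the first mapper that
# returns an account wins.
import re
from typing import Callable, Dict, List, Optional

Mapper = Callable[[str], Optional[str]]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a hostGroup cn/dn wildcard into an anchored regular expression."""
    literal = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + "[^./=]*".join(literal) + "$")


def service_cn(service_dn: str) -> str:
    """CN of a service DN such as /DC=org/DC=doegrids/OU=Services/CN=host/gk.site.org."""
    idx = service_dn.rfind("/CN=")
    if idx < 0:
        raise ValueError("service DN has no CN: %r" % service_dn)
    return service_dn[idx + len("/CN="):]


class CertificateHostGroup:
    """<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn=.. or dn=.. groups=../>"""

    def __init__(self, groups: str, cn: Optional[str] = None, dn: Optional[str] = None):
        if (cn is None) == (dn is None):
            raise ValueError("give exactly one of cn= or dn=")
        self.groups = [g.strip() for g in groups.split(",")]    # order of preference
        self.on_cn = cn is not None
        self.pattern = wildcard_to_regex(cn if self.on_cn else dn)

    def matches(self, service_dn: str) -> bool:
        subject = service_cn(service_dn) if self.on_cn else service_dn
        return self.pattern.match(subject) is not None


class AccountPoolMapper:
    """AccountPoolMapper: hands out pool accounts in alphabetical order and remembers them."""

    def __init__(self, accounts: List[str]):
        self.free = sorted(accounts)
        self.assigned: Dict[str, str] = {}

    def __call__(self, user_dn: str) -> Optional[str]:
        if user_dn not in self.assigned:
            if not self.free:
                return None                  # pool exhausted: this mapper yields nothing
            self.assigned[user_dn] = self.free.pop(0)
        return self.assigned[user_dn]


def group_account_mapper(group_name: str) -> Mapper:
    """GroupAccountMapper: every member of the group shares one account."""
    return lambda _dn: group_name


class GroupMapping:
    """A groupMapping reduced to its cached members and its ordered account mappers."""

    def __init__(self, members: List[str], mappers: List[Mapper]):
        self.members = frozenset(members)
        self.mappers = mappers      # one for accountMapping, several for composite


def map_user(host_groups: List[CertificateHostGroup], group_mappings: Dict[str, GroupMapping],
             service_dn: str, user_dn: str) -> Optional[str]:
    """Local account for user_dn on the given service, or None when nothing applies."""
    for host_group in host_groups:               # tried in the order specified
        if not host_group.matches(service_dn):
            continue
        for name in host_group.groups:           # first group containing the user is used
            mapping = group_mappings[name]
            if user_dn in mapping.members:
                for mapper in mapping.mappers:
                    account = mapper(user_dn)
                    if account is not None:
                        return account
                return None                      # member, but no mapper had an account
        return None                              # host matched, user in none of its groups
    return None                                  # no host group matched the service


# Constructed sample configuration shaped like the examples in this section.
PRODUCER = "/DC=org/DC=doegrids/OU=People/CN=Example Producer 000001"
ANALYST = "/DC=org/DC=doegrids/OU=People/CN=Example Analyst 000002"
GROUP_MAPPINGS = {
    "atlasProd": GroupMapping([PRODUCER], [group_account_mapper("usatprod")]),
    "usatlasPool": GroupMapping([PRODUCER, ANALYST],
                                [AccountPoolMapper(["grid0000"]),      # one-account pool
                                 group_account_mapper("usatlas1")]),  # fallback
}
HOST_GROUPS = [
    CertificateHostGroup(cn="mygk.usatlas.bnl.gov", groups="atlasProd, usatlasPool"),
    CertificateHostGroup(cn="*.usatlas.bnl.gov", groups="usatlasPool"),
]
MYGK = "/DC=org/DC=doegrids/OU=Services/CN=mygk.usatlas.bnl.gov"
OTHER_GK = "/DC=org/DC=doegrids/OU=Services/CN=gk2.usatlas.bnl.gov"

if __name__ == "__main__":
    print(map_user(HOST_GROUPS, GROUP_MAPPINGS, MYGK, PRODUCER))      # usatprod
    print(map_user(HOST_GROUPS, GROUP_MAPPINGS, OTHER_GK, PRODUCER))  # grid0000
    print(map_user(HOST_GROUPS, GROUP_MAPPINGS, OTHER_GK, ANALYST))   # usatlas1
```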


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem"
        matchFQAN="vo" acceptProxyWithoutFQAN="true" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing ad-hoc list of people

<groupMapping name="testers">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper"
        persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper"
            persistenceFactory="mysql" name="bnlMap" />
        <accountMapping className="gov.bnl.gums.AccountPoolMapper"
            persistenceFactory="mysql" name="bnlPool" />
    </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlasProd"
        voGroup="/atlas" voRole="production"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@testgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
generateGridMapfile - Generate grid-mapfile for a given service/host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
pool-addRange - Adds accounts to an account pool
updateGroups - Contact VO servers and retrieve user lists
version - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user
Options:
-s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN
-f,--fqan <arg>        Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default
-t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
-b,--bypassCallout     connects directly to GUMS instead of using the callout
-i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
-n,--ntimes <arg>      number of times the request will be repeated
--help                 print this message

Service mapping generation commands

gums mapUser

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
        persistenceFactory="mysql" name="myvo"
        voGroup="/myvo"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]# gums-host
usage: gums-host command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
generateGridMapfile - Generate grid-mapfile for this host
mapUser - Local credential used for a particular user
version - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user
Options:
-s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN
-f,--fqan <arg>        Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default
-t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
-b,--bypassCallout     connects directly to GUMS instead of using the callout
-i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
-n,--ntimes <arg>      number of times the request will be repeated
--help                 print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]$ gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]$ gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]$ gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]$ gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
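The two listings above are what a gatekeeper consumes, so it is worth checking them before they are installed. The following Python is an added example, not part of the GUMS documentation or code: it parses a grid-mapfile and a grid3-user-vo-map.txt in the formats shown, and reports two things an administrator wants to know before copying them into place. A DN that appears twice with different accounts is shadowed, because the gatekeeper uses the first line whose DN matches; and an account that is in the grid-mapfile but has no line in the user-VO map runs jobs that the accounting built from that map attributes to no VO. The file contents embedded below are constructed samples in the same two formats, and every DN in them is made up.

```python
"""Parse the two files gums-host writes (grid-mapfile and grid3-user-vo-map.txt)
and cross-check them before they are installed on a gatekeeper. Added example,
not part of GUMS; the sample file contents below are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed samples in the formats shown above; the DNs are made up.
GRID_MAPFILE = """\
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Example User One 1111" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Example User Two 2222" usatlas1
#---- members of vo: ivdgl ----
"/DC=org/DC=doegrids/OU=People/CN=Example User Three 3333" ivdgl
"/DC=org/DC=doegrids/OU=People/CN=Example User Two 2222" ivdgl
"/DC=org/DC=doegrids/OU=People/CN=Example User Four 4444" grid0001
"""

USER_VO_MAP = """\
#User-VO map
# #comment line, format of each regular line, line: account VO
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
"""

MAPFILE_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<account>\S+)$')


def parse_grid_mapfile(text: str) -> List[Tuple[str, str]]:
    """Return (dn, account) pairs in file order; reject anything that is not
    a comment or a quoted DN followed by exactly one account."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MAPFILE_LINE.match(line)
        if not m:
            raise ValueError(f"grid-mapfile line {lineno}: cannot parse {raw!r}")
        entries.append((m["dn"], m["account"]))
    return entries


def effective_mapping(entries):
    """The gatekeeper takes the first line whose DN matches, so a repeated DN with
    a different account is shadowed; return the winning map and the shadowed lines."""
    winner: Dict[str, str] = {}
    shadowed = []
    for dn, account in entries:
        if dn not in winner:
            winner[dn] = account
        elif winner[dn] != account:
            shadowed.append((dn, winner[dn], account))
    return winner, shadowed


def parse_user_vo_map(text: str):
    """Return {account: vo} and {lowercase vo: display-case vo} from the #voi/#VOc lines."""
    account_vo: Dict[str, str] = {}
    voi: List[str] = []
    voc: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#voi "):
            voi = line.split()[1:]
        elif line.startswith("#VOc "):
            voc = line.split()[1:]
        elif not line or line.startswith("#"):
            continue
        else:
            fields = line.split()
            if len(fields) != 2:
                raise ValueError(f"user-vo-map line {lineno}: expected 'account VO', got {raw!r}")
            account, vo = fields
            if account_vo.get(account, vo) != vo:
                raise ValueError(f"user-vo-map line {lineno}: {account} listed under two VOs")
            account_vo[account] = vo
    if len(voi) != len(voc):
        raise ValueError("#voi and #VOc lists have different lengths")
    return account_vo, dict(zip(voi, voc))


def check_consistency(mapfile_text: str, user_vo_map_text: str) -> List[str]:
    """Findings a site admin would want before installing the generated files."""
    winner, shadowed = effective_mapping(parse_grid_mapfile(mapfile_text))
    account_vo, vo_names = parse_user_vo_map(user_vo_map_text)
    findings = [f"shadowed: {dn} -> {ignored} is never used, {kept} wins"
                for dn, kept, ignored in shadowed]
    # An account in the grid-mapfile with no VO line means its jobs are not
    # attributed to any VO by the accounting that reads grid3-user-vo-map.txt.
    findings += [f"unaccounted: {acct} is mapped but missing from the user-VO map"
                 for acct in sorted(set(winner.values()) - set(account_vo))]
    findings += [f"unknown vo: {vo} (account {acct}) is not in the #voi list"
                 for acct, vo in sorted(account_vo.items()) if vo not in vo_names]
    return findings
```

Calling check_consistency(GRID_MAPFILE, USER_VO_MAP) on the constructed samples reports the second "Example User Two" line as shadowed by the first and grid0001 as unaccounted; on real output from gums-host, feed it the two files the cron job fetched and fail the installation step when the list is not empty.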


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

With -r, syslogd on this host accepts log records from any remote machine (UDP port 514). If this is the collector for the site security log, restrict the senders with a firewall so the log cannot be flooded or spoofed from elsewhere on the network.

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

    throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

    throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error.
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

GUMS accepts administrative commands only from DNs registered as administrators (sbin/addAdmin in the installation section adds one); any other DN is refused with this exception even though its certificate verified correctly.

$VDT_LOCATION/apache/logs: [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

Error 20 is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the CA (or intermediate CA) that issued the client's certificate is not in the CA directory the server trusts (/etc/grid-security/certificates in the Tomcat configuration above), so the TLS handshake is refused before the request ever reaches GUMS. Install the missing CA certificate, and its CRL, in that directory and retry.

1.7 Changes

Release History

Version        Date          Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
• Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
• Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
• Mapping according to Gecos field available in both NIS and LDAP (carcassi)
• One can filter on the full CN of a host certificate (carcassi)
• The Service Certificate DN is now the identifier for hosts and machines (carcassi)
• Release version in command line (carcassi)
• If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
• Minor updates to the web interface (carcassi)
• VOMS Admin v1.0.x (glite) compatibility (carcassi)
• Support for mapfile cache terminated: web service door only (carcassi)
• FQAN allows for '-', '_' and similar characters in the vo, group, role and capability (carcassi)
• DB reviewed: better indexing and transaction use (carcassi)
• Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
• Including setupDatabase with the modifications made for VDT (carcassi)
• gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
• Error code from scripts was incorrect, which caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
• Repackaging of the client components: merged admin and host and named it client (carcassi)
• Fixed minor issues with authorization obligations for storage system (mlorch)
• Double add to a manual group now fails (carcassi)
• Script that creates the database and changes the configuration accordingly (carcassi)
• Repackaging of the service component (carcassi)
• Server identity is now the gums host name (carcassi)
• GUMS accepts new style proxies (carcassi)
• The accounts in the pool are used in alphabetical order (carcassi)
• Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
• Gridmapfile is generated simulating users with no FQAN (carcassi)
• LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
• Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
• NIS update is done every hour and is now thread safe (carcassi)
• Log file permissions for the command line tools are set so multiple users can use them (important for admin) (carcassi)
• GUMS host can now be used for stress testing and timing the server response (carcassi)
• Added connection pooling on mysql server (carcassi)
• Solved a race condition that would make GUMS hang in some circumstances (carcassi)
• AuthZ callout without GT3, both client and server stubs (mlorch)
• Added code for Privilege Project in GUMS repository and build process (carcassi)

Release 0.7 - 2005-01-14

Changes (by):
• Better logging: server logs all commands with both input and output (carcassi)
• More complete command line interface (carcassi)
• Web service implementation (carcassi)
• HostWildcards can be more than one, comma separated (carcassi)
• Support for VOMS Fully Qualified Attribute names (carcassi)
• AuthZ service to be contacted by Globus callout (carcassi)
• Support for grid3-user-vo-map.txt generation (carcassi)
• Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
• Nightly build and reporting with Maven (carcassi)
• Removed all the old code from 0.6 (carcassi)
• Better log system: logs for developer, resource admin and site admin in place (carcassi)
• Ability to retrieve groups from within a VOMS server (finally) (carcassi)
• No more duplication in the mapfiles (carcassi)
• Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
• Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
• Installation through RPMs (cron jobs installed automatically) (carcassi)
• Unit tests for Grid3 VOs included (carcassi)
• LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
• XML configuration file for mapping policy (carcassi)
• Log infrastructure (carcassi)
• More flexible architecture (carcassi)
• Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
• Web interface to generate grid-mapfiles and map users (carcassi)
• Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
• GUMS in production at BNL (carcassi)
• NISMapper retrieves the GECOS field and matches it with the certificate CN (carcassi)
• Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (by):
• Script to fetch user from VOMS (dtyu)
• Script to map user to local account (tomw)

1.2 Installation

1.2.1 HOW TO: VDT installation

HOW TO: GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT

1.2.2 HOW TO: Manual installation

HOW TO: GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
           sslCAFiles="/etc/grid-security/certificates/*.0"
           crlFiles="/etc/grid-security/certificates/*.r0"
           sslCertFile="/etc/grid-security/hostcert.pem"
           sslKey="/etc/grid-security/hostkey.pem"
           log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
           clientAuth="true" sslProtocol="TLS" />

clientAuth="true" is what makes the connector demand a client certificate, so every caller is identified to GUMS by the DN of the certificate it presents; sslCAFiles limits the accepted issuers to the CAs in /etc/grid-security/certificates, and crlFiles points at their CRLs so revoked certificates are rejected. Keep both directories current, otherwise a revoked or expired-CA credential is still accepted.

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Examples:
setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password secret, authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost
Usage: addAdmin [DN for administrator]

Example:
addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd ../..
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums

<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarchrpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
  generateGridMapfile    - Generate grid-mapfile for a given host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regenerates mapfiles in the cache
  updateGroups           - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

The client authenticates to the service with the caller's grid proxy, so the test below is run as an ordinary user who has created one; the DN passed to generateGridMapfile is the service certificate DN of the host whose map is wanted.

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems

1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences

Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"

1.3 Using GUMS

1.3.1 Configuration

Configuring GUMS

1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory ... />
  </persistenceFactories>
  <adminUserGroup ... />
  <groupMappings>
    <groupMapping ...>
      <userGroup ... />
      <accountMapping ... />
    </groupMapping>
    <groupMapping ...>
      <userGroup ... />
      <compositeAccountMapping>
        <accountMapping ... />
        <accountMapping ... />
        <accountMapping ... />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup ... />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories

groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
</hostGroups>

Host groups are evaluated in the order specified: the first host group whose cn matches the service certificate is used, which is why the test gatekeeper is listed before the wildcard that would also match it.

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd,usatlasPool,ivdglPool" />

Within a host group the groups are tried in the order specified. The first match will define the map.

<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="atlasProd"
             voGroup="/atlas" voRole="production"
             sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="osgusatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"
             acceptProxyWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>

The account mappings inside a compositeAccountMapping are tried in the order listed, and the first one that yields an account is used.

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

Attributes (description; examples):

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap

className
    The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.hibernate.HibernatePersistenceFactory

<persistenceFactory name="mysql"
                    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
                    hibernate.connection.username="gums"
                    hibernate.connection.password="mysecret"
                    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
                    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
                    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
                    hibernate.connection.pool_size="3" />

Note that gums.config holds the database password in clear text: make the file readable only by the account Tomcat runs as, and let the database user created by setupDatabase connect only from the GUMS host.

adminUserGroup

groupMappings

groupMapping

Attributes (description; examples):

name
    The name that will be used by the other components (the hostGroup groups list) to refer to this groupMapping.
    Examples: atlas, star, phenix

accountingVo
    The lower case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

accountingDesc
    The upper case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: ATLAS, iVDgL

userGroup

Attributes (description; examples):

className
    The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualUserGroup

gov.bnl.gums.LDAPGroup

Attributes (description; examples):

server
    The LDAP server from which to retrieve the information.
    Example: grid-vo.nikhef.nl

query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Example: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
           server="grid-vo.nikhef.nl"
           query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
           persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

Attributes (description; examples):

url
    The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo.
    Example: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas, /test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole

matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    • exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify
    • group - the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    • vo - the FQAN in the proxy has to be of the same vo
    • ignore - the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with a DN that is part of the group will be accepted. Note that this makes membership in the cached user list the only check for such proxies: the VOMS group or role is never verified.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Example: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Example: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates).
    Example: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Example: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Example: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
           url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
           persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
           sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualUserGroup

Attributes (description; examples):

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Example: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself. DNs are added to it with gums manualGroup-add.
    Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping

Attributes (description; examples):

className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attributes (description; examples):

jndiNisUrl
    The url, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain.
    Example: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attributes (description; examples):

jndiLdapUrl
    The url, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain.
    Example: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper

Attributes (description; examples):

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Example: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attributes (description; examples):

groupName
    The name of the account.
    Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup

Attributes (description; examples):

className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Example: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Example: group1,group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attributes (description; examples):

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

gov.bnl.gums.CertificateHostGroup

Attributes (description; examples):

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.', '/' or '='.
    Example: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"
             matchFQAN="vo" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing an ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

The pool itself is filled from the command line; grid0000-199 adds the 200 accounts grid0000 through grid0199:

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlasProd"
             voGroup="/atlas" voRole="production"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

The production group is listed first in the host group, so a proxy carrying /atlas/Role=production is mapped to usatprod and any other member of /atlas/usatlas falls through to usatlas1:

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas" />


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@testgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
generateGridMapfile - Generate grid-mapfile for a given service/host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
pool-addRange - Adds accounts to an account pool
updateGroups - Contact VO servers and retrieve user lists
version - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN.
 -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init (no extended information by default).
 -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
 -b,--bypassCallout    connects directly to GUMS instead of using the callout.
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>     number of times the request will be repeated.
 --help                print this message.

Service mapping generation commands

gums mapUser

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s '/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com' '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'
LocalId[userName: grid12345]

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s '/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com' -f '/myvo/Role=role1' -i '/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com' '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGridMapfile '/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com'
#---- members of vo usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap '/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com'
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo usatlas ----
usatlas1 usatlas
#---- accounts for vo ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands

<groupMapping name='example1' accountingVo='myvo' accountingDesc='myVo'>
    <userGroup className='gov.bnl.gums.ManualUserGroup' persistenceFactory='mysql' name='group1'/>
    <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='myacc'/>
</groupMapping>

<groupMapping name='example2' accountingVo='myvo' accountingDesc='myVo'>
    <userGroup className='gov.bnl.gums.VOMSGroup'
        url='https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin'
        persistenceFactory='mysql' name='myvo'
        voGroup='/myvo'
        sslCertfile='/etc/grid-security/hostcert.pem'
        sslKey='/etc/grid-security/hostkey.pem'/>
    <accountMapping className='gov.bnl.gums.ManualAccountMapper' persistenceFactory='mysql' name='map1'/>
</groupMapping>

gums manualGroup-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'

gums manualGroup-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'

gums manualMapping-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345' carcassi

gums manualMapping-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'

Other commands

gums updateGroups

[carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
generateGridMapfile - Generate grid-mapfile for this host
mapUser - Local credential used for a particular user
version - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN.
 -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init (no extended information by default).
 -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
 -b,--bypassCallout    connects directly to GUMS instead of using the callout.
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>     number of times the request will be repeated.
 --help                print this message.

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s '/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com' '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s '/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com' -f '/myvo/Role=role1' -i '/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com' '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'
LocalId[userName: special1]

gums generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo usatlas ----
usatlas1 usatlas
#---- accounts for vo ivdgl ----
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='test'/>


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error.
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version        Date                 Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Type  Changes  By
Review GUMS maven structure (i.e. plug-in dependencies, project.xml)   carcassi
Fix tomcat deployment in build (i.e. dev server being down once in a while)   carcassi
Mapping according to Gecos field available in both NIS and LDAP   carcassi
One can filter on the full CN of a host certificate   carcassi
The Service Certificate DN is now the identifier for hosts and machines   carcassi
Release version in command line   carcassi
If gums.config isn't found the first time, a tomcat restart was needed   carcassi
Minor updates to the web interface   carcassi
VOMS Admin v1.0.x (glite) compatibility   carcassi
Support for mapfile cache terminated: web service door only   carcassi
FQAN allows for '-', '_' and '.' in the vo, group, role and capability   carcassi
DB reviewed: better indexing and transaction use   carcassi
Updating from VOMS is no longer blocking   carcassi

Release 1.0.1 - 2005-04-07

Type  Changes  By
Including setupDatabase with the modification made for VDT   carcassi
gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package)   carcassi
Error code from scripts was incorrect; that caused the cron job to update maps in case of error too   carcassi

Release 1.0.0 - 2005-03-16

Type  Changes  By
Repackaging of the client components: merged admin and host and named it client   carcassi
Fixed minor issues with authorization obligations for storage system   mlorch
Double add to a manual group now fails   carcassi
Script that creates the database and changes the configuration accordingly   carcassi
Repackaging of the service component   carcassi
Server identity is now gums host name   carcassi
GUMS accepts new style proxies   carcassi
The accounts in the pool are used in alphabetical order   carcassi
Inverse map is now generated exploring all the DN/FQAN combinations   carcassi
Gridmapfile is generated simulating users with no FQAN   carcassi
LDAP integration for primary gid change at BNL once an account is assigned   carcassi

Release 0.7.1 - 2005-02-01

Type  Changes  By
Log names review so that both client and server can stay (through links) in the same directory   carcassi
NIS update is done every hour and is now thread safe   carcassi
Log file permissions for the command line tools are set so multiple users can use it (important for admin)   carcassi
GUMS host can now be used for stress testing and timing the server response   carcassi
Added connection pooling on mysql server   carcassi
Solved a race condition that would make GUMS hang in some circumstances   carcassi
AuthZ callout without GT3, both client and server stubs   mlorch
Added code for Privilege Project in GUMS repository and build process   carcassi


Release 0.7 - 2005-01-14

Type  Changes  By
Better logging: server logs all commands with both input and output   carcassi
More complete command line interface   carcassi
Web service implementation   carcassi
HostWildcards can be more than one, comma separated   carcassi
Support for VOMS Fully Qualified Attribute names   carcassi
AuthZ service to be contacted by Globus callout   carcassi
Support for grid3-user-vo-map.txt generation   carcassi
Many, many other refinements   carcassi

Release 0.6.1 - 2004-08-10

Type  Changes  By
Nightly build and reporting with Maven   carcassi
Removed all the old code from 0.6   carcassi
Better log system: logs for developer, resource admin and site admin in place   carcassi
Ability to retrieve groups from within a VOMS server (finally)   carcassi
No more duplication in the mapfiles   carcassi
Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated   carcassi
Improved error handling (i.e. a failed update on one group doesn't block the others)   carcassi
Installation through RPMs (cron jobs installed automatically)   carcassi
Unit tests to Grid3 VOs included   carcassi
LDAP access improved: can access LCG dev VO   carcassi

Release 0.6 - 2004-07-01

Type  Changes  By
XML configuration file for mapping policy   carcassi
Log infrastructure   carcassi
More flexible architecture   carcassi
Decoupled grid-mapfile generation from database caching for distribution on gatekeeper   carcassi
Web interface to generate grid-mapfiles and map users   carcassi
Better command line interfaces (feel like Unix commands)   carcassi

Release 0.5 - 2004-05-20

Type  Changes  By
GUMS in production at BNL   carcassi
NISMapper retrieves the GECOS field and matches with certificate CN   carcassi
Architecture to allow different types of mappings for different hosts   carcassi

Release undetermined - before March 2004

Type  Changes  By
Script to fetch user from VOMS   dtyu
Script to map user to local account   tomw


1.2.1 HOW TO VDT installation

HOW TO GUMS VDT installation

What is VDT and why you should use it to install GUMS

Installing through VDT


1.2.2 HOW TO Manual installation

HOW TO GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS"/>

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Examples:
setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password secret authorized to connect from gums.mysite.com.

[root@gums sbin]# setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# addAdmin
Adds an admin in the GUMS database on localhost.
Usage: addAdmin [DN for administrator]

Example:
addAdmin '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'
[root@gums sbin]# addAdmin '/DC=org/DC=doegrids/OU=People/CN=Your Self 83753'

[root@gums sbin]# cd /opt
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums

<env-entry>
    <env-entry-name>updateGroupsMinutes</env-entry-name>
    <env-entry-type>java.lang.Integer</env-entry-type>
    <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
generateGridMapfile - Generate grid-mapfile for a given host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
updateGroups - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile '/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov'

Problems

1.2.3 HOW TO Upgrade from 1.0

HOW TO Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile '/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org'


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
    <persistenceFactories>
        <persistenceFactory/>
    </persistenceFactories>
    <adminUserGroup/>
    <groupMappings>
        <groupMapping>
            <userGroup/>
            <accountMapping/>
        </groupMapping>
        <groupMapping>
            <userGroup/>
            <compositeAccountMapping>
                <accountMapping/>
                <accountMapping/>
                <accountMapping/>
            </compositeAccountMapping>
        </groupMapping>
    </groupMappings>
    <hostGroups>
        <hostGroup/>
    </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
    <!-- RHIC gatekeepers -->
    <hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.star.bnl.gov'/>
    <hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.phenix.bnl.gov'/>
    <!-- ATLAS test gatekeeper -->
    <hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='mygk.usatlas.bnl.gov'/>
    <!-- Rest of ATLAS gatekeepers -->
    <hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.usatlas.bnl.gov'/>
</hostGroups>

in the order specified

<hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='mygk.usatlas.bnl.gov' groups='atlasProd,usatlasPool,ivdglPool'/>

in the order specified

The first match will define the map.


<groupMapping name='atlasProd' accountingVo='usatlas' accountingDesc='ATLAS'>
    <userGroup className='gov.bnl.gums.VOMSGroup'
        url='https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin'
        persistenceFactory='mysql' name='atlasProd'
        voGroup='/atlas' voRole='production'
        sslCertfile='/etc/grid-security/gumscert.pem'
        sslKey='/etc/grid-security/gumskey.pem'/>
    <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatlas1'/>
</groupMapping>

<groupMapping name='usatlasPool' accountingVo='usatlas' accountingDesc='ATLAS'>
    <userGroup className='gov.bnl.gums.VOMSGroup'
        url='https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin'
        persistenceFactory='mysql' name='osgusatlas'
        voGroup='/atlas/usatlas'
        sslCertfile='/etc/grid-security/gumscert.pem'
        sslKey='/etc/grid-security/gumskey.pem'
        acceptProxiesWithoutFQAN='true'/>
    <compositeAccountMapping>
        <accountMapping className='gov.bnl.gums.AccountPoolMapper' persistenceFactory='mysql' name='bnlPool'/>
        <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatlas1'/>
    </compositeAccountMapping>
</groupMapping>


in the order listed

persistenceFactories

<persistenceFactories>
    <persistenceFactory name='mysql' className='gov.bnl.gums.MySQLPersistenceFactory'/>
</persistenceFactories>

persistenceFactory

Attribute  Description  Examples

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap

className
    The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name='mysql' className='gov.bnl.gums.hibernate.HibernatePersistenceFactory'
    hibernate.connection.username='gums'
    hibernate.connection.password='mysecret'
    hibernate.connection.url='jdbc:mysql://mydb.mysite.org/GUMS_1_1'
    hibernate.connection.driver_class='com.mysql.jdbc.Driver'
    hibernate.dialect='net.sf.hibernate.dialect.MySQLDialect'
    hibernate.connection.pool_size='3'/>

adminUserGroup

groupMappings

groupMapping

Attribute  Description  Examples

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: atlas, star, phenix

accountingVo
    The lower case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

accountingDesc
    The upper case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, iVDgL

userGroup

Attribute  Description  Examples

className
    The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup

Attribute  Description  Examples

server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl

query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

<userGroup className='gov.bnl.gums.LDAPGroup'
    server='grid-vo.nikhef.nl'
    query='ou=People,o=atlas,dc=eu-datagrid,dc=org'
    persistenceFactory='mysql' name='atlas'/>

govbnlgumsVOMSGroup

Attribute  Description  Examples

url
    The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole

matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    • exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify
    • group - the FQAN in the proxy has to be the same group or any subgroup; role is ignored
    • vo - the FQAN in the proxy has to be of the same vo
    • ignore - the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className='gov.bnl.gums.VOMSGroup'
    url='https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin'
    persistenceFactory='mysql' name='atlas'
    voGroup='/atlas/test'
    sslCertfile='/etc/grid-security/hostcert.pem'
    sslKey='/etc/grid-security/hostkey.pem'/>
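The evaluation order described under hostGroups (host groups and their groupMappings are tried in the order specified, and the first match defines the map) together with the matchFQAN and acceptProxyWithoutFQAN rules in the table above, worked through as a small Python model. This is an added example, not GUMS's own code: the VOMS membership list, the DNs and the pool accounts are constructed, and the assumption that a compositeAccountMapping uses the first accountMapping that yields an account is mine.

```python
# Added model of GUMS mapping resolution (illustrative, not GUMS code); all sample data is constructed.
from collections import namedtuple
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

def parse_fqan(fqan: str):
    """'/atlas/usatlas/Role=production/Capability=NULL' -> (vo, group, role); missing/NULL role -> None."""
    parts = [p for p in fqan.split("/") if p]
    group_parts = [p for p in parts if "=" not in p]
    roles = [p[5:] for p in parts if p.startswith("Role=") and p[5:] != "NULL"]
    return group_parts[0], "/" + "/".join(group_parts), (roles[0] if roles else None)

@dataclass
class VOMSGroup:
    """Cached VOMS membership plus the matchFQAN / acceptProxyWithoutFQAN policy."""
    members: set                      # DNs retrieved from VOMS (constructed here)
    vo_group: str
    vo_role: Optional[str] = None
    match_fqan: str = "exact"         # exact | group | vo | ignore
    accept_proxy_without_fqan: bool = False

    def contains(self, dn: str, fqan: Optional[str]) -> bool:
        if dn not in self.members:
            return False
        if fqan is None:              # plain (non-VOMS) proxy
            return self.accept_proxy_without_fqan
        vo, group, role = parse_fqan(fqan)
        if self.match_fqan == "ignore":
            return True
        if self.match_fqan == "vo":
            return vo == parse_fqan(self.vo_group)[0]
        if self.match_fqan == "group":  # same group or any subgroup, role ignored
            return group == self.vo_group or group.startswith(self.vo_group + "/")
        # exact (default): group and role must equal what voGroup and voRole specify
        return group == self.vo_group and role == self.vo_role

class GroupAccountMapper:
    """All members share one account (groupName)."""
    def __init__(self, group_name: str):
        self.group_name = group_name
    def map(self, dn: str) -> Optional[str]:
        return self.group_name

class AccountPoolMapper:
    """Each new DN takes the next free account in alphabetical order and keeps it."""
    def __init__(self, accounts):
        self.free, self.assigned = sorted(accounts), {}
    def map(self, dn: str) -> Optional[str]:
        if dn not in self.assigned:
            if not self.free:
                return None           # pool exhausted: let the next mapper try
            self.assigned[dn] = self.free.pop(0)
        return self.assigned[dn]

class CompositeAccountMapper:
    """Assumption: the first accountMapping that yields an account wins."""
    def __init__(self, mappers):
        self.mappers = list(mappers)
    def map(self, dn: str) -> Optional[str]:
        for mapper in self.mappers:
            account = mapper.map(dn)
            if account is not None:
                return account
        return None

GroupMapping = namedtuple("GroupMapping", "name user_group account_mapping")
HostGroup = namedtuple("HostGroup", "cn groups")  # cn: wildcard on the service CN; groups: names in order

def map_user(host_groups, group_mappings, service_dn, user_dn, fqan=None):
    """Host groups and their groupMappings are tried in order; the first userGroup containing the user wins."""
    cn = [p for p in service_dn.split("/") if p.startswith("CN=")][-1][3:]
    for host_group in host_groups:
        if not fnmatch(cn, host_group.cn):
            continue
        for name in host_group.groups:
            mapping = group_mappings[name]
            if mapping.user_group.contains(user_dn, fqan):
                return mapping.account_mapping.map(user_dn)
    return None

def build_example_config():
    """The atlasProd / usatlasPool configuration from this page, with a constructed 3-member cache and 2-account pool."""
    members = {f"/DC=org/DC=doegrids/OU=People/CN={n}" for n in
               ("Alice Example 1", "Bob Example 2", "Carol Example 3")}
    mappings = {
        "atlasProd": GroupMapping(
            "atlasProd", VOMSGroup(members, "/atlas", vo_role="production"),
            GroupAccountMapper("usatlas1")),
        "usatlasPool": GroupMapping(
            "usatlasPool",
            VOMSGroup(members, "/atlas/usatlas", accept_proxy_without_fqan=True),
            CompositeAccountMapper([AccountPoolMapper(["grid0001", "grid0000"]),
                                    GroupAccountMapper("usatlas1")])),
    }
    return [HostGroup("*.usatlas.bnl.gov", ["atlasProd", "usatlasPool"])], mappings
```

With the pool holding only two accounts, the third member falls through the composite mapping to the shared usatlas1 account, and a production-role proxy presented to the /atlas/usatlas group fails the default exact match.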

govbnlgumsManualGroup

Attribute  Description  Examples

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedAadmins

<userGroup className='gov.bnl.gums.ManualUserGroup' persistenceFactory='mysql' name='testGroup'/>

compositeAccountMapping

accountMapping

1 3 1 1 G U M S C O N F I G 34

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

className The class that is going to provide theimplementation for the mapping It mustimplement govbnlgumsAccountMapping

govbnlgumsManualAccountMappergovbnlgumsGecosLdapAccountMappergovbnlgumsGecosNisAccountMappergovbnlgumsAccountPoolMappergovbnlgumsGroupAccountMapper

govbnlgumsGecosNisAccountMapper

Attributes (with description and examples):

jndiNisUrl: The URL, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain. Example: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain"/>

gov.bnl.gums.GecosLdapAccountMapper

Attributes (with description and examples):

jndiLdapUrl: The URL, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain. Example: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov"/>

gov.bnl.gums.AccountPoolMapper

Attributes (with description and examples):

persistenceFactory: The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section. Example: mysql

name: The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself. Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>

gov.bnl.gums.GroupAccountMapper

Attributes (with description and examples):

groupName: The name of the account. Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas"/>

hostGroups

hostGroup

Attributes (with description and examples):

className: The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup. Example: gov.bnl.gums.CertificateHostGroup

groups: A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used. Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attributes (with description and examples):

wildcard: The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov. Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl"/>

gov.bnl.gums.CertificateHostGroup

Attributes (with description and examples):

cn: The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host.test.bnl.gov. Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn: The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.' or '='. Example: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl"/>


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"
      matchFQAN="vo" acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

Allowing an ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers"/>

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

> bin/gums pool-addRange mysql bnlPool grid0000-199
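The pool-addRange command above fills the bnlPool that the AccountPoolMapper draws from. The Python below is an added example, not GUMS code, that models that pool: the range grammar (prefix, zero-padded first number, dash, last number) is inferred from the two ranges shown in this documentation (grid0000-199 and grid0020-40), accounts are handed out one per grid identity in alphabetical order and kept until released, and an exhausted pool returns no account. The AccountPool class and the expand_range and release names are this example's own.

```python
# Added example, not GUMS code: models what "pool-addRange mysql bnlPool grid0000-199"
# sets up. An account pool hands out one account per grid identity, lowest name
# first, and keeps the assignment until it is released. The range grammar is
# inferred from the ranges shown on this page; names here are this example's own.
import re
from typing import Dict, List, Optional

_RANGE = re.compile(r"^(?P<prefix>[A-Za-z_][A-Za-z0-9_]*?)(?P<first>\d+)-(?P<last>\d+)$")


def expand_range(spec: str) -> List[str]:
    """'grid0000-199' -> ['grid0000', ..., 'grid0199']. The width of the first
    number fixes the zero padding, so 'grid0020-40' -> grid0020 .. grid0040."""
    m = _RANGE.match(spec)
    if not m:
        raise ValueError(f"not a pool range: {spec!r}")
    prefix, first, last = m["prefix"], m["first"], m["last"]
    lo, hi = int(first), int(last)
    if hi < lo:
        raise ValueError(f"range ends before it starts: {spec!r}")
    return [f"{prefix}{n:0{len(first)}d}" for n in range(lo, hi + 1)]


class AccountPool:
    """In-memory stand-in for the pool table a persistence factory would keep."""

    def __init__(self) -> None:
        self.free: List[str] = []            # unassigned accounts, kept sorted
        self.assigned: Dict[str, str] = {}   # DN -> account

    def add_range(self, spec: str) -> int:
        """Add the accounts of a range; accounts already known are not duplicated.
        Returns how many accounts were actually added."""
        known = set(self.free) | set(self.assigned.values())
        new = [a for a in expand_range(spec) if a not in known]
        self.free = sorted(set(self.free) | set(new))
        return len(new)

    def map_user(self, dn: str) -> Optional[str]:
        """Sticky assignment: a DN keeps its account, a new DN gets the lowest free
        one, and None signals an exhausted pool (the caller must not map the user)."""
        if dn in self.assigned:
            return self.assigned[dn]
        if not self.free:
            return None
        account = self.free.pop(0)
        self.assigned[dn] = account
        return account

    def release(self, dn: str) -> bool:
        """Return a DN's account to the pool, e.g. once a VO membership lapses."""
        account = self.assigned.pop(dn, None)
        if account is None:
            return False
        self.free = sorted(self.free + [account])
        return True

    def inverse_map(self) -> Dict[str, str]:
        """account -> DN: the view needed to trace a local process back to a grid identity."""
        return {account: dn for dn, account in self.assigned.items()}
```

The inverse map is the part a site most often needs during an incident: given a local account name in a process listing or a log, it answers which grid identity was mapped to it.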

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap"/>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas"/>


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2...]
Maps the grid identity to the local user.
Options:
  -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
  -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b,--bypassCallout    connects directly to GUMS instead of using the callout
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n,--ntimes <arg>     number of times the request will be repeated
     --help             print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
      persistenceFactory="mysql" name="myvo" voGroup="/myvo"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1"/>
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2...]
Maps the grid identity to the local user.
Options:
  -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
  -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b,--bypassCallout    connects directly to GUMS instead of using the callout
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n,--ntimes <arg>     number of times the request will be repeated
     --help             print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl
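The grid-mapfile and grid3-user-vo-map.txt listings shown here and under bin/gums are what the gatekeeper consumes. The Python below is an added example, not GUMS code: it renders both files from a constructed list of DN/account/VO triples, following the layout of the listings, and parses grid-mapfile lines back, rejecting a DN that could break the quoting and a line that does not match the expected shape. The two usatlas DNs are taken from the listings, the ivdgl member is constructed, and the function names are this example's own.

```python
# Added example, not part of GUMS: renders the two files that generateGridMapfile
# and generateGrid3UserVoMap produce (layout taken from the listings on this page)
# from a constructed list of mappings, and parses grid-mapfile lines back.
# Function names and the sample data are this example's own.
import re
from typing import Dict, List, Tuple

# Constructed sample: (user DN, local account, VO) as GUMS would resolve them.
SAMPLE_MAPPINGS: List[Tuple[str, str, str]] = [
    ("/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894", "usatlas1", "usatlas"),
    ("/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738", "usatlas1", "usatlas"),
    ("/DC=org/DC=doegrids/OU=People/CN=Example Member 1", "ivdgl", "ivdgl"),
]

# Display names for the #VOc line, keyed by the lowercase id used on the #voi line.
VO_DISPLAY: Dict[str, str] = {"usatlas": "ATLAS", "ivdgl": "iVDgL"}

_MAPFILE_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<account>\S+)$')


def ordered_vos(mappings: List[Tuple[str, str, str]]) -> List[str]:
    """VOs in first-seen order, so the file sections are stable across runs."""
    seen: List[str] = []
    for _, _, vo in mappings:
        if vo not in seen:
            seen.append(vo)
    return seen


def render_gridmapfile(mappings: List[Tuple[str, str, str]]) -> str:
    """One '"DN" account' line per mapping, grouped by VO under a comment header."""
    lines: List[str] = []
    for vo in ordered_vos(mappings):
        lines.append(f"#---- members of vo: {vo} ----#")
        for dn, account, m_vo in mappings:
            if m_vo != vo:
                continue
            # A DN containing a quote or newline would break the quoting the
            # gatekeeper relies on, so refuse it instead of emitting a bad line.
            if '"' in dn or "\n" in dn:
                raise ValueError(f"unsafe DN for grid-mapfile: {dn!r}")
            lines.append(f'"{dn}" {account}')
    return "\n".join(lines) + "\n"


def parse_gridmapfile(text: str) -> List[Tuple[str, str]]:
    """Return (dn, account) pairs; comments and blank lines are skipped and a
    malformed line raises rather than being silently dropped."""
    pairs: List[Tuple[str, str]] = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _MAPFILE_LINE.match(line)
        if not m:
            raise ValueError(f"grid-mapfile line {number} is malformed: {raw!r}")
        pairs.append((m["dn"], m["account"]))
    return pairs


def render_user_vo_map(mappings: List[Tuple[str, str, str]]) -> str:
    """grid3-user-vo-map.txt: header comments, the #voi/#VOc lines, then one
    'account VO' line per distinct account within each VO."""
    vos = ordered_vos(mappings)
    lines = [
        "#User-VO map",
        "# #comment line, format of each regular line line: account VO",
        "# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)",
        "#voi " + " ".join(vos),
        "#VOc " + " ".join(VO_DISPLAY.get(vo, vo) for vo in vos),
    ]
    for vo in vos:
        lines.append(f"#---- accounts for vo: {vo} ----#")
        accounts: List[str] = []
        for _, account, m_vo in mappings:
            if m_vo == vo and account not in accounts:
                accounts.append(account)
        lines.extend(f"{account} {vo}" for account in accounts)
    return "\n".join(lines) + "\n"
```

Parsing strictly matters on the consuming side: a gatekeeper that tolerated an unquoted or truncated line would map a DN it never meant to, so the parser here fails on the first line it cannot account for.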


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>

Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version       Date         Description
1.1.0         2005-07-20
1.0.1         2005-04-07
1.0.0         2005-03-16
0.7.1         2005-02-01
0.7           2005-01-14
0.6.1         2004-08-10
0.6           2004-07-01
0.5           2004-05-20
undetermined  before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (glite) compatibility (carcassi)
- Support for mapfile cache terminated: web service door only (carcassi)
- FQAN allows for '-', '_' and '.' in the vo, group, role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now gums host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Gridmapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
- Log names review so that both client and server can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use them (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3, both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)

Release 0.7 - 2005-01-14

Changes (by):
- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests to Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
- GUMS in production at BNL (carcassi)
- NISMapper: retrieves the GECOS field and matches it with the certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (by):
- Script to fetch users from VOMS (dtyu)
- Script to map users to local accounts (tomw)

1.2.2 HOW TO: Manual installation

HOW TO: GUMS Service quick-start installation

Preparing java

[root@gums root]# java -version
java version "1.4.2_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)
Java HotSpot(TM) Client VM (build 1.4.2_04-b05, mixed mode)

Preparing the certificate directory

Prepare the database

Preparing Tomcat + EGEE security

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz
[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS"/>

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start
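The connector edited above is what makes every caller of the GUMS service present a certificate checked against the site's CA files and CRLs. The Python below is an added check, not part of GUMS or of the EGEE Tomcat bundle: it reads a server.xml and reports, per HTTPS connector, which of those settings are missing or weak. The embedded server.xml is constructed for the example, with one deliberately weak connector next to the one from this page; the function and constant names are this example's own.

```python
# Added example (not part of GUMS or the EGEE Tomcat bundle): reads a Tomcat
# server.xml and reports which HTTPS Connectors lack the settings the connector
# on this page relies on: client-certificate authentication, a CA bundle, CRL
# files, the host credential and a TLS protocol. The sample server.xml below is
# constructed; the 8444 connector is deliberately weak, 8443 is this page's.
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- constructed weak connector: no client auth, no CA or CRL files, SSLv3 -->
    <Connector port="8444" scheme="https" secure="true"
               sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
               sslCertFile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/grid-security/hostkey.pem"
               clientAuth="false" sslProtocol="SSLv3"/>
    <!-- as configured on this page -->
    <Connector port="8443" maxThreads="150" scheme="https" secure="true"
               sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
               sslCAFiles="/etc/grid-security/certificates/*.0"
               crlFiles="/etc/grid-security/certificates/*.r0"
               sslCertFile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/grid-security/hostkey.pem"
               clientAuth="true" sslProtocol="TLS"/>
    <Connector port="8080"/>
  </Service>
</Server>
"""

# Attributes that must be present on a trustmanager HTTPS connector.
REQUIRED = ("sslCAFiles", "crlFiles", "sslCertFile", "sslKey")


def check_connectors(server_xml: str) -> Dict[str, List[str]]:
    """Return {port: [findings]} for every Connector with scheme="https".
    An empty findings list means the connector passed every check."""
    root = ET.fromstring(server_xml)
    report: Dict[str, List[str]] = {}
    for conn in root.iter("Connector"):
        if conn.get("scheme") != "https":
            continue                      # plain HTTP connectors are out of scope here
        findings: List[str] = []
        if conn.get("clientAuth", "false").lower() != "true":
            findings.append("clientAuth is not true: callers are not authenticated by certificate")
        for attr in REQUIRED:
            if not conn.get(attr):
                findings.append(f"{attr} is missing")
        if conn.get("sslProtocol", "").upper() != "TLS":
            findings.append(f"sslProtocol is {conn.get('sslProtocol')!r}, expected TLS")
        if conn.get("secure") != "true":
            findings.append("secure is not true")
        report[conn.get("port", "?")] = findings
    return report
```

Run it against the real file with check_connectors(open("/opt/tomcat-5.0.28-egeesec/conf/server.xml").read()); anything other than an empty list for port 8443 means the service will accept callers the GUMS admin group never vetted.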

Install the service

[root@gums root]# cd /opt
[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/targzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Examples:
setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), create a gums user with password secret, authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM="-p"

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost.
Usage: addAdmin [DN for administrator]

Example:
addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd ../..
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums

<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarchrpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
  generateGridMapfile    - Generate grid-mapfile for a given host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  updateGroups           - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems

1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences

Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"

1.3 Using GUMS

1.3.1 Configuration

Configuring GUMS

1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory/>
  </persistenceFactories>
  <adminUserGroup/>
  <groupMappings>
    <groupMapping>
      <userGroup/>
      <accountMapping/>
    </groupMapping>
    <groupMapping>
      <userGroup/>
      <compositeAccountMapping>
        <accountMapping/>
        <accountMapping/>
        <accountMapping/>
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup/>
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories

groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov"/>
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov"/>

  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov"/>

  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"/>
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd,usatlasPool,ivdglPool"/>

in the order specified

The first match will define the map.

<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="atlasProd" voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="osgusatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"
      acceptProxyWithoutFQAN="true"/>
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
  </compositeAccountMapping>
</groupMapping>

1 3 1 1 G U M S C O N F I G 29

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

in the order listed

persistenceFactories

    <persistenceFactories>
      <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory"/>
    </persistenceFactories>

persistenceFactory

  name
      The name that will be used by the other components to refer to this persistenceFactory.
      Examples: mysql, files, ldap

  className
      The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
      Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

    <persistenceFactory name="mysql"
        className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
        hibernate.connection.username="gums"
        hibernate.connection.password="mysecret"
        hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
        hibernate.connection.driver_class="com.mysql.jdbc.Driver"
        hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
        hibernate.connection.pool_size="3"/>

The hibernate.* attributes are handed to Hibernate as they are, so the database password sits in clear text in gums.config: keep the file readable only by the account Tomcat runs as.

adminUserGroup

groupMappings

groupMapping

  name
      The name that will be used by the other components (the groups attribute of a hostGroup) to refer to this groupMapping.
      Examples: atlas, star, phenix

  accountingVo
      The lower case OSG accounting name that will be used to generate the inverse maps for this group.
      Examples: atlas, ivdgl

  accountingDesc
      The OSG accounting name in its display case, as it appears on the #VOc line of grid3-user-vo-map.txt, that will be used to generate the inverse maps for this group.
      Examples: ATLAS, iVDgL

userGroup

  className
      The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
      Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualUserGroup

gov.bnl.gums.LDAPGroup


  server
      The LDAP server from which to retrieve the information.
      Examples: grid-vo.nikhef.nl

  query
      The query to be used on the server.
      Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

  persistenceFactory
      The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
      Examples: mysql

  name
      The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
      Examples: atlas, usatlas

    <userGroup className="gov.bnl.gums.LDAPGroup" server="grid-vo.nikhef.nl"
        query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
        persistenceFactory="mysql" name="atlas"/>

gov.bnl.gums.VOMSGroup

  url
      The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo.
      Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

  voGroup
      The group defined within the VO.
      Examples: /atlas/test, /atlas/group/subgroup

  voRole
      The role defined within the VO.
      Examples: production, myrole

  matchFQAN
      Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
      - exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
      - group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
      - vo: the FQAN in the proxy has to be of the same vo
      - ignore: the FQAN in the proxy is completely ignored
      Examples: exact, group, vo, ignore

  acceptProxyWithoutFQAN
      Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy whose DN is part of the group will be accepted.
      Examples: true, false

  sslCertfile
      The certificate to be used to connect to VOMS.
      Examples: /etc/grid-security/hostcert.pem

  sslKey
      The private key to be used to connect to VOMS.
      Examples: /etc/grid-security/hostkey.pem

  sslKeyPasswd
      The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates).
      Examples: mysecret

  sslCAFiles
      The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
      Examples: /etc/grid-security/certificates/*.0

  persistenceFactory
      The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
      Examples: mysql

  name
      The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
      Examples: atlasTest, atlasGroupSubgroup

The looser settings widen what the group accepts: with matchFQAN set to vo or ignore, a member of any group of the VO is mapped to this group's account, and acceptProxyWithoutFQAN="true" lets a plain proxy whose DN is in the cached list be mapped although VOMS never asserted a group or role for it. Use them only where the account they lead to is meant for the whole VO.

    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem"/>
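The four matchFQAN modes and acceptProxyWithoutFQAN, as an added example in Python (not GUMS's own Java and not code from this page): a small model that parses an FQAN the way voms-proxy-init prints it (/vo/group/.../Role=x/Capability=y), applies the configured mode, and only then consults the cached DN list. The member set, the DNs and the FQANs are constructed; treating Role=NULL as "no role" follows the VOMS convention rather than anything this page states.

```python
"""matchFQAN and acceptProxyWithoutFQAN, modelled in Python (added example).

Not GUMS code: it implements the four match modes from the VOMSGroup
reference on constructed data. An FQAN is taken in the form voms-proxy-init
prints it, /vo/group/.../Role=x/Capability=y; Role=NULL (or no Role part)
is treated as "no role", following the VOMS convention. The member set is a
constructed stand-in for the DN list GUMS caches from the VOMS server.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class FQAN:
    group: str            # e.g. "/atlas/usatlas"
    role: Optional[str]   # None for Role=NULL or no Role component

    @property
    def vo(self) -> str:
        return "/" + self.group.strip("/").split("/")[0]


def parse_fqan(text: str) -> FQAN:
    """'/atlas/usatlas/Role=production/Capability=NULL' -> FQAN('/atlas/usatlas', 'production')."""
    group_parts, role = [], None
    for part in (p for p in text.split("/") if p):
        if part.startswith("Role="):
            value = part[len("Role="):]
            role = None if value in ("", "NULL") else value
        elif part.startswith("Capability="):
            continue                       # capabilities play no part in the match
        else:
            group_parts.append(part)
    return FQAN("/" + "/".join(group_parts), role)


def fqan_matches(proxy: FQAN, vo_group: str, vo_role: Optional[str], mode: str) -> bool:
    """One matchFQAN mode; an unknown mode is an error rather than a silent match."""
    if mode == "exact":                    # group and role both as configured
        return proxy.group == vo_group and proxy.role == vo_role
    if mode == "group":                    # same group or any subgroup, role ignored
        return proxy.group == vo_group or proxy.group.startswith(vo_group.rstrip("/") + "/")
    if mode == "vo":                       # anything in the same VO
        return proxy.vo == "/" + vo_group.strip("/").split("/")[0]
    if mode == "ignore":                   # FQAN not looked at
        return True
    raise ValueError(f"unknown matchFQAN value: {mode!r}")


def is_member(dn: str, fqan_text: Optional[str], members: Set[str], *, vo_group: str,
              vo_role: Optional[str] = None, match_fqan: str = "exact",
              accept_proxy_without_fqan: bool = False) -> bool:
    """Would this VOMSGroup accept the (DN, FQAN) pair the gatekeeper saw?"""
    if dn not in members:                  # the DN must be in the cached list whatever the mode
        return False
    if fqan_text is None:                  # plain (non-VOMS) proxy
        return accept_proxy_without_fqan
    return fqan_matches(parse_fqan(fqan_text), vo_group, vo_role, match_fqan)
```

The modes nest: whatever exact accepts, group accepts, and whatever group accepts, vo accepts. When tightening a site configuration, test it in that direction, checking that the credentials you mean to exclude stop matching rather than only that the intended ones still do.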

gov.bnl.gums.ManualUserGroup

  persistenceFactory
      The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
      Examples: mysql

  name
      The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
      Examples: test, testbedA, admins

    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup"/>

compositeAccountMapping

accountMapping

  className
      The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
      Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

The two Gecos mappers look up the account whose GECOS field matches the CN of the user certificate (see the 0.5 and 1.1.0 release notes); the GroupAccountMapper maps every member of the group to one shared account, so with it the GUMS logs, not the Unix uid, are what ties a job back to a person.

gov.bnl.gums.GecosNisAccountMapper

  jndiNisUrl
      The url, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain.
      Examples: nis://nis.bnl.gov/atlas

    <accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain"/>

gov.bnl.gums.GecosLdapAccountMapper

  jndiLdapUrl
      The url, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain.
      Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

    <accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov"/>

gov.bnl.gums.AccountPoolMapper

  persistenceFactory
      The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
      Examples: mysql

  name
      The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
      Examples: mysitePool, osgPool

    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>

gov.bnl.gums.GroupAccountMapper

  groupName
      The name of the account.
      Examples: atlas, testAccount

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas"/>

hostGroups

hostGroup

  className
      The class that is going to provide the implementation for the hostGro­up. It must implement gov.bnl.gums.HostGroup.
      Examples: gov.bnl.gums.CertificateHostGroup

  groups
      A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
      Examples: group1, group2

Since 1.1.0 a caller is identified by the DN of the service certificate it authenticates with (see the release notes), which is why the hostname-based WildcardHostGroup is deprecated in favour of CertificateHostGroup: a host name can be spoofed or resolved differently, a certificate DN has to be proven with the private key.

gov.bnl.gums.WildcardHostGroup (deprecated)

  wildcard
      The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
      Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

    <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov"
        groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl"/>

gov.bnl.gums.CertificateHostGroup

  cn
      The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
      Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

  dn
      The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '/' or '='.
      Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"
        groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl"/>


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem"
          matchFQAN="vo" acceptProxyWithoutFQAN="true"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

Allowing an ad-hoc list of people

    <groupMapping name="testers">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers"/>

Using account pools

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

The pool has to be filled with accounts before it can map anybody:

    > bin/gums pool-addRange mysql bnlPool grid0000-199
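pool-addRange and the pool mapper, as an added example in Python rather than GUMS's own Java (it is not code from this page): it expands a range written the way this page writes it (prefix, zero-padded first number, last number) and hands accounts out the way the 1.0.0 release notes describe, in alphabetical order, keeping a DN on the account it was first given. The dict-backed storage stands in for the persistence factory, and raising PoolExhausted when no account is free is an assumption about what a site wants (a denied mapping rather than a silently shared account).

```python
"""Account pool model: pool-addRange expansion and first-free assignment.

Added example, not GUMS code. Range syntax as on this page (grid0000-199:
prefix, zero-padded start, end of at most the same width). Accounts are
handed out in alphabetical order and a DN keeps its account, as the release
notes describe; the exception on an exhausted pool is an assumption.
"""
import re
from typing import Dict, List, Optional

RANGE = re.compile(r"^(?P<prefix>[A-Za-z_][A-Za-z0-9_-]*?)(?P<start>\d+)-(?P<end>\d+)$")


def expand_range(spec: str) -> List[str]:
    """'grid0000-199' -> ['grid0000', 'grid0001', ..., 'grid0199'] (width taken from the start)."""
    m = RANGE.match(spec)
    if not m:
        raise ValueError(f"bad range spec {spec!r}, expected e.g. grid0000-199")
    prefix, start, end = m.group("prefix"), m.group("start"), m.group("end")
    width = len(start)
    first, last = int(start), int(end)
    if last < first:
        raise ValueError("range end is before range start")
    if len(end) > width:
        raise ValueError("range end is wider than the zero-padded start")
    return [f"{prefix}{n:0{width}d}" for n in range(first, last + 1)]


class PoolExhausted(Exception):
    """No free account is left; the site should treat this as a denied mapping."""


class AccountPool:
    """Persistent DN -> pooled account mapping (state kept in plain dicts here)."""

    def __init__(self, name: str):
        self.name = name
        self.accounts: Dict[str, Optional[str]] = {}   # account -> owning DN, None when free
        self.by_dn: Dict[str, str] = {}

    def add_range(self, spec: str) -> int:
        """Add the accounts of a range; returns how many were new (re-adding is idempotent)."""
        added = 0
        for acct in expand_range(spec):
            if acct not in self.accounts:
                self.accounts[acct] = None
                added += 1
        return added

    def map_user(self, dn: str) -> str:
        """Return the account for dn, assigning the alphabetically first free one if needed."""
        if dn in self.by_dn:
            return self.by_dn[dn]                # stable: same DN, same account
        for acct in sorted(self.accounts):       # alphabetical order, as documented
            if self.accounts[acct] is None:
                self.accounts[acct] = dn
                self.by_dn[dn] = acct
                return acct
        raise PoolExhausted(f"pool {self.name} has no free account for {dn}")

    def free(self) -> int:
        return sum(1 for owner in self.accounts.values() if owner is None)
```

Because an account, once assigned, stays with its DN, a pool of 200 accounts serves at most 200 distinct DNs over the lifetime of the mapping; watch free() and add a range before it reaches zero, since a mapping the pool cannot satisfy is an authorization failure for that user.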

Composite mapping

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem"/>
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap"/>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
      </compositeAccountMapping>
    </groupMapping>

Mapping based on groups/roles

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
    </groupMapping>

    <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas"/>

usatlasProd is listed first in groups so that a proxy carrying /atlas/Role=production is mapped to usatprod. A proxy with the plain /atlas/usatlas FQAN does not match usatlasProd (exact matching is the default) and falls through to usatlas and the usatlas1 account.
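How a request is resolved against a gums.config, as an added example in Python (not GUMS's Java and not code from this page). It applies the two ordering rules from the hostGroup reference and the examples above: hostGroups are tried in order and the first whose cn or dn wildcard matches the service certificate wins, then that hostGroup's groups are tried in order and the first one the user belongs to decides the account. The VOMS lookup plus FQAN matching is replaced by a constructed table of the (user DN, FQAN) pairs each userGroup accepts, '*' in a wildcard matches any run of characters except '.', '/' and '=', and only the GroupAccountMapper is modelled. The embedded config follows the "Mapping based on groups/roles" example, except that the catch-all group uses voGroup="/atlas" matchFQAN="group" (an assumption) so that a production proxy belongs to both groups and the order in groups is what decides.

```python
"""Resolve (service DN, user DN, FQAN) against a gums.config (added example).

Not GUMS code: a standard-library re-implementation of the two ordering rules
on this page, with VOMS membership replaced by the constructed MEMBERS table.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed config modelled on the "Mapping based on groups/roles" example.
GUMS_CONFIG = """<gums>
  <groupMappings>
    <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlasProd"
                 voGroup="/atlas" voRole="production"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
    </groupMapping>
    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlas"
                 voGroup="/atlas" matchFQAN="group"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.mysite.com"
               groups="usatlas"/>
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com"
               groups="usatlasProd, usatlas"/>
  </hostGroups>
</gums>"""

# Constructed stand-in for "cached VOMS membership + matchFQAN":
# userGroup name -> the (user DN, FQAN) pairs that group accepts.
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 111"
MEMBERS = {
    "usatlasProd": {(ALICE, "/atlas/Role=production")},
    "usatlas": {(ALICE, "/atlas/Role=production"), (ALICE, "/atlas/usatlas/Role=NULL")},
}


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """'*' may not span '.', '/' or '=': '*.mysite.com' rejects 'a.b.mysite.com'."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", r"[^./=]*") + "$")


def service_cn(service_dn: str) -> str:
    cns = [rdn[3:] for rdn in service_dn.split("/") if rdn.startswith("CN=")]
    if not cns:
        raise ValueError("service DN has no CN component")
    return cns[-1]


def host_group_matches(hg: ET.Element, service_dn: str) -> bool:
    if hg.get("className") != "gov.bnl.gums.CertificateHostGroup":
        raise ValueError(f"hostGroup class not modelled: {hg.get('className')}")
    if hg.get("dn") is not None:          # dn wildcard is checked against the whole DN
        return wildcard_to_regex(hg.get("dn")).match(service_dn) is not None
    return wildcard_to_regex(hg.get("cn", "")).match(service_cn(service_dn)) is not None


def select_group_mapping(root: ET.Element, service_dn: str, user_dn: str,
                         fqan: Optional[str]) -> Optional[ET.Element]:
    mappings = {gm.get("name"): gm for gm in root.iter("groupMapping")}
    for hg in root.iter("hostGroup"):
        if not host_group_matches(hg, service_dn):
            continue
        for name in (g.strip() for g in hg.get("groups", "").split(",") if g.strip()):
            gm = mappings[name]           # KeyError: groups names an undefined groupMapping
            accepted = MEMBERS.get(gm.find("userGroup").get("name"), set())
            if (user_dn, fqan) in accepted:
                return gm
        return None       # the first matching hostGroup decides; later ones are not consulted
    return None           # no hostGroup covers this service: the host is not authorized at all


def local_account(config_xml: str, service_dn: str, user_dn: str,
                  fqan: Optional[str]) -> Optional[str]:
    """Account name for the request, or None where GUMS would deny the mapping."""
    gm = select_group_mapping(ET.fromstring(config_xml), service_dn, user_dn, fqan)
    if gm is None:
        return None
    am = gm.find("accountMapping")
    if am is None or am.get("className") != "gov.bnl.gums.GroupAccountMapper":
        raise ValueError("only GroupAccountMapper is modelled here")
    return am.get("groupName")
```

The mygk.mysite.com entry shows the effect of host-group order: it lists only usatlas, so on that gatekeeper a production proxy lands on usatlas1, and because it matched first the wildcard entry that would have given usatprod is never consulted.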


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums
    usage: gums command [command-options]
    Commands:
      generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
      generateGridMapfile    - Generate grid-mapfile for a given service/host
      manualGroup-add        - Includes a DN in a group
      manualGroup-remove     - Removes a DN from a group
      manualMapping-add      - Adds a DN-to-username in a mapping
      manualMapping-remove   - Removes a DN from a mapping
      mapUser                - Local credential used for a particular user
      mapfileCache-refresh   - Regenerates mapfiles in the cache
      pool-addRange          - Adds accounts to an account pool
      updateGroups           - Contact VO servers and retrieve user lists
      version                - Retrieve GUMS client version
    For help on any command: gums command --help

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
    usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN]
                        [-i FQANISSUER] USERDN1 [USERDN2] ...
    Maps the grid identity to the local user.
    Options:
      -s,--service <arg>    DN of the service. When using gums-host it defaults
                            to the host credential DN.
      -f,--fqan <arg>       Fully Qualified Attribute Name as it would be
                            selected using voms-proxy-init; no extended
                            information by default.
      -t,--timing <arg>     enables timing, grouping the requests. For example,
                            -t 100 will give you timing information on 100
                            requests at a time.
      -b,--bypassCallout    connects directly to GUMS instead of using the
                            callout.
      -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the
                            DN of the VOMS service that issued the attribute
                            certificate.
      -n,--ntimes <arg>     number of times the request will be repeated.
         --help             print this message

Service mapping generation commands

gums mapUser

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: grid12345]

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: special1]

The same DN maps to grid12345 without an FQAN and to special1 with the role: the FQAN and the issuer passed with -i are part of the request, so a mapping test is only meaningful when it presents the same attributes the gatekeeper will see.

gums generateGridMapfile

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
    #---- members of vo: usatlas ----
    "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
    #User-VO map
    # #comment line, format of each regular line line: account VO
    # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
    #voi usatlas ivdgl ligo btev uscms sdss gridex grase
    #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
    #---- accounts for vo: usatlas ----
    usatlas1 usatlas
    #---- accounts for vo: ivdgl ----
    ivdgl ivdgl

Manual groups and mappings management commands

    <groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
    </groupMapping>

    <groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
          persistenceFactory="mysql" name="myvo" voGroup="/myvo"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1"/>
    </groupMapping>

In the commands below the first argument names the persistenceFactory and the second the group (or map) within it, exactly as declared in gums.config.

gums manualGroup-add

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

    [root@mygk bin]# gums-host
    usage: gums-host command [command-options]
    Commands:
      generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
      generateGridMapfile    - Generate grid-mapfile for this host
      mapUser                - Local credential used for a particular user
      version                - Retrieve GUMS client version
    For help on any command: gums-host command --help

    [root@mygk bin]# gums-host mapUser --help
    usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN]
                        [-i FQANISSUER] USERDN1 [USERDN2] ...
    Maps the grid identity to the local user.

The options are the same as for bin/gums mapUser (see above). The difference is that -s defaults to the DN of the host certificate gums-host authenticates with, which is why it runs as a user who can read /etc/grid-security/hostkey.pem (root in these examples).

Service mapping generation commands

gums-host mapUser

    [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: grid12345]

    [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: special1]

gums-host generateGridMapfile

    [root@mygk bin]# gums-host generateGridMapfile
    #---- members of vo: usatlas ----
    "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

    [root@mygk bin]# gums-host generateGrid3UserVoMap
    #User-VO map
    # #comment line, format of each regular line line: account VO
    # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
    #voi usatlas ivdgl ligo btev uscms sdss gridex grase
    #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
    #---- accounts for vo: usatlas ----
    usatlas1 usatlas
    #---- accounts for vo: ivdgl ----
    ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

    [root@atlasgrid13 log]# cat /etc/sysconfig/syslog
    # Options to syslogd
    # -m 0 disables 'MARK' messages.
    # -r enables logging from remote machines
    # -x disables DNS lookups on messages recieved with -r
    # See syslogd(8) for more details
    SYSLOGD_OPTIONS="-r -m 0"
    # Options to klogd
    # -2 prints all kernel oops messages twice; once for klogd to decode, and
    #    once for processing with 'ksymoops'
    # -x disables all klogd processing of oops messages entirely
    # See klogd(8) for more details
    KLOGD_OPTIONS="-x"

The -r option makes syslogd accept records from any host that can reach UDP port 514, and nothing in the protocol authenticates the sender, so a host collecting the site security log this way should accept that port only from the GUMS server and the gatekeepers.


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

(If you choose to print this, you might also want to print the code to which the online version of this article links.)

A custom persistence layer, mapping policy or group is a Java class implementing gov.bnl.gums.PersistenceFactory, gov.bnl.gums.AccountMapping or gov.bnl.gums.UserGroup respectively, named through className in gums.config. Only the fragments below of the linked code survive on this page.

Changing storage for GUMS data

    throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>

Creating a group

    throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

A group that throws on enumeration can still answer per-user mapUser requests, but it cannot contribute entries to a generated grid-mapfile, which has to list every member in advance.

1.5 FAQ

Frequently Asked Questions

  General
  Using GUMS
  Building GUMS
  Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

  General tips
  Access problems

General tips

Access problems

    GUMS encountered an error.
    Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
    Error Message: Authorization denied

The DN of the certificate you connected with is not in the adminUserGroup; administrators are added with the addAdmin script that comes with the service installation.

    $VDT_LOCATION/apache/logs:
    [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

OpenSSL error 20 means the server could not find, in the directory it trusts (the sslCAFiles location, normally /etc/grid-security/certificates), the certificate of the CA that issued the client's certificate. Install that CA's hash-named *.0 file there and restart the server so that it reloads the CA files.

1.7 Changes

Release History

  Version        Date
  1.1.0          2005-07-20
  1.0.1          2005-04-07
  1.0.0          2005-03-16
  0.7.1          2005-02-01
  0.7            2005-01-14
  0.6.1          2004-08-10
  0.6            2004-07-01
  0.5            2004-05-20
  undetermined   before March 2004

Release 1.1.0 - 2005-07-20

  - Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
  - Fix tomcat deployment in build (i.e. devserver being down once in a while) (carcassi)
  - Mapping according to Gecos field available in both NIS and LDAP (carcassi)
  - One can filter on the full CN of a host certificate (carcassi)
  - The Service Certificate DN is now the identifier for hosts and machines (carcassi)
  - Release version in command line (carcassi)
  - If gums.config wasn't found the first time, a tomcat restart was needed (carcassi)
  - Minor updates to the web interface (carcassi)
  - VOMS Admin v1.0.x (glite) compatibility (carcassi)
  - Support for mapfile cache terminated: web service door only (carcassi)
  - FQAN allows for '-', '_' and '.' in the vo, group, role and capability (carcassi)
  - DB reviewed: better indexing and transaction use (carcassi)
  - Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

  - Including setupDatabase with the modification made for VDT (carcassi)
  - gums-client rpm now obsoletes gums-host and gums-admin (no need to remove the package) (carcassi)
  - Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

  - Repackaging of the client components: merged admin and host and named it client (carcassi)
  - Fixed minor issues with authorization obligations for storage system (mlorch)
  - Double add to a manual group now fails (carcassi)
  - Script that creates the database and changes the configuration accordingly (carcassi)
  - Repackaging of the service component (carcassi)
  - Server identity is now the gums host name (carcassi)
  - GUMS accepts new style proxies (carcassi)
  - The accounts in the pool are used in alphabetical order (carcassi)
  - Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
  - Gridmapfile is generated simulating users with no FQAN (carcassi)
  - LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

  - Log names reviewed so that both client and server logs can stay (through links) in the same directory (carcassi)
  - NIS update is done every hour and is now thread safe (carcassi)
  - Log file permissions for the command line tools are set so multiple users can use them (important for admin) (carcassi)
  - GUMS host can now be used for stress testing and timing the server response (carcassi)
  - Added connection pooling on mysql server (carcassi)
  - Solved a race condition that would make GUMS hang in some circumstances (carcassi)
  - AuthZ callout without GT3: both client and server stubs (mlorch)
  - Added code for Privilege Project in GUMS repository and build process (carcassi)

Release 0.7 - 2005-01-14

  - Better logging: server logs all commands with both input and output (carcassi)
  - More complete command line interface (carcassi)
  - Web service implementation (carcassi)
  - HostWildcards can be more than one, comma separated (carcassi)
  - Support for VOMS Fully Qualified Attribute names (carcassi)
  - AuthZ service to be contacted by Globus callout (carcassi)
  - Support for grid3-user-vo-map.txt generation (carcassi)
  - Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

  - Nightly build and reporting with Maven (carcassi)
  - Removed all the old code from 0.6 (carcassi)
  - Better log system: logs for developer, resource admin and site admin in place (carcassi)
  - Ability to retrieve groups from within a VOMS server (finally) (carcassi)
  - No more duplication in the mapfiles (carcassi)
  - Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
  - Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
  - Installation through RPMs (cron jobs installed automatically) (carcassi)
  - Unit tests to Grid3 VOs included (carcassi)
  - LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

  - XML configuration file for mapping policy (carcassi)
  - Log infrastructure (carcassi)
  - More flexible architecture (carcassi)
  - Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
  - Web interface to generate grid-mapfiles and map users (carcassi)
  - Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

  - GUMS in production at BNL (carcassi)
  - NISMapper retrieves the GECOS field and matches it with the certificate CN (carcassi)
  - Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

  - Script to fetch users from VOMS (dtyu)
  - Script to map a user to a local account (tomw)

http://grid.racf.bnl.gov/maven/gums/tar.gzs/tomcat-5.0.28-egeesec.tar.gz

[root@gums opt]# tar -xzvf tomcat-5.0.28-egeesec.tar.gz

[root@gums opt]# vi tomcat-5.0.28-egeesec/conf/server.xml

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0"
    scheme="https" secure="true"
    sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
    sslCAFiles="/etc/grid-security/certificates/*.0"
    crlFiles="/etc/grid-security/certificates/*.r0"
    sslCertFile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
    clientAuth="true" sslProtocol="TLS" />

[root@gums opt]# tomcat-5.0.28-egeesec/bin/catalina.sh start

Install the service

[rootgums root] cd opt


[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Examples: setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), then create a gums user with password "secret" authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM=-p

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost
Usage: addAdmin [DN for administrator]

Example: addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd ..
[root@gums opt]# ln -s /opt/gums-service/var/war /opt/tomcat-5.0.28-egeesec/webapps/gums


<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
generateGridMapfile - Generate grid-mapfile for a given host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user


mapfileCache-refresh - Regenerates mapfiles in the cache
updateGroups - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory ... />
  </persistenceFactories>
  <adminUserGroup ... />
  <groupMappings>
    <groupMapping>
      <userGroup ... />
      <accountMapping ... />
    </groupMapping>
    <groupMapping>
      <userGroup ... />
      <compositeAccountMapping>
        <accountMapping ... />
        <accountMapping ... />
        <accountMapping ... />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup ... />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="star.bnl.gov" />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="phenix.bnl.gov" />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd, usatlasPool, ivdglPool" />

in the order specified

The first match will define the map.


<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="atlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/gumscert.pem"
      sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="osgusatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/gumscert.pem"
      sslKey="/etc/grid-security/gumskey.pem"
      acceptProxyWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>


in the order listed

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap

className
    The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name="mysql"
    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
    hibernate.connection.username="gums"
    hibernate.connection.password="mysecret"
    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
    hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

name
    The name that will be used by the other components to refer to this groupMapping.
    Examples: atlas, star, phenix

accountingVo
    The lower-case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

accountingDesc
    The upper-case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: ATLAS, iVDgL

userGroup

className
    The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup


server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl

query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
    server="grid-vo.nikhef.nl"
    query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
    persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

url
    The URL of the web services for VOMS. Notice that it needs the full URL of the service; it won't be constructed from the server name or VO.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole


matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    • exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify
    • group - the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    • vo - the FQAN in the proxy has to be of the same VO
    • ignore - the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualGroup

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

jndiNisUrl
    The URL, as defined in the Java JNDI driver, that allows you to specify the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

jndiLdapUrl
    The URL, as defined in the Java JNDI driver, that allows you to specify the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper


persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

groupName
    The name of the account.
    Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup


cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.', '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem"
      matchFQAN="VO" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing an ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>


<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />


  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />
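The map policy that this configuration section describes (CertificateHostGroup cn wildcards, groups walked in the order specified with the first match defining the map, the four matchFQAN modes together with acceptProxyWithoutFQAN, and a compositeAccountMapping tried in the order listed), modelled in Python as an added example; this is not GUMS code and does not read gums.config. Assumed: the policy is built as Python objects instead of XML, pool accounts are handed out in the order pool-addRange added them, and the FQAN is passed as the string voms-proxy-init selects.

```python
import re
from dataclasses import dataclass
from typing import Optional

def cn_wildcard_match(pattern: str, cn: str) -> bool:
    """CertificateHostGroup cn matching: '*' stands for any run of characters except
    '.', '/' or '=', so "*.bnl.gov" does not match "myhost.usatlas.bnl.gov"."""
    regex = "".join(r"[^./=]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, cn) is not None

def pool_range(spec: str) -> list:
    """Expand a pool-addRange argument such as "grid0000-199" into grid0000..grid0199
    (assumed reading: same prefix, numbers zero-padded to the first number's width)."""
    m = re.fullmatch(r"([A-Za-z_]+)(\d+)-(\d+)", spec)
    if not m:
        raise ValueError("bad range: " + spec)
    prefix, first, last = m.group(1), m.group(2), int(m.group(3))
    return [f"{prefix}{n:0{len(first)}d}" for n in range(int(first), last + 1)]

@dataclass
class VOMSGroup:
    """Stands in for gov.bnl.gums.VOMSGroup: the cached VOMS member list plus the
    FQAN check selected by matchFQAN (exact | group | vo | ignore)."""
    members: set
    vo_group: str                       # voGroup, e.g. "/atlas/usatlas"
    vo_role: Optional[str] = None       # voRole, e.g. "production"
    match_fqan: str = "exact"           # matchFQAN
    accept_proxy_without_fqan: bool = False

    def contains(self, dn: str, fqan: Optional[str]) -> bool:
        if dn not in self.members:
            return False
        if fqan is None:                # plain (non-VOMS) proxy
            return self.accept_proxy_without_fqan
        if self.match_fqan == "ignore":
            return True
        group, _, role = fqan.split("/Capability=")[0].partition("/Role=")
        if self.match_fqan == "vo":     # same VO: compare the first path component
            return group.split("/")[1] == self.vo_group.split("/")[1]
        if self.match_fqan == "group":  # same group or any subgroup; role ignored
            return group == self.vo_group or group.startswith(self.vo_group + "/")
        return group == self.vo_group and (role or None) == self.vo_role  # exact

def group_account_mapper(group_name: str):
    """gov.bnl.gums.GroupAccountMapper: every member shares the one account."""
    return lambda dn: group_name

def manual_account_mapper(table: dict):
    """gov.bnl.gums.ManualAccountMapper: the DN -> account table from manualMapping-add."""
    return table.get

def account_pool_mapper(accounts: list):
    """gov.bnl.gums.AccountPoolMapper: a DN gets the next free pool account and keeps it
    (assumed: accounts are handed out in the order pool-addRange added them)."""
    free, assigned = list(accounts), {}
    def mapper(dn: str) -> Optional[str]:
        if dn not in assigned and free:
            assigned[dn] = free.pop(0)
        return assigned.get(dn)
    return mapper

@dataclass
class GroupMapping:
    user_group: VOMSGroup
    mappers: list                       # one accountMapping, or a compositeAccountMapping

@dataclass
class HostGroup:
    cn: str                             # CertificateHostGroup cn wildcard
    groups: list                        # groupMapping names, in order of preference

def map_user(host_groups, group_mappings, service_cn, dn, fqan=None):
    """gums mapUser: the first hostGroup whose cn matches the service CN is used; its
    groups are walked in the order specified and the first group containing the user
    defines the map; in a compositeAccountMapping the mappers are tried in the order
    listed and the first account returned wins (an unmapped user yields None)."""
    for hg in host_groups:
        if not cn_wildcard_match(hg.cn, service_cn):
            continue
        for name in hg.groups:
            gm = group_mappings[name]
            if gm.user_group.contains(dn, fqan):
                return next((a for a in (m(dn) for m in gm.mappers) if a), None)
    return None

# Constructed sample policy, modelled on the "Mapping based on groups/roles" and
# "Composite mapping" examples above; the DNs are the page's sample DNs.
CARCASSI = "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
OTHER = "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"
GROUP_MAPPINGS = {
    "usatlasProd": GroupMapping(VOMSGroup({CARCASSI}, "/atlas", "production"),
                                [group_account_mapper("usatprod")]),
    "usatlas": GroupMapping(VOMSGroup({CARCASSI, OTHER}, "/atlas/usatlas", match_fqan="group",
                                      accept_proxy_without_fqan=True),
                            [manual_account_mapper({CARCASSI: "carcassi"}),
                             account_pool_mapper(pool_range("grid0000-199"))]),
}
HOST_GROUPS = [HostGroup("*.mysite.com", ["usatlasProd", "usatlas"])]
```

With this policy a production-role proxy lands on usatprod, a /atlas/usatlas proxy takes the manual map first and falls back to the pool, and a service whose CN does not match *.mysite.com maps nothing.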


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
generateGridMapfile - Generate grid-mapfile for a given service/host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regenerates mapfiles in the cache
pool-addRange - Adds accounts to an account pool
updateGroups - Contact VO servers and retrieve user lists
version - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user
Options:
 -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
 -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init, no extended information by default
 -t,--timing <arg>     enables timing grouping the requests. For example -t 100 will give you timing information on 100 requests at a time
 -b,--bypassCallout    connects directly to GUMS instead of using the callout
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>     number of times the request will be repeated
    --help             print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings managements commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
      persistenceFactory="mysql" name="myvo"
      voGroup="/myvo"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]# gums-host
usage: gums-host command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
generateGridMapfile - Generate grid-mapfile for this host
mapUser - Local credential used for a particular user
version - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user
Options:
 -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
 -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init, no extended information by default
 -t,--timing <arg>     enables timing grouping the requests. For example -t 100 will give you timing information on 100 requests at a time
 -b,--bypassCallout    connects directly to GUMS instead of using the callout
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>     number of times the request will be repeated
    --help             print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile


[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version        Date                Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 100 - 2005-03-16

Type Changes By

Repackaging of the client componentsmerged admin and host and named it client

carcassi

Fixed minor issues with authorizationobligations for storage system

mlorch

Double add to a manual group now fails carcassi

1 7 C H A N G E S 65

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script that creates the database and changesthe configuration accordingly

carcassi

Repackaging of the service component carcassi

Server identity is now gums host name carcassi

GUMS accept new style proxies carcassi

The accounts in the pool are used inalphabetical order

carcassi

Inverse map is now generated exploring allthe DNFQAN combinations

carcassi

Gridmapfile is generated simulating userswith no FQAN

carcassi

LDAP integration for primary gid change atBNL once an account is assigned

carcassi

Release 071 - 2005-02-01

Type Changes By

Log names review so that they both client andserver can stay (through links) in the samedirectory

carcassi

NIS update is done every hour and is nowthread safe

carcassi

Log file permission for the command line toolsare set so multiple users can use it (importantfor admin)

carcassi

GUMS host can now be used for stresstesting and timing the server response

carcassi

Added connection pooling on mysql server carcassi

Solved a race condition that would makeGUMS hang in some circumstances

carcassi

AuthZ callout without GT3 both client andserver stubs

mlorch

Added code for Privilege Project in GUMSrepository and build process

carcassi

1 7 C H A N G E S 66

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Release 07 - 2005-01-14

Type Changes By

Better logging server logs all commands withboth input and output

carcassi

More complete command line interface carcassi

Web service implementation carcassi

HostWildcards can be more than one commaseparated

carcassi

Support for VOMS Fully Qualified Attributenames

carcassi

AuthZ service to be contacted by Globuscallout

carcassi

Support for grid3-user-vo-maptxt generation carcassi

Many many other refinements carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi

1 7 C H A N G E S 67

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Installation through RPMs (cron jobs installedautomatically)

carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 06 - 2004-07-01

Type Changes By

XML configuration file for mapping policy carcassi

Log infrastructure carcassi

More flexible architecture carcassi

Decoupled grid-mapfile generation fromdatabase caching for distribution ongatekeeper

carcassi

Web interface to generate grid-mapfiles andmap users

carcassi

Better command line interfaces (feel like Unixcommands)

carcassi

Release 05 - 2004-05-20

Type Changes By

GUMS in production at BNL carcassi

NISMapperretrieves the GECOS field andmatches with certificate CN

carcassi

Architecture to allow different type ofmappings for different hosts

carcassi

Release undetermined - before March 2004

1 7 C H A N G E S 68

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[root@gums opt]# wget http://grid.racf.bnl.gov/maven/gums/tar.gzs/gums-service-SNAPSHOT.tar.gz
[root@gums opt]# tar -xzvf gums-service-SNAPSHOT.tar.gz

[root@gums opt]# cd gums-service/sbin
[root@gums sbin]# ./setupDatabase
Usage: setupDatabase [mysql user for GUMS] [GUMS server host] [GUMS mysql password]

Example: setupDatabase gums gums.mysite.com secret

This will make mysql authenticate as root with a password (-p), then create a gums user with password "secret" that is authorized to connect from gums.mysite.com.

[root@gums sbin]# ./setupDatabase gums gums.mysite.com secret

[root@gums sbin]# cat setupDatabase
#!/bin/sh
MYSQLPARAM="-p"

[root@gums sbin]# ./addAdmin
Adds an admin in the GUMS database on localhost
Usage: addAdmin [DN for administrator]

Example: addAdmin "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
[root@gums sbin]# ./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Your Self 83753"

[root@gums sbin]# cd ..
[root@gums opt]# ln -s gums-service/var/war tomcat-5.0.28-egeesec/webapps/gums


<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch.rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# ./gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
  generateGridMapfile - Generate grid-mapfile for a given host
  manualGroup-add - Includes a DN in a group
  manualGroup-remove - Removes a DN from a group
  manualMapping-add - Adds a DN-to-username in a mapping
  manualMapping-remove - Removes a DN from a mapping
  mapUser - Local credential used for a particular user


  mapfileCache-refresh - Regerates mapfiles in the cache
  updateGroups - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO Upgrade from 1.0

HOW TO Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory />
  </persistenceFactories>
  <adminUserGroup />
  <groupMappings>
    <groupMapping>
      <userGroup />
      <accountMapping />
    </groupMapping>
    <groupMapping>
      <userGroup />
      <compositeAccountMapping>
        <accountMapping />
        <accountMapping />
        <accountMapping />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="star.bnl.gov" />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="phenix.bnl.gov" />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
</hostGroups>

in the order specified

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd, usatlasPool, ivdglPool" />

in the order specified

The first match will define the map.


<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="atlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="osgusatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"
      acceptProxiesWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>


in the order listed

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap

className
    The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name="mysql"
    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
    hibernate.connection.username="gums"
    hibernate.connection.password="mysecret"
    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
    hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: atlas, star, phenix

accountingVo
    The lower case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

accountingDesc
    The upper case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, iVDgL

userGroup

className
    The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup

server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl

query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup" server="grid-vo.nikhef.nl"
    query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
    persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

url
    The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or VO.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole


matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    - exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
    - group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    - vo: the FQAN in the proxy has to be of the same VO
    - ignore: the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualGroup

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

jndiNisUrl
    The url, as defined in the Java JNDI driver, that allows one to specify the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

jndiLdapUrl
    The url, as defined in the Java JNDI driver, that allows one to specify the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper


persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

groupName
    The name of the account.
    Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup


className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas.mysite.org

<hostGroup className="gov.bnl.gums.Wild
cardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup


cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />
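The hostGroup, groupMapping and userGroup tables above describe three rules that decide who gets which local account: the cn wildcard (with '.', '/' and '=' excluded from '*'), the matchFQAN modes of a VOMSGroup, and the first-match walk over a hostGroup's groups list. The following Python model, added here as an illustration and not part of GUMS or this manual, puts those rules side by side so the interplay can be exercised. Attribute names follow the tables; the host names, DNs, member lists and FQANs are constructed sample data, and the matching logic is my reading of the attribute descriptions.

```python
# Added example, not GUMS code: a model of how hostGroup / groupMapping /
# userGroup settings resolve a request to a local account.  Attribute names
# follow the gums.config tables; DNs, hosts, member lists and FQANs below are
# constructed sample data and the matching rules are my reading (assumption).
import re
from dataclasses import dataclass
from typing import Optional


def wildcard_to_regex(pattern: str, forbidden: str):
    """'*' stands for any run of characters except those in `forbidden`."""
    star = "[^" + re.escape(forbidden) + "]*"
    return re.compile("^" + star.join(re.escape(p) for p in pattern.split("*")) + "$")


def cn_matches(cn_pattern: str, service_cn: str) -> bool:
    """CertificateHostGroup cn: '*' may not cross '.', '/' or '='."""
    return wildcard_to_regex(cn_pattern, "./=").match(service_cn) is not None


def parse_fqan(fqan: str):
    """'/atlas/usatlas/Role=production/Capability=NULL' -> ('/atlas/usatlas', 'production').
    Role=NULL (what voms-proxy-init emits when no role is requested) counts as no role."""
    groups, role = [], None
    for part in fqan.strip("/").split("/"):
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif not part.startswith("Capability="):
            groups.append(part)
    return "/" + "/".join(groups), (None if role == "NULL" else role)


@dataclass
class UserGroup:
    members: set                        # DNs retrieved from VOMS/LDAP or a manual group
    voGroup: str = ""
    voRole: Optional[str] = None
    matchFQAN: str = "exact"            # exact | group | vo | ignore
    acceptProxyWithoutFQAN: bool = False

    def accepts(self, dn: str, fqan: Optional[str]) -> bool:
        if dn not in self.members:
            return False
        if fqan is None:                # plain, non-VOMS proxy
            return self.acceptProxyWithoutFQAN
        group, role = parse_fqan(fqan)
        if self.matchFQAN == "ignore":
            return True
        if self.matchFQAN == "vo":      # same first path component
            return group.strip("/").split("/")[0] == self.voGroup.strip("/").split("/")[0]
        if self.matchFQAN == "group":   # same group or any subgroup, role ignored
            return group == self.voGroup or group.startswith(self.voGroup + "/")
        if self.matchFQAN == "exact":
            return group == self.voGroup and role == self.voRole
        raise ValueError(f"unknown matchFQAN {self.matchFQAN!r}")


@dataclass
class GroupMapping:
    name: str
    userGroup: UserGroup
    account: str                        # what a GroupAccountMapper would return


@dataclass
class HostGroup:
    cn: str
    groups: list                        # groupMapping names in order of preference


def map_user(host_groups, group_mappings, service_cn, user_dn, fqan=None):
    """First hostGroup whose cn matches defines the map; within it the first
    groupMapping that accepts the user wins.  None means not authorized."""
    for hg in host_groups:
        if cn_matches(hg.cn, service_cn):
            for name in hg.groups:
                gm = group_mappings[name]
                if gm.userGroup.accepts(user_dn, fqan):
                    return gm.account
            return None
    return None


# Constructed sample site: two ATLAS mappings plus an ad-hoc testers group.
ALICE = "/DC=org/DC=example/OU=People/CN=Alice Example 0001"
BOB = "/DC=org/DC=example/OU=People/CN=Bob Example 0002"
CAROL = "/DC=org/DC=example/OU=People/CN=Carol Example 0003"

GROUP_MAPPINGS = {
    "atlasProd": GroupMapping("atlasProd", UserGroup({ALICE, BOB}, voGroup="/atlas",
                              voRole="production"), "usatprod"),
    "usatlas": GroupMapping("usatlas", UserGroup({ALICE, BOB}, voGroup="/atlas/usatlas",
                            matchFQAN="group", acceptProxyWithoutFQAN=True), "usatlas1"),
    "testers": GroupMapping("testers", UserGroup({CAROL}, matchFQAN="ignore"), "test"),
}
HOST_GROUPS = [
    HostGroup("mygk.usatlas.mysite.org", ["atlasProd", "usatlas"]),
    HostGroup("*.usatlas.mysite.org", ["usatlas"]),
    HostGroup("*.mysite.org", ["testers"]),
]


def resolve(service_cn: str, user_dn: str, fqan: Optional[str] = None) -> Optional[str]:
    return map_user(HOST_GROUPS, GROUP_MAPPINGS, service_cn, user_dn, fqan)


if __name__ == "__main__":
    print(resolve("mygk.usatlas.mysite.org", ALICE, "/atlas/Role=production/Capability=NULL"))
    print(resolve("gk2.usatlas.mysite.org", ALICE, "/atlas/Role=production/Capability=NULL"))
```

Two consequences worth noticing when running it: a production FQAN presented to gk2.usatlas.mysite.org is refused, because the second hostGroup matched first and only lists usatlas, whose group-mode match does not accept /atlas itself; and Carol's plain proxy is refused even by the ignore-mode testers group, because acceptProxyWithoutFQAN, not matchFQAN, governs non-VOMS proxies.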


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"
      matchFQAN="VO" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>


<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>
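The "Using account pools" and "Composite mapping" examples above rely on behaviour the manual states only in passing: the pool is filled with `gums pool-addRange mysql bnlPool grid0000-199`, pool accounts are handed out in alphabetical order (release 1.0.0), and a compositeAccountMapping consults its accountMapping elements in the order listed. The Python model below is an added illustration, not GUMS code and not taken from this manual. Its reading of the range spec as grid0000 through grid0199, the sticky per-DN assignment, and the DNs used are assumptions and constructed sample data.

```python
# Added example, not GUMS code: an in-memory model of AccountPoolMapper,
# ManualAccountMapper and compositeAccountMapping as configured above, plus the
# account range given to 'gums pool-addRange mysql bnlPool grid0000-199'.
# Reading that range as grid0000 .. grid0199, the alphabetical hand-out order
# and the sticky assignment are my assumptions; the DNs are constructed.
import re
from typing import Optional


def expand_range(spec: str) -> list:
    """'grid0000-199' -> ['grid0000', ..., 'grid0199'], keeping the zero padding
    of the first account; reversed or over-wide ranges are rejected."""
    m = re.fullmatch(r"([A-Za-z_][A-Za-z0-9_]*?)(\d+)-(\d+)", spec)
    if m is None:
        raise ValueError(f"bad range {spec!r}, expected something like grid0000-199")
    prefix, first, last = m.groups()
    width, lo, hi = len(first), int(first), int(last)
    if hi < lo or len(last) > width:
        raise ValueError(f"bad range {spec!r}")
    return [f"{prefix}{n:0{width}d}" for n in range(lo, hi + 1)]


class ManualAccountMapper:
    """Explicit DN -> account table (what 'gums manualMapping-add' fills)."""
    def __init__(self):
        self.table = {}

    def add(self, dn: str, account: str) -> None:
        self.table[dn] = account

    def map_user(self, dn: str) -> Optional[str]:
        return self.table.get(dn)


class AccountPoolMapper:
    """Hands out free pool accounts in alphabetical order and remembers the
    assignment so a DN keeps its account; an exhausted pool maps nobody new."""
    def __init__(self):
        self.free = []
        self.assigned = {}

    def add_range(self, spec: str) -> None:
        taken = set(self.assigned.values())
        self.free = sorted((set(self.free) | set(expand_range(spec))) - taken)

    def map_user(self, dn: str) -> Optional[str]:
        if dn in self.assigned:
            return self.assigned[dn]
        if not self.free:
            return None
        account = self.free.pop(0)
        self.assigned[dn] = account
        return account


class CompositeAccountMapping:
    """Asks each accountMapping in the order listed; the first answer wins."""
    def __init__(self, mappers):
        self.mappers = list(mappers)

    def map_user(self, dn: str) -> Optional[str]:
        for mapper in self.mappers:
            account = mapper.map_user(dn)
            if account is not None:
                return account
        return None


# Constructed sample DNs.
ALICE = "/DC=org/DC=example/OU=People/CN=Alice Example 0001"
BOB = "/DC=org/DC=example/OU=People/CN=Bob Example 0002"
CAROL = "/DC=org/DC=example/OU=People/CN=Carol Example 0003"


def build_composite():
    """The 'Composite mapping' example: manual map bnlMap first, pool bnlPool second."""
    manual = ManualAccountMapper()
    manual.add(BOB, "bob")              # gums manualMapping-add mysql bnlMap "<DN>" bob
    pool = AccountPoolMapper()
    pool.add_range("grid0000-199")      # gums pool-addRange mysql bnlPool grid0000-199
    return CompositeAccountMapping([manual, pool]), pool


def demo() -> dict:
    composite, pool = build_composite()
    return {
        "bob": composite.map_user(BOB),            # manual entry answers first
        "alice": composite.map_user(ALICE),        # lowest free pool account
        "alice_again": composite.map_user(ALICE),  # same account on repeat
        "carol": composite.map_user(CAROL),        # next free account
        "free": len(pool.free),
    }


if __name__ == "__main__":
    print(demo())
```

The order of the two accountMapping elements is what makes a manual override work: put the pool first and Bob would silently consume a pool slot instead of landing on his hand-assigned account. An exhausted pool returns no account at all rather than reusing one, which is the behaviour a site wants when pool accounts are the audit trail back to a DN.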

Mapping based on groupsroles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bingums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile - Generate grid-mapfile for a given service/host
  manualGroup-add - Includes a DN in a group
  manualGroup-remove - Removes a DN from a group
  manualMapping-add - Adds a DN-to-username in a mapping
  manualMapping-remove - Removes a DN from a mapping
  mapUser - Local credential used for a particular user
  mapfileCache-refresh - Regerates mapfiles in the cache
  pool-addRange - Adds accounts to an account pool
  updateGroups - Contact VO servers and retrieve user lists
  version - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user
Options:
 -s,--service <arg>        DN of the service. When using gums-host it defaults to the host credential DN
 -f,--fqan <arg>           Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default
 -t,--timing <arg>         enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
 -b,--bypassCallout        connects directly to GUMS instead of using the callout
 -i,--issuer <arg>         Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>         number of times the request will be repeated
    --help                 print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings managements commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
      persistenceFactory="mysql" name="myvo" voGroup="/myvo"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add


[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bingums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile - Generate grid-mapfile for this host
  mapUser - Local credential used for a particular user
  version - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]$ gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user
Options:
 -s,--service <arg>        DN of the service. When using gums-host it defaults to the host credential DN
 -f,--fqan <arg>           Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default
 -t,--timing <arg>         enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
 -b,--bypassCallout        connects directly to GUMS instead of using the callout
 -i,--issuer <arg>         Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>         number of times the request will be repeated
    --help                 print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]$ gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]$ gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line
#account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl


1.3.3 GUMS logs

GUMS logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

With -r, syslogd accepts log messages on UDP port 514 from any host that can reach it, and nothing in the syslog protocol authenticates the sender. Restrict that port with the host firewall to the GUMS server and the gatekeepers that are meant to log here.


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


    throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

    throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error.
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

The caller's certificate was accepted, but its DN is not authorized for the command it issued. Administrative commands are open only to DNs listed in the adminUserGroup of gums.config, and host commands only to services that match a hostGroup; check which identity the command ran as (the user's proxy for bin/gums, the host certificate for bin/gums-host) against those sections.

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

Error 20 is OpenSSL's "unable to get local issuer certificate": the web server found no CA certificate for the issuer of the client's certificate or proxy in its trusted CA directory. Check that the CA's hash-named file (the .0 file) is present and readable in the directory the server is configured to use.


1.7 Changes

Release History

Version        Date               Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (glite) compatibility (carcassi)
- Support for mapfile cache terminated: web service door only (carcassi)
- FQAN allows for -, _ and . in the vo, group, role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now the gums host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Gridmapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
- Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use it (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3, both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)


Release 0.7 - 2005-01-14

Changes (by):
- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute Names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)


- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests to Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches it with the certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004


Changes (by):
- Script to fetch users from VOMS (dtyu)
- Script to map a user to a local account (tomw)


<env-entry>
  <env-entry-name>updateGroupsMinutes</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>
  <env-entry-value>720</env-entry-value>
</env-entry>

Installing the client

[root@gums root]# wget http://grid.racf.bnl.gov/maven/gums/noarch/rpms/gums-client-SNAPSHOT.noarch.rpm
[root@gums root]# rpm -Uvh gums-client-SNAPSHOT.noarch.rpm

[root@gums root]# cd /opt/gums/bin
[root@gums bin]# gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given host
  generateGridMapfile    - Generate grid-mapfile for a given host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regenerates mapfiles in the cache
  updateGroups           - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov"

Problems


1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory ... />
  </persistenceFactories>
  <adminUserGroup ... />
  <groupMappings>
    <groupMapping ...>
      <userGroup ... />
      <accountMapping ... />
    </groupMapping>
    <groupMapping ...>
      <userGroup ... />
      <compositeAccountMapping>
        <accountMapping ... />
        <accountMapping ... />
        <accountMapping ... />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup ... />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" />
</hostGroups>

The host groups are evaluated in the order specified: the specific test gatekeeper is listed before the *.usatlas.bnl.gov wildcard, so it gets its own mapping list instead of the general one.

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd, usatlasPool, ivdglPool" />

The group mappings named in groups are tried in the order specified. The first match will define the map.


<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="atlasProd"
             voGroup="/atlas" voRole="production"
             sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="osgusatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/gumscert.pem" sslKey="/etc/grid-security/gumskey.pem"
             acceptProxyWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>


The account mappings inside a compositeAccountMapping are tried in the order listed.

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
</persistenceFactories>

persistenceFactory

name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap
className
    The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.hibernate.HibernatePersistenceFactory

<persistenceFactory name="mysql"
                    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
                    hibernate.connection.username="gums"
                    hibernate.connection.password="mysecret"
                    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
                    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
                    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
                    hibernate.connection.pool_size="3" />

The database password is kept in clear text in gums.config. Make the file readable only by the account that runs the GUMS service, and keep it out of shared or world-readable repositories.

adminUserGroup

groupMappings

groupMapping

name
    The name that will be used by the other components (the groups list of a hostGroup) to refer to this groupMapping.
    Examples: atlas, star, phenix
accountingVo
    The lower case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl
accountingDesc
    The upper case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: ATLAS, iVDgL

userGroup

className
    The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualUserGroup

gov.bnl.gums.LDAPGroup


server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl
query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org
persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql
name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
           server="grid-vo.nikhef.nl"
           query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
           persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

url
    The url of the web services for VOMS. Notice that it needs the full url of the service: it won't be constructed from the server name or vo.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin
voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup
voRole
    The role defined within the VO.
    Examples: production, myrole


matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    - exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
    - group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    - vo: the FQAN in the proxy has to be of the same vo
    - ignore: the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore
acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted.
    Examples: true, false

With matchFQAN="ignore", or for a non-VOMS proxy accepted through acceptProxyWithoutFQAN="true", the decision rests on the DN being in the cached member list alone; the VOMS attributes carry no weight. Use the stricter settings wherever a role is meant to gate a privileged account.

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem
sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem
sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret
sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0
persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql
name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
           url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
           persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
           sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualUserGroup

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql
name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping


className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

jndiNisUrl
    The url, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

jndiLdapUrl
    The url, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper


persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql
name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

groupName
    The name of the account.
    Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

Every member of the group lands in the same local account, so OS-level logs and file ownership cannot tell the users apart; an AccountPoolMapper gives each DN its own account where that traceability is needed.

hostGroups

hostGroup


className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup
groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, atlas.mysite.org, *.atlas.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup


cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, atlas.mysite.org, *.atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org
dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.', '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

The match is made against the certificate the calling service presents to GUMS, so a hostGroup trusts every certificate that any accepted CA has issued with a matching CN or DN. Keep the wildcards as narrow as the site's host naming allows, and prefer the dn form when the CA namespace matters.


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"
             matchFQAN="vo" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing an ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>


<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />

usatlasProd is listed first in groups so that a proxy carrying Role=production maps to usatprod; listed the other way round, the plain usatlas membership would match first and every production proxy would land in usatlas1.
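The decision order spelled out in this section (hostGroups in the order specified, each host group's groups list in the order listed, first match wins, then the account mapper) can be exercised offline. The following is an added example, not GUMS code: a small Python model that parses a gums.config-shaped fragment, constructed here with the same element and attribute names as the examples above, and answers the same question as gums mapUser. VOMS membership, the manual group, the manual mapping and the account pool are in-memory tables standing in for the mysql persistence factory; the DNs, service names and pool accounts are made up. One point is an assumption and is labelled as such in the code: a compositeAccountMapping is modelled as "the first mapper, in the listed order, that yields an account".

```python
# Added example, not GUMS code: a model of the mapping policy documented in
# 1.3.1.1 and 1.3.1.2. Decision order as the documentation states it: first
# <hostGroup> whose cn matches the service certificate's CN; then its `groups`
# list in order, first <userGroup> that accepts the (DN, FQAN) pair; then that
# mapping's account mapper(s). ASSUMPTION: a <compositeAccountMapping> uses the
# first mapper, in the listed order, that yields an account. Config, DNs and
# table contents below are all constructed for the example.
import re
import xml.etree.ElementTree as ET

GUMS_CONFIG = """<gums><groupMappings>
  <groupMapping name="usatlasProd">
    <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlasProd" voGroup="/atlas" voRole="production"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
  </groupMapping>
  <groupMapping name="usatlas">
    <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlas" voGroup="/atlas/usatlas"
               matchFQAN="group" acceptProxyWithoutFQAN="true"/>
    <compositeAccountMapping>
      <accountMapping className="gov.bnl.gums.ManualAccountMapper" name="bnlMap"/>
      <accountMapping className="gov.bnl.gums.AccountPoolMapper" name="bnlPool"/>
    </compositeAccountMapping>
  </groupMapping>
  <groupMapping name="testers">
    <userGroup className="gov.bnl.gums.ManualUserGroup" name="testers"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>
  </groupMapping>
</groupMappings><hostGroups>
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.mysite.com" groups="usatlasProd, usatlas"/>
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers, usatlas"/>
</hostGroups></gums>"""

ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 11111"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 22222"
CAROL = "/DC=org/DC=doegrids/OU=People/CN=Carol Example 33333"
MYGK = "/DC=org/DC=doegrids/OU=Services/CN=mygk.mysite.com"
VOMS_MEMBERS = {"usatlasProd": {ALICE}, "usatlas": {ALICE, BOB}}  # what updateGroups cached
MANUAL_GROUPS = {"testers": {CAROL}}                                # manualGroup-add
MANUAL_MAPS = {"bnlMap": {BOB: "bob"}}                              # manualMapping-add
POOLS = {"bnlPool": ["grid0001", "grid0000"]}                       # pool-addRange
POOL_ASSIGNED = {}                                                  # pool -> {dn: account}

def parse_fqan(fqan):
    # "/atlas/usatlas/Role=production/Capability=NULL" -> ("/atlas/usatlas", "production")
    parts = [p for p in fqan.split("/") if p and not p.startswith("Capability=")]
    roles = [p[5:] for p in parts if p.startswith("Role=")]
    group = "/" + "/".join(p for p in parts if not p.startswith("Role="))
    return group, (roles[0] if roles and roles[0] != "NULL" else None)

def cn_matches(pattern, cn):
    # '*' stands for any run of characters except '.', '/' and '=' (CertificateHostGroup cn)
    regex = "".join("[^./=]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, cn) is not None

def user_group_accepts(ug, dn, fqan):
    kind, name = ug.get("className").rsplit(".", 1)[1], ug.get("name")
    if kind == "ManualUserGroup":
        return dn in MANUAL_GROUPS.get(name, ())
    if dn not in VOMS_MEMBERS.get(name, ()):          # VOMSGroup: DN must be a cached member
        return False
    if fqan is None:                                    # plain, non-VOMS proxy
        return ug.get("acceptProxyWithoutFQAN", "false") == "true"
    mode, vo_group, vo_role = ug.get("matchFQAN", "exact"), ug.get("voGroup"), ug.get("voRole")
    group, role = parse_fqan(fqan)
    if mode == "ignore":
        return True
    if mode == "vo":
        return group.split("/")[1] == vo_group.split("/")[1]
    if mode == "group":
        return group == vo_group or group.startswith(vo_group + "/")
    return group == vo_group and role == vo_role       # exact (the default)

def map_account(am, dn):
    kind, name = am.get("className").rsplit(".", 1)[1], am.get("name")
    if kind == "GroupAccountMapper":
        return am.get("groupName")                      # every member shares one account
    if kind == "ManualAccountMapper":
        return MANUAL_MAPS.get(name, {}).get(dn)
    assigned = POOL_ASSIGNED.setdefault(name, {})       # AccountPoolMapper
    if dn not in assigned:
        free = sorted(set(POOLS[name]) - set(assigned.values()))  # alphabetical order
        if not free:
            return None                                 # pool exhausted: refuse, never share
        assigned[dn] = free[0]
    return assigned[dn]

def map_user(config_xml, service_dn, user_dn, fqan=None):
    """What `gums mapUser -s SERVICEDN [-f FQAN] USERDN` answers; None means not authorized."""
    root = ET.fromstring(config_xml)
    mappings = {gm.get("name"): gm for gm in root.iter("groupMapping")}
    for hg in root.iter("hostGroup"):
        if not cn_matches(hg.get("cn"), service_dn.rsplit("/CN=", 1)[1]):
            continue
        for gname in (g.strip() for g in hg.get("groups").split(",")):
            gm = mappings[gname]
            if user_group_accepts(gm.find("userGroup"), user_dn, fqan):
                mappers = gm.findall("accountMapping") or gm.findall("compositeAccountMapping/accountMapping")
                return next((a for a in (map_account(m, user_dn) for m in mappers) if a), None)
        break                                           # host matched, user in none of its groups
    return None                                         # also: no hostGroup for this service

def generate_grid_mapfile(config_xml, service_dn):
    # Like `gums generateGridMapfile SERVICEDN`: every known DN is tried without an FQAN.
    lines = []
    for dn in sorted(set().union(*VOMS_MEMBERS.values(), *MANUAL_GROUPS.values())):
        account = map_user(config_xml, service_dn, dn)
        if account:
            lines.append('"%s" %s' % (dn, account))
    return lines
```

Run map_user against the two host groups to see the ordering effects: on mygk.mysite.com a production proxy for Alice yields usatprod while the same DN with a plain /atlas/usatlas FQAN falls through to the pool, Bob without any FQAN is accepted only because acceptProxyWithoutFQAN is set on the second mapping, and Carol is refused there but accepted as "test" on any other *.mysite.com host, where the testers group is listed. A service certificate whose CN matches no hostGroup gets no mapping at all.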


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@testgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regenerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
  -s,--service <arg>   DN of the service. When using gums-host it defaults to the host credential DN.
  -f,--fqan <arg>      Fully Qualified Attribute Name, as it would be selected using voms-proxy-init (no extended information by default).
  -t,--timing <arg>    enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
  -b,--bypassCallout   connects directly to GUMS instead of using the callout
  -i,--issuer <arg>    Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n,--ntimes <arg>    number of times the request will be repeated
  --help               print this message

Service mapping generation commands

gums mapUser

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassiatestgk01 ~]$ optgumsbingums generateGridMapfileDC=orgDC=doegridsOU=ServicesCN=gatekeepermysitecom---- members of vo usatlas ----C=CHO=CERNOU=GRIDCN=Frederik Orellana 5894 usatlas1C=CHO=CERNOU=GRIDCN=Michela Biglietti 4798 usatlas1C=CHO=CERNOU=GRIDCN=Miguel De Oliveira Branco 2423 usatlas1C=CHO=CERNOU=GRIDCN=Shulamit Moed 9840 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alden Stradling 409738 usatlas1DC=orgDC=doegridsOU=PeopleCN=Aldo Saavedra 942457 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alexandre V Vaniachine 778117 usatlas1

gums generateGrid3UserVoMap

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap '/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com'
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands


<groupMapping name='example1' accountingVo='myvo' accountingDesc='myVo'>
  <userGroup className='gov.bnl.gums.ManualUserGroup' persistenceFactory='mysql' name='group1' />
  <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='myacc' />
</groupMapping>

<groupMapping name='example2' accountingVo='myvo' accountingDesc='myVo'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
             url='https://voms.mysite.com:8443/edg-voms-admin/myvo/services/VOMSAdmin'
             persistenceFactory='mysql' name='myvo' voGroup='/myvo'
             sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem' />
  <accountMapping className='gov.bnl.gums.ManualAccountMapper' persistenceFactory='mysql' name='map1' />
</groupMapping>

gums manualGroup-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'

gums manualGroup-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'

gums manualMapping-add


[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345' carcassi

gums manualMapping-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'

Other commands

gums updateGroups

[carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]$ gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>    DN of the service. When using gums-host it defaults
                       to the host credential DN.
 -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be
                       selected using voms-proxy-init (no extended information by default).
 -t,--timing <arg>     enables timing, grouping the requests. For example
                       -t 100 will give you timing information on 100 requests at a


                       time.
 -b,--bypassCallout    connects directly to GUMS instead of using the callout.
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the
                       DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>     number of times the request will be repeated.
    --help             print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]$ gums-host mapUser -s '/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com' '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'
LocalId[userName: grid12345]

[root@mygk bin]$ gums-host mapUser -s '/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com' -f '/myvo/Role=role1' -i '/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com' '/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345'
LocalId[userName: special1]

gums-host generateGridMapfile


[root@mygk bin]$ gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]$ gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services


Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='test' />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version      | Date              | Description
1.1.0        | 2005-07-20        |
1.0.1        | 2005-04-07        |
1.0.0        | 2005-03-16        |
0.7.1        | 2005-02-01        |
0.7          | 2005-01-14        |
0.6.1        | 2004-08-10        |
0.6          | 2004-07-01        |
0.5          | 2004-05-20        |
undetermined | before March 2004 |

Release 1.1.0 - 2005-07-20

Changes | By
Review GUMS maven structure (i.e. plug-in dependencies, project.xml) | carcassi
Fix tomcat deployment in build (i.e. dev server being down once in a while) | carcassi
Mapping according to Gecos field available in both NIS and LDAP | carcassi
One can filter on the full CN of a host certificate | carcassi
The Service Certificate DN is now the identifier for hosts and machines | carcassi
Release version in command line | carcassi


If gums.config isn't found the first time, a tomcat restart was needed | carcassi
Minor updates to the web interface | carcassi
VOMS Admin v1.0.x (glite) compatibility | carcassi
Support for mapfile cache terminated; web service door only | carcassi
FQAN allows for '-', '_' and similar characters in the vo, group, role and capability | carcassi
DB reviewed: better indexing and transaction use | carcassi
Updating from VOMS is no longer blocking | carcassi

Release 1.0.1 - 2005-04-07

Changes | By
Including setupDatabase with the modification made for VDT | carcassi
gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) | carcassi
Error code from scripts was incorrect, which caused the cron job to update maps in case of error too | carcassi

Release 1.0.0 - 2005-03-16

Changes | By
Repackaging of the client components: merged admin and host and named it client | carcassi
Fixed minor issues with authorization obligations for storage system | mlorch
Double add to a manual group now fails | carcassi


Script that creates the database and changes the configuration accordingly | carcassi
Repackaging of the service component | carcassi
Server identity is now gums host name | carcassi
GUMS accepts new style proxies | carcassi
The accounts in the pool are used in alphabetical order | carcassi
Inverse map is now generated exploring all the DN/FQAN combinations | carcassi
Gridmapfile is generated simulating users with no FQAN | carcassi
LDAP integration for primary gid change at BNL once an account is assigned | carcassi

Release 0.7.1 - 2005-02-01

Changes | By
Log names review, so that both client and server can stay (through links) in the same directory | carcassi
NIS update is done every hour and is now thread safe | carcassi
Log file permissions for the command line tools are set so multiple users can use it (important for admin) | carcassi
GUMS host can now be used for stress testing and timing the server response | carcassi
Added connection pooling on mysql server | carcassi
Solved a race condition that would make GUMS hang in some circumstances | carcassi
AuthZ callout without GT3, both client and server stubs | mlorch
Added code for Privilege Project in GUMS repository and build process | carcassi


Release 0.7 - 2005-01-14

Changes | By
Better logging: server logs all commands with both input and output | carcassi
More complete command line interface | carcassi
Web service implementation | carcassi
HostWildcards can be more than one, comma separated | carcassi
Support for VOMS Fully Qualified Attribute names | carcassi
AuthZ service to be contacted by Globus callout | carcassi
Support for grid3-user-vo-map.txt generation | carcassi
Many, many other refinements | carcassi

Release 0.6.1 - 2004-08-10

Changes | By
Nightly build and reporting with Maven | carcassi
Removed all the old code from 0.6 | carcassi
Better log system: logs for developer, resource admin and site admin in place | carcassi
Ability to retrieve groups from within a VOMS server (finally) | carcassi
No more duplication in the mapfiles | carcassi
Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated | carcassi
Improved error handling (i.e. a failed update on one group doesn't block the others) | carcassi


Installation through RPMs (cron jobs installed automatically) | carcassi
Unit tests to Grid3 VOs included | carcassi
LDAP access improved, can access LCG dev VO | carcassi

Release 0.6 - 2004-07-01

Changes | By
XML configuration file for mapping policy | carcassi
Log infrastructure | carcassi
More flexible architecture | carcassi
Decoupled grid-mapfile generation from database caching for distribution on gatekeeper | carcassi
Web interface to generate grid-mapfiles and map users | carcassi
Better command line interfaces (feel like Unix commands) | carcassi

Release 0.5 - 2004-05-20

Changes | By
GUMS in production at BNL | carcassi
NISMapper retrieves the GECOS field and matches with certificate CN | carcassi
Architecture to allow different types of mappings for different hosts | carcassi

Release undetermined - before March 2004


Changes | By
Script to fetch user from VOMS | dtyu
Script to map user to local account | tomw


  mapfileCache-refresh   - Regerates mapfiles in the cache
  updateGroups           - Contact VO servers and retrieve user lists

For help on any command: gums command --help

[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://localhost:8443/gums/services/GUMSAdmin
gums.authz=https://localhost:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# vi /etc/gums-client.properties
[root@gums bin]# cat /etc/gums-client.properties
gums.location=https://gums.mysite.com:8443/gums/services/GUMSAdmin
gums.authz=https://gums.mysite.com:8443/gums/services/GUMSAuthorizationServicePort

[root@gums bin]# su - username
[username@gums bin]$ grid-proxy-init
[username@gums bin]$ gums generateGridMapfile '/DC=org/DC=doegrids/OU=Services/CN=testing.test.gov'

Problems


1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences


Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile '/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org'


1.3 Using GUMS


1.3.1 Configuration

Configuring GUMS


1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory/>
  </persistenceFactories>
  <adminUserGroup/>
  <groupMappings>
    <groupMapping>
      <userGroup/>
      <accountMapping/>
    </groupMapping>
    <groupMapping>
      <userGroup/>
      <compositeAccountMapping>
        <accountMapping/>
        <accountMapping/>
        <accountMapping/>
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup/>
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories


groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.star.bnl.gov' />
  <hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.phenix.bnl.gov' />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='mygk.usatlas.bnl.gov' />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.usatlas.bnl.gov' />
</hostGroups>

in the order specified

<hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='mygk.usatlas.bnl.gov' groups='atlasProd, usatlasPool, ivdglPool' />

in the order specified

The first match will define the map.


<groupMapping name='atlasProd' accountingVo='usatlas' accountingDesc='ATLAS'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
             url='https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin'
             persistenceFactory='mysql' name='atlasProd'
             voGroup='/atlas' voRole='production'
             sslCertfile='/etc/grid-security/gumscert.pem' sslKey='/etc/grid-security/gumskey.pem' />
  <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatlas1' />
</groupMapping>

<groupMapping name='usatlasPool' accountingVo='usatlas' accountingDesc='ATLAS'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
             url='https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin'
             persistenceFactory='mysql' name='osgusatlas'
             voGroup='/atlas/usatlas'
             sslCertfile='/etc/grid-security/gumscert.pem' sslKey='/etc/grid-security/gumskey.pem'
             acceptProxyWithoutFQAN='true' />
  <compositeAccountMapping>
    <accountMapping className='gov.bnl.gums.AccountPoolMapper' persistenceFactory='mysql' name='bnlPool' />
    <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatlas1' />
  </compositeAccountMapping>
</groupMapping>


in the order listed

persistenceFactories

<persistenceFactories>
  <persistenceFactory name='mysql' className='gov.bnl.gums.MySQLPersistenceFactory' />
</persistenceFactories>

persistenceFactory

Attribute | Description | Examples
name | The name that will be used by the other components to refer to this persistenceFactory | mysql, files, ldap
className | The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory | gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

<persistenceFactory name='mysql' className='gov.bnl.gums.hibernate.HibernatePersistenceFactory'
                    hibernate.connection.username='gums' hibernate.connection.password='mysecret'


                    hibernate.connection.url='jdbc:mysql://mydb.mysite.org/GUMS_1_1'
                    hibernate.connection.driver_class='com.mysql.jdbc.Driver'
                    hibernate.dialect='net.sf.hibernate.dialect.MySQLDialect'
                    hibernate.connection.pool_size='3' />

adminUserGroup

groupMappings

groupMapping

Attribute | Description | Examples
name | The name that will be used by the other components to refer to this groupMapping | atlas, star, phenix
accountingVo | The lower case OSG accounting name that will be used to generate the inverse maps for this group | atlas, ivdgl
accountingDesc | The upper case OSG accounting name that will be used to generate the inverse maps for this group | atlas, iVDgL

userGroup

Attribute | Description | Examples
className | The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup | gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualGroup

gov.bnl.gums.LDAPGroup


Attribute | Description | Examples
server | The LDAP server from which to retrieve the information | grid-vo.nikhef.nl
query | The query to be used on the server | ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself | atlas, usatlas

<userGroup className='gov.bnl.gums.LDAPGroup' server='grid-vo.nikhef.nl'
           query='ou=People,o=atlas,dc=eu-datagrid,dc=org'
           persistenceFactory='mysql' name='atlas' />

govbnlgumsVOMSGroup

Attribute | Description | Examples
url | The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo | https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin
voGroup | The group defined within the VO | /atlas/test, /atlas/group/subgroup
voRole | The role defined within the VO | production, myrole


matchFQAN | Defines how the VOMS attribute (or role) is matched. There are 4 possible ways: exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify; group - the FQAN in the proxy has to be the same group or any subgroup, role is ignored; vo - the FQAN in the proxy has to be of the same vo; ignore - the FQAN in the proxy is completely ignored | exact, group, vo, ignore
acceptProxyWithoutFQAN | Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted | true, false
sslCertfile | The certificate to be used to connect to VOMS | /etc/grid-security/hostcert.pem
sslKey | The private key to be used to connect to VOMS | /etc/grid-security/hostkey.pem
sslKeyPasswd | The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates) | mysecret
sslCAFiles | The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files | /etc/grid-security/certificates/*.0
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself | atlasTest, atlasGroupSubgroup

<userGroup className='gov.bnl.gums.VOMSGroup'
           url='https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin'
           persistenceFactory='mysql' name='atlas' voGroup='/atlas/test'


           sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem' />

gov.bnl.gums.ManualGroup

Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself | test, testbedA, admins

<userGroup className='gov.bnl.gums.ManualUserGroup' persistenceFactory='mysql' name='testGroup' />

compositeAccountMapping

accountMapping


Attribute | Description | Examples
className | The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping | gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attribute | Description | Examples
jndiNisUrl | The url as defined in the Java JNDI driver, that allows to specify the NIS server and the domain | nis://nis.bnl.gov/atlas

<accountMapping className='gov.bnl.gums.GecosNisAccountMapper' jndiNisUrl='nis://nis.mysite.org/domain' />

gov.bnl.gums.GecosLdapAccountMapper

Attribute | Description | Examples
jndiLdapUrl | The url as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain | ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className='gov.bnl.gums.GecosLdapAccountMapper' jndiLdapUrl='ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov' />

gov.bnl.gums.AccountPoolMapper


Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section | mysql
name | The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself | mysitePool, osgPool

<accountMapping className='gov.bnl.gums.AccountPoolMapper' persistenceFactory='mysql' name='bnlPool' />

gov.bnl.gums.GroupAccountMapper

Attribute | Description | Examples
groupName | The name of the account | atlas, testAccount

<accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='atlas' />

hostGroups

hostGroup


Attribute | Description | Examples
className | The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup | gov.bnl.gums.CertificateHostGroup
groups | A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used | group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute | Description | Examples
wildcard | The wildcard for the set of hosts to be included. The wildcard is a string where '*' can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov | myhost.mysite.org, *.atlas.mysite.org, *.*.atlas.mysite.org

<hostGroup className='gov.bnl.gums.WildcardHostGroup' wildcard='*.usatlas.bnl.gov' groups='gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl' />

gov.bnl.gums.CertificateHostGroup


Attribute | Description | Examples
cn | The wildcard on the CN for the set of services to be included. The cn is a string where '*' can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov | myhost.mysite.org, *.atlas.mysite.org, *.*.atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org
dn | The wildcard on the DN for the set of services to be included. The wildcard is a string where '*' can be substituted with any character except '.', '/' or '=' | /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.usatlas.bnl.gov' groups='gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl' />


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name='usatlas' accountingVo='usatlas' accountingDesc='ATLAS'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
             url='https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin'
             persistenceFactory='mysql' name='usatlas' voGroup='/atlas/usatlas'
             sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem'
             matchFQAN='VO' acceptProxyWithoutFQAN='true' />
  <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatlas1' />
</groupMapping>

<hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.mysite.com' groups='usatlas' />

Allowing an ad-hoc list of people

<groupMapping name='testers'>
  <userGroup className='gov.bnl.gums.ManualUserGroup' persistenceFactory='mysql' name='testers' />
  <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='test' />
</groupMapping>


<hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.mysite.com' groups='testers' />

Using account pools

<groupMapping name='usatlas' accountingVo='usatlas' accountingDesc='ATLAS'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
             url='https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin'
             persistenceFactory='mysql' name='usatlas' voGroup='/atlas/usatlas'
             sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem' />
  <accountMapping className='gov.bnl.gums.AccountPoolMapper' persistenceFactory='mysql' name='bnlPool' />
</groupMapping>

<hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.mysite.com' groups='usatlas' />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


<groupMapping name='usatlas' accountingVo='usatlas' accountingDesc='ATLAS'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
             url='https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin'
             persistenceFactory='mysql' name='usatlas' voGroup='/atlas/usatlas'
             sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem' />
  <compositeAccountMapping>
    <accountMapping className='gov.bnl.gums.ManualAccountMapper' persistenceFactory='mysql' name='bnlMap' />
    <accountMapping className='gov.bnl.gums.AccountPoolMapper' persistenceFactory='mysql' name='bnlPool' />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name='usatlas' accountingVo='usatlas' accountingDesc='ATLAS'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
             url='https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin'
             persistenceFactory='mysql' name='usatlas' voGroup='/atlas/usatlas'
             sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem' />
  <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatlas1' />
</groupMapping>

<groupMapping name='usatlasProd' accountingVo='usatlas' accountingDesc='ATLAS'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
             url='https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin'
             persistenceFactory='mysql' name='usatlasProd' voGroup='/atlas' voRole='production'
             sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem' />
  <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatprod' />
</groupMapping>

<hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.mysite.com' groups='usatlasProd, usatlas' />
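The resolution order that the hostGroup and groupMapping reference above describes (the first hostGroup whose cn wildcard matches the service, then the first group in its list the user belongs to, with matchFQAN and acceptProxyWithoutFQAN deciding membership, a composite mapping taking the first mapper that answers, and pool accounts handed out in alphabetical order), worked through as an added Python model. This is not GUMS code: the config fragment, DNs, VO member lists, manual map and pool contents are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed gums.config fragment, modelled on the examples in this section.
GUMS_CONFIG = """
<gums>
  <groupMappings>
    <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlasProd" voGroup="/atlas" voRole="production" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
    </groupMapping>
    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlas" voGroup="/atlas/usatlas"
                 matchFQAN="group" acceptProxyWithoutFQAN="true" />
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" name="bnlMap" />
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" name="bnlPool" />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.mysite.com" groups="usatlasProd, usatlas" />
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />
  </hostGroups>
</gums>
"""

# Constructed stand-ins for what GUMS keeps in its database: user lists cached from
# VOMS, a manual DN-to-account map, and a pool (account -> DN it is assigned to, or None).
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 1"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 2"
VOMS_MEMBERS = {"usatlasProd": {ALICE}, "usatlas": {ALICE, BOB}}
MANUAL_MAPS = {"bnlMap": {BOB: "bob"}}
POOLS = {"bnlPool": {"grid0001": None, "grid0000": None, "grid0002": "/CN=Someone Else"}}


def cn_matches(pattern, cn):
    """CertificateHostGroup rule: '*' stands for any run of characters except '.', '/' or '='."""
    regex = re.escape(pattern).replace(r"\*", r"[^./=]*")
    return re.fullmatch(regex, cn) is not None


def fqan_matches(user_group, fqan):
    """Apply matchFQAN (exact, group, vo, ignore) and acceptProxyWithoutFQAN to the proxy's FQAN."""
    if fqan is None:  # plain, non-VOMS proxy
        return user_group.get("acceptProxyWithoutFQAN", "false") == "true"
    parts = fqan.split("/")  # e.g. /atlas/usatlas/Role=production/Capability=NULL
    group = "/".join(p for p in parts if "=" not in p)
    role = next((p[5:] for p in parts if p.startswith("Role=")), "NULL")
    vo_group, vo_role = user_group.get("voGroup"), user_group.get("voRole")
    mode = user_group.get("matchFQAN", "exact")
    if mode == "exact":
        return group == vo_group and (None if role == "NULL" else role) == vo_role
    if mode == "group":  # same group or any subgroup; the role is ignored
        return group == vo_group or group.startswith(vo_group + "/")
    if mode == "vo":  # same VO, i.e. the same first path component
        return group.split("/")[1] == vo_group.split("/")[1]
    return mode == "ignore"


def map_account(mapping, dn):
    """Resolve one accountMapping; a compositeAccountMapping takes the first mapper that answers."""
    if mapping.tag == "compositeAccountMapping":
        return next((acc for acc in (map_account(m, dn) for m in mapping) if acc), None)
    cls = mapping.get("className").rsplit(".", 1)[-1]
    if cls == "GroupAccountMapper":
        return mapping.get("groupName")
    if cls == "ManualAccountMapper":
        return MANUAL_MAPS.get(mapping.get("name"), {}).get(dn)
    if cls == "AccountPoolMapper":
        pool = POOLS[mapping.get("name")]
        for acc in sorted(pool):  # a DN keeps the pool account it was already given
            if pool[acc] == dn:
                return acc
        for acc in sorted(pool):  # free accounts are handed out in alphabetical order
            if pool[acc] is None:
                pool[acc] = dn
                return acc
    return None


def map_user(service_dn, user_dn, fqan=None, config=GUMS_CONFIG):
    """First hostGroup whose cn matches the service wins; within it the first group the
    user belongs to defines the map. Returns the local account, or None for no mapping."""
    root = ET.fromstring(config)
    mappings = {gm.get("name"): gm for gm in root.iter("groupMapping")}
    service_cn = service_dn.rsplit("CN=", 1)[-1]
    host_group = next((hg for hg in root.iter("hostGroup") if cn_matches(hg.get("cn"), service_cn)), None)
    if host_group is None:
        return None  # service unknown to GUMS: nothing is mapped
    for name in (g.strip() for g in host_group.get("groups").split(",")):
        user_group = mappings[name].find("userGroup")
        if user_dn in VOMS_MEMBERS.get(user_group.get("name"), ()) and fqan_matches(user_group, fqan):
            mapping = mappings[name].find("compositeAccountMapping")
            if mapping is None:
                mapping = mappings[name].find("accountMapping")
            return map_account(mapping, user_dn)
    return None
```

Note that with `matchFQAN="group"` on `/atlas/usatlas`, a proxy carrying `/atlas/Role=production` is not a member, so on a host that only lists `usatlas` such a user gets no account at all.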


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums
  usage: gums command [command-options]
  Commands:
    generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
    generateGridMapfile    - Generate grid-mapfile for a given service/host
    manualGroup-add        - Includes a DN in a group
    manualGroup-remove     - Removes a DN from a group
    manualMapping-add      - Adds a DN-to-username in a mapping
    manualMapping-remove   - Removes a DN from a mapping
    mapUser                - Local credential used for a particular user
    mapfileCache-refresh   - Regenerates mapfiles in the cache
    pool-addRange          - Adds accounts to an account pool
    updateGroups           - Contact VO servers and retrieve user lists
    version                - Retrieve GUMS client version

For help on any command: gums command --help

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
  usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN]
                      [-i FQANISSUER] USERDN1 [USERDN2] ...
  Maps the grid identity to the local user.
  Options:
   -s,--service <arg>    DN of the service. When using gums-host it defaults
                         to the host credential DN.
   -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be
                         selected using voms-proxy-init; no extended
                         information by default.
   -t,--timing <arg>     Enables timing, grouping the requests. For example,
                         -t 100 will give you timing information on 100
                         requests at a time.
   -b,--bypassCallout    Connects directly to GUMS instead of using the
                         callout.
   -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the
                         DN of the VOMS service that issued the attribute
                         certificate.
   -n,--ntimes <arg>     Number of times the request will be repeated.
      --help             Print this message.

Service mapping generation commands

gums mapUser

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
  LocalId[userName: grid12345]

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
  LocalId[userName: special1]

gums generateGridMapfile

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
  #---- members of vo usatlas ----
  "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
  "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
  "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
  "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
  "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
  "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
  "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
  # User-VO map
  # #comment line, format of each regular line
  #line account VO
  # Next 2 lines with VO names, same order, all lowercase, with case
  # (lines starting with #voi, #VOc)
  #voi usatlas ivdgl ligo btev uscms sdss gridex grase
  #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
  #---- accounts for vo usatlas ----
  usatlas1 usatlas
  #---- accounts for vo ivdgl ----
  ivdgl ivdgl
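The two files above are consumed by different components (the gatekeeper reads the grid-mapfile, accounting reads grid3-user-vo-map.txt), so a site wants them to agree before distributing them. The following is an added Python check, not part of GUMS: it parses grid-mapfile lines ("DN" account) and the #voi/#VOc header plus "account VO" lines of grid3-user-vo-map.txt, then reports a DN mapped to more than one account, an account with no VO entry, and a VO not declared in #voi. The sample file contents are constructed for the example (one deliberate duplicate DN and one account, usatprod, missing from the VO map); only the line formats shown in the output above are assumed.

```python
import re
from collections import defaultdict

# A grid-mapfile line is a double-quoted DN followed by a local account.
MAPFILE_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<account>\S+)\s*$')


def parse_gridmapfile(text):
    """Return {dn: [account, ...]}; '#' lines (such as the per-VO banners
    GUMS writes) and blank lines are skipped, anything else must match."""
    dn_to_accounts = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MAPFILE_LINE.match(line)
        if m is None:
            raise ValueError(f"grid-mapfile line {lineno} is malformed: {raw!r}")
        dn_to_accounts[m["dn"]].append(m["account"])
    return dict(dn_to_accounts)


def parse_user_vo_map(text):
    """Return (account -> vo, voi list, VOc list) from grid3-user-vo-map.txt.
    '#voi' carries the lowercase VO names and '#VOc' the display names in the
    same order; every other '#' line is a comment."""
    account_to_vo, voi, voc = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#voi "):
            voi = line.split()[1:]
        elif line.startswith("#VOc "):
            voc = line.split()[1:]
        elif line.startswith("#"):
            continue
        else:
            fields = line.split()
            if len(fields) != 2:
                raise ValueError(f"user-vo-map line {lineno} is malformed: {raw!r}")
            account_to_vo[fields[0]] = fields[1]
    return account_to_vo, voi, voc


def check_maps(gridmap_text, user_vo_map_text):
    """Cross-check the two files; returns a list of problem descriptions
    (empty when they are consistent)."""
    problems = []
    dn_to_accounts = parse_gridmapfile(gridmap_text)
    account_to_vo, voi, voc = parse_user_vo_map(user_vo_map_text)
    if len(voi) != len(voc):
        problems.append(f"#voi lists {len(voi)} VOs but #VOc lists {len(voc)}")
    for dn, accounts in dn_to_accounts.items():
        if len(accounts) > 1:
            # The gatekeeper honours the first line for a DN; a second
            # mapping is dead configuration at best and misleading at worst.
            problems.append(f"DN mapped to several accounts {accounts}: {dn}")
    for account in sorted({a for accts in dn_to_accounts.values() for a in accts}):
        if account not in account_to_vo:
            # Jobs would run, but accounting could not attribute them to a VO.
            problems.append(f"account {account} has no VO in grid3-user-vo-map.txt")
    for account, vo in sorted(account_to_vo.items()):
        if vo not in voi:
            problems.append(f"account {account}: VO {vo} is not declared in #voi")
    return problems


# Constructed sample output for this example (not captured from a real site):
# one DN appears twice with different accounts, and 'usatprod' has no VO line.
SAMPLE_GRIDMAP = '''\
#---- members of vo usatlas ----
"/DC=org/DC=doegrids/OU=People/CN=Example User A 1001" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Example User B 1002" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Example User B 1002" usatprod
#---- members of vo ivdgl ----
"/DC=org/DC=doegrids/OU=People/CN=Example User C 1003" ivdgl
'''

SAMPLE_USER_VO_MAP = '''\
# User-VO map
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo usatlas ----
usatlas1 usatlas
#---- accounts for vo ivdgl ----
ivdgl ivdgl
'''


def demo():
    return check_maps(SAMPLE_GRIDMAP, SAMPLE_USER_VO_MAP)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it against the files GUMS wrote for a gatekeeper (read them with open() in place of the constructed samples); an empty result means every mapped account is attributable to a declared VO and no DN is mapped twice.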

Manual groups and mappings management commands

  <groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
  </groupMapping>

  <groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
               persistenceFactory="mysql" name="myvo" voGroup="/myvo"
               sslCertfile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
  </groupMapping>

gums manualGroup-add

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

  [root@mygk bin]# gums-host
  usage: gums-host command [command-options]
  Commands:
    generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
    generateGridMapfile    - Generate grid-mapfile for this host
    mapUser                - Local credential used for a particular user
    version                - Retrieve GUMS client version

For help on any command: gums-host command --help

  [root@mygk bin]# gums-host mapUser --help
  usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN]
                      [-i FQANISSUER] USERDN1 [USERDN2] ...
  Maps the grid identity to the local user.
  Options:
   -s,--service <arg>    DN of the service. When using gums-host it defaults
                         to the host credential DN.
   -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be
                         selected using voms-proxy-init; no extended
                         information by default.
   -t,--timing <arg>     Enables timing, grouping the requests. For example,
                         -t 100 will give you timing information on 100
                         requests at a time.
   -b,--bypassCallout    Connects directly to GUMS instead of using the
                         callout.
   -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the
                         DN of the VOMS service that issued the attribute
                         certificate.
   -n,--ntimes <arg>     Number of times the request will be repeated.
      --help             Print this message.

Service mapping generation commands

gums-host mapUser

  [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
  LocalId[userName: grid12345]

  [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
  LocalId[userName: special1]

gums-host generateGridMapfile

  [root@mygk bin]# gums-host generateGridMapfile
  #---- members of vo usatlas ----
  "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
  "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
  "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
  "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
  "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
  "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
  "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

  [root@mygk bin]# gums-host generateGrid3UserVoMap
  # User-VO map
  # #comment line, format of each regular line
  #line account VO
  # Next 2 lines with VO names, same order, all lowercase, with case
  # (lines starting with #voi, #VOc)
  #voi usatlas ivdgl ligo btev uscms sdss gridex grase
  #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
  #---- accounts for vo usatlas ----
  usatlas1 usatlas
  #---- accounts for vo ivdgl ----
  ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

  [root@atlasgrid13 log]# cat /etc/sysconfig/syslog
  # Options to syslogd
  # -m 0 disables 'MARK' messages.
  # -r enables logging from remote machines
  # -x disables DNS lookups on messages received with -r
  # See syslogd(8) for more details
  SYSLOGD_OPTIONS="-r -m 0"
  # Options to klogd
  # -2 prints all kernel oops messages twice; once for klogd to decode, and
  #    once for processing with 'ksymoops'
  # -x disables all klogd processing of oops messages entirely
  # See klogd(8) for more details
  KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

  throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

  throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

  GUMS encountered an error.
  Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
  Error Message: Authorization denied

  $VDT_LOCATION/apache/logs:
  [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

  Version       Date               Description
  1.1.0         2005-07-20
  1.0.1         2005-04-07
  1.0.0         2005-03-16
  0.7.1         2005-02-01
  0.7           2005-01-14
  0.6.1         2004-08-10
  0.6           2004-07-01
  0.5           2004-05-20
  undetermined  before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (gLite) compatibility (carcassi)
- Support for mapfile cache terminated: web service door only (carcassi)
- FQAN allows for "-", "_" and "." in the vo, group, role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now gums host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Gridmapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
- Log names review, so that both client and server can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use it (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3, both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)

Release 0.7 - 2005-01-14

Changes (by):
- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests to Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
- GUMS in production at BNL (carcassi)
- NISMapper: retrieves the GECOS field and matches with certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (by):
- Script to fetch user from VOMS (dtyu)
- Script to map user to local account (tomw)

1.2.3 HOW TO: Upgrade from 1.0

HOW TO: Upgrade from 1.0 to 1.1

Database

Configuration file

Main differences

Compatibility with PRIMA

Compatibility with GUMS Client

  gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.org"

1.3 Using GUMS

1.3.1 Configuration

Configuring GUMS

1.3.1.1 gums.config

gums.config

  <gums>
    <persistenceFactories>
      <persistenceFactory ... />
    </persistenceFactories>
    <adminUserGroup ... />
    <groupMappings>
      <groupMapping ...>
        <userGroup ... />
        <accountMapping ... />
      </groupMapping>
      <groupMapping ...>
        <userGroup ... />
        <compositeAccountMapping>
          <accountMapping ... />
          <accountMapping ... />
          <accountMapping ... />
        </compositeAccountMapping>
      </groupMapping>
    </groupMappings>
    <hostGroups>
      <hostGroup ... />
    </hostGroups>
  </gums>

Understanding the GUMS configuration file

persistenceFactories

groupMappings

hostGroups

  <hostGroups>
    <!-- RHIC gatekeepers -->
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" ... />
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" ... />
    <!-- ATLAS test gatekeeper -->
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" ... />
    <!-- Rest of ATLAS gatekeepers -->
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" ... />
  </hostGroups>

in the order specified

  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov"
             groups="atlasProd, usatlasPool, ivdglPool" />

in the order specified

The first match will define the map.

  <groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
               persistenceFactory="mysql" name="atlasProd"
               voGroup="/atlas" voRole="production"
               sslCertfile="/etc/grid-security/gumscert.pem"
               sslKey="/etc/grid-security/gumskey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </groupMapping>

  <groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
               persistenceFactory="mysql" name="osgusatlas"
               voGroup="/atlas/usatlas"
               sslCertfile="/etc/grid-security/gumscert.pem"
               sslKey="/etc/grid-security/gumskey.pem"
               acceptProxyWithoutFQAN="true" />
    <compositeAccountMapping>
      <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </compositeAccountMapping>
  </groupMapping>

in the order listed

persistenceFactories

  <persistenceFactories>
    <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
  </persistenceFactories>

persistenceFactory attributes:

  name
    The name that will be used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap

  className
    The class that is going to provide the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.HibernatePersistenceFactory

  <persistenceFactory name="mysql"
      className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
      hibernate.connection.username="gums"
      hibernate.connection.password="mysecret"
      hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
      hibernate.connection.driver_class="com.mysql.jdbc.Driver"
      hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
      hibernate.connection.pool_size="3" />

adminUserGroup

groupMappings

groupMapping attributes:

  name
    The name that will be used by the other components to refer to this groupMapping.
    Examples: atlas, star, phenix

  accountingVo
    The lower case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

  accountingDesc
    The upper case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: ATLAS, iVDgL

userGroup attributes:

  className
    The class that is going to provide the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualUserGroup

gov.bnl.gums.LDAPGroup attributes:

  server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl

  query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

  persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

  name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

  <userGroup className="gov.bnl.gums.LDAPGroup" server="grid-vo.nikhef.nl"
             query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
             persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup attributes:

  url
    The url of the web services for VOMS. Notice that it needs the full url of the service; it won't be constructed from the server name or vo.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

  voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

  voRole
    The role defined within the VO.
    Examples: production, myrole

  matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    • exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify
    • group - the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    • vo - the FQAN in the proxy has to be of the same vo
    • ignore - the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

  acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted.
    Examples: true, false

  sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

  sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

  sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

  sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

  persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

  name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem" />

gov.bnl.gums.ManualUserGroup attributes:

  persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

  name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping

accountMapping attributes:

  className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper attributes:

  jndiNisUrl
    The url, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

  <accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper attributes:

  jndiLdapUrl
    The url, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

  <accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper attributes:

  persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

  name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper attributes:

  groupName
    The name of the account.
    Examples: atlas, testAccount

  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup

hostGroup attributes:

  className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

  groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated) attributes:

  wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except ".". That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

  <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov"
             groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup attributes:

  cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except ".", "/" or "=". That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

  dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except ".", "/" or "=".
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov"
             groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

1312 Examples

Configuration examples

Mapping people from a VOMS server

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemmatchFQAN=VO acceptProxyWithoutFQAN=true gt

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatlas1 gt

ltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlas gt

Allowing ad-hoc list of people

ltgroupMapping name=testersgtltuserGroup className=govbnlgumsManualUserGroup

persistenceFactory=mysql name=testers gtltaccountMapping className=govbnlgumsGroupAccountMapper groupName=test gt

ltgroupMappinggt

1 3 1 2 E X A M P L E S 39

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=testers gt

Using account pools

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgtltaccountMapping className=govbnlgumsAccountPoolMapper

persistenceFactory=mysql name=bnlPool gtltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlas gt

gt bingums pool-addRange mysql bnlPool grid0000-199

Composite mapping


<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />
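The policy the examples above describe, modelled in Python as an added example (not GUMS code): a first-match host group, groupMappings tried in the order listed, the matchFQAN and acceptProxyWithoutFQAN rules of a VOMS group, and a composite account mapping that falls through from a manual table to an alphabetically assigned pool. The Credential/resolve API and the sample DNs are assumptions of this example.

```python
"""Model of the GUMS mapping policy from the Examples section (added example, not
GUMS code): the first hostGroup whose cn wildcard matches the service certificate CN
gives an ordered list of groupMappings; the first userGroup that admits the credential
decides, and its accountMapping picks the local account (a compositeAccountMapping
tries its mappers in order).  Class names follow the page; the Credential/resolve
API and the sample DNs are this example's own."""
import re
from collections import namedtuple

Credential = namedtuple("Credential", "dn fqan", defaults=(None,))  # fqan: VOMS FQAN or None
GroupMapping = namedtuple("GroupMapping", "user_group account_mapping")
HostGroup = namedtuple("HostGroup", "cn groups")   # cn wildcard, groupMapping names in order


def cn_matches(pattern: str, cn: str) -> bool:
    """'*' stands for any run of characters except '.', '/' or '=', so
    '*.bnl.gov' matches 'gk.bnl.gov' but not 'myhost.usatlas.bnl.gov'."""
    regex = "".join("[^./=]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, cn) is not None


def split_fqan(fqan: str):
    """'/atlas/usatlas/Role=production' -> ('/atlas/usatlas', 'production')."""
    group, _, role = fqan.partition("/Role=")
    return group, (role or None)


class VOMSGroup:
    """Membership as cached from a VOMS server (member list constructed inline)."""
    def __init__(self, members, vo_group, vo_role=None, match_fqan="exact",
                 accept_proxy_without_fqan=False):
        self.members, self.vo_group, self.vo_role = set(members), vo_group, vo_role
        self.match_fqan, self.accept_no_fqan = match_fqan, accept_proxy_without_fqan

    def contains(self, cred) -> bool:
        if cred.dn not in self.members:
            return False
        if cred.fqan is None:                 # plain (non-VOMS) proxy
            return self.accept_no_fqan
        group, role = split_fqan(cred.fqan)
        if self.match_fqan == "ignore":
            return True
        if self.match_fqan == "vo":           # same VO, any group or role
            return group.split("/")[1] == self.vo_group.split("/")[1]
        if self.match_fqan == "group":        # same group or any subgroup, role ignored
            return group == self.vo_group or group.startswith(self.vo_group + "/")
        return group == self.vo_group and role == self.vo_role   # exact (default)


class ManualUserGroup:                 # ad-hoc DN list kept by manualGroup-add
    def __init__(self, members): self.members = set(members)
    def contains(self, cred): return cred.dn in self.members


class GroupAccountMapper:              # everyone in the group shares one account
    def __init__(self, group_name): self.group_name = group_name
    def map(self, cred): return self.group_name


class ManualAccountMapper:             # explicit DN -> account table (manualMapping-add)
    def __init__(self, table): self.table = dict(table)
    def map(self, cred): return self.table.get(cred.dn)


class AccountPoolMapper:               # accounts handed out alphabetically, pinned to the DN
    def __init__(self, accounts): self.free, self.assigned = sorted(accounts), {}
    def map(self, cred):
        if cred.dn not in self.assigned:
            if not self.free:
                return None            # pool exhausted: no mapping
            self.assigned[cred.dn] = self.free.pop(0)
        return self.assigned[cred.dn]


class CompositeAccountMapping:         # first mapper that yields an account wins
    def __init__(self, *mappers): self.mappers = mappers
    def map(self, cred):
        return next((a for a in (m.map(cred) for m in self.mappers) if a), None)


def resolve(config, host_groups, service_cn, cred):
    """Local account for cred on the service with certificate CN service_cn, or None."""
    for hg in host_groups:
        if cn_matches(hg.cn, service_cn):
            for name in hg.groups:
                gm = config[name]
                if gm.user_group.contains(cred):
                    return gm.account_mapping.map(cred)
            return None                # host known, but no group admits the user
    return None                        # service not configured in any hostGroup


# Constructed policy mirroring "Mapping based on groups/roles" and "Composite
# mapping": the production role is tried first; other VO members fall through to a
# manual table and then an account pool.  DNs are made up for this example.
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 11111"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 22222"
CONFIG = {
    "usatlasProd": GroupMapping(VOMSGroup([ALICE], "/atlas", vo_role="production"),
                                GroupAccountMapper("usatprod")),
    "usatlas": GroupMapping(
        VOMSGroup([ALICE, BOB], "/atlas/usatlas", match_fqan="vo",
                  accept_proxy_without_fqan=True),
        CompositeAccountMapping(ManualAccountMapper({BOB: "bob"}),
                                AccountPoolMapper(["grid0001", "grid0000"]))),
}
HOST_GROUPS = [HostGroup("*.mysite.com", ["usatlasProd", "usatlas"])]
```

Note that the order of groups in the hostGroup decides: a production proxy lands on usatprod only because usatlasProd is listed before usatlas, which would also admit it under matchFQAN="vo".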


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@testgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>      DN of the service. When using gums-host it defaults
                         to the host credential DN
 -f,--fqan <arg>         Fully Qualified Attribute Name, as it would be
                         selected using voms-proxy-init (no extended information by
                         default)
 -t,--timing <arg>       enables timing, grouping the requests. For example,
                         -t 100 will give you timing information on 100 requests at a
                         time
 -b,--bypassCallout      connects directly to GUMS instead of using the
                         callout
 -i,--issuer <arg>       Fully Qualified Attribute Name Issuer, that is the
                         DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>       number of times the request will be repeated
    --help               print this message

Service mapping generation commands

gums mapUser

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl

Manual groups and mappings management commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
    persistenceFactory="mysql" name="myvo" voGroup="/myvo"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add


[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>      DN of the service. When using gums-host it defaults
                         to the host credential DN
 -f,--fqan <arg>         Fully Qualified Attribute Name, as it would be
                         selected using voms-proxy-init (no extended information by
                         default)
 -t,--timing <arg>       enables timing, grouping the requests. For example,
                         -t 100 will give you timing information on 100 requests at a
                         time
 -b,--bypassCallout      connects directly to GUMS instead of using the
                         callout
 -i,--issuer <arg>       Fully Qualified Attribute Name Issuer, that is the
                         DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>       number of times the request will be repeated
    --help               print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile


[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error.
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs: [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version        Date               Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)


- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (glite) compatibility (carcassi)
- Support for mapfile cache terminated; web service door only (carcassi)
- FQAN allows for characters such as '-' and '_' in the vo, group/role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect, which caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)


- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now gums host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Gridmapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
- Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use them (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3, both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)


Release 0.7 - 2005-01-14

Changes (by):
- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- Host wildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)


- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests to Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches with certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004


Changes (by):
- Script to fetch user from VOMS (dtyu)
- Script to map user to local account (tomw)


Page 29: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

Compatibility with PRIMA

Compatibility with GUMS Client

gums generateGridMapfile DC=orgDC=doegridsOU=ServicesCN=testmysiteorg

1 2 3 H O W T O U P G R A D E F R O M 1 0 24

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

13 Using GUMS

1 3 U S I N G G U M S 25

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

131 Configuration

Configuring GUMS

1 3 1 C O N F I G U R A T I O N 26

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1311 gumsconfig

gumsconfig

ltgumsgtltpersistenceFactoriesgtltpersistenceFactorygt

ltpersistenceFactoriesgtltadminUserGroupgtltgroupMappingsgtltgroupMappinggt

ltuserGroupgtltaccountMappinggt

ltgroupMappinggtltgroupMappinggt

ltuserGroupgtltcompositeAccountMappinggtltaccountMappinggtltaccountMappinggtltaccountMappinggt

ltcompositeAccountMappinggtltgroupMappinggt

ltgroupMappingsgt

lthostGroupsgtlthostGroupgt

lthostGroupsgtltgumsgt

Understanding the GUMS configuration file

persistenceFactories

1 3 1 1 G U M S C O N F I G 27

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

groupMappings

hostGroups

lthostGroupsgtlt-- RHIC gatekeepers --gtlthostGroup className=govbnlgumsCertificateHostGroup cn=starbnlgov

gtlthostGroup className=govbnlgumsCertificateHostGroup cn=phenixbnlgov

gt

lt-- ATLAS test gatekeeper --gtlthostGroup className=govbnlgumsCertificateHostGroup

cn=mygkusatlasbnlgov gt

lt-- Rest of ATLAS gatekeepers --gtlthostGroup className=govbnlgumsCertificateHostGroup cn=usatlasbnlgov

gtlthostGroupsgt

in the order specified

lthostGroup className=govbnlgumsCertificateHostGroupcn=mygkusatlasbnlgovgroups=atlasProdusatlasPoolivdglPool gt

in the order specified

The firstmatch will define the map

1 3 1 1 G U M S C O N F I G 28

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltgroupMapping name=atlasProd accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=atlasProdvoGroup=atlasvoRole=productionsslCertfile=etcgrid-securitygumscertpemsslKey=etcgrid-securitygumskeypem gt

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatlas1 gt

ltgroupMappinggt

ltgroupMapping name=usatlasPool accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=osgusatlasvoGroup=atlasusatlassslCertfile=etcgrid-securitygumscertpemsslKey=etcgrid-securitygumskeypemacceptProxiesWithoutFQAN=truegt

ltcompositeAccountMappinggtltaccountMapping className=govbnlgumsAccountPoolMapper

persistenceFactory=mysql name=bnlPool gtltaccountMapping className=govbnlgumsGroupAccountMapper

groupName=usatlas1 gtltcompositeAccountMappinggt

ltgroupMappinggt

1 3 1 1 G U M S C O N F I G 29

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

in the order listed

persistenceFactories

ltpersistenceFactoriesgtltpersistenceFactory name=mysql

className=govbnlgumsMySQLPersistenceFactory gtltpersistenceFactoriesgt

persistenceFactory

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

mysqlfilesldap

className The class that is going to provide theimplementation for the persistence layer Itmust implement govbnlgumsPersistenceFactory

govbnlgumshibernateHibernatePersistenceFactoryorgmysiteHRDatabaseFactory

govbnlgumsHibernatePersistenceFactory

ltpersistenceFactory name=mysqlclassName=govbnlgumshibernateHibernatePersistenceFactoryhibernateconnectionusername=gumshibernateconnectionpassword=mysecret

1 3 1 1 G U M S C O N F I G 30

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

hibernateconnectionurl=jdbcmysqlmydbmysiteorgGUMS_1_1hibernateconnectiondriver_class=commysqljdbcDriverhibernatedialect=netsfhibernatedialectMySQLDialecthibernateconnectionpool_size=3 gt

adminUserGroup

groupMappings

groupMapping

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

atlasstarphenix

accountingVo The lower case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasivdgl

accountingDesc The upper case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasiVDgL

userGroup

Attribute Description Examples

className The class that is going to provide theimplementation for the user group It mustimplement govbnlgumsUserGroup

govbnlgumsLDAPGroupgovbnlgumsVOMSGroupgovbnlgumsManualGroup

govbnlgumsLDAPGroup

1 3 1 1 G U M S C O N F I G 31

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

server The LDAP server from which to retrieve theinformation

grid-vonikhefnl

query The query to be used on the server ou=usatlaso=atlasdc=eu-datagriddc=orgou=Peopleo=atlasdc=eu-datagriddc=org

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name The name of the cache within the persistencefactory Refer to the specifics of thepersistence factory itself

atlasusatlas

ltuserGroup className=govbnlgumsLDAPGroupserver=grid-vonikhefnlquery=ou=Peopleo=atlasdc=eu-datagriddc=orgpersistanceFactory=mysql name=atlas gt

govbnlgumsVOMSGroup

Attribute Description Examples

url The url of the web services for VOMS Noticethat it needs the full url of the service it wontbe constructed from the server name or vo

httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdmin

voGroup The group defined within the VO atlastestatlasgroupsubgroup

voRole The role defined within the VO productionmyrole

1 3 1 1 G U M S C O N F I G 32

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

matchFQAN Defines how the VOMS attribute (or role) ismatched There are 4 possible waysbull exact (default) - the FQAN in the proxy

has to be the same as what voGroup andvoRole specify

bull group - the FQAN in the proxy has to bethe same group or any subgroup role isignored

bull vo - the FQAN in the proxy has to be ofthe same vo

bull ignore - the FQAN in the proxy iscompletely ignored

exactgroupvoignore

acceptProxyWithoutFQAN Defines whether normal proxies that isnon-VOMS proxies are to be accepted Iftrue a non-VOMS proxy with the DN as partof the group will be accepted

truefalse

sslCertfile The certificate to be used to connect toVOMS

etcgrid-securityhostcertpem

sslKey The private key to be used to connect toVOMS

etcgrid-securityhostkeypem

sslKeyPasswd The password of the key to be used toconnect to VOMS Do not set if the keydoesnt have a password (such as whenusing host certificates)

mysecret

sslCAFiles The set of CA certificate files to be used toconnect to VOMS The value is a wildcardthat matches the cert files

etcgrid-securitycertificates0

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name The name of the cache within the persistencefactory Refer to the specifics of thepersistence factory itself

atlasTestatlasGroupSubgroup

ltuserGroup className=govbnlgumsVOMSGroupurl=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdmin

persistanceFactory=mysql name=atlasvoGroup=atlastest

1 3 1 1 G U M S C O N F I G 33

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgt

govbnlgumsManualGroup

Attribute Description Examples

persistenceFactory

The persistence layer to be used to store thelist of users The string must be one of thenames defined within thepersistenceFactories section

mysql

name The name of the group within the persistencefactory Refer to the specifics of thepersistence factory itself

testtestbedAadmins

ltuserGroup className=govbnlgumsManualUserGrouppersistanceFactory=mysql name=testGroup gt

compositeAccountMapping

accountMapping

1 3 1 1 G U M S C O N F I G 34

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

className The class that is going to provide theimplementation for the mapping It mustimplement govbnlgumsAccountMapping

govbnlgumsManualAccountMappergovbnlgumsGecosLdapAccountMappergovbnlgumsGecosNisAccountMappergovbnlgumsAccountPoolMappergovbnlgumsGroupAccountMapper

govbnlgumsGecosNisAccountMapper

Attribute Description Examples

jndiNisUrl The url as defined in the Java JNDI driverthat allows to specify the NIS server and thedomain

nisnisbnlgovatlas

ltaccountMapping className=govbnlgumsGecosNisAccountMapperjndiNisUrl=nisnismysiteorgdomain gt

govbnlgumsGecosLdapAccountMapper

Attribute Description Examples

jndiLdapUrl The url as defined in the Java JNDI driverthat allows to specify the LDAP server andthe domain

ldapldapbnlgovdc=usatlasdc=bnldc=gov

ltaccountMapping className=govbnlgumsGecosLdapAccountMapperjndiLdapUrl=ldapldapmysiteorgdc=domaindc=mysitedc=gov gt

govbnlgumsAccountPoolMapper

1 3 1 1 G U M S C O N F I G 35

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

persistenceFactory

The persistence layer to be used to store thepool mapping The string must be one of thenames defined within thepersistenceFactories section

mysql

name The name of the pool within the persistencefactory Refer to the specifics of thepersistence factory itself

mysitePoolosgPool

ltaccountMapping className=govbnlgumsAccountPoolMapperpersistenceFactory=mysql name=bnlPool gt

govbnlgumsGroupAccountMapper

Attribute Description Examples

groupName The name of the account atlastestAccount

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=atlas gt

hostGroups

hostGroup

1 3 1 1 G U M S C O N F I G 36

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

className The class that is going to provide theimplementation for the hostGroup It mustimplement govbnlgumsHostGroup

govbnlgumsCertificateHostGroup

groups A list of groupMappings in the order ofpreference To determine which group shouldbe used for a particular user GUMS will startfrom the beginning of the list until it finds amatch Therefore if there would be more thanone match (ie a user is part of more groups)the first one in the list is used

group1group2

govbnlgumsWildcardHostGroup (deprecated)

Attribute Description Examples

wildcard The wildcard for the set of hosts to beincluded The wildcard is a string where canbe substituted with any character except That is bnlgov wouldnt matchmyhostusatlasbnlgov

myhostmysiteorgatlasmysiteorgatlasmysiteorg

lthostGroup className=govbnlgumsWildcardHostGroupwildcard=usatlasbnlgovgroups=gridexsdssuscmsusatlasGroupbtevligoivdgl gt

govbnlgumsCertificateHostGroup

1 3 1 1 G U M S C O N F I G 37

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

cn The wildcard on the CN for the set of servicesto be included The cn is a string where canbe substituted with any character except or = That is bnlgov wouldnt matchmyhostusatlasbnlgov or hosttestbnlgov

myhostmysiteorgatlasmysiteorgatlasmysiteorghostmysiteorggridftpmysiteorg

dn The wildcard on the DN for the set of servicesto be included The wildcard is a string where can be substituted with any characterexcept or =

DC=orgDC=doegridsOU=ServicesCN=mycompanycom

lthostGroup className=govbnlgumsCertificateHostGroupcn=usatlasbnlgovgroups=gridexsdssuscmsusatlasGroupbtevligoivdgl gt


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas"
          voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem"
          matchFQAN="vo" acceptProxyWithoutFQAN="true" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

With matchFQAN="vo" any VOMS proxy of the atlas VO is accepted regardless of group or role, and with acceptProxyWithoutFQAN="true" a plain (non-VOMS) proxy is accepted as well, as long as its DN is in the cached member list. Both settings widen who gets the usatlas1 account, so use them only where the site does not need to distinguish groups or roles.

Allowing an ad-hoc list of people

    <groupMapping name="testers">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas"
          voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

The accounts are added to the pool from the command line:

    $ bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas"
          voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem" />
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
      </compositeAccountMapping>
    </groupMapping>

The account mappings of a compositeAccountMapping are tried in the order listed: a user with an explicit entry in the bnlMap manual mapping gets that account, and everybody else gets one from the bnlPool pool.

Mapping based on groups/roles

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas"
          voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>

    <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlasProd"
          voGroup="/atlas" voRole="production"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />

Note the order in groups: usatlasProd is listed before usatlas because the first matching groupMapping wins. With the default matchFQAN="exact" only a proxy carrying /atlas/Role=production matches usatlasProd, but if usatlas were relaxed (matchFQAN="vo" or acceptProxyWithoutFQAN="true") and listed first, it would capture those users too and the usatprod account would never be used.
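The examples above show the individual pieces; what they do not show is how easily a gums.config ends up referencing a groupMapping or persistenceFactory that is never defined, carrying a misspelled attribute name that is hard to spot by eye, or listing a role-specific groupMapping behind a broad one for the same VO. The following Python is an added example, not GUMS code, that parses a constructed gums.config with xml.etree and reports those problems. The VO, hostnames and VOMS URL in the sample are placeholders; the shadowing rule (a matchFQAN="vo" or "ignore" group listed earlier for the same VO makes a later role-specific group unreachable for users who are members of both) follows from the first-match rule described above.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed gums.config fragment (placeholders, not a real site); it contains every
# mistake the checker below looks for.
SAMPLE_CONFIG = """<gums>
  <persistenceFactories>
    <persistenceFactory name="mysql" className="gov.bnl.gums.hibernate.HibernatePersistenceFactory" />
  </persistenceFactories>
  <groupMappings>
    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.example.org:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
          matchFQAN="vo" acceptProxyWithoutFQAN="true"
          sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>
    <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.example.org:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistanceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
          sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
    </groupMapping>
    <groupMapping name="testers">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="files" name="testers" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com"
        groups="usatlas, usatlasProd, admins" />
  </hostGroups>
</gums>
"""


def _vo(vo_group):
    """'/atlas/usatlas' -> 'atlas'; None when no voGroup is set."""
    parts = [p for p in (vo_group or "").split("/") if p]
    return parts[0] if parts else None


def lint_gums_config(xml_text: str) -> List[str]:
    root = ET.fromstring(xml_text)
    out: List[str] = []
    factories = {pf.get("name") for pf in root.iter("persistenceFactory")}
    mappings = {gm.get("name"): gm for gm in root.iter("groupMapping")}

    for name, gm in mappings.items():
        for el in gm.iter():
            # a misspelled attribute name is easy to miss by eye and leaves the element
            # without the persistence factory it meant to name
            if "persistanceFactory" in el.attrib:
                out.append(f"{name}/{el.tag}: misspelled attribute persistanceFactory (should be persistenceFactory)")
            pf = el.get("persistenceFactory")
            if pf is not None and pf not in factories:
                out.append(f"{name}/{el.tag}: persistenceFactory '{pf}' is not defined")
        ug = gm.find("userGroup")
        if ug is not None and ug.get("className", "").endswith("VOMSGroup"):
            if ug.get("acceptProxyWithoutFQAN", "false").lower() == "true":
                out.append(f"{name}: acceptProxyWithoutFQAN=true, a plain proxy from any member DN is mapped with no role check")
            if ug.get("matchFQAN", "exact").lower() == "ignore":
                out.append(f"{name}: matchFQAN=ignore, any VOMS attributes are accepted for member DNs")

    for hg in root.iter("hostGroup"):
        label = hg.get("cn") or hg.get("dn") or hg.get("wildcard") or "?"
        names = [n.strip() for n in hg.get("groups", "").split(",") if n.strip()]
        earlier = []  # (groupMapping name, vo, matchFQAN) already listed for this host group
        for n in names:
            if n not in mappings:
                out.append(f"hostGroup {label}: groups references undefined groupMapping '{n}'")
                continue
            ug = mappings[n].find("userGroup")
            if ug is None:
                continue
            vo, mode = _vo(ug.get("voGroup")), ug.get("matchFQAN", "exact").lower()
            if ug.get("voRole"):
                for e_name, e_vo, e_mode in earlier:
                    if e_vo == vo and e_mode in ("vo", "ignore"):
                        out.append(f"hostGroup {label}: '{n}' (voRole={ug.get('voRole')}) is listed after "
                                   f"'{e_name}' (matchFQAN={e_mode}); members of both always get "
                                   f"'{e_name}', so list '{n}' first")
            earlier.append((n, vo, mode))
    return out


if __name__ == "__main__":
    for finding in lint_gums_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports five findings: the acceptProxyWithoutFQAN="true" on usatlas, the persistanceFactory typo in usatlasProd, the undefined "files" factory, the usatlasProd group shadowed by usatlas, and the undefined admins group. With those corrected it reports nothing, which is the state a gums.config should be in before it is restarted into production.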

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums
    usage: gums command [command-options]
    Commands:
      generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
      generateGridMapfile    - Generate grid-mapfile for a given service/host
      manualGroup-add        - Includes a DN in a group
      manualGroup-remove     - Removes a DN from a group
      manualMapping-add      - Adds a DN-to-username in a mapping
      manualMapping-remove   - Removes a DN from a mapping
      mapUser                - Local credential used for a particular user
      mapfileCache-refresh   - Regenerates mapfiles in the cache
      pool-addRange          - Adds accounts to an account pool
      updateGroups           - Contact VO servers and retrieve user lists
      version                - Retrieve GUMS client version

For help on any command: gums command --help

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser --help
    usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
    Maps the grid identity to the local user.
    Options:
     -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN.
     -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default.
     -t,--timing <arg>     Enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
     -b,--bypassCallout    Connects directly to GUMS instead of using the callout.
     -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
     -n,--ntimes <arg>     Number of times the request will be repeated.
        --help             Print this message.

Service mapping generation commands

gums mapUser

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: grid12345]

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: special1]

gums generateGridMapfile

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
    #---- members of vo: usatlas ----
    "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
    #User-VO map
    # #comment line, format of each regular line, line: account VO
    # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
    #voi usatlas ivdgl ligo btev uscms sdss gridex grase
    #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
    #---- accounts for vo: usatlas ----
    usatlas1 usatlas
    #---- accounts for vo: ivdgl ----
    ivdgl ivdgl
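To see what a gatekeeper actually receives from these two commands, the following Python (an added example, not part of GUMS) parses both formats shown above and cross-checks them: a DN that appears twice with different accounts, an account the grid3-user-vo-map does not attribute to any VO, and a #voi/#VOc mismatch. The inputs are constructed in the same formats with fictitious DNs; the statement that a gatekeeper honours only the first grid-mapfile line for a DN is an assumption about the consumer of the file, not something this manual specifies.

```python
import re
from typing import Dict, List, Tuple

# Constructed inputs in the formats shown above (fictitious DNs).
GRID_MAPFILE = '''#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Alice Example 5894" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Bob Example 409738" usatlas1
#---- members of vo: ivdgl ----
"/DC=org/DC=doegrids/OU=People/CN=Carol Example 12" ivdgl
"/DC=org/DC=doegrids/OU=People/CN=Bob Example 409738" ivdgl
'''

USER_VO_MAP = '''#User-VO map
# #comment line, format of each regular line, line: account VO
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
'''

# grid-mapfile entry: a double-quoted DN, whitespace, the local account name
MAPFILE_LINE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def parse_grid_mapfile(text: str) -> List[Tuple[str, str]]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = MAPFILE_LINE.match(line)
        if not m:
            raise ValueError(f"grid-mapfile line {lineno}: cannot parse {line!r}")
        entries.append((m.group(1), m.group(2)))
    return entries


def parse_user_vo_map(text: str) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Returns (account -> vo, names on the #voi line, names on the #VOc line)."""
    account_vo: Dict[str, str] = {}
    voi: List[str] = []
    voc: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#voi "):
            voi = line.split()[1:]
        elif line.startswith("#VOc "):
            voc = line.split()[1:]
        elif not line.strip() or line.startswith("#"):
            continue
        else:
            parts = line.split()
            if len(parts) != 2:
                raise ValueError(f"user-vo-map line {lineno}: cannot parse {line!r}")
            account_vo[parts[0]] = parts[1]
    return account_vo, voi, voc


def check_maps(mapfile_text: str, vomap_text: str) -> List[str]:
    """Problems worth fixing before the two files are distributed to a gatekeeper."""
    problems = []
    entries = parse_grid_mapfile(mapfile_text)
    account_vo, voi, voc = parse_user_vo_map(vomap_text)
    first_account: Dict[str, str] = {}
    for dn, account in entries:
        # assumption: the consumer takes the first line for a DN, so a later, different
        # account for the same DN is never used
        prev = first_account.setdefault(dn, account)
        if prev != account:
            problems.append(f"{dn} is mapped to {prev} and again to {account}; only the first counts")
    for account in sorted({a for _, a in entries}):
        if account not in account_vo:
            problems.append(f"account {account} is in grid-mapfile but has no VO in grid3-user-vo-map")
    if len(voi) != len(voc):
        problems.append(f"#voi lists {len(voi)} VOs but #VOc lists {len(voc)}")
    for vo in sorted(set(account_vo.values())):
        if vo not in voi:
            problems.append(f"VO {vo} is used by an account but missing from the #voi line")
    return problems


if __name__ == "__main__":
    for p in check_maps(GRID_MAPFILE, USER_VO_MAP):
        print("WARNING:", p)
```

On the sample the only finding is Bob's DN, listed once under usatlas and again under ivdgl; whichever VO's block comes second in the generated file is the mapping that never takes effect.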

Manual groups and mappings management commands

    <groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
    </groupMapping>

    <groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
          persistenceFactory="mysql" name="myvo"
          voGroup="/myvo"
          sslCertfile="/etc/grid-security/hostcert.pem"
          sslKey="/etc/grid-security/hostkey.pem" />
      <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
    </groupMapping>

gums manualGroup-add

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

    [carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

gums-host authenticates to the GUMS server with the host credential of the machine it runs on, and -s defaults to that host certificate's DN, so it can only ask for the mappings that apply to its own host.

    [root@mygk bin]$ gums-host
    usage: gums-host command [command-options]
    Commands:
      generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
      generateGridMapfile    - Generate grid-mapfile for this host
      mapUser                - Local credential used for a particular user
      version                - Retrieve GUMS client version

For help on any command: gums-host command --help

    [root@mygk bin]$ gums-host mapUser --help
    usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
    Maps the grid identity to the local user.
    Options:
     -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN.
     -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default.
     -t,--timing <arg>     Enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
     -b,--bypassCallout    Connects directly to GUMS instead of using the callout.
     -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
     -n,--ntimes <arg>     Number of times the request will be repeated.
        --help             Print this message.

Service mapping generation commands

gums-host mapUser

    [root@mygk bin]$ gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: grid12345]

    [root@mygk bin]$ gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: special1]

gums-host generateGridMapfile

    [root@mygk bin]$ gums-host generateGridMapfile
    #---- members of vo: usatlas ----
    "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

    [root@mygk bin]$ gums-host generateGrid3UserVoMap
    #User-VO map
    # #comment line, format of each regular line, line: account VO
    # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
    #voi usatlas ivdgl ligo btev uscms sdss gridex grase
    #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
    #---- accounts for vo: usatlas ----
    usatlas1 usatlas
    #---- accounts for vo: ivdgl ----
    ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

    [root@atlasgrid13 log]# cat /etc/sysconfig/syslog
    # Options to syslogd
    # -m 0 disables 'MARK' messages.
    # -r enables logging from remote machines
    # -x disables DNS lookups on messages recieved with -r
    # See syslogd(8) for more details
    SYSLOGD_OPTIONS="-r -m 0"
    # Options to klogd
    # -2 prints all kernel oops messages twice; once for klogd to decode, and
    #    once for processing with 'ksymoops'
    # -x disables all klogd processing of oops messages entirely
    # See klogd(8) for more details
    KLOGD_OPTIONS="-x"

The -r option makes syslogd accept messages on UDP port 514 from any host, without authentication. A host that collects the site security log this way should accept that port only from the known GUMS and gatekeeper hosts, otherwise anyone on the network can inject entries into the security log.

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

(If you choose to print this, you might also want to print the code to which the online version of this article links.)

Changing storage for GUMS data

    throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

    throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

    GUMS encountered an error
    Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
    Error Message: Authorization denied

    $VDT_LOCATION/apache/logs:
    [Tue Jun 07 15:02:45 2005] [error] Certificate Verification Error (20): unable to get local issuer certificate

Verification error 20 means Apache could not find the CA certificate that issued the presented certificate among its trusted CAs. The fix is to install the missing CA certificate (and its signing policy) in the trusted certificates directory, not to relax certificate verification.

1.7 Changes

Release History

    Version        Date
    1.1.0          2005-07-20
    1.0.1          2005-04-07
    1.0.0          2005-03-16
    0.7.1          2005-02-01
    0.7            2005-01-14
    0.6.1          2004-08-10
    0.6            2004-07-01
    0.5            2004-05-20
    undetermined   before March 2004

Release 1.1.0 - 2005-07-20

• Review GUMS maven structure (i.e. plug-in dependencies, project.xml). (carcassi)
• Fix tomcat deployment in build (i.e. dev server being down once in a while). (carcassi)
• Mapping according to the GECOS field, available in both NIS and LDAP. (carcassi)
• One can filter on the full CN of a host certificate. (carcassi)
• The service certificate DN is now the identifier for hosts and machines. (carcassi)
• Release version in command line. (carcassi)
• If gums.config wasn't found the first time, a tomcat restart was needed. (carcassi)
• Minor updates to the web interface. (carcassi)
• VOMS Admin v1.0.x (gLite) compatibility. (carcassi)
• Support for mapfile cache terminated: web service door only. (carcassi)
• FQAN allows for '-', '_' and '.' in the VO, group, role and capability. (carcassi)
• DB reviewed: better indexing and transaction use. (carcassi)
• Updating from VOMS is no longer blocking. (carcassi)

Release 1.0.1 - 2005-04-07

• Including setupDatabase with the modifications made for VDT. (carcassi)
• gums-client RPM now obsoletes gums-host and gums-admin (no need to remove the package). (carcassi)
• Error code from scripts was incorrect; that caused the cron job to update maps in case of error too. (carcassi)

Release 1.0.0 - 2005-03-16

• Repackaging of the client components: merged admin and host and named it client. (carcassi)
• Fixed minor issues with authorization obligations for storage system. (mlorch)
• Double add to a manual group now fails. (carcassi)
• Script that creates the database and changes the configuration accordingly. (carcassi)
• Repackaging of the service component. (carcassi)
• Server identity is now the GUMS host name. (carcassi)
• GUMS accepts new style proxies. (carcassi)
• The accounts in the pool are used in alphabetical order. (carcassi)
• Inverse map is now generated exploring all the DN/FQAN combinations. (carcassi)
• Grid-mapfile is generated simulating users with no FQAN. (carcassi)
• LDAP integration for primary gid change at BNL once an account is assigned. (carcassi)

Release 0.7.1 - 2005-02-01

• Log names reviewed so that both client and server logs can stay (through links) in the same directory. (carcassi)
• NIS update is done every hour and is now thread safe. (carcassi)
• Log file permissions for the command line tools are set so multiple users can use them (important for admin). (carcassi)
• GUMS host can now be used for stress testing and timing the server response. (carcassi)
• Added connection pooling on MySQL server. (carcassi)
• Solved a race condition that would make GUMS hang in some circumstances. (carcassi)
• AuthZ callout without GT3, both client and server stubs. (mlorch)
• Added code for Privilege Project in GUMS repository and build process. (carcassi)

Release 0.7 - 2005-01-14

• Better logging: server logs all commands with both input and output. (carcassi)
• More complete command line interface. (carcassi)
• Web service implementation. (carcassi)
• HostWildcards can be more than one, comma separated. (carcassi)
• Support for VOMS Fully Qualified Attribute Names. (carcassi)
• AuthZ service to be contacted by Globus callout. (carcassi)
• Support for grid3-user-vo-map.txt generation. (carcassi)
• Many, many other refinements. (carcassi)

Release 0.6.1 - 2004-08-10

• Nightly build and reporting with Maven. (carcassi)
• Removed all the old code from 0.6. (carcassi)
• Better log system: logs for developer, resource admin and site admin in place. (carcassi)
• Ability to retrieve groups from within a VOMS server (finally). (carcassi)
• No more duplication in the mapfiles. (carcassi)
• Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated. (carcassi)
• Improved error handling (i.e. a failed update on one group doesn't block the others). (carcassi)
• Installation through RPMs (cron jobs installed automatically). (carcassi)
• Unit tests for Grid3 VOs included. (carcassi)
• LDAP access improved: can access LCG dev VO. (carcassi)

Release 0.6 - 2004-07-01

• XML configuration file for mapping policy. (carcassi)
• Log infrastructure. (carcassi)
• More flexible architecture. (carcassi)
• Decoupled grid-mapfile generation from database caching for distribution on the gatekeeper. (carcassi)
• Web interface to generate grid-mapfiles and map users. (carcassi)
• Better command line interfaces (feel like Unix commands). (carcassi)

Release 0.5 - 2004-05-20

• GUMS in production at BNL. (carcassi)
• NISMapper retrieves the GECOS field and matches it with the certificate CN. (carcassi)
• Architecture to allow different types of mappings for different hosts. (carcassi)

Release undetermined - before March 2004

• Script to fetch users from VOMS. (dtyu)
• Script to map user to local account. (tomw)


1.3 Using GUMS

1.3.1 Configuration

Configuring GUMS

1.3.1.1 gums.config

gums.config

    <gums>
      <persistenceFactories>
        <persistenceFactory ... />
      </persistenceFactories>
      <adminUserGroup ... />
      <groupMappings>
        <groupMapping ...>
          <userGroup ... />
          <accountMapping ... />
        </groupMapping>
        <groupMapping ...>
          <userGroup ... />
          <compositeAccountMapping>
            <accountMapping ... />
            <accountMapping ... />
            <accountMapping ... />
          </compositeAccountMapping>
        </groupMapping>
      </groupMappings>
      <hostGroups>
        <hostGroup ... />
      </hostGroups>
    </gums>

Understanding the GUMS configuration file

persistenceFactories

groupMappings

hostGroups

    <hostGroups>
      <!-- RHIC gatekeepers -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" ... />
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" ... />
      <!-- ATLAS test gatekeeper -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" ... />
      <!-- Rest of ATLAS gatekeepers -->
      <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" ... />
    </hostGroups>

The host groups are checked in the order specified, and the first hostGroup whose cn (or dn) pattern matches the service certificate of the requesting host is the one used. That is why the test gatekeeper mygk.usatlas.bnl.gov is listed before *.usatlas.bnl.gov: the wildcard would match it too.

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov"
        groups="atlasProd, usatlasPool, ivdglPool" />

Within a host group, the groupMappings listed in groups are tried in the order specified. The first match will define the map.

    <groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="atlasProd"
          voGroup="/atlas" voRole="production"
          sslCertfile="/etc/grid-security/gumscert.pem"
          sslKey="/etc/grid-security/gumskey.pem" />
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
    </groupMapping>

    <groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
          url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
          persistenceFactory="mysql" name="osgusatlas"
          voGroup="/atlas/usatlas"
          sslCertfile="/etc/grid-security/gumscert.pem"
          sslKey="/etc/grid-security/gumskey.pem"
          acceptProxyWithoutFQAN="true" />
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
        <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
      </compositeAccountMapping>
    </groupMapping>

The account mappings of a compositeAccountMapping are tried in the order listed: here a member of /atlas/usatlas gets an account from the bnlPool pool, and falls back to the shared usatlas1 account only when the pool mapper cannot provide one (for instance because the pool is exhausted).

persistenceFactories

    <persistenceFactories>
      <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" />
    </persistenceFactories>

persistenceFactory

name
    The name that the other components use to refer to this persistenceFactory.
    Examples: mysql, files, ldap

className
    The class that provides the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.hibernate.HibernatePersistenceFactory

    <persistenceFactory name="mysql"
        className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
        hibernate.connection.username="gums"
        hibernate.connection.password="mysecret"
        hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
        hibernate.connection.driver_class="com.mysql.jdbc.Driver"
        hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
        hibernate.connection.pool_size="3" />

The database password is stored in clear text in gums.config, so the file must be readable only by the account the GUMS service (tomcat) runs as; the same account is the one that needs to read the service certificate and key named in the VOMSGroup entries.

adminUserGroup

groupMappings

groupMapping

name
    The name that the other components (such as the groups list of a hostGroup) use to refer to this groupMapping.
    Examples: atlas, star, phenix

accountingVo
    The lower case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

accountingDesc
    The upper case OSG accounting name that will be used to generate the inverse maps for this group.
    Examples: atlas, iVDgL

userGroup

className
    The class that provides the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualUserGroup

gov.bnl.gums.LDAPGroup

server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl

query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org and ou=People,o=atlas,dc=eu-datagrid,dc=org

persistenceFactory
    The persistence layer used to store the list of users locally. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

    <userGroup className="gov.bnl.gums.LDAPGroup" server="grid-vo.nikhef.nl"
        query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
        persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

url
    The URL of the VOMS Admin web service. Note that it needs the full URL of the service; it won't be constructed from the server name or VO.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

voRole
    The role defined within the VO.
    Examples: production, myrole

matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    • exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify
    • group - the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
    • vo - the FQAN in the proxy has to be of the same VO
    • ignore - the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy whose DN is part of the group will be accepted.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer used to store the list of users locally. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="atlas"
        voGroup="/atlas/test"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />

The looser matchFQAN modes and acceptProxyWithoutFQAN="true" both reduce the check to membership of the locally cached VOMS user list (no group or role is verified for the proxies they admit), so use them only for a groupMapping that is meant to cover every member of the VO. Membership is evaluated against that cached list, which only changes when updateGroups runs; a user removed from VOMS keeps the mapping until the next update.

gov.bnl.gums.ManualUserGroup

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping

className
    The class that provides the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

jndiNisUrl
    The URL, as defined by the Java JNDI driver, that specifies the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

    <accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

jndiLdapUrl
    The URL, as defined by the Java JNDI driver, that specifies the LDAP server and the base DN.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

    <accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

Both GECOS mappers pick the account whose GECOS (full name) field matches the CN of the user's certificate. Because that is a match on a human-readable name, two accounts with the same GECOS string, or a certificate whose CN happens to equal somebody else's GECOS entry, would be mapped to the wrong account; check the directory for GECOS collisions before enabling either mapper.

gov.bnl.gums.AccountPoolMapper

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

groupName
    The name of the account.
    Examples: atlas, testAccount

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup

Attribute: className
    The class that provides the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

Attribute: groups
    A comma-separated list of groupMappings, in order of preference. To determine which group should be used for a particular user, GUMS starts from the beginning of the list and stops at the first match. Therefore, if there is more than one match (i.e. the user is a member of several groups), the first one in the list is used. Order the list with this in mind: a broad group placed before a narrower, more privileged one will shadow it for users who are members of both.
    Examples: group1,group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute: wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string in which * stands for any run of characters except ".". That is, *.bnl.gov would not match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

gov.bnl.gums.CertificateHostGroup

Attribute: cn
    The wildcard on the CN of the service certificate for the set of services to be included. The cn is a string in which * stands for any run of characters except ".", "/" or "=". That is, *.bnl.gov would not match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

Attribute: dn
    The wildcard on the full DN of the service certificate for the set of services to be included. The wildcard is a string in which * stands for any run of characters except ".", "/" or "=".
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />
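The two rules above, the restricted wildcard and the first-match walk over the groups list, decide which groupMapping a request is evaluated under. The following Python model is an added example written for this page, not GUMS code: it represents hostGroups as plain dictionaries, takes a user's group memberships as a set of groupMapping names (the hypothetical names atlasProd, usatlasPool and ivdglPool are constructed here), and assumes hostGroups are themselves tried in the order listed.

```python
"""Model of GUMS host-group wildcard matching and first-match group selection.

Added example, not GUMS code. Assumptions not taken from the page: hostGroups
are tried in configuration order, a user's memberships are a set of
groupMapping names, and the constructed HOST_GROUPS configuration below.
"""
import re

CN_STOP = ".=/"   # characters '*' never matches in cn= and dn= wildcards
HOST_STOP = "."   # deprecated WildcardHostGroup: '*' never matches '.'


def wildcard_to_regex(pattern, stop):
    """Compile a GUMS-style wildcard: '*' -> [^stop]*, everything else literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    body = ("[^" + re.escape(stop) + "]*").join(parts)
    return re.compile("^" + body + "$")


def wildcard_match(pattern, value, stop=CN_STOP):
    return wildcard_to_regex(pattern, stop).match(value) is not None


def service_cn(service_dn):
    """CN of a slash-separated DN; the CN may itself contain '/' (host/gk.site.org)."""
    _, sep, cn = service_dn.partition("/CN=")
    if not sep:
        raise ValueError("no CN in " + service_dn)
    return cn


def find_host_group(host_groups, service_dn):
    """First hostGroup whose cn wildcard matches the CN, or whose dn wildcard matches the DN."""
    cn = service_cn(service_dn)
    for hg in host_groups:
        if "cn" in hg and wildcard_match(hg["cn"], cn):
            return hg
        if "dn" in hg and wildcard_match(hg["dn"], service_dn):
            return hg
    return None


def resolve_group(host_groups, service_dn, user_groups):
    """groupMapping GUMS would use: first name in the host group's `groups`
    list the user is a member of; None means the user gets no mapping."""
    hg = find_host_group(host_groups, service_dn)
    if hg is None:
        return None
    for name in hg["groups"]:
        if name in user_groups:
            return name
    return None


# Constructed sample configuration (hypothetical names, not a real site).
HOST_GROUPS = [
    {"cn": "mygk.usatlas.bnl.gov", "groups": ["atlasProd", "usatlasPool", "ivdglPool"]},
    {"cn": "*.usatlas.bnl.gov", "groups": ["usatlasPool", "ivdglPool"]},
    {"dn": "/DC=org/DC=doegrids/OU=Services/CN=gridftp/*.bnl.gov", "groups": ["ivdglPool"]},
]

if __name__ == "__main__":
    gk = "/DC=org/DC=doegrids/OU=Services/CN=gk2.usatlas.bnl.gov"
    # atlasProd is only offered by the test gatekeeper, so gk2 falls through to usatlasPool
    print(resolve_group(HOST_GROUPS, gk, {"atlasProd", "usatlasPool"}))
```

Note that the same user is mapped through atlasProd on mygk.usatlas.bnl.gov but through usatlasPool on every other ATLAS gatekeeper: the host group, not only the user's memberships, determines the outcome, which is why a specific hostGroup entry has to precede the wildcard entry that would also match it.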

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem"
             matchFQAN="vo" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

With matchFQAN="vo" any FQAN from the atlas VO is accepted and, because acceptProxyWithoutFQAN is true, so is a plain non-VOMS proxy whose DN is in the member list; this is the loosest of the matching policies.

Allowing an ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

The pool must then be filled with the accounts it may hand out; the range syntax is prefix plus first and last number, so the following adds grid0000 through grid0199:

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

The mappings are tried in the order listed: a user with an explicit entry in bnlMap keeps that account, everybody else is given one from bnlPool.

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="usatlasProd"
             voGroup="/atlas" voRole="production"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas" />

usatlasProd is listed first in groups on purpose: a production-role proxy is then mapped to usatprod, while the same person without the role, or a member of the VO not listed in usatlasProd, falls through to the generic usatlas1 account. Listing usatlas first would give every member usatlas1 and make the production mapping unreachable.
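The composite and pool examples above rely on three behaviours the text states separately: the mappings in a compositeAccountMapping are tried in order, pool-addRange expands a prefix-plus-range spec, and pool accounts are handed out in alphabetical order and remembered. The following Python model ties them together; it is an added example written for this page, not GUMS code, and it assumes that a mapper returns None when it has nothing for a DN (so the composite moves on) and that a pool assignment, once stored in the persistence layer, is returned unchanged on every later request. The DNs and pool names are constructed.

```python
"""Model of compositeAccountMapping fall-through and AccountPoolMapper allocation.

Added example, not GUMS code. Assumptions not taken from the page: a mapper is
a callable DN -> account-or-None, the composite returns the first non-None
result, and pool assignments persist for the lifetime of the object.
"""
import re


class ManualAccountMapper:
    """DN -> account entries, as managed with `gums manualMapping-add`."""

    def __init__(self, entries=None):
        self.entries = dict(entries or {})

    def __call__(self, user_dn):
        return self.entries.get(user_dn)


class AccountPoolMapper:
    """Hands out pool accounts in alphabetical order and remembers each assignment."""

    def __init__(self):
        self.free = []        # accounts not yet assigned, kept sorted
        self.assigned = {}    # user DN -> account

    def add_range(self, spec):
        """Expand a pool-addRange spec such as 'grid0000-199' into grid0000..grid0199,
        keeping the zero padding of the first number."""
        m = re.fullmatch(r"([A-Za-z_][A-Za-z0-9_]*?)(\d+)-(\d+)", spec)
        if not m:
            raise ValueError("bad range spec: " + spec)
        prefix, first, last = m.group(1), m.group(2), m.group(3)
        width = len(first)
        for n in range(int(first), int(last) + 1):
            self.free.append(f"{prefix}{n:0{width}d}")
        # never re-offer an account that is already assigned to someone
        self.free = sorted(set(self.free) - set(self.assigned.values()))

    def __call__(self, user_dn):
        if user_dn in self.assigned:
            return self.assigned[user_dn]      # persistent: same DN, same account
        if not self.free:
            return None                        # pool exhausted: no mapping for this DN
        account = self.free.pop(0)             # alphabetically first free account
        self.assigned[user_dn] = account
        return account


class CompositeAccountMapping:
    """Try each accountMapping in the order listed; first one that answers wins."""

    def __init__(self, *mappers):
        self.mappers = mappers

    def __call__(self, user_dn):
        for mapper in self.mappers:
            account = mapper(user_dn)
            if account is not None:
                return account
        return None


if __name__ == "__main__":
    # Constructed data: one DN pinned by hand, the rest served from the pool.
    pool = AccountPoolMapper()
    pool.add_range("grid0000-199")
    manual = ManualAccountMapper({"/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345": "carcassi"})
    mapping = CompositeAccountMapping(manual, pool)
    for dn in ("/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345",
               "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738",
               "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457"):
        print(dn, "->", mapping(dn))
```

Because the pool returns None only when it is empty, the order of the two mappers matters: placing the pool before the manual map would give every DN a pool account and the manual entries would never be consulted. An exhausted pool is also the one case where a member of the group receives no mapping at all, which is worth watching for in the administrators log.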

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regenerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command:
  gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
  -s,--service <arg>   DN of the service. When using gums-host it defaults to the host credential DN.
  -f,--fqan <arg>      Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default.
  -t,--timing <arg>    Enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
  -b,--bypassCallout   Connects directly to GUMS instead of using the callout.
  -i,--issuer <arg>    Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
  -n,--ntimes <arg>    Number of times the request will be repeated.
  --help               Print this message.

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

The same DN maps to two different accounts depending on the FQAN presented, so when testing a role-based policy always run mapUser both with and without -f.

gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl

Manual group and mapping management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
             persistenceFactory="mysql" name="myvo" voGroup="/myvo"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command:
  gums-host command --help

[root@mygk bin]$ gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
  -s,--service <arg>   DN of the service. When using gums-host it defaults to the host credential DN.
  -f,--fqan <arg>      Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default.
  -t,--timing <arg>    Enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
  -b,--bypassCallout   Connects directly to GUMS instead of using the callout.
  -i,--issuer <arg>    Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
  -n,--ntimes <arg>    Number of times the request will be repeated.
  --help               Print this message.

Service mapping generation commands

gums-host mapUser

[root@mygk bin]$ gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]$ gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]$ gums-host generateGridMapfile
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]$ gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl

Unlike bin/gums, gums-host never takes a service DN on the command line: it authenticates with the host certificate and the server uses that certificate's DN to pick the hostGroup, so a gatekeeper can only retrieve the map that GUMS has configured for it.

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

Note that -r makes syslogd accept messages on UDP port 514 from any host, without authentication; on the collecting host restrict that port to the GUMS and gatekeeper machines at the firewall, otherwise anyone on the network can inject entries into the site security log.

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

    throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

    throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

GUMS encountered an error.
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification Error (20): unable to get local issuer certificate

OpenSSL verification error 20 means the CA that issued the presented certificate is not among the trusted CA files the server was configured with, so the chain cannot be built; the user's CA (or, for a proxy, the CA behind the end-entity certificate) has to be installed on the server side before the mapping request is even reached.

1.7 Changes

Release History

Version        Date
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml). (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while). (carcassi)
- Mapping according to the GECOS field, available in both NIS and LDAP. (carcassi)
- One can filter on the full CN of a host certificate. (carcassi)
- The service certificate DN is now the identifier for hosts and machines. (carcassi)
- Release version in command line. (carcassi)
- If gums.config wasn't found the first time, a tomcat restart was needed. (carcassi)
- Minor updates to the web interface. (carcassi)
- VOMS Admin v1.0.x (gLite) compatibility. (carcassi)
- Support for mapfile cache terminated; web service door only. (carcassi)
- FQAN allows for "-", "_" and "." in the vo, group, role and capability. (carcassi)
- DB reviewed: better indexing and transaction use. (carcassi)
- Updating from VOMS is no longer blocking. (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
- Including setupDatabase with the modification made for VDT. (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove the package). (carcassi)
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too. (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
- Repackaging of the client components: merged admin and host and named it client. (carcassi)
- Fixed minor issues with authorization obligations for storage systems. (mlorch)
- Double add to a manual group now fails. (carcassi)
- Script that creates the database and changes the configuration accordingly. (carcassi)
- Repackaging of the service component. (carcassi)
- Server identity is now the gums host name. (carcassi)
- GUMS accepts new style proxies. (carcassi)
- The accounts in the pool are used in alphabetical order. (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations. (carcassi)
- Gridmapfile is generated simulating users with no FQAN. (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned. (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
- Log names reviewed so that both client and server can stay (through links) in the same directory. (carcassi)
- NIS update is done every hour and is now thread safe. (carcassi)
- Log file permissions for the command line tools are set so multiple users can use them (important for admin). (carcassi)
- GUMS host can now be used for stress testing and timing the server response. (carcassi)
- Added connection pooling on mysql server. (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances. (carcassi)
- AuthZ callout without GT3, both client and server stubs. (mlorch)
- Added code for Privilege Project in GUMS repository and build process. (carcassi)

Release 0.7 - 2005-01-14

Changes (by):
- Better logging: server logs all commands with both input and output. (carcassi)
- More complete command line interface. (carcassi)
- Web service implementation. (carcassi)
- HostWildcards can be more than one, comma separated. (carcassi)
- Support for VOMS Fully Qualified Attribute Names. (carcassi)
- AuthZ service to be contacted by Globus callout. (carcassi)
- Support for grid3-user-vo-map.txt generation. (carcassi)
- Many, many other refinements. (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
- Nightly build and reporting with Maven. (carcassi)
- Removed all the old code from 0.6. (carcassi)
- Better log system: logs for developer, resource admin and site admin in place. (carcassi)
- Ability to retrieve groups from within a VOMS server (finally). (carcassi)
- No more duplication in the mapfiles. (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated. (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others). (carcassi)
- Installation through RPMs (cron jobs installed automatically). (carcassi)
- Unit tests for Grid3 VOs included. (carcassi)
- LDAP access improved: can access LCG dev VO. (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
- XML configuration file for mapping policy. (carcassi)
- Log infrastructure. (carcassi)
- More flexible architecture. (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper. (carcassi)
- Web interface to generate grid-mapfiles and map users. (carcassi)
- Better command line interfaces (feel like Unix commands). (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
- GUMS in production at BNL. (carcassi)
- NISMapper: retrieves the GECOS field and matches it with the certificate CN. (carcassi)
- Architecture to allow different types of mappings for different hosts. (carcassi)

Release undetermined - before March 2004

Changes (by):
- Script to fetch users from VOMS. (dtyu)
- Script to map user to local account. (tomw)


1.3.1 Configuration

Configuring GUMS

1.3.1.1 gums.config

gums.config

<gums>
  <persistenceFactories>
    <persistenceFactory ... />
  </persistenceFactories>
  <adminUserGroup ... />
  <groupMappings>
    <groupMapping ...>
      <userGroup ... />
      <accountMapping ... />
    </groupMapping>
    <groupMapping ...>
      <userGroup ... />
      <compositeAccountMapping>
        <accountMapping ... />
        <accountMapping ... />
        <accountMapping ... />
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup ... />
  </hostGroups>
</gums>

Understanding the GUMS configuration file

persistenceFactories

groupMappings

hostGroups

<hostGroups>
  <!-- RHIC gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.star.bnl.gov" ... />
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.phenix.bnl.gov" ... />
  <!-- ATLAS test gatekeeper -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" ... />
  <!-- Rest of ATLAS gatekeepers -->
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" ... />
</hostGroups>

The hostGroups are checked in the order specified, which is why the entry for mygk.usatlas.bnl.gov comes before the *.usatlas.bnl.gov wildcard that would also match it. Each hostGroup in turn lists the groupMappings to try, again in the order specified:

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="mygk.usatlas.bnl.gov" groups="atlasProd,usatlasPool,ivdglPool" />

The first match will define the map.

<groupMapping name="atlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="atlasProd"
             voGroup="/atlas" voRole="production"
             sslCertfile="/etc/grid-security/gumscert.pem"
             sslKey="/etc/grid-security/gumskey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasPool" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
             persistenceFactory="mysql" name="osgusatlas"
             voGroup="/atlas/usatlas"
             sslCertfile="/etc/grid-security/gumscert.pem"
             sslKey="/etc/grid-security/gumskey.pem"
             acceptProxyWithoutFQAN="true" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </compositeAccountMapping>
</groupMapping>

The accountMappings inside a compositeAccountMapping are tried in the order listed; here a user receives a pool account while bnlPool still has free accounts and the shared usatlas1 account once it is exhausted.

persistenceFactories

<persistenceFactories>
  <persistenceFactory name="mysql" className="gov.bnl.gums.MySQLPersistenceFactory" ... />
</persistenceFactories>

persistenceFactory

Attribute: name
    The name used by the other components to refer to this persistenceFactory.
    Examples: mysql, files, ldap

Attribute: className
    The class that provides the implementation for the persistence layer. It must implement gov.bnl.gums.PersistenceFactory.
    Examples: gov.bnl.gums.hibernate.HibernatePersistenceFactory, org.mysite.HRDatabaseFactory

gov.bnl.gums.hibernate.HibernatePersistenceFactory

<persistenceFactory name="mysql"
                    className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
                    hibernate.connection.username="gums"
                    hibernate.connection.password="mysecret"
                    hibernate.connection.url="jdbc:mysql://mydb.mysite.org/GUMS_1_1"
                    hibernate.connection.driver_class="com.mysql.jdbc.Driver"
                    hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
                    hibernate.connection.pool_size="3" />

The database password is stored in clear text in this element, so gums.config must be readable only by the account the GUMS service runs as; the same applies to sslKeyPasswd in a VOMSGroup.

adminUserGroup

groupMappings

groupMapping

Attribute: name
    The name used by the other components (in particular the groups list of a hostGroup) to refer to this groupMapping.
    Examples: atlas, star, phenix

Attribute: accountingVo
    The lower case OSG accounting name used to generate the inverse maps for this group.
    Examples: atlas, ivdgl

Attribute: accountingDesc
    The upper case OSG accounting name used to generate the inverse maps for this group.
    Examples: ATLAS, iVDgL

userGroup

Attribute: className
    The class that provides the implementation for the user group. It must implement gov.bnl.gums.UserGroup.
    Examples: gov.bnl.gums.LDAPGroup, gov.bnl.gums.VOMSGroup, gov.bnl.gums.ManualUserGroup

gov.bnl.gums.LDAPGroup

Attribute: server
    The LDAP server from which to retrieve the information.
    Examples: grid-vo.nikhef.nl

Attribute: query
    The query to be used on the server.
    Examples: ou=usatlas,o=atlas,dc=eu-datagrid,dc=org; ou=People,o=atlas,dc=eu-datagrid,dc=org

Attribute: persistenceFactory
    The persistence layer used to store the list of users locally. The string must be one of the names defined in the persistenceFactories section.
    Examples: mysql

Attribute: name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup"
           server="grid-vo.nikhef.nl"
           query="ou=People,o=atlas,dc=eu-datagrid,dc=org"
           persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

Attribute: url
    The URL of the VOMS Admin web service. Notice that it needs the full URL of the service; it won't be constructed from the server name or the VO.
    Examples: https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin

Attribute: voGroup
    The group defined within the VO.
    Examples: /atlas/test, /atlas/group/subgroup

Attribute: voRole
    The role defined within the VO.
    Examples: production, myrole

Attribute: matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are four possible ways:
    - exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify.
    - group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored.
    - vo: the FQAN in the proxy has to be of the same VO.
    - ignore: the FQAN in the proxy is completely ignored.
    Examples: exact, group, vo, ignore

Attribute: acceptProxyWithoutFQAN
    Defines whether normal, that is non-VOMS, proxies are to be accepted. If true, a non-VOMS proxy whose DN is part of the group will be accepted.
    Examples: true, false

With matchFQAN="ignore" or acceptProxyWithoutFQAN="true", membership in the VOMS-supplied user list alone is enough to obtain the group's account; do not combine either setting with a mapping to a privileged account, such as one granted to a production role.

Attribute: sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

Attribute: sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

Attribute: sslKeyPasswd
    The password of the key used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

Attribute: sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the certificate files.
    Examples: /etc/grid-security/certificates/*.0

Attribute: persistenceFactory
    The persistence layer used to store the list of users locally. The string must be one of the names defined in the persistenceFactories section.
    Examples: mysql

Attribute: name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
           url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
           persistenceFactory="mysql" name="atlas"
           voGroup="/atlas/test"
           sslCertfile="/etc/grid-security/hostcert.pem"
           sslKey="/etc/grid-security/hostkey.pem" />
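The matchFQAN and acceptProxyWithoutFQAN attributes together decide whether a presented credential satisfies a VOMSGroup, and the difference between the four policies is easy to get wrong. The following Python model is an added example written for this page, not GUMS code. It assumes FQANs are written the way voms-proxy-init prints them (/vo/group/Role=<role>/Capability=<cap>, with NULL for an absent role), that the member list retrieved with gums updateGroups is a set of DNs, and that the DN must be in that list under every policy; the DNs used are constructed.

```python
"""Model of VOMSGroup membership: matchFQAN policies and acceptProxyWithoutFQAN.

Added example, not GUMS code. Assumptions not taken from the page: FQAN syntax
as printed by voms-proxy-init, members given as a set of DNs, and DN membership
required under every matchFQAN policy.
"""


def parse_fqan(fqan):
    """Split '/atlas/usatlas/Role=production/Capability=NULL' into (group, role)."""
    parts = [p for p in fqan.split("/") if p]
    group_parts, role = [], "NULL"
    for p in parts:
        if p.startswith("Role="):
            role = p[len("Role="):]
        elif p.startswith("Capability="):
            continue                     # capability plays no part in group membership here
        else:
            group_parts.append(p)
    if not group_parts:
        raise ValueError("FQAN has no VO: " + fqan)
    return "/" + "/".join(group_parts), role


def fqan_matches(match_fqan, vo_group, vo_role, fqan):
    """Apply one matchFQAN policy to one FQAN taken from the proxy."""
    group, role = parse_fqan(fqan)
    if match_fqan == "ignore":
        return True
    if match_fqan == "vo":
        return group.split("/")[1] == vo_group.split("/")[1]   # '/atlas/usatlas' -> 'atlas'
    if match_fqan == "group":
        return group == vo_group or group.startswith(vo_group + "/")   # role ignored
    if match_fqan == "exact":
        return group == vo_group and role == (vo_role or "NULL")
    raise ValueError("unknown matchFQAN: " + match_fqan)


class VOMSGroup:
    def __init__(self, vo_group, vo_role=None, match_fqan="exact",
                 accept_proxy_without_fqan=False, members=()):
        self.vo_group = vo_group
        self.vo_role = vo_role
        self.match_fqan = match_fqan
        self.accept_proxy_without_fqan = accept_proxy_without_fqan
        self.members = set(members)     # DNs retrieved from VOMS by `gums updateGroups`

    def is_member(self, user_dn, fqans=()):
        """True if this DN, presenting these FQANs (none for a plain proxy), satisfies the group."""
        if user_dn not in self.members:
            return False                 # not in the VOMS list: no FQAN can help
        if not fqans:
            return self.accept_proxy_without_fqan
        return any(fqan_matches(self.match_fqan, self.vo_group, self.vo_role, f)
                   for f in fqans)


if __name__ == "__main__":
    # Constructed DN and groups mirroring the atlasProd / usatlasPool configuration above.
    dn = "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    prod = VOMSGroup("/atlas", vo_role="production", members=[dn])
    pool = VOMSGroup("/atlas/usatlas", accept_proxy_without_fqan=True, members=[dn])
    for fqans in (["/atlas/Role=production/Capability=NULL"], ["/atlas/usatlas/Role=NULL/Capability=NULL"], []):
        print(fqans, "prod:", prod.is_member(dn, fqans), "pool:", pool.is_member(dn, fqans))
```

Run stand-alone, the demonstration shows the point of the exact policy: the production FQAN satisfies atlasProd, but the same DN with the plain /atlas/usatlas attribute, or with no VOMS attribute at all, is refused by atlasProd and accepted only by the pool group, where acceptProxyWithoutFQAN is set.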

gov.bnl.gums.ManualUserGroup

Attribute: persistenceFactory
    The persistence layer used to store the list of users. The string must be one of the names defined in the persistenceFactories section.
    Examples: mysql

Attribute: name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping

1 3 1 1 G U M S C O N F I G 34

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

className The class that is going to provide theimplementation for the mapping It mustimplement govbnlgumsAccountMapping

govbnlgumsManualAccountMappergovbnlgumsGecosLdapAccountMappergovbnlgumsGecosNisAccountMappergovbnlgumsAccountPoolMappergovbnlgumsGroupAccountMapper

govbnlgumsGecosNisAccountMapper

Attribute Description Examples

jndiNisUrl The url as defined in the Java JNDI driverthat allows to specify the NIS server and thedomain

nisnisbnlgovatlas

ltaccountMapping className=govbnlgumsGecosNisAccountMapperjndiNisUrl=nisnismysiteorgdomain gt

gov.bnl.gums.GecosLdapAccountMapper

jndiLdapUrl
    The URL, as defined by the Java JNDI driver, that specifies the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

    <accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov"/>

gov.bnl.gums.AccountPoolMapper

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>

gov.bnl.gums.GroupAccountMapper

groupName
    The name of the account.
    Examples: atlas, testAccount

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas"/>

hostGroups

hostGroup

className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in order of preference. To determine which group should be used for a particular user, GUMS starts from the beginning of the list and stops at the first match. Therefore, if there is more than one match (i.e. a user is part of more than one group), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, atlas.mysite.org, *.atlas.mysite.org

    <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl"/>

gov.bnl.gums.CertificateHostGroup

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, atlas.mysite.org, *.atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl"/>

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"
                 matchFQAN="VO" acceptProxyWithoutFQAN="true"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

Allowing an ad-hoc list of people

    <groupMapping name="testers">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers"/>

Using account pools

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

    > bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap"/>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
      </compositeAccountMapping>
    </groupMapping>

Mapping based on groups/roles

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
    </groupMapping>

    <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlasProd"
                 voGroup="/atlas" voRole="production"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas"/>
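The ordering rule of hostGroup.groups (first match wins), the matchFQAN modes and the composite mapping shown in these examples can be checked offline with the following Python model. It is an added example, not GUMS code: the function and class names, and the sample DNs, are the example's own.

```python
"""Model of the GUMS 1.1 mapping policy expressed in gums.config.

Added example, not GUMS code: re-implements the documented semantics (ordered
hostGroup.groups with the first match winning, the four matchFQAN modes,
acceptProxyWithoutFQAN, compositeAccountMapping, pools used in alphabetical
order) so a configuration can be checked offline. Names and DNs are constructed.
"""
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

def parse_fqan(fqan: str):
    """'/atlas/usatlas/Role=production/Capability=NULL' -> ('/atlas/usatlas', 'production')."""
    group, role = fqan.split("/Capability=", 1)[0], None
    if "/Role=" in group:
        group, role = group.split("/Role=", 1)
        role = None if role == "NULL" else role
    return group.rstrip("/"), role

@dataclass
class UserGroup:
    """VOMSGroup when vo_group is set, ManualUserGroup otherwise; members = cached DNs."""
    members: set
    vo_group: Optional[str] = None
    vo_role: Optional[str] = None
    match_fqan: str = "exact"              # exact | group | vo | ignore
    accept_proxy_without_fqan: bool = False

    def contains(self, dn: str, fqan: Optional[str]) -> bool:
        if dn not in self.members:
            return False
        if self.vo_group is None:          # manual group: DN membership is all there is
            return True
        if fqan is None:                   # plain, non-VOMS proxy
            # Assumption: a missing FQAN is decided by acceptProxyWithoutFQAN alone.
            return self.accept_proxy_without_fqan
        group, role = parse_fqan(fqan)
        if self.match_fqan == "ignore":
            return True
        if self.match_fqan == "vo":        # same VO, any group or role
            return group.split("/")[1:2] == self.vo_group.split("/")[1:2]
        if self.match_fqan == "group":     # same group or any subgroup, role ignored
            return group == self.vo_group or group.startswith(self.vo_group + "/")
        return group == self.vo_group and role == self.vo_role   # exact (the default)

def group_account_mapper(group_name: str):
    """GroupAccountMapper: every member shares one account."""
    return lambda dn: group_name

def manual_account_mapper(table: dict):
    """ManualAccountMapper: explicit DN -> account entries (manualMapping-add)."""
    return dict(table).get

def account_pool_mapper(accounts):
    """AccountPoolMapper: sticky assignment, lowest free account name first."""
    free, assigned = sorted(accounts), {}
    def mapper(dn: str) -> Optional[str]:
        if dn not in assigned:
            if not free:
                return None                # pool exhausted: the user stays unmapped
            assigned[dn] = free.pop(0)
        return assigned[dn]
    return mapper

def composite_account_mapper(*mappers):
    """compositeAccountMapping: the first nested mapper that yields an account wins."""
    return lambda dn: next((a for a in (m(dn) for m in mappers) if a is not None), None)

def expand_pool_range(spec: str):
    """Expand a pool-addRange argument: 'grid0000-199' -> ['grid0000', ..., 'grid0199']."""
    head, end = spec.rsplit("-", 1)
    prefix = head.rstrip("0123456789")
    start = head[len(prefix):]
    return [f"{prefix}{n:0{len(start)}d}" for n in range(int(start), int(end) + 1)]

GroupMapping = namedtuple("GroupMapping", "name user_group account_mapping")

def map_user(groups, dn: str, fqan: Optional[str] = None) -> Optional[str]:
    """hostGroup resolution: walk `groups` in order; the first userGroup containing the identity decides."""
    for gm in groups:
        if gm.user_group.contains(dn, fqan):
            return gm.account_mapping(dn)
    return None

# Constructed sample identities, standing in for the DNs updateGroups caches from VOMS.
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 11111"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 22222"
CAROL = "/DC=org/DC=doegrids/OU=People/CN=Carol Example 33333"

def build_config():
    """The 'groups/roles' example, with the 'composite mapping' example folded into usatlas."""
    members = {ALICE, BOB, CAROL}
    prod = GroupMapping("usatlasProd",
                        UserGroup(members, vo_group="/atlas/usatlas", vo_role="production"),
                        group_account_mapper("usatprod"))
    general = GroupMapping("usatlas",
                           UserGroup(members, vo_group="/atlas/usatlas", match_fqan="vo",
                                     accept_proxy_without_fqan=True),
                           composite_account_mapper(manual_account_mapper({ALICE: "alice"}),
                                                    account_pool_mapper(expand_pool_range("grid0000-199"))))
    return [prod, general]   # groups="usatlasProd, usatlas": the role-specific group first
```

Reversing the list returned by build_config reproduces the trap the groups attribute warns about: the vo-wide usatlas group then swallows production proxies and they land in the pool instead of usatprod.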


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums
    usage: gums command [command-options]
    Commands:
    generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
    generateGridMapfile    - Generate grid-mapfile for a given service/host
    manualGroup-add        - Includes a DN in a group
    manualGroup-remove     - Removes a DN from a group
    manualMapping-add      - Adds a DN-to-username in a mapping
    manualMapping-remove   - Removes a DN from a mapping
    mapUser                - Local credential used for a particular user
    mapfileCache-refresh   - Regerates mapfiles in the cache
    pool-addRange          - Adds accounts to an account pool
    updateGroups           - Contact VO servers and retrieve user lists
    version                - Retrieve GUMS client version

    For help on any command: gums command --help

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
    usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
    Maps the grid identity to the local user.
    Options:
     -s,--service <arg>    DN of the service. When using gums-host, it defaults to the host credential DN.
     -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default
     -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
     -b,--bypassCallout    connects directly to GUMS instead of using the callout
     -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
     -n,--ntimes <arg>     number of times the request will be repeated
        --help             print this message

Service mapping generation commands

gums mapUser

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: grid12345]

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: special1]

gums generateGridMapfile

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
    #---- members of vo: usatlas ----#
    "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
    #User-VO map
    # #comment line, format of each regular line, line: account VO
    # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
    #voi usatlas ivdgl ligo btev uscms sdss gridex grase
    #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
    #---- accounts for vo: usatlas ----#
    usatlas1 usatlas
    #---- accounts for vo: ivdgl ----#
    ivdgl ivdgl

Manual groups and mappings management commands

    <groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
    </groupMapping>

    <groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
                 persistenceFactory="mysql" name="myvo"
                 voGroup="/myvo"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1"/>
    </groupMapping>

gums manualGroup-add

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

    [root@mygk bin]# gums-host
    usage: gums-host command [command-options]
    Commands:
    generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
    generateGridMapfile    - Generate grid-mapfile for this host
    mapUser                - Local credential used for a particular user
    version                - Retrieve GUMS client version

    For help on any command: gums-host command --help

    [root@mygk bin]# gums-host mapUser --help
    usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
    Maps the grid identity to the local user.
    Options:
     -s,--service <arg>    DN of the service. When using gums-host, it defaults to the host credential DN.
     -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default
     -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
     -b,--bypassCallout    connects directly to GUMS instead of using the callout
     -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
     -n,--ntimes <arg>     number of times the request will be repeated
        --help             print this message

Service mapping generation commands

gums-host mapUser

    [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: grid12345]

    [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: special1]

gums-host generateGridMapfile

    [root@mygk bin]# gums-host generateGridMapfile
    #---- members of vo: usatlas ----#
    "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

    [root@mygk bin]# gums-host generateGrid3UserVoMap
    #User-VO map
    # #comment line, format of each regular line, line: account VO
    # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
    #voi usatlas ivdgl ligo btev uscms sdss gridex grase
    #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
    #---- accounts for vo: usatlas ----#
    usatlas1 usatlas
    #---- accounts for vo: ivdgl ----#
    ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

    [root@atlasgrid13 log]# cat /etc/sysconfig/syslog
    # Options to syslogd
    # -m 0 disables 'MARK' messages.
    # -r enables logging from remote machines
    # -x disables DNS lookups on messages recieved with -r
    # See syslogd(8) for more details
    SYSLOGD_OPTIONS="-r -m 0"
    # Options to klogd
    # -2 prints all kernel oops messages twice; once for klogd to decode, and
    #    once for processing with 'ksymoops'
    # -x disables all klogd processing of oops messages entirely
    # See klogd(8) for more details
    KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

    throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>

Creating a group

    throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

    GUMS encountered an error.
    Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
    Error Message: Authorization denied

    $VDT_LOCATION/apache/logs:
    [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

    Version        Date
    1.1.0          2005-07-20
    1.0.1          2005-04-07
    1.0.0          2005-03-16
    0.7.1          2005-02-01
    0.7            2005-01-14
    0.6.1          2004-08-10
    0.6            2004-07-01
    0.5            2004-05-20
    undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
• Review GUMS maven structure (i.e. plug-in dependencies, project.xml). (carcassi)
• Fix tomcat deployment in build (i.e. dev server being down once in a while). (carcassi)
• Mapping according to Gecos field available in both NIS and LDAP. (carcassi)
• One can filter on the full CN of a host certificate. (carcassi)
• The Service Certificate DN is now the identifier for hosts and machines. (carcassi)
• Release version in command line. (carcassi)
• If gums.config isn't found the first time, a tomcat restart was needed. (carcassi)
• Minor updates to the web interface. (carcassi)
• VOMS Admin v1.0.x (glite) compatibility. (carcassi)
• Support for mapfile cache terminated; web service door only. (carcassi)
• FQAN allows for '-', '_' and in the vo, group, role and capability. (carcassi)
• DB reviewed: better indexing and transaction use. (carcassi)
• Updating from VOMS is no longer blocking. (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
• Including setupDatabase with the modification made for VDT. (carcassi)
• gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package). (carcassi)
• Error code from scripts was incorrect; that caused the cron job to update maps in case of error too. (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
• Repackaging of the client components: merged admin and host and named it client. (carcassi)
• Fixed minor issues with authorization obligations for storage system. (mlorch)
• Double add to a manual group now fails. (carcassi)
• Script that creates the database and changes the configuration accordingly. (carcassi)
• Repackaging of the service component. (carcassi)
• Server identity is now gums host name. (carcassi)
• GUMS accepts new style proxies. (carcassi)
• The accounts in the pool are used in alphabetical order. (carcassi)
• Inverse map is now generated exploring all the DN/FQAN combinations. (carcassi)
• Gridmapfile is generated simulating users with no FQAN. (carcassi)
• LDAP integration for primary gid change at BNL once an account is assigned. (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
• Log names review, so that both client and server can stay (through links) in the same directory. (carcassi)
• NIS update is done every hour and is now thread safe. (carcassi)
• Log file permissions for the command line tools are set so multiple users can use it (important for admin). (carcassi)
• GUMS host can now be used for stress testing and timing the server response. (carcassi)
• Added connection pooling on mysql server. (carcassi)
• Solved a race condition that would make GUMS hang in some circumstances. (carcassi)
• AuthZ callout without GT3, both client and server stubs. (mlorch)
• Added code for Privilege Project in GUMS repository and build process. (carcassi)

Release 0.7 - 2005-01-14

Changes (by):
• Better logging: server logs all commands with both input and output. (carcassi)
• More complete command line interface. (carcassi)
• Web service implementation. (carcassi)
• HostWildcards can be more than one, comma separated. (carcassi)
• Support for VOMS Fully Qualified Attribute names. (carcassi)
• AuthZ service to be contacted by Globus callout. (carcassi)
• Support for grid3-user-vo-map.txt generation. (carcassi)
• Many, many other refinements. (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
• Nightly build and reporting with Maven. (carcassi)
• Removed all the old code from 0.6. (carcassi)
• Better log system: logs for developer, resource admin and site admin in place. (carcassi)
• Ability to retrieve groups from within a VOMS server (finally). (carcassi)
• No more duplication in the mapfiles. (carcassi)
• Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated. (carcassi)
• Improved error handling (i.e. a failed update on one group doesn't block the others). (carcassi)
• Installation through RPMs (cron jobs installed automatically). (carcassi)
• Unit tests to Grid3 VOs included. (carcassi)
• LDAP access improved: can access LCG dev VO. (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
• XML configuration file for mapping policy. (carcassi)
• Log infrastructure. (carcassi)
• More flexible architecture. (carcassi)
• Decoupled grid-mapfile generation from database caching, for distribution on gatekeeper. (carcassi)
• Web interface to generate grid-mapfiles and map users. (carcassi)
• Better command line interfaces (feel like Unix commands). (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
• GUMS in production at BNL. (carcassi)
• NISMapper: retrieves the GECOS field and matches it with the certificate CN. (carcassi)
• Architecture to allow different types of mappings for different hosts. (carcassi)

Release undetermined - before March 2004

Changes (by):
• Script to fetch users from VOMS. (dtyu)
• Script to map a user to a local account. (tomw)

Page 32: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

1311 gumsconfig

gumsconfig

ltgumsgtltpersistenceFactoriesgtltpersistenceFactorygt

ltpersistenceFactoriesgtltadminUserGroupgtltgroupMappingsgtltgroupMappinggt

ltuserGroupgtltaccountMappinggt

ltgroupMappinggtltgroupMappinggt

ltuserGroupgtltcompositeAccountMappinggtltaccountMappinggtltaccountMappinggtltaccountMappinggt

ltcompositeAccountMappinggtltgroupMappinggt

ltgroupMappingsgt

lthostGroupsgtlthostGroupgt

lthostGroupsgtltgumsgt

Understanding the GUMS configuration file

persistenceFactories

1 3 1 1 G U M S C O N F I G 27

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

groupMappings

hostGroups

lthostGroupsgtlt-- RHIC gatekeepers --gtlthostGroup className=govbnlgumsCertificateHostGroup cn=starbnlgov

gtlthostGroup className=govbnlgumsCertificateHostGroup cn=phenixbnlgov

gt

lt-- ATLAS test gatekeeper --gtlthostGroup className=govbnlgumsCertificateHostGroup

cn=mygkusatlasbnlgov gt

lt-- Rest of ATLAS gatekeepers --gtlthostGroup className=govbnlgumsCertificateHostGroup cn=usatlasbnlgov

gtlthostGroupsgt

in the order specified

lthostGroup className=govbnlgumsCertificateHostGroupcn=mygkusatlasbnlgovgroups=atlasProdusatlasPoolivdglPool gt

in the order specified

The firstmatch will define the map

1 3 1 1 G U M S C O N F I G 28

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltgroupMapping name=atlasProd accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=atlasProdvoGroup=atlasvoRole=productionsslCertfile=etcgrid-securitygumscertpemsslKey=etcgrid-securitygumskeypem gt

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatlas1 gt

ltgroupMappinggt

ltgroupMapping name=usatlasPool accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=osgusatlasvoGroup=atlasusatlassslCertfile=etcgrid-securitygumscertpemsslKey=etcgrid-securitygumskeypemacceptProxiesWithoutFQAN=truegt

ltcompositeAccountMappinggtltaccountMapping className=govbnlgumsAccountPoolMapper

persistenceFactory=mysql name=bnlPool gtltaccountMapping className=govbnlgumsGroupAccountMapper

groupName=usatlas1 gtltcompositeAccountMappinggt

ltgroupMappinggt

1 3 1 1 G U M S C O N F I G 29

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

in the order listed

persistenceFactories

ltpersistenceFactoriesgtltpersistenceFactory name=mysql

className=govbnlgumsMySQLPersistenceFactory gtltpersistenceFactoriesgt

persistenceFactory

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

mysqlfilesldap

className The class that is going to provide theimplementation for the persistence layer Itmust implement govbnlgumsPersistenceFactory

govbnlgumshibernateHibernatePersistenceFactoryorgmysiteHRDatabaseFactory

govbnlgumsHibernatePersistenceFactory

ltpersistenceFactory name=mysqlclassName=govbnlgumshibernateHibernatePersistenceFactoryhibernateconnectionusername=gumshibernateconnectionpassword=mysecret

1 3 1 1 G U M S C O N F I G 30

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

hibernateconnectionurl=jdbcmysqlmydbmysiteorgGUMS_1_1hibernateconnectiondriver_class=commysqljdbcDriverhibernatedialect=netsfhibernatedialectMySQLDialecthibernateconnectionpool_size=3 gt

adminUserGroup

groupMappings

groupMapping

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

atlasstarphenix

accountingVo The lower case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasivdgl

accountingDesc The upper case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasiVDgL

userGroup

Attribute Description Examples

className The class that is going to provide theimplementation for the user group It mustimplement govbnlgumsUserGroup

govbnlgumsLDAPGroupgovbnlgumsVOMSGroupgovbnlgumsManualGroup

govbnlgumsLDAPGroup

1 3 1 1 G U M S C O N F I G 31

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

server The LDAP server from which to retrieve theinformation

grid-vonikhefnl

query The query to be used on the server ou=usatlaso=atlasdc=eu-datagriddc=orgou=Peopleo=atlasdc=eu-datagriddc=org

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name The name of the cache within the persistencefactory Refer to the specifics of thepersistence factory itself

atlasusatlas

ltuserGroup className=govbnlgumsLDAPGroupserver=grid-vonikhefnlquery=ou=Peopleo=atlasdc=eu-datagriddc=orgpersistanceFactory=mysql name=atlas gt

govbnlgumsVOMSGroup

Attribute Description Examples

url The url of the web services for VOMS Noticethat it needs the full url of the service it wontbe constructed from the server name or vo

httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdmin

voGroup The group defined within the VO atlastestatlasgroupsubgroup

voRole The role defined within the VO productionmyrole

1 3 1 1 G U M S C O N F I G 32

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

matchFQAN Defines how the VOMS attribute (or role) ismatched There are 4 possible waysbull exact (default) - the FQAN in the proxy

has to be the same as what voGroup andvoRole specify

bull group - the FQAN in the proxy has to bethe same group or any subgroup role isignored

bull vo - the FQAN in the proxy has to be ofthe same vo

bull ignore - the FQAN in the proxy iscompletely ignored

exactgroupvoignore

acceptProxyWithoutFQAN Defines whether normal proxies that isnon-VOMS proxies are to be accepted Iftrue a non-VOMS proxy with the DN as partof the group will be accepted

truefalse

sslCertfile The certificate to be used to connect toVOMS

etcgrid-securityhostcertpem

sslKey The private key to be used to connect toVOMS

etcgrid-securityhostkeypem

sslKeyPasswd The password of the key to be used toconnect to VOMS Do not set if the keydoesnt have a password (such as whenusing host certificates)

mysecret

sslCAFiles The set of CA certificate files to be used toconnect to VOMS The value is a wildcardthat matches the cert files

etcgrid-securitycertificates0

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name The name of the cache within the persistencefactory Refer to the specifics of thepersistence factory itself

atlasTestatlasGroupSubgroup

ltuserGroup className=govbnlgumsVOMSGroupurl=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdmin

persistanceFactory=mysql name=atlasvoGroup=atlastest

1 3 1 1 G U M S C O N F I G 33

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgt

gov.bnl.gums.ManualGroup

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup"/>

compositeAccountMapping

accountMapping


className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

jndiNisUrl
    The URL, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

    <accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain"/>

gov.bnl.gums.GecosLdapAccountMapper

jndiLdapUrl
    The URL, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

    <accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov"/>

gov.bnl.gums.AccountPoolMapper

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>

gov.bnl.gums.GroupAccountMapper

groupName
    The name of the account.
    Examples: atlas, testAccount

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas"/>

hostGroups

hostGroup


className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

    <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl"/>

gov.bnl.gums.CertificateHostGroup

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl"/>


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"
                 matchFQAN="VO" acceptProxyWithoutFQAN="true"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

Allowing an ad-hoc list of people

    <groupMapping name="testers">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers"/>

Using account pools

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

    > bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping


    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap"/>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
      </compositeAccountMapping>
    </groupMapping>

Mapping based on groups/roles

    <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlas"
                 voGroup="/atlas/usatlas"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
    </groupMapping>

    <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
                 persistenceFactory="mysql" name="usatlasProd"
                 voGroup="/atlas" voRole="production"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
    </groupMapping>

    <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas"/>
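To make the policy these examples express concrete, here is an added Python model (not GUMS code, not from the project): it implements the four matchFQAN modes and acceptProxyWithoutFQAN, the in-order walk over a hostGroup's groups where the first match defines the map, and a composite mapping that tries a manual map before an account pool. The DNs, cached VO member lists and account names are constructed, and expand_range is my reading of the `grid0000-199` argument of pool-addRange.

```python
import re
from typing import Dict, List, Optional, Tuple

def parse_fqan(fqan: str) -> Tuple[str, Optional[str]]:
    """'/atlas/usatlas/Role=production/Capability=NULL' -> ('/atlas/usatlas', 'production');
    a missing role or Role=NULL is returned as None."""
    groups, role = [], None
    for part in fqan.strip("/").split("/"):
        if part.startswith("Role="):
            role = None if part[5:] == "NULL" else part[5:]
        elif not part.startswith("Capability="):
            groups.append(part)
    return "/" + "/".join(groups), role

def expand_range(spec: str) -> List[str]:
    """'grid0000-199' -> grid0000 .. grid0199 (my reading of the pool-addRange argument:
    prefix, zero-padded start number, '-', end number; the zero padding is kept)."""
    m = re.fullmatch(r"(.*?)(\d+)-(\d+)", spec)
    if not m:
        raise ValueError(f"bad range: {spec}")
    prefix, lo, hi = m.groups()
    return [f"{prefix}{n:0{len(lo)}d}" for n in range(int(lo), int(hi) + 1)]

def cn_wildcard(pattern: str):
    """CertificateHostGroup cn wildcard: '*' stands for any characters except '.', '/' and '=',
    so '*.bnl.gov' matches 'gk.bnl.gov' but not 'myhost.usatlas.bnl.gov'."""
    return re.compile("".join("[^./=]*" if c == "*" else re.escape(c) for c in pattern) + r"\Z")

class VOMSGroup:
    """members stands in for the VO member list that 'gums updateGroups' caches locally."""
    def __init__(self, members, voGroup, voRole=None, matchFQAN="exact", acceptProxyWithoutFQAN=False):
        self.members, self.voGroup, self.voRole = set(members), voGroup, voRole
        self.matchFQAN, self.acceptProxyWithoutFQAN = matchFQAN.lower(), acceptProxyWithoutFQAN

    def is_member(self, dn: str, fqan: Optional[str]) -> bool:
        if dn not in self.members:
            return False
        if fqan is None:                          # plain, non-VOMS proxy
            return self.acceptProxyWithoutFQAN
        group, role = parse_fqan(fqan)
        if self.matchFQAN == "ignore":
            return True
        if self.matchFQAN == "vo":                # same VO = same first path component
            return group.split("/")[1] == self.voGroup.split("/")[1]
        if self.matchFQAN == "group":             # same group or any subgroup, role ignored
            return group == self.voGroup or group.startswith(self.voGroup + "/")
        return group == self.voGroup and role == self.voRole   # exact (default)

class GroupAccountMapper:                         # everybody in the group -> one account
    def __init__(self, groupName): self.groupName = groupName
    def map(self, dn): return self.groupName

class ManualAccountMapper:                        # DN -> account table kept by manualMapping-add
    def __init__(self, table: Dict[str, str]): self.table = dict(table)
    def map(self, dn): return self.table.get(dn)

class AccountPoolMapper:                          # hands out pool accounts in alphabetical order
    def __init__(self, accounts): self.free, self.assigned = sorted(accounts), {}
    def map(self, dn):
        if dn not in self.assigned and self.free:
            self.assigned[dn] = self.free.pop(0)
        return self.assigned.get(dn)

class CompositeAccountMapping:                    # first mapper that returns an account wins
    def __init__(self, *mappers): self.mappers = mappers
    def map(self, dn): return next((a for a in (m.map(dn) for m in self.mappers) if a), None)

class GUMS:
    def __init__(self, groupMappings: Dict[str, tuple], hostGroups: List[tuple]):
        self.groupMappings = groupMappings        # name -> (userGroup, accountMapping)
        self.hostGroups = [(cn_wildcard(cn), groups) for cn, groups in hostGroups]

    def mapUser(self, serviceDN: str, userDN: str, fqan: Optional[str] = None) -> Optional[str]:
        cn = [p[3:] for p in serviceDN.split("/") if p.startswith("CN=")][-1]
        for cn_re, groups in self.hostGroups:
            if cn_re.match(cn):
                for name in groups:               # order of preference: the first match defines the map
                    userGroup, mapping = self.groupMappings[name]
                    if userGroup.is_member(userDN, fqan):
                        return mapping.map(userDN)
                return None
        return None                               # no hostGroup matched this service

# Constructed site modelled on the "groups/roles" and "composite mapping" examples above.
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 1001"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 1002"
CAROL = "/DC=org/DC=doegrids/OU=People/CN=Carol Example 1003"
GATEKEEPER = "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"

SITE = GUMS(
    groupMappings={
        "usatlasProd": (VOMSGroup({ALICE}, "/atlas", voRole="production"),
                        GroupAccountMapper("usatprod")),
        "usatlas": (VOMSGroup({ALICE, BOB, CAROL}, "/atlas/usatlas",
                              matchFQAN="vo", acceptProxyWithoutFQAN=True),
                    CompositeAccountMapping(ManualAccountMapper({BOB: "bob"}),
                                            AccountPoolMapper(expand_range("grid0000-199")))),
    },
    hostGroups=[("*.mysite.com", ["usatlasProd", "usatlas"])],
)
```

Calling SITE.mapUser(GATEKEEPER, ALICE, "/atlas/Role=production") yields usatprod, while the same DN with "/atlas/usatlas" falls through to the usatlas mapping and receives the first free pool account.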


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums
    usage: gums command [command-options]
    Commands:
    generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
    generateGridMapfile - Generate grid-mapfile for a given service/host
    manualGroup-add - Includes a DN in a group
    manualGroup-remove - Removes a DN from a group
    manualMapping-add - Adds a DN-to-username in a mapping
    manualMapping-remove - Removes a DN from a mapping
    mapUser - Local credential used for a particular user
    mapfileCache-refresh - Regerates mapfiles in the cache
    pool-addRange - Adds accounts to an account pool
    updateGroups - Contact VO servers and retrieve user lists
    version - Retrieve GUMS client version

    For help on any command: gums command --help

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
    usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
                        FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
    Maps the grid identity to the local user
    Options:
     -s,--service <arg>        DN of the service. When using gums-host it defaults
                               to the host credential DN
     -f,--fqan <arg>           Fully Qualified Attribute Name as it would be
                               selected using voms-proxy-init; no extended information by
                               default
     -t,--timing <arg>         enables timing, grouping the requests. For example
                               -t 100 will give you timing information on 100 requests at a
                               time
     -b,--bypassCallout        connects directly to GUMS instead of using the
                               callout
     -i,--issuer <arg>         Fully Qualified Attribute Name Issuer, that is the
                               DN of the VOMS service that issued the attribute certificate
     -n,--ntimes <arg>         number of times the request will be repeated
        --help                 print this message

Service mapping generation commands

gums mapUser

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: grid12345]

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: special1]


gums generateGridMapfile

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
    #---- members of vo usatlas ----
    "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
    #User-VO map
    # #comment line, format of each regular line
    # line: account VO
    # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
    #voi usatlas ivdgl ligo btev uscms sdss gridex grase
    #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
    #---- accounts for vo usatlas ----
    usatlas1 usatlas
    #---- accounts for vo ivdgl ----
    ivdgl ivdgl

Manual groups and mappings management commands


    <groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1"/>
      <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
    </groupMapping>

    <groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
      <userGroup className="gov.bnl.gums.VOMSGroup"
                 url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
                 persistenceFactory="mysql" name="myvo"
                 voGroup="/myvo"
                 sslCertfile="/etc/grid-security/hostcert.pem"
                 sslKey="/etc/grid-security/hostkey.pem"/>
      <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1"/>
    </groupMapping>

gums manualGroup-add

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

    [carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

    [root@mygk bin]$ gums-host
    usage: gums-host command [command-options]
    Commands:
    generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
    generateGridMapfile - Generate grid-mapfile for this host
    mapUser - Local credential used for a particular user
    version - Retrieve GUMS client version

    For help on any command: gums-host command --help

    [root@mygk bin]# gums-host mapUser --help
    usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
                        FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
    Maps the grid identity to the local user
    Options:
     -s,--service <arg>        DN of the service. When using gums-host it defaults
                               to the host credential DN
     -f,--fqan <arg>           Fully Qualified Attribute Name as it would be
                               selected using voms-proxy-init; no extended information by
                               default
     -t,--timing <arg>         enables timing, grouping the requests. For example
                               -t 100 will give you timing information on 100 requests at a
                               time
     -b,--bypassCallout        connects directly to GUMS instead of using the
                               callout
     -i,--issuer <arg>         Fully Qualified Attribute Name Issuer, that is the
                               DN of the VOMS service that issued the attribute certificate
     -n,--ntimes <arg>         number of times the request will be repeated
        --help                 print this message

Service mapping generation commands

gums-host mapUser

    [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: grid12345]

    [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    LocalId[userName: special1]

gums generateGridMapfile


    [root@mygk bin]# gums-host generateGridMapfile
    #---- members of vo usatlas ----
    "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
    "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
    "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

    [root@mygk bin]# gums-host generateGrid3UserVoMap
    #User-VO map
    # #comment line, format of each regular line
    # line: account VO
    # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
    #voi usatlas ivdgl ligo btev uscms sdss gridex grase
    #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
    #---- accounts for vo usatlas ----
    usatlas1 usatlas
    #---- accounts for vo ivdgl ----
    ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


    [root@atlasgrid13 log]# cat /etc/sysconfig/syslog
    # Options to syslogd
    # -m 0 disables 'MARK' messages.
    # -r enables logging from remote machines
    # -x disables DNS lookups on messages recieved with -r
    # See syslogd(8) for more details
    SYSLOGD_OPTIONS="-r -m 0"
    # Options to klogd
    # -2 prints all kernel oops messages twice; once for klogd to decode, and
    #    once for processing with 'ksymoops'
    # -x disables all klogd processing of oops messages entirely
    # See klogd(8) for more details
    KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


    throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>


Creating a group

    throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

    GUMS encountered an error
    Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
    Error Message: Authorization denied

    $VDT_LOCATION/apache/logs:
    [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version        Date                 Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) [carcassi]
- Fix tomcat deployment in build (i.e. dev server being down once in a while) [carcassi]
- Mapping according to Gecos field available in both NIS and LDAP [carcassi]
- One can filter on the full CN of a host certificate [carcassi]
- The Service Certificate DN is now the identifier for hosts and machines [carcassi]
- Release version in command line [carcassi]
- If gums.config isn't found the first time, a tomcat restart was needed [carcassi]
- Minor updates to the web interface [carcassi]
- VOMS Admin v1.0.x (glite) compatibility [carcassi]
- Support for mapfile cache terminated: web service door only [carcassi]
- FQAN allows for '-', '_' and '.' in the vo, group, role and capability [carcassi]
- DB reviewed: better indexing and transaction use [carcassi]
- Updating from VOMS is no longer blocking [carcassi]

Release 1.0.1 - 2005-04-07

Changes (by):
- Including setupDatabase with the modification made for VDT [carcassi]
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) [carcassi]
- Error code from scripts was incorrect, which caused the cron job to update maps in case of error too [carcassi]

Release 1.0.0 - 2005-03-16

Changes (by):
- Repackaging of the client components: merged admin and host and named it client [carcassi]
- Fixed minor issues with authorization obligations for storage system [mlorch]
- Double add to a manual group now fails [carcassi]
- Script that creates the database and changes the configuration accordingly [carcassi]
- Repackaging of the service component [carcassi]
- Server identity is now gums host name [carcassi]
- GUMS accepts new style proxies [carcassi]
- The accounts in the pool are used in alphabetical order [carcassi]
- Inverse map is now generated exploring all the DN/FQAN combinations [carcassi]
- Gridmapfile is generated simulating users with no FQAN [carcassi]
- LDAP integration for primary gid change at BNL once an account is assigned [carcassi]

Release 0.7.1 - 2005-02-01

Changes (by):
- Log names reviewed so that both client and server can stay (through links) in the same directory [carcassi]
- NIS update is done every hour and is now thread safe [carcassi]
- Log file permissions for the command line tools are set so multiple users can use it (important for admin) [carcassi]
- GUMS host can now be used for stress testing and timing the server response [carcassi]
- Added connection pooling on mysql server [carcassi]
- Solved a race condition that would make GUMS hang in some circumstances [carcassi]
- AuthZ callout without GT3, both client and server stubs [mlorch]
- Added code for Privilege Project in GUMS repository and build process [carcassi]


Release 0.7 - 2005-01-14

Changes (by):
- Better logging: server logs all commands with both input and output [carcassi]
- More complete command line interface [carcassi]
- Web service implementation [carcassi]
- HostWildcards can be more than one, comma separated [carcassi]
- Support for VOMS Fully Qualified Attribute names [carcassi]
- AuthZ service to be contacted by Globus callout [carcassi]
- Support for grid3-user-vo-map.txt generation [carcassi]
- Many, many other refinements [carcassi]

Release 0.6.1 - 2004-08-10

Changes (by):
- Nightly build and reporting with Maven [carcassi]
- Removed all the old code from 0.6 [carcassi]
- Better log system: logs for developer, resource admin and site admin in place [carcassi]
- Ability to retrieve groups from within a VOMS server (finally) [carcassi]
- No more duplication in the mapfiles [carcassi]
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated [carcassi]
- Improved error handling (i.e. a failed update on one group doesn't block the others) [carcassi]
- Installation through RPMs (cron jobs installed automatically) [carcassi]
- Unit tests to Grid3 VOs included [carcassi]
- LDAP access improved: can access LCG dev VO [carcassi]

Release 0.6 - 2004-07-01

Changes (by):
- XML configuration file for mapping policy [carcassi]
- Log infrastructure [carcassi]
- More flexible architecture [carcassi]
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper [carcassi]
- Web interface to generate grid-mapfiles and map users [carcassi]
- Better command line interfaces (feel like Unix commands) [carcassi]

Release 0.5 - 2004-05-20

Changes (by):
- GUMS in production at BNL [carcassi]
- NISMapper: retrieves the GECOS field and matches with certificate CN [carcassi]
- Architecture to allow different types of mappings for different hosts [carcassi]

Release undetermined - before March 2004

Changes (by):
- Script to fetch user from VOMS [dtyu]
- Script to map user to local account [tomw]

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Page 33: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

groupMappings

hostGroups

lthostGroupsgtlt-- RHIC gatekeepers --gtlthostGroup className=govbnlgumsCertificateHostGroup cn=starbnlgov

gtlthostGroup className=govbnlgumsCertificateHostGroup cn=phenixbnlgov

gt

lt-- ATLAS test gatekeeper --gtlthostGroup className=govbnlgumsCertificateHostGroup

cn=mygkusatlasbnlgov gt

lt-- Rest of ATLAS gatekeepers --gtlthostGroup className=govbnlgumsCertificateHostGroup cn=usatlasbnlgov

gtlthostGroupsgt

in the order specified

lthostGroup className=govbnlgumsCertificateHostGroupcn=mygkusatlasbnlgovgroups=atlasProdusatlasPoolivdglPool gt

in the order specified

The firstmatch will define the map

1 3 1 1 G U M S C O N F I G 28

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltgroupMapping name=atlasProd accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=atlasProdvoGroup=atlasvoRole=productionsslCertfile=etcgrid-securitygumscertpemsslKey=etcgrid-securitygumskeypem gt

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatlas1 gt

ltgroupMappinggt

ltgroupMapping name=usatlasPool accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=osgusatlasvoGroup=atlasusatlassslCertfile=etcgrid-securitygumscertpemsslKey=etcgrid-securitygumskeypemacceptProxiesWithoutFQAN=truegt

ltcompositeAccountMappinggtltaccountMapping className=govbnlgumsAccountPoolMapper

persistenceFactory=mysql name=bnlPool gtltaccountMapping className=govbnlgumsGroupAccountMapper

groupName=usatlas1 gtltcompositeAccountMappinggt

ltgroupMappinggt

1 3 1 1 G U M S C O N F I G 29

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

in the order listed

persistenceFactories

ltpersistenceFactoriesgtltpersistenceFactory name=mysql

className=govbnlgumsMySQLPersistenceFactory gtltpersistenceFactoriesgt

persistenceFactory

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

mysqlfilesldap

className The class that is going to provide theimplementation for the persistence layer Itmust implement govbnlgumsPersistenceFactory

govbnlgumshibernateHibernatePersistenceFactoryorgmysiteHRDatabaseFactory

govbnlgumsHibernatePersistenceFactory

ltpersistenceFactory name=mysqlclassName=govbnlgumshibernateHibernatePersistenceFactoryhibernateconnectionusername=gumshibernateconnectionpassword=mysecret

1 3 1 1 G U M S C O N F I G 30

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

hibernateconnectionurl=jdbcmysqlmydbmysiteorgGUMS_1_1hibernateconnectiondriver_class=commysqljdbcDriverhibernatedialect=netsfhibernatedialectMySQLDialecthibernateconnectionpool_size=3 gt

adminUserGroup

groupMappings

groupMapping

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

atlasstarphenix

accountingVo The lower case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasivdgl

accountingDesc The upper case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasiVDgL

userGroup

Attribute Description Examples

className The class that is going to provide theimplementation for the user group It mustimplement govbnlgumsUserGroup

govbnlgumsLDAPGroupgovbnlgumsVOMSGroupgovbnlgumsManualGroup

govbnlgumsLDAPGroup

1 3 1 1 G U M S C O N F I G 31

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

server The LDAP server from which to retrieve theinformation

grid-vonikhefnl

query The query to be used on the server ou=usatlaso=atlasdc=eu-datagriddc=orgou=Peopleo=atlasdc=eu-datagriddc=org

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself. | atlas, usatlas

<userGroup className="gov.bnl.gums.LDAPGroup" server="grid-vo.nikhef.nl" query="ou=People,o=atlas,dc=eu-datagrid,dc=org" persistenceFactory="mysql" name="atlas" />

gov.bnl.gums.VOMSGroup

Attribute | Description | Examples
url | The URL of the web services for VOMS. Notice that it needs the full URL of the service; it won't be constructed from the server name or VO. | https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin
voGroup | The group defined within the VO. | /atlas/test, /atlas/group/subgroup
voRole | The role defined within the VO. | production, myrole
matchFQAN | Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
  • exact (default): the FQAN in the proxy has to be the same as what voGroup and voRole specify
  • group: the FQAN in the proxy has to be the same group or any subgroup; the role is ignored
  • vo: the FQAN in the proxy has to be of the same VO
  • ignore: the FQAN in the proxy is completely ignored | exact, group, vo, ignore
acceptProxyWithoutFQAN | Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with the DN as part of the group will be accepted. | true, false
sslCertfile | The certificate to be used to connect to VOMS. | /etc/grid-security/hostcert.pem
sslKey | The private key to be used to connect to VOMS. | /etc/grid-security/hostkey.pem
sslKeyPasswd | The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates). | mysecret
sslCAFiles | The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files. | /etc/grid-security/certificates/*.0
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself. | atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlas"
    voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
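The matchFQAN and acceptProxyWithoutFQAN attributes are the authorization policy of a VOMSGroup: together with the DN list cached from VOMS they decide whether a given proxy is a member, and a group configured with matchFQAN="ignore" or acceptProxyWithoutFQAN="true" accepts any listed DN regardless of role, which is worth checking when reviewing a gums.config. The following Python model is an added example, not GUMS code; it reimplements the four matching modes on a constructed member list, and the FQAN layout /vo/group/Role=.../Capability=... is assumed from VOMS conventions rather than taken from this manual.

```python
"""Membership decision of a gov.bnl.gums.VOMSGroup, modelled in Python.

Added example, not GUMS code. It reimplements the four matchFQAN modes and
acceptProxyWithoutFQAN from the reference above; the member list cached from
VOMS is replaced by a constructed set of DNs.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


def parse_fqan(fqan: str) -> Tuple[str, Optional[str]]:
    """Split a VOMS FQAN such as '/atlas/usatlas/Role=production/Capability=NULL'
    into (group, role). An absent or NULL role comes back as None. The layout
    is the usual VOMS form, assumed here rather than taken from the manual."""
    group_parts = []
    role = None
    for part in fqan.strip().split("/"):
        if not part:
            continue
        if part.startswith("Role="):
            value = part[len("Role="):]
            role = None if value == "NULL" else value
        elif part.startswith("Capability="):
            continue  # capabilities play no part in matching
        else:
            group_parts.append(part)
    return "/" + "/".join(group_parts), role


def vo_of(group: str) -> str:
    """'/atlas/usatlas' -> 'atlas': the first path element names the VO."""
    return group.strip("/").split("/")[0]


@dataclass(frozen=True)
class VOMSGroup:
    """The <userGroup className="gov.bnl.gums.VOMSGroup"> attributes that
    decide authorization, plus the member DNs GUMS caches from VOMS."""
    vo_group: str
    vo_role: Optional[str] = None
    match_fqan: str = "exact"              # exact | group | vo | ignore
    accept_proxy_without_fqan: bool = False
    members: FrozenSet[str] = frozenset()

    def fqan_matches(self, fqan: Optional[str]) -> bool:
        if fqan is None:
            # A plain, non-VOMS proxy: accepted only when the group says so.
            return self.accept_proxy_without_fqan
        group, role = parse_fqan(fqan)
        mode = self.match_fqan.lower()
        if mode == "exact":
            # Group and role must both equal what voGroup/voRole specify.
            return group == self.vo_group and role == self.vo_role
        if mode == "group":
            # Same group or any subgroup; the role is ignored.
            base = self.vo_group.rstrip("/")
            return group == base or group.startswith(base + "/")
        if mode == "vo":
            return vo_of(group) == vo_of(self.vo_group)
        if mode == "ignore":
            return True
        raise ValueError(f"unknown matchFQAN value: {self.match_fqan!r}")

    def is_member(self, dn: str, fqan: Optional[str]) -> bool:
        """Both conditions are required: the DN is in the VOMS member list
        and the proxy's FQAN (or its absence) satisfies the group's policy."""
        return dn in self.members and self.fqan_matches(fqan)


# Constructed data: one member DN and the two groups of the "Mapping based on
# groups/roles" configuration example (usatlas exact on /atlas/usatlas,
# usatlasProd exact on /atlas with Role=production).
CARCASSI = "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
USATLAS = VOMSGroup(vo_group="/atlas/usatlas", members=frozenset({CARCASSI}))
USATLAS_PROD = VOMSGroup(vo_group="/atlas", vo_role="production",
                         members=frozenset({CARCASSI}))


def demo() -> dict:
    """For each proxy: (accepted by usatlas, accepted by usatlasProd)."""
    proxies = {
        "plain proxy": None,
        "usatlas member": "/atlas/usatlas/Role=NULL/Capability=NULL",
        "production role": "/atlas/Role=production/Capability=NULL",
        "usatlas with production role": "/atlas/usatlas/Role=production",
    }
    return {label: (USATLAS.is_member(CARCASSI, fqan),
                    USATLAS_PROD.is_member(CARCASSI, fqan))
            for label, fqan in proxies.items()}


if __name__ == "__main__":
    for label, (in_usatlas, in_prod) in demo().items():
        print(f"{label:30} usatlas={in_usatlas!s:5} usatlasProd={in_prod}")
```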

gov.bnl.gums.ManualGroup

Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself. | test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup" />

compositeAccountMapping

accountMapping

Attribute | Description | Examples
className | The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping. | gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attribute | Description | Examples
jndiNisUrl | The URL, as defined in the Java JNDI driver, that allows to specify the NIS server and the domain. | nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attribute | Description | Examples
jndiLdapUrl | The URL, as defined in the Java JNDI driver, that allows to specify the LDAP server and the domain. | ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper

Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself. | mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attribute | Description | Examples
groupName | The name of the account. | atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup

Attribute | Description | Examples
className | The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup. | gov.bnl.gums.CertificateHostGroup
groups | A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used. | group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute | Description | Examples
wildcard | The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov. | myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

gov.bnl.gums.CertificateHostGroup

Attribute | Description | Examples
cn | The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov. | myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org
dn | The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '/' or '='. | /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem"
        matchFQAN="VO" acceptProxyWithoutFQAN="true" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing an ad-hoc list of people

<groupMapping name="testers">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas"
        voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlasProd"
        voGroup="/atlas" voRole="production"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas" />
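The hostGroup reference and the configuration examples above describe one resolution order: the hostGroup whose cn wildcard covers the requesting service, then the first groupMapping in its `groups` list that the user belongs to, then that group's (possibly composite) account mapping. The Python model below is an added example, not GUMS code; it puts those rules together with the cn wildcard semantics and the pool range syntax of pool-addRange, with constructed DN sets standing in for the VOMS and manual groups, and treats reading grid0000-199 as grid0000 through grid0199 as an assumption.

```python
"""Host-group selection and account mapping in gums.config, modelled in Python.

Added example, not GUMS code: the CertificateHostGroup cn wildcard (* never
spans '.', '/' or '='), first-match over the hostGroup `groups` list, a
compositeAccountMapping trying a manual map before an account pool, and the
`pool-addRange` range syntax (reading 'grid0000-199' as grid0000..grid0199 is
an assumption). Membership is constructed DN sets; FQAN matching is left out.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Sequence

Mapper = Callable[[str], Optional[str]]  # DN -> account, or None if no mapping

def wildcard_regex(pattern: str):
    """'*' matches any run of characters except '.', '/' and '='; everything
    else is literal, and the whole string must match."""
    body = "".join("[^./=]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile(body + r"\Z")

def cn_matches(cn_wildcard: str, service_cn: str) -> bool:
    return wildcard_regex(cn_wildcard).match(service_cn) is not None

def expand_range(spec: str) -> List[str]:
    """'grid0020-40' -> ['grid0020', ..., 'grid0040']: the digits ending the
    first part give the start value and the zero-padded width."""
    first, last = spec.split("-", 1)
    m = re.fullmatch(r"(.*?)(\d+)", first)
    if m is None or not last.isdigit():
        raise ValueError(f"bad account range: {spec!r}")
    prefix, start = m.group(1), m.group(2)
    return [f"{prefix}{n:0{len(start)}d}" for n in range(int(start), int(last) + 1)]

def manual_account_mapper(table: Dict[str, str]) -> Mapper:
    """ManualAccountMapper: an explicit DN -> account table."""
    return lambda dn: table.get(dn)

def group_account_mapper(account: str) -> Mapper:
    """GroupAccountMapper: every member shares one account."""
    return lambda dn: account

class AccountPoolMapper:
    """Hands out free pool accounts in alphabetical order and remembers the
    assignment, so a DN keeps its account on later requests."""
    def __init__(self, accounts: Sequence[str]):
        self.free = sorted(accounts)
        self.assigned: Dict[str, str] = {}

    def __call__(self, dn: str) -> Optional[str]:
        if dn not in self.assigned:
            if not self.free:
                return None  # pool exhausted: no mapping for this DN
            self.assigned[dn] = self.free.pop(0)
        return self.assigned[dn]

@dataclass
class GroupMapping:
    members: FrozenSet[str]  # stands in for the userGroup's member list
    mappers: List[Mapper]    # compositeAccountMapping, in the order listed

    def map_account(self, dn: str) -> Optional[str]:
        """The first mapper that yields an account wins."""
        for mapper in self.mappers:
            account = mapper(dn)
            if account is not None:
                return account
        return None

@dataclass
class HostGroup:
    cn: str
    groups: List[str]  # groupMapping names in order of preference

def map_user(host_groups: Sequence[HostGroup], group_mappings: Dict[str, GroupMapping],
             service_cn: str, dn: str) -> Optional[str]:
    """First hostGroup whose cn covers the service, then the first group in its
    list that the user belongs to; that group's mapping gives the account."""
    for hg in host_groups:
        if cn_matches(hg.cn, service_cn):
            for name in hg.groups:
                if dn in group_mappings[name].members:
                    return group_mappings[name].map_account(dn)
            return None  # service is known, but the user is in none of its groups
    return None  # no hostGroup covers this service

# Constructed users and a configuration shaped like the examples above.
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 1"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 2"
CAROL = "/DC=org/DC=doegrids/OU=People/CN=Carol Example 3"

def example_config():
    group_mappings = {
        "usatlasProd": GroupMapping(frozenset({ALICE}), [group_account_mapper("usatprod")]),
        "usatlas": GroupMapping(frozenset({ALICE, BOB, CAROL}),
                                [manual_account_mapper({BOB: "bob"}),
                                 AccountPoolMapper(expand_range("grid0000-199"))]),
    }
    return [HostGroup(cn="*.mysite.com", groups=["usatlasProd", "usatlas"])], group_mappings
```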

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user
Options:
  -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
  -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b,--bypassCallout    connects directly to GUMS instead of using the callout
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n,--ntimes <arg>     number of times the request will be repeated
  --help                print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line, #account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
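The two outputs above are installed on the gatekeeper as its authorization list (grid-mapfile) and its accounting map (grid3-user-vo-map.txt), so an account that appears in the first but has no VO in the second is accepted without being attributable to any VO. The checker below is an added example, not part of GUMS; it parses both formats as shown on this page and lists such inconsistencies, using constructed sample files in place of the real command output.

```python
"""Cross-check a grid-mapfile against a grid3-user-vo-map.txt.

Added example, not GUMS code. It parses the two outputs shown above (the
'"DN" account' lines of generateGridMapfile and the #voi/#VOc header plus
'account VO' lines of generateGrid3UserVoMap) and reports accounts that the
gatekeeper would accept but that the accounting map cannot attribute to a VO.
The sample files at the bottom are constructed to resemble the command output.
"""
import re
from typing import Dict, List, Tuple

MAPFILE_LINE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def parse_grid_mapfile(text: str) -> Dict[str, str]:
    """'"/DC=org/.../CN=Name 123" account' -> {DN: account}; '#' lines are comments."""
    mapping: Dict[str, str] = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MAPFILE_LINE.match(line)
        if m is None:
            raise ValueError(f"grid-mapfile line {n}: cannot parse {line!r}")
        mapping[m.group(1)] = m.group(2)
    return mapping


def parse_user_vo_map(text: str) -> Tuple[List[str], List[str], Dict[str, str]]:
    """Returns (#voi names, #VOc names, {account: vo}) from a grid3-user-vo-map."""
    voi: List[str] = []
    voc: List[str] = []
    accounts: Dict[str, str] = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#voi"):
            voi = line.split()[1:]
        elif line.startswith("#VOc"):
            voc = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if len(parts) != 2:
                raise ValueError(f"user-vo-map line {n}: expected 'account VO', got {line!r}")
            accounts[parts[0]] = parts[1]
    return voi, voc, accounts


def check_maps(mapfile_text: str, vomap_text: str) -> List[str]:
    """Problems an administrator would want to see before installing the files."""
    problems: List[str] = []
    dn_to_account = parse_grid_mapfile(mapfile_text)
    voi, voc, account_vo = parse_user_vo_map(vomap_text)
    if len(voi) != len(voc):
        problems.append(f"#voi lists {len(voi)} VOs but #VOc lists {len(voc)}")
    for vo in sorted(set(account_vo.values()) - set(voi)):
        problems.append(f"VO {vo!r} used by an account but missing from #voi")
    for account in sorted(set(dn_to_account.values()) - set(account_vo)):
        problems.append(f"account {account!r} is in the grid-mapfile but has no VO in the user-vo-map")
    return problems


# Constructed samples shaped like the output of the two commands above.
SAMPLE_MAPFILE = '''#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Example User 1" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Example User 2" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Example Admin 3" special1
'''

SAMPLE_VOMAP = '''#User-VO map
# #comment line, format of each regular line, #account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
'''

if __name__ == "__main__":
    for problem in check_maps(SAMPLE_MAPFILE, SAMPLE_VOMAP):
        print(problem)
```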

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
        persistenceFactory="mysql" name="myvo"
        voGroup="/myvo"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]$ gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user
Options:
  -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
  -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b,--bypassCallout    connects directly to GUMS instead of using the callout
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n,--ntimes <arg>     number of times the request will be repeated
  --help                print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]$ gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]$ gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]$ gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]$ gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line, #account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

    throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

    throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error.
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version | Date | Description
1.1.0 | 2005-07-20 |
1.0.1 | 2005-04-07 |
1.0.0 | 2005-03-16 |
0.7.1 | 2005-02-01 |
0.7 | 2005-01-14 |
0.6.1 | 2004-08-10 |
0.6 | 2004-07-01 |
0.5 | 2004-05-20 |
undetermined | before March 2004 |

Release 1.1.0 - 2005-07-20

Changes | By
Review GUMS maven structure (i.e. plug-in dependencies, project.xml) | carcassi
Fix tomcat deployment in build (i.e. dev server being down once in a while) | carcassi
Mapping according to Gecos field available in both NIS and LDAP | carcassi
One can filter on the full CN of a host certificate | carcassi
The Service Certificate DN is now the identifier for hosts and machines | carcassi
Release version in command line | carcassi
If gums.config isn't found the first time, a tomcat restart was needed | carcassi
Minor updates to the web interface | carcassi
VOMS Admin v1.0.x (glite) compatibility | carcassi
Support for mapfile cache terminated; web service door only | carcassi
FQAN allows for '-', '_' and '.' in the VO, group, role and capability | carcassi
DB reviewed: better indexing and transaction use | carcassi
Updating from VOMS is no longer blocking | carcassi

Release 1.0.1 - 2005-04-07

Changes | By
Including setupDatabase with the modification made for VDT | carcassi
gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) | carcassi
Error code from scripts was incorrect; that caused the cron job to update maps in case of error too | carcassi

Release 1.0.0 - 2005-03-16

Changes | By
Repackaging of the client components: merged admin and host and named it client | carcassi
Fixed minor issues with authorization obligations for storage system | mlorch
Double add to a manual group now fails | carcassi
Script that creates the database and changes the configuration accordingly | carcassi
Repackaging of the service component | carcassi
Server identity is now gums host name | carcassi
GUMS accepts new style proxies | carcassi
The accounts in the pool are used in alphabetical order | carcassi
Inverse map is now generated exploring all the DN/FQAN combinations | carcassi
Gridmapfile is generated simulating users with no FQAN | carcassi
LDAP integration for primary gid change at BNL once an account is assigned | carcassi

Release 0.7.1 - 2005-02-01

Changes | By
Log names review so that both client and server can stay (through links) in the same directory | carcassi
NIS update is done every hour and is now thread safe | carcassi
Log file permissions for the command line tools are set so multiple users can use it (important for admin) | carcassi
GUMS host can now be used for stress testing and timing the server response | carcassi
Added connection pooling on mysql server | carcassi
Solved a race condition that would make GUMS hang in some circumstances | carcassi
AuthZ callout without GT3, both client and server stubs | mlorch
Added code for Privilege Project in GUMS repository and build process | carcassi

Release 0.7 - 2005-01-14

Changes | By
Better logging: server logs all commands with both input and output | carcassi
More complete command line interface | carcassi
Web service implementation | carcassi
HostWildcards can be more than one, comma separated | carcassi
Support for VOMS Fully Qualified Attribute names | carcassi
AuthZ service to be contacted by Globus callout | carcassi
Support for grid3-user-vo-map.txt generation | carcassi
Many, many other refinements | carcassi

Release 0.6.1 - 2004-08-10

Changes | By
Nightly build and reporting with Maven | carcassi
Removed all the old code from 0.6 | carcassi
Better log system: logs for developer, resource admin and site admin in place | carcassi
Ability to retrieve groups from within a VOMS server (finally) | carcassi
No more duplication in the mapfiles | carcassi
Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated | carcassi
Improved error handling (i.e. a failed update on one group doesn't block the others) | carcassi
Installation through RPMs (cron jobs installed automatically) | carcassi
Unit tests to Grid3 VOs included | carcassi
LDAP access improved: can access LCG dev VO | carcassi

Release 0.6 - 2004-07-01

Changes | By
XML configuration file for mapping policy | carcassi
Log infrastructure | carcassi
More flexible architecture | carcassi
Decoupled grid-mapfile generation from database caching for distribution on gatekeeper | carcassi
Web interface to generate grid-mapfiles and map users | carcassi
Better command line interfaces (feel like Unix commands) | carcassi

Release 0.5 - 2004-05-20

Changes | By
GUMS in production at BNL | carcassi
NISMapper: retrieves the GECOS field and matches with certificate CN | carcassi
Architecture to allow different type of mappings for different hosts | carcassi

Release undetermined - before March 2004

Changes | By
Script to fetch user from VOMS | dtyu
Script to map user to local account | tomw

Page 34: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

ltgroupMapping name=atlasProd accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=atlasProdvoGroup=atlasvoRole=productionsslCertfile=etcgrid-securitygumscertpemsslKey=etcgrid-securitygumskeypem gt

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatlas1 gt

ltgroupMappinggt

ltgroupMapping name=usatlasPool accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=osgusatlasvoGroup=atlasusatlassslCertfile=etcgrid-securitygumscertpemsslKey=etcgrid-securitygumskeypemacceptProxiesWithoutFQAN=truegt

ltcompositeAccountMappinggtltaccountMapping className=govbnlgumsAccountPoolMapper

persistenceFactory=mysql name=bnlPool gtltaccountMapping className=govbnlgumsGroupAccountMapper

groupName=usatlas1 gtltcompositeAccountMappinggt

ltgroupMappinggt

1 3 1 1 G U M S C O N F I G 29

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

in the order listed

persistenceFactories

ltpersistenceFactoriesgtltpersistenceFactory name=mysql

className=govbnlgumsMySQLPersistenceFactory gtltpersistenceFactoriesgt

persistenceFactory

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

mysqlfilesldap

className The class that is going to provide theimplementation for the persistence layer Itmust implement govbnlgumsPersistenceFactory

govbnlgumshibernateHibernatePersistenceFactoryorgmysiteHRDatabaseFactory

govbnlgumsHibernatePersistenceFactory

ltpersistenceFactory name=mysqlclassName=govbnlgumshibernateHibernatePersistenceFactoryhibernateconnectionusername=gumshibernateconnectionpassword=mysecret

1 3 1 1 G U M S C O N F I G 30

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

hibernateconnectionurl=jdbcmysqlmydbmysiteorgGUMS_1_1hibernateconnectiondriver_class=commysqljdbcDriverhibernatedialect=netsfhibernatedialectMySQLDialecthibernateconnectionpool_size=3 gt

adminUserGroup

groupMappings

groupMapping

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

atlasstarphenix

accountingVo The lower case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasivdgl

accountingDesc The upper case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasiVDgL

userGroup

Attribute Description Examples

className The class that is going to provide theimplementation for the user group It mustimplement govbnlgumsUserGroup

govbnlgumsLDAPGroupgovbnlgumsVOMSGroupgovbnlgumsManualGroup

govbnlgumsLDAPGroup

1 3 1 1 G U M S C O N F I G 31

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

server The LDAP server from which to retrieve theinformation

grid-vonikhefnl

query The query to be used on the server ou=usatlaso=atlasdc=eu-datagriddc=orgou=Peopleo=atlasdc=eu-datagriddc=org

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name The name of the cache within the persistencefactory Refer to the specifics of thepersistence factory itself

atlasusatlas

ltuserGroup className=govbnlgumsLDAPGroupserver=grid-vonikhefnlquery=ou=Peopleo=atlasdc=eu-datagriddc=orgpersistanceFactory=mysql name=atlas gt

govbnlgumsVOMSGroup

Attribute | Description | Examples
url | The URL of the VOMS web service. Notice that it needs the full URL of the service; it won't be constructed from the server name or VO. | https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin
voGroup | The group defined within the VO | /atlas/test, /atlas/group/subgroup
voRole | The role defined within the VO | production, myrole

1.3.1.1 gums.config 32

© 2003 Brookhaven National Laboratory • All Rights Reserved

Attribute | Description | Examples
matchFQAN | Defines how the VOMS attribute (or role) is matched. There are 4 possible ways: • exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify; • group - the FQAN in the proxy has to be the same group or any subgroup, the role is ignored; • vo - the FQAN in the proxy has to be of the same VO; • ignore - the FQAN in the proxy is completely ignored | exact, group, vo, ignore
acceptProxyWithoutFQAN | Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy whose DN is part of the group will be accepted. | true, false
sslCertfile | The certificate to be used to connect to VOMS | /etc/grid-security/hostcert.pem
sslKey | The private key to be used to connect to VOMS | /etc/grid-security/hostkey.pem
sslKeyPasswd | The password of the key to be used to connect to VOMS. Do not set it if the key doesn't have a password (such as when using host certificates). | mysecret
sslCAFiles | The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files. | /etc/grid-security/certificates/*.0
persistenceFactory | The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself. | atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>

gov.bnl.gums.ManualGroup

Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself. | test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup"/>

compositeAccountMapping

accountMapping

Attribute | Description | Examples
className | The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping. | gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attribute | Description | Examples
jndiNisUrl | The URL, as defined by the Java JNDI driver, that specifies the NIS server and the domain | nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain"/>

gov.bnl.gums.GecosLdapAccountMapper

Attribute | Description | Examples
jndiLdapUrl | The URL, as defined by the Java JNDI driver, that specifies the LDAP server and the base DN | ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov"/>

gov.bnl.gums.AccountPoolMapper

Attribute | Description | Examples
persistenceFactory | The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section. | mysql
name | The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself. | mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>

gov.bnl.gums.GroupAccountMapper

Attribute | Description | Examples
groupName | The name of the account | atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas"/>

hostGroups

hostGroup

Attribute | Description | Examples
className | The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup. | gov.bnl.gums.CertificateHostGroup
groups | A list of groupMappings, in order of preference. To determine which group should be used for a particular user, GUMS starts from the beginning of the list and stops at the first match. Therefore, if there is more than one match (i.e. a user is part of more than one group), the first one in the list is used. | group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute | Description | Examples
wildcard | The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any characters except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov. | myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl"/>

gov.bnl.gums.CertificateHostGroup

Attribute | Description | Examples
cn | The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any characters except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov. | myhost.mysite.org, *.atlas.mysite.org, atlas*.mysite.org, host/*.mysite.org, gridftp/*.mysite.org
dn | The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any characters except '/' or '='. | /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl"/>

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas" sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem"
      matchFQAN="VO" acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

Allowing an ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup"
      persistenceFactory="mysql" name="testers"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers"/>

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas" sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.AccountPoolMapper"
      persistenceFactory="mysql" name="bnlPool"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas" sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem"/>
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper"
        persistenceFactory="mysql" name="bnlMap"/>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper"
        persistenceFactory="mysql" name="bnlPool"/>
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas" sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas"/>
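The three rules that decide the outcome of the examples above are the matchFQAN modes of the VOMSGroup table, the first-match order of a hostGroup's groups list, and the way an account pool hands out accounts (pool-addRange, accounts used in alphabetical order). The following is an added example and not GUMS code: a Python stand-in that parses a constructed gums.config fragment and resolves a few constructed requests the way 'gums mapUser' would. The <gums> root element, the GumsResolver class, the DNs and the reading of grid0000-199 as the inclusive range grid0000 to grid0199 are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed gums.config fragment using the element and attribute names from the tables
# above; the <gums> root element is an assumption of this example.
SAMPLE_CONFIG = """<gums>
  <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlasProd" voGroup="/atlas" voRole="production" matchFQAN="exact"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
  </groupMapping>
  <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlas" voGroup="/atlas/usatlas" matchFQAN="vo" acceptProxyWithoutFQAN="true"/>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" name="bnlPool"/>
  </groupMapping>
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas"/>
</gums>"""
DN_A = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 11111"   # constructed DN
DN_B = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 22222"     # constructed DN

def split_fqan(fqan):
    """'/atlas/usatlas/Role=production/Capability=NULL' -> ('/atlas/usatlas', 'production')."""
    group, role = [], None
    for part in filter(None, fqan.split("/")):
        if part.startswith("Role="):
            role = None if part[5:] == "NULL" else part[5:]   # no role and Role=NULL are the same
        elif not part.startswith("Capability="):
            group.append(part)
    return "/" + "/".join(group), role

def fqan_matches(mode, vo_group, vo_role, fqan):
    """The four matchFQAN modes of the VOMSGroup table (mode compared case-insensitively)."""
    mode = mode.lower()
    if mode == "ignore":
        return True
    group, role = split_fqan(fqan)
    if mode == "exact":   # group and role both have to agree with voGroup and voRole
        return group == vo_group and role == vo_role
    if mode == "group":   # same group or any subgroup, role ignored
        return group == vo_group or group.startswith(vo_group.rstrip("/") + "/")
    if mode == "vo":      # only the VO, the first path component, has to agree
        return group.split("/")[1] == vo_group.split("/")[1]
    raise ValueError("unknown matchFQAN mode: " + mode)

def cn_matches(pattern, cn):
    """CertificateHostGroup cn wildcard: '*' stands for any characters except '.', '/' or '='."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", r"[^./=]*"), cn) is not None

def expand_pool_range(spec):
    """'grid0000-199' -> grid0000 ... grid0199 (inclusive, zero-padded like the first number;
    this reading of the pool-addRange argument is an assumption)."""
    prefix, start, end = re.fullmatch(r"(\D*)(\d+)-(\d+)", spec).groups()
    return [f"{prefix}{i:0{len(start)}d}" for i in range(int(start), int(end) + 1)]

class GumsResolver:
    """Hypothetical stand-in for the server side of 'gums mapUser'."""
    def __init__(self, config_xml, members, pools):
        root = ET.fromstring(config_xml)
        self.group_mappings = {gm.get("name"): gm for gm in root.findall("groupMapping")}
        self.host_groups = root.findall("hostGroup")
        self.members = members                                  # userGroup name -> set of DNs
        self.pools = {n: sorted(a) for n, a in pools.items()}  # free accounts, alphabetical
        self.assigned = {}                                      # (pool name, DN) -> account
    def accepts(self, ug, dn, fqan):
        if dn not in self.members.get(ug.get("name"), set()):
            return False
        if "VOMSGroup" not in ug.get("className"):
            return True                   # a manual group is a plain DN list
        if fqan is None:                  # a non-VOMS proxy
            return ug.get("acceptProxyWithoutFQAN", "false").lower() == "true"
        return fqan_matches(ug.get("matchFQAN", "exact"), ug.get("voGroup"), ug.get("voRole"), fqan)
    def map_user(self, service_cn, dn, fqan=None):
        # First hostGroup whose cn matches the service, then the first groupMapping of its
        # 'groups' list that accepts the user, wins.
        for hg in self.host_groups:
            if not any(cn_matches(p.strip(), service_cn) for p in hg.get("cn", "").split(",")):
                continue
            for name in (n.strip() for n in hg.get("groups").split(",")):
                gm = self.group_mappings[name]
                if self.accepts(gm.find("userGroup"), dn, fqan):
                    return self.apply(gm.find("accountMapping"), dn)
            return None                   # host matched, user is in none of its groups
        return None                       # no hostGroup covers this service
    def apply(self, am, dn):
        if am.get("className").endswith("GroupAccountMapper"):
            return am.get("groupName")
        free, key = self.pools[am.get("name")], (am.get("name"), dn)   # AccountPoolMapper
        if key not in self.assigned and free:
            self.assigned[key] = free.pop(0)      # lowest free account, kept for this DN
        return self.assigned.get(key)             # None once the pool is exhausted

def demo():
    gums = GumsResolver(SAMPLE_CONFIG, {"usatlasProd": {DN_A}, "usatlas": {DN_A, DN_B}},
                        {"bnlPool": expand_pool_range("grid0000-199")})
    gk = "gatekeeper.mysite.com"
    return (gums.map_user(gk, DN_A, "/atlas/Role=production"),  # exact role match -> usatprod
            gums.map_user(gk, DN_A, "/atlas/usatlas"),          # falls through to the pool
            gums.map_user(gk, DN_B),                            # non-VOMS proxy, accepted
            gums.map_user(gk, DN_B, "/cms/Role=production"))    # wrong VO -> no account
```

The order of the groups attribute is what makes the role-based example work: with groups="usatlas, usatlasProd" a production proxy would be swallowed by the looser usatlas entry and never reach us atprod, which is why the more specific mapping is listed first. The resolver also shows the two failure modes an administrator should expect: a user whose VO does not match gets no account at all, and once the pool is empty the next new DN gets None rather than a shared account.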

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@testgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
  -s,--service <arg>    DN of the service. When using gums-host, it defaults to the host credential DN
  -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init, no extended information by default
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b,--bypassCallout    connects directly to GUMS instead of using the callout
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n,--ntimes <arg>     number of times the request will be repeated
  --help                print this message

Service mapping generation commands

gums mapUser

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql"
      name="group1"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
      persistenceFactory="mysql" name="myvo" voGroup="/myvo"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.ManualAccountMapper"
      persistenceFactory="mysql" name="map1"/>
</groupMapping>

gums manualGroup-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]# gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
  -s,--service <arg>    DN of the service. When using gums-host, it defaults to the host credential DN
  -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init, no extended information by default
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b,--bypassCallout    connects directly to GUMS instead of using the callout
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n,--ntimes <arg>     number of times the request will be repeated
  --help                print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
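The grid-mapfile and grid3-user-vo-map.txt output shown for bin/gums above and for bin/gums-host here are the files a gatekeeper actually consumes, so before a generated map is installed it is worth checking that it is well-formed and that the two files agree with each other. The following is an added example and not GUMS code: a Python parser for both formats and a cross-check between them, run over constructed sample lines modelled on the output above (the DNs are made up, and the second entry for "Bob" is a deliberate conflict).

```python
import re

# Constructed sample output, modelled on the generateGridMapfile and generateGrid3UserVoMap
# output above. The DNs are made up; the second entry for "Bob" is a deliberate conflict.
GRID_MAPFILE = """\
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Alice Example 5894" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Bob Example 409738" usatlas1
#---- members of vo: ivdgl ----
"/DC=org/DC=doegrids/OU=People/CN=Carol Example 778117" ivdgl
"/DC=org/DC=doegrids/OU=People/CN=Bob Example 409738" ivdgl
"""
USER_VO_MAP = """\
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
"""

# A grid-mapfile line is a double-quoted DN, whitespace, then the local account.
MAPFILE_LINE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def parse_grid_mapfile(text):
    """Return the (dn, account) pairs of a grid-mapfile. Comments and blank lines are skipped;
    any other line that does not fit the format raises, since a silently dropped line would
    hide a broken map from the person checking it."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MAPFILE_LINE.match(line)
        if m is None:
            raise ValueError(f"grid-mapfile line {lineno} is malformed: {line!r}")
        entries.append((m.group(1), m.group(2)))
    return entries


def parse_user_vo_map(text):
    """Return (voi, voc, {account: vo}) from a grid3-user-vo-map.txt: the #voi line carries the
    lower-case VO names, #VOc the display names in the same order, regular lines 'account VO'."""
    voi, voc, accounts = [], [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#voi "):
            voi = line.split()[1:]
        elif line.startswith("#VOc "):
            voc = line.split()[1:]
        elif not line.strip() or line.startswith("#"):
            continue
        else:
            fields = line.split()
            if len(fields) != 2:
                raise ValueError(f"user-vo-map line {lineno} is malformed: {line!r}")
            accounts[fields[0]] = fields[1]
    return voi, voc, accounts


def check_maps(mapfile_text, vomap_text):
    """Cross-check the two files a gatekeeper receives from GUMS. Returns a list of findings;
    an empty list means the maps are consistent with each other."""
    findings = []
    entries = parse_grid_mapfile(mapfile_text)
    voi, voc, accounts = parse_user_vo_map(vomap_text)
    if len(voi) != len(voc):
        findings.append(f"#voi lists {len(voi)} VOs but #VOc lists {len(voc)}")
    first_account = {}
    for dn, account in entries:
        # A DN listed twice with different accounts is ambiguous: only one of the two lines
        # can ever be used, so the other is either dead configuration or a surprise.
        if first_account.setdefault(dn, account) != account:
            findings.append(f"DN mapped twice: {dn} -> {first_account[dn]} and {account}")
    for account in sorted({a for _, a in entries} - set(accounts)):
        findings.append(f"account {account} has no VO in the user-vo-map")
    for account, vo in accounts.items():
        if vo not in voi:
            findings.append(f"account {account} is assigned to VO {vo}, which is not in #voi")
    return findings
```

Running check_maps on the constructed sample reports exactly the duplicate DN; removing that line makes the two files consistent, and removing the "ivdgl ivdgl" line instead shows the other direction of the check, an account present in the grid-mapfile that accounting can no longer attribute to a VO.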

1.3.3 GUMS logs

GUMS Logs

Administrator's log (gums-service-admin.log)

Developer's log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrator's log

Developer's log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>

Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error.
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

In $VDT_LOCATION/apache/logs/:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version | Date | Description
1.1.0 | 2005-07-20 |
1.0.1 | 2005-04-07 |
1.0.0 | 2005-03-16 |
0.7.1 | 2005-02-01 |
0.7 | 2005-01-14 |
0.6.1 | 2004-08-10 |
0.6 | 2004-07-01 |
0.5 | 2004-05-20 |
undetermined | before March 2004 |

Release 1.1.0 - 2005-07-20

Changes | By
Review GUMS maven structure (i.e. plug-in dependencies, project.xml) | carcassi
Fix tomcat deployment in build (i.e. dev server being down once in a while) | carcassi
Mapping according to Gecos field available in both NIS and LDAP | carcassi
One can filter on the full CN of a host certificate | carcassi
The Service Certificate DN is now the identifier for hosts and machines | carcassi
Release version in command line | carcassi

Changes | By
If gums.config isn't found the first time, a tomcat restart was needed | carcassi
Minor updates to the web interface | carcassi
VOMS Admin v1.0.x (gLite) compatibility | carcassi
Support for mapfile cache terminated: web service door only | carcassi
FQAN allows for '-', '_' and '.' in the VO, group, role and capability | carcassi
DB reviewed: better indexing and transaction use | carcassi
Updating from VOMS is no longer blocking | carcassi

Release 1.0.1 - 2005-04-07

Changes | By
Including setupDatabase with the modification made for VDT | carcassi
gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) | carcassi
Error code from scripts was incorrect; that caused the cron job to update maps in case of error too | carcassi

Release 1.0.0 - 2005-03-16

Changes | By
Repackaging of the client components: merged admin and host and named it client | carcassi
Fixed minor issues with authorization obligations for storage system | mlorch
Double add to a manual group now fails | carcassi

Changes | By
Script that creates the database and changes the configuration accordingly | carcassi
Repackaging of the service component | carcassi
Server identity is now the gums host name | carcassi
GUMS accepts new style proxies | carcassi
The accounts in the pool are used in alphabetical order | carcassi
Inverse map is now generated exploring all the DN/FQAN combinations | carcassi
Gridmapfile is generated simulating users with no FQAN | carcassi
LDAP integration for primary gid change at BNL once an account is assigned | carcassi

Release 0.7.1 - 2005-02-01

Changes | By
Log names reviewed so that both client and server can stay (through links) in the same directory | carcassi
NIS update is done every hour and is now thread safe | carcassi
Log file permissions for the command line tools are set so multiple users can use them (important for admin) | carcassi
GUMS host can now be used for stress testing and timing the server response | carcassi
Added connection pooling on mysql server | carcassi
Solved a race condition that would make GUMS hang in some circumstances | carcassi
AuthZ callout without GT3, both client and server stubs | mlorch
Added code for Privilege Project in GUMS repository and build process | carcassi

Release 0.7 - 2005-01-14

Changes | By
Better logging: server logs all commands with both input and output | carcassi
More complete command line interface | carcassi
Web service implementation | carcassi
HostWildcards can be more than one, comma separated | carcassi
Support for VOMS Fully Qualified Attribute Names | carcassi
AuthZ service to be contacted by Globus callout | carcassi
Support for grid3-user-vo-map.txt generation | carcassi
Many, many other refinements | carcassi

Release 0.6.1 - 2004-08-10

Changes | By
Nightly build and reporting with Maven | carcassi
Removed all the old code from 0.6 | carcassi
Better log system: logs for developer, resource admin and site admin in place | carcassi
Ability to retrieve groups from within a VOMS server (finally) | carcassi
No more duplication in the mapfiles | carcassi
Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated | carcassi
Improved error handling (i.e. a failed update on one group doesn't block the others) | carcassi

Changes | By
Installation through RPMs (cron jobs installed automatically) | carcassi
Unit tests to Grid3 VOs included | carcassi
LDAP access improved: can access LCG dev VO | carcassi

Release 0.6 - 2004-07-01

Changes | By
XML configuration file for mapping policy | carcassi
Log infrastructure | carcassi
More flexible architecture | carcassi
Decoupled grid-mapfile generation from database caching for distribution on gatekeeper | carcassi
Web interface to generate grid-mapfiles and map users | carcassi
Better command line interfaces (feel like Unix commands) | carcassi

Release 0.5 - 2004-05-20

Changes | By
GUMS in production at BNL | carcassi
NISMapper retrieves the GECOS field and matches it with the certificate CN | carcassi
Architecture to allow different types of mappings for different hosts | carcassi

Release undetermined - before March 2004

Changes | By
Script to fetch user from VOMS | dtyu
Script to map user to local account | tomw

Page 35: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

in the order listed

persistenceFactories

ltpersistenceFactoriesgtltpersistenceFactory name=mysql

className=govbnlgumsMySQLPersistenceFactory gtltpersistenceFactoriesgt

persistenceFactory

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

mysqlfilesldap

className The class that is going to provide theimplementation for the persistence layer Itmust implement govbnlgumsPersistenceFactory

govbnlgumshibernateHibernatePersistenceFactoryorgmysiteHRDatabaseFactory

govbnlgumsHibernatePersistenceFactory

ltpersistenceFactory name=mysqlclassName=govbnlgumshibernateHibernatePersistenceFactoryhibernateconnectionusername=gumshibernateconnectionpassword=mysecret

1 3 1 1 G U M S C O N F I G 30

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

hibernateconnectionurl=jdbcmysqlmydbmysiteorgGUMS_1_1hibernateconnectiondriver_class=commysqljdbcDriverhibernatedialect=netsfhibernatedialectMySQLDialecthibernateconnectionpool_size=3 gt

adminUserGroup

groupMappings

groupMapping

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

atlasstarphenix

accountingVo The lower case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasivdgl

accountingDesc The upper case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasiVDgL

userGroup

Attribute Description Examples

className The class that is going to provide theimplementation for the user group It mustimplement govbnlgumsUserGroup

govbnlgumsLDAPGroupgovbnlgumsVOMSGroupgovbnlgumsManualGroup

govbnlgumsLDAPGroup

1 3 1 1 G U M S C O N F I G 31

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

server The LDAP server from which to retrieve theinformation

grid-vonikhefnl

query The query to be used on the server ou=usatlaso=atlasdc=eu-datagriddc=orgou=Peopleo=atlasdc=eu-datagriddc=org

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name The name of the cache within the persistencefactory Refer to the specifics of thepersistence factory itself

atlasusatlas

ltuserGroup className=govbnlgumsLDAPGroupserver=grid-vonikhefnlquery=ou=Peopleo=atlasdc=eu-datagriddc=orgpersistanceFactory=mysql name=atlas gt

govbnlgumsVOMSGroup

Attribute Description Examples

url The url of the web services for VOMS Noticethat it needs the full url of the service it wontbe constructed from the server name or vo

httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdmin

voGroup The group defined within the VO atlastestatlasgroupsubgroup

voRole The role defined within the VO productionmyrole

1 3 1 1 G U M S C O N F I G 32

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

matchFQAN Defines how the VOMS attribute (or role) ismatched There are 4 possible waysbull exact (default) - the FQAN in the proxy

has to be the same as what voGroup andvoRole specify

bull group - the FQAN in the proxy has to bethe same group or any subgroup role isignored

bull vo - the FQAN in the proxy has to be ofthe same vo

bull ignore - the FQAN in the proxy iscompletely ignored

exactgroupvoignore

acceptProxyWithoutFQAN Defines whether normal proxies that isnon-VOMS proxies are to be accepted Iftrue a non-VOMS proxy with the DN as partof the group will be accepted

truefalse

sslCertfile The certificate to be used to connect toVOMS

etcgrid-securityhostcertpem

sslKey The private key to be used to connect toVOMS

etcgrid-securityhostkeypem

sslKeyPasswd The password of the key to be used toconnect to VOMS Do not set if the keydoesnt have a password (such as whenusing host certificates)

mysecret

sslCAFiles The set of CA certificate files to be used toconnect to VOMS The value is a wildcardthat matches the cert files

etcgrid-securitycertificates0

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name The name of the cache within the persistencefactory Refer to the specifics of thepersistence factory itself

atlasTestatlasGroupSubgroup

ltuserGroup className=govbnlgumsVOMSGroupurl=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdmin

persistanceFactory=mysql name=atlasvoGroup=atlastest

1 3 1 1 G U M S C O N F I G 33

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgt

govbnlgumsManualGroup

Attribute Description Examples

persistenceFactory

The persistence layer to be used to store thelist of users The string must be one of thenames defined within thepersistenceFactories section

mysql

name The name of the group within the persistencefactory Refer to the specifics of thepersistence factory itself

testtestbedAadmins

ltuserGroup className=govbnlgumsManualUserGrouppersistanceFactory=mysql name=testGroup gt

compositeAccountMapping

accountMapping

1 3 1 1 G U M S C O N F I G 34

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

className The class that is going to provide theimplementation for the mapping It mustimplement govbnlgumsAccountMapping

govbnlgumsManualAccountMappergovbnlgumsGecosLdapAccountMappergovbnlgumsGecosNisAccountMappergovbnlgumsAccountPoolMappergovbnlgumsGroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

jndiNisUrl: The URL, as defined by the Java JNDI driver, that specifies the NIS server and the domain. Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain"/>

gov.bnl.gums.GecosLdapAccountMapper

jndiLdapUrl: The URL, as defined by the Java JNDI driver, that specifies the LDAP server and the domain. Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov"/>

gov.bnl.gums.AccountPoolMapper

persistenceFactory: The persistence layer used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section. Examples: mysql

name: The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself. Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>

gov.bnl.gums.GroupAccountMapper

groupName: The name of the account. Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas"/>

hostGroups

hostGroup

className: The class that provides the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup. Examples: gov.bnl.gums.CertificateHostGroup

groups: A list of groupMappings in order of preference. To determine which group should be used for a particular user, GUMS starts from the beginning of the list and stops at the first match. Therefore, if there is more than one match (i.e. a user is part of more than one group), the first one in the list is used. Examples: group1,group2

gov.bnl.gums.WildcardHostGroup (deprecated)

wildcard: The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov would not match myhost.usatlas.bnl.gov. Examples: myhost.mysite.org, *.atlas.mysite.org, *.*.atlas.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl"/>

gov.bnl.gums.CertificateHostGroup

cn: The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.' or '='. That is, *.bnl.gov would not match myhost.usatlas.bnl.gov or host/test.bnl.gov. Examples: myhost.mysite.org, *.atlas.mysite.org, *.*.atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn: The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.' or '='. Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl"/>

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"
      matchFQAN="VO" acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

Allowing an ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers"/>

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas"/>

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap"/>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas"/>

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version
For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user
Options:
  -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
  -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b,--bypassCallout    connects directly to GUMS instead of using the callout
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n,--ntimes <arg>     number of times the request will be repeated
     --help             print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
      persistenceFactory="mysql" name="myvo" voGroup="/myvo"
      sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1"/>
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]# gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version
For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user
Options:
  -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN
  -f,--fqan <arg>       Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
  -b,--bypassCallout    connects directly to GUMS instead of using the callout
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
  -n,--ntimes <arg>     number of times the request will be repeated
     --help             print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>

Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error. Error Type: gov.bnl.gums.admin.AuthorizationDeniedException. Error Message: Authorization denied

$VDT_LOCATION/apache/logs: [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version       Date                Description
1.1.0         2005-07-20
1.0.1         2005-04-07
1.0.0         2005-03-16
0.7.1         2005-02-01
0.7           2005-01-14
0.6.1         2004-08-10
0.6           2004-07-01
0.5           2004-05-20
undetermined  before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (glite) compatibility (carcassi)
- Support for mapfile cache terminated; web service door only (carcassi)
- FQAN allows for '-', '_' and '.' in the vo, group, role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect, which caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now gums host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Gridmapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
- Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use it (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3, both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)

Release 0.7 - 2005-01-14

Changes (by):
- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests for Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches it with the certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (by):
- Script to fetch users from VOMS (dtyu)
- Script to map users to local accounts (tomw)

Page 36: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

hibernateconnectionurl=jdbcmysqlmydbmysiteorgGUMS_1_1hibernateconnectiondriver_class=commysqljdbcDriverhibernatedialect=netsfhibernatedialectMySQLDialecthibernateconnectionpool_size=3 gt

adminUserGroup

groupMappings

groupMapping

Attribute Description Examples

name The name that will be used by the othercomponents to refer to thispersistenceFactory

atlasstarphenix

accountingVo The lower case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasivdgl

accountingDesc The upper case OSG accounting name thatwill be used to generate the inverse maps forthis group

atlasiVDgL

userGroup

Attribute Description Examples

className The class that is going to provide theimplementation for the user group It mustimplement govbnlgumsUserGroup

govbnlgumsLDAPGroupgovbnlgumsVOMSGroupgovbnlgumsManualGroup

govbnlgumsLDAPGroup

1 3 1 1 G U M S C O N F I G 31

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

server The LDAP server from which to retrieve theinformation

grid-vonikhefnl

query The query to be used on the server ou=usatlaso=atlasdc=eu-datagriddc=orgou=Peopleo=atlasdc=eu-datagriddc=org

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name The name of the cache within the persistencefactory Refer to the specifics of thepersistence factory itself

atlasusatlas

ltuserGroup className=govbnlgumsLDAPGroupserver=grid-vonikhefnlquery=ou=Peopleo=atlasdc=eu-datagriddc=orgpersistanceFactory=mysql name=atlas gt

govbnlgumsVOMSGroup

Attribute Description Examples

url The url of the web services for VOMS Noticethat it needs the full url of the service it wontbe constructed from the server name or vo

httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdmin

voGroup The group defined within the VO atlastestatlasgroupsubgroup

voRole The role defined within the VO productionmyrole

1 3 1 1 G U M S C O N F I G 32

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

matchFQAN Defines how the VOMS attribute (or role) ismatched There are 4 possible waysbull exact (default) - the FQAN in the proxy

has to be the same as what voGroup andvoRole specify

bull group - the FQAN in the proxy has to bethe same group or any subgroup role isignored

bull vo - the FQAN in the proxy has to be ofthe same vo

bull ignore - the FQAN in the proxy iscompletely ignored

exactgroupvoignore

acceptProxyWithoutFQAN Defines whether normal proxies that isnon-VOMS proxies are to be accepted Iftrue a non-VOMS proxy with the DN as partof the group will be accepted

truefalse

sslCertfile The certificate to be used to connect toVOMS

etcgrid-securityhostcertpem

sslKey The private key to be used to connect toVOMS

etcgrid-securityhostkeypem

sslKeyPasswd The password of the key to be used toconnect to VOMS Do not set if the keydoesnt have a password (such as whenusing host certificates)

mysecret

sslCAFiles The set of CA certificate files to be used toconnect to VOMS The value is a wildcardthat matches the cert files

etcgrid-securitycertificates0

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name The name of the cache within the persistencefactory Refer to the specifics of thepersistence factory itself

atlasTestatlasGroupSubgroup

ltuserGroup className=govbnlgumsVOMSGroupurl=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdmin

persistanceFactory=mysql name=atlasvoGroup=atlastest

1 3 1 1 G U M S C O N F I G 33

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgt

govbnlgumsManualGroup

Attribute Description Examples

persistenceFactory

The persistence layer to be used to store thelist of users The string must be one of thenames defined within thepersistenceFactories section

mysql

name The name of the group within the persistencefactory Refer to the specifics of thepersistence factory itself

testtestbedAadmins

ltuserGroup className=govbnlgumsManualUserGrouppersistanceFactory=mysql name=testGroup gt

compositeAccountMapping

accountMapping

1 3 1 1 G U M S C O N F I G 34

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

className The class that is going to provide theimplementation for the mapping It mustimplement govbnlgumsAccountMapping

govbnlgumsManualAccountMappergovbnlgumsGecosLdapAccountMappergovbnlgumsGecosNisAccountMappergovbnlgumsAccountPoolMappergovbnlgumsGroupAccountMapper

govbnlgumsGecosNisAccountMapper

Attribute Description Examples

jndiNisUrl The url as defined in the Java JNDI driverthat allows to specify the NIS server and thedomain

nisnisbnlgovatlas

ltaccountMapping className=govbnlgumsGecosNisAccountMapperjndiNisUrl=nisnismysiteorgdomain gt

govbnlgumsGecosLdapAccountMapper

Attribute Description Examples

jndiLdapUrl The url as defined in the Java JNDI driverthat allows to specify the LDAP server andthe domain

ldapldapbnlgovdc=usatlasdc=bnldc=gov

ltaccountMapping className=govbnlgumsGecosLdapAccountMapperjndiLdapUrl=ldapldapmysiteorgdc=domaindc=mysitedc=gov gt

govbnlgumsAccountPoolMapper

1 3 1 1 G U M S C O N F I G 35

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

persistenceFactory

The persistence layer to be used to store thepool mapping The string must be one of thenames defined within thepersistenceFactories section

mysql

name The name of the pool within the persistencefactory Refer to the specifics of thepersistence factory itself

mysitePoolosgPool

ltaccountMapping className=govbnlgumsAccountPoolMapperpersistenceFactory=mysql name=bnlPool gt

govbnlgumsGroupAccountMapper

Attribute Description Examples

groupName The name of the account atlastestAccount

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=atlas gt

hostGroups

hostGroup

1 3 1 1 G U M S C O N F I G 36

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

className The class that is going to provide theimplementation for the hostGroup It mustimplement govbnlgumsHostGroup

govbnlgumsCertificateHostGroup

groups A list of groupMappings in the order ofpreference To determine which group shouldbe used for a particular user GUMS will startfrom the beginning of the list until it finds amatch Therefore if there would be more thanone match (ie a user is part of more groups)the first one in the list is used

group1group2

govbnlgumsWildcardHostGroup (deprecated)

Attribute Description Examples

wildcard The wildcard for the set of hosts to beincluded The wildcard is a string where canbe substituted with any character except That is bnlgov wouldnt matchmyhostusatlasbnlgov

myhostmysiteorgatlasmysiteorgatlasmysiteorg

lthostGroup className=govbnlgumsWildcardHostGroupwildcard=usatlasbnlgovgroups=gridexsdssuscmsusatlasGroupbtevligoivdgl gt

gov.bnl.gums.CertificateHostGroup

Attribute: cn
Description: The wildcard on the CN for the set of services to be included. The cn is a string where '*' can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
Examples: myhost.mysite.org, *.atlas.mysite.org, atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

Attribute: dn
Description: The wildcard on the DN for the set of services to be included. The wildcard is a string where '*' can be substituted with any character except '.', '/' or '='.
Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.usatlas.bnl.gov' groups='gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl' />


1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name='usatlas' accountingVo='usatlas' accountingDesc='ATLAS'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
      url='https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin'
      persistenceFactory='mysql' name='usatlas'
      voGroup='/atlas/usatlas'
      sslCertfile='/etc/grid-security/hostcert.pem'
      sslKey='/etc/grid-security/hostkey.pem'
      matchFQAN='VO' acceptProxyWithoutFQAN='true' />
  <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatlas1' />
</groupMapping>

<hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.mysite.com' groups='usatlas' />

Allowing an ad-hoc list of people

<groupMapping name='testers'>
  <userGroup className='gov.bnl.gums.ManualUserGroup' persistenceFactory='mysql' name='testers' />
  <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='test' />
</groupMapping>

<hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.mysite.com' groups='testers' />

Using account pools

<groupMapping name='usatlas' accountingVo='usatlas' accountingDesc='ATLAS'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
      url='https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin'
      persistenceFactory='mysql' name='usatlas'
      voGroup='/atlas/usatlas'
      sslCertfile='/etc/grid-security/hostcert.pem'
      sslKey='/etc/grid-security/hostkey.pem' />
  <accountMapping className='gov.bnl.gums.AccountPoolMapper' persistenceFactory='mysql' name='bnlPool' />
</groupMapping>

<hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.mysite.com' groups='usatlas' />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name='usatlas' accountingVo='usatlas' accountingDesc='ATLAS'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
      url='https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin'
      persistenceFactory='mysql' name='usatlas'
      voGroup='/atlas/usatlas'
      sslCertfile='/etc/grid-security/hostcert.pem'
      sslKey='/etc/grid-security/hostkey.pem' />
  <compositeAccountMapping>
    <accountMapping className='gov.bnl.gums.ManualAccountMapper' persistenceFactory='mysql' name='bnlMap' />
    <accountMapping className='gov.bnl.gums.AccountPoolMapper' persistenceFactory='mysql' name='bnlPool' />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name='usatlas' accountingVo='usatlas' accountingDesc='ATLAS'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
      url='https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin'
      persistenceFactory='mysql' name='usatlas'
      voGroup='/atlas/usatlas'
      sslCertfile='/etc/grid-security/hostcert.pem'
      sslKey='/etc/grid-security/hostkey.pem' />
  <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatlas1' />
</groupMapping>

<groupMapping name='usatlasProd' accountingVo='usatlas' accountingDesc='ATLAS'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
      url='https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin'
      persistenceFactory='mysql' name='usatlasProd'
      voGroup='/atlas' voRole='production'
      sslCertfile='/etc/grid-security/hostcert.pem'
      sslKey='/etc/grid-security/hostkey.pem' />
  <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatprod' />
</groupMapping>

<hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.mysite.com' groups='usatlasProd,usatlas' />
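As an added illustration (not GUMS code), the following Python model walks the rules the configuration examples above rely on: the groups of a hostGroup are tried in order and the first match is used, the VOMSGroup matchFQAN modes decide membership, a compositeAccountMapping tries its mappers in turn, and pool accounts are handed out in alphabetical order. The VOMS membership lists, the manual map and the pool are constructed stand-ins for what GUMS keeps in its persistence factory, only VOMSGroup user groups are modelled, and the CN and FQAN matching is this editor's reading of the documented rules.

```python
import re
import xml.etree.ElementTree as ET

# Constructed gums.config fragment mirroring the "Mapping based on groups/roles" and
# "Composite mapping" examples; url, sslCertfile, persistenceFactory etc. are left out.
CONFIG = """
<gums>
  <groupMapping name='usatlasProd' accountingVo='usatlas' accountingDesc='ATLAS'>
    <userGroup className='gov.bnl.gums.VOMSGroup' name='usatlasProd'
               voGroup='/atlas' voRole='production'/>
    <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatprod'/>
  </groupMapping>
  <groupMapping name='usatlas' accountingVo='usatlas' accountingDesc='ATLAS'>
    <userGroup className='gov.bnl.gums.VOMSGroup' name='usatlas'
               voGroup='/atlas/usatlas' matchFQAN='vo' acceptProxyWithoutFQAN='true'/>
    <compositeAccountMapping>
      <accountMapping className='gov.bnl.gums.ManualAccountMapper' name='bnlMap'/>
      <accountMapping className='gov.bnl.gums.AccountPoolMapper' name='bnlPool'/>
    </compositeAccountMapping>
  </groupMapping>
  <hostGroup className='gov.bnl.gums.CertificateHostGroup' cn='*.mysite.com'
             groups='usatlasProd,usatlas'/>
</gums>
"""

GATEKEEPER = "/DC=org/DC=doegrids/OU=Services/CN=mygk.mysite.com"
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 1"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 2"

# Constructed stand-ins for GUMS persistent state: DN lists fetched by 'gums updateGroups',
# the table filled by 'gums manualMapping-add', the pool from 'gums pool-addRange', assignments.
MEMBERS = {"usatlasProd": {ALICE}, "usatlas": {ALICE, BOB}}
MANUAL_MAP = {"bnlMap": {BOB: "bob"}}
POOL = {"bnlPool": ["grid0001", "grid0000"]}
POOL_ASSIGNED = {}  # (pool name, DN) -> account

def cn_matches(pattern, cn):
    """hostGroup cn rule: '*' stands for any characters except '.', '/' and '='."""
    regex = "".join("[^./=]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, cn) is not None

def split_fqan(fqan):
    """'/atlas/usatlas/Role=production/Capability=NULL' -> ('/atlas/usatlas', 'production')."""
    parts = [p for p in fqan.split("/") if p]
    group = "/" + "/".join(p for p in parts if "=" not in p)
    role = next((p[len("Role="):] for p in parts if p.startswith("Role=")), "NULL")
    return group, (None if role == "NULL" else role)

def voms_group_accepts(ug, dn, fqan):
    """VOMSGroup membership for one DN and the FQAN of its proxy (None = non-VOMS proxy)."""
    if dn not in MEMBERS.get(ug.get("name"), set()):
        return False
    if fqan is None:
        return ug.get("acceptProxyWithoutFQAN") == "true"
    mode = ug.get("matchFQAN", "exact").lower()
    group, role = split_fqan(fqan)
    if mode == "ignore":
        return True
    if mode == "vo":     # same VO, i.e. same first path component
        return group.split("/")[1] == ug.get("voGroup").split("/")[1]
    if mode == "group":  # same group or any subgroup, role ignored
        return group == ug.get("voGroup") or group.startswith(ug.get("voGroup") + "/")
    return group == ug.get("voGroup") and role == ug.get("voRole")  # exact

def map_account(mapping, dn):
    """Resolve an accountMapping or compositeAccountMapping element to a local account."""
    if mapping.tag == "compositeAccountMapping":  # first mapper that yields an account wins
        return next((a for a in (map_account(m, dn) for m in mapping) if a), None)
    cls = mapping.get("className").rsplit(".", 1)[-1]
    if cls == "GroupAccountMapper":
        return mapping.get("groupName")
    if cls == "ManualAccountMapper":
        return MANUAL_MAP.get(mapping.get("name"), {}).get(dn)
    if cls == "AccountPoolMapper":
        pool = mapping.get("name")
        if (pool, dn) not in POOL_ASSIGNED:
            used = {a for (p, _), a in POOL_ASSIGNED.items() if p == pool}
            free = sorted(set(POOL[pool]) - used)  # handed out in alphabetical order
            if not free:
                return None  # pool exhausted
            POOL_ASSIGNED[(pool, dn)] = free[0]
        return POOL_ASSIGNED[(pool, dn)]
    raise ValueError("unsupported mapper " + cls)

def map_user(service_dn, user_dn, fqan=None):
    """What 'gums mapUser -s SERVICEDN [-f FQAN] USERDN' answers: account, or None if denied."""
    root = ET.fromstring(CONFIG)
    mappings = {g.get("name"): g for g in root.findall("groupMapping")}
    service_cn = service_dn.rsplit("/CN=", 1)[-1]
    for hg in root.findall("hostGroup"):
        if not cn_matches(hg.get("cn"), service_cn):
            continue
        for name in hg.get("groups").split(","):  # order of preference: first match is used
            gm = mappings[name.strip()]
            if voms_group_accepts(gm.find("userGroup"), user_dn, fqan):
                am = gm.find("compositeAccountMapping")
                return map_account(am if am is not None else gm.find("accountMapping"), user_dn)
    return None
```

Listing usatlasProd before usatlas is what makes a production-role proxy land on usatprod; the same DN with a plain /atlas/usatlas FQAN falls through to the pool.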


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
  -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN.
  -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default.
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
  -b,--bypassCallout    connects directly to GUMS instead of using the callout.
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
  -n,--ntimes <arg>     number of times the request will be repeated.
     --help             print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line
# #line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings managements commands


<groupMapping name='example1' accountingVo='myvo' accountingDesc='myVo'>
  <userGroup className='gov.bnl.gums.ManualUserGroup' persistenceFactory='mysql' name='group1' />
  <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='myacc' />
</groupMapping>

<groupMapping name='example2' accountingVo='myvo' accountingDesc='myVo'>
  <userGroup className='gov.bnl.gums.VOMSGroup'
      url='https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin'
      persistenceFactory='mysql' name='myvo'
      voGroup='/myvo'
      sslCertfile='/etc/grid-security/hostcert.pem'
      sslKey='/etc/grid-security/hostkey.pem' />
  <accountMapping className='gov.bnl.gums.ManualAccountMapper' persistenceFactory='mysql' name='map1' />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]# gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
  -s,--service <arg>    DN of the service. When using gums-host it defaults to the host credential DN.
  -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default.
  -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
  -b,--bypassCallout    connects directly to GUMS instead of using the callout.
  -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
  -n,--ntimes <arg>     number of times the request will be repeated.
     --help             print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line
# #line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='test' />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version       Date          Description
1.1.0         2005-07-20
1.0.1         2005-04-07
1.0.0         2005-03-16
0.7.1         2005-02-01
0.7           2005-01-14
0.6.1         2004-08-10
0.6           2004-07-01
0.5           2004-05-20
undetermined  before March 2004

Release 1.1.0 - 2005-07-20

- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (glite) compatibility (carcassi)
- Support for mapfile cache terminated: web service door only (carcassi)
- FQAN allows for '-', '_' and ... in the vo, group, role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now gums host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Gridmapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

- Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use them (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3, both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)


Release 0.7 - 2005-01-14

- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests to Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches it with the certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

- Script to fetch users from VOMS (dtyu)
- Script to map users to local accounts (tomw)


Page 37: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

Attribute Description Examples

server The LDAP server from which to retrieve theinformation

grid-vonikhefnl

query The query to be used on the server ou=usatlaso=atlasdc=eu-datagriddc=orgou=Peopleo=atlasdc=eu-datagriddc=org

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name The name of the cache within the persistencefactory Refer to the specifics of thepersistence factory itself

atlasusatlas

ltuserGroup className=govbnlgumsLDAPGroupserver=grid-vonikhefnlquery=ou=Peopleo=atlasdc=eu-datagriddc=orgpersistanceFactory=mysql name=atlas gt

govbnlgumsVOMSGroup

Attribute Description Examples

url The url of the web services for VOMS Noticethat it needs the full url of the service it wontbe constructed from the server name or vo

httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdmin

voGroup The group defined within the VO atlastestatlasgroupsubgroup

voRole The role defined within the VO productionmyrole

1 3 1 1 G U M S C O N F I G 32

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

matchFQAN Defines how the VOMS attribute (or role) ismatched There are 4 possible waysbull exact (default) - the FQAN in the proxy

has to be the same as what voGroup andvoRole specify

bull group - the FQAN in the proxy has to bethe same group or any subgroup role isignored

bull vo - the FQAN in the proxy has to be ofthe same vo

bull ignore - the FQAN in the proxy iscompletely ignored

exactgroupvoignore

acceptProxyWithoutFQAN Defines whether normal proxies that isnon-VOMS proxies are to be accepted Iftrue a non-VOMS proxy with the DN as partof the group will be accepted

truefalse

sslCertfile The certificate to be used to connect toVOMS

etcgrid-securityhostcertpem

sslKey The private key to be used to connect toVOMS

etcgrid-securityhostkeypem

sslKeyPasswd The password of the key to be used toconnect to VOMS Do not set if the keydoesnt have a password (such as whenusing host certificates)

mysecret

sslCAFiles The set of CA certificate files to be used toconnect to VOMS The value is a wildcardthat matches the cert files

etcgrid-securitycertificates0

persistenceFactory

The persistence layer to be used to storelocally the list of users The string must beone of the names defined within thepersistenceFactories section

mysql

name The name of the cache within the persistencefactory Refer to the specifics of thepersistence factory itself

atlasTestatlasGroupSubgroup

ltuserGroup className=govbnlgumsVOMSGroupurl=httpsvoracfbnlgov8443edg-voms-adminatlasservicesVOMSAdmin

persistanceFactory=mysql name=atlasvoGroup=atlastest

1 3 1 1 G U M S C O N F I G 33

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgt

govbnlgumsManualGroup

Attribute Description Examples

persistenceFactory

The persistence layer to be used to store thelist of users The string must be one of thenames defined within thepersistenceFactories section

mysql

name The name of the group within the persistencefactory Refer to the specifics of thepersistence factory itself

testtestbedAadmins

ltuserGroup className=govbnlgumsManualUserGrouppersistanceFactory=mysql name=testGroup gt

compositeAccountMapping

accountMapping

1 3 1 1 G U M S C O N F I G 34

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

className The class that is going to provide theimplementation for the mapping It mustimplement govbnlgumsAccountMapping

govbnlgumsManualAccountMappergovbnlgumsGecosLdapAccountMappergovbnlgumsGecosNisAccountMappergovbnlgumsAccountPoolMappergovbnlgumsGroupAccountMapper

govbnlgumsGecosNisAccountMapper

Attribute Description Examples

jndiNisUrl The url as defined in the Java JNDI driverthat allows to specify the NIS server and thedomain

nisnisbnlgovatlas

ltaccountMapping className=govbnlgumsGecosNisAccountMapperjndiNisUrl=nisnismysiteorgdomain gt

govbnlgumsGecosLdapAccountMapper

Attribute Description Examples

jndiLdapUrl The url as defined in the Java JNDI driverthat allows to specify the LDAP server andthe domain

ldapldapbnlgovdc=usatlasdc=bnldc=gov

ltaccountMapping className=govbnlgumsGecosLdapAccountMapperjndiLdapUrl=ldapldapmysiteorgdc=domaindc=mysitedc=gov gt

govbnlgumsAccountPoolMapper

1 3 1 1 G U M S C O N F I G 35

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

persistenceFactory

The persistence layer to be used to store thepool mapping The string must be one of thenames defined within thepersistenceFactories section

mysql

name The name of the pool within the persistencefactory Refer to the specifics of thepersistence factory itself

mysitePoolosgPool

ltaccountMapping className=govbnlgumsAccountPoolMapperpersistenceFactory=mysql name=bnlPool gt

govbnlgumsGroupAccountMapper

Attribute Description Examples

groupName The name of the account atlastestAccount

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=atlas gt

hostGroups

hostGroup

1 3 1 1 G U M S C O N F I G 36

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

className The class that is going to provide theimplementation for the hostGroup It mustimplement govbnlgumsHostGroup

govbnlgumsCertificateHostGroup

groups A list of groupMappings in the order ofpreference To determine which group shouldbe used for a particular user GUMS will startfrom the beginning of the list until it finds amatch Therefore if there would be more thanone match (ie a user is part of more groups)the first one in the list is used

group1group2

govbnlgumsWildcardHostGroup (deprecated)

Attribute Description Examples

wildcard The wildcard for the set of hosts to beincluded The wildcard is a string where canbe substituted with any character except That is bnlgov wouldnt matchmyhostusatlasbnlgov

myhostmysiteorgatlasmysiteorgatlasmysiteorg

lthostGroup className=govbnlgumsWildcardHostGroupwildcard=usatlasbnlgovgroups=gridexsdssuscmsusatlasGroupbtevligoivdgl gt

govbnlgumsCertificateHostGroup

1 3 1 1 G U M S C O N F I G 37

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

cn The wildcard on the CN for the set of servicesto be included The cn is a string where canbe substituted with any character except or = That is bnlgov wouldnt matchmyhostusatlasbnlgov or hosttestbnlgov

myhostmysiteorgatlasmysiteorgatlasmysiteorghostmysiteorggridftpmysiteorg

dn The wildcard on the DN for the set of servicesto be included The wildcard is a string where can be substituted with any characterexcept or =

DC=orgDC=doegridsOU=ServicesCN=mycompanycom

lthostGroup className=govbnlgumsCertificateHostGroupcn=usatlasbnlgovgroups=gridexsdssuscmsusatlasGroupbtevligoivdgl gt

1 3 1 1 G U M S C O N F I G 38

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1312 Examples

Configuration examples

Mapping people from a VOMS server

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemmatchFQAN=VO acceptProxyWithoutFQAN=true gt

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatlas1 gt

ltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlas gt

Allowing ad-hoc list of people

ltgroupMapping name=testersgtltuserGroup className=govbnlgumsManualUserGroup

persistenceFactory=mysql name=testers gtltaccountMapping className=govbnlgumsGroupAccountMapper groupName=test gt

ltgroupMappinggt

1 3 1 2 E X A M P L E S 39

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=testers gt

Using account pools

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgtltaccountMapping className=govbnlgumsAccountPoolMapper

persistenceFactory=mysql name=bnlPool gtltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlas gt

gt bingums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
    <compositeAccountMapping>
        <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap"/>
        <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>
    </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlas" voGroup="/atlas/usatlas"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
        persistenceFactory="mysql" name="usatlasProd" voGroup="/atlas" voRole="production"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas"/>

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN
 -f,--fqan <arg>        Fully Qualified Attribute Name as it would be selected using voms-proxy-init (no extended information by default)
 -t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
 -b,--bypassCallout     connects directly to GUMS instead of using the callout
 -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>      number of times the request will be repeated
    --help              print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1
...

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line: line account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
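The two files generated above are what the gatekeeper and the accounting tools actually read, so a site admin will want to verify that a freshly generated pair agrees with itself before installing it. The following parser and cross-check is an added example written for this page, not part of GUMS: it reads a grid-mapfile and a grid3-user-vo-map.txt, reports a DN mapped to two different accounts (a DN listed twice is ambiguous for whatever consumes the file), an account in the grid-mapfile that the user-vo-map does not know, a VO disagreement between the two, and a VO missing from the #voi line. The sample inputs are constructed from the output shown above; the shape of the "#---- ... vo: NAME ----" comment lines is taken from that output and is an assumption of the example.

```python
"""Added example (not GUMS code): parse and cross-check the grid-mapfile and
grid3-user-vo-map.txt files generated by bin/gums, as shown on this page."""
import re

# Constructed sample of 'gums generateGridMapfile' output (second Stradling
# line added deliberately to show the duplicate-DN report).
GRID_MAPFILE = """\
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
#---- members of vo: ivdgl ----
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" ivdgl
"""

# Constructed sample of 'gums generateGrid3UserVoMap' output.
USER_VO_MAP = """\
#User-VO map
# #comment line, format of each regular line: line account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
"""

# grid-mapfile line: a quoted DN followed by one or more comma-separated accounts
MAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<accounts>\S+)\s*$')
# assumed shape of the per-VO comment GUMS writes above each block
VO_HEADER = re.compile(r'^#---- (?:members|accounts) (?:of|for) vo:\s*(\S+) ----')


def parse_grid_mapfile(text):
    """Return {dn: [(account, vo), ...]} in file order; vo comes from the block header."""
    entries, vo = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = VO_HEADER.match(line)
        if header:
            vo = header.group(1)
            continue
        if line.startswith("#"):
            continue
        match = MAP_LINE.match(line)
        if not match:
            raise ValueError("malformed grid-mapfile line: " + raw)
        for account in match.group("accounts").split(","):
            entries.setdefault(match.group("dn"), []).append((account, vo))
    return entries


def parse_user_vo_map(text):
    """Return ({account: vo}, {vo_lowercase: vo_cased}) from grid3-user-vo-map.txt."""
    accounts, lower, cased = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#voi "):
            lower = line.split()[1:]
        elif line.startswith("#VOc "):
            cased = line.split()[1:]
        elif line and not line.startswith("#"):
            account, vo = line.split()
            accounts[account] = vo
    if len(lower) != len(cased):
        raise ValueError("#voi and #VOc lists differ in length")
    return accounts, dict(zip(lower, cased))


def check_consistency(mapfile_text, vomap_text):
    """Return a list of human-readable problems; empty when the two files agree."""
    problems = []
    entries = parse_grid_mapfile(mapfile_text)
    accounts, vos = parse_user_vo_map(vomap_text)
    for dn, targets in entries.items():
        first = targets[0][0]
        for account, vo in targets:
            if account != first:
                problems.append(f"{dn}: mapped to both {first} and {account}")
            if account not in accounts:
                problems.append(f"{account}: in grid-mapfile but not in user-vo-map")
            elif accounts[account] != vo:
                problems.append(f"{account}: grid-mapfile vo {vo} but user-vo-map vo {accounts[account]}")
    for vo in set(accounts.values()):
        if vo not in vos:
            problems.append(f"{vo}: not declared in the #voi line")
    return problems


if __name__ == "__main__":
    for problem in check_consistency(GRID_MAPFILE, USER_VO_MAP):
        print("PROBLEM:", problem)
```

Run it against the real files with `check_consistency(open(mapfile).read(), open(vomap).read())`; an empty list is the expected result for a pair generated from the same gums.config.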

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
        persistenceFactory="mysql" name="myvo" voGroup="/myvo"
        sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1"/>
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN
 -f,--fqan <arg>        Fully Qualified Attribute Name as it would be selected using voms-proxy-init (no extended information by default)
 -t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
 -b,--bypassCallout     connects directly to GUMS instead of using the callout
 -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>      number of times the request will be repeated
    --help              print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1
...

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line: line account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrator's log (gums-service-admin.log)

Developer's log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrator's log

Developer's log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>

Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version        Date          Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes [By]
• Review GUMS maven structure (i.e. plug-in dependencies, project.xml) [carcassi]
• Fix tomcat deployment in build (i.e. dev server being down once in a while) [carcassi]
• Mapping according to the Gecos field, available in both NIS and LDAP [carcassi]
• One can filter on the full CN of a host certificate [carcassi]
• The Service Certificate DN is now the identifier for hosts and machines [carcassi]
• Release version in command line [carcassi]
• If gums.config isn't found the first time, a tomcat restart was needed [carcassi]
• Minor updates to the web interface [carcassi]
• VOMS Admin v1.0.x (glite) compatibility [carcassi]
• Support for mapfile cache terminated: web service door only [carcassi]
• FQAN allows for '-', '_' and '.' in the vo, group, role and capability [carcassi]
• DB reviewed: better indexing and transaction use [carcassi]
• Updating from VOMS is no longer blocking [carcassi]

Release 1.0.1 - 2005-04-07

Changes [By]
• Including setupDatabase with the modification made for VDT [carcassi]
• gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) [carcassi]
• Error code from scripts was incorrect; that caused the cron job to update maps in case of error too [carcassi]

Release 1.0.0 - 2005-03-16

Changes [By]
• Repackaging of the client components: merged admin and host and named it client [carcassi]
• Fixed minor issues with authorization obligations for storage system [mlorch]
• Double add to a manual group now fails [carcassi]
• Script that creates the database and changes the configuration accordingly [carcassi]
• Repackaging of the service component [carcassi]
• Server identity is now gums host name [carcassi]
• GUMS accepts new style proxies [carcassi]
• The accounts in the pool are used in alphabetical order [carcassi]
• Inverse map is now generated exploring all the DN/FQAN combinations [carcassi]
• Gridmapfile is generated simulating users with no FQAN [carcassi]
• LDAP integration for primary gid change at BNL once an account is assigned [carcassi]

Release 0.7.1 - 2005-02-01

Changes [By]
• Log names reviewed so that both client and server logs can stay (through links) in the same directory [carcassi]
• NIS update is done every hour and is now thread safe [carcassi]
• Log file permissions for the command line tools are set so multiple users can use them (important for admin) [carcassi]
• GUMS host can now be used for stress testing and timing the server response [carcassi]
• Added connection pooling on mysql server [carcassi]
• Solved a race condition that would make GUMS hang in some circumstances [carcassi]
• AuthZ callout without GT3, both client and server stubs [mlorch]
• Added code for Privilege Project in GUMS repository and build process [carcassi]


Release 0.7 - 2005-01-14

Changes [By]
• Better logging: server logs all commands with both input and output [carcassi]
• More complete command line interface [carcassi]
• Web service implementation [carcassi]
• HostWildcards can be more than one, comma separated [carcassi]
• Support for VOMS Fully Qualified Attribute names [carcassi]
• AuthZ service to be contacted by Globus callout [carcassi]
• Support for grid3-user-vo-map.txt generation [carcassi]
• Many many other refinements [carcassi]

Release 0.6.1 - 2004-08-10

Changes [By]
• Nightly build and reporting with Maven [carcassi]
• Removed all the old code from 0.6 [carcassi]
• Better log system: logs for developer, resource admin and site admin in place [carcassi]
• Ability to retrieve groups from within a VOMS server (finally) [carcassi]
• No more duplication in the mapfiles [carcassi]
• Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated [carcassi]
• Improved error handling (i.e. a failed update on one group doesn't block the others) [carcassi]
• Installation through RPMs (cron jobs installed automatically) [carcassi]
• Unit tests to Grid3 VOs included [carcassi]
• LDAP access improved: can access LCG dev VO [carcassi]

Release 0.6 - 2004-07-01

Changes [By]
• XML configuration file for mapping policy [carcassi]
• Log infrastructure [carcassi]
• More flexible architecture [carcassi]
• Decoupled grid-mapfile generation from database caching for distribution on gatekeeper [carcassi]
• Web interface to generate grid-mapfiles and map users [carcassi]
• Better command line interfaces (feel like Unix commands) [carcassi]

Release 0.5 - 2004-05-20

Changes [By]
• GUMS in production at BNL [carcassi]
• NISMapper retrieves the GECOS field and matches it with the certificate CN [carcassi]
• Architecture to allow different types of mappings for different hosts [carcassi]

Release undetermined - before March 2004

Changes [By]
• Script to fetch user from VOMS [dtyu]
• Script to map user to local account [tomw]

Attribute  Description  Examples

matchFQAN
    Defines how the VOMS attribute (or role) is matched. There are 4 possible ways:
    • exact (default) - the FQAN in the proxy has to be the same as what voGroup and voRole specify
    • group - the FQAN in the proxy has to be the same group or any subgroup; role is ignored
    • vo - the FQAN in the proxy has to be of the same vo
    • ignore - the FQAN in the proxy is completely ignored
    Examples: exact, group, vo, ignore

acceptProxyWithoutFQAN
    Defines whether normal proxies, that is non-VOMS proxies, are to be accepted. If true, a non-VOMS proxy with a DN that is part of the group will be accepted.
    Examples: true, false

sslCertfile
    The certificate to be used to connect to VOMS.
    Examples: /etc/grid-security/hostcert.pem

sslKey
    The private key to be used to connect to VOMS.
    Examples: /etc/grid-security/hostkey.pem

sslKeyPasswd
    The password of the key to be used to connect to VOMS. Do not set if the key doesn't have a password (such as when using host certificates).
    Examples: mysecret

sslCAFiles
    The set of CA certificate files to be used to connect to VOMS. The value is a wildcard that matches the cert files.
    Examples: /etc/grid-security/certificates/*.0

persistenceFactory
    The persistence layer to be used to store locally the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the cache within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: atlasTest, atlasGroupSubgroup

<userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="atlas" voGroup="/atlas/test"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>

gov.bnl.gums.ManualGroup

Attribute  Description  Examples

persistenceFactory
    The persistence layer to be used to store the list of users. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the group within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: test, testbedA, admins

<userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testGroup"/>

compositeAccountMapping

accountMapping

Attribute  Description  Examples

className
    The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
    Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attribute  Description  Examples

jndiNisUrl
    The url, as defined in the Java JNDI driver, that allows one to specify the NIS server and the domain.
    Examples: nis://nis.bnl.gov/atlas

<accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain"/>

gov.bnl.gums.GecosLdapAccountMapper

Attribute  Description  Examples

jndiLdapUrl
    The url, as defined in the Java JNDI driver, that allows one to specify the LDAP server and the domain.
    Examples: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

<accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov"/>

gov.bnl.gums.AccountPoolMapper

Attribute  Description  Examples

persistenceFactory
    The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
    Examples: mysql

name
    The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
    Examples: mysitePool, osgPool

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool"/>

gov.bnl.gums.GroupAccountMapper

Attribute  Description  Examples

groupName
    The name of the account.
    Examples: atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas"/>

hostGroups

hostGroup

Attribute  Description  Examples

className
    The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
    Examples: gov.bnl.gums.CertificateHostGroup

groups
    A list of groupMappings in the order of preference. To determine which group should be used for a particular user, GUMS will start from the beginning of the list until it finds a match. Therefore, if there would be more than one match (i.e. a user is part of more groups), the first one in the list is used.
    Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute  Description  Examples

wildcard
    The wildcard for the set of hosts to be included. The wildcard is a string where * can be substituted with any character except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl"/>

gov.bnl.gums.CertificateHostGroup

Attribute  Description  Examples

cn
    The wildcard on the CN for the set of services to be included. The cn is a string where * can be substituted with any character except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
    Examples: myhost.mysite.org, *.atlas.mysite.org, *atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

dn
    The wildcard on the DN for the set of services to be included. The wildcard is a string where * can be substituted with any character except '.', '/' or '='.
    Examples: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl"/>
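Three settings in this reference decide which account a request ends up with: the hostGroup's cn wildcard (which hostGroup a service certificate falls in), the order of its groups attribute (first match wins, which is why the groups/roles example in 1.3.1.2 lists usatlasProd before usatlas), and the VOMSGroup's matchFQAN and acceptProxyWithoutFQAN settings. The following is an added Python example written for this page, not GUMS code: a toy evaluator of exactly those three rules over a gums.config fragment in the page's own format. The XML and DNs follow the page's examples; the membership sets are a constructed stand-in for what GUMS fetches from VOMS, and the FQAN layout /group[/subgroup...]/Role=x/Capability=y is an assumption of the example.

```python
"""Added example, not GUMS code: evaluate hostGroup cn wildcards, ordered
groupMappings (first match wins) and VOMSGroup matchFQAN modes for a request."""
import re
import xml.etree.ElementTree as ET

# Constructed config in the page's format (the groups/roles example of 1.3.1.2,
# with usatlas relaxed to matchFQAN="vo" and acceptProxyWithoutFQAN="true").
CONFIG = """
<gums>
  <groupMapping name="usatlasProd">
    <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlasProd"
               voGroup="/atlas" voRole="production"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
  </groupMapping>
  <groupMapping name="usatlas">
    <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlas"
               voGroup="/atlas/usatlas" matchFQAN="vo" acceptProxyWithoutFQAN="true"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
  </groupMapping>
  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com"
             groups="usatlasProd, usatlas"/>
</gums>
"""

# Constructed stand-in for the VOMS member lists: userGroup name -> member DNs.
MEMBERS = {
    "usatlasProd": {"/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"},
    "usatlas": {"/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345",
                "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894"},
}


def split_fqan(fqan):
    """'/atlas/usatlas/Role=production/Capability=NULL' -> ('/atlas/usatlas', 'production')."""
    parts = [p for p in fqan.split("/") if p]
    group = "/" + "/".join(p for p in parts if "=" not in p)
    role = next((p[len("Role="):] for p in parts if p.startswith("Role=")), None)
    return group, (None if role == "NULL" else role)


def fqan_matches(user_group, fqan):
    """Apply the matchFQAN mode of a <userGroup> to the proxy FQAN (None = plain proxy)."""
    mode = user_group.get("matchFQAN", "exact").lower()
    if mode == "ignore":
        return True
    if fqan is None:  # non-VOMS proxy: only acceptProxyWithoutFQAN lets it through
        return user_group.get("acceptProxyWithoutFQAN", "false") == "true"
    group, role = split_fqan(fqan)
    want_group, want_role = user_group.get("voGroup"), user_group.get("voRole")
    if mode == "exact":
        return group == want_group and role == want_role
    if mode == "group":  # same group or any subgroup, role ignored
        return group == want_group or group.startswith(want_group + "/")
    if mode == "vo":     # only the top-level VO has to agree
        return group.split("/")[1] == want_group.split("/")[1]
    raise ValueError("unknown matchFQAN mode: " + mode)


def cn_matches(pattern, cn):
    """CertificateHostGroup cn wildcard: '*' matches any run of characters except '.', '/' and '='."""
    regex = "".join("[^./=]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, cn) is not None


def service_cn(service_dn):
    """Everything after the last '/CN=' of a service DN, so 'host/gk.mysite.org' CNs survive."""
    i = service_dn.rfind("/CN=")
    return service_dn[i + 4:] if i >= 0 else ""


def map_user(config_xml, members, service_dn, user_dn, fqan=None):
    """Return the local account for (service, user, fqan), or None when no rule grants one."""
    root = ET.fromstring(config_xml)
    mappings = {gm.get("name"): gm for gm in root.iter("groupMapping")}
    cn = service_cn(service_dn)
    for host_group in root.iter("hostGroup"):
        if not cn_matches(host_group.get("cn", ""), cn):
            continue
        # groups are tried in the listed order and the first match wins
        for name in [g.strip() for g in host_group.get("groups", "").split(",") if g.strip()]:
            mapping = mappings[name]
            user_group = mapping.find("userGroup")
            if user_dn in members.get(user_group.get("name"), ()) and fqan_matches(user_group, fqan):
                return mapping.find("accountMapping").get("groupName")
    return None


if __name__ == "__main__":
    svc = "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com"
    who = "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    print(map_user(CONFIG, MEMBERS, svc, who, "/atlas/Role=production/Capability=NULL"))
    print(map_user(CONFIG, MEMBERS, svc, who, "/atlas/usatlas/Role=NULL/Capability=NULL"))
    print(map_user(CONFIG, MEMBERS, svc, who))
```

Note how a production-role FQAN from a DN that VOMS does not list in usatlasProd still falls through to usatlas1: the VOMS membership fetched by updateGroups, not the attribute in the proxy alone, decides which groupMapping applies. Swapping the two names in groups would map every usatlasProd member to usatlas1 first, which is the ordering mistake the table warns about.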

1 3 1 1 G U M S C O N F I G 38

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1312 Examples

Configuration examples

Mapping people from a VOMS server

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemmatchFQAN=VO acceptProxyWithoutFQAN=true gt

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatlas1 gt

ltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlas gt

Allowing ad-hoc list of people

ltgroupMapping name=testersgtltuserGroup className=govbnlgumsManualUserGroup

persistenceFactory=mysql name=testers gtltaccountMapping className=govbnlgumsGroupAccountMapper groupName=test gt

ltgroupMappinggt

1 3 1 2 E X A M P L E S 39

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=testers gt

Using account pools

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgtltaccountMapping className=govbnlgumsAccountPoolMapper

persistenceFactory=mysql name=bnlPool gtltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlas gt

gt bingums pool-addRange mysql bnlPool grid0000-199

Composite mapping

1 3 1 2 E X A M P L E S 40

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgtltcompositeAccountMappinggt

ltaccountMapping className=govbnlgumsManualAccountMapperpersistenceFactory=mysql name=bnlMap gt

ltaccountMapping className=govbnlgumsAccountPoolMapperpersistenceFactory=mysql name=bnlPool gt

ltcompositeAccountMappinggtltgroupMappinggt

Mapping based on groupsroles

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgtltaccountMapping className=govbnlgumsGroupAccountMapper

groupName=usatlas1 gtltgroupMappinggt

ltgroupMapping name=usatlasProd accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasProdvoGroup=atlas voRole=productionsslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgt

1 3 1 2 E X A M P L E S 41

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatprod gt

ltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlasProdusatlas gt

1 3 1 2 E X A M P L E S 42

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

132 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1 3 2 G U M S C O M M A N D S 43

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1321 bingums

bingums

Authentication and authorization

bingums commands

[carcassiatestgk01 ~]$ optgumsbingumsusage gums command [command-options]CommandsgenerateGrid3UserVoMap - Generate grid3-user-vo-maptxt for a given servicehostgenerateGridMapfile - Generate grid-mapfile for a given servicehostmanualGroup-add - Includes a DN in a groupmanualGroup-remove - Removes a DN from a groupmanualMapping-add - Adds a DN-to-username in a mappingmanualMapping-remove - Removes a DN from a mappingmapUser - Local credential used for a particular usermapfileCache-refresh - Regerates mapfiles in the cachepool-addRange - Adds accounts to an account poolupdateGroups - Contact VO servers and retrieve user listsversion - Retrieve GUMS client version

For help on any commandgums command --help

[carcassiatestgk01 ~]$ optgumsbingums mapUser --helpusage gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f

FQAN] [-i FQANISSUER] USERDN1 [USERDN2] Maps the grid identity to the local userOptions-s--service ltarggt DN of the service When using gums-host it defaults

1 3 2 1 B I N G U M S 44

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

to the host credential DN-f--fqan ltarggt Fully Qualified Attribute Name as it would be

selected using voms-proxy-init no extended information bydefault-t--timing ltarggt enables timing grouping the requests For example

-t 100 will give you timing information on 100 requests at atime-b--bypassCallout connects directly to GUMS instead of using the

callout-i--issuer ltarggt Fully Qualified Attribute Name Issuer that is the

DN of the VOMS service that issued the attribute certificate-n--ntimes ltarggt number of times the request will be repeated

--help print this message

Service mapping generation commands

gums mapUser

[carcassiatestgk01 ~]$ optgumsbingums mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName grid12345]

[carcassiatestgk01 ~]$ optgumsbingums mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom -f myvoRole=role1 -i DC=orgDC=doegridsOU=ServiceCN=vomsmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName special1]

1 3 2 1 B I N G U M S 45

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

gums generateGridMapfile

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
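The two outputs above are the files a gatekeeper actually consumes: the grid-mapfile decides which local account a DN runs as, and grid3-user-vo-map.txt tells the site's accounting which VO each account belongs to. A site administrator will want to parse both and cross-check them before the cron job installs a fresh copy. The following Python is an added example, not GUMS code or output from the page: the sample texts are trimmed from the outputs shown above, and the extra `cms01` line in BAD_MAPFILE is constructed to show what the check reports when the mapfile contains an account the user-VO map does not know about.

```python
"""Parsers for grid-mapfile and grid3-user-vo-map.txt plus a cross-check.

Added example, not GUMS code. Sample texts are trimmed from the page's command
output; the cms01 line in BAD_MAPFILE is constructed.
"""
import re

GRID_MAPFILE = '''#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
'''

# Constructed: an account that no VO in the user-VO map accounts for.
BAD_MAPFILE = GRID_MAPFILE + '"/DC=org/DC=doegrids/OU=People/CN=Sample User 1" cms01\n'

USER_VO_MAP = '''#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
'''

# A regular grid-mapfile line: the DN is quoted because it contains spaces.
MAPFILE_LINE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def parse_grid_mapfile(text):
    """Return {dn: account}. The gatekeeper's authorization depends on this
    file, so a malformed line or a DN mapped to two different accounts raises
    instead of being skipped."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MAPFILE_LINE.match(line)
        if not m:
            raise ValueError(f"grid-mapfile line {lineno}: malformed: {line!r}")
        dn, account = m.groups()
        if mapping.get(dn, account) != account:
            raise ValueError(f"grid-mapfile line {lineno}: {dn} already mapped to {mapping[dn]}")
        mapping[dn] = account
    return mapping


def parse_user_vo_map(text):
    """Return ({account: vo}, {vo: display name}). The #voi and #VOc header
    lines list the VO names in the same order, lowercase and with case."""
    accounts, voi, voc = {}, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#voi"):
            voi = line.split()[1:]
        elif line.startswith("#VOc"):
            voc = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            parts = line.split()
            if len(parts) != 2:
                raise ValueError(f"user-vo map line {lineno}: expected 'account VO': {line!r}")
            accounts[parts[0]] = parts[1]
    if len(voi) != len(voc):
        raise ValueError("#voi and #VOc list a different number of VOs")
    return accounts, dict(zip(voi, voc))


def check_consistency(mapfile, accounts, vos):
    """Accounts the gatekeeper maps users to that the user-VO map does not
    attribute to a VO, and VOs in the map that #voi does not declare: in both
    cases accounting and monitoring lose track of the jobs involved."""
    problems = []
    for dn, account in mapfile.items():
        if account not in accounts:
            problems.append(f"{account} (for {dn}) is absent from the user-VO map")
    for account, vo in accounts.items():
        if vo not in vos:
            problems.append(f"{account}: VO {vo} is not declared in #voi")
    return problems


def run_checks(mapfile_text, uservo_text):
    """Parse both files and return (mapping, accounts, vos, problems)."""
    mapping = parse_grid_mapfile(mapfile_text)
    accounts, vos = parse_user_vo_map(uservo_text)
    return mapping, accounts, vos, check_consistency(mapping, accounts, vos)


if __name__ == "__main__":
    for name, text in (("page sample", GRID_MAPFILE), ("constructed bad sample", BAD_MAPFILE)):
        problems = run_checks(text, USER_VO_MAP)[3]
        print(name, "->", problems or "consistent")
```

Running the module prints "consistent" for the page's sample and one line for the constructed file. The parsers fail loudly on purpose: a mapfile that is half-parsed and installed anyway is worse than a cron job that leaves the previous copy in place.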

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
             persistenceFactory="mysql" name="myvo" voGroup="/myvo"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40
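To see how the commands in this section change the answer GUMS gives for a DN, here is an added Python model (not GUMS code: the class names mirror the gov.bnl.gums classes, but the implementation is a simplification on in-memory objects in place of the mysql persistence factory). It replays the example1/example2 configuration above, with example2 given a compositeAccountMapping of the manual-map-then-pool kind shown in the configuration examples, and applies the manualGroup-add, manualMapping-add and pool-addRange commands in turn. The VO roster handed to VOMSGroup and the second DN are constructed sample data; the first-match rule over the hostGroup's groups list and the alphabetical, sticky use of pool accounts follow the documentation.

```python
"""Model of how GUMS resolves a grid identity to a local account.
Added example, not GUMS code: class names mirror gov.bnl.gums but everything
runs on in-memory objects instead of the mysql persistence factory.
The VO roster and the second DN are constructed sample data."""
import re
CARCASSI = "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"  # DN from the page
OTHER = "/DC=org/DC=doegrids/OU=People/CN=Sample User 67890"           # constructed

class ManualUserGroup:
    """Membership edited with manualGroup-add / manualGroup-remove."""
    def __init__(self):
        self.members = set()
    def add(self, dn):
        self.members.add(dn)
    def remove(self, dn):
        self.members.discard(dn)
    def contains(self, dn, fqan):
        return dn in self.members

class VOMSGroup:
    """Simplified VOMSGroup: `members` stands for the list updateGroups fetches."""
    def __init__(self, vo_group, members, vo_role=None):
        self.vo_group, self.members, self.vo_role = vo_group, set(members), vo_role
    def contains(self, dn, fqan):
        if fqan is None:  # a role cannot be claimed without an FQAN
            return dn in self.members and self.vo_role is None
        group, _, role = fqan.partition("/Role=")
        under = group == self.vo_group or group.startswith(self.vo_group + "/")
        return dn in self.members and under and (self.vo_role is None or role == self.vo_role)

class GroupAccountMapper:
    """Every member gets the single account named by groupName."""
    def __init__(self, group_name):
        self.group_name = group_name
    def map(self, dn):
        return self.group_name

class ManualAccountMapper:
    """DN -> account table edited with manualMapping-add / manualMapping-remove."""
    def __init__(self):
        self.table = {}
    def add(self, dn, account):
        self.table[dn] = account
    def remove(self, dn):
        self.table.pop(dn, None)
    def map(self, dn):
        return self.table.get(dn)

class AccountPoolMapper:
    """Pool accounts are used in alphabetical order and stay assigned (1.0.0 notes)."""
    RANGE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*?)(\d+)-(\d+)$")
    def __init__(self):
        self.free, self.assigned = [], {}
    def add_range(self, spec):  # pool-addRange ... grid0020-40 -> grid0020..grid0040
        m = self.RANGE.match(spec)
        if not m:
            raise ValueError(f"bad range spec {spec!r}")
        prefix, lo, hi = m.groups()
        self.free.extend(f"{prefix}{n:0{len(lo)}d}" for n in range(int(lo), int(hi) + 1))
        self.free.sort()
    def map(self, dn):
        if dn not in self.assigned and self.free:
            self.assigned[dn] = self.free.pop(0)
        return self.assigned.get(dn)  # None once the pool is exhausted

class CompositeAccountMapping:
    """<compositeAccountMapping>: the first mapper that yields an account wins."""
    def __init__(self, *mappers):
        self.mappers = mappers
    def map(self, dn):
        return next((a for a in (m.map(dn) for m in self.mappers) if a is not None), None)

def map_user(host_group, dn, fqan=None):
    """First match wins: the hostGroup's groups list is walked in order and the first
    (name, userGroup, accountMapping) whose userGroup holds the identity decides."""
    for name, user_group, account_mapping in host_group:
        if user_group.contains(dn, fqan):
            return name, account_mapping.map(dn)
    return None, None

def scenario():
    """Replay the example1/example2 configuration and the commands that follow it."""
    group1, map1, pool1 = ManualUserGroup(), ManualAccountMapper(), AccountPoolMapper()
    myvo = VOMSGroup("/myvo", members=[CARCASSI, OTHER])
    host_group = [("example1", group1, GroupAccountMapper("myacc")),
                  ("example2", myvo, CompositeAccountMapping(map1, pool1))]
    steps = {}
    group1.add(CARCASSI)                    # gums manualGroup-add mysql group1 <DN>
    steps["in_group1"] = map_user(host_group, CARCASSI)
    group1.remove(CARCASSI)                 # gums manualGroup-remove mysql group1 <DN>
    map1.add(CARCASSI, "carcassi")          # gums manualMapping-add mysql map1 <DN> carcassi
    steps["manual_map"] = map_user(host_group, CARCASSI, "/myvo/Role=role1")
    steps["wrong_vo"] = map_user(host_group, CARCASSI, "/othervo/Role=role1")
    map1.remove(CARCASSI)                   # gums manualMapping-remove mysql map1 <DN>
    pool1.add_range("grid0020-40")          # gums pool-addRange mysql pool1 grid0020-40
    steps["pooled"] = map_user(host_group, CARCASSI)
    steps["pooled_other"] = map_user(host_group, OTHER)
    steps["pooled_again"] = map_user(host_group, CARCASSI)  # assignment is sticky
    return steps
```

Calling `scenario()` returns, in order: `myacc` while the DN sits in group1 (example1 is first in the hostGroup list, so it wins even though the DN is also a VO member), `carcassi` once the manual mapping exists, no account at all for an FQAN from another VO, and `grid0020` from the pool after the manual entry is removed, with the same account returned on every later request for that DN.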


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]# gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
            FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user
Options:
 -s,--service <arg>     DN of the service. When using gums-host it defaults
                        to the host credential DN
 -f,--fqan <arg>        Fully Qualified Attribute Name, as it would be
                        selected using voms-proxy-init (no extended information by
                        default)
 -t,--timing <arg>      enables timing, grouping the requests. For example,
                        -t 100 will give you timing information on 100 requests at a
                        time
 -b,--bypassCallout     connects directly to GUMS instead of using the
                        callout
 -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the
                        DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>      number of times the request will be repeated
 --help                 print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version        Date                Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes [by]:
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) [carcassi]
- Fix tomcat deployment in build (i.e. dev server being down once in a while) [carcassi]
- Mapping according to Gecos field available in both NIS and LDAP [carcassi]
- One can filter on the full CN of a host certificate [carcassi]
- The Service Certificate DN is now the identifier for hosts and machines [carcassi]
- Release version in command line [carcassi]
- If gums.config isn't found the first time, a tomcat restart was needed [carcassi]
- Minor updates to the web interface [carcassi]
- VOMS Admin v1.0.x (gLite) compatibility [carcassi]
- Support for mapfile cache terminated; web service door only [carcassi]
- FQAN allows for "-", "_" and "." in the VO, group, role and capability [carcassi]
- DB reviewed: better indexing and transaction use [carcassi]
- Updating from VOMS is no longer blocking [carcassi]

Release 1.0.1 - 2005-04-07

Changes [by]:
- Including setupDatabase with the modification made for VDT [carcassi]
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) [carcassi]
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too [carcassi]

Release 1.0.0 - 2005-03-16

Changes [by]:
- Repackaging of the client components: merged admin and host and named it client [carcassi]
- Fixed minor issues with authorization obligations for storage system [mlorch]
- Double add to a manual group now fails [carcassi]
- Script that creates the database and changes the configuration accordingly [carcassi]
- Repackaging of the service component [carcassi]
- Server identity is now gums host name [carcassi]
- GUMS accepts new style proxies [carcassi]
- The accounts in the pool are used in alphabetical order [carcassi]
- Inverse map is now generated exploring all the DN/FQAN combinations [carcassi]
- Gridmapfile is generated simulating users with no FQAN [carcassi]
- LDAP integration for primary gid change at BNL once an account is assigned [carcassi]

Release 0.7.1 - 2005-02-01

Changes [by]:
- Log names reviewed so that both client and server can stay (through links) in the same directory [carcassi]
- NIS update is done every hour and is now thread safe [carcassi]
- Log file permissions for the command line tools are set so multiple users can use it (important for admin) [carcassi]
- GUMS host can now be used for stress testing and timing the server response [carcassi]
- Added connection pooling on mysql server [carcassi]
- Solved a race condition that would make GUMS hang in some circumstances [carcassi]
- AuthZ callout without GT3, both client and server stubs [mlorch]
- Added code for Privilege Project in GUMS repository and build process [carcassi]

Release 0.7 - 2005-01-14

Changes [by]:
- Better logging: server logs all commands with both input and output [carcassi]
- More complete command line interface [carcassi]
- Web service implementation [carcassi]
- HostWildcards can be more than one, comma separated [carcassi]
- Support for VOMS Fully Qualified Attribute names [carcassi]
- AuthZ service to be contacted by Globus callout [carcassi]
- Support for grid3-user-vo-map.txt generation [carcassi]
- Many, many other refinements [carcassi]

Release 0.6.1 - 2004-08-10

Changes [by]:
- Nightly build and reporting with Maven [carcassi]
- Removed all the old code from 0.6 [carcassi]
- Better log system: logs for developer, resource admin and site admin in place [carcassi]
- Ability to retrieve groups from within a VOMS server (finally) [carcassi]
- No more duplication in the mapfiles [carcassi]
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated [carcassi]
- Improved error handling (i.e. a failed update on one group doesn't block the others) [carcassi]
- Installation through RPMs (cron jobs installed automatically) [carcassi]
- Unit tests to Grid3 VOs included [carcassi]
- LDAP access improved: can access LCG dev VO [carcassi]

Release 0.6 - 2004-07-01

Changes [by]:
- XML configuration file for mapping policy [carcassi]
- Log infrastructure [carcassi]
- More flexible architecture [carcassi]
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper [carcassi]
- Web interface to generate grid-mapfiles and map users [carcassi]
- Better command line interfaces (feel like Unix commands) [carcassi]

Release 0.5 - 2004-05-20

Changes [by]:
- GUMS in production at BNL [carcassi]
- NISMapper: retrieves the GECOS field and matches with certificate CN [carcassi]
- Architecture to allow different types of mappings for different hosts [carcassi]

Release undetermined - before March 2004

Changes [by]:
- Script to fetch user from VOMS [dtyu]
- Script to map user to local account [tomw]



16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

1 6 T R O U B L E S H O O T I N G F A Q 62

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Access problems

GUMS encountered an errorError Type govbnlgumsadminAuthorizationDeniedExceptionError Message Authorization denied

VDT_LOCATIONapachelogs[Tue Jun 07 150245 2005] [error] Certificate Verification Error (20) unableto get local issuer certificate

1 6 T R O U B L E S H O O T I N G F A Q 63

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

17 Changes

Release History

Version Date Description

110 2005-07-20

101 2005-04-07

100 2005-03-16

071 2005-02-01

07 2005-01-14

061 2004-08-10

06 2004-07-01

05 2004-05-20

undetermined before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 100 - 2005-03-16

Type Changes By

Repackaging of the client componentsmerged admin and host and named it client

carcassi

Fixed minor issues with authorizationobligations for storage system

mlorch

Double add to a manual group now fails carcassi

1 7 C H A N G E S 65

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script that creates the database and changesthe configuration accordingly

carcassi

Repackaging of the service component carcassi

Server identity is now gums host name carcassi

GUMS accept new style proxies carcassi

The accounts in the pool are used inalphabetical order

carcassi

Inverse map is now generated exploring allthe DNFQAN combinations

carcassi

Gridmapfile is generated simulating userswith no FQAN

carcassi

LDAP integration for primary gid change atBNL once an account is assigned

carcassi

Release 071 - 2005-02-01

Type Changes By

Log names review so that they both client andserver can stay (through links) in the samedirectory

carcassi

NIS update is done every hour and is nowthread safe

carcassi

Log file permission for the command line toolsare set so multiple users can use it (importantfor admin)

carcassi

GUMS host can now be used for stresstesting and timing the server response

carcassi

Added connection pooling on mysql server carcassi

Solved a race condition that would makeGUMS hang in some circumstances

carcassi

AuthZ callout without GT3 both client andserver stubs

mlorch

Added code for Privilege Project in GUMSrepository and build process

carcassi

1 7 C H A N G E S 66

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Release 07 - 2005-01-14

Type Changes By

Better logging server logs all commands withboth input and output

carcassi

More complete command line interface carcassi

Web service implementation carcassi

HostWildcards can be more than one commaseparated

carcassi

Support for VOMS Fully Qualified Attributenames

carcassi

AuthZ service to be contacted by Globuscallout

carcassi

Support for grid3-user-vo-maptxt generation carcassi

Many many other refinements carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi

1 7 C H A N G E S 67

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Installation through RPMs (cron jobs installedautomatically)

carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 06 - 2004-07-01

Type Changes By

XML configuration file for mapping policy carcassi

Log infrastructure carcassi

More flexible architecture carcassi

Decoupled grid-mapfile generation fromdatabase caching for distribution ongatekeeper

carcassi

Web interface to generate grid-mapfiles andmap users

carcassi

Better command line interfaces (feel like Unixcommands)

carcassi

Release 05 - 2004-05-20

Type Changes By

GUMS in production at BNL carcassi

NISMapperretrieves the GECOS field andmatches with certificate CN

carcassi

Architecture to allow different type ofmappings for different hosts

carcassi

Release undetermined - before March 2004

1 7 C H A N G E S 68

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Page 40: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

Attribute: className
Description: The class that is going to provide the implementation for the mapping. It must implement gov.bnl.gums.AccountMapping.
Examples: gov.bnl.gums.ManualAccountMapper, gov.bnl.gums.GecosLdapAccountMapper, gov.bnl.gums.GecosNisAccountMapper, gov.bnl.gums.AccountPoolMapper, gov.bnl.gums.GroupAccountMapper

gov.bnl.gums.GecosNisAccountMapper

Attribute: jndiNisUrl
Description: The URL, as defined in the Java JNDI driver, that specifies the NIS server and the domain.
Example: nis://nis.bnl.gov/atlas

  <accountMapping className="gov.bnl.gums.GecosNisAccountMapper" jndiNisUrl="nis://nis.mysite.org/domain" />

gov.bnl.gums.GecosLdapAccountMapper

Attribute: jndiLdapUrl
Description: The URL, as defined in the Java JNDI driver, that specifies the LDAP server and the domain.
Example: ldap://ldap.bnl.gov/dc=usatlas,dc=bnl,dc=gov

  <accountMapping className="gov.bnl.gums.GecosLdapAccountMapper" jndiLdapUrl="ldap://ldap.mysite.org/dc=domain,dc=mysite,dc=gov" />

gov.bnl.gums.AccountPoolMapper

Attribute: persistenceFactory
Description: The persistence layer to be used to store the pool mapping. The string must be one of the names defined within the persistenceFactories section.
Example: mysql

Attribute: name
Description: The name of the pool within the persistence factory. Refer to the specifics of the persistence factory itself.
Examples: mysitePool, osgPool

  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attribute: groupName
Description: The name of the account.
Examples: atlas, testAccount

  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup

Attribute: className
Description: The class that is going to provide the implementation for the hostGroup. It must implement gov.bnl.gums.HostGroup.
Example: gov.bnl.gums.CertificateHostGroup

Attribute: groups
Description: A list of groupMappings in order of preference. To determine which group should be used for a particular user, GUMS starts from the beginning of the list and stops at the first match. Therefore, if there is more than one match (i.e. a user is part of several groups), the first one in the list is used.
Examples: group1, group2

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute: wildcard
Description: The wildcard for the set of hosts to be included. The wildcard is a string in which * stands for any characters except '.'. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov.
Examples: myhost.mysite.org, *.atlas.mysite.org

  <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />

gov.bnl.gums.CertificateHostGroup

Attribute: cn
Description: The wildcard on the CN for the set of services to be included. The cn is a string in which * stands for any characters except '.', '/' or '='. That is, *.bnl.gov wouldn't match myhost.usatlas.bnl.gov or host/test.bnl.gov.
Examples: myhost.mysite.org, *.atlas.mysite.org, host/*.mysite.org, gridftp/*.mysite.org

Attribute: dn
Description: The wildcard on the DN for the set of services to be included. The wildcard is a string in which * stands for any characters except '/' or '='.
Example: /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com

  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex,sdss,uscms,usatlasGroup,btev,ligo,ivdgl" />
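As an added example (not code from the GUMS documentation or project), the following Python models the hostGroup rules described above: the cn, dn and wildcard matching and the first-match walk over the groups list. Assumptions, labelled in the code: '*' stands for any run of characters containing none of the separators excluded for that attribute, and the DNs and group memberships in the sample configuration are constructed.

```python
import re

# Added example, not part of GUMS: a model of the hostGroup rules described in the
# tables above. Assumptions (labelled as such): '*' stands for any run of
# characters that contains none of the separators excluded for that attribute
# ('.' for a WildcardHostGroup wildcard; '.', '/' and '=' for a CertificateHostGroup
# cn; '/' and '=' for its dn), and the groupMappings listed in 'groups' are tried in
# order, the first one containing the user deciding the account.


def wildcard_to_regex(pattern, excluded):
    """Translate a GUMS-style wildcard into an anchored regular expression.

    Literal characters are escaped; each '*' becomes a possibly empty run of
    characters none of which is in `excluded`, so a '*' never spans a separator."""
    run = "[^" + re.escape(excluded) + "]*"
    return re.compile("^" + run.join(re.escape(p) for p in pattern.split("*")) + "$")


def wildcard_matches(pattern, value, excluded):
    return wildcard_to_regex(pattern, excluded).match(value) is not None


def host_wildcard_matches(wildcard, hostname):
    """WildcardHostGroup (deprecated): '*' never crosses '.'."""
    return wildcard_matches(wildcard, hostname, ".")


def cn_matches(cn_pattern, service_cn):
    """CertificateHostGroup cn: '*' never crosses '.', '/' or '='."""
    return wildcard_matches(cn_pattern, service_cn, "./=")


def dn_matches(dn_pattern, service_dn):
    """CertificateHostGroup dn: '*' never crosses '/' or '='."""
    return wildcard_matches(dn_pattern, service_dn, "/=")


def select_host_group(host_groups, service_cn):
    """Return the 'groups' list of the first hostGroup whose cn matches the service CN.

    host_groups: list of (cn_pattern, [groupMapping names in preference order])."""
    for cn_pattern, groups in host_groups:
        if cn_matches(cn_pattern, service_cn):
            return groups
    return None


def map_user(host_groups, group_mappings, service_cn, user_dn):
    """Walk the matching hostGroup's groups in order; the first groupMapping whose
    userGroup contains the DN decides the local account.

    group_mappings: dict name -> (set of member DNs, account name)."""
    groups = select_host_group(host_groups, service_cn)
    if groups is None:
        return None  # this service is not covered by any hostGroup
    for name in groups:
        members, account = group_mappings[name]
        if user_dn in members:
            return account
    return None  # authenticated but in none of the listed groups: no mapping


# Constructed sample mirroring the "Mapping based on groups/roles" example:
# the production group is listed before the generic VO group, so a DN that is
# in both lands on the production account.
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 1111"  # constructed DN
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 2222"      # constructed DN
SAMPLE_HOST_GROUPS = [("*.mysite.com", ["usatlasProd", "usatlas"])]
SAMPLE_GROUP_MAPPINGS = {
    "usatlasProd": ({ALICE}, "usatprod"),
    "usatlas": ({ALICE, BOB}, "usatlas1"),
}

if __name__ == "__main__":
    for dn in (ALICE, BOB):
        print(dn, "->", map_user(SAMPLE_HOST_GROUPS, SAMPLE_GROUP_MAPPINGS, "gk.mysite.com", dn))
```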

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

  <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
               persistenceFactory="mysql" name="usatlas"
               voGroup="/atlas/usatlas"
               sslCertfile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/grid-security/hostkey.pem"
               matchFQAN="VO" acceptProxyWithoutFQAN="true" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </groupMapping>

  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing ad-hoc list of people

  <groupMapping name="testers">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
  </groupMapping>

  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

  <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
               persistenceFactory="mysql" name="usatlas"
               voGroup="/atlas/usatlas"
               sslCertfile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </groupMapping>

  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

  > bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

  <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
               persistenceFactory="mysql" name="usatlas"
               voGroup="/atlas/usatlas"
               sslCertfile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/grid-security/hostkey.pem" />
    <compositeAccountMapping>
      <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
      <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
    </compositeAccountMapping>
  </groupMapping>

Mapping based on groups/roles

  <groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
               persistenceFactory="mysql" name="usatlas"
               voGroup="/atlas/usatlas"
               sslCertfile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
  </groupMapping>

  <groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
               persistenceFactory="mysql" name="usatlasProd"
               voGroup="/atlas" voRole="production"
               sslCertfile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
  </groupMapping>

  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas" />

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums
  usage: gums command [command-options]
  Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version
  For help on any command: gums command --help

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
  usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
  Maps the grid identity to the local user
  Options:
   -s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN
   -f,--fqan <arg>        Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default
   -t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
   -b,--bypassCallout     connects directly to GUMS instead of using the callout
   -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
   -n,--ntimes <arg>      number of times the request will be repeated
      --help              print this message

Service mapping generation commands

gums mapUser

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
  LocalId[userName grid12345]

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
  LocalId[userName special1]

gums generateGridMapfile

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
  #---- members of vo: usatlas ----
  "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
  "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
  "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
  "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
  "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
  "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
  "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
  # User-VO map
  # #comment line, format of each regular line, line: account VO
  # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
  #voi usatlas ivdgl ligo btev uscms sdss gridex grase
  #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
  #---- accounts for vo: usatlas ----
  usatlas1 usatlas
  #---- accounts for vo: ivdgl ----
  ivdgl ivdgl

Manual groups and mappings management commands

  <groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
  </groupMapping>

  <groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
               persistenceFactory="mysql" name="myvo"
               voGroup="/myvo"
               sslCertfile="/etc/grid-security/hostcert.pem"
               sslKey="/etc/grid-security/hostkey.pem" />
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
  </groupMapping>

gums manualGroup-add

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

  [carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

  [root@mygk bin]$ gums-host
  usage: gums-host command [command-options]
  Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version
  For help on any command: gums-host command --help

  [root@mygk bin]# gums-host mapUser --help
  usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
  Maps the grid identity to the local user
  Options:
   -s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN
   -f,--fqan <arg>        Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default
   -t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time
   -b,--bypassCallout     connects directly to GUMS instead of using the callout
   -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate
   -n,--ntimes <arg>      number of times the request will be repeated
      --help              print this message

Service mapping generation commands

gums-host mapUser

  [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
  LocalId[userName grid12345]

  [root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
  LocalId[userName special1]

gums generateGridMapfile

  [root@mygk bin]# gums-host generateGridMapfile
  #---- members of vo: usatlas ----
  "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
  "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
  "/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
  "/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
  "/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
  "/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
  "/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

  [root@mygk bin]# gums-host generateGrid3UserVoMap
  # User-VO map
  # #comment line, format of each regular line, line: account VO
  # Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
  #voi usatlas ivdgl ligo btev uscms sdss gridex grase
  #VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
  #---- accounts for vo: usatlas ----
  usatlas1 usatlas
  #---- accounts for vo: ivdgl ----
  ivdgl ivdgl
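As an added example (not GUMS code), the following Python parses the two files produced by the commands above, the grid-mapfile (DN to account) and grid3-user-vo-map.txt (account to VO), and cross-checks them so that every account reachable through a DN is attributed to a declared VO. The file contents in the block are constructed in the shape of the output shown above.

```python
import shlex

# Added example, not part of GUMS: a consistency check between the two files
# shown above. Assumption: the formats are exactly those of the command output
# above (grid-mapfile: a double-quoted DN followed by the local account, '#'
# lines are comments; user-vo map: '#voi'/'#VOc' carry the VO name lists,
# other '#' lines are comments, regular lines are 'account VO'). A mismatch
# means jobs run under an account that accounting cannot attribute to a VO.


def parse_grid_mapfile(text):
    """Return {dn: account}; raise on malformed or conflicting lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # keeps the quoted DN (which contains spaces) whole
        if len(fields) != 2:
            raise ValueError("malformed grid-mapfile line: %r" % raw)
        dn, account = fields
        if dn in mapping and mapping[dn] != account:
            raise ValueError("DN mapped twice with different accounts: %s" % dn)
        mapping[dn] = account
    return mapping


def parse_user_vo_map(text):
    """Return (voi, voc, {account: vo})."""
    voi, voc, accounts = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#voi"):
            voi = line.split()[1:]
        elif line.startswith("#VOc"):
            voc = line.split()[1:]
        elif line.startswith("#"):
            continue
        else:
            fields = line.split()
            if len(fields) != 2:
                raise ValueError("malformed user-vo-map line: %r" % raw)
            account, vo = fields
            if account in accounts and accounts[account] != vo:
                raise ValueError("account %s assigned to two VOs" % account)
            accounts[account] = vo
    return voi, voc, accounts


def check_consistency(grid_mapfile_text, user_vo_map_text):
    """Return a sorted list of findings; an empty list means the files agree."""
    dn_to_account = parse_grid_mapfile(grid_mapfile_text)
    voi, voc, account_to_vo = parse_user_vo_map(user_vo_map_text)
    findings = []
    if len(voi) != len(voc):
        findings.append("#voi and #VOc lists differ in length")
    for account, vo in account_to_vo.items():
        if vo not in voi:
            findings.append("account %s uses undeclared VO %s" % (account, vo))
    for account in sorted(set(dn_to_account.values())):
        if account not in account_to_vo:
            findings.append("account %s has DNs mapped but no VO" % account)
    return sorted(findings)


# Constructed sample input in the shape of the gums-host output above; the last
# two DNs and their accounts are invented to trigger findings.
SAMPLE_GRID_MAPFILE = '''#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Pat Example 1" grid0001
"/DC=org/DC=doegrids/OU=People/CN=Sam Example 2" usatlas2
'''
SAMPLE_USER_VO_MAP = '''# User-VO map
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
grid0001 cms
'''

if __name__ == "__main__":
    for finding in check_consistency(SAMPLE_GRID_MAPFILE, SAMPLE_USER_VO_MAP):
        print(finding)
```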

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

  [root@atlasgrid13 log]# cat /etc/sysconfig/syslog
  # Options to syslogd
  # -m 0 disables 'MARK' messages.
  # -r enables logging from remote machines
  # -x disables DNS lookups on messages recieved with -r
  # See syslogd(8) for more details
  SYSLOGD_OPTIONS="-r -m 0"
  # Options to klogd
  # -2 prints all kernel oops messages twice; once for klogd to decode, and
  #    once for processing with 'ksymoops'
  # -x disables all klogd processing of oops messages entirely
  # See klogd(8) for more details
  KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services


Changing storage for GUMS data

  throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

  throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

  GUMS encountered an error
  Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
  Error Message: Authorization denied

  $VDT_LOCATION/apache/logs:
  [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version       Date               Description
1.1.0         2005-07-20
1.0.1         2005-04-07
1.0.0         2005-03-16
0.7.1         2005-02-01
0.7           2005-01-14
0.6.1         2004-08-10
0.6           2004-07-01
0.5           2004-05-20
undetermined  before March 2004

Release 1.1.0 - 2005-07-20

Changes [by]:
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) [carcassi]
- Fix tomcat deployment in build (i.e. dev server being down once in a while) [carcassi]
- Mapping according to the Gecos field, available in both NIS and LDAP [carcassi]
- One can filter on the full CN of a host certificate [carcassi]
- The Service Certificate DN is now the identifier for hosts and machines [carcassi]
- Release version in command line [carcassi]
- If gums.config isn't found the first time, a tomcat restart was needed [carcassi]
- Minor updates to the web interface [carcassi]
- VOMS Admin v1.0.x (gLite) compatibility [carcassi]
- Support for mapfile cache terminated; web service door only [carcassi]
- FQAN allows for '-', '_' and '.' in the VO group, role and capability [carcassi]
- DB reviewed: better indexing and transaction use [carcassi]
- Updating from VOMS is no longer blocking [carcassi]

Release 1.0.1 - 2005-04-07

Changes [by]:
- Including setupDatabase with the modification made for VDT [carcassi]
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) [carcassi]
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too [carcassi]

Release 1.0.0 - 2005-03-16

Changes [by]:
- Repackaging of the client components: merged admin and host and named it client [carcassi]
- Fixed minor issues with authorization obligations for storage system [mlorch]
- Double add to a manual group now fails [carcassi]
- Script that creates the database and changes the configuration accordingly [carcassi]
- Repackaging of the service component [carcassi]
- Server identity is now the gums host name [carcassi]
- GUMS accepts new style proxies [carcassi]
- The accounts in the pool are used in alphabetical order [carcassi]
- Inverse map is now generated exploring all the DN/FQAN combinations [carcassi]
- Gridmapfile is generated simulating users with no FQAN [carcassi]
- LDAP integration for primary gid change at BNL once an account is assigned [carcassi]

Release 0.7.1 - 2005-02-01

Changes [by]:
- Log names reviewed so that both client and server can stay (through links) in the same directory [carcassi]
- NIS update is done every hour and is now thread safe [carcassi]
- Log file permissions for the command line tools are set so multiple users can use it (important for admin) [carcassi]
- GUMS host can now be used for stress testing and timing the server response [carcassi]
- Added connection pooling on mysql server [carcassi]
- Solved a race condition that would make GUMS hang in some circumstances [carcassi]
- AuthZ callout without GT3: both client and server stubs [mlorch]
- Added code for Privilege Project in GUMS repository and build process [carcassi]

Release 0.7 - 2005-01-14

Changes [by]:
- Better logging: server logs all commands with both input and output [carcassi]
- More complete command line interface [carcassi]
- Web service implementation [carcassi]
- HostWildcards can be more than one, comma separated [carcassi]
- Support for VOMS Fully Qualified Attribute names [carcassi]
- AuthZ service to be contacted by Globus callout [carcassi]
- Support for grid3-user-vo-map.txt generation [carcassi]
- Many many other refinements [carcassi]

Release 0.6.1 - 2004-08-10

Changes [by]:
- Nightly build and reporting with Maven [carcassi]
- Removed all the old code from 0.6 [carcassi]
- Better log system: logs for developer, resource admin and site admin in place [carcassi]
- Ability to retrieve groups from within a VOMS server (finally) [carcassi]
- No more duplication in the mapfiles [carcassi]
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated [carcassi]
- Improved error handling (i.e. a failed update on one group doesn't block the others) [carcassi]
- Installation through RPMs (cron jobs installed automatically) [carcassi]
- Unit tests to Grid3 VOs included [carcassi]
- LDAP access improved: can access LCG dev VO [carcassi]

Release 0.6 - 2004-07-01

Changes [by]:
- XML configuration file for mapping policy [carcassi]
- Log infrastructure [carcassi]
- More flexible architecture [carcassi]
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper [carcassi]
- Web interface to generate grid-mapfiles and map users [carcassi]
- Better command line interfaces (feel like Unix commands) [carcassi]

Release 0.5 - 2004-05-20

Changes [by]:
- GUMS in production at BNL [carcassi]
- NISMapper retrieves the GECOS field and matches it with the certificate CN [carcassi]
- Architecture to allow different types of mappings for different hosts [carcassi]

Release undetermined - before March 2004

Changes [by]:
- Script to fetch user from VOMS [dtyu]
- Script to map user to local account [tomw]

Page 41: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

Attribute            Description                                                    Examples
persistenceFactory   The persistence layer to be used to store the pool mapping.   mysql
                     The string must be one of the names defined within the
                     persistenceFactories section.
name                 The name of the pool within the persistence factory. Refer    mysitePool, osgPool
                     to the specifics of the persistence factory itself.

<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />

gov.bnl.gums.GroupAccountMapper

Attribute   Description                Examples
groupName   The name of the account.   atlas, testAccount

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="atlas" />

hostGroups

hostGroup

Attribute   Description                                                          Examples
className   The class that is going to provide the implementation for the        gov.bnl.gums.CertificateHostGroup
            hostGroup. It must implement gov.bnl.gums.HostGroup.
groups      A list of groupMappings in the order of preference. To determine      group1, group2
            which group should be used for a particular user, GUMS will start
            from the beginning of the list until it finds a match. Therefore,
            if there is more than one match (i.e. a user is part of more than
            one group), the first one in the list is used.

gov.bnl.gums.WildcardHostGroup (deprecated)

Attribute   Description                                                          Examples
wildcard    The wildcard for the set of hosts to be included. The wildcard is    myhost.mysite.org,
            a string where '*' can be substituted with any character except      *.atlas.mysite.org,
            '.'. That is, '*.bnl.gov' wouldn't match 'myhost.usatlas.bnl.gov'.  *atlas.mysite.org

<hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />

gov.bnl.gums.CertificateHostGroup

Attribute   Description                                                          Examples
cn          The wildcard on the CN for the set of services to be included.       myhost.mysite.org,
            The cn is a string where '*' can be substituted with any character   *.atlas.mysite.org,
            except '.', '/' or '='. That is, '*.bnl.gov' wouldn't match          *atlas.mysite.org,
            'myhost.usatlas.bnl.gov' or 'host/test.bnl.gov'.                     host/*.mysite.org,
                                                                                 gridftp/*.mysite.org
dn          The wildcard on the DN for the set of services to be included.       /DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com
            The wildcard is a string where '*' can be substituted with any
            character except '/' or '='.

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.usatlas.bnl.gov" groups="gridex, sdss, uscms, usatlasGroup, btev, ligo, ivdgl" />
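As an added illustration (not GUMS's own code), the following Python models the hostGroup selection the two tables describe: a '*' in a cn or dn wildcard stands for a run of characters that excludes the listed separators, and the first hostGroup in configuration order whose wildcard matches the service certificate supplies the groups list. The stop-character sets, the cn_from_dn helper and the sample hostGroup list are assumptions drawn from the table text, not from gov.bnl.gums.CertificateHostGroup.

```python
import re

# Characters a '*' may not stand for, taken from the table text above (assumption:
# the real gov.bnl.gums.CertificateHostGroup matcher may differ in detail).
CN_STOP_CHARS = "./="   # a cn wildcard cannot cross a label, a service '/' or '='
DN_STOP_CHARS = "/="    # a dn wildcard cannot cross a DN component boundary


def wildcard_to_regex(pattern: str, stop_chars: str) -> "re.Pattern[str]":
    """Compile a GUMS-style wildcard into a regular expression.

    Literal text is escaped verbatim; every '*' becomes a run of zero or more
    characters drawn from anything except stop_chars."""
    star = "[^" + re.escape(stop_chars) + "]*"
    return re.compile(star.join(re.escape(part) for part in pattern.split("*")))


def cn_matches(pattern: str, cn: str) -> bool:
    """True when the service CN is covered by the hostGroup's cn wildcard."""
    return wildcard_to_regex(pattern, CN_STOP_CHARS).fullmatch(cn) is not None


def dn_matches(pattern: str, dn: str) -> bool:
    """True when the service DN is covered by the hostGroup's dn wildcard."""
    return wildcard_to_regex(pattern, DN_STOP_CHARS).fullmatch(dn) is not None


def cn_from_dn(dn: str) -> str:
    """Value of the last CN= component of a slash-separated DN (hypothetical helper;
    it tolerates CNs that themselves contain '/', such as host/gk.bnl.gov)."""
    idx = dn.rfind("/CN=")
    if idx < 0:
        raise ValueError("no CN component in " + dn)
    return dn[idx + len("/CN="):]


def groups_for_service(host_groups, service_dn: str):
    """Walk the hostGroup list in configuration order and return the 'groups' list
    of the first element whose cn or dn wildcard matches the service certificate,
    or None when no hostGroup applies.

    host_groups: list of dicts with 'cn' or 'dn' and 'groups' (a constructed stand-in
    for the <hostGroup> elements of gums.config)."""
    cn = cn_from_dn(service_dn)
    for hg in host_groups:
        if "cn" in hg and cn_matches(hg["cn"], cn):
            return list(hg["groups"])
        if "dn" in hg and dn_matches(hg["dn"], service_dn):
            return list(hg["groups"])
    return None


# Constructed configuration mirroring the examples in the tables above.
SAMPLE_HOST_GROUPS = [
    {"cn": "*.usatlas.bnl.gov", "groups": ["gridex", "sdss", "uscms", "usatlasGroup"]},
    {"dn": "/DC=org/DC=doegrids/OU=Services/CN=*.mycompany.com", "groups": ["testers"]},
]

if __name__ == "__main__":
    gk = "/DC=org/DC=doegrids/OU=Services/CN=gk01.usatlas.bnl.gov"
    print(gk, "->", groups_for_service(SAMPLE_HOST_GROUPS, gk))
```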

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem"
      matchFQAN="VO" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing an ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql" name="usatlasProd"
      voGroup="/atlas" voRole="production"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd, usatlas" />
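The evaluation order these examples rely on, as an added Python model that is not part of GUMS: the groupMappings are tried in the hostGroup's groups order, the first userGroup that contains the user wins, and its account mapping (fixed group account, manual table, alphabetical pool, or a composite that tries each in turn) yields the local account. The FQAN matching, the pool-addRange expansion and the DNs are simplified assumptions made for the illustration.

```python
import re
from typing import Optional

def parse_fqan(fqan):
    """Split '/atlas/usatlas/Role=production/Capability=NULL' into (group, role);
    an absent or NULL role comes back as None. Assumed FQAN reading."""
    if fqan is None:
        return None, None
    parts, role = [], None
    for comp in fqan.strip("/").split("/"):
        if comp.startswith("Role="):
            role = comp[len("Role="):]
        elif not comp.startswith("Capability="):
            parts.append(comp)
    return "/" + "/".join(parts), (None if role in (None, "NULL") else role)

class VomsGroup:
    """Stand-in for a VOMSGroup userGroup whose member list has already been
    cached from the VOMS server (what 'gums updateGroups' fetches)."""
    def __init__(self, vo_group, members, vo_role=None, accept_proxy_without_fqan=False):
        self.vo_group, self.members = vo_group, set(members)
        self.vo_role, self.accept_no_fqan = vo_role, accept_proxy_without_fqan

    def contains(self, dn: str, fqan: Optional[str]) -> bool:
        if dn not in self.members:
            return False
        group, role = parse_fqan(fqan)
        if group is None:                       # plain proxy without VOMS attributes
            return self.accept_no_fqan
        return group == self.vo_group and (self.vo_role is None or role == self.vo_role)

class GroupAccountMapper:
    """Everybody in the group shares one account (groupName)."""
    def __init__(self, group_name: str):
        self.group_name = group_name

    def map(self, dn: str) -> Optional[str]:
        return self.group_name

class ManualAccountMapper:
    """DN -> account table maintained with 'gums manualMapping-add'."""
    def __init__(self, table):
        self.table = dict(table)

    def map(self, dn: str) -> Optional[str]:
        return self.table.get(dn)

class AccountPoolMapper:
    """Hands out pool accounts in alphabetical order and remembers the assignment
    (the persistence layer in GUMS; a dict here)."""
    def __init__(self, accounts):
        self.free, self.assigned = sorted(accounts), {}

    def map(self, dn: str) -> Optional[str]:
        if dn not in self.assigned:
            if not self.free:
                return None                     # pool exhausted: no mapping
            self.assigned[dn] = self.free.pop(0)
        return self.assigned[dn]

class CompositeAccountMapper:
    """compositeAccountMapping: the first mapper that yields an account wins."""
    def __init__(self, mappers):
        self.mappers = list(mappers)

    def map(self, dn: str) -> Optional[str]:
        return next((a for a in (m.map(dn) for m in self.mappers) if a is not None), None)

def pool_add_range(spec: str):
    """Expand a pool-addRange argument: 'grid0000-199' -> grid0000 .. grid0199.
    Assumed reading of the syntax: the zero padding follows the first number."""
    m = re.fullmatch(r"(.*?)(\d+)-(\d+)", spec)
    if not m:
        raise ValueError("bad range: " + spec)
    prefix, first, last = m.groups()
    return [f"{prefix}{i:0{len(first)}d}" for i in range(int(first), int(last) + 1)]

def map_user(group_mappings, dn: str, fqan: Optional[str] = None):
    """group_mappings: [(name, userGroup, accountMapper)] in the hostGroup's
    'groups' order. The first userGroup containing the user decides."""
    for name, user_group, mapper in group_mappings:
        if user_group.contains(dn, fqan):
            return name, mapper.map(dn)
    return None

# Constructed sample DNs and policies mirroring the examples above.
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 11111"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 22222"
ATLAS_MEMBERS = {ALICE, BOB}
# 'Mapping based on groups/roles': usatlasProd is listed before usatlas.
ROLE_POLICY = [
    ("usatlasProd", VomsGroup("/atlas", ATLAS_MEMBERS, vo_role="production"),
     GroupAccountMapper("usatprod")),
    ("usatlas", VomsGroup("/atlas/usatlas", ATLAS_MEMBERS, accept_proxy_without_fqan=True),
     GroupAccountMapper("usatlas1")),
]
# 'Composite mapping': the manual map is consulted before the bnlPool.
POOL_POLICY = [
    ("usatlas", VomsGroup("/atlas/usatlas", ATLAS_MEMBERS),
     CompositeAccountMapper([ManualAccountMapper({BOB: "bob"}),
                             AccountPoolMapper(pool_add_range("grid0000-199"))])),
]
```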

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
generateGridMapfile    - Generate grid-mapfile for a given service/host
manualGroup-add        - Includes a DN in a group
manualGroup-remove     - Removes a DN from a group
manualMapping-add      - Adds a DN-to-username in a mapping
manualMapping-remove   - Removes a DN from a mapping
mapUser                - Local credential used for a particular user
mapfileCache-refresh   - Regerates mapfiles in the cache
pool-addRange          - Adds accounts to an account pool
updateGroups           - Contact VO servers and retrieve user lists
version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
       FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>    DN of the service. When using gums-host it defaults
                       to the host credential DN.
 -f,--fqan <arg>       Fully Qualified Attribute Name as it would be
                       selected using voms-proxy-init; no extended information by
                       default.
 -t,--timing <arg>     enables timing, grouping the requests. For example,
                       -t 100 will give you timing information on 100 requests at a
                       time.
 -b,--bypassCallout    connects directly to GUMS instead of using the
                       callout.
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the
                       DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>     number of times the request will be repeated.
    --help             print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
      url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
      persistenceFactory="mysql" name="myvo"
      voGroup="/myvo"
      sslCertfile="/etc/grid-security/hostcert.pem"
      sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
generateGridMapfile    - Generate grid-mapfile for this host
mapUser                - Local credential used for a particular user
version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
       FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>    DN of the service. When using gums-host it defaults
                       to the host credential DN.
 -f,--fqan <arg>       Fully Qualified Attribute Name as it would be
                       selected using voms-proxy-init; no extended information by
                       default.
 -t,--timing <arg>     enables timing, grouping the requests. For example,
                       -t 100 will give you timing information on 100 requests at a
                       time.
 -b,--bypassCallout    connects directly to GUMS instead of using the
                       callout.
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the
                       DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>     number of times the request will be repeated.
    --help             print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error:
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version        Date                Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Type  Changes                                                                               By
      Review GUMS maven structure (i.e. plug-in dependencies, project.xml)                  carcassi
      Fix tomcat deployment in build (i.e. dev server being down once in a while)           carcassi
      Mapping according to Gecos field available in both NIS and LDAP                       carcassi
      One can filter on the full CN of a host certificate                                   carcassi
      The Service Certificate DN is now the identifier for hosts and machines               carcassi
      Release version in command line                                                       carcassi
      If gums.config isn't found the first time, a tomcat restart was needed                carcassi
      Minor updates to the web interface                                                    carcassi
      VOMS Admin v1.0.x (glite) compatibility                                               carcassi
      Support for mapfile cache terminated; web service door only                           carcassi
      FQAN allows for '-', '_' and '.' in the vo, group, role and capability                 carcassi
      DB reviewed: better indexing and transaction use                                      carcassi
      Updating from VOMS is no longer blocking                                              carcassi

Release 1.0.1 - 2005-04-07

Type  Changes                                                                               By
      Including setupDatabase with the modification made for VDT                            carcassi
      gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package)    carcassi
      Error code from scripts was incorrect; that caused the cron job to update maps in     carcassi
      case of error too

Release 1.0.0 - 2005-03-16

Type  Changes                                                                               By
      Repackaging of the client components: merged admin and host and named it client       carcassi
      Fixed minor issues with authorization obligations for storage system                  mlorch
      Double add to a manual group now fails                                                carcassi
      Script that creates the database and changes the configuration accordingly            carcassi
      Repackaging of the service component                                                  carcassi
      Server identity is now gums host name                                                 carcassi
      GUMS accepts new style proxies                                                        carcassi
      The accounts in the pool are used in alphabetical order                               carcassi
      Inverse map is now generated exploring all the DN/FQAN combinations                   carcassi
      Gridmapfile is generated simulating users with no FQAN                                carcassi
      LDAP integration for primary gid change at BNL once an account is assigned            carcassi

Release 0.7.1 - 2005-02-01

Type  Changes                                                                               By
      Log names reviewed so that both client and server can stay (through links) in the    carcassi
      same directory
      NIS update is done every hour and is now thread safe                                  carcassi
      Log file permissions for the command line tools are set so multiple users can use    carcassi
      it (important for admin)
      GUMS host can now be used for stress testing and timing the server response          carcassi
      Added connection pooling on mysql server                                              carcassi
      Solved a race condition that would make GUMS hang in some circumstances               carcassi
      AuthZ callout without GT3, both client and server stubs                               mlorch
      Added code for Privilege Project in GUMS repository and build process                 carcassi

Release 0.7 - 2005-01-14

Type  Changes                                                                               By
      Better logging: server logs all commands with both input and output                   carcassi
      More complete command line interface                                                  carcassi
      Web service implementation                                                            carcassi
      HostWildcards can be more than one, comma separated                                   carcassi
      Support for VOMS Fully Qualified Attribute names                                      carcassi
      AuthZ service to be contacted by Globus callout                                       carcassi
      Support for grid3-user-vo-map.txt generation                                          carcassi
      Many many other refinements                                                           carcassi

Release 0.6.1 - 2004-08-10

Type  Changes                                                                               By
      Nightly build and reporting with Maven                                                carcassi
      Removed all the old code from 0.6                                                     carcassi
      Better log system: logs for developer, resource admin and site admin in place         carcassi
      Ability to retrieve groups from within a VOMS server (finally)                        carcassi
      No more duplication in the mapfiles                                                   carcassi
      Improved database caching for grid-mapfile: you specify on the server which           carcassi
      gatekeeper maps should be generated
      Improved error handling (i.e. a failed update on one group doesn't block the others)  carcassi
      Installation through RPMs (cron jobs installed automatically)                         carcassi
      Unit tests to Grid3 VOs included                                                      carcassi
      LDAP access improved: can access LCG dev VO                                           carcassi

Release 0.6 - 2004-07-01

Type  Changes                                                                               By
      XML configuration file for mapping policy                                             carcassi
      Log infrastructure                                                                    carcassi
      More flexible architecture                                                            carcassi
      Decoupled grid-mapfile generation from database caching for distribution on           carcassi
      gatekeeper
      Web interface to generate grid-mapfiles and map users                                 carcassi
      Better command line interfaces (feel like Unix commands)                              carcassi

Release 0.5 - 2004-05-20

Type  Changes                                                                               By
      GUMS in production at BNL                                                             carcassi
      NISMapper retrieves the GECOS field and matches it with the certificate CN            carcassi
      Architecture to allow different types of mappings for different hosts                 carcassi

Release undetermined - before March 2004

Type  Changes                                                                               By
      Script to fetch user from VOMS                                                        dtyu
      Script to map user to local account                                                   tomw

Page 42: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

Attribute Description Examples

className The class that is going to provide theimplementation for the hostGroup It mustimplement govbnlgumsHostGroup

govbnlgumsCertificateHostGroup

groups A list of groupMappings in the order ofpreference To determine which group shouldbe used for a particular user GUMS will startfrom the beginning of the list until it finds amatch Therefore if there would be more thanone match (ie a user is part of more groups)the first one in the list is used

group1group2

govbnlgumsWildcardHostGroup (deprecated)

Attribute Description Examples

wildcard The wildcard for the set of hosts to beincluded The wildcard is a string where canbe substituted with any character except That is bnlgov wouldnt matchmyhostusatlasbnlgov

myhostmysiteorgatlasmysiteorgatlasmysiteorg

lthostGroup className=govbnlgumsWildcardHostGroupwildcard=usatlasbnlgovgroups=gridexsdssuscmsusatlasGroupbtevligoivdgl gt

govbnlgumsCertificateHostGroup

1 3 1 1 G U M S C O N F I G 37

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Attribute Description Examples

cn The wildcard on the CN for the set of servicesto be included The cn is a string where canbe substituted with any character except or = That is bnlgov wouldnt matchmyhostusatlasbnlgov or hosttestbnlgov

myhostmysiteorgatlasmysiteorgatlasmysiteorghostmysiteorggridftpmysiteorg

dn The wildcard on the DN for the set of servicesto be included The wildcard is a string where can be substituted with any characterexcept or =

DC=orgDC=doegridsOU=ServicesCN=mycompanycom

lthostGroup className=govbnlgumsCertificateHostGroupcn=usatlasbnlgovgroups=gridexsdssuscmsusatlasGroupbtevligoivdgl gt

1 3 1 1 G U M S C O N F I G 38

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1312 Examples

Configuration examples

Mapping people from a VOMS server

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemmatchFQAN=VO acceptProxyWithoutFQAN=true gt

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatlas1 gt

ltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlas gt

Allowing ad-hoc list of people

ltgroupMapping name=testersgtltuserGroup className=govbnlgumsManualUserGroup

persistenceFactory=mysql name=testers gtltaccountMapping className=govbnlgumsGroupAccountMapper groupName=test gt

ltgroupMappinggt

1 3 1 2 E X A M P L E S 39

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=testers gt

Using account pools

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgtltaccountMapping className=govbnlgumsAccountPoolMapper

persistenceFactory=mysql name=bnlPool gtltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlas gt

gt bingums pool-addRange mysql bnlPool grid0000-199

Composite mapping

1 3 1 2 E X A M P L E S 40

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgtltcompositeAccountMappinggt

ltaccountMapping className=govbnlgumsManualAccountMapperpersistenceFactory=mysql name=bnlMap gt

ltaccountMapping className=govbnlgumsAccountPoolMapperpersistenceFactory=mysql name=bnlPool gt

ltcompositeAccountMappinggtltgroupMappinggt

Mapping based on groupsroles

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgtltaccountMapping className=govbnlgumsGroupAccountMapper

groupName=usatlas1 gtltgroupMappinggt

ltgroupMapping name=usatlasProd accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasProdvoGroup=atlas voRole=productionsslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgt

1 3 1 2 E X A M P L E S 41

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatprod gt

ltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlasProdusatlas gt

1 3 1 2 E X A M P L E S 42

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

132 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1 3 2 G U M S C O M M A N D S 43

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1321 bingums

bingums

Authentication and authorization

bingums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user
Options:
 -s,--service <arg>    DN of the service. When using gums-host it defaults
                       to the host credential DN
 -f,--fqan <arg>       Fully Qualified Attribute Name as it would be
                       selected using voms-proxy-init; no extended information by
                       default
 -t,--timing <arg>     enables timing, grouping the requests. For example
                       -t 100 will give you timing information on 100 requests at a
                       time
 -b,--bypassCallout    connects directly to GUMS instead of using the
                       callout
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the
                       DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>     number of times the request will be repeated
    --help             print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
             persistenceFactory="mysql" name="myvo" voGroup="/myvo"
             sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem"/>
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1"/>
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add


[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user
Options:
 -s,--service <arg>    DN of the service. When using gums-host it defaults
                       to the host credential DN
 -f,--fqan <arg>       Fully Qualified Attribute Name as it would be
                       selected using voms-proxy-init; no extended information by
                       default
 -t,--timing <arg>     enables timing, grouping the requests. For example
                       -t 100 will give you timing information on 100 requests at a
                       time
 -b,--bypassCallout    connects directly to GUMS instead of using the
                       callout
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the
                       DN of the VOMS service that issued the attribute certificate
 -n,--ntimes <arg>     number of times the request will be repeated
    --help             print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile


[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
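The grid-mapfile and grid3-user-vo-map.txt outputs shown for both bin/gums and bin/gums-host above, parsed and sanity-checked by an added Python example that is not part of GUMS: it flags a DN listed under two accounts, a #voi/#VOc length mismatch, an account mapped to an undeclared VO, and an account the grid-mapfile hands out that the user-VO map attributes to no VO. The sample files and the DNs in them are constructed.

```python
import re

GRIDMAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<account>\S+)$')

def parse_grid_mapfile(text: str):
    """Parse grid-mapfile lines of the form "/DN" account into ({dn: account}, [problems]).
    A DN listed with two different accounts is reported: which line the gatekeeper
    honours then depends only on file order."""
    mapping, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # "#---- members of vo: x ----" banners
            continue
        m = GRIDMAP_LINE.match(line)
        if not m:
            problems.append(f"grid-mapfile line {lineno}: malformed entry {line!r}")
            continue
        dn, account = m.group("dn"), m.group("account")
        if dn in mapping and mapping[dn] != account:
            problems.append(f"grid-mapfile line {lineno}: {dn!r} already mapped to "
                            f"{mapping[dn]!r}, now {account!r}")
        mapping.setdefault(dn, account)
    return mapping, problems

def parse_user_vo_map(text: str):
    """Parse grid3-user-vo-map.txt ("#voi"/"#VOc" declare the VOs' short and display
    names in the same order; regular lines are "account vo") into
    ({account: vo}, {short_vo: display_vo}, [problems])."""
    short = display = None
    accounts, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#voi "):
            short = line.split()[1:]
        elif line.startswith("#VOc "):
            display = line.split()[1:]
        elif not line or line.startswith("#"):
            continue
        else:
            parts = line.split()
            if len(parts) != 2:
                problems.append(f"user-vo-map line {lineno}: expected 'account vo': {line!r}")
                continue
            account, vo = parts
            if account in accounts and accounts[account] != vo:
                problems.append(f"user-vo-map line {lineno}: account {account!r} listed under "
                                f"{accounts[account]!r} and {vo!r}")
            accounts.setdefault(account, vo)
    if short is None or display is None:
        problems.append("user-vo-map: missing #voi or #VOc header line")
        names = {}
    else:
        if len(short) != len(display):
            problems.append(f"user-vo-map: #voi lists {len(short)} VOs but #VOc lists {len(display)}")
        names = dict(zip(short, display))
    for account, vo in accounts.items():
        if vo not in names:
            problems.append(f"user-vo-map: account {account!r} is mapped to undeclared VO {vo!r}")
    return accounts, names, problems

def check_gatekeeper_maps(gridmap_text: str, vomap_text: str) -> dict:
    """Run both parsers and cross-check them: an account the grid-mapfile hands out but
    the user-VO map does not list leaves that account's jobs attributed to no VO."""
    mapping, problems = parse_grid_mapfile(gridmap_text)
    accounts, names, more = parse_user_vo_map(vomap_text)
    return {"mapping": mapping, "vos": names, "problems": problems + more,
            "unattributed": sorted(set(mapping.values()) - set(accounts))}

# Constructed sample files in the layout of the generateGridMapfile and
# generateGrid3UserVoMap output above (constructed DNs, not real people); the repeated
# DN, the 'uscms' account and the 'grase' VO are planted defects for the checks to find.
SAMPLE_GRIDMAP = """\
#---- members of vo: usatlas ----
"/DC=org/DC=doegrids/OU=People/CN=Sample User A 10001" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Sample User B 10002" usatlas1
#---- members of vo: ivdgl ----
"/DC=org/DC=doegrids/OU=People/CN=Sample User C 10003" ivdgl
"/DC=org/DC=doegrids/OU=People/CN=Sample User A 10001" ivdgl
"/DC=org/DC=doegrids/OU=People/CN=Sample User D 10004" uscms
"""

SAMPLE_VO_MAP = """\
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo
#VOc ATLAS iVDgL LIGO
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
grase grase
"""

if __name__ == "__main__":
    result = check_gatekeeper_maps(SAMPLE_GRIDMAP, SAMPLE_VO_MAP)
    print(result["problems"], result["unattributed"])   # 2 problems, ['uscms']
```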


1.3.3 GUMS logs

GUMS Logs

Administrator's log (gums-service-admin.log)

Developer's log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrator's log

Developer's log


Site security log


1.4 Site integration

Integrating GUMS and site services

(If you choose to print this, you might also want to print the code to which the online version of this article links.)

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version        Date                 Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (glite) compatibility (carcassi)
- Support for mapfile cache terminated; web service door only (carcassi)
- FQAN allows for '-', '_' and '.' in the vo, group/role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by):
- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by):
- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now gums host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Gridmapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by):
- Log names review so that both client and server can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use it (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3, both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)


Release 0.7 - 2005-01-14

Changes (by):
- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by):
- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests to Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by):
- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by):
- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches with certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (by):
- Script to fetch user from VOMS (dtyu)
- Script to map user to local account (tomw)



Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 100 - 2005-03-16

Type Changes By

Repackaging of the client componentsmerged admin and host and named it client

carcassi

Fixed minor issues with authorizationobligations for storage system

mlorch

Double add to a manual group now fails carcassi

1 7 C H A N G E S 65

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script that creates the database and changesthe configuration accordingly

carcassi

Repackaging of the service component carcassi

Server identity is now gums host name carcassi

GUMS accept new style proxies carcassi

The accounts in the pool are used inalphabetical order

carcassi

Inverse map is now generated exploring allthe DNFQAN combinations

carcassi

Gridmapfile is generated simulating userswith no FQAN

carcassi

LDAP integration for primary gid change atBNL once an account is assigned

carcassi

Release 071 - 2005-02-01

Type Changes By

Log names review so that they both client andserver can stay (through links) in the samedirectory

carcassi

NIS update is done every hour and is nowthread safe

carcassi

Log file permission for the command line toolsare set so multiple users can use it (importantfor admin)

carcassi

GUMS host can now be used for stresstesting and timing the server response

carcassi

Added connection pooling on mysql server carcassi

Solved a race condition that would makeGUMS hang in some circumstances

carcassi

AuthZ callout without GT3 both client andserver stubs

mlorch

Added code for Privilege Project in GUMSrepository and build process

carcassi

1 7 C H A N G E S 66

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Release 07 - 2005-01-14

Type Changes By

Better logging server logs all commands withboth input and output

carcassi

More complete command line interface carcassi

Web service implementation carcassi

HostWildcards can be more than one commaseparated

carcassi

Support for VOMS Fully Qualified Attributenames

carcassi

AuthZ service to be contacted by Globuscallout

carcassi

Support for grid3-user-vo-maptxt generation carcassi

Many many other refinements carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi

1 7 C H A N G E S 67

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Installation through RPMs (cron jobs installedautomatically)

carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 06 - 2004-07-01

Type Changes By

XML configuration file for mapping policy carcassi

Log infrastructure carcassi

More flexible architecture carcassi

Decoupled grid-mapfile generation fromdatabase caching for distribution ongatekeeper

carcassi

Web interface to generate grid-mapfiles andmap users

carcassi

Better command line interfaces (feel like Unixcommands)

carcassi

Release 05 - 2004-05-20

Type Changes By

GUMS in production at BNL carcassi

NISMapperretrieves the GECOS field andmatches with certificate CN

carcassi

Architecture to allow different type ofmappings for different hosts

carcassi

Release undetermined - before March 2004

1 7 C H A N G E S 68

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Page 44: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

1.3.1.2 Examples

Configuration examples

Mapping people from a VOMS server

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas"
    voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem"
    matchFQAN="VO" acceptProxyWithoutFQAN="true" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

Allowing ad-hoc list of people

<groupMapping name="testers">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="testers" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="testers" />

Using account pools

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas"
    voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlas" />

> bin/gums pool-addRange mysql bnlPool grid0000-199

Composite mapping

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas"
    voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="bnlMap" />
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="bnlPool" />
  </compositeAccountMapping>
</groupMapping>

Mapping based on groups/roles

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlas"
    voGroup="/atlas/usatlas"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1" />
</groupMapping>

<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.cern.ch:8443/edg-voms-admin/atlas/services/VOMSAdmin"
    persistenceFactory="mysql" name="usatlasProd"
    voGroup="/atlas" voRole="production"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
</groupMapping>

<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas" />

1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@testgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
generateGridMapfile - Generate grid-mapfile for a given service/host
manualGroup-add - Includes a DN in a group
manualGroup-remove - Removes a DN from a group
manualMapping-add - Adds a DN-to-username in a mapping
manualMapping-remove - Removes a DN from a mapping
mapUser - Local credential used for a particular user
mapfileCache-refresh - Regerates mapfiles in the cache
pool-addRange - Adds accounts to an account pool
updateGroups - Contact VO servers and retrieve user lists
version - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
 -s,--service <arg>     DN of the service. When using gums-host it defaults
                        to the host credential DN.
 -f,--fqan <arg>        Fully Qualified Attribute Name as it would be
                        selected using voms-proxy-init: no extended information by
                        default.
 -t,--timing <arg>      enables timing, grouping the requests. For example,
                        -t 100 will give you timing information on 100 requests at a
                        time.
 -b,--bypassCallout     connects directly to GUMS instead of using the
                        callout.
 -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the
                        DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>      number of times the request will be repeated.
    --help              print this message.

Service mapping generation commands

gums mapUser

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@testgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
    persistenceFactory="mysql" name="myvo"
    voGroup="/myvo"
    sslCertfile="/etc/grid-security/hostcert.pem"
    sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@testgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40
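Added example (not code from the GUMS project): a Python model of how a gums.config like the ones in 1.3.1.2 resolves the `gums mapUser` and `gums generateGridMapfile` requests shown above. The VOMS membership, manual map and account pool are constructed stand-ins for what GUMS reads from VOMS and MySQL, the config is trimmed to the attributes the decision uses, and the DNs and account names are made up; element, attribute and class names are the page's.

```python
"""Added example, not GUMS code: a model of the gums.config mapping policy.
What GUMS would fetch from VOMS or MySQL is constructed inline below."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed config in the vocabulary of the "Composite mapping" and
# "Mapping based on groups/roles" examples (url/sslCertfile/sslKey omitted).
CONFIG = """<gums>
<groupMapping name="usatlasProd" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlasProd" voGroup="/atlas" voRole="production"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod"/>
</groupMapping>
<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup className="gov.bnl.gums.VOMSGroup" name="usatlas" voGroup="/atlas/usatlas" acceptProxyWithoutFQAN="true"/>
  <compositeAccountMapping>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" name="bnlMap"/>
    <accountMapping className="gov.bnl.gums.AccountPoolMapper" name="bnlPool"/>
  </compositeAccountMapping>
</groupMapping>
<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas"/>
</gums>"""

PEOPLE = "/DC=org/DC=doegrids/OU=People/CN="
# Constructed stand-ins for the VOMS member lists and MySQL tables GUMS caches.
VOMS_MEMBERS = {"usatlasProd": {PEOPLE + "Alice Prod 1"},
                "usatlas": {PEOPLE + "Alice Prod 1", PEOPLE + "Bob User 2", PEOPLE + "Carol User 3"}}
MANUAL_MAPS = {"bnlMap": {PEOPLE + "Bob User 2": "bob"}}
POOLS = {"bnlPool": ["grid0001", "grid0000"]}   # deliberately unsorted
POOL_ASSIGNMENTS = {"bnlPool": {}}              # DN -> pooled account, sticky


def load_config(text=CONFIG):
    return ET.fromstring(text)


def is_member(ug, user_dn, fqan):
    """VOMSGroup membership: DN listed by VOMS, and the FQAN fits voGroup/voRole."""
    if user_dn not in VOMS_MEMBERS.get(ug.get("name"), set()):
        return False
    if fqan is None:  # plain proxy: only groups that accept one match
        return ug.get("acceptProxyWithoutFQAN") == "true"
    group, _, role = fqan.partition("/Role=")
    want_group, want_role = ug.get("voGroup"), ug.get("voRole")
    if group != want_group and not group.startswith(want_group + "/"):
        return False
    return want_role is None or role == want_role


def map_account(am, user_dn):
    """One accountMapping element -> local account, or None if it has none."""
    cls, name = am.get("className"), am.get("name")
    if cls == "gov.bnl.gums.GroupAccountMapper":
        return am.get("groupName")
    if cls == "gov.bnl.gums.ManualAccountMapper":
        return MANUAL_MAPS.get(name, {}).get(user_dn)
    if cls == "gov.bnl.gums.AccountPoolMapper":
        assigned = POOL_ASSIGNMENTS[name]
        if user_dn not in assigned:
            # pool accounts are handed out in alphabetical order (1.0.0 changelog)
            free = sorted(set(POOLS[name]) - set(assigned.values()))
            if not free:
                return None
            assigned[user_dn] = free[0]
        return assigned[user_dn]
    raise ValueError("unsupported accountMapping " + cls)


def map_user(root, service_dn, user_dn, fqan=None):
    """Model of `gums mapUser`: hostGroup by service CN, then first matching group."""
    host_cn = service_dn.rsplit("/CN=", 1)[1]
    for hg in root.findall("hostGroup"):
        if fnmatch.fnmatchcase(host_cn, hg.get("cn")):
            groups = hg.get("groups").split(",")
            break
    else:
        return None  # no host group covers this service: nothing is mapped
    by_name = {gm.get("name"): gm for gm in root.findall("groupMapping")}
    for gm in (by_name[g] for g in groups):
        if not is_member(gm.find("userGroup"), user_dn, fqan):
            continue
        composite = gm.find("compositeAccountMapping")
        mappers = (composite if composite is not None else gm).findall("accountMapping")
        for am in mappers:  # composite: the first mapper that yields an account wins
            account = map_account(am, user_dn)
            if account:
                return account
    return None


def generate_gridmapfile(root, service_dn):
    """grid-mapfile lines, simulating every known DN with no FQAN (1.0.0 changelog)."""
    lines = []
    for dn in sorted(set().union(*VOMS_MEMBERS.values())):
        account = map_user(root, service_dn, dn)
        if account:
            lines.append('"%s" %s' % (dn, account))
    return lines


if __name__ == "__main__":
    cfg = load_config()
    gk = "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
    print(map_user(cfg, gk, PEOPLE + "Alice Prod 1", "/atlas/Role=production"))
    print("\n".join(generate_gridmapfile(cfg, gk)))
```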

1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
generateGridMapfile - Generate grid-mapfile for this host
mapUser - Local credential used for a particular user
version - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f
FQAN] [-i FQANISSUER] USERDN1 [USERDN2] ...
Maps the grid identity to the local user.
Options:
 -s,--service <arg>     DN of the service. When using gums-host it defaults
                        to the host credential DN.
 -f,--fqan <arg>        Fully Qualified Attribute Name as it would be
                        selected using voms-proxy-init: no extended information by
                        default.
 -t,--timing <arg>      enables timing, grouping the requests. For example,
                        -t 100 will give you timing information on 100 requests at a
                        time.
 -b,--bypassCallout     connects directly to GUMS instead of using the
                        callout.
 -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the
                        DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>      number of times the request will be repeated.
    --help              print this message.

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");

1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate

1.7 Changes

Release History

Version        Date                Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (author in parentheses):
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to GECOS field available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (gLite) compatibility (carcassi)
- Support for mapfile cache terminated: web service door only (carcassi)
- FQAN allows for '-', '_' and '.' in the VO, group, role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (author in parentheses):
- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (author in parentheses):
- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now gums/host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Gridmapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (author in parentheses):
- Log names reviewed so that both client and server logs can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use them (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3: both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)

Release 0.7 - 2005-01-14

Changes (author in parentheses):
- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (author in parentheses):
- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests to Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (author in parentheses):
- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (author in parentheses):
- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches with certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (author in parentheses):
- Script to fetch user from VOMS (dtyu)
- Script to map user to local account (tomw)

Page 45: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=testers gt

Using account pools

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgtltaccountMapping className=govbnlgumsAccountPoolMapper

persistenceFactory=mysql name=bnlPool gtltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlas gt

gt bingums pool-addRange mysql bnlPool grid0000-199

Composite mapping

1 3 1 2 E X A M P L E S 40

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgtltcompositeAccountMappinggt

ltaccountMapping className=govbnlgumsManualAccountMapperpersistenceFactory=mysql name=bnlMap gt

ltaccountMapping className=govbnlgumsAccountPoolMapperpersistenceFactory=mysql name=bnlPool gt

ltcompositeAccountMappinggtltgroupMappinggt

Mapping based on groupsroles

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgtltaccountMapping className=govbnlgumsGroupAccountMapper

groupName=usatlas1 gtltgroupMappinggt

ltgroupMapping name=usatlasProd accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasProdvoGroup=atlas voRole=productionsslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgt

1 3 1 2 E X A M P L E S 41

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatprod gt

ltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlasProdusatlas gt

1 3 1 2 E X A M P L E S 42

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

132 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1 3 2 G U M S C O M M A N D S 43

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1321 bingums

bingums

Authentication and authorization

bingums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version
For help on any command:
  gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
  -s,--service <arg>     DN of the service. When using gums-host it defaults
                         to the host credential DN.
  -f,--fqan <arg>        Fully Qualified Attribute Name, as it would be
                         selected using voms-proxy-init. No extended information by default.
  -t,--timing <arg>      Enables timing, grouping the requests. For example,
                         -t 100 will give you timing information on 100 requests at a time.
  -b,--bypassCallout     Connects directly to GUMS instead of using the callout.
  -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the
                         DN of the VOMS service that issued the attribute certificate.
  -n,--ntimes <arg>      Number of times the request will be repeated.
  --help                 Print this message.

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo usatlas ----
usatlas1 usatlas
#---- accounts for vo ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc"/>
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
    <userGroup className="gov.bnl.gums.VOMSGroup"
        url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
        persistenceFactory="mysql" name="myvo" voGroup="/myvo"
        sslCertfile="/etc/grid-security/hostcert.pem"
        sslKey="/etc/grid-security/hostkey.pem"/>
    <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1"/>
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40
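The policy that the gums.config fragments and the mapUser, generateGridMapfile and manual-mapping commands above work on, as an added example in Python (this is a model written for this page, not GUMS code): a hostGroup with an ordered list of groupMappings, VOMSGroup matching on the voGroup and voRole of the caller's FQAN, a GroupAccountMapper, and a ManualAccountMapper whose table is what manualMapping-add fills. The DNs, the VO member lists and the suffix match of the service CN against the hostGroup cn are assumptions of the model.

```python
"""Toy model of the GUMS mapping policy in this section (added example, not GUMS
code). It covers only what the gums.config fragments use: a VOMSGroup matched on
the voGroup/voRole of the user's FQAN, a GroupAccountMapper (one fixed account),
a ManualAccountMapper (DN -> account table kept with `gums manualMapping-add`) and
one hostGroup listing, in order, the groupMappings a service may use. DNs, FQANs
and VO member lists are constructed; suffix-matching the service CN is assumed.
"""
from dataclasses import dataclass, field
from typing import Optional


def split_fqan(fqan):
    """'/atlas/Role=production/Capability=NULL' -> ('/atlas', 'production')"""
    group, _, rest = fqan.partition("/Role=")
    role = rest.split("/Capability=")[0]
    return group, (None if role in ("", "NULL") else role)


@dataclass
class VOMSGroup:
    vo_group: str
    vo_role: Optional[str] = None              # None: the group accepts any role
    members: set = field(default_factory=set)  # stand-in for the list fetched from VOMS

    def matches(self, dn, fqan):
        if dn not in self.members:
            return False
        if fqan is None:                       # proxy without attributes: role-less groups only
            return self.vo_role is None
        group, role = split_fqan(fqan)
        return group == self.vo_group and self.vo_role in (None, role)


@dataclass
class GroupAccountMapper:
    group_name: str

    def map(self, dn):
        return self.group_name


@dataclass
class ManualAccountMapper:
    table: dict = field(default_factory=dict)

    def map(self, dn):
        return self.table.get(dn)              # None: fall through to the next groupMapping


@dataclass
class GroupMapping:
    name: str
    user_group: VOMSGroup
    account_mapping: object


class Policy:
    def __init__(self, cn_suffix, group_mappings):
        self.cn_suffix = cn_suffix             # hostGroup cn (assumed suffix match)
        self.group_mappings = group_mappings   # hostGroup groups, first match wins

    def serves(self, service_dn):
        return service_dn.rsplit("/CN=", 1)[-1].endswith(self.cn_suffix)

    def map_user(self, service_dn, user_dn, fqan=None):
        """What `gums mapUser` answers: the local account, or None when denied."""
        if not self.serves(service_dn):
            return None
        for gm in self.group_mappings:
            if gm.user_group.matches(user_dn, fqan):
                account = gm.account_mapping.map(user_dn)
                if account is not None:
                    return account
        return None

    def grid_mapfile(self, service_dn):
        """grid-mapfile lines: every member tried with no FQAN, each DN listed once."""
        lines, seen = [], set()
        for gm in self.group_mappings:
            for dn in sorted(gm.user_group.members - seen):
                account = self.map_user(service_dn, dn)
                if account:
                    seen.add(dn)
                    lines.append(f'"{dn}" {account}')
        return lines


# The policy from the fragments above, with constructed DNs and member lists.
CARCASSI = "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
ORELLANA = "/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894"
GATEKEEPER = "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"

POLICY = Policy("mysite.com", [
    GroupMapping("usatlasProd", VOMSGroup("/atlas", "production", {CARCASSI}),
                 GroupAccountMapper("usatprod")),
    GroupMapping("usatlas", VOMSGroup("/atlas/usatlas", None, {CARCASSI, ORELLANA}),
                 GroupAccountMapper("usatlas1")),
    GroupMapping("example2", VOMSGroup("/myvo", None, {CARCASSI, ORELLANA}),
                 ManualAccountMapper({CARCASSI: "carcassi"})),  # ORELLANA has no entry
])

if __name__ == "__main__":
    print(POLICY.map_user(GATEKEEPER, CARCASSI, "/atlas/Role=production"))  # usatprod
    print("\n".join(POLICY.grid_mapfile(GATEKEEPER)))
```

A member of the VOMS group behind example2 with no row in the manual table falls through every groupMapping and is denied, which is the mapUser outcome to check when a user reports "Authorization denied".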


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version
For help on any command:
  gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
  -s,--service <arg>     DN of the service. When using gums-host it defaults
                         to the host credential DN.
  -f,--fqan <arg>        Fully Qualified Attribute Name, as it would be
                         selected using voms-proxy-init. No extended information by default.
  -t,--timing <arg>      Enables timing, grouping the requests. For example,
                         -t 100 will give you timing information on 100 requests at a time.
  -b,--bypassCallout     Connects directly to GUMS instead of using the callout.
  -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the
                         DN of the VOMS service that issued the attribute certificate.
  -n,--ntimes <arg>      Number of times the request will be repeated.
  --help                 Print this message.

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile


[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line
# line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo usatlas ----
usatlas1 usatlas
#---- accounts for vo ivdgl ----
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrator's log (gums-service-admin.log)

Developer's log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrator's log

Developer's log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test"/>


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version        Date                Description
1.1.0          2005-07-20
1.0.1          2005-04-07
1.0.0          2005-03-16
0.7.1          2005-02-01
0.7            2005-01-14
0.6.1          2004-08-10
0.6            2004-07-01
0.5            2004-05-20
undetermined   before March 2004

Release 1.1.0 - 2005-07-20

Changes (by)
Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
Mapping according to Gecos field available in both NIS and LDAP (carcassi)
One can filter on the full CN of a host certificate (carcassi)
The Service Certificate DN is now the identifier for hosts and machines (carcassi)
Release version in command line (carcassi)
If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
Minor updates to the web interface (carcassi)
VOMS Admin v1.0.x (gLite) compatibility (carcassi)
Support for mapfile cache terminated, web service door only (carcassi)
FQAN allows for -, _ and . in the VO, group, role and capability (carcassi)
DB reviewed: better indexing and transaction use (carcassi)
Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by)
Including setupDatabase with the modification made for VDT (carcassi)
gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by)
Repackaging of the client components: merged admin and host and named it client (carcassi)
Fixed minor issues with authorization obligations for storage system (mlorch)
Double add to a manual group now fails (carcassi)
Script that creates the database and changes the configuration accordingly (carcassi)
Repackaging of the service component (carcassi)
Server identity is now gums host name (carcassi)
GUMS accepts new style proxies (carcassi)
The accounts in the pool are used in alphabetical order (carcassi)
Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
Gridmapfile is generated simulating users with no FQAN (carcassi)
LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by)
Log names reviewed so that both client and server can stay (through links) in the same directory (carcassi)
NIS update is done every hour and is now thread safe (carcassi)
Log file permissions for the command line tools are set so multiple users can use it (important for admin) (carcassi)
GUMS host can now be used for stress testing and timing the server response (carcassi)
Added connection pooling on mysql server (carcassi)
Solved a race condition that would make GUMS hang in some circumstances (carcassi)
AuthZ callout without GT3, both client and server stubs (mlorch)
Added code for Privilege Project in GUMS repository and build process (carcassi)

Release 0.7 - 2005-01-14

Changes (by)
Better logging: server logs all commands with both input and output (carcassi)
More complete command line interface (carcassi)
Web service implementation (carcassi)
HostWildcards can be more than one, comma separated (carcassi)
Support for VOMS Fully Qualified Attribute names (carcassi)
AuthZ service to be contacted by Globus callout (carcassi)
Support for grid3-user-vo-map.txt generation (carcassi)
Many many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by)
Nightly build and reporting with Maven (carcassi)
Removed all the old code from 0.6 (carcassi)
Better log system: logs for developer, resource admin and site admin in place (carcassi)
Ability to retrieve groups from within a VOMS server (finally) (carcassi)
No more duplication in the mapfiles (carcassi)
Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
Installation through RPMs (cron jobs installed automatically) (carcassi)
Unit tests to Grid3 VOs included (carcassi)
LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by)
XML configuration file for mapping policy (carcassi)
Log infrastructure (carcassi)
More flexible architecture (carcassi)
Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
Web interface to generate grid-mapfiles and map users (carcassi)
Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by)
GUMS in production at BNL (carcassi)
NISMapper retrieves the GECOS field and matches with certificate CN (carcassi)
Architecture to allow different type of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (by)
Script to fetch user from VOMS (dtyu)
Script to map user to local account (tomw)

Page 46: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgtltcompositeAccountMappinggt

ltaccountMapping className=govbnlgumsManualAccountMapperpersistenceFactory=mysql name=bnlMap gt

ltaccountMapping className=govbnlgumsAccountPoolMapperpersistenceFactory=mysql name=bnlPool gt

ltcompositeAccountMappinggtltgroupMappinggt

Mapping based on groupsroles

ltgroupMapping name=usatlas accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasvoGroup=atlasusatlas sslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgtltaccountMapping className=govbnlgumsGroupAccountMapper

groupName=usatlas1 gtltgroupMappinggt

ltgroupMapping name=usatlasProd accountingVo=usatlas accountingDesc=ATLASgtltuserGroup className=govbnlgumsVOMSGroupurl=httpsvomscernch8443edg-voms-adminatlasservicesVOMSAdminpersistenceFactory=mysql name=usatlasProdvoGroup=atlas voRole=productionsslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypemgt

1 3 1 2 E X A M P L E S 41

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltaccountMapping className=govbnlgumsGroupAccountMappergroupName=usatprod gt

ltgroupMappinggt

lthostGroup className=govbnlgumsCertificateHostGroupcn=mysitecom groups=usatlasProdusatlas gt

1 3 1 2 E X A M P L E S 42

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

132 GUMS commands

GUMS command line tools

List of client tools

List of server tools

1 3 2 G U M S C O M M A N D S 43

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1321 bingums

bingums

Authentication and authorization

bingums commands

[carcassiatestgk01 ~]$ optgumsbingumsusage gums command [command-options]CommandsgenerateGrid3UserVoMap - Generate grid3-user-vo-maptxt for a given servicehostgenerateGridMapfile - Generate grid-mapfile for a given servicehostmanualGroup-add - Includes a DN in a groupmanualGroup-remove - Removes a DN from a groupmanualMapping-add - Adds a DN-to-username in a mappingmanualMapping-remove - Removes a DN from a mappingmapUser - Local credential used for a particular usermapfileCache-refresh - Regerates mapfiles in the cachepool-addRange - Adds accounts to an account poolupdateGroups - Contact VO servers and retrieve user listsversion - Retrieve GUMS client version

For help on any commandgums command --help

[carcassiatestgk01 ~]$ optgumsbingums mapUser --helpusage gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f

FQAN] [-i FQANISSUER] USERDN1 [USERDN2] Maps the grid identity to the local userOptions-s--service ltarggt DN of the service When using gums-host it defaults

1 3 2 1 B I N G U M S 44

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

to the host credential DN-f--fqan ltarggt Fully Qualified Attribute Name as it would be

selected using voms-proxy-init no extended information bydefault-t--timing ltarggt enables timing grouping the requests For example

-t 100 will give you timing information on 100 requests at atime-b--bypassCallout connects directly to GUMS instead of using the

callout-i--issuer ltarggt Fully Qualified Attribute Name Issuer that is the

DN of the VOMS service that issued the attribute certificate-n--ntimes ltarggt number of times the request will be repeated

--help print this message

Service mapping generation commands

gums mapUser

[carcassiatestgk01 ~]$ optgumsbingums mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName grid12345]

[carcassiatestgk01 ~]$ optgumsbingums mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom -f myvoRole=role1 -i DC=orgDC=doegridsOU=ServiceCN=vomsmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName special1]

1 3 2 1 B I N G U M S 45

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

gums generateGridMapfile

[carcassiatestgk01 ~]$ optgumsbingums generateGridMapfileDC=orgDC=doegridsOU=ServicesCN=gatekeepermysitecom---- members of vo usatlas ----C=CHO=CERNOU=GRIDCN=Frederik Orellana 5894 usatlas1C=CHO=CERNOU=GRIDCN=Michela Biglietti 4798 usatlas1C=CHO=CERNOU=GRIDCN=Miguel De Oliveira Branco 2423 usatlas1C=CHO=CERNOU=GRIDCN=Shulamit Moed 9840 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alden Stradling 409738 usatlas1DC=orgDC=doegridsOU=PeopleCN=Aldo Saavedra 942457 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alexandre V Vaniachine 778117 usatlas1

gums generateGrid3UserVoMap

[carcassiatestgk01 ~]$ optgumsbingums generateGrid3UserVoMapDC=orgDC=doegridsOU=ServicesCN=testmysitecomUser-VO map comment line format of each regular line line account VO Next 2 lines with VO names same order all lowercase with case (lines startingwith voi VOc)voi usatlas ivdgl ligo btev uscms sdss gridex graseVOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE---- accounts for vo usatlas ----usatlas1 usatlas---- accounts for vo ivdgl ----ivdgl ivdgl

Manual groups and mappings managements commands

1 3 2 1 B I N G U M S 46

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltgroupMapping name=example1 accountingVo=myvo accountingDesc=myVogtltuserGroup className=govbnlgumsManualUserGroup persistenceFactory=mysql

name=group1 gtltaccountMapping className=govbnlgumsGroupAccountMapper groupName=myacc

gtltgroupMappinggt

ltgroupMapping name=example2 accountingVo=myvo accountingDesc=myVogtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvomsmysitecom8443edg-voms-admin-myvoservicesVOMSAdminpersistenceFactory=mysql name=myvovoGroup=myvosslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypem gt

ltaccountMapping className=govbnlgumsManualAccountMapperpersistenceFactory=mysql name=map1gt

ltgroupMappinggt

gums manualGroup-add

[carcassiatestgk01 ~]$ optgumsbingums manualGroup-add mysql group1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

gums manualGroup-remove

[carcassiatestgk01 ~]$ optgumsbingums manualGroup-remove mysql group1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

gums manualMapping-add

1 3 2 1 B I N G U M S 47

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[carcassiatestgk01 ~]$ optgumsbingums manualMapping-add mysql map1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345 carcassi

gums manualMapping-remove

[carcassiatestgk01 ~]$ optgumsbingums manualMapping-remove mysql map1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

Other commands

gums updateGroups

[carcassiatestgk01 ~]$ optgumsbingums updateGroups

gums pool-addRange

[carcassiatestgk01 ~]$ optgumsbingums pool-addRange mysql pool1 grid0020-40

1 3 2 1 B I N G U M S 48

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1322 bingums-host

bingums-host

Authentication and authorization

bingums-host commands

[rootmygk bin]$ gums-hostusage gums-host command [command-options]CommandsgenerateGrid3UserVoMap - Generate grid3-user-vo-maptxt for this hostgenerateGridMapfile - Generate grid-mapfile for this hostmapUser - Local credential used for a particular userversion - Retrieve GUMS client version

For help on any commandgums-host command --help

[rootmygk bin] gums-host mapUser --helpusage gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f

FQAN] [-i FQANISSUER] USERDN1 [USERDN2] Maps the grid identity to the local userOptions-s--service ltarggt DN of the service When using gums-host it defaults

to the host credential DN-f--fqan ltarggt Fully Qualified Attribute Name as it would be

selected using voms-proxy-init no extended information bydefault-t--timing ltarggt enables timing grouping the requests For example

-t 100 will give you timing information on 100 requests at a

1 3 2 2 B I N G U M S - H O S T 49

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

time-b--bypassCallout connects directly to GUMS instead of using the

callout-i--issuer ltarggt Fully Qualified Attribute Name Issuer that is the

DN of the VOMS service that issued the attribute certificate-n--ntimes ltarggt number of times the request will be repeated

--help print this message

Service mapping generation commands

gums-host mapUser

[rootmygk bin] gums-host mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName grid12345]

[rootmygk bin] gums-host mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom -f myvoRole=role1 -i DC=orgDC=doegridsOU=ServiceCN=vomsmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName special1]

gums generateGridMapfile

1 3 2 2 B I N G U M S - H O S T 50

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[rootmygk bin] gums-host generateGridMapfile---- members of vo usatlas ----C=CHO=CERNOU=GRIDCN=Frederik Orellana 5894 usatlas1C=CHO=CERNOU=GRIDCN=Michela Biglietti 4798 usatlas1C=CHO=CERNOU=GRIDCN=Miguel De Oliveira Branco 2423 usatlas1C=CHO=CERNOU=GRIDCN=Shulamit Moed 9840 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alden Stradling 409738 usatlas1DC=orgDC=doegridsOU=PeopleCN=Aldo Saavedra 942457 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alexandre V Vaniachine 778117 usatlas1

gums generateGrid3UserVoMap

[rootmygk bin] gums-host generateGrid3UserVoMapUser-VO map comment line format of each regular line line account VO Next 2 lines with VO names same order all lowercase with case (lines startingwith voi VOc)voi usatlas ivdgl ligo btev uscms sdss gridex graseVOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE---- accounts for vo usatlas ----usatlas1 usatlas---- accounts for vo ivdgl ----ivdgl ivdgl

1 3 2 2 B I N G U M S - H O S T 51

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

133 GUMS logs

GUMS Logs

Administrators log (gums-service-adminlog)

Developers log

Site security log

1 3 3 G U M S L O G S 52

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[rootatlasgrid13 log] cat etcsysconfigsyslog Options to syslogd -m 0 disables MARK messages -r enables logging from remote machines -x disables DNS lookups on messages recieved with -r See syslogd(8) for more detailsSYSLOGD_OPTIONS=-r -m 0 Options to klogd -2 prints all kernel oops messages twice once for klogd to decode and once for processing with ksymoops -x disables all klogd processing of oops messages entirely See klogd(8) for more detailsKLOGD_OPTIONS=-x

1 3 3 G U M S L O G S 53

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1331 Logging implementation details

Log implementation details

Administrators log

Developers log

1 3 3 1 L O G G I N G I M P L E M E N T A T I O N D E T A I L S 54

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Site security log

1 3 3 1 L O G G I N G I M P L E M E N T A T I O N D E T A I L S 55

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

14 Site integration

Integrating GUMS and site services

if you choose to print this you might alsowant to print the code to which the online version of this article links

Changing storage for GUMS data

1 4 S I T E I N T E G R A T I O N 56

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

throw new javalangUnsupportedOperationException()

Creating a mapping policy

ltaccountMapping className=govbnlgumsGroupAccountMapper groupName=test gt

1 4 S I T E I N T E G R A T I O N 57

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Creating a group

throw new javalangUnsupportedOperationException(Group cannot be enumerated)

1 4 S I T E I N T E G R A T I O N 58

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

15 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

1 5 F A Q 59

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Using GUMS

Building GUMS

Comparing GUMS with other tools

1 5 F A Q 60

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1 5 F A Q 61

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

1 6 T R O U B L E S H O O T I N G F A Q 62

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Access problems

GUMS encountered an errorError Type govbnlgumsadminAuthorizationDeniedExceptionError Message Authorization denied

VDT_LOCATIONapachelogs[Tue Jun 07 150245 2005] [error] Certificate Verification Error (20) unableto get local issuer certificate

1 6 T R O U B L E S H O O T I N G F A Q 63

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

17 Changes

Release History

Version Date Description

110 2005-07-20

101 2005-04-07

100 2005-03-16

071 2005-02-01

07 2005-01-14

061 2004-08-10

06 2004-07-01

05 2004-05-20

undetermined before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 1.0.1 - 2005-04-07

Changes | By
Including setupDatabase with the modification made for VDT | carcassi
gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) | carcassi
Error code from scripts was incorrect; that caused the cron job to update maps in case of error too | carcassi

Release 1.0.0 - 2005-03-16

Changes | By
Repackaging of the client components: merged admin and host and named it client | carcassi
Fixed minor issues with authorization obligations for storage system | mlorch
Double add to a manual group now fails | carcassi
Script that creates the database and changes the configuration accordingly | carcassi
Repackaging of the service component | carcassi
Server identity is now the GUMS host name | carcassi
GUMS accepts new style proxies | carcassi
The accounts in the pool are used in alphabetical order | carcassi
Inverse map is now generated exploring all the DN/FQAN combinations | carcassi
Gridmapfile is generated simulating users with no FQAN | carcassi
LDAP integration for primary gid change at BNL once an account is assigned | carcassi

Release 0.7.1 - 2005-02-01

Changes | By
Log names reviewed so that both client and server can stay (through links) in the same directory | carcassi
NIS update is done every hour and is now thread safe | carcassi
Log file permissions for the command line tools are set so multiple users can use them (important for admin) | carcassi
GUMS host can now be used for stress testing and timing the server response | carcassi
Added connection pooling on MySQL server | carcassi
Solved a race condition that would make GUMS hang in some circumstances | carcassi
AuthZ callout without GT3, both client and server stubs | mlorch
Added code for Privilege Project in GUMS repository and build process | carcassi


Release 0.7 - 2005-01-14

Changes | By
Better logging: server logs all commands with both input and output | carcassi
More complete command line interface | carcassi
Web service implementation | carcassi
HostWildcards can be more than one, comma separated | carcassi
Support for VOMS Fully Qualified Attribute Names | carcassi
AuthZ service to be contacted by Globus callout | carcassi
Support for grid3-user-vo-map.txt generation | carcassi
Many, many other refinements | carcassi

Release 0.6.1 - 2004-08-10

Changes | By
Nightly build and reporting with Maven | carcassi
Removed all the old code from 0.6 | carcassi
Better log system: logs for developer, resource admin and site admin in place | carcassi
Ability to retrieve groups from within a VOMS server (finally) | carcassi
No more duplication in the mapfiles | carcassi
Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated | carcassi
Improved error handling (i.e. a failed update on one group doesn't block the others) | carcassi
Installation through RPMs (cron jobs installed automatically) | carcassi
Unit tests for Grid3 VOs included | carcassi
LDAP access improved: can access LCG dev VO | carcassi

Release 0.6 - 2004-07-01

Changes | By
XML configuration file for mapping policy | carcassi
Log infrastructure | carcassi
More flexible architecture | carcassi
Decoupled grid-mapfile generation from database caching for distribution on gatekeeper | carcassi
Web interface to generate grid-mapfiles and map users | carcassi
Better command line interfaces (feel like Unix commands) | carcassi

Release 0.5 - 2004-05-20

Changes | By
GUMS in production at BNL | carcassi
NISMapper retrieves the GECOS field and matches it with the certificate CN | carcassi
Architecture to allow different types of mappings for different hosts | carcassi

Release undetermined - before March 2004

Changes | By
Script to fetch user from VOMS | dtyu
Script to map user to local account | tomw


    <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatprod" />
  </groupMapping>

  <hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*.mysite.com" groups="usatlasProd,usatlas" />


1.3.2 GUMS commands

GUMS command line tools

List of client tools

List of server tools


1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
 generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
 generateGridMapfile    - Generate grid-mapfile for a given service/host
 manualGroup-add        - Includes a DN in a group
 manualGroup-remove     - Removes a DN from a group
 manualMapping-add      - Adds a DN-to-username in a mapping
 manualMapping-remove   - Removes a DN from a mapping
 mapUser                - Local credential used for a particular user
 mapfileCache-refresh   - Regerates mapfiles in the cache
 pool-addRange          - Adds accounts to an account pool
 updateGroups           - Contact VO servers and retrieve user lists
 version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>    DN of the service. When using gums-host, it defaults to the host credential DN.
 -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default.
 -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
 -b,--bypassCallout    connects directly to GUMS instead of using the callout.
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>     number of times the request will be repeated.
    --help             print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl

Manual groups and mappings management commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup" url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin" persistenceFactory="mysql" name="myvo" voGroup="/myvo" sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40
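The policy behind these commands, as an added Python model written for this page (it is not GUMS code): a groupMapping pairs a userGroup (who is a member) with an accountMapping (which local account), a hostGroup selects the ordered list of groupMappings a service certificate sees, and mapUser walks that list. The model ties together the gums.config fragments above, the manualGroup-add / manualMapping-add / pool-addRange commands, and the grid-mapfile generation shown earlier. The DNs and the pool range are constructed from the page's examples; the evaluation order (first groupMapping that yields an account wins), the reading of "grid0020-40" as grid0020 through grid0040, and the rule that a Role-qualified VOMS group only matches when that FQAN is presented are assumptions, not documented GUMS behaviour.

```python
"""How a gums.config mapping policy turns a grid identity into a local account.
Added illustration, not GUMS code: names mirror the page's config elements;
evaluation order, pool-range syntax and FQAN handling are assumptions."""
import fnmatch
import re


class UserGroup:
    """ManualUserGroup (DN list kept with manualGroup-add) or VOMSGroup (DN list pulled by
    updateGroups, constructed here). match_fqan=True models a Role-qualified VOMS group."""
    def __init__(self, name, members=(), vo_group=None, match_fqan=False):
        self.name, self.members = name, set(members)
        self.vo_group, self.match_fqan = vo_group, match_fqan
    def add(self, dn):  # manualGroup-add; page: a double add to a manual group fails
        if dn in self.members:
            raise ValueError(f"{dn} is already in group {self.name}")
        self.members.add(dn)
    def contains(self, dn, fqan=None):
        if dn not in self.members:
            return False
        return not self.match_fqan or (fqan is not None and fqan.startswith(self.vo_group))


def group_account_mapper(group_name):  # GroupAccountMapper: every member shares one account
    return lambda dn: group_name


def manual_account_mapper(table):  # ManualAccountMapper: DN -> account (manualMapping-add)
    return dict(table).get


class PoolAccountMapper:  # pool-addRange accounts, handed out in alphabetical order
    def __init__(self, spec):
        # "grid0020-40" read as grid0020 .. grid0040, padded like the low end (assumption)
        m = re.fullmatch(r"([A-Za-z_]+)(\d+)-(\d+)", spec)
        if not m or int(m[3]) < int(m[2]):
            raise ValueError(f"bad pool range: {spec}")
        self.free = sorted(f"{m[1]}{i:0{len(m[2])}d}" for i in range(int(m[2]), int(m[3]) + 1))
        self.assigned = {}
    def __call__(self, dn):
        if dn not in self.assigned and self.free:
            self.assigned[dn] = self.free.pop(0)  # sticky: a DN keeps its account
        return self.assigned.get(dn)  # None once the pool is exhausted


class Gums:
    def __init__(self, group_mappings, host_groups):
        self.group_mappings = group_mappings  # name -> (accountingVo, UserGroup, mapper)
        self.host_groups = host_groups  # [(service-cert CN pattern, [groupMapping names])]
    def mappings_for(self, service_dn):
        cn = service_dn.rsplit("/CN=", 1)[-1]  # hostGroup filters on the service cert CN
        for pattern, names in self.host_groups:
            if fnmatch.fnmatchcase(cn, pattern):
                return [self.group_mappings[n] for n in names]
        return []  # unknown host: nothing is mapped
    def map_user(self, service_dn, user_dn, fqan=None):
        for _vo, group, mapper in self.mappings_for(service_dn):
            account = mapper(user_dn) if group.contains(user_dn, fqan) else None
            if account:
                return account  # first groupMapping that yields an account wins
        return None
    def generate_gridmapfile(self, service_dn):
        """Each member once, mapped as a user presenting no FQAN."""
        out, seen = [], set()
        for vo, group, _ in self.mappings_for(service_dn):
            if group.match_fqan:
                continue  # unreachable without an FQAN, so absent from the mapfile
            entries = []
            for dn in sorted(group.members - seen):
                account = self.map_user(service_dn, dn)
                if account:
                    seen.add(dn)
                    entries.append(f'"{dn}" {account}')
            if entries:
                out.append(f"#---- members of vo: {vo} ----#")
                out.extend(entries)
        return "\n".join(out)


def build_example():
    """Constructed policy: example1/example2 from the page plus a Role group and a pool."""
    carcassi = "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
    myvo = ["/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894",
            "/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798", carcassi]
    group1 = UserGroup("group1")
    group1.add("/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738")
    mappings = {
        "example1": ("myvo", group1, group_account_mapper("myacc")),
        "role1": ("myvo", UserGroup("myvoRole1", [carcassi], "/myvo/Role=role1", True),
                  group_account_mapper("special1")),
        "example2": ("myvo", UserGroup("myvo", myvo, "/myvo"), manual_account_mapper({carcassi: "carcassi"})),
        "example3": ("myvo", UserGroup("myvo", myvo, "/myvo"), PoolAccountMapper("grid0020-40")),
    }
    return Gums(mappings, [("*.mysite.com", ["example1", "role1", "example2", "example3"])])
```

With build_example(), the Carcassi DN maps to `carcassi` through the manual mapping, to `special1` only when `/myvo/Role=role1` is presented, and the CERN members, which no manual mapping covers, fall through to the pool and receive grid0020, grid0021, ... in order. A DN that no groupMapping yields an account for stays unmapped rather than falling back to a shared account, and a service whose certificate CN matches no hostGroup gets no mapping at all, which is the fail-closed behaviour a site wants from an authorization service.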


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
 generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
 generateGridMapfile    - Generate grid-mapfile for this host
 mapUser                - Local credential used for a particular user
 version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
 -s,--service <arg>    DN of the service. When using gums-host, it defaults to the host credential DN.
 -f,--fqan <arg>       Fully Qualified Attribute Name, as it would be selected using voms-proxy-init; no extended information by default.
 -t,--timing <arg>     enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
 -b,--bypassCallout    connects directly to GUMS instead of using the callout.
 -i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
 -n,--ntimes <arg>     number of times the request will be repeated.
    --help             print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----#
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line, line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----#
usatlas1 usatlas
#---- accounts for vo: ivdgl ----#
ivdgl ivdgl


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools



16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

1 6 T R O U B L E S H O O T I N G F A Q 62

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Access problems

GUMS encountered an errorError Type govbnlgumsadminAuthorizationDeniedExceptionError Message Authorization denied

VDT_LOCATIONapachelogs[Tue Jun 07 150245 2005] [error] Certificate Verification Error (20) unableto get local issuer certificate

1 6 T R O U B L E S H O O T I N G F A Q 63

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

17 Changes

Release History

Version Date Description

110 2005-07-20

101 2005-04-07

100 2005-03-16

071 2005-02-01

07 2005-01-14

061 2004-08-10

06 2004-07-01

05 2004-05-20

undetermined before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 100 - 2005-03-16

Type Changes By

Repackaging of the client componentsmerged admin and host and named it client

carcassi

Fixed minor issues with authorizationobligations for storage system

mlorch

Double add to a manual group now fails carcassi

1 7 C H A N G E S 65

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script that creates the database and changesthe configuration accordingly

carcassi

Repackaging of the service component carcassi

Server identity is now gums host name carcassi

GUMS accept new style proxies carcassi

The accounts in the pool are used inalphabetical order

carcassi

Inverse map is now generated exploring allthe DNFQAN combinations

carcassi

Gridmapfile is generated simulating userswith no FQAN

carcassi

LDAP integration for primary gid change atBNL once an account is assigned

carcassi

Release 071 - 2005-02-01

Type Changes By

Log names review so that they both client andserver can stay (through links) in the samedirectory

carcassi

NIS update is done every hour and is nowthread safe

carcassi

Log file permission for the command line toolsare set so multiple users can use it (importantfor admin)

carcassi

GUMS host can now be used for stresstesting and timing the server response

carcassi

Added connection pooling on mysql server carcassi

Solved a race condition that would makeGUMS hang in some circumstances

carcassi

AuthZ callout without GT3 both client andserver stubs

mlorch

Added code for Privilege Project in GUMSrepository and build process

carcassi

1 7 C H A N G E S 66

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Release 07 - 2005-01-14

Type Changes By

Better logging server logs all commands withboth input and output

carcassi

More complete command line interface carcassi

Web service implementation carcassi

HostWildcards can be more than one commaseparated

carcassi

Support for VOMS Fully Qualified Attributenames

carcassi

AuthZ service to be contacted by Globuscallout

carcassi

Support for grid3-user-vo-maptxt generation carcassi

Many many other refinements carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi

1 7 C H A N G E S 67

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Installation through RPMs (cron jobs installedautomatically)

carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 06 - 2004-07-01

Type Changes By

XML configuration file for mapping policy carcassi

Log infrastructure carcassi

More flexible architecture carcassi

Decoupled grid-mapfile generation fromdatabase caching for distribution ongatekeeper

carcassi

Web interface to generate grid-mapfiles andmap users

carcassi

Better command line interfaces (feel like Unixcommands)

carcassi

Release 05 - 2004-05-20

Type Changes By

GUMS in production at BNL carcassi

NISMapperretrieves the GECOS field andmatches with certificate CN

carcassi

Architecture to allow different type ofmappings for different hosts

carcassi

Release undetermined - before March 2004

1 7 C H A N G E S 68

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Page 49: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

1.3.2.1 bin/gums

bin/gums

Authentication and authorization

bin/gums commands

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums
usage: gums command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for a given service/host
  generateGridMapfile    - Generate grid-mapfile for a given service/host
  manualGroup-add        - Includes a DN in a group
  manualGroup-remove     - Removes a DN from a group
  manualMapping-add      - Adds a DN-to-username in a mapping
  manualMapping-remove   - Removes a DN from a mapping
  mapUser                - Local credential used for a particular user
  mapfileCache-refresh   - Regenerates mapfiles in the cache
  pool-addRange          - Adds accounts to an account pool
  updateGroups           - Contact VO servers and retrieve user lists
  version                - Retrieve GUMS client version

For help on any command: gums command --help

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
  -s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN.
  -f,--fqan <arg>        Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default.
  -t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
  -b,--bypassCallout     connects directly to GUMS instead of using the callout.
  -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
  -n,--ntimes <arg>      number of times the request will be repeated.
  --help                 print this message

Service mapping generation commands

gums mapUser

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]


gums generateGridMapfile

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands


<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
             persistenceFactory="mysql" name="myvo" voGroup="/myvo"
             sslCertfile="/etc/grid-security/hostcert.pem"
             sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add


[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums updateGroups

gums pool-addRange

[carcassi@atestgk01 ~]$ /opt/gums/bin/gums pool-addRange mysql pool1 grid0020-40


1.3.2.2 bin/gums-host

bin/gums-host

Authentication and authorization

bin/gums-host commands

[root@mygk bin]$ gums-host
usage: gums-host command [command-options]
Commands:
  generateGrid3UserVoMap - Generate grid3-user-vo-map.txt for this host
  generateGridMapfile    - Generate grid-mapfile for this host
  mapUser                - Local credential used for a particular user
  version                - Retrieve GUMS client version

For help on any command: gums-host command --help

[root@mygk bin]# gums-host mapUser --help
usage: gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f FQAN] [-i FQANISSUER] USERDN1 [USERDN2]
Maps the grid identity to the local user.
Options:
  -s,--service <arg>     DN of the service. When using gums-host it defaults to the host credential DN.
  -f,--fqan <arg>        Fully Qualified Attribute Name as it would be selected using voms-proxy-init; no extended information by default.
  -t,--timing <arg>      enables timing, grouping the requests. For example, -t 100 will give you timing information on 100 requests at a time.
  -b,--bypassCallout     connects directly to GUMS instead of using the callout.
  -i,--issuer <arg>      Fully Qualified Attribute Name Issuer, that is the DN of the VOMS service that issued the attribute certificate.
  -n,--ntimes <arg>      number of times the request will be repeated.
  --help                 print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums-host generateGridMapfile


[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums-host generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
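The grid-mapfile and grid3-user-vo-map.txt shown in the bin/gums and bin/gums-host transcripts are what the gatekeeper actually enforces and accounts against, so a site should sanity-check them before installing a newly generated pair. The following is an added example, not GUMS code or anything from the GUMS documentation: POSIX shell with awk that parses the grid-mapfile format shown above (quoted DN, then account), looks up the account for a DN, reports DNs that appear more than once, and reports accounts the grid-mapfile hands out that the user-VO map does not attribute to any VO. The sample file contents are constructed from the formats in the transcripts; the duplicate DN, the account missing from the VO map and the temporary file names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the GUMS documentation or code base.
# Consistency checks over the two files GUMS generates for a gatekeeper:
# the grid-mapfile ("DN" account) and grid3-user-vo-map.txt (account VO).
# The sample contents are constructed from the formats shown above; the
# duplicate DN and the account missing from the VO map are deliberate.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

GRIDMAP_SAMPLE='#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas2
"/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" grid12345'

VOMAP_SAMPLE='#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl'

printf '%s\n' "$GRIDMAP_SAMPLE" > "$TMP/grid-mapfile"
printf '%s\n' "$VOMAP_SAMPLE"   > "$TMP/grid3-user-vo-map.txt"

# mapfile_entries MAPFILE: print DN<TAB>account for each mapping line,
# skipping comments and blank lines. The DN is the quoted first field and
# may contain spaces, so it cannot be split on whitespace.
mapfile_entries() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        match($0, /^"[^"]*"/) {
            dn = substr($0, 2, RLENGTH - 2)
            rest = substr($0, RLENGTH + 1)
            sub(/^[ \t]+/, "", rest)
            split(rest, f, /[ \t]+/)
            printf "%s\t%s\n", dn, f[1]
        }' "$1"
}

# lookup_dn MAPFILE DN: the local account(s) a DN maps to, one per line.
lookup_dn() {
    mapfile_entries "$1" | awk -F '\t' -v dn="$2" '$1 == dn { print $2 }'
}

# duplicate_dns MAPFILE: DNs listed more than once. A DN mapped to two
# accounts means the account used depends on file order, not on policy.
duplicate_dns() {
    mapfile_entries "$1" | cut -f1 | sort | uniq -d
}

# unlisted_accounts MAPFILE VOMAP: accounts the grid-mapfile hands out that
# the user-VO map does not attribute to any VO, i.e. an accounting gap.
unlisted_accounts() {
    mapfile_entries "$1" | cut -f2 | sort -u > "$TMP/used"
    awk '!/^[ \t]*#/ && NF >= 2 { print $1 }' "$2" | sort -u > "$TMP/listed"
    comm -23 "$TMP/used" "$TMP/listed"
}

echo "== account for Gabriele Carcassi:"
lookup_dn "$TMP/grid-mapfile" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
echo "== DNs mapped more than once:"
duplicate_dns "$TMP/grid-mapfile"
echo "== accounts missing from grid3-user-vo-map.txt:"
unlisted_accounts "$TMP/grid-mapfile" "$TMP/grid3-user-vo-map.txt"
```

Point the functions at the files a gatekeeper will actually load (for a VDT install typically /etc/grid-security/grid-mapfile and the grid3-user-vo-map.txt it publishes) and run them from the same cron job that fetches the maps, so a duplicate DN or an unaccounted account is caught before the new files are installed.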


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

With -r, syslogd accepts messages on UDP port 514 from any host, with no authentication of the sender, so a collector configured this way should be reachable only from the hosts whose logs it is meant to receive.


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs/:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate
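The Apache message above is mod_ssl on the GUMS server rejecting the caller's certificate (a host certificate when gums-host is the caller, a user certificate for gums) because it cannot find the issuing CA in its trusted-CA directory; 20 is the OpenSSL verification error code for exactly that. The following is an added example, not GUMS or VDT code: it builds a throwaway CA and host certificate, installs the CA under the <subject_hash>.0 file name that OpenSSL's CApath lookup (and therefore Apache's SSLCACertificatePath) requires, and shows the same verification succeeding with the CA installed and failing with error 20 against an empty directory. The DNs, the temporary directory and the CApath layout are assumptions for the demonstration; the documentation itself only names /etc/grid-security/hostcert.pem and hostkey.pem.

```shell
#!/bin/sh
# Added example, not part of the GUMS documentation: reproduce and diagnose
# mod_ssl's "Certificate Verification: Error (20): unable to get local
# issuer certificate" with openssl. A throwaway CA and host certificate are
# generated in a temporary directory (constructed test data). The trusted-CA
# layout of <subject_hash>.0 files is the one OpenSSL's CApath lookup uses
# and is assumed here.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and a host certificate signed by it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/DC=org/DC=doegrids/OU=Certificate Authorities/CN=Example CA" \
        >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/hostkey.pem" -out "$WORK/host.csr" \
        -subj "/DC=org/DC=doegrids/OU=Services/CN=mygk.mysite.com" \
        >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/host.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/hostcert.pem" >/dev/null 2>&1
}

# install_ca CAPATH CACERT: copy a CA certificate into CAPATH under the
# <subject_hash>.0 name the verifier looks up. A CA dropped into the
# directory under any other name is silently ignored, which is one way to
# get error 20 even though "the CA is installed".
install_ca() {
    mkdir -p "$1"
    cp "$2" "$1/$(openssl x509 -noout -subject_hash -in "$2").0"
}

# verify_against CAPATH CERT: verify CERT the way mod_ssl verifies a client
# certificate against SSLCACertificatePath; prints OpenSSL's verdict and
# returns openssl's exit status.
verify_against() {
    mkdir -p "$1"
    openssl verify -CApath "$1" "$2" 2>&1
}

# fails_with_error_20 CAPATH CERT: true when verification fails with the
# exact error text seen in the Apache log.
fails_with_error_20() {
    verify_against "$1" "$2" | grep -q "unable to get local issuer certificate"
}

# issuer_of CERT: the issuer DN and its hash, i.e. the file name (<hash>.0)
# the issuing CA certificate must have in the CApath.
issuer_of() {
    openssl x509 -noout -issuer -issuer_hash -in "$1"
}

make_test_pki
install_ca "$WORK/trusted" "$WORK/ca.pem"
echo "== host certificate issuer and expected CApath file name (<hash>.0):"
issuer_of "$WORK/hostcert.pem"
echo "== verification with the CA installed:"
verify_against "$WORK/trusted" "$WORK/hostcert.pem"
echo "== verification against an empty CApath (the failure from the log):"
verify_against "$WORK/empty" "$WORK/hostcert.pem" || true
```

On a real GUMS server, run issuer_of against the certificate the client presents and compare the printed hash with the file names in the directory Apache's SSLCACertificatePath points to: a CA file that is missing, stored under a different name, or named with the pre-OpenSSL-1.0 hash (openssl x509 -subject_hash_old) produces exactly this error, while a cert whose CA is present but not yet authorized in GUMS produces the AuthorizationDeniedException above instead.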


1.7 Changes

Release History

Version       Date
1.1.0         2005-07-20
1.0.1         2005-04-07
1.0.0         2005-03-16
0.7.1         2005-02-01
0.7           2005-01-14
0.6.1         2004-08-10
0.6           2004-07-01
0.5           2004-05-20
undetermined  before March 2004

Release 1.1.0 - 2005-07-20

- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to Gecos field available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (gLite) compatibility (carcassi)
- Support for mapfile cache terminated; web service door only (carcassi)
- FQAN allows for '-', '_' and '.' in the vo, group, role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now gums host name (carcassi)
- GUMS accepts new style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Grid-mapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

- Log names review so that both client and server can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use it (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3, both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)

Release 0.7 - 2005-01-14

- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute Names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests to Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches it with the certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

- Script to fetch users from VOMS (dtyu)
- Script to map a user to a local account (tomw)

Page 50: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

to the host credential DN-f--fqan ltarggt Fully Qualified Attribute Name as it would be

selected using voms-proxy-init no extended information bydefault-t--timing ltarggt enables timing grouping the requests For example

-t 100 will give you timing information on 100 requests at atime-b--bypassCallout connects directly to GUMS instead of using the

callout-i--issuer ltarggt Fully Qualified Attribute Name Issuer that is the

DN of the VOMS service that issued the attribute certificate-n--ntimes ltarggt number of times the request will be repeated

--help print this message

Service mapping generation commands

gums mapUser

[carcassiatestgk01 ~]$ optgumsbingums mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName grid12345]

[carcassiatestgk01 ~]$ optgumsbingums mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom -f myvoRole=role1 -i DC=orgDC=doegridsOU=ServiceCN=vomsmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName special1]

1 3 2 1 B I N G U M S 45

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

gums generateGridMapfile

[carcassiatestgk01 ~]$ optgumsbingums generateGridMapfileDC=orgDC=doegridsOU=ServicesCN=gatekeepermysitecom---- members of vo usatlas ----C=CHO=CERNOU=GRIDCN=Frederik Orellana 5894 usatlas1C=CHO=CERNOU=GRIDCN=Michela Biglietti 4798 usatlas1C=CHO=CERNOU=GRIDCN=Miguel De Oliveira Branco 2423 usatlas1C=CHO=CERNOU=GRIDCN=Shulamit Moed 9840 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alden Stradling 409738 usatlas1DC=orgDC=doegridsOU=PeopleCN=Aldo Saavedra 942457 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alexandre V Vaniachine 778117 usatlas1

gums generateGrid3UserVoMap

[carcassiatestgk01 ~]$ optgumsbingums generateGrid3UserVoMapDC=orgDC=doegridsOU=ServicesCN=testmysitecomUser-VO map comment line format of each regular line line account VO Next 2 lines with VO names same order all lowercase with case (lines startingwith voi VOc)voi usatlas ivdgl ligo btev uscms sdss gridex graseVOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE---- accounts for vo usatlas ----usatlas1 usatlas---- accounts for vo ivdgl ----ivdgl ivdgl

Manual groups and mappings managements commands

1 3 2 1 B I N G U M S 46

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

ltgroupMapping name=example1 accountingVo=myvo accountingDesc=myVogtltuserGroup className=govbnlgumsManualUserGroup persistenceFactory=mysql

name=group1 gtltaccountMapping className=govbnlgumsGroupAccountMapper groupName=myacc

gtltgroupMappinggt

ltgroupMapping name=example2 accountingVo=myvo accountingDesc=myVogtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvomsmysitecom8443edg-voms-admin-myvoservicesVOMSAdminpersistenceFactory=mysql name=myvovoGroup=myvosslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypem gt

ltaccountMapping className=govbnlgumsManualAccountMapperpersistenceFactory=mysql name=map1gt

ltgroupMappinggt

gums manualGroup-add

[carcassiatestgk01 ~]$ optgumsbingums manualGroup-add mysql group1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

gums manualGroup-remove

[carcassiatestgk01 ~]$ optgumsbingums manualGroup-remove mysql group1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

gums manualMapping-add

1 3 2 1 B I N G U M S 47

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[carcassiatestgk01 ~]$ optgumsbingums manualMapping-add mysql map1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345 carcassi

gums manualMapping-remove

[carcassiatestgk01 ~]$ optgumsbingums manualMapping-remove mysql map1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

Other commands

gums updateGroups

[carcassiatestgk01 ~]$ optgumsbingums updateGroups

gums pool-addRange

[carcassiatestgk01 ~]$ optgumsbingums pool-addRange mysql pool1 grid0020-40

1 3 2 1 B I N G U M S 48

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1322 bingums-host

bingums-host

Authentication and authorization

bingums-host commands

[rootmygk bin]$ gums-hostusage gums-host command [command-options]CommandsgenerateGrid3UserVoMap - Generate grid3-user-vo-maptxt for this hostgenerateGridMapfile - Generate grid-mapfile for this hostmapUser - Local credential used for a particular userversion - Retrieve GUMS client version

For help on any commandgums-host command --help

[rootmygk bin] gums-host mapUser --helpusage gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f

FQAN] [-i FQANISSUER] USERDN1 [USERDN2] Maps the grid identity to the local userOptions-s--service ltarggt DN of the service When using gums-host it defaults

to the host credential DN-f--fqan ltarggt Fully Qualified Attribute Name as it would be

selected using voms-proxy-init no extended information bydefault-t--timing ltarggt enables timing grouping the requests For example

-t 100 will give you timing information on 100 requests at a

1 3 2 2 B I N G U M S - H O S T 49

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

time-b--bypassCallout connects directly to GUMS instead of using the

callout-i--issuer ltarggt Fully Qualified Attribute Name Issuer that is the

DN of the VOMS service that issued the attribute certificate-n--ntimes ltarggt number of times the request will be repeated

--help print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f /myvo/Role=role1 -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

LocalId[userName: special1]

gums generateGridMapfile


[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
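The two files above are what a gatekeeper actually enforces and accounts against, so they are worth checking before they are installed. The following is an added example (Python, not code from the GUMS project): it parses the grid-mapfile and grid3-user-vo-map.txt formats shown, then flags repeated entries, a DN mapped to more than one account, accounts with no VO entry, and VOs missing from the #voi line; all sample lines are constructed from the entries on this page.

```python
"""Consistency audit of the grid-mapfile and grid3-user-vo-map.txt gums-host generates.
Added example, not code from the GUMS project: it parses the two formats shown
above and cross-checks them. All sample text is constructed from this page's entries.
"""
import shlex
from collections import defaultdict

# Constructed sample of a generateGridMapfile result.
SAMPLE_GRIDMAPFILE = """\
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
#---- members of vo: ivdgl ----
"/DC=org/DC=doegrids/OU=People/CN=Constructed Ivdgl User 1" ivdgl
"""

# Constructed sample of a generateGrid3UserVoMap result.
SAMPLE_USER_VO_MAP = """\
#User-VO map
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
"""

# Constructed sample with the defects the audit should catch: a repeated
# entry, one DN mapped to two accounts, and an account with no VO (prod1).
BROKEN_GRIDMAPFILE = """\
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas2
"/DC=org/DC=doegrids/OU=People/CN=Constructed User 7" prod1
"""


def parse_gridmapfile(text):
    """Return [(dn, [accounts]), ...] in file order; '#' comment lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # the DN is quoted because it contains spaces
        if len(parts) != 2:
            raise ValueError(f"grid-mapfile line {lineno}: expected '\"DN\" account', got {raw!r}")
        entries.append((parts[0], parts[1].split(",")))  # "DN" acct1,acct2 is legal
    return entries


def parse_user_vo_map(text):
    """Return (voi, VOc, [(account, vo), ...]) from a grid3-user-vo-map.txt."""
    voi, voc, pairs = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#voi"):
            voi = line.split()[1:]
        elif line.startswith("#VOc"):
            voc = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) != 2:
                raise ValueError(f"user-vo-map line {lineno}: expected 'account VO', got {raw!r}")
            pairs.append((parts[0], parts[1]))
    return voi, voc, pairs


def audit(gridmap_text, user_vo_map_text):
    """Cross-check both files; return a list of findings (empty means consistent)."""
    findings = []
    dn_accounts = defaultdict(set)
    seen, mapped_accounts = set(), set()
    for dn, accounts in parse_gridmapfile(gridmap_text):
        for account in accounts:
            if (dn, account) in seen:
                findings.append(f"duplicate grid-mapfile entry: {dn} -> {account}")
            seen.add((dn, account))
            dn_accounts[dn].add(account)
            mapped_accounts.add(account)
    # A DN resolving to several local accounts is ambiguous: which Unix identity runs the job?
    for dn, accounts in dn_accounts.items():
        if len(accounts) > 1:
            findings.append(f"DN mapped to several accounts: {dn} -> {sorted(accounts)}")

    voi, voc, pairs = parse_user_vo_map(user_vo_map_text)
    if len(voi) != len(voc):
        findings.append(f"#voi lists {len(voi)} VOs but #VOc lists {len(voc)}")
    account_vo = {}
    for account, vo in pairs:
        if vo not in voi:
            findings.append(f"VO {vo!r} of account {account} is not declared on the #voi line")
        if account in account_vo and account_vo[account] != vo:
            findings.append(f"account {account} listed under two VOs: {account_vo[account]} and {vo}")
        account_vo.setdefault(account, vo)
    # Every account the gatekeeper can map to needs a VO, or per-VO accounting loses those jobs.
    for account in sorted(mapped_accounts - set(account_vo)):
        findings.append(f"account {account} is in the grid-mapfile but has no VO in the user-VO map")
    return findings
```

Run `audit(open("grid-mapfile").read(), open("grid3-user-vo-map.txt").read())` against the files gums-host wrote; an empty list means the two are consistent.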


1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log


[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"


1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log


Site security log


1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version | Date | Description
1.1.0 | 2005-07-20 |
1.0.1 | 2005-04-07 |
1.0.0 | 2005-03-16 |
0.7.1 | 2005-02-01 |
0.7 | 2005-01-14 |
0.6.1 | 2004-08-10 |
0.6 | 2004-07-01 |
0.5 | 2004-05-20 |
undetermined | before March 2004 |

Release 1.1.0 - 2005-07-20

Changes | By
Review GUMS maven structure (i.e. plug-in dependencies, project.xml) | carcassi
Fix tomcat deployment in build (i.e. dev server being down once in a while) | carcassi
Mapping according to Gecos field available in both NIS and LDAP | carcassi
One can filter on the full CN of a host certificate | carcassi
The Service Certificate DN is now the identifier for hosts and machines | carcassi
Release version in command line | carcassi
If gums.config isn't found the first time, a tomcat restart was needed | carcassi
Minor updates to the web interface | carcassi
VOMS Admin v1.0.x (glite) compatibility | carcassi
Support for mapfile cache terminated: web service door only | carcassi
FQAN allows for '-', '_' and '.' in the vo, group, role and capability | carcassi
DB reviewed: better indexing and transaction use | carcassi
Updating from VOMS is no longer blocking | carcassi

Release 1.0.1 - 2005-04-07

Changes | By
Including setupDatabase with the modification made for VDT | carcassi
gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) | carcassi
Error code from scripts was incorrect; that caused the cron job to update maps in case of error too | carcassi

Release 1.0.0 - 2005-03-16

Changes | By
Repackaging of the client components: merged admin and host and named it client | carcassi
Fixed minor issues with authorization obligations for storage system | mlorch
Double add to a manual group now fails | carcassi
Script that creates the database and changes the configuration accordingly | carcassi
Repackaging of the service component | carcassi
Server identity is now gums host name | carcassi
GUMS accepts new style proxies | carcassi
The accounts in the pool are used in alphabetical order | carcassi
Inverse map is now generated exploring all the DN/FQAN combinations | carcassi
Gridmapfile is generated simulating users with no FQAN | carcassi
LDAP integration for primary gid change at BNL once an account is assigned | carcassi

Release 0.7.1 - 2005-02-01

Changes | By
Log names reviewed so that both client and server can stay (through links) in the same directory | carcassi
NIS update is done every hour and is now thread safe | carcassi
Log file permissions for the command line tools are set so multiple users can use it (important for admin) | carcassi
GUMS host can now be used for stress testing and timing the server response | carcassi
Added connection pooling on mysql server | carcassi
Solved a race condition that would make GUMS hang in some circumstances | carcassi
AuthZ callout without GT3, both client and server stubs | mlorch
Added code for Privilege Project in GUMS repository and build process | carcassi


Release 0.7 - 2005-01-14

Changes | By
Better logging: server logs all commands with both input and output | carcassi
More complete command line interface | carcassi
Web service implementation | carcassi
HostWildcards can be more than one, comma separated | carcassi
Support for VOMS Fully Qualified Attribute names | carcassi
AuthZ service to be contacted by Globus callout | carcassi
Support for grid3-user-vo-map.txt generation | carcassi
Many many other refinements | carcassi

Release 0.6.1 - 2004-08-10

Changes | By
Nightly build and reporting with Maven | carcassi
Removed all the old code from 0.6 | carcassi
Better log system: logs for developer, resource admin and site admin in place | carcassi
Ability to retrieve groups from within a VOMS server (finally) | carcassi
No more duplication in the mapfiles | carcassi
Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated | carcassi
Improved error handling (i.e. a failed update on one group doesn't block the others) | carcassi
Installation through RPMs (cron jobs installed automatically) | carcassi
Unit tests to Grid3 VOs included | carcassi
LDAP access improved: can access LCG dev VO | carcassi

Release 0.6 - 2004-07-01

Changes | By
XML configuration file for mapping policy | carcassi
Log infrastructure | carcassi
More flexible architecture | carcassi
Decoupled grid-mapfile generation from database caching for distribution on gatekeeper | carcassi
Web interface to generate grid-mapfiles and map users | carcassi
Better command line interfaces (feel like Unix commands) | carcassi

Release 0.5 - 2004-05-20

Changes | By
GUMS in production at BNL | carcassi
NISMapper retrieves the GECOS field and matches with certificate CN | carcassi
Architecture to allow different types of mappings for different hosts | carcassi

Release undetermined - before March 2004

Changes | By
Script to fetch user from VOMS | dtyu
Script to map user to local account | tomw


gums generateGridMapfile

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGridMapfile "/DC=org/DC=doegrids/OU=Services/CN=gatekeeper.mysite.com"
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[carcassi@testgk01 ~]$ /opt/gums/bin/gums generateGrid3UserVoMap "/DC=org/DC=doegrids/OU=Services/CN=test.mysite.com"
#User-VO map
# #comment line, format of each regular line line: account VO
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl

Manual groups and mappings management commands

<groupMapping name="example1" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.ManualUserGroup" persistenceFactory="mysql" name="group1" />
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="myacc" />
</groupMapping>

<groupMapping name="example2" accountingVo="myvo" accountingDesc="myVo">
  <userGroup className="gov.bnl.gums.VOMSGroup"
    url="https://voms.mysite.com:8443/edg-voms-admin-myvo/services/VOMSAdmin"
    persistenceFactory="mysql" name="myvo" voGroup="/myvo"
    sslCertfile="/etc/grid-security/hostcert.pem" sslKey="/etc/grid-security/hostkey.pem" />
  <accountMapping className="gov.bnl.gums.ManualAccountMapper" persistenceFactory="mysql" name="map1" />
</groupMapping>

gums manualGroup-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-add mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualGroup-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualGroup-remove mysql group1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

gums manualMapping-add

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-add mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" carcassi

gums manualMapping-remove

[carcassi@testgk01 ~]$ /opt/gums/bin/gums manualMapping-remove mysql map1 "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"

Other commands

gums updateGroups

[carcassi@testgk01 ~]$ /opt/gums/bin/gums updateGroups


Page 52: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

ltgroupMapping name=example1 accountingVo=myvo accountingDesc=myVogtltuserGroup className=govbnlgumsManualUserGroup persistenceFactory=mysql

name=group1 gtltaccountMapping className=govbnlgumsGroupAccountMapper groupName=myacc

gtltgroupMappinggt

ltgroupMapping name=example2 accountingVo=myvo accountingDesc=myVogtltuserGroup className=govbnlgumsVOMSGroup

url=httpsvomsmysitecom8443edg-voms-admin-myvoservicesVOMSAdminpersistenceFactory=mysql name=myvovoGroup=myvosslCertfile=etcgrid-securityhostcertpemsslKey=etcgrid-securityhostkeypem gt

ltaccountMapping className=govbnlgumsManualAccountMapperpersistenceFactory=mysql name=map1gt

ltgroupMappinggt

gums manualGroup-add

[carcassiatestgk01 ~]$ optgumsbingums manualGroup-add mysql group1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

gums manualGroup-remove

[carcassiatestgk01 ~]$ optgumsbingums manualGroup-remove mysql group1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

gums manualMapping-add

1 3 2 1 B I N G U M S 47

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[carcassiatestgk01 ~]$ optgumsbingums manualMapping-add mysql map1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345 carcassi

gums manualMapping-remove

[carcassiatestgk01 ~]$ optgumsbingums manualMapping-remove mysql map1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

Other commands

gums updateGroups

[carcassiatestgk01 ~]$ optgumsbingums updateGroups

gums pool-addRange

[carcassiatestgk01 ~]$ optgumsbingums pool-addRange mysql pool1 grid0020-40

1 3 2 1 B I N G U M S 48

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1322 bingums-host

bingums-host

Authentication and authorization

bingums-host commands

[rootmygk bin]$ gums-hostusage gums-host command [command-options]CommandsgenerateGrid3UserVoMap - Generate grid3-user-vo-maptxt for this hostgenerateGridMapfile - Generate grid-mapfile for this hostmapUser - Local credential used for a particular userversion - Retrieve GUMS client version

For help on any commandgums-host command --help

[rootmygk bin] gums-host mapUser --helpusage gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f

FQAN] [-i FQANISSUER] USERDN1 [USERDN2] Maps the grid identity to the local userOptions-s--service ltarggt DN of the service When using gums-host it defaults

to the host credential DN-f--fqan ltarggt Fully Qualified Attribute Name as it would be

selected using voms-proxy-init no extended information bydefault-t--timing ltarggt enables timing grouping the requests For example

-t 100 will give you timing information on 100 requests at a

1 3 2 2 B I N G U M S - H O S T 49

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

time-b--bypassCallout connects directly to GUMS instead of using the

callout-i--issuer ltarggt Fully Qualified Attribute Name Issuer that is the

DN of the VOMS service that issued the attribute certificate-n--ntimes ltarggt number of times the request will be repeated

--help print this message

Service mapping generation commands

gums-host mapUser

[rootmygk bin] gums-host mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName grid12345]

[rootmygk bin] gums-host mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom -f myvoRole=role1 -i DC=orgDC=doegridsOU=ServiceCN=vomsmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName special1]

gums generateGridMapfile

1 3 2 2 B I N G U M S - H O S T 50

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[rootmygk bin] gums-host generateGridMapfile---- members of vo usatlas ----C=CHO=CERNOU=GRIDCN=Frederik Orellana 5894 usatlas1C=CHO=CERNOU=GRIDCN=Michela Biglietti 4798 usatlas1C=CHO=CERNOU=GRIDCN=Miguel De Oliveira Branco 2423 usatlas1C=CHO=CERNOU=GRIDCN=Shulamit Moed 9840 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alden Stradling 409738 usatlas1DC=orgDC=doegridsOU=PeopleCN=Aldo Saavedra 942457 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alexandre V Vaniachine 778117 usatlas1

gums generateGrid3UserVoMap

[rootmygk bin] gums-host generateGrid3UserVoMapUser-VO map comment line format of each regular line line account VO Next 2 lines with VO names same order all lowercase with case (lines startingwith voi VOc)voi usatlas ivdgl ligo btev uscms sdss gridex graseVOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE---- accounts for vo usatlas ----usatlas1 usatlas---- accounts for vo ivdgl ----ivdgl ivdgl

1 3 2 2 B I N G U M S - H O S T 51

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

133 GUMS logs

GUMS Logs

Administrators log (gums-service-adminlog)

Developers log

Site security log

1 3 3 G U M S L O G S 52

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[rootatlasgrid13 log] cat etcsysconfigsyslog Options to syslogd -m 0 disables MARK messages -r enables logging from remote machines -x disables DNS lookups on messages recieved with -r See syslogd(8) for more detailsSYSLOGD_OPTIONS=-r -m 0 Options to klogd -2 prints all kernel oops messages twice once for klogd to decode and once for processing with ksymoops -x disables all klogd processing of oops messages entirely See klogd(8) for more detailsKLOGD_OPTIONS=-x

1 3 3 G U M S L O G S 53

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1331 Logging implementation details

Log implementation details

Administrators log

Developers log

1 3 3 1 L O G G I N G I M P L E M E N T A T I O N D E T A I L S 54

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Site security log

1 3 3 1 L O G G I N G I M P L E M E N T A T I O N D E T A I L S 55

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

14 Site integration

Integrating GUMS and site services

if you choose to print this you might alsowant to print the code to which the online version of this article links

Changing storage for GUMS data


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error
Error Type: gov.bnl.gums.admin.AuthorizationDeniedException
Error Message: Authorization denied

$VDT_LOCATION/apache/logs:
[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version       Date                Description
1.1.0         2005-07-20
1.0.1         2005-04-07
1.0.0         2005-03-16
0.7.1         2005-02-01
0.7           2005-01-14
0.6.1         2004-08-10
0.6           2004-07-01
0.5           2004-05-20
undetermined  before March 2004

Release 1.1.0 - 2005-07-20

Changes [By]
- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) [carcassi]
- Fix tomcat deployment in build (i.e. dev server being down once in a while) [carcassi]
- Mapping according to Gecos field available in both NIS and LDAP [carcassi]
- One can filter on the full CN of a host certificate [carcassi]
- The Service Certificate DN is now the identifier for hosts and machines [carcassi]
- Release version in command line [carcassi]


- If gums.config isn't found the first time, a tomcat restart was needed [carcassi]
- Minor updates to the web interface [carcassi]
- VOMS Admin v1.0.x (glite) compatibility [carcassi]
- Support for mapfile cache terminated: web service door only [carcassi]
- FQAN allows for '-', '_' and ... in the vo, group, role and capability [carcassi]
- DB reviewed: better indexing and transaction use [carcassi]
- Updating from VOMS is no longer blocking [carcassi]

Release 1.0.1 - 2005-04-07

Changes [By]
- Including setupDatabase with the modification made for VDT [carcassi]
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) [carcassi]
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too [carcassi]

Release 1.0.0 - 2005-03-16

Changes [By]
- Repackaging of the client components: merged admin and host and named it client [carcassi]
- Fixed minor issues with authorization obligations for storage system [mlorch]
- Double add to a manual group now fails [carcassi]


- Script that creates the database and changes the configuration accordingly [carcassi]
- Repackaging of the service component [carcassi]
- Server identity is now gums host name [carcassi]
- GUMS accepts new style proxies [carcassi]
- The accounts in the pool are used in alphabetical order [carcassi]
- Inverse map is now generated exploring all the DN/FQAN combinations [carcassi]
- Gridmapfile is generated simulating users with no FQAN [carcassi]
- LDAP integration for primary gid change at BNL once an account is assigned [carcassi]

Release 0.7.1 - 2005-02-01

Changes [By]
- Log names review so that both client and server can stay (through links) in the same directory [carcassi]
- NIS update is done every hour and is now thread safe [carcassi]
- Log file permissions for the command line tools are set so multiple users can use them (important for admin) [carcassi]
- GUMS host can now be used for stress testing and timing the server response [carcassi]
- Added connection pooling on mysql server [carcassi]
- Solved a race condition that would make GUMS hang in some circumstances [carcassi]
- AuthZ callout without GT3, both client and server stubs [mlorch]
- Added code for Privilege Project in GUMS repository and build process [carcassi]


Release 0.7 - 2005-01-14

Changes [By]
- Better logging: server logs all commands with both input and output [carcassi]
- More complete command line interface [carcassi]
- Web service implementation [carcassi]
- HostWildcards can be more than one, comma separated [carcassi]
- Support for VOMS Fully Qualified Attribute names [carcassi]
- AuthZ service to be contacted by Globus callout [carcassi]
- Support for grid3-user-vo-map.txt generation [carcassi]
- Many many other refinements [carcassi]

Release 0.6.1 - 2004-08-10

Changes [By]
- Nightly build and reporting with Maven [carcassi]
- Removed all the old code from 0.6 [carcassi]
- Better log system: logs for developer, resource admin and site admin in place [carcassi]
- Ability to retrieve groups from within a VOMS server (finally) [carcassi]
- No more duplication in the mapfiles [carcassi]
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated [carcassi]
- Improved error handling (i.e. a failed update on one group doesn't block the others) [carcassi]


- Installation through RPMs (cron jobs installed automatically) [carcassi]
- Unit tests to Grid3 VOs included [carcassi]
- LDAP access improved: can access LCG dev VO [carcassi]

Release 0.6 - 2004-07-01

Changes [By]
- XML configuration file for mapping policy [carcassi]
- Log infrastructure [carcassi]
- More flexible architecture [carcassi]
- Decoupled grid-mapfile generation from database caching for distribution on gatekeeper [carcassi]
- Web interface to generate grid-mapfiles and map users [carcassi]
- Better command line interfaces (feel like Unix commands) [carcassi]

Release 0.5 - 2004-05-20

Changes [By]
- GUMS in production at BNL [carcassi]
- NISMapper retrieves the GECOS field and matches with certificate CN [carcassi]
- Architecture to allow different types of mappings for different hosts [carcassi]

Release undetermined - before March 2004


Changes [By]
- Script to fetch user from VOMS [dtyu]
- Script to map user to local account [tomw]


Page 53: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

[carcassiatestgk01 ~]$ optgumsbingums manualMapping-add mysql map1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345 carcassi

gums manualMapping-remove

[carcassiatestgk01 ~]$ optgumsbingums manualMapping-remove mysql map1DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

Other commands

gums updateGroups

[carcassiatestgk01 ~]$ optgumsbingums updateGroups

gums pool-addRange

[carcassiatestgk01 ~]$ optgumsbingums pool-addRange mysql pool1 grid0020-40

1 3 2 1 B I N G U M S 48

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1322 bingums-host

bingums-host

Authentication and authorization

bingums-host commands

[rootmygk bin]$ gums-hostusage gums-host command [command-options]CommandsgenerateGrid3UserVoMap - Generate grid3-user-vo-maptxt for this hostgenerateGridMapfile - Generate grid-mapfile for this hostmapUser - Local credential used for a particular userversion - Retrieve GUMS client version

For help on any commandgums-host command --help

[rootmygk bin] gums-host mapUser --helpusage gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f

FQAN] [-i FQANISSUER] USERDN1 [USERDN2] Maps the grid identity to the local userOptions-s--service ltarggt DN of the service When using gums-host it defaults

to the host credential DN-f--fqan ltarggt Fully Qualified Attribute Name as it would be

selected using voms-proxy-init no extended information bydefault-t--timing ltarggt enables timing grouping the requests For example

-t 100 will give you timing information on 100 requests at a

1 3 2 2 B I N G U M S - H O S T 49

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

time-b--bypassCallout connects directly to GUMS instead of using the

callout-i--issuer ltarggt Fully Qualified Attribute Name Issuer that is the

DN of the VOMS service that issued the attribute certificate-n--ntimes ltarggt number of times the request will be repeated

--help print this message

Service mapping generation commands

gums-host mapUser

[rootmygk bin] gums-host mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName grid12345]

[rootmygk bin] gums-host mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom -f myvoRole=role1 -i DC=orgDC=doegridsOU=ServiceCN=vomsmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName special1]

gums generateGridMapfile

1 3 2 2 B I N G U M S - H O S T 50

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[rootmygk bin] gums-host generateGridMapfile---- members of vo usatlas ----C=CHO=CERNOU=GRIDCN=Frederik Orellana 5894 usatlas1C=CHO=CERNOU=GRIDCN=Michela Biglietti 4798 usatlas1C=CHO=CERNOU=GRIDCN=Miguel De Oliveira Branco 2423 usatlas1C=CHO=CERNOU=GRIDCN=Shulamit Moed 9840 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alden Stradling 409738 usatlas1DC=orgDC=doegridsOU=PeopleCN=Aldo Saavedra 942457 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alexandre V Vaniachine 778117 usatlas1

gums generateGrid3UserVoMap

[rootmygk bin] gums-host generateGrid3UserVoMapUser-VO map comment line format of each regular line line account VO Next 2 lines with VO names same order all lowercase with case (lines startingwith voi VOc)voi usatlas ivdgl ligo btev uscms sdss gridex graseVOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE---- accounts for vo usatlas ----usatlas1 usatlas---- accounts for vo ivdgl ----ivdgl ivdgl

1 3 2 2 B I N G U M S - H O S T 51

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

133 GUMS logs

GUMS Logs

Administrators log (gums-service-adminlog)

Developers log

Site security log

1 3 3 G U M S L O G S 52

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[rootatlasgrid13 log] cat etcsysconfigsyslog Options to syslogd -m 0 disables MARK messages -r enables logging from remote machines -x disables DNS lookups on messages recieved with -r See syslogd(8) for more detailsSYSLOGD_OPTIONS=-r -m 0 Options to klogd -2 prints all kernel oops messages twice once for klogd to decode and once for processing with ksymoops -x disables all klogd processing of oops messages entirely See klogd(8) for more detailsKLOGD_OPTIONS=-x

1 3 3 G U M S L O G S 53

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1331 Logging implementation details

Log implementation details

Administrators log

Developers log

1 3 3 1 L O G G I N G I M P L E M E N T A T I O N D E T A I L S 54

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Site security log

1 3 3 1 L O G G I N G I M P L E M E N T A T I O N D E T A I L S 55

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

14 Site integration

Integrating GUMS and site services

if you choose to print this you might alsowant to print the code to which the online version of this article links

Changing storage for GUMS data

1 4 S I T E I N T E G R A T I O N 56

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

throw new javalangUnsupportedOperationException()

Creating a mapping policy

ltaccountMapping className=govbnlgumsGroupAccountMapper groupName=test gt

1 4 S I T E I N T E G R A T I O N 57

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Creating a group

throw new javalangUnsupportedOperationException(Group cannot be enumerated)

1 4 S I T E I N T E G R A T I O N 58

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

15 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

1 5 F A Q 59

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Using GUMS

Building GUMS

Comparing GUMS with other tools

1 5 F A Q 60

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1 5 F A Q 61

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

1 6 T R O U B L E S H O O T I N G F A Q 62

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Access problems

GUMS encountered an errorError Type govbnlgumsadminAuthorizationDeniedExceptionError Message Authorization denied

VDT_LOCATIONapachelogs[Tue Jun 07 150245 2005] [error] Certificate Verification Error (20) unableto get local issuer certificate

1 6 T R O U B L E S H O O T I N G F A Q 63

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

17 Changes

Release History

Version Date Description

110 2005-07-20

101 2005-04-07

100 2005-03-16

071 2005-02-01

07 2005-01-14

061 2004-08-10

06 2004-07-01

05 2004-05-20

undetermined before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 100 - 2005-03-16

Type Changes By

Repackaging of the client componentsmerged admin and host and named it client

carcassi

Fixed minor issues with authorizationobligations for storage system

mlorch

Double add to a manual group now fails carcassi

1 7 C H A N G E S 65

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script that creates the database and changesthe configuration accordingly

carcassi

Repackaging of the service component carcassi

Server identity is now gums host name carcassi

GUMS accept new style proxies carcassi

The accounts in the pool are used inalphabetical order

carcassi

Inverse map is now generated exploring allthe DNFQAN combinations

carcassi

Gridmapfile is generated simulating userswith no FQAN

carcassi

LDAP integration for primary gid change atBNL once an account is assigned

carcassi

Release 071 - 2005-02-01

Type Changes By

Log names review so that they both client andserver can stay (through links) in the samedirectory

carcassi

NIS update is done every hour and is nowthread safe

carcassi

Log file permission for the command line toolsare set so multiple users can use it (importantfor admin)

carcassi

GUMS host can now be used for stresstesting and timing the server response

carcassi

Added connection pooling on mysql server carcassi

Solved a race condition that would makeGUMS hang in some circumstances

carcassi

AuthZ callout without GT3 both client andserver stubs

mlorch

Added code for Privilege Project in GUMSrepository and build process

carcassi

1 7 C H A N G E S 66

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Release 07 - 2005-01-14

Type Changes By

Better logging server logs all commands withboth input and output

carcassi

More complete command line interface carcassi

Web service implementation carcassi

HostWildcards can be more than one commaseparated

carcassi

Support for VOMS Fully Qualified Attributenames

carcassi

AuthZ service to be contacted by Globuscallout

carcassi

Support for grid3-user-vo-maptxt generation carcassi

Many many other refinements carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi

1 7 C H A N G E S 67

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Installation through RPMs (cron jobs installedautomatically)

carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 06 - 2004-07-01

Type Changes By

XML configuration file for mapping policy carcassi

Log infrastructure carcassi

More flexible architecture carcassi

Decoupled grid-mapfile generation fromdatabase caching for distribution ongatekeeper

carcassi

Web interface to generate grid-mapfiles andmap users

carcassi

Better command line interfaces (feel like Unixcommands)

carcassi

Release 05 - 2004-05-20

Type Changes By

GUMS in production at BNL carcassi

NISMapperretrieves the GECOS field andmatches with certificate CN

carcassi

Architecture to allow different type ofmappings for different hosts

carcassi

Release undetermined - before March 2004

1 7 C H A N G E S 68

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Page 54: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

1322 bingums-host

bingums-host

Authentication and authorization

bingums-host commands

[rootmygk bin]$ gums-hostusage gums-host command [command-options]CommandsgenerateGrid3UserVoMap - Generate grid3-user-vo-maptxt for this hostgenerateGridMapfile - Generate grid-mapfile for this hostmapUser - Local credential used for a particular userversion - Retrieve GUMS client version

For help on any commandgums-host command --help

[rootmygk bin] gums-host mapUser --helpusage gums mapUser [-s SERVICEDN] [-n TIMES] [-t NREQUESTS] [-b] [-f

FQAN] [-i FQANISSUER] USERDN1 [USERDN2] Maps the grid identity to the local userOptions-s--service ltarggt DN of the service When using gums-host it defaults

to the host credential DN-f--fqan ltarggt Fully Qualified Attribute Name as it would be

selected using voms-proxy-init no extended information bydefault-t--timing ltarggt enables timing grouping the requests For example

-t 100 will give you timing information on 100 requests at a

1 3 2 2 B I N G U M S - H O S T 49

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

time-b--bypassCallout connects directly to GUMS instead of using the

callout-i--issuer ltarggt Fully Qualified Attribute Name Issuer that is the

DN of the VOMS service that issued the attribute certificate-n--ntimes ltarggt number of times the request will be repeated

--help print this message

Service mapping generation commands

gums-host mapUser

[rootmygk bin] gums-host mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName grid12345]

[rootmygk bin] gums-host mapUser -s DC=orgDC=doegridsOU=ServiceCN=mygkmysitecom -f myvoRole=role1 -i DC=orgDC=doegridsOU=ServiceCN=vomsmysitecom DC=orgDC=doegridsOU=PeopleCN=Gabriele Carcassi 12345

LocalId[userName special1]

gums generateGridMapfile

1 3 2 2 B I N G U M S - H O S T 50

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[rootmygk bin] gums-host generateGridMapfile---- members of vo usatlas ----C=CHO=CERNOU=GRIDCN=Frederik Orellana 5894 usatlas1C=CHO=CERNOU=GRIDCN=Michela Biglietti 4798 usatlas1C=CHO=CERNOU=GRIDCN=Miguel De Oliveira Branco 2423 usatlas1C=CHO=CERNOU=GRIDCN=Shulamit Moed 9840 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alden Stradling 409738 usatlas1DC=orgDC=doegridsOU=PeopleCN=Aldo Saavedra 942457 usatlas1DC=orgDC=doegridsOU=PeopleCN=Alexandre V Vaniachine 778117 usatlas1

gums generateGrid3UserVoMap

[rootmygk bin] gums-host generateGrid3UserVoMapUser-VO map comment line format of each regular line line account VO Next 2 lines with VO names same order all lowercase with case (lines startingwith voi VOc)voi usatlas ivdgl ligo btev uscms sdss gridex graseVOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE---- accounts for vo usatlas ----usatlas1 usatlas---- accounts for vo ivdgl ----ivdgl ivdgl

1 3 2 2 B I N G U M S - H O S T 51

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

133 GUMS logs

GUMS Logs

Administrators log (gums-service-adminlog)

Developers log

Site security log

1 3 3 G U M S L O G S 52

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

[rootatlasgrid13 log] cat etcsysconfigsyslog Options to syslogd -m 0 disables MARK messages -r enables logging from remote machines -x disables DNS lookups on messages recieved with -r See syslogd(8) for more detailsSYSLOGD_OPTIONS=-r -m 0 Options to klogd -2 prints all kernel oops messages twice once for klogd to decode and once for processing with ksymoops -x disables all klogd processing of oops messages entirely See klogd(8) for more detailsKLOGD_OPTIONS=-x

1 3 3 G U M S L O G S 53

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1331 Logging implementation details

Log implementation details

Administrators log

Developers log

1 3 3 1 L O G G I N G I M P L E M E N T A T I O N D E T A I L S 54

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Site security log

1 3 3 1 L O G G I N G I M P L E M E N T A T I O N D E T A I L S 55

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

14 Site integration

Integrating GUMS and site services

if you choose to print this you might alsowant to print the code to which the online version of this article links

Changing storage for GUMS data

1 4 S I T E I N T E G R A T I O N 56

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

throw new javalangUnsupportedOperationException()

Creating a mapping policy

ltaccountMapping className=govbnlgumsGroupAccountMapper groupName=test gt

1 4 S I T E I N T E G R A T I O N 57

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Creating a group

throw new javalangUnsupportedOperationException(Group cannot be enumerated)

1 4 S I T E I N T E G R A T I O N 58

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

15 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

1 5 F A Q 59

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Using GUMS

Building GUMS

Comparing GUMS with other tools

1 5 F A Q 60

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1 5 F A Q 61

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

1 6 T R O U B L E S H O O T I N G F A Q 62

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Access problems

GUMS encountered an errorError Type govbnlgumsadminAuthorizationDeniedExceptionError Message Authorization denied

VDT_LOCATIONapachelogs[Tue Jun 07 150245 2005] [error] Certificate Verification Error (20) unableto get local issuer certificate

1 6 T R O U B L E S H O O T I N G F A Q 63

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

17 Changes

Release History

Version Date Description

110 2005-07-20

101 2005-04-07

100 2005-03-16

071 2005-02-01

07 2005-01-14

061 2004-08-10

06 2004-07-01

05 2004-05-20

undetermined before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 100 - 2005-03-16

Type Changes By

Repackaging of the client componentsmerged admin and host and named it client

carcassi

Fixed minor issues with authorizationobligations for storage system

mlorch

Double add to a manual group now fails carcassi

1 7 C H A N G E S 65

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script that creates the database and changesthe configuration accordingly

carcassi

Repackaging of the service component carcassi

Server identity is now gums host name carcassi

GUMS accept new style proxies carcassi

The accounts in the pool are used inalphabetical order

carcassi

Inverse map is now generated exploring allthe DNFQAN combinations

carcassi

Gridmapfile is generated simulating userswith no FQAN

carcassi

LDAP integration for primary gid change atBNL once an account is assigned

carcassi

Release 071 - 2005-02-01

Type Changes By

Log names review so that they both client andserver can stay (through links) in the samedirectory

carcassi

NIS update is done every hour and is nowthread safe

carcassi

Log file permission for the command line toolsare set so multiple users can use it (importantfor admin)

carcassi

GUMS host can now be used for stresstesting and timing the server response

carcassi

Changes (by)

Added connection pooling on the MySQL server (carcassi)
Solved a race condition that would make GUMS hang in some circumstances (carcassi)
AuthZ callout without GT3, both client and server stubs (mlorch)
Added code for the Privilege Project in the GUMS repository and build process (carcassi)

1.7 Changes 66

© 2003 Brookhaven National Laboratory • All rights reserved

Release 0.7 - 2005-01-14

Changes (by)

Better logging: the server logs all commands with both input and output (carcassi)
More complete command line interface (carcassi)
Web service implementation (carcassi)
HostWildcards can be more than one, comma separated (carcassi)
Support for VOMS Fully Qualified Attribute Names (carcassi)
AuthZ service to be contacted by the Globus callout (carcassi)
Support for grid3-user-vo-map.txt generation (carcassi)
Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (by)

Nightly build and reporting with Maven (carcassi)
Removed all the old code from 0.6 (carcassi)
Better log system: logs for developer, resource admin and site admin in place (carcassi)
Ability to retrieve groups from within a VOMS server (finally) (carcassi)
No more duplication in the mapfiles (carcassi)
Improved database caching for the grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
Installation through RPMs (cron jobs installed automatically) (carcassi)
Unit tests for Grid3 VOs included (carcassi)
LDAP access improved: can access the LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (by)

XML configuration file for the mapping policy (carcassi)
Log infrastructure (carcassi)
More flexible architecture (carcassi)
Decoupled grid-mapfile generation from database caching, for distribution on the gatekeeper (carcassi)
Web interface to generate grid-mapfiles and map users (carcassi)
Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (by)

GUMS in production at BNL (carcassi)
NISMapper retrieves the GECOS field and matches it with the certificate CN (carcassi)
Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (by)

Script to fetch users from VOMS (dtyu)
Script to map users to local accounts (tomw)


time
-b,--bypassCallout    connects directly to GUMS instead of using the callout
-i,--issuer <arg>     Fully Qualified Attribute Name Issuer, that is, the DN of the VOMS service that issued the attribute certificate
-n,--ntimes <arg>     number of times the request will be repeated
--help                print this message

Service mapping generation commands

gums-host mapUser

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: grid12345]

[root@mygk bin]# gums-host mapUser -s "/DC=org/DC=doegrids/OU=Service/CN=mygk.mysite.com" -f "/myvo/Role=role1" -i "/DC=org/DC=doegrids/OU=Service/CN=voms.mysite.com" "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"
LocalId[userName: special1]

gums generateGridMapfile

[root@mygk bin]# gums-host generateGridMapfile
#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Michela Biglietti 4798" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Miguel De Oliveira Branco 2423" usatlas1
"/C=CH/O=CERN/OU=GRID/CN=Shulamit Moed 9840" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Aldo Saavedra 942457" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alexandre V Vaniachine 778117" usatlas1

gums generateGrid3UserVoMap

[root@mygk bin]# gums-host generateGrid3UserVoMap
#User-VO map
# #comment line, format of each regular line, <account> <VO>
# Next 2 lines with VO names, same order, all lowercase, with case (lines starting with #voi, #VOc)
#voi usatlas ivdgl ligo btev uscms sdss gridex grase
#VOc ATLAS iVDgL LIGO BTeV CMS SDSS GRIDEX GRASE
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
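The two files above are what a gatekeeper actually enforces once they are copied into place, so a site administrator wants to check that they agree with each other before the cron job installs them. The following parser and consistency check is an added example written for this page, not GUMS code; its sample inputs are constructed from the command output shown above and trimmed to a few lines. It parses a grid-mapfile (quoted DN, local account), parses a grid3-user-vo-map.txt body (the #voi header and account/VO lines), rejects a DN mapped to two different accounts, and reports accounts that the grid-mapfile can hand a job to but that no VO is attributed to in the user-VO map.

```python
import re

# Constructed sample of the two files GUMS generates for a gatekeeper,
# trimmed from the command output shown above (the DNs are taken from it).
SAMPLE_GRIDMAP = """#---- members of vo: usatlas ----
"/C=CH/O=CERN/OU=GRID/CN=Frederik Orellana 5894" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Alden Stradling 409738" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345" grid12345
"""

SAMPLE_USER_VO_MAP = """#User-VO map
# #comment line, format of each regular line, <account> <VO>
#voi usatlas ivdgl
#VOc ATLAS iVDgL
#---- accounts for vo: usatlas ----
usatlas1 usatlas
#---- accounts for vo: ivdgl ----
ivdgl ivdgl
"""

# A grid-mapfile entry is a double-quoted DN followed by one local account.
GRIDMAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<account>\S+)\s*$')


def parse_gridmapfile(text):
    """Return {dn: account}. A DN mapped to two different accounts is an
    error: the gatekeeper would silently honour whichever line comes first."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if m is None:
            raise ValueError(f"grid-mapfile line {lineno}: unparsable: {line!r}")
        dn, account = m.group("dn"), m.group("account")
        if dn in mapping and mapping[dn] != account:
            raise ValueError(f"grid-mapfile line {lineno}: {dn} already mapped to {mapping[dn]}")
        mapping[dn] = account
    return mapping


def parse_user_vo_map(text):
    """Return (vo_names, {account: vo}). vo_names comes from the '#voi'
    header line; every data line must name one of those VOs."""
    vo_names, account_vo = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#voi"):
            vo_names = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"user-vo-map line {lineno}: expected 'account VO': {line!r}")
        account, vo = parts
        if vo not in vo_names:
            raise ValueError(f"user-vo-map line {lineno}: VO {vo!r} not declared in #voi")
        account_vo[account] = vo
    return vo_names, account_vo


def unlabelled_accounts(gridmap_text, user_vo_map_text):
    """Accounts the grid-mapfile can hand a job to but that the user-VO map
    attributes to no VO (sorted so the result is stable)."""
    mapping = parse_gridmapfile(gridmap_text)
    _, account_vo = parse_user_vo_map(user_vo_map_text)
    return sorted(set(mapping.values()) - set(account_vo))


if __name__ == "__main__":
    # With the constructed samples, grid12345 is mapped but has no VO label.
    print(unlabelled_accounts(SAMPLE_GRIDMAP, SAMPLE_USER_VO_MAP))
```

Running the check on the samples reports grid12345: jobs can land in that account, but accounting and monitoring that rely on the user-VO map cannot attribute them to a VO. The same two parsers can be pointed at the files a cron job is about to install.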

1.3.3 GUMS logs

GUMS Logs

Administrators log (gums-service-admin.log)

Developers log

Site security log

[root@atlasgrid13 log]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

1.3.3.1 Logging implementation details

Log implementation details

Administrators log

Developers log

Site security log

1.4 Site integration

Integrating GUMS and site services

If you choose to print this, you might also want to print the code to which the online version of this article links.

Changing storage for GUMS data

throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />

Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");
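The three fragments above are the hooks a site extends: a storage back end, a mapping policy made of groups and account mappers, and a group class that may be able to answer "is this DN a member?" without being able to list its members. The model below is an added example written for this page, not GUMS code, and it is in Python rather than Java so it can be run on its own; all class and method names in it are assumptions. It shows the two paths a policy serves and why they can disagree: the on-demand path (the mapUser command) asks each group in order and returns the first mapper's answer, while the static path (generateGridMapfile) can only enumerate groups that support it and must skip the rest without aborting the whole file, the behaviour the changelog describes as a failed update on one group not blocking the others. The manual group refuses a double add and the pool mapper hands out accounts in alphabetical order, both also described in the changelog.

```python
class UserGroup:
    """Base of the toy group hierarchy: membership questions are always
    answered, listing members is optional (assumed names, not GUMS's)."""

    def is_member(self, dn):
        raise NotImplementedError

    def get_members(self):
        # Same contract as the Java snippet above: a group that cannot be
        # listed raises instead of returning an empty list.
        raise NotImplementedError("Group cannot be enumerated")


class ManualUserGroup(UserGroup):
    """Members entered by hand; adding the same DN twice fails."""

    def __init__(self, dns=()):
        self._dns = []
        for dn in dns:
            self.add(dn)

    def add(self, dn):
        if dn in self._dns:
            raise ValueError(f"{dn} is already a member")
        self._dns.append(dn)

    def is_member(self, dn):
        return dn in self._dns

    def get_members(self):
        return list(self._dns)


class LookupUserGroup(UserGroup):
    """Membership decided by an external predicate (think of a directory
    lookup); it can be queried per DN but not enumerated."""

    def __init__(self, predicate):
        self._predicate = predicate

    def is_member(self, dn):
        return self._predicate(dn)


class GroupAccountMapper:
    """Every member of the group gets one shared account, like the
    accountMapping element quoted above does for groupName="test"."""

    def __init__(self, account):
        self.account = account

    def map(self, dn):
        return self.account


class PoolAccountMapper:
    """Hands out pool accounts in alphabetical order and remembers each
    assignment, so a DN keeps the account it was given."""

    def __init__(self, accounts):
        self._free = sorted(accounts)
        self._assigned = {}

    def map(self, dn):
        if dn not in self._assigned:
            if not self._free:
                raise RuntimeError("account pool exhausted")
            self._assigned[dn] = self._free.pop(0)
        return self._assigned[dn]


class HostPolicy:
    """Ordered (group, mapper) pairs for one gatekeeper."""

    def __init__(self, entries):
        self.entries = list(entries)

    def map_user(self, dn):
        # On-demand path (mapUser): the first group claiming the DN wins.
        for group, mapper in self.entries:
            if group.is_member(dn):
                return mapper.map(dn)
        return None

    def generate_gridmapfile(self):
        # Static path (generateGridMapfile): enumerate what can be
        # enumerated, skip the rest, and emit each DN only once.
        lines, skipped, seen = [], [], set()
        for group, mapper in self.entries:
            try:
                members = group.get_members()
            except NotImplementedError as err:
                skipped.append(f"{type(group).__name__}: {err}")
                continue
            for dn in members:
                if dn not in seen:
                    seen.add(dn)
                    lines.append(f'"{dn}" {mapper.map(dn)}')
        return lines, skipped


def example_policy():
    """Constructed policy: one manual group, one lookup-only CERN group."""
    manual = ManualUserGroup(["/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi 12345"])
    cern = LookupUserGroup(lambda dn: dn.startswith("/C=CH/O=CERN/"))
    return HostPolicy([(manual, GroupAccountMapper("special1")),
                       (cern, PoolAccountMapper(["usatlas2", "usatlas1"]))])
```

With the constructed policy, map_user answers for CERN DNs (usatlas1 first, then usatlas2) but the generated grid-mapfile contains only the manual group's entry and reports the CERN group as skipped. That gap is the practical point for a site: a gatekeeper that relies on the static file will refuse DNs that the live callout would map, so a group that cannot be enumerated should be listed only on hosts that use the callout, or the skipped list should be checked every time the cron job regenerates the maps.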


1.5 FAQ

Frequently Asked Questions

General
Using GUMS
Building GUMS
Comparing GUMS with other tools

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips
Access problems

General tips

Access problems

GUMS encountered an error. Error Type: gov.bnl.gums.admin.AuthorizationDeniedException. Error Message: Authorization denied

$VDT_LOCATION/apache/logs: [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate
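The two messages above come from different layers, and telling them apart is the first step of any access problem: the Apache line means the TLS handshake itself failed (the issuer CA of the client certificate is not installed on the server, so the DN was never established), while the GUMS exception means the DN was authenticated and then rejected by the mapping policy. The small classifier below is an added example written for this page, not GUMS or VDT code; its sample lines are constructed from the two quoted messages, and the timestamps, the second Apache line and the log-line layout are assumptions. It tags each line with the layer that produced the failure and counts them so the administrator knows which layer to look at first.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two messages quoted above; the
# timestamps, the second line and the log-line layout are assumptions.
SAMPLE_LINES = [
    "[Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate",
    "[Tue Jun 07 15:02:51 2005] [error] Certificate Verification: Error (10): certificate has expired",
    "GUMS encountered an error. Error Type: gov.bnl.gums.admin.AuthorizationDeniedException. Error Message: Authorization denied",
]

# OpenSSL X509 verify result codes as they appear in mod_ssl's error log.
VERIFY_ERRORS = {
    20: "trust chain: issuer CA certificate not installed in the server's CA directory",
    10: "client certificate has expired",
}

APACHE_VERIFY = re.compile(r"Certificate Verification: Error \((?P<code>\d+)\)")
GUMS_DENIED = re.compile(r"Error Type: (?P<exc>[\w.]*AuthorizationDeniedException)")


def classify(line):
    """Return (stage, detail): 'authentication' for a TLS handshake failure
    logged by Apache, 'authorization' for GUMS rejecting an authenticated DN,
    or (None, None) for any other line."""
    m = APACHE_VERIFY.search(line)
    if m:
        code = int(m.group("code"))
        return "authentication", VERIFY_ERRORS.get(code, f"X509 verify error {code}")
    m = GUMS_DENIED.search(line)
    if m:
        return "authorization", f"DN accepted by TLS but not authorized by GUMS ({m.group('exc')})"
    return None, None


def summarize(lines):
    """Count classified lines per (stage, detail); unclassified lines are dropped."""
    return Counter(c for c in map(classify, lines) if c[0] is not None)


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LINES).items():
        print(count, *key)
```

A run over the samples yields two authentication failures and one authorization failure. Error (20) is fixed on the server side by installing the issuing CA in the directory Apache verifies against; the GUMS exception is fixed in the mapping policy or the host's entry in gums.config, not in the CA directory.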


1.7 Changes

Release History

Version  Date  Description
1.1.0  2005-07-20
1.0.1  2005-04-07
1.0.0  2005-03-16
0.7.1  2005-02-01
0.7  2005-01-14
0.6.1  2004-08-10
0.6  2004-07-01
0.5  2004-05-20
undetermined  before March 2004

Release 1.1.0 - 2005-07-20

Changes (by)

Review of the GUMS Maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
Fix Tomcat deployment in the build (i.e. the dev server being down once in a while) (carcassi)
Mapping according to the GECOS field available in both NIS and LDAP (carcassi)
One can filter on the full CN of a host certificate (carcassi)
The Service Certificate DN is now the identifier for hosts and machines (carcassi)
Release version in the command line (carcassi)
If gums.config isn't found the first time, a Tomcat restart was needed (carcassi)
Minor updates to the web interface (carcassi)
VOMS Admin v1.0.x (gLite) compatibility (carcassi)
Support for the mapfile cache terminated; web service door only (carcassi)
FQAN allows for '-', '_' and '.' in the VO, group, role and capability (carcassi)
DB reviewed: better indexing and transaction use (carcassi)
Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (by)

Including setupDatabase with the modification made for VDT (carcassi)
The gums-client rpm now obsoletes gums-host and gums-admin (no need to remove the package) (carcassi)
The error code from the scripts was incorrect, which caused the cron job to update the maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (by)

Repackaging of the client components: merged admin and host and named it client (carcassi)
Fixed minor issues with authorization obligations for the storage system (mlorch)
Double add to a manual group now fails (carcassi)
Script that creates the database and changes the configuration accordingly (carcassi)
Repackaging of the service component (carcassi)
Server identity is now the GUMS host name (carcassi)
GUMS accepts new style proxies (carcassi)
The accounts in the pool are used in alphabetical order (carcassi)
Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
Gridmapfile is generated simulating users with no FQAN (carcassi)
LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (by)

Log names reviewed so that both client and server logs can stay (through links) in the same directory (carcassi)
NIS update is done every hour and is now thread safe (carcassi)
Log file permissions for the command line tools are set so multiple users can use them (important for admin) (carcassi)
GUMS host can now be used for stress testing and timing the server response (carcassi)


16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

1 6 T R O U B L E S H O O T I N G F A Q 62

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Access problems

GUMS encountered an errorError Type govbnlgumsadminAuthorizationDeniedExceptionError Message Authorization denied

VDT_LOCATIONapachelogs[Tue Jun 07 150245 2005] [error] Certificate Verification Error (20) unableto get local issuer certificate

1 6 T R O U B L E S H O O T I N G F A Q 63

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

17 Changes

Release History

Version Date Description

110 2005-07-20

101 2005-04-07

100 2005-03-16

071 2005-02-01

07 2005-01-14

061 2004-08-10

06 2004-07-01

05 2004-05-20

undetermined before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 100 - 2005-03-16

Type Changes By

Repackaging of the client componentsmerged admin and host and named it client

carcassi

Fixed minor issues with authorizationobligations for storage system

mlorch

Double add to a manual group now fails carcassi

1 7 C H A N G E S 65

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script that creates the database and changesthe configuration accordingly

carcassi

Repackaging of the service component carcassi

Server identity is now gums host name carcassi

GUMS accept new style proxies carcassi

The accounts in the pool are used inalphabetical order

carcassi

Inverse map is now generated exploring allthe DNFQAN combinations

carcassi

Gridmapfile is generated simulating userswith no FQAN

carcassi

LDAP integration for primary gid change atBNL once an account is assigned

carcassi

Release 071 - 2005-02-01

Type Changes By

Log names review so that they both client andserver can stay (through links) in the samedirectory

carcassi

NIS update is done every hour and is nowthread safe

carcassi

Log file permission for the command line toolsare set so multiple users can use it (importantfor admin)

carcassi

GUMS host can now be used for stresstesting and timing the server response

carcassi

Added connection pooling on mysql server carcassi

Solved a race condition that would makeGUMS hang in some circumstances

carcassi

AuthZ callout without GT3 both client andserver stubs

mlorch

Added code for Privilege Project in GUMSrepository and build process

carcassi

1 7 C H A N G E S 66

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Release 07 - 2005-01-14

Type Changes By

Better logging server logs all commands withboth input and output

carcassi

More complete command line interface carcassi

Web service implementation carcassi

HostWildcards can be more than one commaseparated

carcassi

Support for VOMS Fully Qualified Attributenames

carcassi

AuthZ service to be contacted by Globuscallout

carcassi

Support for grid3-user-vo-maptxt generation carcassi

Many many other refinements carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi

1 7 C H A N G E S 67

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Installation through RPMs (cron jobs installedautomatically)

carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 06 - 2004-07-01

Type Changes By

XML configuration file for mapping policy carcassi

Log infrastructure carcassi

More flexible architecture carcassi

Decoupled grid-mapfile generation fromdatabase caching for distribution ongatekeeper

carcassi

Web interface to generate grid-mapfiles andmap users

carcassi

Better command line interfaces (feel like Unixcommands)

carcassi

Release 05 - 2004-05-20

Type Changes By

GUMS in production at BNL carcassi

NISMapperretrieves the GECOS field andmatches with certificate CN

carcassi

Architecture to allow different type ofmappings for different hosts

carcassi

Release undetermined - before March 2004

1 7 C H A N G E S 68

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Page 59: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

1331 Logging implementation details

Log implementation details

Administrators log

Developers log

1 3 3 1 L O G G I N G I M P L E M E N T A T I O N D E T A I L S 54

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Site security log

1 3 3 1 L O G G I N G I M P L E M E N T A T I O N D E T A I L S 55

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

14 Site integration

Integrating GUMS and site services

if you choose to print this you might alsowant to print the code to which the online version of this article links

Changing storage for GUMS data

1 4 S I T E I N T E G R A T I O N 56

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

throw new javalangUnsupportedOperationException()

Creating a mapping policy

ltaccountMapping className=govbnlgumsGroupAccountMapper groupName=test gt

1 4 S I T E I N T E G R A T I O N 57

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Creating a group

throw new javalangUnsupportedOperationException(Group cannot be enumerated)

1 4 S I T E I N T E G R A T I O N 58

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

15 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

1 5 F A Q 59

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Using GUMS

Building GUMS

Comparing GUMS with other tools

1 5 F A Q 60

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1 5 F A Q 61

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

1 6 T R O U B L E S H O O T I N G F A Q 62

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Access problems

GUMS encountered an errorError Type govbnlgumsadminAuthorizationDeniedExceptionError Message Authorization denied

VDT_LOCATIONapachelogs[Tue Jun 07 150245 2005] [error] Certificate Verification Error (20) unableto get local issuer certificate

1 6 T R O U B L E S H O O T I N G F A Q 63

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

17 Changes

Release History

Version Date Description

110 2005-07-20

101 2005-04-07

100 2005-03-16

071 2005-02-01

07 2005-01-14

061 2004-08-10

06 2004-07-01

05 2004-05-20

undetermined before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 100 - 2005-03-16

Type Changes By

Repackaging of the client componentsmerged admin and host and named it client

carcassi

Fixed minor issues with authorizationobligations for storage system

mlorch

Double add to a manual group now fails carcassi

1 7 C H A N G E S 65

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script that creates the database and changesthe configuration accordingly

carcassi

Repackaging of the service component carcassi

Server identity is now gums host name carcassi

GUMS accept new style proxies carcassi

The accounts in the pool are used inalphabetical order

carcassi

Inverse map is now generated exploring allthe DNFQAN combinations

carcassi

Gridmapfile is generated simulating userswith no FQAN

carcassi

LDAP integration for primary gid change atBNL once an account is assigned

carcassi

Release 071 - 2005-02-01

Type Changes By

Log names review so that they both client andserver can stay (through links) in the samedirectory

carcassi

NIS update is done every hour and is nowthread safe

carcassi

Log file permission for the command line toolsare set so multiple users can use it (importantfor admin)

carcassi

GUMS host can now be used for stresstesting and timing the server response

carcassi

Added connection pooling on mysql server carcassi

Solved a race condition that would makeGUMS hang in some circumstances

carcassi

AuthZ callout without GT3 both client andserver stubs

mlorch

Added code for Privilege Project in GUMSrepository and build process

carcassi

1 7 C H A N G E S 66

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Release 07 - 2005-01-14

Type Changes By

Better logging server logs all commands withboth input and output

carcassi

More complete command line interface carcassi

Web service implementation carcassi

HostWildcards can be more than one commaseparated

carcassi

Support for VOMS Fully Qualified Attributenames

carcassi

AuthZ service to be contacted by Globuscallout

carcassi

Support for grid3-user-vo-maptxt generation carcassi

Many many other refinements carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi

1 7 C H A N G E S 67

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Installation through RPMs (cron jobs installedautomatically)

carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 06 - 2004-07-01

Type Changes By

XML configuration file for mapping policy carcassi

Log infrastructure carcassi

More flexible architecture carcassi

Decoupled grid-mapfile generation fromdatabase caching for distribution ongatekeeper

carcassi

Web interface to generate grid-mapfiles andmap users

carcassi

Better command line interfaces (feel like Unixcommands)

carcassi

Release 05 - 2004-05-20

Type Changes By

GUMS in production at BNL carcassi

NISMapperretrieves the GECOS field andmatches with certificate CN

carcassi

Architecture to allow different type ofmappings for different hosts

carcassi

Release undetermined - before March 2004

1 7 C H A N G E S 68

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Page 60: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

Site security log

1 3 3 1 L O G G I N G I M P L E M E N T A T I O N D E T A I L S 55

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

14 Site integration

Integrating GUMS and site services

if you choose to print this you might alsowant to print the code to which the online version of this article links

Changing storage for GUMS data

1 4 S I T E I N T E G R A T I O N 56

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

throw new javalangUnsupportedOperationException()

Creating a mapping policy

ltaccountMapping className=govbnlgumsGroupAccountMapper groupName=test gt

1 4 S I T E I N T E G R A T I O N 57

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Creating a group

throw new javalangUnsupportedOperationException(Group cannot be enumerated)

1 4 S I T E I N T E G R A T I O N 58

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

15 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

1 5 F A Q 59

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Using GUMS

Building GUMS

Comparing GUMS with other tools

1 5 F A Q 60

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1 5 F A Q 61

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

1 6 T R O U B L E S H O O T I N G F A Q 62

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Access problems

GUMS encountered an errorError Type govbnlgumsadminAuthorizationDeniedExceptionError Message Authorization denied

VDT_LOCATIONapachelogs[Tue Jun 07 150245 2005] [error] Certificate Verification Error (20) unableto get local issuer certificate

1 6 T R O U B L E S H O O T I N G F A Q 63

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

17 Changes

Release History

Version Date Description

110 2005-07-20

101 2005-04-07

100 2005-03-16

071 2005-02-01

07 2005-01-14

061 2004-08-10

06 2004-07-01

05 2004-05-20

undetermined before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 100 - 2005-03-16

Type Changes By

Repackaging of the client componentsmerged admin and host and named it client

carcassi

Fixed minor issues with authorizationobligations for storage system

mlorch

Double add to a manual group now fails carcassi

1 7 C H A N G E S 65

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script that creates the database and changesthe configuration accordingly

carcassi

Repackaging of the service component carcassi

Server identity is now gums host name carcassi

GUMS accept new style proxies carcassi

The accounts in the pool are used inalphabetical order

carcassi

Inverse map is now generated exploring allthe DNFQAN combinations

carcassi

Gridmapfile is generated simulating userswith no FQAN

carcassi

LDAP integration for primary gid change atBNL once an account is assigned

carcassi

Release 071 - 2005-02-01

Type Changes By

Log names review so that they both client andserver can stay (through links) in the samedirectory

carcassi

NIS update is done every hour and is nowthread safe

carcassi

Log file permission for the command line toolsare set so multiple users can use it (importantfor admin)

carcassi

GUMS host can now be used for stresstesting and timing the server response

carcassi

Added connection pooling on mysql server carcassi

Solved a race condition that would makeGUMS hang in some circumstances

carcassi

AuthZ callout without GT3 both client andserver stubs

mlorch

Added code for Privilege Project in GUMSrepository and build process

carcassi

1 7 C H A N G E S 66

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Release 07 - 2005-01-14

Type Changes By

Better logging server logs all commands withboth input and output

carcassi

More complete command line interface carcassi

Web service implementation carcassi

HostWildcards can be more than one commaseparated

carcassi

Support for VOMS Fully Qualified Attributenames

carcassi

AuthZ service to be contacted by Globuscallout

carcassi

Support for grid3-user-vo-maptxt generation carcassi

Many many other refinements carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi

1 7 C H A N G E S 67

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Installation through RPMs (cron jobs installedautomatically)

carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 06 - 2004-07-01

Type Changes By

XML configuration file for mapping policy carcassi

Log infrastructure carcassi

More flexible architecture carcassi

Decoupled grid-mapfile generation fromdatabase caching for distribution ongatekeeper

carcassi

Web interface to generate grid-mapfiles andmap users

carcassi

Better command line interfaces (feel like Unixcommands)

carcassi

Release 05 - 2004-05-20

Type Changes By

GUMS in production at BNL carcassi

NISMapperretrieves the GECOS field andmatches with certificate CN

carcassi

Architecture to allow different type ofmappings for different hosts

carcassi

Release undetermined - before March 2004

1 7 C H A N G E S 68

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Page 61: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

14 Site integration

Integrating GUMS and site services

if you choose to print this you might alsowant to print the code to which the online version of this article links

Changing storage for GUMS data

1 4 S I T E I N T E G R A T I O N 56

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

throw new javalangUnsupportedOperationException()

Creating a mapping policy

ltaccountMapping className=govbnlgumsGroupAccountMapper groupName=test gt

1 4 S I T E I N T E G R A T I O N 57

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Creating a group

throw new javalangUnsupportedOperationException(Group cannot be enumerated)

1 4 S I T E I N T E G R A T I O N 58

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

15 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

1 5 F A Q 59

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Using GUMS

Building GUMS

Comparing GUMS with other tools

1 5 F A Q 60

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1 5 F A Q 61

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

1 6 T R O U B L E S H O O T I N G F A Q 62

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Access problems

GUMS encountered an errorError Type govbnlgumsadminAuthorizationDeniedExceptionError Message Authorization denied

VDT_LOCATIONapachelogs[Tue Jun 07 150245 2005] [error] Certificate Verification Error (20) unableto get local issuer certificate

1 6 T R O U B L E S H O O T I N G F A Q 63

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

17 Changes

Release History

Version Date Description

110 2005-07-20

101 2005-04-07

100 2005-03-16

071 2005-02-01

07 2005-01-14

061 2004-08-10

06 2004-07-01

05 2004-05-20

undetermined before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 100 - 2005-03-16

Type Changes By

Repackaging of the client componentsmerged admin and host and named it client

carcassi

Fixed minor issues with authorizationobligations for storage system

mlorch

Double add to a manual group now fails carcassi

1 7 C H A N G E S 65

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script that creates the database and changesthe configuration accordingly

carcassi

Repackaging of the service component carcassi

Server identity is now gums host name carcassi

GUMS accept new style proxies carcassi

The accounts in the pool are used inalphabetical order

carcassi

Inverse map is now generated exploring allthe DNFQAN combinations

carcassi

Gridmapfile is generated simulating userswith no FQAN

carcassi

LDAP integration for primary gid change atBNL once an account is assigned

carcassi

Release 071 - 2005-02-01

Type Changes By

Log names review so that they both client andserver can stay (through links) in the samedirectory

carcassi

NIS update is done every hour and is nowthread safe

carcassi

Log file permission for the command line toolsare set so multiple users can use it (importantfor admin)

carcassi

GUMS host can now be used for stresstesting and timing the server response

carcassi

Added connection pooling on mysql server carcassi

Solved a race condition that would makeGUMS hang in some circumstances

carcassi

AuthZ callout without GT3 both client andserver stubs

mlorch

Added code for Privilege Project in GUMSrepository and build process

carcassi

1 7 C H A N G E S 66

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Release 07 - 2005-01-14

Type Changes By

Better logging server logs all commands withboth input and output

carcassi

More complete command line interface carcassi

Web service implementation carcassi

HostWildcards can be more than one commaseparated

carcassi

Support for VOMS Fully Qualified Attributenames

carcassi

AuthZ service to be contacted by Globuscallout

carcassi

Support for grid3-user-vo-maptxt generation carcassi

Many many other refinements carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi

1 7 C H A N G E S 67

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Installation through RPMs (cron jobs installedautomatically)

carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 0.6 - 2004-07-01

Changes | By
XML configuration file for mapping policy | carcassi
Log infrastructure | carcassi
More flexible architecture | carcassi
Decoupled grid-mapfile generation from database caching, for distribution on gatekeeper | carcassi
Web interface to generate grid-mapfiles and map users | carcassi
Better command line interfaces (feel like Unix commands) | carcassi

Release 0.5 - 2004-05-20

Changes | By
GUMS in production at BNL | carcassi
NISMapper retrieves the GECOS field and matches it with the certificate CN | carcassi
Architecture to allow different types of mappings for different hosts | carcassi

Release undetermined - before March 2004


Changes | By
Script to fetch user from VOMS | dtyu
Script to map user to local account | tomw


throw new java.lang.UnsupportedOperationException();

Creating a mapping policy

<accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="test" />


Creating a group

throw new java.lang.UnsupportedOperationException("Group cannot be enumerated");


1.5 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General


Using GUMS

Building GUMS

Comparing GUMS with other tools


1.6 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips


Access problems

GUMS encountered an error. Error Type: gov.bnl.gums.admin.AuthorizationDeniedException. Error Message: Authorization denied

$VDT_LOCATION/apache/logs: [Tue Jun 07 15:02:45 2005] [error] Certificate Verification: Error (20): unable to get local issuer certificate


1.7 Changes

Release History

Version | Date
1.1.0 | 2005-07-20
1.0.1 | 2005-04-07
1.0.0 | 2005-03-16
0.7.1 | 2005-02-01
0.7 | 2005-01-14
0.6.1 | 2004-08-10
0.6 | 2004-07-01
0.5 | 2004-05-20
undetermined | before March 2004

Release 1.1.0 - 2005-07-20

Changes | By
Review GUMS maven structure (i.e. plug-in dependencies, project.xml) | carcassi
Fix tomcat deployment in build (i.e. dev server being down once in a while) | carcassi
Mapping according to GECOS field available in both NIS and LDAP | carcassi
One can filter on the full CN of a host certificate | carcassi
The Service Certificate DN is now the identifier for hosts and machines | carcassi
Release version in command line | carcassi


If gums.config isn't found the first time, a tomcat restart was needed | carcassi
Minor updates to the web interface | carcassi
VOMS Admin v1.0.x (gLite) compatibility | carcassi
Support for mapfile cache terminated: web service door only | carcassi
FQAN allows for '-', '_' and '.' in the VO, group, role and capability | carcassi
DB reviewed: better indexing and transaction use | carcassi
Updating from VOMS is no longer blocking | carcassi

Release 1.0.1 - 2005-04-07

Changes | By
Including setupDatabase with the modifications made for VDT | carcassi
gums-client rpm now obsoletes gums-host and gums-admin (no need to remove the packages) | carcassi
Error code from scripts was incorrect, which caused the cron job to update maps in case of error too | carcassi

Release 1.0.0 - 2005-03-16

Changes | By
Repackaging of the client components: merged admin and host and named it client | carcassi
Fixed minor issues with authorization obligations for storage system | mlorch
Double add to a manual group now fails | carcassi


Script that creates the database and changes the configuration accordingly | carcassi
Repackaging of the service component | carcassi
Server identity is now the gums host name | carcassi
GUMS accepts new style proxies | carcassi
The accounts in the pool are used in alphabetical order | carcassi
Inverse map is now generated exploring all the DN/FQAN combinations | carcassi
Grid-mapfile is generated simulating users with no FQAN | carcassi
LDAP integration for primary gid change at BNL once an account is assigned | carcassi

Release 0.7.1 - 2005-02-01

Changes | By
Log names reviewed so that both client and server logs can stay (through links) in the same directory | carcassi
NIS update is done every hour and is now thread safe | carcassi
Log file permissions for the command line tools are set so multiple users can use them (important for admin) | carcassi
GUMS host can now be used for stress testing and timing the server response | carcassi
Added connection pooling on mysql server | carcassi
Solved a race condition that would make GUMS hang in some circumstances | carcassi
AuthZ callout without GT3: both client and server stubs | mlorch
Added code for Privilege Project in GUMS repository and build process | carcassi

1 7 C H A N G E S 66

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Release 07 - 2005-01-14

Type Changes By

Better logging server logs all commands withboth input and output

carcassi

More complete command line interface carcassi

Web service implementation carcassi

HostWildcards can be more than one commaseparated

carcassi

Support for VOMS Fully Qualified Attributenames

carcassi

AuthZ service to be contacted by Globuscallout

carcassi

Support for grid3-user-vo-maptxt generation carcassi

Many many other refinements carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi

1 7 C H A N G E S 67

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Installation through RPMs (cron jobs installedautomatically)

carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 06 - 2004-07-01

Type Changes By

XML configuration file for mapping policy carcassi

Log infrastructure carcassi

More flexible architecture carcassi

Decoupled grid-mapfile generation fromdatabase caching for distribution ongatekeeper

carcassi

Web interface to generate grid-mapfiles andmap users

carcassi

Better command line interfaces (feel like Unixcommands)

carcassi

Release 05 - 2004-05-20

Type Changes By

GUMS in production at BNL carcassi

NISMapperretrieves the GECOS field andmatches with certificate CN

carcassi

Architecture to allow different type ofmappings for different hosts

carcassi

Release undetermined - before March 2004

1 7 C H A N G E S 68

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Page 63: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

Creating a group

throw new javalangUnsupportedOperationException(Group cannot be enumerated)

1 4 S I T E I N T E G R A T I O N 58

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

15 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

1 5 F A Q 59

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Using GUMS

Building GUMS

Comparing GUMS with other tools

1 5 F A Q 60

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1 5 F A Q 61

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

1 6 T R O U B L E S H O O T I N G F A Q 62

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Access problems

GUMS encountered an errorError Type govbnlgumsadminAuthorizationDeniedExceptionError Message Authorization denied

VDT_LOCATIONapachelogs[Tue Jun 07 150245 2005] [error] Certificate Verification Error (20) unableto get local issuer certificate

1 6 T R O U B L E S H O O T I N G F A Q 63

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

17 Changes

Release History

Version Date Description

110 2005-07-20

101 2005-04-07

100 2005-03-16

071 2005-02-01

07 2005-01-14

061 2004-08-10

06 2004-07-01

05 2004-05-20

undetermined before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 100 - 2005-03-16

Type Changes By

Repackaging of the client componentsmerged admin and host and named it client

carcassi

Fixed minor issues with authorizationobligations for storage system

mlorch

Double add to a manual group now fails carcassi

1 7 C H A N G E S 65

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script that creates the database and changesthe configuration accordingly

carcassi

Repackaging of the service component carcassi

Server identity is now gums host name carcassi

GUMS accept new style proxies carcassi

The accounts in the pool are used inalphabetical order

carcassi

Inverse map is now generated exploring allthe DNFQAN combinations

carcassi

Gridmapfile is generated simulating userswith no FQAN

carcassi

LDAP integration for primary gid change atBNL once an account is assigned

carcassi

Release 071 - 2005-02-01

Type Changes By

Log names review so that they both client andserver can stay (through links) in the samedirectory

carcassi

NIS update is done every hour and is nowthread safe

carcassi

Log file permission for the command line toolsare set so multiple users can use it (importantfor admin)

carcassi

GUMS host can now be used for stresstesting and timing the server response

carcassi

Added connection pooling on mysql server carcassi

Solved a race condition that would makeGUMS hang in some circumstances

carcassi

AuthZ callout without GT3 both client andserver stubs

mlorch

Added code for Privilege Project in GUMSrepository and build process

carcassi

1 7 C H A N G E S 66

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Release 07 - 2005-01-14

Type Changes By

Better logging server logs all commands withboth input and output

carcassi

More complete command line interface carcassi

Web service implementation carcassi

HostWildcards can be more than one commaseparated

carcassi

Support for VOMS Fully Qualified Attributenames

carcassi

AuthZ service to be contacted by Globuscallout

carcassi

Support for grid3-user-vo-maptxt generation carcassi

Many many other refinements carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi

1 7 C H A N G E S 67

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Installation through RPMs (cron jobs installedautomatically)

carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 06 - 2004-07-01

Type Changes By

XML configuration file for mapping policy carcassi

Log infrastructure carcassi

More flexible architecture carcassi

Decoupled grid-mapfile generation fromdatabase caching for distribution ongatekeeper

carcassi

Web interface to generate grid-mapfiles andmap users

carcassi

Better command line interfaces (feel like Unixcommands)

carcassi

Release 05 - 2004-05-20

Type Changes By

GUMS in production at BNL carcassi

NISMapperretrieves the GECOS field andmatches with certificate CN

carcassi

Architecture to allow different type ofmappings for different hosts

carcassi

Release undetermined - before March 2004

1 7 C H A N G E S 68

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Page 64: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

15 FAQ

Frequently Asked Questions

General

Using GUMS

Building GUMS

Comparing GUMS with other tools

General

1 5 F A Q 59

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Using GUMS

Building GUMS

Comparing GUMS with other tools

1 5 F A Q 60

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1 5 F A Q 61

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

1 6 T R O U B L E S H O O T I N G F A Q 62

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Access problems

GUMS encountered an errorError Type govbnlgumsadminAuthorizationDeniedExceptionError Message Authorization denied

VDT_LOCATIONapachelogs[Tue Jun 07 150245 2005] [error] Certificate Verification Error (20) unableto get local issuer certificate

1 6 T R O U B L E S H O O T I N G F A Q 63

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

17 Changes

Release History

Version Date Description

110 2005-07-20

101 2005-04-07

100 2005-03-16

071 2005-02-01

07 2005-01-14

061 2004-08-10

06 2004-07-01

05 2004-05-20

undetermined before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 100 - 2005-03-16

Type Changes By

Repackaging of the client componentsmerged admin and host and named it client

carcassi

Fixed minor issues with authorizationobligations for storage system

mlorch

Double add to a manual group now fails carcassi

1 7 C H A N G E S 65

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script that creates the database and changesthe configuration accordingly

carcassi

Repackaging of the service component carcassi

Server identity is now gums host name carcassi

GUMS accept new style proxies carcassi

The accounts in the pool are used inalphabetical order

carcassi

Inverse map is now generated exploring allthe DNFQAN combinations

carcassi

Gridmapfile is generated simulating userswith no FQAN

carcassi

LDAP integration for primary gid change atBNL once an account is assigned

carcassi

Release 071 - 2005-02-01

Type Changes By

Log names review so that they both client andserver can stay (through links) in the samedirectory

carcassi

NIS update is done every hour and is nowthread safe

carcassi

Log file permission for the command line toolsare set so multiple users can use it (importantfor admin)

carcassi

GUMS host can now be used for stresstesting and timing the server response

carcassi

Added connection pooling on mysql server carcassi

Solved a race condition that would makeGUMS hang in some circumstances

carcassi

AuthZ callout without GT3 both client andserver stubs

mlorch

Added code for Privilege Project in GUMSrepository and build process

carcassi

1 7 C H A N G E S 66

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Release 07 - 2005-01-14

Type Changes By

Better logging server logs all commands withboth input and output

carcassi

More complete command line interface carcassi

Web service implementation carcassi

HostWildcards can be more than one commaseparated

carcassi

Support for VOMS Fully Qualified Attributenames

carcassi

AuthZ service to be contacted by Globuscallout

carcassi

Support for grid3-user-vo-maptxt generation carcassi

Many many other refinements carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi

1 7 C H A N G E S 67

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Installation through RPMs (cron jobs installedautomatically)

carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 06 - 2004-07-01

Type Changes By

XML configuration file for mapping policy carcassi

Log infrastructure carcassi

More flexible architecture carcassi

Decoupled grid-mapfile generation fromdatabase caching for distribution ongatekeeper

carcassi

Web interface to generate grid-mapfiles andmap users

carcassi

Better command line interfaces (feel like Unixcommands)

carcassi

Release 05 - 2004-05-20

Type Changes By

GUMS in production at BNL carcassi

NISMapperretrieves the GECOS field andmatches with certificate CN

carcassi

Architecture to allow different type ofmappings for different hosts

carcassi

Release undetermined - before March 2004

1 7 C H A N G E S 68

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Page 65: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

Using GUMS

Building GUMS

Comparing GUMS with other tools

1 5 F A Q 60

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

1 5 F A Q 61

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

1 6 T R O U B L E S H O O T I N G F A Q 62

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Access problems

GUMS encountered an errorError Type govbnlgumsadminAuthorizationDeniedExceptionError Message Authorization denied

VDT_LOCATIONapachelogs[Tue Jun 07 150245 2005] [error] Certificate Verification Error (20) unableto get local issuer certificate

1 6 T R O U B L E S H O O T I N G F A Q 63

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

17 Changes

Release History

Version Date Description

110 2005-07-20

101 2005-04-07

100 2005-03-16

071 2005-02-01

07 2005-01-14

061 2004-08-10

06 2004-07-01

05 2004-05-20

undetermined before March 2004

Release 110 - 2005-07-20

Type Changes By

Review GUMS maven structure (ie plug-independencies projectxml)

carcassi

Fix tomcat deployment in build (ie devserver being down once in a while)

carcassi

Mapping according to Gecos field available inboth NIS and LDAP

carcassi

One can filter on the full CN of a hostcertificate

carcassi

The Service Certificate DN is now theidentifier for hosts and machines

carcassi

Release version in command line carcassi

1 7 C H A N G E S 64

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

If gumsconfig isnt found the first time atomcat restart was needed

carcassi

Minor updates to the web interface carcassi

VOMS Admin v10x (glite) compatibility carcassi

Support for mapfile cache terminated webservice door only

carcassi

FQAN allows for - _ and in the vo grouprole and capability

carcassi

DB reviewed better indexing and transationuse

carcassi

Updating from VOMS is no longer blocking carcassi

Release 101 - 2005-04-07

Type Changes By

Including setupDatabase with the modificationmade for VDT

carcassi

gums-client rpm now obsoletes gums-hostand gums-admin (no need to remove package)

carcassi

Error code from scripts was incorrect thatcaused cron job to update maps in case oferror too

carcassi

Release 100 - 2005-03-16

Type Changes By

Repackaging of the client componentsmerged admin and host and named it client

carcassi

Fixed minor issues with authorizationobligations for storage system

mlorch

Double add to a manual group now fails carcassi

1 7 C H A N G E S 65

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script that creates the database and changesthe configuration accordingly

carcassi

Repackaging of the service component carcassi

Server identity is now gums host name carcassi

GUMS accept new style proxies carcassi

The accounts in the pool are used inalphabetical order

carcassi

Inverse map is now generated exploring allthe DNFQAN combinations

carcassi

Gridmapfile is generated simulating userswith no FQAN

carcassi

LDAP integration for primary gid change atBNL once an account is assigned

carcassi

Release 071 - 2005-02-01

Type Changes By

Log names review so that they both client andserver can stay (through links) in the samedirectory

carcassi

NIS update is done every hour and is nowthread safe

carcassi

Log file permission for the command line toolsare set so multiple users can use it (importantfor admin)

carcassi

GUMS host can now be used for stresstesting and timing the server response

carcassi

Added connection pooling on mysql server carcassi

Solved a race condition that would makeGUMS hang in some circumstances

carcassi

AuthZ callout without GT3 both client andserver stubs

mlorch

Added code for Privilege Project in GUMSrepository and build process

carcassi

1 7 C H A N G E S 66

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Release 07 - 2005-01-14

Type Changes By

Better logging server logs all commands withboth input and output

carcassi

More complete command line interface carcassi

Web service implementation carcassi

HostWildcards can be more than one commaseparated

carcassi

Support for VOMS Fully Qualified Attributenames

carcassi

AuthZ service to be contacted by Globuscallout

carcassi

Support for grid3-user-vo-maptxt generation carcassi

Many many other refinements carcassi

Release 061 - 2004-08-10

Type Changes By

Nightly build and reporting with Maven carcassi

Removed all the old code from 06 carcassi

Better log system logs for developerresource admin and site admin in place

carcassi

Ability to retrieve groups from within a VOMSserver (finally)

carcassi

No more duplication in the mapfiles carcassi

Improved database caching for grid-mapfileyou specify on the server which gatekeepermaps should be generated

carcassi

Improved error handling (ie a failed updateon one group doesnt block the others)

carcassi

1 7 C H A N G E S 67

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Installation through RPMs (cron jobs installedautomatically)

carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 06 - 2004-07-01

Type Changes By

XML configuration file for mapping policy carcassi

Log infrastructure carcassi

More flexible architecture carcassi

Decoupled grid-mapfile generation fromdatabase caching for distribution ongatekeeper

carcassi

Web interface to generate grid-mapfiles andmap users

carcassi

Better command line interfaces (feel like Unixcommands)

carcassi

Release 05 - 2004-05-20

Type Changes By

GUMS in production at BNL carcassi

NISMapperretrieves the GECOS field andmatches with certificate CN

carcassi

Architecture to allow different type ofmappings for different hosts

carcassi

Release undetermined - before March 2004

1 7 C H A N G E S 68

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Page 66: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

1 5 F A Q 61

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

16 Troubleshooting FAQ

Troubleshooting FAQ

General tips

Access problems

General tips

1 6 T R O U B L E S H O O T I N G F A Q 62

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Access problems

GUMS encountered an errorError Type govbnlgumsadminAuthorizationDeniedExceptionError Message Authorization denied

VDT_LOCATIONapachelogs[Tue Jun 07 150245 2005] [error] Certificate Verification Error (20) unableto get local issuer certificate

1 6 T R O U B L E S H O O T I N G F A Q 63

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

17 Changes

Release History

Version       Date
1.1.0         2005-07-20
1.0.1         2005-04-07
1.0.0         2005-03-16
0.7.1         2005-02-01
0.7           2005-01-14
0.6.1         2004-08-10
0.6           2004-07-01
0.5           2004-05-20
undetermined  before March 2004

Release 1.1.0 - 2005-07-20

Changes (By)

- Review GUMS maven structure (i.e. plug-in dependencies, project.xml) (carcassi)
- Fix tomcat deployment in build (i.e. dev server being down once in a while) (carcassi)
- Mapping according to the GECOS field, available in both NIS and LDAP (carcassi)
- One can filter on the full CN of a host certificate (carcassi)
- The Service Certificate DN is now the identifier for hosts and machines (carcassi)
- Release version in command line (carcassi)
- If gums.config isn't found the first time, a tomcat restart was needed (carcassi)
- Minor updates to the web interface (carcassi)
- VOMS Admin v1.0.x (gLite) compatibility (carcassi)
- Support for mapfile cache terminated; web service door only (carcassi)
- FQAN allows for '-', '_' and similar characters in the VO, group, role and capability (carcassi)
- DB reviewed: better indexing and transaction use (carcassi)
- Updating from VOMS is no longer blocking (carcassi)

Release 1.0.1 - 2005-04-07

Changes (By)

- Including setupDatabase with the modification made for VDT (carcassi)
- gums-client rpm now obsoletes gums-host and gums-admin (no need to remove package) (carcassi)
- Error code from scripts was incorrect; that caused the cron job to update maps in case of error too (carcassi)

Release 1.0.0 - 2005-03-16

Changes (By)

- Repackaging of the client components: merged admin and host and named it client (carcassi)
- Fixed minor issues with authorization obligations for storage system (mlorch)
- Double add to a manual group now fails (carcassi)
- Script that creates the database and changes the configuration accordingly (carcassi)
- Repackaging of the service component (carcassi)
- Server identity is now the GUMS host name (carcassi)
- GUMS accepts new-style proxies (carcassi)
- The accounts in the pool are used in alphabetical order (carcassi)
- Inverse map is now generated exploring all the DN/FQAN combinations (carcassi)
- Grid-mapfile is generated simulating users with no FQAN (carcassi)
- LDAP integration for primary gid change at BNL once an account is assigned (carcassi)

Release 0.7.1 - 2005-02-01

Changes (By)

- Log names reviewed so that both client and server logs can stay (through links) in the same directory (carcassi)
- NIS update is done every hour and is now thread safe (carcassi)
- Log file permissions for the command line tools are set so multiple users can use them (important for admin) (carcassi)
- GUMS host can now be used for stress testing and timing the server response (carcassi)
- Added connection pooling on mysql server (carcassi)
- Solved a race condition that would make GUMS hang in some circumstances (carcassi)
- AuthZ callout without GT3: both client and server stubs (mlorch)
- Added code for Privilege Project in GUMS repository and build process (carcassi)

Release 0.7 - 2005-01-14

Changes (By)

- Better logging: server logs all commands with both input and output (carcassi)
- More complete command line interface (carcassi)
- Web service implementation (carcassi)
- HostWildcards can be more than one, comma separated (carcassi)
- Support for VOMS Fully Qualified Attribute Names (carcassi)
- AuthZ service to be contacted by Globus callout (carcassi)
- Support for grid3-user-vo-map.txt generation (carcassi)
- Many, many other refinements (carcassi)

Release 0.6.1 - 2004-08-10

Changes (By)

- Nightly build and reporting with Maven (carcassi)
- Removed all the old code from 0.6 (carcassi)
- Better log system: logs for developer, resource admin and site admin in place (carcassi)
- Ability to retrieve groups from within a VOMS server (finally) (carcassi)
- No more duplication in the mapfiles (carcassi)
- Improved database caching for grid-mapfile: you specify on the server which gatekeeper maps should be generated (carcassi)
- Improved error handling (i.e. a failed update on one group doesn't block the others) (carcassi)
- Installation through RPMs (cron jobs installed automatically) (carcassi)
- Unit tests for Grid3 VOs included (carcassi)
- LDAP access improved: can access LCG dev VO (carcassi)

Release 0.6 - 2004-07-01

Changes (By)

- XML configuration file for mapping policy (carcassi)
- Log infrastructure (carcassi)
- More flexible architecture (carcassi)
- Decoupled grid-mapfile generation from database caching, for distribution on gatekeeper (carcassi)
- Web interface to generate grid-mapfiles and map users (carcassi)
- Better command line interfaces (feel like Unix commands) (carcassi)

Release 0.5 - 2004-05-20

Changes (By)

- GUMS in production at BNL (carcassi)
- NISMapper retrieves the GECOS field and matches it with the certificate CN (carcassi)
- Architecture to allow different types of mappings for different hosts (carcassi)

Release undetermined - before March 2004

Changes (By)

- Script to fetch user from VOMS (dtyu)
- Script to map user to local account (tomw)


carcassi

Unit tests to Grid3 VOs included carcassi

LDAP access improved can access LCG devVO

carcassi

Release 06 - 2004-07-01

Type Changes By

XML configuration file for mapping policy carcassi

Log infrastructure carcassi

More flexible architecture carcassi

Decoupled grid-mapfile generation fromdatabase caching for distribution ongatekeeper

carcassi

Web interface to generate grid-mapfiles andmap users

carcassi

Better command line interfaces (feel like Unixcommands)

carcassi

Release 05 - 2004-05-20

Type Changes By

GUMS in production at BNL carcassi

NISMapperretrieves the GECOS field andmatches with certificate CN

carcassi

Architecture to allow different type ofmappings for different hosts

carcassi

Release undetermined - before March 2004

1 7 C H A N G E S 68

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D

Page 74: Grid User Management System v.1.1 · Grid User Management System v.1.1.0 Project Documentation..... Brookhaven National Laboratory 21 July 2005 01:32 EDT

Type Changes By

Script to fetch user from VOMS dtyu

Script to map user to local account tomw

1 7 C H A N G E S 69

copy 2 0 0 3 B R O O K H A V E N N A T I O N A L L A B O R A T O R Y bull A L L R I G H T S R E S E R V E D