Difference between revisions of "Adding a VO to a VOMS server"
Revision as of 13:27, 17 July 2009
Unfortunately, there is no (officially) released version of Yaim for the configuration of a VOMS server, so the poor admin has to resort to developer-style configuration via various XML files. At least there is documentation on how to configure a VOMS server:
* https://edms.cern.ch/file/974982/1/voms-installation-configuration-guide.pdf (voms-installation-configuration-guide.pdf)
* https://edms.cern.ch/file/974094/1/voms-admin-user-guide.pdf (voms-admin-user-guide.pdf)
However, the documentation focuses on the situation where a local database is used, and the configuration scripts assume the same, which is what makes the remote-database setup below awkward.
Disclaimer: the notes below were collected during a day of trial-and-error and need to be verified. Steps may be missing, redundant or incorrect; your mileage may vary.
1) Add new VO definitions to VOMS server
As root at the VOMS server, edit /opt/glite/etc/config/vo-list.cfg.xml
Copy an existing VO definition (between tags <vo> ... </vo>).
Change at least the following parameters:
  vo.name                 Name of the VO
  voms.port.number        Unique port at which the VOMS server listens (no two VOs may share a port)
  voms.db.name            Name of the database
  voms.db.user.name       User name for the VO's database
  voms.db.user.password   Password for DB
The file now holds the database password in clear text, so keep it owned by root with mode 0600.
2) Create database for the new VO
As root at the remote database server, log in to the MySQL database.
First create the database:
create database <voms.db.name>;
Then grant access rights to this database for the VOMS database user:
grant all privileges on <voms.db.name>.* to '<voms.db.user.name>'@'localhost' IDENTIFIED BY '<voms.db.user.password>';
grant all privileges on <voms.db.name>.* to '<voms.db.user.name>'@'<VOMS-server>' IDENTIFIED BY '<voms.db.user.password>';
Both grants are scoped to the VO's own database, so this user cannot touch other VOs' tables. The 'localhost' entry only matters if the VOMS server runs on the database host itself; with a remote database only the '<VOMS-server>' entry is needed (use the host name as MySQL sees the connecting client, or the grant will not match). Give each VO its own database user and password so that one leaked vo-list.cfg.xml entry exposes one database only.
3) Configure and start gLite VOMS server for the new VO
Log in as root at the VOMS host. To configure (for all VOs unless --vo is specified):
/opt/glite/etc/config/scripts/glite-voms-server-config.py [--vo <vo.name>] --configure
Sadly, (at least) one of the configuration scripts is not smart enough to configure a remote database server. To work around this problem, edit the file /opt/glite/etc/voms/<vo.name>/voms.conf and add the line
--contactstring=<voms.db.host>
(note that this has to be repeated every time a VO is reconfigured)!
Before the server can be started, the necessary database tables must be populated, or you shall be punished with a segfault. As root at the VOMS host:
/opt/glite/sbin/voms-db-deploy.py deploy --vo <vo.name>
To start the server (for all VOs unless --vo is specified):
/opt/glite/etc/config/scripts/glite-voms-server-config.py [--vo <vo.name>] --start
4) Enable gridmap generation
Again, as root at the VOMS host. Set the environment:
. /etc/glite/profile.d/glite_setenv.sh
Enable access:
voms-admin --vo=<vo.name> --nousercert add-ACL-entry /<vo.name> ANYONE VOMS_CA 'CONTAINER_READ,MEMBERSHIP_READ' TRUE
This ACL entry lets any client that authenticates to the VOMS server (in practice, any holder of a certificate from a CA the server trusts) read the VO's groups and membership list. That is exactly what the sites' gridmap generation needs, but it also means the member DNs are visible to every such certificate holder, not only to VO members. The final TRUE propagates the entry to the VO's subgroups.
5) Adding a VO administrator:
As root at the VOMS host:
/opt/glite/sbin/voms-db-deploy.py add-admin --vo <vo.name> --cert </path/to/users/grid/cert.pem>
With a bit of luck, you may be able to access the VOMS web interface: https://<voms.host>:8443/<vo.name>/
Port 8443 is the HTTPS port and voms-admin authenticates clients by certificate, so the browser must present a client certificate; administrative actions require the one registered with add-admin above.
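The five steps above, wrapped into one POSIX shell helper. This is an added example and not part of the wiki page or of the gLite/VOMS distribution: the script paths and commands are the ones the page lists, while the function names, the password policy (alphanumeric only, so nothing needs XML or SQL escaping) and the assumption that every configured VO's voms.conf carries a "--port=NNNN" line are this example's own. It makes the --contactstring workaround idempotent so it can be rerun after every --configure, keeps the database tables deployed before the server is started, and refuses to build SQL from values that would need quoting.

```shell
#!/bin/sh
# Added helper script (not part of the wiki page or of gLite/VOMS): wraps the
# five steps above for one VO.  Script paths and commands come from the page;
# function names, the password policy and the "--port=" assumption are ours.
set -eu

GLITE_CFG=/opt/glite/etc/config   # config scripts and vo-list.cfg.xml (page)
VOMS_ETC=/opt/glite/etc/voms      # per-VO voms.conf lives in $VOMS_ETC/<vo>/ (page)

# only_chars VALUE CHARCLASS: succeed if VALUE is non-empty and consists only
# of characters from CHARCLASS (a bracket-expression body such as A-Za-z0-9).
only_chars() {
    case "$1" in
        '')        return 1 ;;
        *[!$2]*)   return 1 ;;
        *)         return 0 ;;
    esac
}

# Step 1: generate the value for voms.db.user.password.  Restricting it to
# [A-Za-z0-9] means it can be pasted into vo-list.cfg.xml and into the GRANT
# statement below without any XML or SQL escaping.
gen_db_password() {   # gen_db_password [LENGTH]   (default 24)
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-24}"
}

# Step 1 check: the page requires a unique port per VO.  Assumption of this
# example: every already-configured VO has $VOMS_ETC/<vo>/voms.conf with a
# "--port=NNNN" line.  Succeeds if PORT is already taken by some VO.
port_taken() {   # port_taken PORT [VOMS_ETC_DIR]
    grep -qs "^--port=$1\$" "${2:-$VOMS_ETC}"/*/voms.conf
}

# Step 2: print the SQL to run as root on the database host.  Every value is
# validated first, so nothing that would need quoting ever reaches MySQL.
# The grant is limited to the VO's own database and to the VOMS host; the
# page's extra 'user'@'localhost' grant is only needed when VOMS and MySQL
# share a host.  (GRANT ... IDENTIFIED BY is the MySQL 5.x syntax the page uses.)
grant_sql() {   # grant_sql DBNAME DBUSER DBPASS VOMS_HOST
    only_chars "$1" 'A-Za-z0-9_' && only_chars "$2" 'A-Za-z0-9_' &&
    only_chars "$3" 'A-Za-z0-9'  && only_chars "$4" 'A-Za-z0-9.-' ||
        { echo "grant_sql: refusing a value that would need SQL escaping" >&2; return 1; }
    printf 'CREATE DATABASE IF NOT EXISTS `%s`;\n' "$1"
    printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" "$1" "$2" "$4" "$3"
    printf 'FLUSH PRIVILEGES;\n'
}

# Step 3 workaround, made idempotent: drop any existing --contactstring line
# from the VO's voms.conf and append the remote DB host, so this can be rerun
# after every --configure without accumulating duplicate or stale lines.
ensure_contactstring() {   # ensure_contactstring VOMS_CONF DB_HOST
    sed -i '/^--contactstring=/d' "$1"        # GNU sed, as on the SL hosts gLite targets
    printf -- '--contactstring=%s\n' "$2" >> "$1"
}

# Steps 3 to 5 on the VOMS host, in the order the page requires: configure,
# fix voms.conf, deploy the DB tables *before* starting, start, open the
# membership ACL for gridmap generation, register the first VO admin.
add_vo() {   # add_vo VO_NAME DB_HOST ADMIN_CERT_PEM
    vo=$1 dbhost=$2 admincert=$3
    "$GLITE_CFG/scripts/glite-voms-server-config.py" --vo "$vo" --configure
    ensure_contactstring "$VOMS_ETC/$vo/voms.conf" "$dbhost"
    /opt/glite/sbin/voms-db-deploy.py deploy --vo "$vo"
    "$GLITE_CFG/scripts/glite-voms-server-config.py" --vo "$vo" --start
    . /etc/glite/profile.d/glite_setenv.sh
    voms-admin --vo="$vo" --nousercert add-ACL-entry "/$vo" ANYONE VOMS_CA \
        'CONTAINER_READ,MEMBERSHIP_READ' TRUE
    /opt/glite/sbin/voms-db-deploy.py add-admin --vo "$vo" --cert "$admincert"
}

# Usage (step 1 is still a manual edit of vo-list.cfg.xml):
#   pw=$(gen_db_password); port_taken 15010 && echo "port 15010 already in use"
#   grant_sql myvo_db myvo_dbuser "$pw" voms.example.org | mysql -u root -p   # on the DB host
#   add_vo myvo db.example.org /root/admin-cert.pem                          # on the VOMS host
```

The host names, VO name and certificate path in the usage comment are placeholders. Source the file (`. ./voms-add-vo.sh`) rather than running it, so the functions can be called one at a time and the SQL reviewed before it is piped into mysql.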