Adding a VO to a VOMS server

From PDP/Grid Wiki
Latest revision as of 09:37, 24 July 2009

Unfortunately, there is no (officially) released version of Yaim for the configuration of a VOMS server, so the poor admin has to resort to developer-style configuration via various XML files. At least there is documentation on how to configure a VOMS server:

However, the documentation focuses on the situation where a local database is used and some scripts take this to the practical level (thus requiring some workaround).

This guide is a collection of notes gathered during a day of trial-and-error attempting to configure a new VO on a VOMS server that uses a remote database host, and to set up the voms-admin web interface.

Disclaimer: these notes still need verification. Steps may be missing, redundant or incorrect; your mileage may vary.


1) Add new VO definitions to VOMS server

As root at the VOMS server, edit /opt/glite/etc/config/vo-list.cfg.xml. Copy an existing VO definition (between the tags <vo> ... </vo>) and change at least the following parameters:

  • vo.name: Name of the VO
  • voms.port.number: Unique port at which the VOMS server listens
  • voms.db.name: Name of the database
  • voms.db.user.name: User name for the VO's database
  • voms.db.user.password: Password for DB

2) Create database for the new VO

As root at the remote database server, log in to the MySQL database. First create the database:

CREATE DATABASE <voms.db.name>;

Then grant access rights to this database for the VOMS database user:

GRANT ALL PRIVILEGES ON <voms.db.name>.* TO '<voms.db.user.name>'@'localhost' \
    IDENTIFIED BY '<voms.db.user.password>';
GRANT ALL PRIVILEGES ON <voms.db.name>.* TO '<voms.db.user.name>'@'<VOMS-server>' \
    IDENTIFIED BY '<voms.db.user.password>';

3) Configure and start gLite VOMS server for the new VO

Log in as root at the VOMS host. To configure (for all VOs unless --vo is specified):

/opt/glite/etc/config/scripts/glite-voms-server-config.py [--vo <vo.name>] --configure

Sadly, (at least) one of the configuration scripts is not smart enough to configure a remote database server. To work around this problem, edit the file /opt/glite/etc/voms/<vo.name>/voms.conf and add the line

--contactstring=<voms.db.host>

(note that this has to be repeated every time the VO is reconfigured!)

Before the server can be started, the necessary database tables must be populated, otherwise the server will segfault on startup. As root at the VOMS host:

/opt/glite/sbin/voms-db-deploy.py deploy --vo <vo.name>

To start the server (for all VOs unless --vo is specified):

/opt/glite/etc/config/scripts/glite-voms-server-config.py [--vo <vo.name>] --start

4) Enable gridmap generation

Again, as root at the VOMS host. Set the environment:

. /etc/glite/profile.d/glite_setenv.sh

Enable access:

voms-admin --vo=<vo.name> --nousercert add-ACL-entry /<vo.name> ANYONE VOMS_CA \
    'CONTAINER_READ,MEMBERSHIP_READ' TRUE

5) Add a VO administrator

As root at the VOMS host:

/opt/glite/sbin/voms-db-deploy.py add-admin --vo <vo.name> --cert </path/to/users/grid/cert.pem>

With a bit of luck, you may be able to access the VOMS web interface: https://<voms.host>:8443/<vo.name>/
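One way to make steps 2 and 3 repeatable, as an added example that is not part of this wiki page or of the gLite tools: a POSIX shell script that generates the step 2 SQL for the database host and re-applies the --contactstring workaround of step 3 without duplicating the line after every --configure. The function names, the VOMS_DB_PASSWORD variable and the optional configuration-root argument are this example's own assumptions; the paths, commands and SQL come from the page.

```shell
#!/bin/sh
# Added example; not taken from the wiki page or the gLite scripts.

# Step 2: print the CREATE/GRANT statements for one VO, to be piped into
# the mysql client on the database host. The password is read from the
# environment (VOMS_DB_PASSWORD, an assumed name) instead of being passed
# as an argument, so it does not land in process listings or history.
# Privileges stay limited to the VO's own database and to the two hosts
# the page grants: localhost and the VOMS server.
voms_db_sql() {
    db=$1 user=$2 vomshost=$3
    [ -n "$VOMS_DB_PASSWORD" ] || { echo "VOMS_DB_PASSWORD not set" >&2; return 1; }
    printf 'CREATE DATABASE %s;\n' "$db"
    for h in localhost "$vomshost"; do
        printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
            "$db" "$user" "$h" "$VOMS_DB_PASSWORD"
    done
}

# Step 3 workaround: make sure voms.conf carries the remote DB contact
# string. Idempotent: an existing line is replaced, not duplicated.
# $1 = vo name, $2 = database host, $3 = optional configuration root
# (defaults to /opt/glite/etc/voms, the path given on the page).
ensure_contactstring() {
    vo=$1 dbhost=$2 root=${3:-/opt/glite/etc/voms}
    conf="$root/$vo/voms.conf"
    [ -f "$conf" ] || { echo "$conf missing: run --configure first" >&2; return 1; }
    if grep -q '^--contactstring=' "$conf"; then
        tmp=$(mktemp) || return 1
        sed "s|^--contactstring=.*|--contactstring=$dbhost|" "$conf" > "$tmp" \
            && mv "$tmp" "$conf"
    else
        echo "--contactstring=$dbhost" >> "$conf"
    fi
}

# Driver for step 3 in the order the page gives: configure, re-add the
# contact string, deploy the tables (avoids the startup segfault), start.
# $1 = vo name, $2 = database host. Not exercised by the test below.
reconfigure_vo() {
    vo=$1 dbhost=$2
    /opt/glite/etc/config/scripts/glite-voms-server-config.py --vo "$vo" --configure \
        && ensure_contactstring "$vo" "$dbhost" \
        && /opt/glite/sbin/voms-db-deploy.py deploy --vo "$vo" \
        && /opt/glite/etc/config/scripts/glite-voms-server-config.py --vo "$vo" --start
}
```

Run voms_db_sql on the VOMS host and transfer its output to the database host, or run it there directly; run reconfigure_vo on the VOMS host as root after the VO has been added to vo-list.cfg.xml.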