Adding a VO to a VOMS server

From PDP/Grid Wiki

Latest revision as of 09:37, 24 July 2009

Unfortunately, there is no (officially) released version of Yaim for the configuration of a VOMS server, so the poor admin has to resort to developer-style configuration via various XML files. At least there is documentation on how to configure a VOMS server:

  • voms-installation-configuration-guide.pdf: https://edms.cern.ch/file/974982/1/voms-installation-configuration-guide.pdf
  • voms-admin-user-guide.pdf: https://edms.cern.ch/file/974094/1/voms-admin-user-guide.pdf

However, the documentation focuses on the situation where a local database is used, and the configuration scripts that turn it into practice make the same assumption, so a remote database requires some workaround.

This guide is a collection of notes gathered during a day of trial-and-error attempting to configure a new VO on a VOMS server that uses a remote database host, and to set up the voms-admin web interface.

Disclaimer: these notes still need verification. Steps may be missing, redundant or incorrect; your mileage may vary.


1) Add new VO definitions to VOMS server

As root at the VOMS server, edit /opt/glite/etc/config/vo-list.cfg.xml. Copy an existing VO definition (between the tags <vo> ... </vo>) and change at least the following parameters:

  • vo.name: Name of the VO
  • voms.port.number: Unique port at which the VOMS server listens
  • voms.db.name: Name of the database
  • voms.db.user.name: User name for the VO's database
  • voms.db.user.password: Password for DB

2) Create database for the new VO

As root at the remote database server, log in to the MySQL database. First create the database:

CREATE DATABASE <voms.db.name>;

Then grant access rights to this database for the VOMS database user:

GRANT ALL PRIVILEGES ON <voms.db.name>.* TO '<voms.db.user.name>'@'localhost' \
    IDENTIFIED BY '<voms.db.user.password>';
GRANT ALL PRIVILEGES ON <voms.db.name>.* TO '<voms.db.user.name>'@'<VOMS-server>' \
    IDENTIFIED BY '<voms.db.user.password>';

3) Configure and start gLite VOMS server for the new VO

Log in as root at the VOMS host. To configure (for all VOs unless --vo is specified):

/opt/glite/etc/config/scripts/glite-voms-server-config.py [--vo <vo.name>] --configure

Sadly, (at least) one of the configuration scripts is not smart enough to configure a remote database server. To work around this problem, edit the file /opt/glite/etc/voms/<vo.name>/voms.conf and add the line

--contactstring=<voms.db.host>

Note that this has to be repeated every time a VO is reconfigured!
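Because the line is lost on every reconfiguration, it is worth scripting. The following POSIX shell helper is an added example, not part of the wiki page or of gLite: it re-applies the --contactstring line idempotently (adding it, or correcting a stale host) and lists VOs whose voms.conf lacks it. It assumes the voms.conf location used above and one option per line; VOMS_ETC is overridable so it can be tried on a scratch directory.

```shell
#!/bin/sh
# Added example (not from the wiki page): keep --contactstring=<voms.db.host>
# present in /opt/glite/etc/voms/<vo.name>/voms.conf after each reconfiguration.
# Assumption: one option per line in voms.conf; VOMS_ETC overridable for testing.
VOMS_ETC="${VOMS_ETC:-/opt/glite/etc/voms}"

# ensure_contactstring VO DBHOST
# Adds or corrects "--contactstring=DBHOST" in the VO's voms.conf.
# Prints "added", "updated" or "ok"; returns 1 if voms.conf does not exist.
ensure_contactstring() {
    [ $# -eq 2 ] || { echo "usage: ensure_contactstring VO DBHOST" >&2; return 2; }
    vo=$1; dbhost=$2
    conf="$VOMS_ETC/$vo/voms.conf"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    if grep -q "^--contactstring=" "$conf"; then
        if grep -qxF -- "--contactstring=$dbhost" "$conf"; then
            echo ok
        else
            # A stale host would send the VO's DB credentials to the wrong server:
            # drop every old contactstring line and append the right one.
            tmp="$conf.tmp.$$"
            grep -v "^--contactstring=" "$conf" > "$tmp"
            printf '%s\n' "--contactstring=$dbhost" >> "$tmp"
            mv "$tmp" "$conf"
            echo updated
        fi
    else
        printf '%s\n' "--contactstring=$dbhost" >> "$conf"
        echo added
    fi
}

# vos_without_contactstring
# Prints the name of every VO under VOMS_ETC whose voms.conf has no contactstring,
# i.e. the VOs that will fall back to a local database at the next start.
vos_without_contactstring() {
    for d in "$VOMS_ETC"/*/; do
        [ -f "$d/voms.conf" ] || continue
        grep -q "^--contactstring=" "$d/voms.conf" || basename "$d"
    done
}
```

Run `ensure_contactstring <vo.name> <voms.db.host>` after every `--configure`, and `vos_without_contactstring` before starting the servers to catch a VO that was missed.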

Before the server can be started, the necessary database tables must be populated, or you shall be punished with a segfault. As root at the VOMS host:

/opt/glite/sbin/voms-db-deploy.py deploy --vo <vo.name>

To start the server (for all VOs unless --vo is specified):

/opt/glite/etc/config/scripts/glite-voms-server-config.py [--vo <vo.name>] --start

4) Enable gridmap generation

Again, as root at the VOMS host. Set the environment:

. /etc/glite/profile.d/glite_setenv.sh

Enable access:

voms-admin --vo=<vo.name> --nousercert add-ACL-entry /<vo.name> ANYONE VOMS_CA \
    'CONTAINER_READ,MEMBERSHIP_READ' TRUE

5) Add a VO administrator

As root at the VOMS host:

/opt/glite/sbin/voms-db-deploy.py add-admin --vo <vo.name> --cert </path/to/users/grid/cert.pem>

With a bit of luck, you may be able to access the VOMS web interface: https://<voms.host>:8443/<vo.name>/