Difference between revisions of "Adding a VO to a VOMS server"
Latest revision as of 09:37, 24 July 2009
Unfortunately, there is no (officially) released version of Yaim for the configuration of a VOMS server, so the poor admin has to resort to developer-style configuration via various XML files. At least there is documentation on how to configure a VOMS server:
- [https://edms.cern.ch/file/974982/1/voms-installation-configuration-guide.pdf voms-installation-configuration-guide.pdf]
- [https://edms.cern.ch/file/974094/1/voms-admin-user-guide.pdf voms-admin-user-guide.pdf]
However, the documentation focuses on the situation where a local database is used, and some of the configuration scripts assume the same, so a remote database requires a workaround.
This guide is a collection of notes gathered during a day of trial-and-error attempting to configure a new VO on a VOMS server that uses a remote database host, and to set up the voms-admin web interface.
Disclaimer: these notes still need verification. Steps may be missing, redundant or incorrect; your mileage may vary.
1) Add new VO definitions to VOMS server
As root at the VOMS server, edit /opt/glite/etc/config/vo-list.cfg.xml. Copy an existing VO definition (everything between the tags <vo> ... </vo>) and change at least the following parameters:
- vo.name: Name of the VO
- voms.port.number: Unique port at which the VOMS server listens
- voms.db.name: Name of the database
- voms.db.user.name: User name for the VO's database
- voms.db.user.password: Password for DB
2) Create database for the new VO
As root at the remote database server, log in to the MySQL database. First create the database:
CREATE DATABASE <voms.db.name>;
Then grant access rights to this database for the VOMS database user, both for local connections and for connections from the VOMS server host:
GRANT ALL PRIVILEGES ON <voms.db.name>.* TO '<voms.db.user.name>'@'localhost'
    IDENTIFIED BY '<voms.db.user.password>';
GRANT ALL PRIVILEGES ON <voms.db.name>.* TO '<voms.db.user.name>'@'<VOMS-server>'
    IDENTIFIED BY '<voms.db.user.password>';
3) Configure and start gLite VOMS server for the new VO
Log in as root at the VOMS host. To configure (all VOs unless --vo is specified):
/opt/glite/etc/config/scripts/glite-voms-server-config.py [--vo <vo.name>] --configure
Sadly, (at least) one of the configuration scripts is not smart enough to configure a remote database server. To work around this problem, edit the file /opt/glite/etc/voms/<vo.name>/voms.conf and add the line
--contactstring=<voms.db.host>
Note that this has to be repeated every time the VO is reconfigured!
Before the server can be started, the necessary database tables must be populated, or you shall be punished with a segfault. As root at the VOMS host:
/opt/glite/sbin/voms-db-deploy.py deploy --vo <vo.name>
To start the server (all VOs unless --vo is specified):
/opt/glite/etc/config/scripts/glite-voms-server-config.py [--vo <vo.name>] --start
4) Enable gridmap generation
Again, as root at the VOMS host. Set the environment:
. /etc/glite/profile.d/glite_setenv.sh
Enable access:
voms-admin --vo=<vo.name> --nousercert add-ACL-entry /<vo.name> ANYONE VOMS_CA \
    'CONTAINER_READ,MEMBERSHIP_READ' TRUE
5) Add a VO administrator
As root at the VOMS host:
/opt/glite/sbin/voms-db-deploy.py add-admin --vo <vo.name> --cert </path/to/users/grid/cert.pem>
With a bit of luck, you may be able to access the VOMS web interface:
https://<voms.host>:8443/<vo.name>/
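The two fiddly parts of the procedure above are step 2 (the GRANT statements, which must be issued once per VO with the right user, host and password) and step 3 (the --contactstring line, which is lost whenever the VO is reconfigured). The following POSIX shell helpers are an added example and not part of the original wiki page or of the gLite/VOMS tools: voms_db_sql emits the same SQL as step 2 with a VO's values substituted, and ensure_contactstring makes the step-3 workaround idempotent so it can be re-run after every --configure without producing duplicate lines. The path layout /opt/glite/etc/voms/<vo.name>/voms.conf is taken from the page; the host names and credentials used in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example: helpers for steps 2 and 3 of the VOMS remote-database setup.
# Not part of the original page or of gLite; path layout assumed from the page.

# Emit the step-2 SQL for one VO.
# Usage: voms_db_sql <voms.db.name> <voms.db.user.name> <voms.db.user.password> <VOMS-server>
# Grants are issued for 'localhost' and for the VOMS server host only, exactly
# as on the page; no wildcard host is used.
voms_db_sql() {
    db="$1"; user="$2"; pass="$3"; host="$4"
    printf 'CREATE DATABASE %s;\n' "$db"
    for h in localhost "$host"; do
        printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
            "$db" "$user" "$h" "$pass"
    done
}

# Make sure --contactstring=<voms.db.host> is present exactly once in a voms.conf.
# Usage: ensure_contactstring /opt/glite/etc/voms/<vo.name>/voms.conf <voms.db.host>
# Safe to call after every reconfigure: an existing line is updated in place,
# a missing line is appended, and nothing is duplicated.
# (Assumes the host name contains no '|' or '&', which sed would interpret.)
ensure_contactstring() {
    conf="$1"; dbhost="$2"
    [ -f "$conf" ] || return 1
    if grep -q '^--contactstring=' "$conf"; then
        tmp="$conf.tmp.$$"
        sed "s|^--contactstring=.*|--contactstring=$dbhost|" "$conf" > "$tmp" \
            && mv "$tmp" "$conf"
    else
        printf '%s\n' "--contactstring=$dbhost" >> "$conf"
    fi
}

# Number of --contactstring lines in a voms.conf (used to check idempotence).
count_contactstring() {
    grep -c '^--contactstring=' "$1"
}

# Example usage with constructed placeholder values (not real hosts):
#   voms_db_sql testvo testvo_user 'changeme' voms.example.org | mysql -u root -p
#   ensure_contactstring /opt/glite/etc/voms/testvo/voms.conf db.example.org
```

Piping the SQL into the mysql client is shown only as a usage hint; the password is placed in the GRANT statement just as on the page, so keep the generated SQL out of shell history and world-readable files.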