Adding a VO to a VOMS server

From PDP/Grid Wiki
Revision as of 10:37, 24 July 2009 by Ronalds@nikhef.nl (talk | contribs) (→‎5) Add a VO administrator)

Unfortunately, there is no (officially) released version of Yaim for the configuration of a VOMS server, so the poor admin has to resort to developer-style configuration via various XML files. At least there is documentation on how to configure a VOMS server:

However, the documentation focuses on the case where the database runs on the VOMS host itself, and some of the configuration scripts assume the same, so a remote database host needs a workaround.

This guide is a collection of notes gathered during a day of trial-and-error attempting to configure a new VO on a VOMS server that uses a remote database host, and to set up the voms-admin web interface.

Disclaimer: these notes still need verification. Steps may be missing, redundant or incorrect; your mileage may vary.


1) Add new VO definitions to VOMS server

As root at the VOMS server, edit /opt/glite/etc/config/vo-list.cfg.xml. Copy an existing VO definition (between the <vo> ... </vo> tags) and change at least the following parameters:

  • vo.name: Name of the VO
  • voms.port.number: Port on which the VOMS daemon for this VO listens; must be unique among the VOs on this host
  • voms.db.name: Name of the database
  • voms.db.user.name: User name for the VO's database
  • voms.db.user.password: Password of that database user (it is stored in clear text in this file, so keep the file readable by root only)

2) Create database for the new VO

As root at the remote database server, log in to the MySQL database. First create the database:

CREATE DATABASE <voms.db.name>;

Then grant access rights to this database for the VOMS database user. The 'localhost' entry only serves clients running on the database host itself; the VOMS host matches the second entry, so <VOMS-server> must be the name MySQL resolves for the connecting address. (GRANT ... IDENTIFIED BY creates the user as a side effect on MySQL 5.x; MySQL 8 requires a separate CREATE USER first.)

GRANT ALL PRIVILEGES ON <voms.db.name>.* TO '<voms.db.user.name>'@'localhost' \
    IDENTIFIED BY '<voms.db.user.password>';
GRANT ALL PRIVILEGES ON <voms.db.name>.* TO '<voms.db.user.name>'@'<VOMS-server>' \
    IDENTIFIED BY '<voms.db.user.password>';

3) Configure and start gLite VOMS server for the new VO

Log in as root at the VOMS host. To configure (for all VOs unless --vo is specified):

/opt/glite/etc/config/scripts/glite-voms-server-config.py [--vo <vo.name>] --configure

Sadly, (at least) one of the configuration scripts does not know how to configure a remote database host. To work around this problem, edit the file /opt/glite/etc/voms/<vo.name>/voms.conf and add the line

--contactstring=<voms.db.host>

(note that this has to be repeated every time the VO is reconfigured, because the configuration script regenerates voms.conf without it)!

Before the server can be started, the database tables must be populated; otherwise the voms daemon segfaults at startup. As root at the VOMS host:

/opt/glite/sbin/voms-db-deploy.py deploy --vo <vo.name>

To start the server (for all VOs unless --vo is specified):

/opt/glite/etc/config/scripts/glite-voms-server-config.py [--vo <vo.name>] --start

4) Enable gridmap generation

Again as root at the VOMS host, set the environment:

. /etc/glite/profile.d/glite_setenv.sh

Grant read access to the group container and the membership list to any client (the ANYONE principal); this is what gridmap-file generation needs, and ANYONE should get nothing beyond these two read permissions:

voms-admin --vo=<vo.name> --nousercert add-ACL-entry /<vo.name> ANYONE VOMS_CA \ 
    'CONTAINER_READ,MEMBERSHIP_READ' TRUE

5) Add a VO administrator

As root at the VOMS host:

/opt/glite/sbin/voms-db-deploy.py add-admin --vo <vo.name> --cert </path/to/users/grid/cert.pem>

With a bit of luck, you can now reach the VOMS web interface at https://<voms.host>:8443/<vo.name>/ ; for administrative operations the browser has to present the same certificate that was registered in step 5.
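The five steps above as one shell script, written as an added example for this page (it is not part of the original notes or of gLite). It assumes a VO named example.vo, a VOMS host voms.example.org, a database host db.example.org and the gLite paths quoted above; all of these are assumptions, not values from the page. grant_sql emits the step 2 statements for the database host with the password escaped so it cannot break out of the SQL string literal, ensure_contactstring re-applies the --contactstring workaround without duplicating it on every --configure, and add_vo runs steps 3 to 5 in the order that avoids the startup segfault.

```shell
#!/bin/sh
# Added example for this page (not part of the original notes or of gLite):
# scripted version of steps 2-5 for one VO whose MySQL database lives on a
# remote host. Assumed values: VO example.vo, VOMS host voms.example.org,
# database host db.example.org; the gLite paths are the ones quoted above.
set -eu

VO="${VO:-example.vo}"
VOMS_HOST="${VOMS_HOST:-voms.example.org}"
DB_HOST="${DB_HOST:-db.example.org}"
DB_NAME="${DB_NAME:-voms_example}"
DB_USER="${DB_USER:-voms_example}"
DB_PASS="${DB_PASS:-}"                       # export it; never hard-code it
ADMIN_CERT="${ADMIN_CERT:-/root/vo-admin-cert.pem}"
VOMS_CONF="/opt/glite/etc/voms/$VO/voms.conf"

# Names are interpolated into SQL and into sed/shell commands, so accept only
# the characters MySQL identifiers, host names and VO names need.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Step 2: print the SQL to run as the MySQL administrator ON THE DATABASE HOST:
#   grant_sql "$DB_NAME" "$DB_USER" "$DB_PASS" "$VOMS_HOST" | mysql -u root -p
# Quotes and backslashes in the password are escaped so it cannot break out of
# the string literal. The 'localhost' grant only serves tools run on the
# database host itself; the VOMS host matches the second grant, so that name
# must be the one MySQL resolves for the connecting address. GRANT ... IDENTIFIED
# BY is the MySQL 5.x form used on this page; MySQL 8 needs CREATE USER first.
grant_sql() {
    db="$1" user="$2" voms_host="$4"
    pass=$(printf '%s' "$3" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")
    valid_name "$db" && valid_name "$user" && valid_name "$voms_host" ||
        { echo "grant_sql: refusing unsafe name" >&2; return 1; }
    printf 'CREATE DATABASE IF NOT EXISTS `%s`;\n' "$db"
    for h in localhost "$voms_host"; do
        printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
            "$db" "$user" "$h" "$pass"
    done
    printf "SHOW GRANTS FOR '%s'@'%s';\n" "$user" "$voms_host"   # verify the result
}

# Step 3 workaround: point voms.conf at the remote database. The --configure
# run regenerates the file, so call this after every reconfiguration; repeated
# calls must leave exactly one line, and a stale host name gets replaced.
ensure_contactstring() {
    conf="$1" host="$2"
    valid_name "$host" || return 1
    if grep -q '^--contactstring=' "$conf"; then
        sed "s|^--contactstring=.*|--contactstring=$host|" "$conf" > "$conf.tmp" &&
            mv "$conf.tmp" "$conf"
    else
        printf '%s\n' "--contactstring=$host" >> "$conf"
    fi
}

# How many --contactstring lines a voms.conf has (0 when the file is missing).
contactstring_count() {
    if [ -r "$1" ]; then grep -c '^--contactstring=' "$1" || true; else echo 0; fi
}

# Steps 3-5 on the VOMS host, as root, once the database from step 2 exists.
# Schema deployment comes before --start because the daemon segfaults when the
# tables are missing.
add_vo() {
    valid_name "$VO" || { echo "add_vo: bad VO name '$VO'" >&2; return 1; }
    /opt/glite/etc/config/scripts/glite-voms-server-config.py --vo "$VO" --configure
    ensure_contactstring "$VOMS_CONF" "$DB_HOST"
    /opt/glite/sbin/voms-db-deploy.py deploy --vo "$VO"
    /opt/glite/etc/config/scripts/glite-voms-server-config.py --vo "$VO" --start

    # Step 4: read-only access to the group container and membership list for
    # every client, which is what the gridmap-file tools need; nothing more.
    set +u; . /etc/glite/profile.d/glite_setenv.sh; set -u
    voms-admin --vo="$VO" --nousercert add-ACL-entry "/$VO" ANYONE VOMS_CA \
        'CONTAINER_READ,MEMBERSHIP_READ' TRUE

    # Step 5: the first VO administrator, identified by the certificate in ADMIN_CERT.
    /opt/glite/sbin/voms-db-deploy.py add-admin --vo "$VO" --cert "$ADMIN_CERT"
    echo "done: open https://$VOMS_HOST:8443/$VO/ with the admin certificate loaded"
}

# The real steps only run when asked for explicitly, so the helpers can be
# sourced or tested without touching the system:
#   VO=example.vo DB_HOST=db.example.org sh add-vo.sh run
if [ "${1:-}" = "run" ]; then
    add_vo
fi
```

Run grant_sql on the database host and feed its output to the mysql client there; the trailing SHOW GRANTS shows whether the VOMS host's entry took. On the VOMS host, run the script with the run argument after step 1 has been done by hand, and re-run ensure_contactstring alone whenever the VO is reconfigured.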