Grid User Management System (GUMS)
Revision as of 11:43, 29 June 2011
The documentation for GUMS is a bit sketchy. While GUMS is quite useful, there still seems to be some black magic involved in making it work.
Reference
OSG Documentation: Install, Configure, and Manage GUMS
This should be installed on a standalone (virtual) server. GUMS uses port 8443 so it will collide with SRM and/or GRAM4 services if you try to cut corners. It's also a good idea to harden this server and lock down all the ports with iptables, as GUMS essentially controls access to your resource.
Install certs into /etc/grid-security/host{cert,key}.pem and /etc/grid-security/http/http{cert,key}.pem.
Install pacman.
mkdir /usr/local/osg-gums
cd /usr/local/osg-gums
export INSTALL_DIR=/usr/local/osg-gums
pacman -get http://software.grid.iu.edu/osg-1.2:gums
source setup.sh
vdt-post-install
vdt/setup/configure_mysql --version 5 -root passwd_for_mysql
vdt-ca-manage setupca --location root --url osg
    Setting up CA Certificates for VDT installation at '/usr/local/osg-gums'
    CA Certificates will be installed into /etc/grid-security/certificates
vdt-control --enable fetch-crl
vdt-control --enable vdt-update-certs
vdt-control --enable vdt-rotate-logs
vdt-control --enable mysql5
vdt-control --enable apache
vdt-control --enable tomcat-55
vdt-control --on

====> RUNNING AS NON-ROOT USER? READ ON. <====
vdt-control --off
Create gums user and gums group with HOME=/usr/local/osg-gums
chown -R gums:gums /usr/local/osg-gums /etc/grid-security/certificates
echo ". /usr/local/osg-gums/setup.sh" > /usr/local/osg-gums/.profile
Edit apache/conf/httpd.conf and apache/conf/extra/httpd-ssl.conf:
    change ServerAdmin to a valid e-mail address.
    change ServerName to the current hostname.
Create /etc/init.d/vdt:
    Start: daemon -u gums vdt-control --on --non-root
    Stop: su - gums -c "vdt-control --off --non-root"
chkconfig vdt on
Edit your firewall rules so that port 8443 only permits your CE and SE.
Consider locking down SSH as well.

Add your DN so you can administer GUMS:
su - gums
cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/scripts
./gums-add-mysql-admin "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"
    WARNING: You must have created the database before running this script!
    Adding the following DN to the local database:
    Certificate DN for administrator: "your DN"
    Is this correct? (Enter 'yes' to proceed) yes
    Adding the admin:
    Enter the root mysql password (or hit enter if you didn't set one up)
    Enter password: your mysql password for root

Replace the default config with the OSG config
--or--
create a custom SURAgrid-only config.

cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/config
cp -p gums.config gums.config.sav
Edit gums.config:
    add a <vomsserver> definition for the TTU VOMS:
    https://voms.hpcc.ttu.edu:8443/voms/suragrid/services
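The firewall step above ("only permit your CE and SE" on 8443, "consider locking down SSH") as a concrete ruleset. This is an added example, not part of the original page or of the OSG/VDT tooling: a POSIX sh script that prints iptables rules for review instead of applying them. The addresses (192.0.2.x, from TEST-NET-1) and the ADMIN_NET default are constructed placeholders for this example; substitute your CE, SE and admin network.

```shell
#!/bin/sh
# gums-fw.sh: print iptables rules that expose GUMS (tcp/8443) only to the CE
# and SE and SSH only to an admin network, dropping everything else on those
# ports. Rules are printed rather than applied so they can be reviewed first:
#   sh gums-fw.sh 192.0.2.10 192.0.2.11 > gums-fw.rules
#   sh gums-fw.rules           # as root, after review
# The addresses are constructed placeholders (TEST-NET-1), not real hosts.

GUMS_PORT=8443
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # who may reach SSH (assumed value)

# Accept a dotted-quad IPv4 address with an optional /prefix. Hostnames are
# rejected on purpose: iptables resolves them once at load time, so a rule
# silently follows whatever DNS answered when the ruleset was loaded.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# One ACCEPT for new connections per allowed source, then a default DROP.
# Usage: port_rules PORT SRC [SRC...]; returns 1 (and prints nothing) if any
# source is not an IPv4 address or CIDR block.
port_rules() {
    port=$1; shift
    for src in "$@"; do
        is_ipv4_cidr "$src" || { echo "port_rules: bad source '$src'" >&2; return 1; }
    done
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -s %s -j ACCEPT\n' "$port" "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Full ruleset: GUMS reachable from the CE/SE given on the command line, SSH
# from the admin network only; established flows are accepted first.
gums_ruleset() {
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    port_rules "$GUMS_PORT" "$@" || return 1
    port_rules 22 "$ADMIN_NET"
}

if [ $# -gt 0 ]; then
    gums_ruleset "$@"
fi
```

The explicit DROP at the end of each port's rules means the restriction holds even if the INPUT chain policy is ACCEPT; the script refuses the whole ruleset if any source is malformed rather than emitting a partial one.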
Configuration via Web Interface
Connect to https://yourhost.edu:8443/gums with Firefox.

Create a local account mapper so you can manually map accounts in GUMS.
[Account Mappers] <add>
    Name: localMapper
    Description: Manual Local Account Mapper
    Type: manual
    Persistence Factory: mysql
<save>

Now add a local user to the mapper.
[Manual Account Mappings] <add>
    DN: some DN
    Account Mapper: localMapper
    Account: username of local account
<save>

Create a new User Group.
[User Groups] <add>
    Name: local
    Description: Local Users
    Type: manual
    Persistence Factory: mysql
    Members URI: blank
    Non-members URI: blank
    GUMS Access: read self
<save>

Add the local user to the local group.
[Manual User Group Members] <add>
    User group: local
    DN: their DN
    FQAN: blank for now
    email: their email
<save>

[Group To Account Mappings] <add>
    Name: localGroupToAccountMapping
    Description: Local Group to Account Mapping
    User Group(s): local
    Account Mapper(s): localMapper
    Accounting VO Subgroup: blank
    Accounting VO: blank
<save>

[Host To Group Mappings] Click <edit> next to the only mapping.
    Hosts: leave as is
    Description: optional
    Group to Account Mapping(s): localGroupToAccountMapping in the 2nd pulldown
<save>

Check the user mapping:
[Map Account to Grid Identity(s)]
    Enter the username you mapped above.
<map account>

Check the other direction:
[Map Grid Identity to Account]
    DN for service: /DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu
    DN for user: their DN
    VOMS FQAN for user: blank for now
<map user>
The manual user mapping should show up.

Test SURAgrid VOMS

[User Groups] <add>
    Name: SURAgridGroup
    Description: Group for SURAgrid users from VOMS
    Type: voms
    VOMS Server: SURAgrid
    Remainder URL: blank for now
    Accept non-VOMS certificates: true
    Match VOMS certificate's FQAN as: ignore
    VO/Group: blank
    Role: blank
    GUMS Access: read self
<save>

[Account Mappers] <add>
    Name: suraPoolMapper
    Description: Map DNs from SURAgrid VOMS to local pool suraNNN accounts
    Type: pool
    Pool Name / Groups: SURA
    Persistence Factory: mysql
<save>

[Manage Pool Accounts]
    Account Pool Mapper: suraPoolMapper
    Account Pool: SURA
    Range: sura000-020    # Create these in /etc/passwd, LDAP, NIS, etc.
<add>

[Group To Account Mappings]
    Name: suraGroupToAccountMapping
    Description: Map SURA Group to Accounts
    User Group(s): SURAgridGroup
    Account Mapper(s): suraPoolMapper
    Accounting VO Subgroup: SURAgrid ???
    Accounting VO: SURAgrid
<add>

[Host To Group Mappings] <Edit>
    Group To Account Mapping(s): <add> suraGroupToAccountMapping
<save>

[Generate Grid-Mapfile] will assign pool accounts!
<generate grid-mapfile>

[Generate Email-Mapfile] shows DN, local username, e-mail.
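The pool-account step above leaves "create these in /etc/passwd, LDAP, NIS, etc." to the reader. As an added example (not from the original page or from GUMS itself), the script below expands a range written exactly as it is typed into the GUMS form (sura000-020) into the account names GUMS will hand out and prints the useradd commands that create them, so the names on the CE match what GUMS maps to. The group name and GECOS text are constructed for this example.

```shell
#!/bin/sh
# pool-accounts.sh: expand a GUMS pool range such as "sura000-020" into the
# account names GUMS will assign, and print the useradd commands that create
# them. Output is printed, not executed, so it can be checked before running as
# root on every host that must know these accounts (CE, SE, worker nodes):
#   sh pool-accounts.sh sura000-020 > mk-pool.sh && sh mk-pool.sh
# The group name and GECOS text are constructed for this example.

POOL_GROUP="${POOL_GROUP:-sura}"

# Usage: expand_range PREFIXnnn-mmm. Prints one account name per line, keeping
# the zero padding of the first number. Returns 1 on a malformed range or when
# the end is below the start (an empty pool would silently map nobody).
expand_range() {
    range=$1
    printf '%s\n' "$range" | grep -Eq '^[^0-9]+[0-9]+-[0-9]+$' || return 1
    prefix=$(printf '%s\n' "$range" | sed -E 's/^([^0-9]+)([0-9]+)-([0-9]+)$/\1/')
    start=$(printf '%s\n' "$range" | sed -E 's/^([^0-9]+)([0-9]+)-([0-9]+)$/\2/')
    end=$(printf '%s\n' "$range" | sed -E 's/^([^0-9]+)([0-9]+)-([0-9]+)$/\3/')
    width=${#start}
    # strip leading zeros so the shell does not read 020 as octal
    s=$(printf '%s\n' "$start" | sed 's/^0*//'); s=${s:-0}
    e=$(printf '%s\n' "$end" | sed 's/^0*//'); e=${e:-0}
    [ "$e" -ge "$s" ] || return 1
    fmt="%s%0${width}d\n"
    i=$s
    while [ "$i" -le "$e" ]; do
        printf "$fmt" "$prefix" "$i"
        i=$((i + 1))
    done
}

# Print one useradd line per pool account. Pool accounts are job identities,
# not people: useradd leaves the password locked, and they share one primary
# group so local tooling can tell them apart from real users.
useradd_commands() {
    names=$(expand_range "$1") || return 1
    printf 'getent group %s >/dev/null || groupadd %s\n' "$POOL_GROUP" "$POOL_GROUP"
    for n in $names; do
        printf 'useradd -g %s -c "GUMS pool account" %s\n' "$POOL_GROUP" "$n"
    done
}

if [ $# -gt 0 ]; then
    useradd_commands "$1"
fi
```

If the accounts live in LDAP or NIS instead, feed the output of expand_range to that system's provisioning; the point is that the exact names GUMS derives from the range must exist with consistent UIDs on every host that enforces the mapping.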
Optional: Simplify the forms for your site
Edit the _form.jsp files in $VDT_LOCATION/tomcat/v55/webapps/gums/. Preload your Service DN using
value="/DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu" in the <input> HTML tag.
Client Configuration
Clients are usually configured with the configure-osg command, which reads your config.ini file, in which GUMS is enabled and gums_host is defined.
The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following:
globus_mapping /usr/local/osg/prima/lib/libprima_authz_module_scas_gcc32dbg globus_gridmap_callout
The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following:
imsContact https://yourgums.edu:8443/gums/services/GUMSAuthorizationServicePort
xacmlContact https://yourgums.edu:8443/gums/services/GUMSXACMLAuthorizationServicePort
issuerCertDir /etc/grid-security/vomsdir
verifyAC false
serviceCert /etc/grid-security/containercert.pem
serviceKey /etc/grid-security/containerkey.pem
caCertDir /usr/local/osg/globus/TRUSTED_CA
logLevel info
samlSchemaDir /usr/local/osg/prima/etc/opensaml/
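The callout configuration above is what lets a CE hand its authorization decisions to GUMS, so it is worth checking before the CE starts trusting it. The script below is an added example, not part of the original page or of the OSG PRIMA distribution: it parses the key/value format shown, requires both GUMS contacts to be https:// URLs, checks that serviceCert, serviceKey and caCertDir exist, and flags a service key readable by group or others. The make_sample_conf helper writes a constructed copy of the config and empty placeholder cert/key files into a temporary directory so the checker can be exercised offline.

```shell
#!/bin/sh
# check-prima-conf.sh: sanity-check a PRIMA callout configuration like the one
# above before a CE starts trusting it. Checks: both GUMS contacts use https,
# serviceCert/serviceKey/caCertDir exist, and the service key is readable by
# its owner only.  Usage: sh check-prima-conf.sh /etc/grid-security/gsi-authz.conf
# The sample config and key written by make_sample_conf are constructed for
# this example and placed in a temporary directory.

# Print the value of KEY from FILE (first token after the key name).
conf_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Return 0 if FILE is readable by nobody but its owner (group/other bits clear).
owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Check FILE; print one line per problem, return the number of problems (0 = ok).
check_prima_conf() {
    conf=$1
    problems=0
    for key in imsContact xacmlContact; do
        url=$(conf_get "$conf" "$key")
        case "$url" in
            https://*) ;;
            *) echo "$key: not an https:// URL: '$url'"; problems=$((problems + 1)) ;;
        esac
    done
    for key in serviceCert serviceKey; do
        f=$(conf_get "$conf" "$key")
        [ -f "$f" ] || { echo "$key: missing file '$f'"; problems=$((problems + 1)); }
    done
    d=$(conf_get "$conf" caCertDir)
    [ -d "$d" ] || { echo "caCertDir: missing directory '$d'"; problems=$((problems + 1)); }
    skey=$(conf_get "$conf" serviceKey)
    if [ -f "$skey" ] && ! owner_only "$skey"; then
        echo "serviceKey: '$skey' is readable by group/others"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Build a constructed sample in a temp dir: valid as written, so a caller can
# break one thing at a time and watch the checker catch it. Prints the config path.
make_sample_conf() {
    dir=$(mktemp -d)
    : > "$dir/containercert.pem"
    : > "$dir/containerkey.pem"
    chmod 600 "$dir/containerkey.pem"
    mkdir -p "$dir/TRUSTED_CA"
    cat > "$dir/gsi-authz.conf" <<EOF
imsContact https://yourgums.edu:8443/gums/services/GUMSAuthorizationServicePort
xacmlContact https://yourgums.edu:8443/gums/services/GUMSXACMLAuthorizationServicePort
issuerCertDir $dir/vomsdir
verifyAC false
serviceCert $dir/containercert.pem
serviceKey $dir/containerkey.pem
caCertDir $dir/TRUSTED_CA
logLevel info
EOF
    printf '%s\n' "$dir/gsi-authz.conf"
}

if [ $# -gt 0 ]; then
    check_prima_conf "$1"
fi
```

The exit status is the problem count, so the check drops straight into a deployment script (`check_prima_conf /etc/grid-security/gsi-authz.conf || exit`). A plain http:// contact would send the CE's authorization queries to GUMS unauthenticated, and a group-readable container key is the CE's service identity, which is why those two are treated as errors rather than warnings.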
Testing
On a different system on which you're going to use this GUMS instance for authN/Z, you can test a mapping:
gauss# gums-host mapUser -s "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"