Grid User Management System (GUMS)

From SURAgrid
Revision as of 11:43, 29 June 2011

The documentation for GUMS is a bit sketchy. While GUMS is quite useful, there still seems to be some black magic involved in making it work.

Reference

OSG Documentation: Install, Configure, and Manage GUMS

This should be installed on a standalone (virtual) server. GUMS uses port 8443 so it will collide with SRM and/or GRAM4 services if you try to cut corners. It's also a good idea to harden this server and lock down all the ports with iptables, as GUMS essentially controls access to your resource.

Install certs into /etc/grid-security/host{cert,key}.pem and /etc/grid-security/http/http{cert,key}.pem.
Install pacman.

mkdir /usr/local/osg-gums
cd /usr/local/osg-gums
export INSTALL_DIR=/usr/local/osg-gums
pacman -get http://software.grid.iu.edu/osg-1.2:gums
source setup.sh
vdt-post-install
vdt/setup/configure_mysql  --version 5 -root passwd_for_mysql
vdt-ca-manage setupca --location root --url osg
Setting up CA Certificates for VDT installation at '/usr/local/osg-gums'
CA Certificates will be installed into /etc/grid-security/certificates
vdt-control --enable fetch-crl
vdt-control --enable vdt-update-certs
vdt-control --enable vdt-rotate-logs
vdt-control --enable mysql5
vdt-control --enable apache
vdt-control --enable tomcat-55
vdt-control --on

====> RUNNING AS NON-ROOT USER? READ ON. <====
vdt-control --off
Create gums user and gums group with HOME=/usr/local/osg-gums
chown -R gums:gums /usr/local/osg-gums /etc/grid-security/certificates
echo ". /usr/local/osg-gums/setup.sh" > /usr/local/osg-gums/.profile
Edit apache/conf/httpd.conf and apache/conf/extra/httpd-ssl.conf:
  change ServerAdmin to a valid e-mail address.
  change ServerName to the current hostname.
Create /etc/init.d/vdt with
  Start: daemon --user gums vdt-control --on --non-root
  Stop:  su - gums -c "vdt-control --off --non-root"
chkconfig --add vdt; chkconfig vdt on
Edit your firewall rules so that port 8443 is reachable only from your CE and SE.
Consider locking down SSH as well.
Add your DN so you can administer GUMS:
su - gums
cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/scripts

./gums-add-mysql-admin "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"
WARNING: You must have created the database before running this script!
Adding the following DN to the local database:
Certificate DN for administrator: "your DN"
Is this correct? (Enter 'yes' to proceed) yes
Adding the admin:
Enter the root mysql password (or hit enter if you didn't set one up)
Enter password: your mysql password for root

Replace the default config with the OSG config
--or--
create a custom SURAgrid-only config.

cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/config
cp -p gums.config gums.config.sav

Edit gums.config
add a <vomsserver> definition for the TTU SURAgrid VOMS, whose service URL is:
https://voms.hpcc.ttu.edu:8443/voms/suragrid/services
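The firewall step above in working form, as an added example that is not part of the SURAgrid page or of the OSG/GUMS software: a POSIX sh script that emits the iptables ruleset for a standalone GUMS host, letting only the CE and SE reach 8443 and only an admin network reach SSH, with everything else inbound dropped. The addresses 192.0.2.10, 192.0.2.11 and 198.51.100.0/24 are placeholders, as is the RHEL-style `service iptables save`; outbound traffic is left open because fetch-crl, vdt-update-certs and GUMS's own VOMS membership lookups need it.

```shell
#!/bin/sh
# Added example (not from the SURAgrid page or OSG): build the iptables ruleset for a
# standalone GUMS host.  Inbound policy is DROP; only the CE and SE may reach 8443 and
# only the admin network may reach SSH.  OUTPUT is left at ACCEPT because fetch-crl,
# vdt-update-certs and GUMS's VOMS membership lookups need outbound HTTPS.
# All addresses below are placeholders (assumptions); override them in the environment.
CE_HOSTS="${CE_HOSTS:-192.0.2.10}"          # compute element(s), space separated
SE_HOSTS="${SE_HOSTS:-192.0.2.11}"          # storage element(s), space separated
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"   # where administrators ssh from

# Print the ruleset, one iptables command per line, without touching the kernel.
gums_fw_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # GUMS (tomcat on 8443): CE and SE only.  Nothing else on the host is reachable,
    # which also covers tomcat's plain-HTTP port and the local MySQL instance.
    for h in $CE_HOSTS $SE_HOSTS; do
        echo "iptables -A INPUT -p tcp -s $h --dport 8443 -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp -s $ADMIN_NET --dport 22 -j ACCEPT"
    # Log (rate limited) what the DROP policy is about to discard, so a forgotten
    # CE/SE address shows up in the log before jobs start failing authorization.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"gums-fw-drop: \""
}

# Number of source hosts granted access to 8443 (a quick sanity check).
gums_fw_count_8443() {
    gums_fw_rules | grep -c -- '--dport 8443'
}

# Apply the ruleset and persist it (service iptables save is the RHEL/CentOS way).
gums_fw_apply() {
    gums_fw_rules | sh -e && service iptables save
}

case "${1:-show}" in
    apply) gums_fw_apply ;;
    show)  gums_fw_rules ;;
esac
```

Run it without arguments to review the rules, then `CE_HOSTS="..." SE_HOSTS="..." ./gums-fw.sh apply` as root. Keep the ESTABLISHED,RELATED rule above the per-host rules: without it the replies to GUMS's own outbound CRL and VOMS fetches are dropped by the INPUT policy.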

Configuration via Web Interface

Connect to https://yourhost.edu:8443/gums with Firefox, presenting the user certificate whose DN you added with gums-add-mysql-admin above; GUMS only admits registered administrators to the web interface.
Create a local account mapper so you can manually map accounts in GUMS.
 [Click Account Mappers]
 <add>
  Name: localMapper
  Description: Manual Local Account Mapper
  Type: manual
  Persistence Factory: mysql
 <save>
Now add a local user to the mapper.
 [Manual Account Mappings]
 <add>

  DN: some DN
  Account Mapper: localMapper
  Account: username of local account
  <save>

Create a new User Group.
 [UserGroups]
 <add>
  Name: local
  Description: Local Users
  Type: manual
  Persistence Factory: mysql
  Members URI: blank
  Non-members URI: blank

  GUMS Access: read self
  <save>
Add local user to local group.
 [Manual User Group Members]
 <add>
  User group: local
  DN: their DN
  FQAN: blank for now
  email: their email

  <save>
 [Group To Account Mappings]
 <add>
  Name: localGroupToAccountMapping
  Description: Local Group to Account Mapping
  User Group(s): local
  Account Mapper(s): localMapper
  Accounting VO Subgroup: blank
  Accounting VO: blank
  <save>

 [Host To Group Mappings]
  Click <edit> next to the only mapping.
  Hosts: leave as is
  Description: optional
  Group to Account Mapping(s): localGroupToAccountMapping in 2nd pulldown
  <save>
Check the user mapping:
 [Map Account to Grid Identity(s)]
  Enter the username you mapped above.
  <map account>

Check the other direction:
 [Map Grid Identity to Account]
  DN for service: /DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu
  DN for user: their DN
  VOMS FQAN for user: blank for now
  <map user>
  The manual user mapping should show up.
Test SURAgrid VOMS
 [User Groups]
 <add>
  Name: SURAgridGroup
  Description: Group for SURAgrid users from VOMS
  Type: voms
  VOMS Server: SURAgrid
  Remainder URL: blank for now

  Accept non-VOMS certificates: true
  Match VOMS certificate's FQAN as: ignore
  VO/Group: blank
  Role: blank
  GUMS Access: read self
  <save>
 [Account Mappers]
 <add>
  Name: suraPoolMapper
  Description: Map DNs from SURAgrid VOMS to local pool suraNNN accounts
  Type: pool
  Pool Name / Groups: SURA
  Persistence Factory: mysql
  <save>

 [Manage Pool Accounts]
  Account Pool Mapper: suraPoolMapper
  Account Pool: SURA
  Range: sura000-020  # Create these in /etc/passwd, LDAP, NIS, etc
  <add>
 [Group To Account Mappings]
  Name: suraGroupToAccountMapping
  Description: Map SURA Group to Accounts
  User Group(s): SURAgridGroup
  Account Mapper(s): suraPoolMapper
  Accounting VO Subgroup: SURAgrid ???
  Accounting VO: SURAgrid
  <add>
 [Host To Group Mappings]
  <Edit> Group To Account Mapping(s):
  <add> suraGroupToAccountMapping
  <save>

 [Generate Grid-Mapfile]
  this allocates (and persists in MySQL) a pool account for every DN in the group, so create the sura000-sura020 accounts first!
  <generate grid-mapfile>
 [Generate Email-Mapfile]
  shows DN, local username, e-mail
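Pool accounts and the generated grid-mapfile, as an added example that is not part of the SURAgrid page or of GUMS itself: the script creates the sura000-sura020 range the page asks for and checks a grid-mapfile written by GUMS against the local account database, because GUMS will happily hand out a pool account that nobody created on the CE or worker nodes. The group name gridpool and the useradd options are assumptions, and the grid-mapfile lines in demo() are constructed.

```shell
#!/bin/sh
# Added example (not from the SURAgrid page or GUMS): create the pool accounts that
# suraPoolMapper hands out and verify a GUMS-generated grid-mapfile against the
# local account database.  The group "gridpool" and the useradd options are
# assumptions; the grid-mapfile lines in demo() are constructed.

# Print the account names of a pool range: pool_names sura 0 20 -> sura000 .. sura020
pool_names() {
    prefix=$1; i=$2; last=$3
    while [ "$i" -le "$last" ]; do
        printf '%s%03d\n' "$prefix" "$i"
        i=$((i + 1))
    done
}

# Emit the useradd commands for a pool (as root: create_pool sura 0 20 | sh -e).
# Pool accounts never log in interactively, so they get no password and no shell.
create_pool() {
    pool_names "$@" | while read -r acct; do
        echo "useradd -m -g gridpool -s /sbin/nologin -c 'GUMS pool account' $acct"
    done
}

# A grid-mapfile line is  "<DN>" <account> ; print the account of every line.
gridmap_accounts() {
    sed -n 's/^"[^"]*"[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*$/\1/p' "$1"
}

# Verify that every account in a grid-mapfile exists in PASSWD (default
# /etc/passwd).  Prints each missing account; returns 1 if any is missing.
gridmap_check() {
    gm=$1; passwd=${2:-/etc/passwd}; rc=0
    for acct in $(gridmap_accounts "$gm" | sort -u); do
        if ! cut -d: -f1 "$passwd" | grep -qx "$acct"; then
            echo "missing local account: $acct"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on constructed data: sura021 lies outside the pool.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/grid-mapfile" <<'EOF'
"/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432" sura003
"/DC=org/DC=doegrids/OU=People/CN=Example User 000001" sura021
EOF
    # Constructed passwd holding exactly the sura000-sura020 pool.
    pool_names sura 0 20 | awk '{ print $1 ":x:" 1000+NR ":1000::/home/" $1 ":/sbin/nologin" }' > "$tmp/passwd"
    gridmap_check "$tmp/grid-mapfile" "$tmp/passwd"; rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = demo ]; then demo; fi
```

On the real host run `gridmap_check /etc/grid-security/grid-mapfile` after [Generate Grid-Mapfile]; with LDAP or NIS accounts pass `getent passwd > /tmp/passwd` as the second argument instead of relying on /etc/passwd.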

Optional: Simplify the forms for your site

Edit the _form.jsp files in $VDT_LOCATION/tomcat/v55/webapps/gums/.
Preload your Service DN using

value="/DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu" in the <input> HTML tag.

Client Configuration

Clients (CE and SE) are usually configured with the configure-osg command, which reads your config.ini; there, enable GUMS and set gums_host to this server.

The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following (a single line):

globus_mapping /usr/local/osg/prima/lib/libprima_authz_module_scas_gcc32dbg globus_gridmap_callout

The PRIMA callout configuration /etc/grid-security/prima-authz.conf is also created by configure-osg and should contain the following. Note that verifyAC false turns off verification of the VOMS attribute certificate signature, so the FQAN a client presents is taken on trust; set it to true once the SURAgrid VOMS server certificate is installed under /etc/grid-security/vomsdir:

imsContact https://yourgums.edu:8443/gums/services/GUMSAuthorizationServicePort
xacmlContact https://yourgums.edu:8443/gums/services/GUMSXACMLAuthorizationServicePort
issuerCertDir  /etc/grid-security/vomsdir
verifyAC false
serviceCert /etc/grid-security/containercert.pem
serviceKey  /etc/grid-security/containerkey.pem
caCertDir   /usr/local/osg/globus/TRUSTED_CA
logLevel    info
samlSchemaDir /usr/local/osg/prima/etc/opensaml/

Testing

On a CE or SE that will use this GUMS instance for authN/Z, you can test a mapping (gums-host authenticates with that machine's host certificate, so the result is what its Host To Group mapping yields):

gauss# gums-host mapUser -s "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"
