Grid User Management System (GUMS)
From SURAgrid
(Difference between revisions)
(→> RUNNING AS NON-ROOT USER? READ ON. <) |
|||
| Line 72: | Line 72: | ||
<tt></tt> | <tt></tt> | ||
| − | == Configuration via Web Interface == | + | == Configuration via Web Interface == |
| + | |||
| + | <tt></tt> | ||
| + | |||
<tt> | <tt> | ||
Connect to https://yourhost.edu:8443/gums with firefox | Connect to https://yourhost.edu:8443/gums with firefox | ||
Create a local account mapper so you can manually map accounts in GUMS. | Create a local account mapper so you can manually map accounts in GUMS. | ||
| − | + | [Click Account Mappers] | |
| − | + | <add> | |
| − | + | Name: localMapper | |
| − | + | Description: Manual Local Account Mapper | |
| − | + | Type: manual | |
| − | + | Persistence Factory: mysql | |
| − | + | <save> | |
Now add a local user to the mapper. | Now add a local user to the mapper. | ||
| − | + | [Manual Account Mappings] | |
| − | + | <add> | |
| − | + | DN: ''some DN'' | |
| − | + | Account Mapper: localMapper | |
| − | + | Account: username of local account | |
| − | + | <save> | |
Create a new User Group. | Create a new User Group. | ||
| − | + | [UserGroups] | |
| − | + | <add> | |
| − | + | Name: local | |
| − | + | Description: Local Users | |
| − | + | Type: manual | |
| − | + | persistence Factory: mysql | |
| − | + | Members URI: ''blank'' | |
| − | + | Non-members URI: ''blank'' | |
| − | + | GUMS Access: read self | |
| − | + | <save> | |
Add local user to local group. | Add local user to local group. | ||
| − | + | [Manual User Group Members] | |
| − | + | <add> | |
| − | + | User group: local | |
| − | + | DN: ''thieir DN'' | |
| − | + | FQAN: ''blank for now'' | |
| − | + | email: ''their email'' | |
| − | + | <save> | |
| − | + | [Group To Account Mappings] | |
| − | + | <add> | |
| − | + | Name: localGroupToAccountMapping | |
| − | + | Description: Local Group to Account Mapping | |
| − | + | User Group(s): local | |
| − | + | Account Mapper(s): localMapper | |
| − | + | Accounting VO Subgroup: ''blank'' | |
| − | + | Accounting VO: ''blank'' | |
| − | + | <save> | |
| − | + | [Host To Group Mappings] | |
| − | + | Click <edit> next to the only mapping. | |
| − | + | Hosts: ''leave as is'' | |
| − | + | Description: ''optional'' | |
| − | + | Group to Account Mapping(s): localGroupToAccountMapping in 2nd pulldown | |
| − | + | <save> | |
Check the user mapping: | Check the user mapping: | ||
| − | + | [Map Account to Grid Identity(s)] | |
| − | + | Enter the username you mapped above. | |
| − | + | <map account> | |
Check the other direction: | Check the other direction: | ||
| − | + | [Map Grid Identity to Account] | |
| − | + | DN for service: /DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu | |
| − | + | DN for user: ''their DN'' | |
| − | + | VOMS FQAN for user: ''blank for now'' | |
| − | + | <map user> | |
| − | + | The manual user mapping show show up. | |
Test SURAgrid VOMS | Test SURAgrid VOMS | ||
| − | + | [User Groups] | |
| − | + | <add> | |
| − | + | Name: SURAgridGroup | |
| − | + | Description: Group for SURAgrid users from VOMS | |
| − | + | Type: voms | |
| − | + | VOMS Server: <font color="red">SURAgrid</font> | |
| − | + | Remainder URL: ''blank for now'' | |
| − | + | Accept non-VOMS certificates: true | |
| − | + | Match VOMS certificate's FQAN as: ignroe | |
| − | + | VO/Group: ''blank'' | |
| − | + | Role: ''blank'' | |
| − | + | GUMS Access: read self | |
| − | + | <save> | |
| − | + | [Account Mappers] | |
| + | <add> | ||
| + | Name: suraPoolMapper | ||
| + | Description: Map DNs from SURAgrid VOMS to local pool suraNNN accounts | ||
| + | Type: pool | ||
| + | Pool Name / Groups: SURA | ||
| + | Persistence Factory: mysql | ||
| + | <save> | ||
| + | |||
| + | [Manage Pool Accounts] | ||
| + | Account Pool Mapper: suraPoolMapper | ||
| + | Account Pool: SURA | ||
| + | Range: sura000-020 # Create these in /etc/passwd, LDAP, NIS, etc | ||
<add> | <add> | ||
| − | + | [Group To Account Mappings] | |
| − | + | Name: suraGroupToAccountMapping | |
| − | + | Description: Map SURA Group to Accounts | |
| − | + | User Group(s): SURAgridGroup | |
| − | + | Account Mapper(s): suraPoolMapper | |
| − | + | Accounting VO Subgroup: <font color="red">SURAgrid ???</font> | |
| + | Accounting VO: <font color="red">SURAgrid</font> | ||
| + | <add> | ||
| + | [Host To Group Mappings] | ||
| + | <Edit> Group To Account Mapping(s): | ||
| + | <add> suraGroupToAccountMapping | ||
| + | <save> | ||
| − | + | [Generate Grid-Mapfile] | |
| − | + | will assign pool accounts! | |
| − | + | <generate grid-mapfile> | |
| − | + | [Generate Email-Mapfile] | |
| − | + | shows DN, local username, e-mail | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
</tt> | </tt> | ||
| − | Optional: Simplify the forms for your site | + | <tt></tt> |
| + | |||
| + | Optional: Simplify the forms for your site | ||
| + | |||
| + | <tt></tt> | ||
<tt> | <tt> | ||
Edit the _form.jsp files in $VDT_LOCATION/tomcat/v55/webapps/gums/. | Edit the _form.jsp files in $VDT_LOCATION/tomcat/v55/webapps/gums/. | ||
Preload your Service DN using | Preload your Service DN using | ||
| − | value="/DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu" | + | value="/DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu" in the <input> HTML tag. </tt> |
| − | in the <input> HTML tag. | + | |
| − | </tt> | + | |
== Client Configuration == | == Client Configuration == | ||
Revision as of 12:45, 29 June 2011
The documentation for GUMS is a bit sketchy. While GUMS is quite useful, there still seems to be some black magic involved in making it work.
Contents |
Reference
OSG Documentation: Install, Configure, and Manage GUMS
This should be installed on a standalone (virtual) server. GUMS uses port 8443 so it will collide with SRM and/or GRAM4 services if you try to cut corners. It's also a good idea to harden this server and lock down all the ports with iptables, as GUMS essentially controls access to your resource.
Install certs into /etc/grid-security/host{cert,key}.pem and /etc/grid-security/http/http{cert,key}.pem.
Install pacman.
mkdir /usr/local/osg-gums cd /usr/local/osg-gums export INSTALL_DIR=/usr/local/osg-gums pacman -get http://software.grid.iu.edu/osg-1.2:gums source setup.sh vdt-post-install vdt/setup/configure_mysql --version 5 -root passwd_for_mysql vdt-ca-manage setupca --location root --url osg Setting up CA Certificates for VDT installation at '/usr/local/osg-gums' CA Certificates will be installed into /etc/grid-security/certificates vdt-control --enable fetch-crl vdt-control --enable vdt-update-certs vdt-control --enable vdt-rotate-logs vdt-control --enable mysql5 vdt-control --enable apache vdt-control --enable tomcat-55 vdt-control --on ====> RUNNING AS NON-ROOT USER? READ ON. <==== vdt-control --off Create gums user and gums group with HOME=/usr/local/osg-gums chown -R gums:gums /usr/local/osg-gums /etc/grid-security/certificates echo ". /usr/local/osg-gums/setup.sh" > /usr/local/osg-gums/.profile Edit apache/conf/httpd.conf apache/conf/extra/httpd-ssl.conf change ServerAdmin to valid e-mail. change ServerName to current hostname. Create /etc/init.d/vdt Start: daemon -u gums vdt-control --on --non-root Stop: su - gums "vdt-control --off --non-root" chkconfig vdt on Edit your firewall rules for port 8443 only permit your CE and SE. Consider locking down SSH as well. Add your DN so you can administer GUMS: su - gums cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/scripts ./gums-add-mysql-admin "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432" WARNING: You must have created the database before running this script! Adding the following DN to the local database: Certificate DN for administrator: "your DN" Is this correct? (Enter 'yes' to proceed) yes Adding the admin: Enter the root mysql password (or hit enter if you didn't set one up) Enter password: your mysql password for root Replace the default config with the OSG config --or-- create a custom SURAgrid-only config. cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/config cp -p gums.config gums.config.sav Edit gums.config add <vomsserver> def for ttu VOMS: https://voms.hpcc.ttu.edu:8443/voms/suragrid/services
Configuration via Web Interface
Connect to https://yourhost.edu:8443/gums with firefox Create a local account mapper so you can manually map accounts in GUMS. [Click Account Mappers] <add> Name: localMapper Description: Manual Local Account Mapper Type: manual Persistence Factory: mysql <save> Now add a local user to the mapper. [Manual Account Mappings] <add> DN: some DN Account Mapper: localMapper Account: username of local account <save> Create a new User Group. [UserGroups] <add> Name: local Description: Local Users Type: manual persistence Factory: mysql Members URI: blank Non-members URI: blank GUMS Access: read self <save> Add local user to local group. [Manual User Group Members] <add> User group: local DN: thieir DN FQAN: blank for now email: their email <save> [Group To Account Mappings] <add> Name: localGroupToAccountMapping Description: Local Group to Account Mapping User Group(s): local Account Mapper(s): localMapper Accounting VO Subgroup: blank Accounting VO: blank <save> [Host To Group Mappings] Click <edit> next to the only mapping. Hosts: leave as is Description: optional Group to Account Mapping(s): localGroupToAccountMapping in 2nd pulldown <save> Check the user mapping: [Map Account to Grid Identity(s)] Enter the username you mapped above. <map account> Check the other direction: [Map Grid Identity to Account] DN for service: /DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu DN for user: their DN VOMS FQAN for user: blank for now <map user> The manual user mapping show show up. Test SURAgrid VOMS [User Groups] <add> Name: SURAgridGroup Description: Group for SURAgrid users from VOMS Type: voms VOMS Server: SURAgrid Remainder URL: blank for now Accept non-VOMS certificates: true Match VOMS certificate's FQAN as: ignroe VO/Group: blank Role: blank GUMS Access: read self <save> [Account Mappers] <add> Name: suraPoolMapper Description: Map DNs from SURAgrid VOMS to local pool suraNNN accounts Type: pool Pool Name / Groups: SURA Persistence Factory: mysql <save> [Manage Pool Accounts] Account Pool Mapper: suraPoolMapper Account Pool: SURA Range: sura000-020 # Create these in /etc/passwd, LDAP, NIS, etc <add> [Group To Account Mappings] Name: suraGroupToAccountMapping Description: Map SURA Group to Accounts User Group(s): SURAgridGroup Account Mapper(s): suraPoolMapper Accounting VO Subgroup: SURAgrid ??? Accounting VO: SURAgrid <add> [Host To Group Mappings] <Edit> Group To Account Mapping(s): <add> suraGroupToAccountMapping <save> [Generate Grid-Mapfile] will assign pool accounts! <generate grid-mapfile> [Generate Email-Mapfile] shows DN, local username, e-mail
Optional: Simplify the forms for your site
Edit the _form.jsp files in $VDT_LOCATION/tomcat/v55/webapps/gums/. Preload your Service DN using value="/DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu" in the <input> HTML tag.
Client Configuration
Clients are usually configured with the configure-osg command which reads your config.ini file where GUMS is enabled and the gums_host defined.
The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following
globus_mapping /usr/local/osg/prima/lib/libprima_authz_module_scas_gcc32dbg globus_gridmap_callout
The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following:
imsContact https://yourgums.edu:8443/gums/services/GUMSAuthorizationServicePort xacmlContact https://yourgums.edu:8443/gums/services/GUMSXACMLAuthorizationServicePort issuerCertDir /etc/grid-security/vomsdir verifyAC false serviceCert /etc/grid-security/containercert.pem serviceKey /etc/grid-security/containerkey.pem caCertDir /usr/local/osg/globus/TRUSTED_CA logLevel info samlSchemaDir /usr/local/osg/prima/etc/opensaml/
Testing
On a different system on which you're going to use this GUMS instance for authN/Z, you can test a mapping:
gauss# gums-host mapUser -s "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"
