Grid User Management System (GUMS)

From SURAgrid
Latest revision as of 11:50, 29 June 2011

The documentation for GUMS is a bit sketchy. While GUMS is quite useful, there still seems to be some black magic involved in making it work.

Reference

OSG Documentation: Install, Configure, and Manage GUMS

This should be installed on a standalone (virtual) server. GUMS listens on port 8443, so it will collide with SRM and/or GRAM4 services if you try to share a host with them. It is also a good idea to harden this server and lock down all ports with iptables, because GUMS effectively decides who gets which local account on your resource: anyone who can alter its mappings or its database can map an arbitrary DN to any account.

Install certs into /etc/grid-security/host{cert,key}.pem and /etc/grid-security/http/http{cert,key}.pem. The key files must be readable only by the account that runs the service (not group- or world-readable), which for the non-root setup below means owned by the gums user.
Install pacman.

mkdir /usr/local/osg-gums
cd /usr/local/osg-gums
export INSTALL_DIR=/usr/local/osg-gums
pacman -get http://software.grid.iu.edu/osg-1.2:gums
source setup.sh
vdt-post-install
vdt/setup/configure_mysql  --version 5 -root passwd_for_mysql
   (the MySQL root password given on the command line ends up in your shell history and is briefly visible in ps; use a password that is not reused anywhere and remove the line from your history afterwards)
vdt-ca-manage setupca --location root --url osg
Setting up CA Certificates for VDT installation at '/usr/local/osg-gums'
CA Certificates will be installed into /etc/grid-security/certificates
vdt-control --enable fetch-crl
vdt-control --enable vdt-update-certs
vdt-control --enable vdt-rotate-logs
vdt-control --enable mysql5
vdt-control --enable apache
vdt-control --enable tomcat-55
vdt-control --on

====> RUNNING AS NON-ROOT USER? READ ON. <====
vdt-control --off
Create gums user and gums group with HOME=/usr/local/osg-gums
chown -R gums:gums /usr/local/osg-gums /etc/grid-security/certificates
Check that the gums user can read /etc/grid-security/http/http{cert,key}.pem, since tomcat now runs as gums and needs them (and that nobody else can read the key).
echo ". /usr/local/osg-gums/setup.sh" > /usr/local/osg-gums/.profile
Edit apache/conf/httpd.conf apache/conf/extra/httpd-ssl.conf
change ServerAdmin to a valid e-mail address.
change ServerName to the current hostname.
Create /etc/init.d/vdt
Start: daemon -u gums vdt-control --on --non-root
Stop: su - gums -c "vdt-control --off --non-root"
chkconfig vdt on
Edit your firewall rules so that port 8443 accepts connections only from your CE and SE.
Consider locking down SSH as well.
Add your DN so you can administer GUMS:
su - gums
cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/scripts

./gums-add-mysql-admin "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"
WARNING: You must have created the database before running this script!
Adding the following DN to the local database:
Certificate DN for administrator: "your DN"
Is this correct? (Enter 'yes' to proceed) yes
Adding the admin:
Enter the root mysql password (or hit enter if you didn't set one up)
Enter password: your mysql password for root

Replace the default config with the OSG config
--or--
create a custom SURAgrid-only config.

cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/config
cp -p gums.config gums.config.sav

Edit gums.config
add a <vomsserver> definition for the TTU VOMS server:
https://voms.hpcc.ttu.edu:8443/voms/suragrid/services

Configuration via Web Interface

Connect to https://yourhost.edu:8443/gums with firefox. The web interface authenticates you by client certificate, so the browser must have loaded the user certificate whose DN you added with gums-add-mysql-admin above.
Create a local account mapper so you can manually map accounts in GUMS.
[Click Account Mappers]
<add>
 Name: localMapper
 Description: Manual Local Account Mapper
 Type: manual
 Persistence Factory: mysql
<save>
Now add a local user to the mapper.
[Manual Account Mappings]
<add>

 DN: some DN
 Account Mapper: localMapper
 Account: username of local account
 <save>

Create a new User Group.
[UserGroups]
<add>
 Name: local
 Description: Local Users
 Type: manual
 persistence Factory: mysql
 Members URI: blank
 Non-members URI: blank

 GUMS Access: read self
 <save>
Add local user to local group.
[Manual User Group Members]
<add>
 User group: local
 DN: their DN
 FQAN: blank for now
 email: their email

 <save>
[Group  To Account Mappings]
<add>
 Name: localGroupToAccountMapping
 Description: Local Group to Account Mapping
 User Group(s): local
 Account Mapper(s): localMapper
 Accounting VO Subgroup: blank
 Accounting VO: blank
 <save>

[Host To Group Mappings]
 Click <edit> next to the only mapping.
 Hosts: leave as is
 Description: optional
 Group to Account Mapping(s): localGroupToAccountMapping in 2nd pulldown
 <save>
Check the user mapping:
[Map Account to Grid Identity(s)]
 Enter the username you mapped above.
 <map account>

Check the other direction:
[Map Grid Identity to Account]
 DN for service: /DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu
 DN for user: their DN
 VOMS FQAN for user: blank for now
 <map user>
 The manual user mapping should show up.
Test SURAgrid VOMS
[User Groups]
<add>
 Name: SURAgridGroup
 Description: Group for SURAgrid users from VOMS
 Type: voms
 VOMS Server: SURAgrid
 Remainder URL: blank for now

 Accept non-VOMS certificates: true
 Match VOMS certificate's FQAN as: ignore
 VO/Group: blank
 Role: blank
 GUMS Access: read self
 <save>
[Account Mappers]
<add>
 Name: suraPoolMapper
 Description: Map DNs from SURAgrid VOMS to local pool suraNNN accounts
 Type: pool
 Pool Name / Groups: SURA
 Persistence Factory: mysql
 <save>

[Manage Pool Accounts]
 Account Pool Mapper: suraPoolMapper
 Account Pool: SURA
 Range: sura000-020  # Create these in /etc/passwd, LDAP, NIS, etc
 <add>
[Group To Account Mappings]
 Name: suraGroupToAccountMapping
 Description: Map SURA Group to Accounts
 User Group(s): SURAgridGroup
 Account Mapper(s): suraPoolMapper
 Accounting VO Subgroup: SURAgrid ???
 Accounting VO: SURAgrid
 <add>
[Host To Group Mappings]
 <Edit> Group To Account Mapping(s):
 <add> suraGroupToAccountMapping
 <save>

[Generate Grid-Mapfile]
 this assigns pool accounts to the SURAgrid DNs, so the sura000-020 accounts must already exist (see the Range step above)
 <generate grid-mapfile>
[Generate Email-Mapfile]
 shows DN, local username, e-mail
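
The Range step above only tells GUMS which names it may hand out; the sura000 to sura020 accounts themselves have to exist on every host that consumes the grid-mapfile. The following script is an added example and is not part of the SURAgrid page or of GUMS. It assumes that the range sura000-020 means a three-digit zero-padded index from 0 to 20 and that the pool group is called SURA; it creates any missing accounts with a locked password. By default (DRY_RUN=1) it only prints the commands; run it as root with DRY_RUN=0 to create the accounts.

```shell
# Added example (not from the SURAgrid page or GUMS): create the local pool
# accounts that suraPoolMapper hands out. Assumptions: GUMS range "sura000-020"
# = prefix "sura", three-digit zero-padded index 0..20; pool group named SURA.
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only; 0 = really run them (as root)

# pool_names PREFIX FIRST LAST WIDTH: print one account name per line, with
# the index zero-padded to WIDTH digits so the names match the GUMS range
pool_names() {
    prefix=$1; i=$2; last=$3; fmt="%s%0${4}d\n"
    while [ "$i" -le "$last" ]; do
        # shellcheck disable=SC2059
        printf "$fmt" "$prefix" "$i"
        i=$((i + 1))
    done
}

# run CMD...: execute CMD, or only echo it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# create_pool_accounts GROUP PREFIX FIRST LAST: create GROUP if needed, then
# every pool account that does not exist yet. Pool accounts run grid jobs, so
# they keep a shell, but the password is locked so nobody can log in to them.
create_pool_accounts() {
    group=$1; prefix=$2; first=$3; last=$4; created=0
    if ! grep -q "^$group:" /etc/group 2>/dev/null; then
        run groupadd "$group"
    fi
    for name in $(pool_names "$prefix" "$first" "$last" 3); do
        if id "$name" >/dev/null 2>&1; then
            echo "exists: $name"
            continue
        fi
        run useradd -m -g "$group" -c "GUMS pool account ($group)" -s /bin/bash "$name"
        run passwd -l "$name"
        created=$((created + 1))
    done
    echo "created: $created"
}

create_pool_accounts SURA sura 0 20
```

If your accounts live in LDAP or NIS rather than /etc/passwd, keep pool_names (the zero padding is what matters: GUMS will hand out sura007, not sura7) and replace the useradd/passwd calls with your directory's equivalent.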

Optional: Simplify the forms for your site

Edit the _form.jsp files in $VDT_LOCATION/tomcat/v55/webapps/gums/.
Preload your Service DN using value="/DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu" in the <input> HTML tag.

Client Configuration

Clients are usually configured with the configure-osg command which reads your config.ini file where GUMS is enabled and the gums_host defined.

The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following, on one line (the callout library followed by the symbol name):

globus_mapping /usr/local/osg/prima/lib/libprima_authz_module_scas_gcc32dbg globus_gridmap_callout

The PRIMA callout's own configuration, /etc/grid-security/prima-authz.conf, is also created by configure-osg and should contain the following:

imsContact https://yourgums.edu:8443/gums/services/GUMSAuthorizationServicePort
xacmlContact https://yourgums.edu:8443/gums/services/GUMSXACMLAuthorizationServicePort
issuerCertDir  /etc/grid-security/vomsdir
verifyAC false
serviceCert /etc/grid-security/containercert.pem
serviceKey  /etc/grid-security/containerkey.pem
caCertDir   /usr/local/osg/globus/TRUSTED_CA
logLevel    info
samlSchemaDir /usr/local/osg/prima/etc/opensaml/

Note that verifyAC false means the callout does not itself verify the VOMS attribute certificate against the VOMS server certificates in issuerCertDir, so the FQAN is passed to GUMS unverified; leave it that way only if you understand that trade-off. The serviceCert and serviceKey are what authenticate this host to GUMS, so protect the key file as you would hostkey.pem.

Testing

On a different system on which you're going to use this GUMS instance for authN/Z, you can test a mapping:

gums-host mapUser -s "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"

gums-host authenticates to GUMS with the client host's certificate, so the host must appear in a Host To Group Mapping; a successful test prints the local account GUMS maps that DN to for this host (for a pool group, the pool account that was assigned).
