Grid User Management System (GUMS)

From SURAgrid
(Difference between revisions)
Jump to: navigation, search
Line 237: Line 237:
== Testing ==
== Testing ==
On a different system on which you're going to use this GUMS instance
On a different system on which you're going to use this GUMS instance for authN/Z, you can test a mapping:  
for authN/Z, you can test a mapping:
  gauss# '''gums-host mapUser -s "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"'''
  '''gums-host mapUser -s "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"'''

Latest revision as of 11:50, 29 June 2011

The documentation for GUMS is a bit sketchy. While GUMS is quite useful, there still seems to be some black magic involved in making it work.


[edit] Reference

OSG Documentation: Install, Configure, and Manage GUMS

This should be installed on a standalone (virtual) server. GUMS uses port 8443 so it will collide with SRM and/or GRAM4 services if you try to cut corners. It's also a good idea to harden this server and lock down all the ports with iptables, as GUMS essentially controls access to your resource.

Install certs into /etc/grid-security/host{cert,key}.pem and /etc/grid-security/http/http{cert,key}.pem.
Install pacman.

mkdir /usr/local/osg-gums
cd /usr/local/osg-gums
export INSTALL_DIR=/usr/local/osg-gums
pacman -get
vdt/setup/configure_mysql  --version 5 -root passwd_for_mysql
vdt-ca-manage setupca --location root --url osg
Setting up CA Certificates for VDT installation at '/usr/local/osg-gums'
CA Certificates will be installed into /etc/grid-security/certificates
vdt-control --enable fetch-crl
vdt-control --enable vdt-update-certs
vdt-control --enable vdt-rotate-logs
vdt-control --enable mysql5
vdt-control --enable apache
vdt-control --enable tomcat-55
vdt-control --on

vdt-control --off
Create gums user and gums group with HOME=/usr/local/osg-gums
chown -R gums:gums /usr/local/osg-gums /etc/grid-security/certificates
echo ". /usr/local/osg-gums/" > /usr/local/osg-gums/.profile
Edit apache/conf/httpd.conf apache/conf/extra/httpd-ssl.conf
change ServerAdmin to valid e-mail.
change ServerName to current hostname.
Create /etc/init.d/vdt
Start: daemon -u gums vdt-control --on --non-root
Stop: su - gums "vdt-control --off --non-root"
chkconfig vdt on
Edit your firewall rules for port 8443 only permit your CE and SE.
Consider locking down SSH as well.
Add your DN so you can administer GUMS:
su - gums
cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/scripts

./gums-add-mysql-admin "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"
WARNING: You must have created the database before running this script!
Adding the following DN to the local database:
Certificate DN for administrator: "your DN"
Is this correct? (Enter 'yes' to proceed) yes
Adding the admin:
Enter the root mysql password (or hit enter if you didn't set one up)
Enter password: your mysql password for root

Replace the default config with the OSG config
create a custom SURAgrid-only config.

cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/config
cp -p gums.config gums.config.sav

Edit gums.config
add <vomsserver> def for ttu VOMS:

[edit] Configuration via Web Interface

Connect to with firefox
Create a local account mapper so you can manually map accounts in GUMS.
[Click Account Mappers]
 Name: localMapper
 Description: Manual Local Account Mapper
 Type: manual
 Persistence Factory: mysql
Now add a local user to the mapper.
[Manual Account Mappings]

 DN: some DN
 Account Mapper: localMapper
 Account: username of local account

Create a new User Group.
 Name: local
 Description: Local Users
 Type: manual
 persistence Factory: mysql
 Members URI: blank
 Non-members URI: blank

 GUMS Access: read self
Add local user to local group.
[Manual User Group Members]
 User group: local
 DN: thieir DN
 FQAN: blank for now
 email: their email

[Group  To Account Mappings]
 Name: localGroupToAccountMapping
 Description: Local Group to Account Mapping
 User Group(s): local
 Account Mapper(s): localMapper
 Accounting VO Subgroup: blank
 Accounting VO: blank

[Host To Group Mappings]
 Click <edit> next to the only mapping.
 Hosts: leave as is
 Description: optional
 Group to Account Mapping(s): localGroupToAccountMapping in 2nd pulldown
Check the user mapping:
[Map Account to Grid Identity(s)]
 Enter the username you mapped above.
 <map account>

Check the other direction:
[Map Grid Identity to Account]
 DN for service: /DC=org/DC=doegrids/OU=Services/
 DN for user: their DN
 VOMS FQAN for user: blank for now
 <map user>
 The manual user mapping show show up.
Test SURAgrid VOMS
[User Groups]
 Name: SURAgridGroup
 Description: Group for SURAgrid users from VOMS
 Type: voms
 VOMS Server: SURAgrid
 Remainder URL: blank for now

 Accept non-VOMS certificates: true
 Match VOMS certificate's FQAN as: ignroe
 VO/Group: blank
 Role: blank
 GUMS Access: read self
[Account Mappers]
 Name: suraPoolMapper
 Description: Map DNs from SURAgrid VOMS to local pool suraNNN accounts
 Type: pool
 Pool Name / Groups: SURA
 Persistence Factory: mysql

[Manage Pool Accounts]
 Account Pool Mapper: suraPoolMapper
 Account Pool: SURA
 Range: sura000-020  # Create these in /etc/passwd, LDAP, NIS, etc
[Group To Account Mappings]
 Name: suraGroupToAccountMapping
 Description: Map SURA Group to Accounts
 User Group(s): SURAgridGroup
 Account Mapper(s): suraPoolMapper
 Accounting VO Subgroup: SURAgrid ???
 Accounting VO: SURAgrid
[Host To Group Mappings]
 <Edit> Group To Account Mapping(s):
 <add> suraGroupToAccountMapping

[Generate Grid-Mapfile]
 will assign pool accounts!
 <generate grid-mapfile>
[Generate Email-Mapfile]
 shows DN, local username, e-mail

Optional: Simplify the forms for your site

Edit the _form.jsp files in $VDT_LOCATION/tomcat/v55/webapps/gums/.
Preload your Service DN using
value="/DC=org/DC=doegrids/OU=Services/" in the <input> HTML tag. 

[edit] Client Configuration

Clients are usually configured with the configure-osg command which reads your config.ini file where GUMS is enabled and the gums_host defined.

The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following

globus_mapping /usr/local/osg/prima/lib/libprima_authz_module_scas_gcc32dbg

The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following:

issuerCertDir  /etc/grid-security/vomsdir
verifyAC false
serviceCert /etc/grid-security/containercert.pem
serviceKey  /etc/grid-security/containerkey.pem
caCertDir   /usr/local/osg/globus/TRUSTED_CA
logLevel    info
samlSchemaDir /usr/local/osg/prima/etc/opensaml/

[edit] Testing

On a different system on which you're going to use this GUMS instance for authN/Z, you can test a mapping:

gums-host mapUser -s "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"

Personal tools