Grid User Management System (GUMS)

From SURAgrid

The documentation for GUMS is a bit sketchy. While GUMS is quite useful, there still seems to be some black magic involved in making it work.


Reference

OSG Documentation: Install, Configure, and Manage GUMS

Install GUMS on a standalone (virtual) server. It listens on port 8443 (Tomcat HTTPS), the same port SRM and GRAM4 use, so putting it on a CE or SE to cut corners will produce a port collision. Harden the server and restrict every port with iptables: GUMS decides which local account each grid identity gets, so whoever controls it controls access to your resource.

Install the host certificate and key as /etc/grid-security/host{cert,key}.pem, and a copy for the Tomcat/HTTP service as /etc/grid-security/http/http{cert,key}.pem (this copy must be readable by the account Tomcat runs as).
Install pacman.

mkdir /usr/local/osg-gums
cd /usr/local/osg-gums
export INSTALL_DIR=/usr/local/osg-gums
pacman -get http://software.grid.iu.edu/osg-1.2:gums
source setup.sh
vdt-post-install
vdt/setup/configure_mysql --version 5 -root passwd_for_mysql
vdt-ca-manage setupca --location root --url osg
Setting up CA Certificates for VDT installation at '/usr/local/osg-gums'
CA Certificates will be installed into /etc/grid-security/certificates
vdt-control --enable fetch-crl
vdt-control --enable vdt-update-certs
vdt-control --enable vdt-rotate-logs
vdt-control --enable mysql5
vdt-control --enable apache
vdt-control --enable tomcat-55
vdt-control --on

====> RUNNING AS NON-ROOT USER? READ ON. <====
vdt-control --off
Create a gums user and gums group with HOME=/usr/local/osg-gums
chown -R gums:gums /usr/local/osg-gums /etc/grid-security/certificates
echo ". /usr/local/osg-gums/setup.sh" > /usr/local/osg-gums/.profile
Edit apache/conf/httpd.conf apache/conf/extra/httpd-ssl.conf
change ServerAdmin to valid e-mail.
change ServerName to current hostname.
Create /etc/init.d/vdt with:
Start: daemon --user gums vdt-control --on --non-root
Stop: su - gums -c "vdt-control --off --non-root"
chkconfig vdt on
Edit your firewall rules so port 8443 is reachable only from your CE and SE (plus the workstation you administer GUMS from, since the web interface is on the same port).
Restrict SSH to your admin hosts as well.
Add your DN so you can administer GUMS:
su - gums
cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/scripts

./gums-add-mysql-admin "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"
WARNING: You must have created the database before running this script!
Adding the following DN to the local database:
Certificate DN for administrator: "your DN"
Is this correct? (Enter 'yes' to proceed) yes
Adding the admin:
Enter the root mysql password (or hit enter if you didn't set one up)
Enter password: your mysql password for root

Replace the default config with the OSG config
--or--
create a custom SURAgrid-only config.

cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/config
cp -p gums.config gums.config.sav

Edit gums.config
add a <vomsserver> definition for the TTU VOMS server, whose service URL is:
https://voms.hpcc.ttu.edu:8443/voms/suragrid/services

Configuration via Web Interface

Connect to https://yourhost.edu:8443/gums with Firefox, presenting the personal certificate whose DN you added with gums-add-mysql-admin above.
Create a local account mapper so you can manually map accounts in GUMS.
 [Click Account Mappers]
 <add>
  Name: localMapper
  Description: Manual Local Account Mapper
  Type: manual
  Persistence Factory: mysql
 <save>
Now add a local user to the mapper.
 [Manual Account Mappings]
 <add>

  DN: some DN
  Account Mapper: localMapper
  Account: username of local account
  <save>

Create a new User Group.
 [UserGroups]
 <add>
  Name: local
  Description: Local Users
  Type: manual
  Persistence Factory: mysql
  Members URI: blank
  Non-members URI: blank

  GUMS Access: read self
  <save>
Add local user to local group.
 [Manual User Group Members]
 <add>
  User group: local
  DN: their DN
  FQAN: blank for now
  email: their email

  <save>
 [Group To Account Mappings]
 <add>
  Name: localGroupToAccountMapping
  Description: Local Group to Account Mapping
  User Group(s): local
  Account Mapper(s): localMapper
  Accounting VO Subgroup: blank
  Accounting VO: blank
  <save>

 [Host To Group Mappings]
  Click <edit> next to the only mapping.
  Hosts: leave as is
  Description: optional
  Group to Account Mapping(s): localGroupToAccountMapping in 2nd pulldown
  <save>
Check the user mapping:
 [Map Account to Grid Identity(s)]
  Enter the username you mapped above.
  <map account>

Check the other direction:
 [Map Grid Identity to Account]
  DN for service: /DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu
  DN for user: their DN
  VOMS FQAN for user: blank for now
  <map user>
  The manual user mapping should show up.
Test SURAgrid VOMS
 [User Groups]
 <add>
  Name: SURAgridGroup
  Description: Group for SURAgrid users from VOMS
  Type: voms
  VOMS Server: SURAgrid
  Remainder URL: blank for now

  Accept non-VOMS certificates: true
  Match VOMS certificate's FQAN as: ignore
  VO/Group: blank
  Role: blank
  GUMS Access: read self
  <save>
 [Account Mappers]
 <add>
  Name: suraPoolMapper
  Description: Map DNs from SURAgrid VOMS to local pool suraNNN accounts
  Type: pool
  Pool Name / Groups: SURA
  Persistence Factory: mysql
  <save>

 [Manage Pool Accounts]
  Account Pool Mapper: suraPoolMapper
  Account Pool: SURA
  Range: sura000-020  # These accounts must already exist (in /etc/passwd, LDAP, NIS, etc.) on every node the mapped jobs will run on; GUMS only hands out the names.
  <add>
 [Group To Account Mappings]
  Name: suraGroupToAccountMapping
  Description: Map SURA Group to Accounts
  User Group(s): SURAgridGroup
  Account Mapper(s): suraPoolMapper
  Accounting VO Subgroup: SURAgrid (unverified)
  Accounting VO: SURAgrid
  <add>
 [Host To Group Mappings]
  <Edit> Group To Account Mapping(s):
  <add> suraGroupToAccountMapping
  <save>

 [Generate Grid-Mapfile]
  Note: generating the grid-mapfile maps every known DN, which permanently assigns a pool account to each SURAgrid VO member; do this deliberately.
  <generate grid-mapfile>
 [Generate Email-Mapfile]
  shows DN, local username, e-mail
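As an added illustration (not GUMS code, and not part of the original page), the following Python models the chain configured above: Host To Group Mapping -> its Group To Account Mappings in listed order -> the first User Group that contains the grid identity -> that mapping's Account Mapper. It shows why the order of the Group To Account Mappings matters (a DN in both the local and the SURAgrid group gets the local account only because localGroupToAccountMapping comes first), that a pool mapper's assignment is sticky and eventually runs out, and that generating a grid-mapfile assigns pool accounts as a side effect. The DNs, account names and two-account pool are constructed; the fall-through when a matched group yields no account and the reduced set of FQAN match modes are simplifying assumptions of the model, not verified GUMS behaviour.

```python
"""Model of the GUMS mapping chain configured above (illustrative, not GUMS code).
All DNs, account names and ranges are constructed sample data."""
import re
from collections import namedtuple

# fqan: the VOMS FQAN carried in the proxy, or None for a plain certificate
Identity = namedtuple("Identity", "dn fqan", defaults=(None,))
GroupToAccountMapping = namedtuple("GroupToAccountMapping", "name user_groups account_mapper")

class ManualUserGroup:
    """'Type: manual' group: members are the DNs entered by hand."""
    def __init__(self, name, dns):
        self.name, self.dns = name, set(dns)

    def contains(self, ident):
        return ident.dn in self.dns

class VomsUserGroup:
    """'Type: voms' group; self.dns stands in for the member list GUMS pulls from
    the VOMS server.  Only the 'ignore' and 'exact' FQAN match modes are modelled."""
    def __init__(self, name, dns, accept_non_voms=True, match_fqan="ignore", expected_fqan=None):
        self.name, self.dns = name, set(dns)
        self.accept_non_voms, self.match_fqan, self.expected_fqan = accept_non_voms, match_fqan, expected_fqan

    def contains(self, ident):
        if ident.dn not in self.dns:
            return False                     # not in the VO: this group never matches
        if ident.fqan is None:
            return self.accept_non_voms      # plain proxy without VOMS attributes
        return self.match_fqan == "ignore" or ident.fqan == self.expected_fqan

class ManualAccountMapper:
    """'Type: manual': the explicit DN -> account table (Manual Account Mappings)."""
    def __init__(self, table):
        self.table = dict(table)

    def map(self, ident):
        return self.table.get(ident.dn)

class PoolAccountMapper:
    """'Type: pool': hands out the next free account in the range and remembers it,
    so a DN keeps the same account on every later request."""
    def __init__(self, account_range):
        self.free = expand_range(account_range)   # unassigned accounts, in order
        self.assigned = {}                         # dn -> account (the persisted state)

    def map(self, ident):
        if ident.dn not in self.assigned:
            if not self.free:
                return None                        # pool exhausted: no mapping
            self.assigned[ident.dn] = self.free.pop(0)
        return self.assigned[ident.dn]

def expand_range(spec):
    """'sura000-020' -> ['sura000', ..., 'sura020'], keeping the zero padding."""
    prefix, lo, hi = re.fullmatch(r"([A-Za-z_]+)(\d+)-(\d+)", spec).groups()
    return [f"{prefix}{n:0{len(lo)}d}" for n in range(int(lo), int(hi) + 1)]

class HostToGroupMapping:
    """The ordered Group To Account Mappings attached to one host pattern."""
    def __init__(self, mappings):
        self.mappings = list(mappings)

    def map_user(self, ident):
        """What 'Map Grid Identity to Account' / gums-host mapUser returns."""
        for g2a in self.mappings:                 # order matters: first match wins
            if any(g.contains(ident) for g in g2a.user_groups):
                account = g2a.account_mapper.map(ident)
                if account is not None:
                    return account
                # modelling assumption: a matched group with no free account falls through
        return None

    def generate_gridmapfile(self):
        """Like 'Generate Grid-Mapfile': maps every known DN, which assigns a pool
        account to every VO member as a side effect (hence the warning above)."""
        dns = {dn for g2a in self.mappings for g in g2a.user_groups for dn in g.dns}
        lines = []
        for dn in sorted(dns):
            account = self.map_user(Identity(dn))  # a grid-mapfile carries no FQAN
            if account is not None:
                lines.append(f'"{dn}" {account}')
        return lines

def build_sample_site():
    """The walkthrough's configuration with constructed DNs and a two-account pool."""
    alice = "/DC=org/DC=example/OU=People/CN=Alice Local 1001"
    bob = "/DC=org/DC=example/OU=People/CN=Bob Grid 2002"
    carol = "/DC=org/DC=example/OU=People/CN=Carol Grid 3003"
    dave = "/DC=org/DC=example/OU=People/CN=Dave Grid 4004"
    local = ManualUserGroup("local", [alice])
    sura = VomsUserGroup("SURAgridGroup", [alice, bob, carol, dave])   # alice is in both groups
    site = HostToGroupMapping([
        GroupToAccountMapping("localGroupToAccountMapping", [local], ManualAccountMapper({alice: "alice"})),
        GroupToAccountMapping("suraGroupToAccountMapping", [sura], PoolAccountMapper("sura000-001")),
    ])
    return site, (alice, bob, carol, dave)
```

Run `build_sample_site()` and call `map_user` for each DN: alice gets her manual account, bob and carol consume the two pool slots, a repeat request for bob returns the same slot, and dave gets no mapping. Reverse the order of `site.mappings` and alice is handed a pool account instead, which is the effect to keep in mind when you add suraGroupToAccountMapping under Host To Group Mappings.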

Optional: Simplify the forms for your site

Edit the _form.jsp files under $VDT_LOCATION/tomcat/v55/webapps/gums/ and preload your service DN by adding

value="/DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu"

to the <input> HTML tag for the service DN field.

Client Configuration

Clients are usually configured with the configure-osg command, which reads your config.ini; GUMS must be enabled there and gums_host set to this server.

The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following single line (library path and callout symbol):

globus_mapping /usr/local/osg/prima/lib/libprima_authz_module_scas_gcc32dbg globus_gridmap_callout

The PRIMA configuration file /etc/grid-security/prima-authz.conf will also be created by configure-osg and should contain the following:

imsContact https://yourgums.edu:8443/gums/services/GUMSAuthorizationServicePort
xacmlContact https://yourgums.edu:8443/gums/services/GUMSXACMLAuthorizationServicePort
issuerCertDir  /etc/grid-security/vomsdir
verifyAC false
serviceCert /etc/grid-security/containercert.pem
serviceKey  /etc/grid-security/containerkey.pem
caCertDir   /usr/local/osg/globus/TRUSTED_CA
logLevel    info
samlSchemaDir /usr/local/osg/prima/etc/opensaml/

Testing

On a different system on which you're going to use this GUMS instance for authN/Z, you can test a mapping:

gauss# gums-host mapUser -s "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"
