Grid User Management System (GUMS)
The documentation for GUMS is a bit sketchy. While GUMS is quite useful, there still seems to be some black magic involved in making it work.
This should be installed on a standalone (virtual) server. GUMS uses port 8443 so it will collide with SRM and/or GRAM4 services if you try to cut corners. It's also a good idea to harden this server and lock down all the ports with iptables, as GUMS essentially controls access to your resource.
mkdir /usr/local/osg-gums cd /usr/local/osg-gums export INSTALL_DIR=/usr/local/osg-gums pacman -get http://software.grid.iu.edu/osg-1.2:gums source setup.sh vdt-post-install vdt/setup/configure_mysql --version 5 -root passwd_for_mysql vdt-ca-manage setupca --location root --url osg Setting up CA Certificates for VDT installation at '/usr/local/osg-gums' CA Certificates will be installed into /etc/grid-security/certificates vdt-control --enable fetch-crl vdt-control --enable vdt-update-certs vdt-control --enable vdt-rotate-logs vdt-control --enable mysql5 vdt-control --enable apache vdt-control --enable tomcat-55 vdt-control --on ====> RUNNING AS NON-ROOT USER? READ ON. <==== vdt-control --off Create gums user and gums group with HOME=/usr/local/osg-gums chown -R gums:gums /usr/local/osg-gums /etc/grid-security/certificates echo ". /usr/local/osg-gums/setup.sh" > /usr/local/osg-gums/.profile Edit apache/conf/httpd.conf apache/conf/extra/httpd-ssl.conf change ServerAdmin to valid e-mail. change ServerName to current hostname. Create /etc/init.d/vdt Start: daemon -u gums vdt-control --on --non-root Stop: su - gums "vdt-control --off --non-root" chkconfig vdt on Edit your firewall rules for port 8443 only permit your CE and SE. Consider locking down SSH as well. Add your DN so you can administer GUMS: su - gums cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/scripts ./gums-add-mysql-admin "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432" WARNING: You must have created the database before running this script! Adding the following DN to the local database: Certificate DN for administrator: "your DN" Is this correct? (Enter 'yes' to proceed) yes Adding the admin: Enter the root mysql password (or hit enter if you didn't set one up) Enter password: your mysql password for root Replace the default config with the OSG config --or-- create a custom SURAgrid-only config. cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/config cp -p gums.config gums.config.sav Edit gums.config add <vomsserver> def for ttu VOMS: https://voms.hpcc.ttu.edu:8443/voms/suragrid/services
Configuration via Web Interface
Connect to https://yourhost.edu:8443/gums with firefox Create a local account mapper so you can manually map accounts in GUMS. [Click Account Mappers] <add> Name: localMapper Description: Manual Local Account Mapper Type: manual Persistence Factory: mysql <save> Now add a local user to the mapper. [Manual Account Mappings] <add> DN: some DN Account Mapper: localMapper Account: username of local account <save> Create a new User Group. [UserGroups] <add> Name: local Description: Local Users Type: manual persistence Factory: mysql Members URI: blank Non-members URI: blank GUMS Access: read self <save> Add local user to local group. [Manual User Group Members] <add> User group: local DN: thieir DN FQAN: blank for now email: their email <save> [Group To Account Mappings] <add> Name: localGroupToAccountMapping Description: Local Group to Account Mapping User Group(s): local Account Mapper(s): localMapper Accounting VO Subgroup: blank Accounting VO: blank <save> [Host To Group Mappings] Click <edit> next to the only mapping. Hosts: leave as is Description: optional Group to Account Mapping(s): localGroupToAccountMapping in 2nd pulldown <save> Check the user mapping: [Map Account to Grid Identity(s)] Enter the username you mapped above. <map account> Check the other direction: [Map Grid Identity to Account] DN for service: /DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu DN for user: their DN VOMS FQAN for user: blank for now <map user> The manual user mapping show show up. Test SURAgrid VOMS [User Groups] <add> Name: SURAgridGroup Description: Group for SURAgrid users from VOMS Type: voms VOMS Server: SURAgrid Remainder URL: blank for now Accept non-VOMS certificates: true Match VOMS certificate's FQAN as: ignroe VO/Group: blank Role: blank GUMS Access: read self <save> [Account Mappers] <add> Name: suraPoolMapper Description: Map DNs from SURAgrid VOMS to local pool suraNNN accounts Type: pool Pool Name / Groups: SURA Persistence Factory: mysql <save> [Manage Pool Accounts] Account Pool Mapper: suraPoolMapper Account Pool: SURA Range: sura000-020 # Create these in /etc/passwd, LDAP, NIS, etc <add> [Group To Account Mappings] Name: suraGroupToAccountMapping Description: Map SURA Group to Accounts User Group(s): SURAgridGroup Account Mapper(s): suraPoolMapper Accounting VO Subgroup: SURAgrid ??? Accounting VO: SURAgrid <add> [Host To Group Mappings] <Edit> Group To Account Mapping(s): <add> suraGroupToAccountMapping <save> [Generate Grid-Mapfile] will assign pool accounts! <generate grid-mapfile> [Generate Email-Mapfile] shows DN, local username, e-mail
Optional: Simplify the forms for your site
Edit the _form.jsp files in $VDT_LOCATION/tomcat/v55/webapps/gums/. Preload your Service DN using
value="/DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu" in the <input> HTML tag.
Clients are usually configured with the configure-osg command which reads your config.ini file where GUMS is enabled and the gums_host defined.
The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following
globus_mapping /usr/local/osg/prima/lib/libprima_authz_module_scas_gcc32dbg globus_gridmap_callout
The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following:
imsContact https://yourgums.edu:8443/gums/services/GUMSAuthorizationServicePort xacmlContact https://yourgums.edu:8443/gums/services/GUMSXACMLAuthorizationServicePort issuerCertDir /etc/grid-security/vomsdir verifyAC false serviceCert /etc/grid-security/containercert.pem serviceKey /etc/grid-security/containerkey.pem caCertDir /usr/local/osg/globus/TRUSTED_CA logLevel info samlSchemaDir /usr/local/osg/prima/etc/opensaml/
On a different system on which you're going to use this GUMS instance for authN/Z, you can test a mapping:
gauss# gums-host mapUser -s "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"