Grid User Management System (GUMS)
The documentation for GUMS is a bit sketchy. While GUMS is quite useful, there still seems to be some black magic involved in making it work.
This should be installed on a standalone (virtual) server. GUMS uses port 8443 so it will collide with SRM and/or GRAM4 services if you try to cut corners. It's also a good idea to harden this server and lock down all the ports with iptables, as GUMS essentially controls access to your resource.
mkdir /usr/local/osg-gums
cd /usr/local/osg-gums
export INSTALL_DIR=/usr/local/osg-gums
pacman -get http://software.grid.iu.edu/osg-1.2:gums
source setup.sh
vdt-post-install
vdt/setup/configure_mysql --version 5 -root passwd_for_mysql
vdt-ca-manage setupca --location root --url osg
    Setting up CA Certificates for VDT installation at '/usr/local/osg-gums'
    CA Certificates will be installed into /etc/grid-security/certificates
vdt-control --enable fetch-crl
vdt-control --enable vdt-update-certs
vdt-control --enable vdt-rotate-logs
vdt-control --enable mysql5
vdt-control --enable apache
vdt-control --enable tomcat-55
vdt-control --on

====> RUNNING AS NON-ROOT USER? READ ON. <====

vdt-control --off
Create a gums user and a gums group with HOME=/usr/local/osg-gums, then:
chown -R gums:gums /usr/local/osg-gums /etc/grid-security/certificates
echo ". /usr/local/osg-gums/setup.sh" > /usr/local/osg-gums/.profile
Edit apache/conf/httpd.conf and apache/conf/extra/httpd-ssl.conf:
    change ServerAdmin to a valid e-mail address.
    change ServerName to the current hostname.
Create /etc/init.d/vdt with:
    Start: daemon -u gums vdt-control --on --non-root
    Stop:  su - gums -c "vdt-control --off --non-root"
chkconfig vdt on
Edit your firewall rules for port 8443 to permit only your CE and SE. Consider locking down SSH as well.

Add your DN so you can administer GUMS:
su - gums
cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/scripts
./gums-add-mysql-admin "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"
    WARNING: You must have created the database before running this script!
    Adding the following DN to the local database:
    Certificate DN for administrator: "your DN"
    Is this correct? (Enter 'yes' to proceed) yes
    Adding the admin:
    Enter the root mysql password (or hit enter if you didn't set one up)
    Enter password: your mysql password for root

Replace the default config with the OSG config --or-- create a custom SURAgrid-only config.
cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/config
cp -p gums.config gums.config.sav
Edit gums.config and add a <vomsserver> definition for the TTU VOMS:
    https://voms.hpcc.ttu.edu:8443/voms/suragrid/services
Configuration via Web Interface
Connect to https://yourhost.edu:8443/gums with firefox.

Create a local account mapper so you can manually map accounts in GUMS.
[Account Mappers] <add>
    Name: localMapper
    Description: Manual Local Account Mapper
    Type: manual
    Persistence Factory: mysql
<save>

Now add a local user to the mapper.
[Manual Account Mappings] <add>
    DN: some DN
    Account Mapper: localMapper
    Account: username of local account
<save>

Create a new User Group.
[User Groups] <add>
    Name: local
    Description: Local Users
    Type: manual
    Persistence Factory: mysql
    Members URI: blank
    Non-members URI: blank
    GUMS Access: read self
<save>

Add the local user to the local group.
[Manual User Group Members] <add>
    User group: local
    DN: their DN
    FQAN: blank for now
    email: their email
<save>

[Group To Account Mappings] <add>
    Name: localGroupToAccountMapping
    Description: Local Group to Account Mapping
    User Group(s): local
    Account Mapper(s): localMapper
    Accounting VO Subgroup: blank
    Accounting VO: blank
<save>

[Host To Group Mappings]
Click <edit> next to the only mapping.
    Hosts: leave as is
    Description: optional
    Group to Account Mapping(s): localGroupToAccountMapping in 2nd pulldown
<save>

Check the user mapping:
[Map Account to Grid Identity(s)]
    Enter the username you mapped above.
<map account>

Check the other direction:
[Map Grid Identity to Account]
    DN for service: /DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu
    DN for user: their DN
    VOMS FQAN for user: blank for now
<map user>
The manual user mapping should show up.
Test SURAgrid VOMS

[User Groups] <add>
    Name: SURAgridGroup
    Description: Group for SURAgrid users from VOMS
    Type: voms
    VOMS Server: SURAgrid
    Remainder URL: blank for now
    Accept non-VOMS certificates: true
    Match VOMS certificate's FQAN as: ignore
    VO/Group: blank
    Role: blank
    GUMS Access: read self
<save>

[Account Mappers] <add>
    Name: suraPoolMapper
    Description: Map DNs from SURAgrid VOMS to local pool suraNNN accounts
    Type: pool
    Pool Name / Groups: SURA
    Persistence Factory: mysql
<save>

[Manage Pool Accounts]
    Account Pool Mapper: suraPoolMapper
    Account Pool: SURA
    Range: sura000-020    # Create these in /etc/passwd, LDAP, NIS, etc.
<add>

[Group To Account Mappings]
    Name: suraGroupToAccountMapping
    Description: Map SURA Group to Accounts
    User Group(s): SURAgridGroup
    Account Mapper(s): suraPoolMapper
    Accounting VO Subgroup: SURAgrid ???
    Accounting VO: SURAgrid
<add>

[Host To Group Mappings] <Edit>
    Group To Account Mapping(s): <add> suraGroupToAccountMapping
<save>

[Generate Grid-Mapfile] will assign pool accounts!
<generate grid-mapfile>

[Generate Email-Mapfile] shows DN, local username, e-mail
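GUMS only records the pool range (sura000-020); the accounts themselves have to exist on the CE/SE before a generated grid-mapfile or a live mapping can use them. The script below is an added example, not part of the original page or of GUMS: it expands the same range syntax entered in [Manage Pool Accounts], reports which accounts are still missing from the passwd database, and creates them. It generalizes beyond the page's single range to any "prefixNNN-MMM" range. The group name, the locked nologin shell and the use of getent/useradd are assumptions for a Linux host.

```shell
#!/bin/sh
# Added example (not from the GUMS page): create the local pool accounts that
# the GUMS pool mapper hands out, from the "sura000-020" range syntax used in
# [Manage Pool Accounts]. Group name and shell below are assumptions.

# Expand "prefixNNN-MMM" into one account name per line, keeping the
# zero-padded width of the first number (sura000-020 -> sura000 ... sura020).
pool_account_names() {
    range=$1
    prefix=$(printf '%s' "$range" | sed 's/[0-9][0-9]*-[0-9][0-9]*$//')
    first=$(printf '%s' "$range" | sed 's/^.*[^0-9]\([0-9][0-9]*\)-[0-9][0-9]*$/\1/')
    last=$(printf '%s' "$range" | sed 's/^.*-\([0-9][0-9]*\)$/\1/')
    width=${#first}
    # strip leading zeros so the shell does not read "020" as octal
    i=$(printf '%s' "$first" | sed 's/^0*//'); i=${i:-0}
    n=$(printf '%s' "$last" | sed 's/^0*//'); n=${n:-0}
    while [ "$i" -le "$n" ]; do
        printf "%s%0${width}d\n" "$prefix" "$i"
        i=$((i + 1))
    done
}

# List the names in the range that do not yet exist in the passwd database
# (local files, LDAP, NIS ... whatever NSS is configured for). Run this
# before generating a grid-mapfile: a mapping to a missing account fails
# at job start, not in GUMS.
missing_pool_accounts() {
    pool_account_names "$1" | while read -r name; do
        getent passwd "$name" >/dev/null 2>&1 || echo "$name"
    done
}

# Create the missing accounts; run as root. useradd leaves the password
# locked, and /sbin/nologin blocks interactive logins (adjust -s if your
# batch system needs a shell for the pool accounts).
create_pool_accounts() {
    range=$1
    group=${2:-sura}
    missing_pool_accounts "$range" | while read -r name; do
        useradd -m -g "$group" -c "GUMS pool account $name" -s /sbin/nologin "$name"
    done
}

# Usage:
#   groupadd sura
#   create_pool_accounts sura000-020 sura
#   missing_pool_accounts sura000-020    # prints nothing once all exist
```

Running missing_pool_accounts on the CE and SE after every change to the pool range catches the common failure where GUMS hands out an account number the host has never heard of.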
Optional: Simplify the forms for your site
Edit the _form.jsp files in $VDT_LOCATION/tomcat/v55/webapps/gums/. Preload your Service DN using value="/DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu" in the <input> HTML tag.
Clients are usually configured with the configure-osg command, which reads your config.ini file; there GUMS is enabled and gums_host is defined.
The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following:
globus_mapping /usr/local/osg/prima/lib/libprima_authz_module_scas_gcc32dbg globus_gridmap_callout
The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following:
imsContact https://yourgums.edu:8443/gums/services/GUMSAuthorizationServicePort
xacmlContact https://yourgums.edu:8443/gums/services/GUMSXACMLAuthorizationServicePort
issuerCertDir /etc/grid-security/vomsdir
verifyAC false
serviceCert /etc/grid-security/containercert.pem
serviceKey /etc/grid-security/containerkey.pem
caCertDir /usr/local/osg/globus/TRUSTED_CA
logLevel info
samlSchemaDir /usr/local/osg/prima/etc/opensaml/
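The callout configuration above is what lets the CE or SE ask GUMS for a mapping, and it names the private key the client uses for that call. The check below is an added example, not part of the original page or of the PRIMA/GUMS distribution: it verifies that every key from the listing above is present, that the GUMS contact is an https URL, and that the serviceKey file is not readable by group or other. The config path is passed as an argument, so the same check runs against a test copy; the sample config in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the GUMS page): sanity-check the PRIMA callout
# configuration shown above before relying on it for authorization.

# Every setting the page's listing contains.
PRIMA_KEYS="imsContact xacmlContact issuerCertDir verifyAC serviceCert serviceKey caCertDir logLevel samlSchemaDir"

# Fetch the value of one setting ("key value" per line) from a config file.
prima_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Return 0 when the config is complete and the service key is private,
# non-zero otherwise; each finding is printed on its own line.
check_prima_conf() {
    conf=$1
    rc=0
    for key in $PRIMA_KEYS; do
        grep -q "^$key[[:space:]]" "$conf" || { echo "missing setting: $key"; rc=1; }
    done
    # The mapping request carries the user's DN; insist on TLS to GUMS.
    case $(prima_value "$conf" imsContact) in
        https://*) ;;
        *) echo "imsContact is not an https URL"; rc=1 ;;
    esac
    # The key that authenticates this host to GUMS must not be world readable.
    keyfile=$(prima_value "$conf" serviceKey)
    if [ -z "$keyfile" ] || [ ! -f "$keyfile" ]; then
        echo "serviceKey file not found: $keyfile"
        rc=1
    else
        # columns 5-10 of ls -l are the group and other permission bits
        perms=$(ls -l "$keyfile" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "serviceKey $keyfile readable by group/other ($perms)"; rc=1; }
    fi
    return $rc
}

# Usage on a CE or SE, after configure-osg has written the file:
#   check_prima_conf /etc/grid-security/gsi-authz.conf && echo OK
```

A non-zero exit with the printed findings is meant to be wired into whatever configuration check the site already runs after configure-osg, so a key that was copied with the wrong mode is caught before the first job is mapped.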
On a different system on which you're going to use this GUMS instance for authN/Z, you can test a mapping:
gums-host mapUser -s "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"