Embed Size (px)
Citation preview
Eric Shook, Anand PadmanabhanEric Shook, Anand Padmanabhan
Grid Research & educatiOn group @ IoWa Grid Research & educatiOn group @ IoWa (GROW)(GROW)
ITS Academic Technologies – Research ITS Academic Technologies – Research Services Services
The University of IowaThe University of IowaIowa City, IA 52242, USAIowa City, IA 52242, USA
May 16, 2006May 16, 2006
GUMSGUMS
22
What is GUMS?What is GUMS?
““The GUMS service performs one The GUMS service performs one and only one function: it maps and only one function: it maps user’s grid certificates/credentials to user’s grid certificates/credentials to site-specific identities/credentials site-specific identities/credentials (e.g., UNIX accounts or Kerberos (e.g., UNIX accounts or Kerberos principals) in accordance with the principals) in accordance with the site’s grid resource usage policy.”site’s grid resource usage policy.”
http://grid.racf.bnl.gov/GUMS/guide_introduction.htmlhttp://grid.racf.bnl.gov/GUMS/guide_introduction.html
33
Why GUMS?Why GUMS?
GUMS allows the implementation GUMS allows the implementation of a single site-wide usage policyof a single site-wide usage policy
Better control the security for Better control the security for accessing site’s grid resourcesaccessing site’s grid resources
Integrate grid information services Integrate grid information services with local information serviceswith local information services
44
How-to install GUMS? How-to install GUMS?
pacman –get iVDGL:gumspacman –get iVDGL:gums Answer “y” to enable GUMS server to run Answer “y” to enable GUMS server to run
automaticallyautomatically (as root) (as root)
– cd $VDT_LOCATION/gums-service/sbincd $VDT_LOCATION/gums-service/sbin– ./addAdmin “your DN”./addAdmin “your DN”
/etc/init.d/apache restart/etc/init.d/apache restart /etc/init.d/tomcat-5 restart/etc/init.d/tomcat-5 restart Test install: Test install:
https://gums-server:8443/gumshttps://gums-server:8443/gums
55
gums.config gums.config
Located at:Located at:$VDT_LOCATION/gums-service/var/war/WEB-INF/$VDT_LOCATION/gums-service/var/war/WEB-INF/
classesclasses
The parts within gums.configThe parts within gums.config– persistenceFactoriespersistenceFactories– groupMappingsgroupMappings
userGroupuserGroup accountMappingaccountMapping
– hostGrouphostGroup
66
persistenceFactories persistenceFactories
Define where local data will be storedDefine where local data will be stored Locations includeLocations include
– mysqlmysql– filesfiles– ldapldap
Information that can be storedInformation that can be stored– Local copy of VO listingsLocal copy of VO listings
77
persistenceFactories persistenceFactories (…)(…)
Example:Example:<persistenceFactory <persistenceFactory
name="mysql“ name="mysql“ className="gov.bnl.gums.hibernate.HibernatePersistenceFaclassName="gov.bnl.gums.hibernate.HibernatePersistenceFactory“ctory“hibernate.connection.driver_class="com.mysql.jdbc.Driver“hibernate.connection.driver_class="com.mysql.jdbc.Driver“hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect“hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect“hibernate.connection.url="jdbc:mysql://server:49151/hibernate.connection.url="jdbc:mysql://server:49151/GUMS_1_1"GUMS_1_1"
hibernate.connection.username="gums-user"hibernate.connection.username="gums-user" hibernate.connection.password=“243FKD56KDI"hibernate.connection.password=“243FKD56KDI" hibernate.connection.autoReconnect="true"hibernate.connection.autoReconnect="true" hibernate.c3p0.min_size="3"hibernate.c3p0.min_size="3" hibernate.c3p0.max_size="20“hibernate.c3p0.max_size="20“ hibernate.c3p0.timeout="180" />hibernate.c3p0.timeout="180" />
88
groupMappingsgroupMappings
Define groups of usersDefine groups of users Determine user group mappingDetermine user group mapping Groups are defined by groupMappingGroups are defined by groupMapping
– groupMapping uses three definitionsgroupMapping uses three definitions userGroupuserGroup accountMappingaccountMapping compositeAccountMapping (not covered)compositeAccountMapping (not covered)
99
groupMappinggroupMapping
Defines a group of usersDefines a group of users Example:Example:
<groupMapping <groupMapping name='atlasProd‘ name='atlasProd‘ accountingVo='usatlas' accountingVo='usatlas' accountingDesc='ATLAS'> accountingDesc='ATLAS'> <userGroup …> <userGroup …> <accountMapping …> <accountMapping …></groupMapping></groupMapping>
1010
userGroupuserGroup
Defines list of people who are Defines list of people who are apart of a groupapart of a group
Information can be provided (by)Information can be provided (by)– VOMS serverVOMS server– LDAP groupLDAP group– ManuallyManually
1111
userGroup (…)userGroup (…)
Example (VOMS)Example (VOMS)<userGroup <userGroup className='gov.bnl.gums.VOMSGroup‘ className='gov.bnl.gums.VOMSGroup‘ url='https://voms:8443/voms/cdf/services/VOMSAdmin‘url='https://voms:8443/voms/cdf/services/VOMSAdmin‘ persistenceFactory='mysql' persistenceFactory='mysql' name='cdf' name='cdf'
voGroup="/cdf"voGroup="/cdf" sslCertfile='/etc/grid-security/hostcert.pem' sslCertfile='/etc/grid-security/hostcert.pem'
sslKey='/etc/grid-security/hostkey.pem‘sslKey='/etc/grid-security/hostkey.pem‘ matchFQAN="vo" matchFQAN="vo" acceptProxyWithoutFQAN='true' /> acceptProxyWithoutFQAN='true' />
1212
accountMappingaccountMapping
Mapping policy for groups of usersMapping policy for groups of users Mapping options includeMapping options include
– AccountPoolMapperAccountPoolMapper– GroupAccountMapperGroupAccountMapper– ManualAccountMapperManualAccountMapper– GecosLdapAccountMapperGecosLdapAccountMapper– GecosNisAccountMapperGecosNisAccountMapper
1313
accountMapping (…)accountMapping (…)
Example (group accounts)Example (group accounts)<accountMapping<accountMapping className='gov.bnl.gums.GroupAccountMapper' className='gov.bnl.gums.GroupAccountMapper' groupName='atlas' /> groupName='atlas' />
Example (pool accounts)Example (pool accounts)<accountMapping<accountMapping className='gov.bnl.gums.AccountPoolMapper‘ className='gov.bnl.gums.AccountPoolMapper‘ persistenceFactory='mysql' persistenceFactory='mysql' name='bnlPool' /> name='bnlPool' />
1414
hostGrouphostGroup
Defines a group of hosts and which Defines a group of hosts and which groupMappings will be usedgroupMappings will be used
Two groups are definedTwo groups are defined– CertificateHostGroupCertificateHostGroup– WildcardHostGroup (deprecated)WildcardHostGroup (deprecated)
1515
hostGroup (…)hostGroup (…)
WildcardHostGroupWildcardHostGroup– Use of this group is discouragedUse of this group is discouraged– Does not properly handle certificate identitiesDoes not properly handle certificate identities
CertificateHostGroupCertificateHostGroup– Example:Example:
<hostGroup<hostGroup className="gov.bnl.gums.CertificateHostGroclassName="gov.bnl.gums.CertificateHostGroup" up" cn='*.usatlas.bnl.gov' cn='*.usatlas.bnl.gov' groups=‘atlas,cms,grow' /> groups=‘atlas,cms,grow' />
1616
What You Need to What You Need to KnowKnow
Names that need to matchNames that need to match– CertificateHostGroup.groups == CertificateHostGroup.groups ==
groupMapping.namegroupMapping.name– persistenceFactory.name == persistenceFactory.name ==
*.persistanceFactory*.persistanceFactory– userGroup.name == table or column within userGroup.name == table or column within
mysql in relation to persistanceFactory usedmysql in relation to persistanceFactory used– accountMapping.groupName == UNIX useraccountMapping.groupName == UNIX user– accountMapping.name == pool reference accountMapping.name == pool reference
name created by ‘gums’ utility programname created by ‘gums’ utility program
1717
Wildcard WarningsWildcard Warnings
hostGroup CN and DN mappings hostGroup CN and DN mappings utilize wildcards to cover a wide utilize wildcards to cover a wide variety of hosts, variety of hosts, – But they can cause problemsBut they can cause problems
Look *closely* at your host Look *closely* at your host certificatescertificates– Make certain they will match a wildcardMake certain they will match a wildcard
Order matters in gums.configOrder matters in gums.config
1818
Wildcard Warnings (…)Wildcard Warnings (…)
Wildcards do not match beyond Wildcards do not match beyond – ‘‘.’, ‘/’, or ‘=‘.’, ‘/’, or ‘=‘
What does this mean?What does this mean?– If CN of certificate = “host/grow.uiowa.edu”If CN of certificate = “host/grow.uiowa.edu”
Successful matches exampleSuccessful matches example– host/*.uiowa.edu, */*.uiowa.edu, host/grow.*.eduhost/*.uiowa.edu, */*.uiowa.edu, host/grow.*.edu
Unsuccessful matches exampleUnsuccessful matches example– *.uiowa.edu, host/*.edu, host/grow.*, host/*uiowa**.uiowa.edu, host/*.edu, host/grow.*, host/*uiowa*
1919
GUMS Utility ProgramGUMS Utility Program
Provides administrative functions Provides administrative functions ‘‘gums’ uses user not host credentialsgums’ uses user not host credentials
– User must be a gums adminUser must be a gums admin Commands available (commonly used)Commands available (commonly used)
– generateGrid3UserVoMapgenerateGrid3UserVoMap– generateGridMapfile generateGridMapfile – pool-addRangepool-addRange
Also availableAlso available– Manual mapping administrative capabilitiesManual mapping administrative capabilities– Update groups and cachesUpdate groups and caches
2020
GUMS Utility Program GUMS Utility Program (…)(…)
Example – add pool account user Example – add pool account user rangerange– ./gums pool-addRange mysql grow grow10-./gums pool-addRange mysql grow grow10-
9999 Example – generate grid-map file Example – generate grid-map file
– ./gums generateGridMapFile “host cert DN ./gums generateGridMapFile “host cert DN here”here”
2121
Useful Log FilesUseful Log Files
For troubleshooting errorsFor troubleshooting errors $VDT_LOCATION/$VDT_LOCATION/
– tomcat/v5/logs/gums-service-admin.logtomcat/v5/logs/gums-service-admin.log– tomcat/v5/logs/gums-service-tomcat/v5/logs/gums-service-
cybersecurity.logcybersecurity.log– tomcat/v5/logs/gums-service-tomcat/v5/logs/gums-service-
developer.logdeveloper.log– gums/var/log/gums-developer.$USER.loggums/var/log/gums-developer.$USER.log– gums/var/log/edg-security.$USER.loggums/var/log/edg-security.$USER.log
2222
GROW’s gums.configGROW’s gums.config
http://grow.its.uiowa.edu/infrastructure/http://grow.its.uiowa.edu/infrastructure/gums/gums/
2323
Useful ResourcesUseful Resources
http://grow.its.uiowa.edu/infrastructure/gumshttp://grow.its.uiowa.edu/infrastructure/gums http://grid.racf.bnl.gov/GUMS/guide_config_gums.htmlhttp://grid.racf.bnl.gov/GUMS/guide_config_gums.html http://osg.ivdgl.org/twiki/bin/view/Integration/http://osg.ivdgl.org/twiki/bin/view/Integration/
GumsConfigExamplesGumsConfigExamples http://osg.ivdgl.org/twiki/bin/view/Integration/GumsAdminshttp://osg.ivdgl.org/twiki/bin/view/Integration/GumsAdmins http://osg.ivdgl.org/twiki/bin/view/Integration/http://osg.ivdgl.org/twiki/bin/view/Integration/
GUMSTroubleshootingGuideGUMSTroubleshootingGuide http://grid.racf.bnl.gov/GUMS/guide_howto_configuration.htmlhttp://grid.racf.bnl.gov/GUMS/guide_howto_configuration.html http://www-hep.nhn.ou.edu/atlas/grid/gums-installation-notes.txthttp://www-hep.nhn.ou.edu/atlas/grid/gums-installation-notes.txt http://pgl.uchicago.edu/twiki/bin/view/Laboratory/GUMS1dot1Uphttp://pgl.uchicago.edu/twiki/bin/view/Laboratory/GUMS1dot1Up
gradegrade
Information from these pages were used to create this Information from these pages were used to create this presentationpresentation
Note:Note:– Most of these links are available from the GROW website (1Most of these links are available from the GROW website (1stst listed) listed)
