[THEGrid] Fwd: [Tigre-develop] Registering to VOMS server, how to pull grid-mapfile; how to install TACC CA and other certificates

Alan Sill Alan.Sill at ttu.edu
Thu Nov 10 11:00:39 CST 2005


These instructions apply to THEGrid users, too...

Alan

Begin forwarded message:

> From: Alan Sill <Alan.Sill at ttu.edu>
> Date: November 10, 2005 10:24:08 AM CST
> To: TIGRE developers <tigre-develop at hipcat.net>
> Cc: TIGRE steering <tigre-steering at hipcat.net>
> Subject: [Tigre-develop] Registering to VOMS server, how to pull 
> grid-mapfile; how to install TACC CA and other certificates
>
> Hi all,
>
> OK, I have made some adjustments to the VOMRS interface and to the 
> VOMS server initial prototype for TIGRE that allow those who want to 
> use this mechanism to install local grid-mapfile entries as follows.
>
> I will post instructions on the HiPCAT TIGRE web site on how to do 
> this.  Overall, roughly, the steps involved are fairly simple and 
> involve either installing the VDT "EDG-Make-Gridmap" package on top of 
> the TIGRE install-cache based installation, or pulling the 
> grid-mapfile from another computer that has already done so and 
> merging it with your existing grid-mapfile.  The steps that I will 
> post have provisions for mapping TIGRE users to an appropriate account 
> (of your choice) based on their group membership.
>
> Note these in their simple form do NOT make use of the full "Privilege 
> Project" software or infrastructure, i.e. do NOT use GUMS, PRIMA, etc. 
> and instead are the "simple grid-map mapping" we agreed to at the 
> start of the project as the first step.  The only infrastructure that 
> we introduce at this point is a simple grid-mapfile pulling daemon 
> that pulls the information on our registered certificates out of the 
> VOMS database that you put there by loading a certificate into your 
> browser and going to the URL:
>
> https://scnh005.phys.ttu.edu:8443/vo/TIGRE/vomrs
>
> and registering it according to the instructions that I sent out 
> earlier.  Once approved, your certificate will then be entered into 
> the list that will be pulled according to the group memberships that 
> you select from the VOMS server by daemons or by hand by 
> administrators of TIGRE-connected resources.
>
> Those who use OSG can simply add the following to their 
> edg-mkgridmap.conf file and instantly as soon as the upgrade daemon 
> next runs have a list of TIGRE users added to their grid-mapfile with 
> the indicated mappings.  (You can feel free to adjust the accounts to 
> which the TIGRE groups are mapped, which are the last entries in each 
> line, to accounts of your choice on your systems):
>
> # cat /usr/local/grid_OSG-0.2.1/edg/etc/edg-mkgridmap.conf
> #### GROUP: group URI [lcluser]
> #
> # TIGRE VO additions - 2005-11-09 A. Sill:
> # TIGRE VO:
> # Admins: Alan Sill <Alan.Sill at ttu.edu>, Marg Murray <marg at tacc.utexas.edu>
> # Groups: Assigned via VOMRS interface.  Here we use these to map to accounts.
> #
> # TxChem:
> # Group admin: Srirangam Addepalli <Srirangam.V.Addepalli at ttu.edu>
> group vomss://scnh005.phys.ttu.edu:8443/voms/TIGRE?/TIGRE/TxChem/endyne endyne
> group vomss://scnh005.phys.ttu.edu:8443/voms/TIGRE?/TIGRE/TxChem/venus venus
> #
> # vGrADS:
> # Group Admin: Mark Mazina <mmzn at cs.rice.edu>
> group vomss://scnh005.phys.ttu.edu:8443/voms/TIGRE?/TIGRE/vGrADS vgrads
> #
> # THEGrid:
> # Group admin: Alan Sill <Alan.Sill at ttu.edu>
> group vomss://scnh005.phys.ttu.edu:8443/voms/TIGRE?/TIGRE/THEGrid/CMS uscms01
> group vomss://scnh005.phys.ttu.edu:8443/voms/TIGRE?/TIGRE/THEGrid/ATLAS usatlas1
> group vomss://scnh005.phys.ttu.edu:8443/voms/TIGRE?/TIGRE/THEGrid/ALICE alice
> #
> # Allow everyone else in TIGRE to fall through to the general TIGRE VO:
> group vomss://scnh005.phys.ttu.edu:8443/voms/TIGRE?/TIGRE tigre
>
> [...  followed by the rest of your OSG mappings ...]
>
> You will also have to add the CA files for TACC (obtainable from Marg 
> Murray or send me mail) and the vGrADS Simple CA (send mail to Mark 
> Mazina or to me) to the /etc/grid-security/certificates area or 
> wherever your local gatekeeper checks for certificate authority files 
> by default on your compute element.
>
> We can add other groups and other mappings, or adjust these as needed 
> -- easier to do while the project is small.  Note that the limitation 
> of the grid-mapfile method is that only ONE such mapping can apply for 
> any given certificate registered, which is why the full Privilege 
> architecture was invented in the first place, but it is not so much of 
> a problem at this stage; note for example that there is nothing to 
> prevent you from registering secondary certificates into the VOMRS 
> server to control which account you use, if you have certificates from 
> more than one authority.  (If you have only one, but want to control 
> and use multiple account mappings, then we had better move on to the 
> full Privilege architecture or something like it.)
>
> The above is actually enough information for those who have done this 
> before to use the new TIGRE VO with their system.  I'll post more 
> complete information for those who are starting from scratch or from 
> the TIGRE cache alone to be able to get a current grid-mapfile.  For 
> information, I attach a grid-mapfile pulled from the system as of this 
> morning as an example of what you will get (with mappings controlled 
> by you as per the configuration file given above) from the TIGRE 
> prototype system.
>
> Let me know if you have any questions,
>
> Alan
>
> Alan Sill
> TIGRE Senior Scientist
> High Performance Computing Center
> TTU
>
> ====================================================================
> :  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
> :  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
> ====================================================================
>
>
> [alansill at testwulf test_tigre]$ cat test.out
> "/C=US/O=UTAustin/OU=TACC/CN=Margaret Murray/UID=marg" endyne
> "/DC=org/DC=doegrids/OU=People/CN=Alan Sill 503049" tigre
> "/DC=org/DC=doegrids/OU=People/CN=David John Chaffin 229507" endyne
> "/DC=org/DC=doegrids/OU=People/CN=Heejong Kim 166017" uscms
> "/DC=org/DC=doegrids/OU=People/CN=Joseph Ghobrial 918507" alice
> "/DC=org/DC=doegrids/OU=People/CN=Kazim Ziya Gumus 461726" uscms
> "/DC=org/DC=doegrids/OU=People/CN=Srirangam Addepalli 82478" endyne
> "/O=vGrADS Simple CA/OU=cs.uh.edu/CN=Bo Liu" endyne
> "/O=vGrADS Simple CA/OU=ir.rice.edu/CN=Mark Mazina" vgrads
>
====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
====================================================================
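
The merge of a pulled grid-mapfile into an existing one, and the one-mapping-per-certificate limitation described in the message, sketched as an added example (not part of the original post and not code from edg-mkgridmap). It assumes local entries take precedence over pulled ones and that the only acceptable target accounts are those named in the edg-mkgridmap.conf above; the DNs in the sample input are constructed.

```python
import shlex

# Mapping targets taken from the edg-mkgridmap.conf in the message; any other
# account in a grid-mapfile is treated as unexpected (assumption of this example).
ALLOWED_ACCOUNTS = {"endyne", "venus", "vgrads", "uscms01", "usatlas1", "alice", "tigre"}

def parse_gridmap(text):
    """Return [(dn, account)] from grid-mapfile text of the form "DN" account."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted DN with embedded spaces
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        entries.append((parts[0], parts[1]))
    return entries

def merge_gridmaps(local_text, pulled_text):
    """Merge pulled entries into local ones: one account per DN, local wins."""
    merged, conflicts, rejected = {}, [], []
    for source, text in (("local", local_text), ("pulled", pulled_text)):
        for dn, account in parse_gridmap(text):
            if account not in ALLOWED_ACCOUNTS:
                rejected.append((source, dn, account))       # e.g. a mapping to root
            elif dn not in merged:
                merged[dn] = account
            elif merged[dn] != account:
                conflicts.append((dn, merged[dn], account))  # second mapping ignored
    return merged, conflicts, rejected

def render(merged):
    """Serialize back to grid-mapfile syntax, sorted for stable diffs."""
    return "".join(f'"{dn}" {acct}\n' for dn, acct in sorted(merged.items()))

# Constructed sample input (not real certificates).
LOCAL = '''# existing local grid-mapfile
"/DC=org/DC=example/OU=People/CN=Alice Example 1001" uscms01
"/O=Example Simple CA/OU=cs.example.edu/CN=Bob Example" vgrads
'''
PULLED = '''"/DC=org/DC=example/OU=People/CN=Alice Example 1001" tigre
"/DC=org/DC=example/OU=People/CN=Carol Example 1002" endyne
"/DC=org/DC=example/OU=People/CN=Dave Example 1003" root
'''

if __name__ == "__main__":
    merged, conflicts, rejected = merge_gridmaps(LOCAL, PULLED)
    print(render(merged), end="")
    print("conflicts:", conflicts)
    print("rejected:", rejected)
```

Reviewing the conflict and rejected lists before installing the merged file shows which certificates would otherwise have been silently remapped or mapped to an account the site never assigned.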
