GUMS configuration for pool account mapping (Examples on SAKURA at AIST)

From PRAGMAgridWIKI


Create a set of pool accounts

  • Determine the names and range of the pool accounts (e.g. pgui001 to pgui030).
  • Create the accounts with the useradd command or an equivalent tool.

(Remember to unlock the new user accounts by replacing "!!" with "*" in the password field of /etc/shadow.)

Configure GUMS with Web Interface

Here we map pgui001-pgui030 to the VO group /PRAGMA/Individuals. First, we define an Account Mapper and a User Group. Second, we define a Group To Account Mapping by selecting that Account Mapper and User Group. Finally, we define the Host To Group Mapping by specifying the Group To Account Mapping.

Account Mappers

  • Click Account Mapper on the left side of the web interface.
  • Click add at the bottom of the right page and input the following.
Name:                PRAGMAPoolAccountMapper
Description:         PRAGMA Pool Account Mapper pgui
Type:                pool
Pool Name/Groups:    pgui
Persistence Factory: mysql
  • Click save.

Manage Pool Accounts

  • Click Manage Pool Accounts on the left side of the web interface.
Account Pool Mapper:   Select the Account Mapper you added above.
Account Pool:          pgui
Range:                 Input the range, e.g. pgui001-030.
  • Click add.

User Group

  • Click User Group on the left side of the web interface.
  • Click add and input the following.
Name:          PRAGMA Individuals
Description:   /PRAGMA/Individuals User Group
Type:          voms
VOMS Server:   PRAGMA
Remainder URL: /PRAGMA/services/VOMSAdmin
Accept non-VOMS certificates:      true
Match VOMS certificate's FQAN as:  vogroup
VO/Group:(optional)                /PRAGMA/Individuals
Role:(optional)
GUMS Access:                       read self
  • Click save.

Group To Account Mapping

  • Click Group To Account Mappings on the left side of the web interface.
  • Click add and input the following.
Name:              PRAGMA Individuals to pool-pgui
Description:       VO /PRAGMA/Individuals user to pool pguiXXX
User Group(s):     Select the User Group you added above.
Account Mapper(s): Select the Account Mapper you added above.
  • Click save.

Host To Group Mappings

  • Click Host To Group Mappings on the left side of the web interface.
  • Add the Group To Account Mapping you defined above to the existing configuration.
  • Because the order affects the mapping rules, AIST places this new mapping just after the static mappings.

Check the configuration

  • Click Summary on the left side of the web interface and check the mapping rules you have just added.
  • See AIST's gums.config file as an example.

Get the latest VO Member list

  • Click Update VO Members on the left side of the web interface.
  • Click the update VO members database button.
  • If the update fails, you will see some error messages.
  • If the update succeeds, accounts will be assigned to every user in the new VO group at this moment.

Confirm the mappings

  • Click Generate Grid-Mapfile on the left side of the web interface to see the latest mappings.
  • When you generate a grid-mapfile while specifying the DN of the Globus server and enabling include extended attributes (FQAN), the output is in the usual grid-mapfile format.
  • You should confirm that the pguiXXX accounts are properly mapped.
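
One way to automate that confirmation is to save the generated grid-mapfile and check it with a script. The following is an added example, not part of the original wiki page or of GUMS. It assumes the usual grid-mapfile layout of one `"DN" account` pair per line, and the DNs in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the usual grid-mapfile layout: "DN" local_account
SAMPLE = '''\
# constructed sample, not real GUMS output
"/C=JP/O=Example/OU=GRID/CN=Alice Example" pgui001
"/C=JP/O=Example/OU=GRID/CN=Bob Example" pgui002
"/C=JP/O=Example/OU=GRID/CN=Carol Example" pgui002
"/C=JP/O=Example/OU=GRID/CN=Dave Example" pgui031
"/C=JP/O=Example/OU=GRID/CN=Static Service" gridsvc
'''

LINE_RE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')

def parse_gridmap(text):
    """Yield (dn, account) pairs; raise on lines that do not parse."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a grid-mapfile entry: {line!r}")
        # A grid-mapfile entry may list several accounts separated by commas.
        for account in m.group(2).split(","):
            yield m.group(1), account

def check_pool(text, prefix="pgui", first=1, last=30, width=3):
    """Compare pool mappings with the range registered in GUMS."""
    valid = {f"{prefix}{i:0{width}d}" for i in range(first, last + 1)}
    by_account = defaultdict(set)
    for dn, account in parse_gridmap(text):
        if account.startswith(prefix):   # ignore static (non-pool) mappings
            by_account[account].add(dn)
    return {
        # a pool account should belong to exactly one certificate DN
        "shared": {a: sorted(d) for a, d in by_account.items() if len(d) > 1},
        # pool-style names outside the registered range
        "out_of_range": sorted(a for a in by_account if a not in valid),
        # registered pool accounts not yet assigned to anyone
        "free": len(valid - set(by_account)),
    }

if __name__ == "__main__":
    for key, value in check_pool(SAMPLE).items():
        print(f"{key}: {value}")
```

A non-empty `shared` or `out_of_range` result means the pool range or mapping order in GUMS should be reviewed before the grid-mapfile is used.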

Notes

  • A user removed from the PRAGMA VO groups will be automatically unmapped from the pool account.
