Resource Site Administrator Guide

From PRAGMAgridWIKI


Setup auto-update grid-mapfile to synchronize with PRAGMA VO groups

In PRAGMA grid, a VOMRS server is used to manage user membership in groups corresponding to individual projects.
See an example below on how to configure mappings from the VOMRS project groups to local accounts on a site system using VDT and edg-mkgridmap.
There are two alternative non-VDT methods: install from RPM, or use a callout to a GUMS server. See the examples documented by Vladimir.

  • If pacman has not been installed, install pacman
[root@rocks-96 ~]# wget http://physics.bu.edu/pacman/sample_cache/tarballs/pacman-latest.tar.gz
[root@rocks-96 ~]# cd /opt
[root@rocks-96 opt]# tar xvzf /root/pacman-latest.tar.gz
[root@rocks-96 opt]# cd pacman-3.26/
[root@rocks-96 pacman-3.26]# source ./setup.sh
  • Install edg-mkgridmap

Note - please back up your existing /etc/grid-security/grid-mapfile, and answer the questions according to your site requirements and policies.

[root@rocks-96 opt]# mkdir vdt
[root@rocks-96 opt]# cd vdt
[root@rocks-96 vdt]# pacman -get http://vdt.cs.wisc.edu/vdt_1100_cache:EDG-Make-Gridmap
Do you want to add [http://vdt.cs.wisc.edu/vdt_1100_cache] to [trusted.caches]? (y/n/yall): y
Beginning VDT prerequisite checking script vdt-common/vdt-prereq-check...       
All prerequisite checks are satisfied.
VDT 1.10.0 installs a variety of software, each with its own license.
In order to continue, you must agree to the licenses.
You can view the licenses online at:
     http://vdt.cs.wisc.edu/licenses/1.10.0
After the installation has completed, you will also be able to view the licenses in the "licenses" directory.
Do you agree to the licenses? [y/n] y
Several services provided by the VDT create unbounded log files.
If you wish, we can rotate those file on a daily basis.
Would you like to setup daily rotation of VDT log files?
Possible answers:
    y: Yes, I want the service to run automatically (once enabled)
    n: No, I do NOT want the service to run automatically
Note: Services are enabled with vdt-control; see 'post-install/README'.
y
Do you want to run a cron job that will update the CA certificate revocation lists automatically? 
This will use the fetch-crl program that comes with the VDT. 
The cron job will run at a random time between midnight and 6:00am.
We select a random time to avoid having all VDT installations fetching CRLs at the same time.
Do you want to update the CA certification revocation lists (CRLs) automatically? [y/n] y

The VDT typically installs public certificates and signing policy files for the well-known public CA's.
This is necessary in order for you to perform GSI authentication with any remote Grid services 
(that have service/host certificates signed by these CA's).
For more information please refer to the VDT documentation:
http://vdt.cs.wisc.edu/releases/1.10.0/setup_ca.html
Where would you like to install CA files?
Choices:
        r (root)  - install into /etc/grid-security/certificates (existing CA files will be preserved)
        l (local) - install into $VDT_LOCATION/globus/share/certificates
        n (no)    - do not install
r
Do you want edg-mkgridmap daemon to be run automatically?
If so, we will run it four times a day via cron.
edg-mkgridmap will update your gridmap file by communicating with VOMS servers.
This will only be useful if you are part of a Virtual Organization (VO) or you allow users from VOs.
Do you want edg-mkgridmap daemon to be run via cron? [y/n] y
Do you want to automatically update your CA certificates?
If so, we will check for updates once a day via cron.
Do you want to automatically update your CA Certificates? [y/n] y
  • Configure vdt-update-certs

If you answered "yes" to automatically updating your CA certificates in the step above, but have not set up automatic certificate updates before, configure vdt-update-certs now. Otherwise, skip this step. To configure vdt-update-certs, place the non-IGTF certificate files (for example, the files in the PRAGMA CA tarball) in the /etc/grid-security/non-igtf-certs directory, then edit /opt/vdt/vdt/etc/vdt-update-certs.conf to include each non-IGTF certificate file.

  • Create UNIX accounts for the PRAGMA VO groups to map onto.

For example, create account "pragmauser" for PRAGMA USERS group, "afguser" for Avian-Flu-Grid group.

  • Create /opt/vdt/edg/etc/edg-mkgridmap.conf file as
[root@rocks-96 etc]# cat /opt/vdt/edg/etc/edg-mkgridmap.conf 
group vomss://vomrs-pragma.sdsc.edu:8443/voms/PRAGMA?/PRAGMA/Avian-Flu-Grid afguser
group vomss://vomrs-pragma.sdsc.edu:8443/voms/PRAGMA?/PRAGMA/USERS pragmauser

gmf_local /opt/vdt/edg/etc/grid-mapfile-local

Note - to add new groups in the future, simply add group/user mappings in the /opt/vdt/edg/etc/edg-mkgridmap.conf file.

  • Copy /etc/grid-security/grid-mapfile to /opt/vdt/edg/etc/grid-mapfile-local file
  • Create /opt/vdt/edg/log/edg-mkgridmap.log (use touch command)
  • Backup and remove /etc/grid-security/grid-mapfile
  • Run edg-mkgridmap for the first time
[root@rocks-96 opt]# touch /opt/vdt/edg/etc/grid-mapfile-local
[root@rocks-96 opt]# /opt/vdt/edg/sbin/edg-mkgridmap --output=/etc/grid-security/grid-mapfile
  • Check the results in /etc/grid-security/grid-mapfile. If there are no problems, start the cron service
[root@rocks-96 vdt]# source setup.sh
[root@rocks-96 vdt]# vdt-control --on edg-mkgridmap
enabling cron service edg-mkgridmap... no crontab for root
ok
[root@rocks-96 vdt]# crontab -l
18 1,7,13,19 * * * /opt/vdt/edg/sbin/edg-mkgridmap >> /opt/vdt/edg/log/edg-mkgridmap.log 2>&1

Note - the "no crontab for root" error can be ignored.
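Added example (not from the PRAGMA wiki or the VDT) of the "check the results" step above: a small Python checker for the grid-mapfile that edg-mkgridmap wrote, run before the cron job is enabled. It parses the "DN" account lines, flags mappings to accounts that do not exist locally or that have UID 0, and lists DNs that were in the previous grid-mapfile but are missing now (a sign of a failed VOMS query or a removed user). The two sample mapfiles and the local account table are constructed inline; on a real host the table would come from pwd.getpwall().

```python
"""Sanity checks for a grid-mapfile written by edg-mkgridmap (added example)."""
import re

# One mapping per line: a quoted DN, whitespace, comma-separated local accounts.
LINE_RE = re.compile(r'^"([^"]+)"\s+([A-Za-z0-9_.-]+(?:,[A-Za-z0-9_.-]+)*)$')

# Constructed stand-in for the local account table (name -> uid); on a real host
# build it from pwd.getpwall() instead.
LOCAL_ACCOUNTS = {"root": 0, "pragmauser": 1001, "afguser": 1002}

# Constructed sample files; the /OU=Example DNs are placeholders, not real users.
PREVIOUS_MAPFILE = '''\
"/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc" pragmauser
"/DC=NET/DC=PRAGMA-GRID/OU=Example/CN=Legacy User" pragmauser
'''
NEW_MAPFILE = '''\
# written by edg-mkgridmap (constructed sample)
"/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc" pragmauser
"/DC=NET/DC=PRAGMA-GRID/OU=Example/CN=Flu User" afguser
"/DC=NET/DC=PRAGMA-GRID/OU=Example/CN=Typo User" pragmausr
"/DC=NET/DC=PRAGMA-GRID/OU=Example/CN=Admin User" root
'''

def parse_gridmap(text):
    """Return [(dn, [accounts]), ...]; blank and '#' lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: malformed grid-mapfile entry: {raw!r}")
        entries.append((m.group(1), m.group(2).split(",")))
    return entries

def check_gridmap(text, accounts, previous=""):
    """Return a list of problem descriptions; empty means the file looks sane."""
    problems, seen = [], set()
    for dn, targets in parse_gridmap(text):
        for acct in targets:
            if acct not in accounts:
                problems.append(f"{dn}: maps to nonexistent account {acct}")
            elif accounts[acct] == 0:
                problems.append(f"{dn}: maps to UID 0 account {acct}")
        seen.add(dn)
    # A vanished DN may mean a failed VOMS query or a removed user; look before use.
    for dn in sorted({dn for dn, _ in parse_gridmap(previous)} - seen):
        problems.append(f"{dn}: in previous grid-mapfile but missing now")
    return problems
```

Feed it the real files with open("/etc/grid-security/grid-mapfile").read() and the backup copy, and treat any non-empty result as a reason not to run vdt-control --on yet.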

  • Install VOMS-Client
[root@rocks-96 vdt]# pacman -get http://vdt.cs.wisc.edu/vdt_1100_cache:VOMS-Client
  • Create /opt/vdt/glite/etc/vomses/PRAGMA file as
[root@rocks-96 glite]# cat /opt/vdt/glite/etc/vomses/PRAGMA
"PRAGMA" "vomrs-pragma.sdsc.edu" "15001" "/DC=NET/DC=PRAGMA-GRID/OU=SDSC/CN=vomrs-pragma.sdsc.edu" "PRAGMA" "https://vomrs-pragma.sdsc.edu:443/vomrs/PRAGMA/services/VOMRS?WSDL"
  • Add VDT software path to pragma profile

Add "source /opt/vdt/setup.sh" in /etc/profile.d/pragma.sh.

  • Test VOMS client

Log in to a VO group user account. For example, if user Cindy Zheng is a member of the PRAGMA/USERS group:

[zhengc@rocks-96 ~]$ voms-proxy-init -voms PRAGMA -order /PRAGMA/USERS
Enter GRID pass phrase:
Your identity: /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
Creating temporary proxy ..................................................... Done
Contacting  vomrs-pragma.sdsc.edu:15001 [/DC=NET/DC=PRAGMA-GRID/OU=SDSC/CN=vomrs-pragma.sdsc.edu] "PRAGMA" Done
Creating proxy ................................. Done
Your proxy is valid until Fri Aug 22 02:26:38 2008

That's it. Congratulations!

Configure VDT updater to include PRAGMA CA bundle

Vladimir has documented an example.

Map VOMS groups to site systems

Vladimir has documented an example.
