
This document is mostly obsolete. Please see https://github.com/opensciencegrid/osg-vo-config

 

 

This document (will) contain everything there is to know about maintaining vo-client / vo-package.

Per  MYOSG-66 - Investigate what we need in OIM to produce identical content of vo-package Open

Related  MYOSG-37 - Create a page that publishes various VOMS related configuration files Open

VOMSES, GUMS Template, edg-mkgridmap.conf, LSC files

The VO Package configures the resource to connect to authorization and authentication services.

GOC currently publishes the following tarballs at http://software.grid.iu.edu/osg-1.2/tarballs/

vo-client-43.tar.gz

vo-package-43.tar.gz

(version -43 was the latest version when this document was written)

We also publish the content of the tarball and other files via http://software.grid.iu.edu/pacman/tarballs/vo-package/

edg-mkgridmap.osg    10-Apr-2012 14:57   6.3K
gums-fqan.txt        16-Oct-2012 13:45   3.6K
gums.template        16-Oct-2012 17:18   70K
install-vo.sh        29-Apr-2009 16:13   2.9K
osg-make-vomsdir     17-Nov-2011 22:46   11K
rebuild.vomsdir.sh   17-Nov-2011 22:46   162
vomsdir/             23-Oct-2012 17:52   -
vomses               10-Apr-2012 14:57

Sample content for vomses (all 4 vomses files published are identical)

"cdf" "voms.fnal.gov" "15020" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.fnal.gov" "cdf"
"cdf" "voms.cnaf.infn.it" "15001" "/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it" "cdf"
"cdf" "voms-01.pd.infn.it" "15001" "/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it" "cdf"
"fermilab" "voms.fnal.gov" "15001" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.fnal.gov" "fermilab"
"star" "vo.racf.bnl.gov" "15001" "/DC=org/DC=doegrids/OU=Services/CN=vo.racf.bnl.gov" "star"
"atlas" "voms.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch" "atlas"
...
"belle" "voms.cc.kek.jp" "15020" "/C=JP/O=KEK/OU=CRC/CN=host/voms.cc.kek.jp" "belle"
"CSIU" "voms.grid.iu.edu" "15008" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.grid.iu.edu" "CSIU"
"suragrid" "voms.hpcc.ttu.edu" "15003" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.hpcc.ttu.edu" "suragrid"
"nees" "voms.fnal.gov" "15030" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.fnal.gov" "nees"
"gcvo" "gc-voms.javeriana.edu.co" "15002" "/DC=org/DC=doegrids/OU=Services/CN=http/gc-voms.javeriana.edu.co" "gcvo"
"gcedu" "gc-voms.javeriana.edu.co" "15001" "/DC=org/DC=doegrids/OU=Services/CN=http/gc-voms.javeriana.edu.co" "gcedu"
"superbvo.org" "voms2.cnaf.infn.it" "15009" "/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it" "superbvo.org"
"dream" "voms.hpcc.ttu.edu" "15004" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.hpcc.ttu.edu" "dream"
"lbne" "voms.fnal.gov" "15029" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.fnal.gov" "lbne"
"lsst" "voms.fnal.gov" "15003" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.fnal.gov" "lsst"
"UC3" "voms.grid.iu.edu" "15009" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.grid.iu.edu" "UC3"
"mcdrd" "fg5x3.fnal.gov" "15004" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.fnal.gov" "mcdrd"
"lqcd" "voms.fnal.gov" "15024" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.fnal.gov" "lqcd"

Sample content for edg-mkgridmap.conf

#### GROUP: group URI [lcluser]
#
#-------------------
# USER-VO-MAP cdf CDF -- 1 -- Dennis Box (dbox@fnal.gov)-----
group vomss://voms.fnal.gov:8443/voms/cdf cdf
group vomss://voms.cnaf.infn.it:8443/voms/cdf cdf
#-------------------
# USER-VO-MAP fermilab FERMILAB -- 2 -- Fermilab Service Desk (servicedesk@fnal.gov)--
group vomss://voms.fnal.gov:8443/voms/fermilab fermilab
#-------------------
# USER-VO-MAP mis MIS -- 6 -- Rob Quick (rquick@iupui.edu)----
group vomss://voms.grid.iu.edu:8443/voms/mis mis
...
#USER-VO-MAP lsst LSST - 53 - Gabriele Garzoglio (garzoglio@fnal.gov)
group vomss://voms.fnal.gov:8443/voms/lsst lsst
#-------------------
#USER-VO-MAP uc3 UC3 - 54 - Rob Gardner (rwg@uchicago.edu)
group vomss://voms.grid.iu.edu:8443/voms/UC3 UC3
#-------------------
#USER-VO-MAP mcdrd MCDRD - 55 - Hans Wenzel (wenzel@fnal.gov)
group vomss://voms.fnal.gov:8443/voms/mcdrd mcdrd
#-------------------
#USER-VO-MAP lqcd LQCD - 56 - James Simone (simone@fnal.gov)
group vomss://voms.fnal.gov:8443/voms/lqcd lqcd

vomses and edg-mkgridmap comes from .

#USER-VO-MAP <lower cased VO name> <OIM VO Name> - <incremented number> - <Primary Admin name / email>

group vomss://voms.fnal.gov:8443/voms/lqcd <removes . and extra space https://voms.fnal.gov:8443/voms/cdf/configuration/configuration.action>

 

Sample Content for gums.template

<?xml version="1.0" encoding="UTF-8"?>
<!-- This is a template file for VO group Mappings for OSG Version 0.4.x-
this information should be added to your gums.config file. -->
<gums>
<persistenceFactories>
<persistenceFactory
name='mysql'
className='gov.bnl.gums.hibernate.HibernatePersistenceFactory'
hibernate.connection.driver_class='com.mysql.jdbc.Driver'
hibernate.dialect='net.sf.hibernate.dialect.MySQLDialect'
hibernate.c3p0.min_size='3'
hibernate.c3p0.max_size='20'
hibernate.c3p0.timeout='180'
hibernate.connection.url='jdbc:mysql://@SERVER@/GUMS_1_1'
hibernate.connection.username='@USER@'
hibernate.connection.password='@PASSWORD@'
hibernate.connection.autoReconnect='true'/>
</persistenceFactories>
<adminUserGroup
name='admins'
persistenceFactory='mysql'/>
<groupMappings>
<!-- 1 CDF -->
<!-- CDF VOMS at Fermi -->
<groupMapping name="cdf-fnal" accountingVo="cdf" accountingDesc="CDF">
<userGroup className="gov.bnl.gums.VOMSGroup"
url="https://voms.fnal.gov:8443/voms/cdf/services/VOMSAdmin"
persistenceFactory="mysql"
name="cdf-fnal"
voGroup="/cdf"
sslCertfile="/etc/grid-security/http/httpcert.pem"
sslKey="/etc/grid-security/http/httpkey.pem" matchFQAN="exact"/>
<accountMapping className="gov.bnl.gums.GroupAccountMapper"
groupName="cdf"/>
</groupMapping>
<groupMapping name='cdfdev-fnal' accountingVo='cdf' accountingDesc='CDF'>
<userGroup className='gov.bnl.gums.VOMSGroup'
url='https://voms.fnal.gov:8443/voms/cdf/services/VOMSAdmin'
persistenceFactory='mysql'
name='cdfdev-fnal'
voGroup="/cdf/glidecaf"
voRole="development"
sslCertfile='/etc/grid-security/http/httpcert.pem'
sslKey='/etc/grid-security/http/httpkey.pem'
matchFQAN="exact" />
<accountMapping className='gov.bnl.gums.GroupAccountMapper'
groupName='cdfdev' />
</groupMapping>
...
<!-- 55 MCDRD -->
<groupMapping name="mcdrd" accountingVo="mcdrd" accountingDesc="MCDRD">
<userGroup className="gov.bnl.gums.VOMSGroup"
url="https://voms.fnal.gov:8443/voms/mcdrd/services/VOMSAdmin"
persistenceFactory="mysql"
name="mcdrd" voGroup="/mcdrd"
sslCertfile="/etc/grid-security/http/httpcert.pem" sslKey="/etc/grid-security/http/httpkey.pem"
matchFQAN="exact"/>
<accountMapping className="gov.bnl.gums.GroupAccountMapper"
groupName="mcdrd"/>
</groupMapping>
<!-- 56 LQCD -->
<groupMapping name="lqcd" accountingVo="lqcd" accountingDesc="LQCD">
<userGroup className="gov.bnl.gums.VOMSGroup"
url="https://voms.fnal.gov:8443/voms/lqcd/services/VOMSAdmin"
persistenceFactory="mysql"
name="lqcd" voGroup="/lqcd"
sslCertfile="/etc/grid-security/http/httpcert.pem" sslKey="/etc/grid-security/http/httpkey.pem"
matchFQAN="exact"/>
<accountMapping className="gov.bnl.gums.GroupAccountMapper"
groupName="lqcd"/>
</groupMapping>
</groupMappings>
<hostGroups>
<hostGroup className="gov.bnl.gums.CertificateHostGroup" cn="*/?*.@DOMAINNAME@" groups="cdf-fnal,cdfdev-fnal,cdffgrid-fnal,cdfnam-fnal,cdftestcaf-fnal,cdf-cnaf,cdfdev-cnaf,cdffgrid-cnaf,cdfnam-cnaf,cdftestcaf-cnaf,cdf-pd,cdfdev-pd,cdffgrid-pd,cdfnam-pd,cdftestcaf-pd,fermilab,accelerator,argoneut,cdms,minerva,miniboone,minos,mipp,mu2e,nova,numi,patriot,theory,fermilab-test,uboone,uboonepro,uboonegli,ubooneana,map,gm2,coupp,fermilab-production,accelerator-production,argoneut-production,cdms-production,minerva-production,miniboone-production,minos-production,mipp-production,nova-production,numi-production,patriot-production,theory-production,map-production,gm2-production,argoneutana,minervaana,minosana,novaana,mapana,gm2ana,fggli,argoneutgli,minervagli,minosgli,novagli,mapgli,gm2gli,fgadmin,mis,star,uscmsuser,cmsuser,uscmst2admin,uscmssoft,cmssoft,uscmsprod,uscmsphedex,cmsphedex2,uscmsfrontier,cmsuser-null,cmsproduction,LIGO,dzerouser,dzeroana,dzeroservice,dosar,des,glow,nanohub,geant4,geant4-lcgadmin,i2u2,osg,newUsatlasProd,newUsatlasSoft,newUsatlas,newAtlas,osgedu,nwicg,ops,des-production,gpn,compbiogrid,engage-ucsdgrid,engage,engage-ucsdgrid-iu,engage-iu,ilc,nysgrid,sbgrid,cigi,icecube,alice,nebiogrid,gluex,gridunesp,dayabay,hcc,belle,csiu,suragrid,nees,gcvo,gcedu,superbvo.org,superbvo.orgprod,superbvo.orgsoft,dream,lbne,lbne-production,lbneana,lbnegli,lsst,uc3,mcdrd,lqcd"/>
</hostGroups>
</gums>

The OSG software team downloads these files to build the following packages / files

vo-client RPM

Rob Quick runs the osg-make-vomsdir script (provided by the osg-make-vomsdir RPM - SOFTWARE-31 - Add script to create LSC files Closed ) at GOC and publishes the latest content at http://software.grid.iu.edu/pacman/tarballs/vo-package/

The software team then downloads the /vomsdir content and creates the vo-client RPM.

osg-make-vomsdir reads VOMS server data from an existing vomses file, and then queries each VOMS server directly to obtain the VOMS server certificate's DN and issuer. The script writes the VOMS certificate data into LSC files, which it places in a vomsdir hierarchy.
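
The vomses-to-vomsdir mapping described above can be sketched offline as follows. This is an added example, not the osg-make-vomsdir script or any OSG code: it contacts no VOMS server, the function names are hypothetical, and the `/etc/grid-security/vomsdir` default is an assumption. It also lists entries whose contact host differs from the host named in the certificate DN, which are the ones to check by hand before an LSC file is published.

```python
import re
from pathlib import PurePosixPath

# Five double-quoted fields per line: alias, host, port, server DN, VO name.
VOMSES_LINE = re.compile(r'\s*' + r'\s+'.join([r'"([^"]*)"'] * 5) + r'\s*')
# Host and VO name become path components, so no "/" and no leading ".".
SAFE_NAME = re.compile(r'[A-Za-z0-9][A-Za-z0-9._-]*')

# Three lines from the vomses sample on this page plus one constructed bad line.
SAMPLE = '''\
"cdf" "voms.fnal.gov" "15020" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.fnal.gov" "cdf"
"mcdrd" "fg5x3.fnal.gov" "15004" "/DC=org/DC=doegrids/OU=Services/CN=http/voms.fnal.gov" "mcdrd"
"atlas" "voms.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch" "atlas"
"broken" "voms.example.org" "15x01" "/DC=org/CN=voms.example.org" "broken"
'''

def parse_vomses(text):
    """Return (entries, errors); errors are (line number, reason) pairs."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = VOMSES_LINE.fullmatch(line)
        if not m:
            errors.append((lineno, 'expected five quoted fields'))
            continue
        alias, host, port, dn, vo = m.groups()
        if not (re.fullmatch(r'[0-9]{1,5}', port) and 0 < int(port) < 65536):
            errors.append((lineno, 'bad port'))
        elif not (SAFE_NAME.fullmatch(host) and SAFE_NAME.fullmatch(vo)):
            errors.append((lineno, 'unsafe host or VO name'))
        else:
            entries.append(dict(alias=alias, host=host, port=int(port), dn=dn, vo=vo))
    return entries, errors

def dn_host(dn):
    """Host in the DN's last CN, e.g. CN=http/voms.fnal.gov or CN=voms.cern.ch."""
    return dn.rsplit('/CN=', 1)[-1].split('/', 1)[-1]

def needs_review(entries):
    """Entries whose contact host is not the host named in the server DN."""
    return [e for e in entries if dn_host(e['dn']).lower() != e['host'].lower()]

def lsc_path(entry, vomsdir='/etc/grid-security/vomsdir'):
    """Where the LSC file for this entry goes: <vomsdir>/<vo>/<host>.lsc."""
    return str(PurePosixPath(vomsdir) / entry['vo'] / (entry['host'] + '.lsc'))

if __name__ == '__main__':
    entries, errors = parse_vomses(SAMPLE)
    print([lsc_path(e) for e in entries], needs_review(entries), errors)
```

A flagged entry is not necessarily wrong; it only marks a line where the host a client connects to and the host in the certificate DN should be confirmed with the VO.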


(From Tim Cartwright) BUT, and this is really important, our testing shows that the VOMS certificate information is not always correct, or at least is not good enough to allow voms-proxy-init to run without errors or warnings. For the minority of VOs that report incorrect information, I suspect that their VOMS servers may be configured incorrectly, but that is only a guess.

Thus, EVERY bit of VO data must be verified, which is hard, because it implies membership in the VO. We have no simple nor automated processes for verifying VO data. For now, I suggest asking the VO owner to verify the data, or, if someone at the GOC actually is a VO member, then verifying directly.

According to the following document

> https://twiki.grid.iu.edu/bin/view/SoftwareTeam/CreateVOClient

The software team then downloads the following items from software.grid.iu.edu to start building the vo-client RPM

LSC files are used when a user runs voms-proxy-init. (TODO - document what happens to the proxy if AC validation fails - does it matter?) What is the point of voms-proxy-init checking the server certificate against what is in the LSC file?

vo-client-edgmkgridmap RPM

/etc/edg-mkgridmap.conf (copy of GOC published vo-package:/etc/edg-mkgridmap.conf)

(TODO - document briefly how this file is used)

osg-gums-config RPM

The software team downloads the following gums template (for v1.1)

 wget http://software.grid.iu.edu/pacman/tarballs/vo-package/gums.template

Then, John Weigand converts this to version 1.3 format to create gums.config.template

The software team then runs the spec file for osg-gums-config to build the RPM.

(TODO - is the v1.1 template used by anything? If not, should GOC publish it in v1.3 format?)

(TODO - document briefly how this file is used)

(TODO - any other RPMs generated?)


Other users of GOC software.grid.iu.edu tarballs

MyOSG VOMS status monitor  MYOSG-65 - Update VOMS status monitor to use OSG RPM repo instead of software/packman for edg-mkgridmap config Closed

How is GOC tarball / vo-package directory generated

(TODO)
