SEE-GRID VO organization and usage

From EGEE-see WIki

Introduction

This wiki page describes the organization and usage of the SEE-GRID Virtual Organization (VO). SEE-GRID VO contains the list of users that are allowed to use the SEE-GRID infrastructure. Certificate subjects of VO members are stored in a MySQL database and managed through a VO Membership Service (VOMS) web application.

User registration

To join the seegrid VO, new users register through the VOMS web application (the user certificate must be loaded into the browser):

 https://voms.irb.hr/voms/seegrid/

After the user's email address is verified, an email notification is automatically sent to the relevant country GIMs to approve the request. The VOMS admin also receives this notification, but it is the responsibility of the GIMs to approve new users from their country and add them to the appropriate application group.

If the request is approved, a notification is sent to the user and (s)he can immediately start using SEE-GRID resources. The list of all VO members is available from:

 https://voms.irb.hr/voms/seegrid/SearchUser.do

VO structure

In addition to being a member of the SEE-GRID VO, a user can be assigned to groups or given special roles within the VO. Groups and roles can be global or per-country. Global ones include:

  • /seegrid - top level group containing all VO members, used for normal jobs (without special privileges or priority)
  • /seegrid/Role=ops - role containing operations people running monitoring tools (SAM), should be configured on all sites and given the highest priority in order to detect problems quickly
  • /seegrid/Role=sgmadmin - role containing Software Grid Managers (SGMs), allowed to deploy application software to sites
  • /seegrid/Role=VO-Admin - role containing VOMS server administrators, for general server administration

Per-country groups and roles (<CC> stands for the country code, e.g. AL, BA etc.) are:

  • /seegrid/<CC> - group for a country with the given country code (CC), empty by default but can be used by the sites to give additional priority to local users
  • /seegrid/<CC>/App - GIMs should add country applications under this group to allow for per application accounting and prioritization
  • /seegrid/<CC>/Role=VO-Admin - contains country GIMs, members of this group are authorized to approve new VO members and edit their respective country subgroup (/seegrid/<CC>)

The SEE-GRID VO structure can be examined at:

 https://voms.irb.hr/voms/seegrid/SearchGroups.do

This organization should allow easy application-level accounting and efficient operations:

  • Global role ops is used for submission of SAM jobs to sites, and has to be configured on all sites so that all jobs submitted through it are executed immediately.
  • Global role VO-Admin is used for administration of VOMS, while country-level VO-Admin roles contain country GIMs. This <CC> role allows GIMs to manage <CC> VOMS groups and roles, and to approve VOMS membership requests. Sites don't have to configure it.
  • Global role sgmadmin should be assigned to all APP developers that will be installing APP software to sites using SGM tools. This should be configured on all sites, and such jobs mapped to sgm pool accounts.
  • Within each country's VOMS group, there is an App subgroup. The GIM for each country is responsible for creating a per-application subgroup in /seegrid/<CC>/App, named after the application. All application developers and users should create VOMS proxies with the proper group selected, so that app-level accounting is possible.

VOMS proxies

VOMS-enabled proxies are created using the voms-proxy-init command, for example:

$ voms-proxy-init -voms seegrid                       
Cannot find file or dir: /home/vvidic/.glite/vomses
Your identity: /C=HR/O=edu/OU=irb/CN=Valentin Vidic
Enter GRID pass phrase:
Creating temporary proxy ................................... Done
Contacting  voms.grid.auth.gr:15040 [/C=GR/O=HellasGrid/OU=auth.gr/CN=voms.grid.auth.gr] "seegrid" Done
Creating proxy ......................................... Done
Your proxy is valid until Tue Sep 25 00:27:21 2007

The details of the proxy should contain info on the VO membership:

$ voms-proxy-info -all
subject   : /C=HR/O=edu/OU=irb/CN=Valentin Vidic/CN=proxy
issuer    : /C=HR/O=edu/OU=irb/CN=Valentin Vidic
identity  : /C=HR/O=edu/OU=irb/CN=Valentin Vidic
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u2212
timeleft  : 11:59:56
=== VO seegrid extension information ===
VO        : seegrid
subject   : /C=HR/O=edu/OU=irb/CN=Valentin Vidic
issuer    : /C=GR/O=HellasGrid/OU=auth.gr/CN=voms.grid.auth.gr
attribute : /seegrid/Role=NULL/Capability=NULL
attribute : /seegrid/HR/Role=NULL/Capability=NULL
attribute : /seegrid/Role/VO-Admin/Role=NULL/Capability=NULL
timeleft  : 11:59:56

For accounting purposes and additional priority, users should always use the appropriate application group instead of the generic one (/seegrid), for example:

$ voms-proxy-init -voms seegrid:/seegrid/BG/App/SALUTE

If the requested application group doesn't exist or the user is not listed as a member, the GIM for the given country should be contacted.

The software installation role can be requested using the following syntax:

$ voms-proxy-init -voms seegrid:/Role=sgmadmin

Finally, both group and role can be requested together:

$ voms-proxy-init -voms seegrid:/seegrid/Role=sgmadmin
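
A check of the group and role selection described above, as an added example that is not part of the original wiki page: it parses the attribute lines printed by voms-proxy-info -all and reports whether the primary FQAN carries an application group. The function names, class labels and sample input are assumptions made for illustration, as is treating the first attribute line as the primary FQAN.

```python
import re

# FQAN layout from this page: /seegrid[/<CC>[/App/<name>]][/Role=<r>][/Capability=<c>]
FQAN_RE = re.compile(
    r"^(?P<group>/seegrid(?:/[\w.-]+)*)"
    r"(?:/Role=(?P<role>[\w.-]+))?(?:/Capability=[\w.-]+)?$"
)
ROLE_CLASS = {"ops": "ops", "sgmadmin": "sgm", "VO-Admin": "vo-admin"}  # labels are hypothetical

def parse_fqan(fqan):
    """Split an FQAN into (group path, role); a role of NULL means no role."""
    m = FQAN_RE.match(fqan.strip())
    if m is None:
        raise ValueError(f"not a seegrid FQAN: {fqan!r}")
    role = m.group("role")
    return m.group("group"), None if role in (None, "NULL") else role

def classify(fqan):
    """Map an FQAN to the accounting/priority class described on this page."""
    group, role = parse_fqan(fqan)
    if role is not None:
        # ops and sgmadmin are global roles under /seegrid; VO-Admin also exists per country
        if role == "VO-Admin" or group == "/seegrid":
            return ROLE_CLASS.get(role, "other")
        return "other"
    parts = group.split("/")[1:]  # e.g. ['seegrid', 'BG', 'App', 'SALUTE']
    if parts == ["seegrid"]:
        return "generic"
    if len(parts) in (2, 4) and re.fullmatch(r"[A-Z]{2}", parts[1]):
        if len(parts) == 2:
            return "country:" + parts[1]
        if parts[2] == "App":
            return f"app:{parts[1]}/{parts[3]}"
    return "other"

def check_proxy(proxy_info_text):
    """Return (class of primary FQAN, warning or None) for voms-proxy-info -all output."""
    fqans = [line.split(":", 1)[1].strip()
             for line in proxy_info_text.splitlines() if line.startswith("attribute")]
    if not fqans:
        return None, "no VOMS attributes: plain proxy, not a VO proxy"
    primary = classify(fqans[0])  # assumption: the first attribute line is the primary FQAN
    if primary == "generic" or primary.startswith("country:"):
        return primary, "no application group selected; use /seegrid/<CC>/App/<name>"
    return primary, None

# Constructed sample in the format of the voms-proxy-info output shown above.
SAMPLE = """\
attribute : /seegrid/BG/App/SALUTE/Role=NULL/Capability=NULL
attribute : /seegrid/Role=NULL/Capability=NULL
"""
if __name__ == "__main__":
    print(check_proxy(SAMPLE))
```
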
