GridPP Virtual Organisation Authorisation Server

The VO server provides proof of authorisation for members of GridPP, and is intended for people who need access to Testbed resources (i.e. machines at institutes) but who are not listed in other VO servers (such as the ones for the LHC experiments hosted by NIKHEF).

The VO server exports lists of group members via LDAP and is compatible with the VO LDAP servers used by EU DataGrid. However, instead of raw group lists being stored inside the LDAP server, a gateway publishes the existing website group lists as VO group lists as well.

That is, groups created for use with this website can now also be used as VO groups to authorise access to parts of the Testbed. Further groups can be created purely for use with testbeds, yet still be administered with the website management tools.

An experimental VOMS Service is also available, exporting the same group information via signed VOMS attributes.

Currently, one group, testbed, has been created specifically for authorising GridPP members who need access to equipment that is part of GridPP testbed work.

Groups can be inspected manually using ldapsearch. For instance:

ldapsearch -x -h vo.gridpp.ac.uk -b 'ou=testbed,dc=gridpp,dc=ac,dc=uk' '(objectClass=*)'

will list the members of group testbed. The -x option selects a simple (anonymous) bind, so no credentials are needed; newer OpenLDAP clients take the server as -H ldap://vo.gridpp.ac.uk rather than -h.

Please note: the server does not implement all browsing and searching requests, so you may not be able to browse it with an arbitrary LDAP browser. For testing, use ldapsearch or mkgridmap.

Local installation

The most important application of the VO servers is constructing a site's grid-mapfile, which controls access to the gatekeeper (or CE) and to the GSI-enabled ftpd servers.

EDG has produced a script for doing this; it can be obtained as the RPM edg-mkgridmap from http://datagrid.in2p3.fr/distribution/datagrid/wp6/RPMS/

To install this RPM you will also need several Perl modules already installed (in particular perl-Convert-ASN1, perl-IO-Socket-SSL, perl-Net_SSLeay and perl-perl-ldap). All necessary modules can be obtained in RPM format for RedHat 6.2 from http://datagrid.in2p3.fr/distribution/external/RPMS/ (These appear to work fine for later versions of RedHat too.)

Once installed, the /opt/edg/etc/mkgridmap.conf file must be edited by hand. It lists many EDG VO servers, some of which you may want to trust. Every group ldap:// line you leave uncommented grants everyone listed by that group access to your testbed equipment, so treat each line as a trust decision. Note also that these are plain ldap:// URLs: unless the client negotiates TLS, the membership lists arrive without authentication or encryption, so the resulting grid-mapfile is only as trustworthy as the VO server and the network path to it.

To trust the GridPP testbed group, add the line:

group ldap://vo.gridpp.ac.uk/ou=testbed,dc=gridpp,dc=ac,dc=uk .

You should also comment out the default ACL:

#allow *INFN*

(As shipped, this ACL admits only DNs matching *INFN*: everyone from INFN can access your site, but no one else, including you.) With the ACL commented out, mkgridmap falls back to allow *, and everyone listed by the VO servers in the groups you specify has access.

If you want to use the dynamic/pool accounts feature of the Testbed1 Globus distribution, you should also set:

default_lcluser .
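The configuration steps above amount to a trust decision, so it is worth being able to answer "what does this mkgridmap.conf actually trust?" from the file itself. The following is an added example, not code from this page or from EDG: it reads a constructed mkgridmap.conf (the vo.example.org URL is made up for the example), lists the group lines that are still active, and reports the ACL in force, using the allow * fallback the page describes.

```shell
#!/bin/sh
# Added example, not code from the page or from EDG: audit a mkgridmap.conf for
# what it actually trusts, i.e. which "group ldap://" lines are still active and
# which ACL is in force. The configuration text below is constructed for the
# example (the vo.example.org URL is made up); the directive names and the
# "allow *" fallback are the ones the page describes.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed mkgridmap.conf after the edits the page recommends: one foreign
# VO left commented out, two GridPP groups trusted, the INFN ACL disabled.
cat >"$WORK/mkgridmap.conf" <<'EOF'
#group ldap://vo.example.org/ou=testbed,dc=example,dc=org .
group ldap://vo.gridpp.ac.uk/ou=testbed,dc=gridpp,dc=ac,dc=uk .
  group ldap://babar-vo.gridpp.ac.uk/ou=babar,dc=gridpp,dc=ac,dc=uk .
#allow *INFN*
default_lcluser .
EOF

# active_groups FILE
# Prints the URL of every group line that is not commented out: each of these
# is a VO server whose membership list will end up in the grid-mapfile.
active_groups() {
    awk '$1 == "group" { print $2 }' "$1"
}

# effective_acl FILE
# Prints the uncommented allow rules; with none left, mkgridmap falls back to
# "allow *", i.e. every DN returned by the trusted groups is accepted.
effective_acl() {
    rules=$(awk '$1 == "allow" { print }' "$1")
    if [ -n "$rules" ]; then
        printf '%s\n' "$rules"
    else
        echo "allow *"
    fi
}

# Reconstruct the as-shipped state (INFN-only ACL still active) for comparison.
sed 's/^#allow/allow/' "$WORK/mkgridmap.conf" >"$WORK/mkgridmap.conf.shipped"

echo "trusted groups:"; active_groups "$WORK/mkgridmap.conf"
echo "ACL after edit:  $(effective_acl "$WORK/mkgridmap.conf")"           # allow *
echo "ACL as shipped:  $(effective_acl "$WORK/mkgridmap.conf.shipped")"   # allow *INFN*
```

Run it against /opt/edg/etc/mkgridmap.conf instead of the constructed file to see which VO servers your site is currently trusting; any URL you do not recognise is a line that should be commented out.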

You can now try running the mkgridmap script. (The command line option -t prints useful debugging information.) With -t you should see something like this:

[root@pc63 etc]# ../sbin/mkgridmap -t
############ CONFIGURATION ############
CONFIGURATION FILE: /opt/edg/etc/mkgridmap.conf
GROUP             : ldap://vo.gridpp.ac.uk/ou=testbed,dc=gridpp,dc=ac,dc=uk 
ACL               : allow *
DEFAULT LOCAL USER: .
GRID-MAPFILE-LOCAL: 
############
############ GroupDN: ou=testbed,dc=gridpp,dc=ac,dc=uk ############
 allowed by rule .*
 allowed by rule .*
 allowed by rule .*
############
"/O=Grid/O=UKHEP/OU=ph.gla.ac.uk/CN=Gavin McCance" .
"/O=Grid/O=UKHEP/OU=hepgrid.clrc.ac.uk/CN=Andrew Sansum" .
"/O=Grid/O=UKHEP/OU=hep.man.ac.uk/CN=Andrew McNab" .

Once you have it working, you need to decide whether to build your grid-mapfile from it automatically, or whether you will review the output manually (if you use static accounts you need this step anyway, so that you can create the new accounts). We strongly recommend the automated option.

If you are using the EDG Testbed software, then you should use its own automatic procedure for creating the grid-mapfile. (At the time of writing this is the script /opt/edg/etc/cron/mkgridmap-cron but you should check with your EDG or GridPP instructions on how best to do this.)

Otherwise, you will probably want a cron script that concatenates your local file with the output of mkgridmap. The gatekeeper uses the first matching line, so if you want to map local users to named static accounts and remote users to pool accounts, your local grid-mapfile must come first.

With RedHat Linux, an executable file like this in /etc/cron.daily will probably be sufficient:

#!/bin/sh
# Build grid-mapfile = local mappings first, then VO-derived mappings.
# The gatekeeper uses the first line whose DN matches, so local entries win.

umask 022   # the Globus daemons read this file; never leave it writable by others

if [ -r /etc/grid-security/grid-mapfile-local ] ; then
 cp /etc/grid-security/grid-mapfile-local \
    /etc/grid-security/grid-mapfile-tmp
else
 rm -f /etc/grid-security/grid-mapfile-tmp
fi

# Append the VO members. stderr is discarded so cron does not mail every LDAP
# hiccup; drop the 2>/dev/null while debugging.
/opt/edg/sbin/mkgridmap >>/etc/grid-security/grid-mapfile-tmp 2>/dev/null

# Only replace the live mapfile if mkgridmap succeeded: a failed run leaves the
# previous grid-mapfile in place rather than installing a partial one.
if [ $? = 0 ] ; then
 mv -f /etc/grid-security/grid-mapfile-tmp \
       /etc/grid-security/grid-mapfile
fi

This assumes that your grid-mapfile is in /etc/grid-security. Other possible locations (depending on the variable GRIDMAP as seen in the environment of the Globus daemons) are /opt/globus/etc and /share/grid-security.
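The reason the local file has to be concatenated first is easy to get wrong and hard to notice until a site administrator finds themselves in a pool account. The following added example (not code from this page or from EDG) reproduces the merge step on constructed files, the way the cron script above does with the real ones, and adds a lookup that answers "which account would the gatekeeper give this DN?" using the same first-match rule. The DNs, the gridadmin account and the example.ac.uk names are made up for the example; "." is the pool-account mapping the page uses.

```shell
#!/bin/sh
# Added example (not from the page or EDG): reproduce the grid-mapfile merge
# step and check which local account a certificate subject resolves to, to show
# why the local file must come before the mkgridmap output. Files, DNs and
# account names are constructed for the example; "." is the pool-account mapping.

WORK=$(mktemp -d)     # scratch copies; the real files live in /etc/grid-security
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for grid-mapfile-local: one site user pinned to a named
# static account.
cat >"$WORK/grid-mapfile-local" <<'EOF'
"/O=Grid/O=UKHEP/OU=example.ac.uk/CN=Site Admin" gridadmin
EOF

# Constructed stand-in for what mkgridmap prints for the VO group: every member,
# including that same site user, mapped to the pool account.
cat >"$WORK/mkgridmap.out" <<'EOF'
"/O=Grid/O=UKHEP/OU=example.ac.uk/CN=Site Admin" .
"/O=Grid/O=UKHEP/OU=example.ac.uk/CN=Remote User" .
EOF

# build_gridmap FIRST SECOND DEST
# Writes FIRST (if readable) followed by SECOND to DEST via a temp file, so a
# failure never leaves a half-written mapfile in place. Sets the umask for the
# rest of the script, as a cron job would want.
build_gridmap() {
    tmp="$3.tmp"
    umask 022
    : >"$tmp"
    [ -r "$1" ] && cat "$1" >>"$tmp"
    if cat "$2" >>"$tmp"; then
        mv -f "$tmp" "$3"
    else
        rm -f "$tmp"
        return 1
    fi
}

# gridmap_lookup DN FILE
# Prints the local account the gatekeeper would use for DN: the last field of
# the first line that starts with the quoted DN. Prints nothing and returns 1 if
# the DN is absent, which is the case where the gatekeeper refuses the connection.
gridmap_lookup() {
    awk -v dn="\"$1\"" '
        index($0, dn) == 1 { print $NF; found = 1; exit }
        END { if (!found) exit 1 }' "$2"
}

# Correct order: local mappings first, VO mappings second.
build_gridmap "$WORK/grid-mapfile-local" "$WORK/mkgridmap.out" "$WORK/grid-mapfile"
# Wrong order, built only to show the difference.
build_gridmap "$WORK/mkgridmap.out" "$WORK/grid-mapfile-local" "$WORK/grid-mapfile.wrong"

SITE_DN="/O=Grid/O=UKHEP/OU=example.ac.uk/CN=Site Admin"
echo "correct order: $(gridmap_lookup "$SITE_DN" "$WORK/grid-mapfile")"        # gridadmin
echo "wrong order:   $(gridmap_lookup "$SITE_DN" "$WORK/grid-mapfile.wrong")"  # .
```

The lookup matches on the quoted DN including its closing quote, so a DN that is a prefix of another cannot match by accident; the same function run against the live /etc/grid-security/grid-mapfile is a quick way to confirm a mapping before a user reports a problem.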

Babar VO

A VO for Babar is also hosted on the same server. It can be accessed using the procedure outlined above, but instead of the line:

group ldap://vo.gridpp.ac.uk/ou=testbed,dc=gridpp,dc=ac,dc=uk .

you should use:

group ldap://babar-vo.gridpp.ac.uk/ou=babar,dc=gridpp,dc=ac,dc=uk .


Last modified Mon 21 April 2008. Built with GridSite 1.4.3.
For more about GridPP please contact Neasan O'Neill.