Eric Shook, Anand Padmanabhan Grid Research & educatiOn IoWa (GROW) ITS Academic Technologies – Research Services The University of Iowa Iowa City, IA 52242, USA May 16, 2006 GUMS

2 What is GUMS? “The GUMS service performs one and only one function: it maps user’s grid certificates/credentials to site-specific identities/credentials (e.g., UNIX accounts or Kerberos principals) in accordance with the site’s grid resource usage policy.” “The GUMS service performs one and only one function: it maps user’s grid certificates/credentials to site-specific identities/credentials (e.g., UNIX accounts or Kerberos principals) in accordance with the site’s grid resource usage policy.”

3 Why GUMS? GUMS allows the implementation of a single site-wide usage policy GUMS allows the implementation of a single site-wide usage policy Better control the security for accessing site’s grid resources Better control the security for accessing site’s grid resources Integrate grid information services with local information services Integrate grid information services with local information services

4 How-to install GUMS? pacman –get iVDGL:gums pacman –get iVDGL:gums Answer “y” to enable GUMS server to run automatically Answer “y” to enable GUMS server to run automatically (as root) (as root) –cd $VDT_LOCATION/gums-service/sbin –./addAdmin “your DN” /etc/init.d/apache restart /etc/init.d/apache restart /etc/init.d/tomcat-5 restart /etc/init.d/tomcat-5 restart Test install: Test install:

5 gums.config Located at: Located at:$VDT_LOCATION/gums-service/var/war/WEB-INF/classes The parts within gums.config The parts within gums.config –persistenceFactories –groupMappings userGroup userGroup accountMapping accountMapping –hostGroup

6 persistenceFactories Define where local data will be stored Define where local data will be stored Locations include Locations include –mysql –files –ldap Information that can be stored Information that can be stored –Local copy of VO listings

7 persistenceFactories (…) Example: Example: <persistenceFactory name="mysql“ className="gov.bnl.gums.hibernate.HibernatePersistenceFactory“ hibernate.connection.driver_class="com.mysql.jdbc.Driver“ hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect“ hibernate.connection.url="jdbc:mysql://server:49151/GUMS_1_1" hibernate.connection.username="gums-user" hibernate.connection.username="gums-user" hibernate.connection.password=“243FKD56KDI" hibernate.connection.password=“243FKD56KDI" hibernate.connection.autoReconnect="true" hibernate.connection.autoReconnect="true" hibernate.c3p0.min_size="3" hibernate.c3p0.min_size="3" hibernate.c3p0.max_size="20“ hibernate.c3p0.max_size="20“ hibernate.c3p0.timeout="180" /> hibernate.c3p0.timeout="180" />

8 groupMappings Define groups of users Define groups of users Determine user group mapping Determine user group mapping Groups are defined by groupMapping Groups are defined by groupMapping –groupMapping uses three definitions userGroup userGroup accountMapping accountMapping compositeAccountMapping (not covered) compositeAccountMapping (not covered)

9 groupMapping Defines a group of users Defines a group of users Example: Example:

10 userGroup Defines list of people who are apart of a group Defines list of people who are apart of a group Information can be provided (by) Information can be provided (by) –VOMS server –LDAP group –Manually

11 userGroup (…) Example (VOMS) <userGroup className='gov.bnl.gums.VOMSGroup‘ url=' persistenceFactory='mysql' name='cdf' Example (VOMS) <userGroup className='gov.bnl.gums.VOMSGroup‘ url=' persistenceFactory='mysql' name='cdf' voGroup="/cdf" sslCertfile='/etc/grid-security/hostcert.pem' voGroup="/cdf" sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem‘ matchFQAN="vo" acceptProxyWithoutFQAN='true' /> sslKey='/etc/grid-security/hostkey.pem‘ matchFQAN="vo" acceptProxyWithoutFQAN='true' />

12 accountMapping Mapping policy for groups of users Mapping policy for groups of users Mapping options include Mapping options include –AccountPoolMapper –GroupAccountMapper –ManualAccountMapper –GecosLdapAccountMapper –GecosNisAccountMapper

13 accountMapping (…) Example (group accounts) Example (group accounts) Example (pool accounts) Example (pool accounts)

14 hostGroup Defines a group of hosts and which groupMappings will be used Defines a group of hosts and which groupMappings will be used Two groups are defined Two groups are defined –CertificateHostGroup –WildcardHostGroup (deprecated)

15 hostGroup (…) WildcardHostGroup WildcardHostGroup –Use of this group is discouraged –Does not properly handle certificate identities CertificateHostGroup CertificateHostGroup –Example: –Example:

16 What You Need to Know Names that need to match Names that need to match –CertificateHostGroup.groups == groupMapping.name –persistenceFactory.name == *.persistanceFactory –userGroup.name == table or column within mysql in relation to persistanceFactory used –accountMapping.groupName == UNIX user –accountMapping.name == pool reference name created by ‘gums’ utility program

17 Wildcard Warnings hostGroup CN and DN mappings utilize wildcards to cover a wide variety of hosts, hostGroup CN and DN mappings utilize wildcards to cover a wide variety of hosts, –But they can cause problems Look *closely* at your host certificates Look *closely* at your host certificates –Make certain they will match a wildcard Order matters in gums.config Order matters in gums.config

18 Wildcard Warnings (…) Wildcards do not match beyond Wildcards do not match beyond –‘.’, ‘/’, or ‘=‘ What does this mean? What does this mean? –If CN of certificate = “host/grow.uiowa.edu” Successful matches example Successful matches example –host/*.uiowa.edu, */*.uiowa.edu, host/grow.*.edu Unsuccessful matches example Unsuccessful matches example –*.uiowa.edu, host/*.edu, host/grow.*, host/*uiowa*

19 GUMS Utility Program Provides administrative functions Provides administrative functions ‘gums’ uses user not host credentials ‘gums’ uses user not host credentials –User must be a gums admin Commands available (commonly used) Commands available (commonly used) –generateGrid3UserVoMap –generateGridMapfile –pool-addRange Also available Also available –Manual mapping administrative capabilities –Update groups and caches

20 GUMS Utility Program (…) Example – add pool account user range Example – add pool account user range –./gums pool-addRange mysql grow grow10-99 Example – generate grid-map file Example – generate grid-map file –./gums generateGridMapFile “host cert DN here”

21 Useful Log Files For troubleshooting errors For troubleshooting errors $VDT_LOCATION/ $VDT_LOCATION/ –tomcat/v5/logs/gums-service-admin.log –tomcat/v5/logs/gums-service- cybersecurity.log –tomcat/v5/logs/gums-service-developer.log –gums/var/log/gums-developer.$USER.log –gums/var/log/edg-security.$USER.log

22 GROW’s gums.config

23 Useful Resources uide uide uide uide Information from these pages were used to create this presentation Information from these pages were used to create this presentation Note: Note: –Most of these links are available from the GROW website (1 st listed)