Presentation is loading. Please wait.

Presentation is loading. Please wait.

Eric Shook, Anand Padmanabhan Grid Research & educatiOn IoWa (GROW) ITS Academic Technologies – Research Services The University of Iowa Iowa City,

Published byAlvin Dennis Modified over 9 years ago

Similar presentations

Presentation on theme: "Eric Shook, Anand Padmanabhan Grid Research & educatiOn IoWa (GROW) ITS Academic Technologies – Research Services The University of Iowa Iowa City,"— Presentation transcript:

1 Eric Shook, Anand Padmanabhan Grid Research & educatiOn group @ IoWa (GROW) ITS Academic Technologies – Research Services The University of Iowa Iowa City, IA 52242, USA May 16, 2006 GUMS

2 2 What is GUMS? “The GUMS service performs one and only one function: it maps user’s grid certificates/credentials to site-specific identities/credentials (e.g., UNIX accounts or Kerberos principals) in accordance with the site’s grid resource usage policy.” “The GUMS service performs one and only one function: it maps user’s grid certificates/credentials to site-specific identities/credentials (e.g., UNIX accounts or Kerberos principals) in accordance with the site’s grid resource usage policy.”http://grid.racf.bnl.gov/GUMS/guide_introduction.html

3 3 Why GUMS? GUMS allows the implementation of a single site-wide usage policy GUMS allows the implementation of a single site-wide usage policy Better control the security for accessing site’s grid resources Better control the security for accessing site’s grid resources Integrate grid information services with local information services Integrate grid information services with local information services

4 4 How-to install GUMS? pacman –get iVDGL:gums pacman –get iVDGL:gums Answer “y” to enable GUMS server to run automatically Answer “y” to enable GUMS server to run automatically (as root) (as root) –cd $VDT_LOCATION/gums-service/sbin –./addAdmin “your DN” /etc/init.d/apache restart /etc/init.d/apache restart /etc/init.d/tomcat-5 restart /etc/init.d/tomcat-5 restart Test install: https://gums-server:8443/gums Test install: https://gums-server:8443/gums

5 5 gums.config Located at: Located at:$VDT_LOCATION/gums-service/var/war/WEB-INF/classes The parts within gums.config The parts within gums.config –persistenceFactories –groupMappings userGroup userGroup accountMapping accountMapping –hostGroup

6 6 persistenceFactories Define where local data will be stored Define where local data will be stored Locations include Locations include –mysql –files –ldap Information that can be stored Information that can be stored –Local copy of VO listings

7 7 persistenceFactories (…) Example: Example: <persistenceFactory name="mysql“ className="gov.bnl.gums.hibernate.HibernatePersistenceFactory“ hibernate.connection.driver_class="com.mysql.jdbc.Driver“ hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect“ hibernate.connection.url="jdbc:mysql://server:49151/GUMS_1_1" hibernate.connection.username="gums-user" hibernate.connection.username="gums-user" hibernate.connection.password=“243FKD56KDI" hibernate.connection.password=“243FKD56KDI" hibernate.connection.autoReconnect="true" hibernate.connection.autoReconnect="true" hibernate.c3p0.min_size="3" hibernate.c3p0.min_size="3" hibernate.c3p0.max_size="20“ hibernate.c3p0.max_size="20“ hibernate.c3p0.timeout="180" /> hibernate.c3p0.timeout="180" />

8 8 groupMappings Define groups of users Define groups of users Determine user group mapping Determine user group mapping Groups are defined by groupMapping Groups are defined by groupMapping –groupMapping uses three definitions userGroup userGroup accountMapping accountMapping compositeAccountMapping (not covered) compositeAccountMapping (not covered)

9 9 groupMapping Defines a group of users Defines a group of users Example: Example:

10 10 userGroup Defines list of people who are apart of a group Defines list of people who are apart of a group Information can be provided (by) Information can be provided (by) –VOMS server –LDAP group –Manually

11 11 userGroup (…) Example (VOMS) <userGroup className='gov.bnl.gums.VOMSGroup‘ url='https://voms:8443/voms/cdf/services/VOMSAdmin‘ persistenceFactory='mysql' name='cdf' Example (VOMS) <userGroup className='gov.bnl.gums.VOMSGroup‘ url='https://voms:8443/voms/cdf/services/VOMSAdmin‘ persistenceFactory='mysql' name='cdf' voGroup="/cdf" sslCertfile='/etc/grid-security/hostcert.pem' voGroup="/cdf" sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem‘ matchFQAN="vo" acceptProxyWithoutFQAN='true' /> sslKey='/etc/grid-security/hostkey.pem‘ matchFQAN="vo" acceptProxyWithoutFQAN='true' />

12 12 accountMapping Mapping policy for groups of users Mapping policy for groups of users Mapping options include Mapping options include –AccountPoolMapper –GroupAccountMapper –ManualAccountMapper –GecosLdapAccountMapper –GecosNisAccountMapper

13 13 accountMapping (…) Example (group accounts) Example (group accounts) Example (pool accounts) Example (pool accounts)

14 14 hostGroup Defines a group of hosts and which groupMappings will be used Defines a group of hosts and which groupMappings will be used Two groups are defined Two groups are defined –CertificateHostGroup –WildcardHostGroup (deprecated)

15 15 hostGroup (…) WildcardHostGroup WildcardHostGroup –Use of this group is discouraged –Does not properly handle certificate identities CertificateHostGroup CertificateHostGroup –Example: –Example:

16 16 What You Need to Know Names that need to match Names that need to match –CertificateHostGroup.groups == groupMapping.name –persistenceFactory.name == *.persistanceFactory –userGroup.name == table or column within mysql in relation to persistanceFactory used –accountMapping.groupName == UNIX user –accountMapping.name == pool reference name created by ‘gums’ utility program

17 17 Wildcard Warnings hostGroup CN and DN mappings utilize wildcards to cover a wide variety of hosts, hostGroup CN and DN mappings utilize wildcards to cover a wide variety of hosts, –But they can cause problems Look *closely* at your host certificates Look *closely* at your host certificates –Make certain they will match a wildcard Order matters in gums.config Order matters in gums.config

18 18 Wildcard Warnings (…) Wildcards do not match beyond Wildcards do not match beyond –‘.’, ‘/’, or ‘=‘ What does this mean? What does this mean? –If CN of certificate = “host/grow.uiowa.edu” Successful matches example Successful matches example –host/*.uiowa.edu, */*.uiowa.edu, host/grow.*.edu Unsuccessful matches example Unsuccessful matches example –*.uiowa.edu, host/*.edu, host/grow.*, host/*uiowa*

19 19 GUMS Utility Program Provides administrative functions Provides administrative functions ‘gums’ uses user not host credentials ‘gums’ uses user not host credentials –User must be a gums admin Commands available (commonly used) Commands available (commonly used) –generateGrid3UserVoMap –generateGridMapfile –pool-addRange Also available Also available –Manual mapping administrative capabilities –Update groups and caches

20 20 GUMS Utility Program (…) Example – add pool account user range Example – add pool account user range –./gums pool-addRange mysql grow grow10-99 Example – generate grid-map file Example – generate grid-map file –./gums generateGridMapFile “host cert DN here”

21 21 Useful Log Files For troubleshooting errors For troubleshooting errors $VDT_LOCATION/ $VDT_LOCATION/ –tomcat/v5/logs/gums-service-admin.log –tomcat/v5/logs/gums-service- cybersecurity.log –tomcat/v5/logs/gums-service-developer.log –gums/var/log/gums-developer.$USER.log –gums/var/log/edg-security.$USER.log

22 22 GROW’s gums.config http://grow.its.uiowa.edu/infrastructure/gums/ http://grow.its.uiowa.edu/infrastructure/gums/

23 23 Useful Resources http://grow.its.uiowa.edu/infrastructure/gums http://grow.its.uiowa.edu/infrastructure/gums http://grow.its.uiowa.edu/infrastructure/gums http://grid.racf.bnl.gov/GUMS/guide_config_gums.html http://grid.racf.bnl.gov/GUMS/guide_config_gums.html http://grid.racf.bnl.gov/GUMS/guide_config_gums.html http://osg.ivdgl.org/twiki/bin/view/Integration/GumsConfigExamples http://osg.ivdgl.org/twiki/bin/view/Integration/GumsConfigExamples http://osg.ivdgl.org/twiki/bin/view/Integration/GumsConfigExamples http://osg.ivdgl.org/twiki/bin/view/Integration/GumsAdmins http://osg.ivdgl.org/twiki/bin/view/Integration/GumsAdmins http://osg.ivdgl.org/twiki/bin/view/Integration/GumsAdmins http://osg.ivdgl.org/twiki/bin/view/Integration/GUMSTroubleshootingG uide http://osg.ivdgl.org/twiki/bin/view/Integration/GUMSTroubleshootingG uide http://osg.ivdgl.org/twiki/bin/view/Integration/GUMSTroubleshootingG uide http://osg.ivdgl.org/twiki/bin/view/Integration/GUMSTroubleshootingG uide http://grid.racf.bnl.gov/GUMS/guide_howto_configuration.html http://grid.racf.bnl.gov/GUMS/guide_howto_configuration.html http://grid.racf.bnl.gov/GUMS/guide_howto_configuration.html http://www-hep.nhn.ou.edu/atlas/grid/gums-installation-notes.txt http://www-hep.nhn.ou.edu/atlas/grid/gums-installation-notes.txt http://www-hep.nhn.ou.edu/atlas/grid/gums-installation-notes.txt http://pgl.uchicago.edu/twiki/bin/view/Laboratory/GUMS1dot1Upgrade http://pgl.uchicago.edu/twiki/bin/view/Laboratory/GUMS1dot1Upgrade http://pgl.uchicago.edu/twiki/bin/view/Laboratory/GUMS1dot1Upgrade Information from these pages were used to create this presentation Information from these pages were used to create this presentation Note: Note: –Most of these links are available from the GROW website (1 st listed)

Download ppt "Eric Shook, Anand Padmanabhan Grid Research & educatiOn IoWa (GROW) ITS Academic Technologies – Research Services The University of Iowa Iowa City,"

Similar presentations

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.

Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
Senior Technical Writer

Senior Technical Writer
Setting up a Subversion repository By: Matt Krass Last Updated: 4/11/07.

Setting up a Subversion repository By: Matt Krass Last Updated: 4/11/07.
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 SAN Certificate in Unity Connection Presenter Name: Bhawna Goel.

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 SAN Certificate in Unity Connection Presenter Name: Bhawna Goel.
Configuring Routing and Remote Access(RRAS) and Wireless Networking

Configuring Routing and Remote Access(RRAS) and Wireless Networking
GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.

GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.
Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in.

Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in.
Windows Security. Security Windows 2000/XP Professional security oriented Authentication Authorization Internet Connection Firewall.

Windows Security. Security Windows 2000/XP Professional security oriented Authentication Authorization Internet Connection Firewall.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.
ITN270.001 Wake Tech1 ITN270 Advanced Internet Databases Lecture 15. General MySQL Administration Topics: –Securing a New MySQL Installation –MySQL Server.

ITN Wake Tech1 ITN270 Advanced Internet Databases Lecture 15. General MySQL Administration Topics: –Securing a New MySQL Installation –MySQL Server.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Similar presentations

Ads by Google