
Gums Configuration

by admin last modified 2006-05-18 09:23

A concise guide to our installation and configuration of the GUMS server.

Installing the GUMS server is relatively straightforward.  The official instructions for doing this can be found here.  Here are the directions we followed from the OSG wiki:

First, install the gums server from pacman:
 pacman -get OSG:gums
Now, initialize a grid-proxy, and add yourself as a grid admin:  
./addAdmin "your DN"   #quotes needed due to spaces in DN string
where the DN is the subject string given by grid-proxy-init.  You may need to give the script your root password for mysql - if you don't know what it is, try "gums".  It seems that pacman will initialize the password to that; if it did, change the MySQL root password once the install works, since this default is publicly documented.  Go to https://your-gums-server:8443/gums and click "Generate Grid Mapfile".  Enter any hostname, and make sure that you don't get an "Authorization Denied" error.

Now, edit your gums.config file (see the sample file below), and on the web interface go to "Update Members" -> "Update VO Members DataBase".  It should update the VO members database successfully.  If there are any errors, the error logs are in $VDT_LOCATION/tomcat/v5/logs/gums-service-admin.log and $VDT_LOCATION/tomcat/v5/logs/gums-service-developer.log.

Below is our gums.config file for the gums server at alliance.unl.edu (found at $VDT_LOCATION/vdt-app-data/gums/gums.config).  Change any instances of "alliance.unl.edu" to your GUMS server, and it should work fine!  For GPN clusters, we have a minimal recommended GUMS configuration here.

The GUMS configuration file below utilizes a pool of users for the role cmsuser in the CMS VO.  This means that anyone who is listed as a cmsuser will be mapped to a random account in a pool of local accounts.  In this example, the pool is called uscmsPool.  First, create 50 (or however many you'd like) accounts named uscmsPool000 through uscmsPool050.  Next, as whatever user you added as a GUMS admin, initialize your grid proxy certificate, and do the following:
cd $VDT_LOCATION/gums
./bin/gums pool-addRange mysql uscmsPool000-050

PRIMA Authorization

GUMS acts as a central authorization server - really only one is needed per campus.  Each compute element then calls out to the GUMS server and asks whether it should allow a certain user.  This callout system is known as PRIMA.
In order to enable PRIMA on your server, copy the gsi-authz.conf and prima-authz.conf files into your grid security directory:
cp $VDT_LOCATION/post-install/*.conf $GRID_SECURITY_DIR
cp $VDT_LOCATION/post-install/*.conf /etc/grid-security # For older versions of the OSG.
Then, edit the prima-authz.conf file so it points to your GUMS server.  In the file, edit this line:
imsContact https://gpn-husker.unl.edu:8443/gums/services/GUMSAuthorizationServicePort
Change the host name as appropriate.
Note: On RHEL 4 based distributions on the x86_64 architecture, there is a library linking error.  Do the following to fix PRIMA callouts:
wget ftp://ftp.pbone.net/mirror/ftp.centos.org/3.7/os/i386/RedHat/RPMS/krb5-libs-1.2.7-52.i386.rpm
rpm -i krb5-libs-1.2.7-52.i386.rpm --force
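Let us know if that link is broken, and we'll find you an alternate solution.  Because the package is fetched over plain FTP from a third-party mirror and installed with --force, check its signature against the distribution's signing key (rpm -K krb5-libs-1.2.7-52.i386.rpm) before running the install.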

Our gums.config file

<?xml version="1.0" encoding="UTF-8"?>

<gums>
<!--
  Storage back end. The name "mysql" is the handle that every
  persistenceFactory="mysql" attribute in this file refers to.
  NOTE(review): the database password is kept in clear text here, so this
  file should be readable only by the account that runs the GUMS service.
  NOTE(review): the JDBC URL names phedex.unl.edu, not the GUMS host this
  guide mentions, and sets no TLS options; presumably the credentials and
  mapping data cross the network unencrypted. Confirm, and limit the
  "gums" MySQL account to connections from the GUMS server.
-->
<persistenceFactories>
  <persistenceFactory
      name="mysql"
      className="gov.bnl.gums.hibernate.HibernatePersistenceFactory"
      hibernate.connection.driver_class="com.mysql.jdbc.Driver"
      hibernate.dialect="net.sf.hibernate.dialect.MySQLDialect"
      hibernate.connection.url="jdbc:mysql://phedex.unl.edu:49152/GUMS_1_1"
      hibernate.connection.username="gums"
      hibernate.connection.password="*********"
      hibernate.connection.autoReconnect="true"
      hibernate.c3p0.min_size="3"
      hibernate.c3p0.max_size="20"
      hibernate.c3p0.timeout="180"/>
</persistenceFactories>

<!--
  GUMS administrators: the hand-maintained group "admins", stored through
  the "mysql" persistence factory. Presumably this is the group that the
  addAdmin step of this guide writes to (TODO confirm). Keep the list of
  DNs in it short and review it when staff change.
-->
<adminUserGroup
    className="gov.bnl.gums.ManualUserGroup"
    persistenceFactory="mysql"
    name="admins"/>

<groupMappings>

<!--
  Local users: DNs entered by hand into the "localUsers" group.
  GroupAccountMapper sends every member to the single name given in
  groupName ("localGridUser"), presumably one shared local account, so
  activity cannot be told apart per person from the local account alone.
-->
<groupMapping name="localGrid" accountingVo="localUsers" accountingDesc="localUsers">
  <userGroup
      className="gov.bnl.gums.ManualUserGroup"
      persistenceFactory="mysql"
      name="localUsers"/>
  <accountMapping
      className="gov.bnl.gums.GroupAccountMapper"
      groupName="localGridUser"/>
</groupMapping>

<!--
  CMS members holding the role "cmsuser", once under /cms/uscms and once
  under /cms. matchFQAN="exact" is set and acceptProxyWithoutFQAN is not,
  so presumably only proxies carrying this exact VOMS group and role match
  (confirm against the documentation of the installed GUMS version).
  Both mappings use AccountPoolMapper with the pool "uscmsPool"; per this
  guide each such user is assigned an account from that pool instead of a
  shared one.
-->
<groupMapping name="uscmsuser" accountingVo="uscms" accountingDesc="CMS">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="uscmsuser"
      voGroup="/cms/uscms"
      voRole="cmsuser"
      matchFQAN="exact"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"/>
  <accountMapping
      className="gov.bnl.gums.AccountPoolMapper"
      persistenceFactory="mysql"
      name="uscmsPool"/>
</groupMapping>

<groupMapping name="cmsuser" accountingVo="uscms" accountingDesc="CMS">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="cmsuser"
      voGroup="/cms"
      voRole="cmsuser"
      matchFQAN="exact"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"/>
  <accountMapping
      className="gov.bnl.gums.AccountPoolMapper"
      persistenceFactory="mysql"
      name="uscmsPool"/>
</groupMapping>

<!--
  CMS service roles under /cms/uscms. Each role is matched exactly
  (matchFQAN="exact") and mapped by GroupAccountMapper to one account
  named after the role. Note that the groupMapping name (for example
  "uscmst2admin") differs from the userGroup name ("cmst2admin"); the
  hostGroup at the end of the file lists the groupMapping names.
  NOTE(review): these look like privileged roles (admin, software install,
  production), so the exact FQAN match matters here; do not relax it
  without checking who would then reach these accounts.
-->
<groupMapping name="uscmst2admin" accountingVo="uscms" accountingDesc="CMS">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="cmst2admin"
      voGroup="/cms/uscms"
      voRole="cmst2admin"
      matchFQAN="exact"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="cmst2admin"/>
</groupMapping>

<groupMapping name="uscmssoft" accountingVo="uscms" accountingDesc="CMS">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="cmssoft"
      voGroup="/cms/uscms"
      voRole="cmssoft"
      matchFQAN="exact"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="cmssoft"/>
</groupMapping>

<groupMapping name="uscmsprod" accountingVo="uscms" accountingDesc="CMS">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="cmsprod"
      voGroup="/cms/uscms"
      voRole="cmsprod"
      matchFQAN="exact"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="cmsprod"/>
</groupMapping>

<groupMapping name="uscmsphedex" accountingVo="uscms" accountingDesc="CMS">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="cmsphedex"
      voGroup="/cms/uscms"
      voRole="cmsphedex"
      matchFQAN="exact"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="cmsphedex"/>
</groupMapping>

<groupMapping name="uscmsfrontier" accountingVo="uscms" accountingDesc="CMS">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="cmsfrontier"
      voGroup="/cms/uscms"
      voRole="cmsfrontier"
      matchFQAN="exact"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="cmsfrontier"/>
</groupMapping>

<!--
  Catch-all for the CMS VO: no voRole, matchFQAN="vo" and
  acceptProxyWithoutFQAN="true". Presumably this matches any /cms member,
  including users whose proxy carries no VOMS attributes at all (confirm
  for the installed GUMS version).
  Every match is mapped to the one account "uscms01". The pool mapper is
  left commented out below; enabling it instead would give these users
  pool accounts like the "cmsuser" mappings.
-->
<groupMapping name="cmsuser-null" accountingVo="uscms" accountingDesc="CMS">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="cmsuser-null"
      voGroup="/cms"
      matchFQAN="vo"
      acceptProxyWithoutFQAN="true"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"/>
  <!--<accountMapping className="gov.bnl.gums.AccountPoolMapper" persistenceFactory="mysql" name="uscmsPool"/>-->
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="uscms01"/>
</groupMapping>
<!--
  VO mappings that set matchFQAN="ignore" and acceptProxyWithoutFQAN="true".
  Presumably membership is then decided only by the user's DN appearing in
  the member list fetched from the VOMSAdmin URL, whether or not the proxy
  carries VOMS attributes (confirm for the installed GUMS version).
  Each VO is mapped by GroupAccountMapper to one account per VO.
  sslCertfile/sslKey look like the credential GUMS presents to the VOMS
  server; httpkey.pem is a private key and should be readable only by the
  account that runs the GUMS service.
-->
<groupMapping name="grase" accountingVo="grase" accountingDesc="GRASE">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://dylan.ccr.buffalo.edu:8443/edg-voms-admin/GRASE/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="grase"
      voGroup="/GRASE/grid"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="ignore"
      acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="grase"/>
</groupMapping>

<groupMapping name="osg" accountingVo="osg" accountingDesc="OSG">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://grid03.uits.indiana.edu:8443/edg-voms-admin/vos/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="osg"
      voGroup="/vos/osg"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="ignore"
      acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="osg"/>
</groupMapping>

<groupMapping name="ivdgl" accountingVo="ivdgl" accountingDesc="iVDgL">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://grid03.uits.indiana.edu:8443/edg-voms-admin/vos/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="ivdgl"
      voGroup="/vos/ivdglp"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="ignore"
      acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="ivdgl"/>
</groupMapping>

<groupMapping name="mis" accountingVo="mis" accountingDesc="MIS">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://grid03.uits.indiana.edu:8443/edg-voms-admin/vos/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="mis"
      voGroup="/vos/mis"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="ignore"
      acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="mis"/>
</groupMapping>

<groupMapping name="fmri" accountingVo="fmri" accountingDesc="fMRI">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://grid03.uits.indiana.edu:8443/edg-voms-admin/vos/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="fmri"
      voGroup="/vos/fmri"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="ignore"
      acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="fmri"/>
</groupMapping>

<groupMapping name="usatlas" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="usatlas"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="ignore"
      acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<!--
  Two mappings that use matchFQAN="exact".
  "usatlas-voms" has no acceptProxyWithoutFQAN attribute and maps to the
  same account ("usatlas1") as the "usatlas" mapping, which ignores the
  FQAN; the two therefore differ only in how a user is matched, not in
  the account handed out.
  "GLOW-voms" combines matchFQAN="exact" with acceptProxyWithoutFQAN="true".
  NOTE(review): presumably a proxy without VOMS attributes is still
  accepted when its DN is a known member, which weakens the exact match;
  confirm that this is intended.
-->
<groupMapping name="usatlas-voms" accountingVo="usatlas" accountingDesc="ATLAS">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://vo.racf.bnl.gov:8443/edg-voms-admin/atlas/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="usatlas-voms"
      voGroup="/atlas/usatlas"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="exact"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="usatlas1"/>
</groupMapping>

<groupMapping name="GLOW-voms" accountingVo="GLOW" accountingDesc="GLOW">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://glow-voms.cs.wisc.edu:8443/edg-voms-admin/GLOW/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="GLOW-voms"
      voGroup="/GLOW"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="exact"
      acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="glow"/>
</groupMapping>


<!--
  Further VO mappings, all with matchFQAN="ignore" and
  acceptProxyWithoutFQAN="true", each sent by GroupAccountMapper to one
  account per VO. Presumably a user matches as soon as the DN is in the
  member list of the named voGroup on the VOMS server, so the trust placed
  in each remote VOMSAdmin service is what gates access (confirm for the
  installed GUMS version).
-->
<groupMapping name="gridex" accountingVo="gridex" accountingDesc="GridEx">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://grid03.uits.indiana.edu:8443/edg-voms-admin/vos/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="gridex"
      voGroup="/vos/gridex"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="ignore"
      acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="gridex"/>
</groupMapping>

<groupMapping name="ligo" accountingVo="ligo" accountingDesc="LIGO">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://ligo-web.aset.psu.edu:8443/voms/LIGO/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="ligo"
      voGroup="/LIGO"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="ignore"
      acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="ligo"/>
</groupMapping>

<groupMapping name="cdf-voms" accountingVo="cdf" accountingDesc="CDF">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://voms.cnaf.infn.it:8443/voms/cdf/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="cdf-voms"
      voGroup="/cdf"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="ignore"
      acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="cdf"/>
</groupMapping>

<groupMapping name="nanohub" accountingVo="nanohub" accountingDesc="nanohub">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://voms.fnal.gov:8443/voms/nanohub/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="nanohub"
      voGroup="/nanohub"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="ignore"
      acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="nanohub"/>
</groupMapping>

<groupMapping name="dzero" accountingVo="dzero" accountingDesc="dzero">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://fermigrid2.fnal.gov:8443/voms/dzero/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="dzero"
      voGroup="/dzero"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      acceptProxyWithoutFQAN="true"
      matchFQAN="ignore"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="dzero"/>
</groupMapping>

<groupMapping name="gadu" accountingVo="gadu" accountingDesc="GADU">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://voms.fnal.gov:8443/voms/gadu/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="gadu"
      voGroup="/gadu"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="ignore"
      acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="gadu"/>
</groupMapping>

<groupMapping name="sdss" accountingVo="sdss" accountingDesc="SDSS">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://voms.fnal.gov:8443/voms/sdss/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="sdss"
      voGroup="/sdss/production"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"
      matchFQAN="ignore"
      acceptProxyWithoutFQAN="true"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="sdss"/>
</groupMapping>
<!--
  "ops" requires the exact FQAN /ops with role "lcgadmin" and sets no
  acceptProxyWithoutFQAN attribute. "gpn" ignores the FQAN and accepts
  proxies without one; its member list comes from the VOMS server at
  t2.unl.edu. Both map to a single account named after the VO.
-->
<groupMapping name="ops" accountingVo="ops" accountingDesc="ops">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://lcg-voms.cern.ch:8443/voms/ops/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="ops"
      voGroup="/ops"
      voRole="lcgadmin"
      matchFQAN="exact"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="ops"/>
</groupMapping>

<groupMapping name="gpn" accountingVo="gpn" accountingDesc="gpn">
  <userGroup
      className="gov.bnl.gums.VOMSGroup"
      url="https://t2.unl.edu:8443/voms/gpn/services/VOMSAdmin"
      persistenceFactory="mysql"
      name="gpn"
      voGroup="/gpn"
      matchFQAN="ignore"
      acceptProxyWithoutFQAN="true"
      sslCertfile="/etc/grid-security/http/httpcert.pem"
      sslKey="/etc/grid-security/http/httpkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper" groupName="gpn"/>
</groupMapping>
</groupMappings>

<!--
  Which hosts may ask for which mappings. The single wildcard covers every
  host under unl.edu and offers all of the group mappings named in "groups".
  NOTE(review): presumably the wildcard is compared with the name in the
  requesting host's certificate. If only a few compute elements call this
  server, a narrower pattern per cluster limits which hosts can obtain
  mappings.
  NOTE(review): the order of names in "groups" looks significant (first
  matching group wins, TODO confirm); the role-specific CMS mappings are
  listed ahead of the catch-all "cmsuser-null".
-->
<hostGroups>
  <hostGroup
      className="gov.bnl.gums.WildcardHostGroup"
      wildcard="*.unl.edu"
      groups="uscmsprod,cmsuser,uscmsuser,uscmst2admin,uscmsphedex,uscmssoft,uscmsfrontier,cmsuser-null,usatlas,osg,mis,fmri,grase,usatlas-voms,gridex,ligo,ivdgl,gadu,GLOW-voms,cdf-voms,nanohub,dzero,localGrid,sdss,ops,gpn"/>
</hostGroups>

</gums>

