Grid User Management System
This article describes all the components of GUMS and all the installation details: it is not meant as a quick installation guide. Please, refer to the quick installation guide if you prefer to get up and running and need the command line. This guide assumes you are familiar with SQL, a bit of Java, Tomcat, ..., and that you are not interested in the exact command lines to write. It's meant for giving all the pieces of the puzzle so that an admin is comfortable with what GUMS does, and has an idea where to put his hands in case of problems.
Before beginning, we describe what components are there in GUMS.
The installation steps are:
GUMS can be run as both root and non-root. The only issue is the host certificate: GUMS must be able to access a host/service certificate with its private key for authentication. Generally, it is located in /etc/grid-mapfile/hostcert.pem with root permissions. One could either set those permissions to a different user, or create another copy for gums. Such as /etc/grid-security/gumscert.pem.
GUMS doesn't require any port to be installed outside the site firewall. The only requirement is to have an inbound TCP port opened on the GUMS server (default 8443), and an outbound port from all gatekeeper to that GUMS port.
All GUMS requests are over SSL. Grid certificates are used for authentication and authorization.
All access to GUMS is logged. Logs can be configured to use syslogd, which can be used to forward the logs to the cybersecurity department of the site.
You will need a mysql server, with version 4.0.18 or greater installed. You can either install one from scratch (follow the instruction on mysql's site) or you can use an installation you have ready.
The gums service comes with a ./sbin/setupDatabase script which will create the database, and modify the policy file with the relevant information. The script will make you log in as root in mysql, will create a user and a database. You can see the script in ./var/sql/setupDatabase.mysql.
[root@www gums-service]# cat var/sql/setupDatabase.mysql CREATE DATABASE GUMS_1_1; GRANT ALL ON GUMS_1_1.* TO @USER@@'@SERVER@' IDENTIFIED BY '@PASSWORD@'; USE GUMS_1_1; CREATE TABLE `USER` ( `ID` INTEGER AUTO_INCREMENT PRIMARY KEY, `GROUP_NAME` VARCHAR(255) NOT NULL, `DN` varchar(255) NOT NULL, `FQAN` varchar(255) default NULL ) TYPE=InnoDB; CREATE INDEX complete ON USER (GROUP_NAME(10), DN(70), FQAN(30)); CREATE TABLE `MAPPING` ( `ID` INTEGER AUTO_INCREMENT PRIMARY KEY, `MAP` VARCHAR(255) NOT NULL, `DN` varchar(255) default NULL, `ACCOUNT` varchar(255) default NULL ) TYPE=InnoDB; CREATE INDEX complete ON MAPPING (MAP(10), DN(70));
The database structure is very simple: it's just a place to store lists of users (in the USER table) and a list of mappings (MAPPING). It's meant to be simple: it's direct consequence of the requirement that GUMS should be easily ported to other persistence mechanisms (i.e. LDAP, other site internal DB, ...). The first table will be mainly used to cache the values from the VO servers. For example, in the policy you will specify you want to map all the users from the ATLAS VO to the 'usatlas1' account: from time to time GUMS will query the VO server and store the list of users in the USER table. For each mapping request, GUMS will look at its local copy instead of the remote VO server.
The USER and MAPPING tables are also critical for manual user groups and manual mappings. This means an admin is free to create a group of certificates, or a certificate to user mapping, to handle special cases. GUMS will have commands to add entries to these mapping, so you do not need to use the DB directly. You can if you want, though, for integration purposes. In any case, the use of these manual groups and mappings has a big effect: this is critical information that cannot be lost. Which means you will need to backup the server. This is a good candidate for integration: you might want to keep this information in the same information system you use for user account, as the information is connected.
To sum up: if you do not use manual groups and mappings, the information in the database can be regenerated at any time. If you do, GUMS has critical information, and you might want to make it safer through some kind of backup.
Once you created the database, you probably want to insert your DN in the USER table within a group you will later use in GUMS as the admin group. You can use the ./sbin/addAdmin script, which will use the ./var/sql/addAdmin.mysql template:
[root@www sbin]# cat ../var/sql/addAdmin.mysql USE GUMS_1_1; INSERT INTO USER SET DN="@ADMINDN@", GROUP_NAME="admins";
This inserts a DN in a manual user group named "admins".
Once the database is prepared: you can now proceed to install the Service
GUMS is written in java, and requires java to be installed to run. It was developed and tested against Sun JDK 1.4.2 and 1.5.0, but it will run on any 1.4.x and 1.5.x compliant JVM. If you need to install java, or learn more about it, refer to the documentation at http://java.sun.com.
The GUMS service is a standard J2EE application, which means it's application directory (./var/war) can be installed in any compliant engine. The VDT installation uses Apache+Tomcat combination: you should refer to the VDT documentation for more information.
We provide a tarball containing a Tomcat 5.0.28 + EGEE security preconfigured, which is the configuration GUMS was developed against. The EGEE provides an SSL Socket Factory that Tomcat uses to create the SSL connections. The EGEE SSL is essentially standard SSL with the addition of Grid proxies. You can find more information about it if you look for "glite trustmanager". The bundled tomcat is modified in the following way:
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
sslCAFiles="/etc/grid-security/certificates/*.0"
crlFiles="/etc/grid-security/certificates/*.r0"
sslCertFile="/etc/grid-security/hostcert.pem"
sslKey="/etc/tomcat/hostkey.pem"
log4jConfFile="/opt/tomcat-5.0.28-egeesec/conf/log4j-trustmanager.properties"
clientAuth="true" sslProtocol="TLS" />
This makes Tomcat listen on port 8443 for https, using the EGEE security. You will notice all the parameters for a Grid connection, and the configuration file that was added for EGEE security logging. The part declaring the port 8080 on http was closed.
Essentially, this is what is needed to setup EGEE security.
The tar of the service contains the web application in ./var/war, and the configuration files are for kept in the ./var/war/WEB-INF/classes directory. Tomcat will need to refer to this war directory: the easiest way is to make a link to it from the Tomcat webapps directory. The service tar also contain a couple of scripts to setup the database, which you have seen before.
The configuration files are 2:
You can refer to the full documentation of the configuration files for the details.
Once you have setup the server and the web application, you can use your browser with your grid credential to connect to the WebUI and run a couple of commands.
The client tools come packaged in an rpm. The default location is /opt/gums, but the destination can be changed. Once you install it, you will see 4 directories:
There are two main tools: gums and gums-host. The first one runs with the user credentials (proxy) and allows an admin to perform all the operations. The second runs with the host credentials (/etc/grid-security/host*.pem), and allows the host to retrieve the maps (grid-mapfiles and the OSG accounting map).
You can use ./bin/gums to:
You can use ./bin/gums-host to: