GUMS at BNL

This is a summary of how GUMS is used at BNL and how BNL benefits from it.

Present deployment

The current system has been in production since May 2004. It has been upgraded and refined since, but the overall use is the same.

Server component

The server component of GUMS consists of a MySQL database and a series of command line tools. The server holds all the configuration files, including a single XML policy for the site. The policy defines how every gatekeeper in the facility should map Grid users to local accounts.

A nightly cron job refreshes the local copy of the VO memberships. It also generates the grid-mapfiles for all the gatekeepers and stores them in the MySQL database.

Client component

The client component is installed on all the gatekeepers managed by GUMS. It consists of a series of command line tools. There is also a configuration file that indicates which MySQL server to connect to.

A cron job every 6 hours retrieves the grid-mapfile for the gatekeeper and saves it in /etc/grid-security/grid-mapfile. This lets the admin change the configuration during the day and leaves enough time to test that everything is working before the gatekeepers pick it up.
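The retrieval step above is the point where a gatekeeper trusts whatever the database hands it, so the client should check the file before overwriting /etc/grid-security/grid-mapfile. The following is an added example, not GUMS's own client code: it validates the standard Globus grid-mapfile format (one quoted DN and one local account per line), refuses entries that would map a Grid user to a system account, and installs the result with an atomic rename so a gatekeeper never reads a half-written file. The sample file contents, the destination path handling and the FORBIDDEN_ACCOUNTS list are constructed for the example.

```python
"""Validate a retrieved grid-mapfile before installing it on a gatekeeper.

Added example, not part of GUMS. The grid-mapfile format is the standard
Globus one; the sample contents and the forbidden-account list are
constructed for illustration.
"""
import os
import re
import tempfile

# A DN as Globus writes it: slash-separated RDNs, quoted because it contains spaces.
DN_RE = re.compile(r'^"(/[A-Za-z]+=[^/"]+)+"$')
# Local account names: POSIX-style login names, one account per DN in this example.
ACCOUNT_RE = re.compile(r'^[a-z_][a-z0-9_-]{0,31}$')
# Accounts a gatekeeper must never map Grid users to, whatever the server sent (constructed list).
FORBIDDEN_ACCOUNTS = {"root", "daemon", "bin"}

# Constructed sample, not a real BNL grid-mapfile.
SAMPLE_GRIDMAP = (
    '# constructed sample grid-mapfile\n'
    '"/DC=org/DC=doegrids/OU=People/CN=Jane Doe 1234" usatlas1\n'
    '"/DC=org/DC=doegrids/OU=People/CN=John Roe 5678" jroe\n'
)
# The same file with one entry that must be rejected.
TAMPERED_GRIDMAP = SAMPLE_GRIDMAP + '"/DC=org/DC=doegrids/OU=People/CN=Mal Lory 9" root\n'


def validate_gridmap(text):
    """Return (entries, errors). entries is a list of (dn, account) tuples;
    a non-empty errors list means the file must not be installed."""
    entries, errors = [], []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The DN is the quoted part; exactly one opening and one closing quote are expected.
        if not line.startswith('"') or line.count('"') != 2:
            errors.append(f"line {lineno}: malformed entry {raw!r}")
            continue
        dn, _, rest = line[1:].partition('"')
        account = rest.strip()
        if not DN_RE.match(f'"{dn}"'):
            errors.append(f"line {lineno}: malformed DN {dn!r}")
            continue
        if not ACCOUNT_RE.match(account):
            errors.append(f"line {lineno}: malformed account {account!r}")
            continue
        if account in FORBIDDEN_ACCOUNTS:
            errors.append(f"line {lineno}: refusing to map to {account}")
            continue
        if dn in seen:
            errors.append(f"line {lineno}: duplicate DN {dn!r}")
            continue
        seen.add(dn)
        entries.append((dn, account))
    if not entries and not errors:
        errors.append("empty grid-mapfile; keeping the previous one")
    return entries, errors


def install_gridmap(text, path):
    """Validate, then write next to the destination and rename into place.
    Returns the number of entries installed; raises if the file is rejected."""
    entries, errors = validate_gridmap(text)
    if errors:
        raise ValueError("; ".join(errors))
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(prefix=".grid-mapfile.", dir=directory)
    with os.fdopen(fd, "w") as out:
        for dn, account in entries:
            out.write(f'"{dn}" {account}\n')
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)  # atomic on POSIX: readers see the old or the new file, never a mix
    return len(entries)


if __name__ == "__main__":
    for label, content in (("sample", SAMPLE_GRIDMAP), ("tampered", TAMPERED_GRIDMAP)):
        entries, errors = validate_gridmap(content)
        print(f"{label}: {len(entries)} entries, errors: {errors}")
```

In a cron job the script would fetch the file from the server, call install_gridmap with /etc/grid-security/grid-mapfile as the path, and leave the existing file untouched on any validation error, which is what turns the 6-hour window into a safe one.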

Benefits

BNL serves different experiments and participates in different grid activities. It is now August 18 2004, and we have more than 15 gatekeepers. Different mappings are required because of different experiments (ATLAS, STAR and PHENIX), different uses (testing, evaluation or production) and different user bases (Grid3, USATLAS, ...). Having a single central policy simplifies the management of the mappings.

Some of the mappings require mapping Grid users to their own local accounts. GUMS allows us to do this in a semi-automatic way: GUMS is able to query the NIS server and provide a likely match. The administrator still has to supervise the process and intervene in case of a missed or incorrect match.
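The two ideas above, one central policy producing a different grid-mapfile per gatekeeper, and NIS lookups that only suggest a local account until the administrator confirms it, can be shown together in a small model. The following is an added example, not GUMS's code; GUMS keeps its real policy in an XML file and its membership copies in MySQL, whereas the policy dictionary, VO membership lists, NIS passwd lines, DNs and gatekeeper names below are all constructed. A DN is written to the grid-mapfile only when the rule assigns a group account or the admin has confirmed the local account; otherwise the DN and its NIS candidates go to a review list.

```python
"""Generate per-gatekeeper grid-mapfiles from one central site policy.

Added example, not GUMS's own code. Policy structure, VO membership
lists, NIS passwd lines, DNs and gatekeeper names are constructed.
"""
import re

# Constructed VO membership lists, as a nightly refresh would cache them.
VO_MEMBERS = {
    "usatlas": [
        "/DC=org/DC=doegrids/OU=People/CN=Jane Doe 1234",
        "/DC=org/DC=doegrids/OU=People/CN=John Roe 5678",
    ],
    "star": [
        "/DC=org/DC=doegrids/OU=People/CN=Jane Doe 1234",
        "/DC=org/DC=doegrids/OU=People/CN=Ann Other 9012",
    ],
}

# Constructed site policy: each gatekeeper lists the VOs it accepts and whether
# members share a group account ("group") or get their own local account ("local").
SITE_POLICY = {
    "gk-atlas-prod": [
        {"vo": "usatlas", "mapping": "local"},
    ],
    "gk-grid3-test": [
        {"vo": "usatlas", "mapping": "group", "account": "usatlas1"},
        {"vo": "star", "mapping": "group", "account": "star1"},
    ],
}

# Constructed NIS passwd map entries (login:x:uid:gid:gecos:home:shell).
NIS_PASSWD = [
    "jdoe:x:1001:100:Jane Doe:/home/jdoe:/bin/bash",
    "jroe:x:1002:100:John Roe:/home/jroe:/bin/bash",
    "jroe2:x:1003:100:John Roe (visitor):/home/jroe2:/bin/bash",
]


def common_name(dn):
    """Last CN component of a DN, minus the trailing numeric suffix DOEGrids appends."""
    cns = re.findall(r"/CN=([^/]+)", dn)
    if not cns:
        return ""
    return re.sub(r"\s+\d+$", "", cns[-1]).strip()


def suggest_local_accounts(dn, nis_passwd):
    """Logins whose gecos field contains the DN's CN: a likely match, not a decision."""
    wanted = common_name(dn).lower()
    candidates = []
    for entry in nis_passwd:
        fields = entry.split(":")
        if len(fields) < 5:
            continue
        login, gecos = fields[0], fields[4]
        if wanted and wanted in gecos.lower():
            candidates.append(login)
    return candidates


def generate_gridmap(gatekeeper, policy, vo_members, confirmed_map, nis_passwd):
    """Return (lines, review) for one gatekeeper. lines are grid-mapfile entries;
    review lists (dn, candidates) pairs still waiting for the admin's decision."""
    lines, review = [], []
    seen = set()
    for rule in policy.get(gatekeeper, []):
        for dn in vo_members.get(rule["vo"], []):
            if dn in seen:  # a user in several VOs is handled by the first applicable rule
                continue
            seen.add(dn)
            if rule["mapping"] == "group":
                lines.append(f'"{dn}" {rule["account"]}')
            elif dn in confirmed_map:
                lines.append(f'"{dn}" {confirmed_map[dn]}')
            else:
                review.append((dn, suggest_local_accounts(dn, nis_passwd)))
    return lines, review


if __name__ == "__main__":
    # Constructed admin-confirmed mappings: only Jane Doe has been reviewed so far.
    confirmed = {"/DC=org/DC=doegrids/OU=People/CN=Jane Doe 1234": "jdoe"}
    for gk in SITE_POLICY:
        lines, review = generate_gridmap(gk, SITE_POLICY, VO_MEMBERS, confirmed, NIS_PASSWD)
        print(f"== {gk} ==")
        print("\n".join(lines))
        for dn, candidates in review:
            print(f"REVIEW {dn}: NIS candidates {candidates or 'none'}")
```

The John Roe entry shows why the supervision step matters: NIS returns two plausible logins, and the generator leaves that DN out of the production grid-mapfile rather than guessing.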

Future deployment

We expect this system to be in production by February 2005. Much of the functionality will come out of the Privilege Project, a joint project between USATLAS and USCMS.

Server component

The server component will consist of a grid service based on the GT3/4 AuthZ interfaces. The command line tools will become clients of that service. There will also be a web interface for most administrative tasks. The database will no longer be accessible from outside the server.

The server will also map users based on the extended proxy credentials provided by VOMS.

Client component

The client will consist of command line tools that call the grid service either to retrieve the full grid-mapfile or to map a single user. A client that interfaces with the Globus callout and contacts the web service will also be provided.