This is a summary of how GUMS is used at BNL and how BNL benefits from it.

Present deployment

The current system has been in production since May 2004. It has been upgraded and refined since, but the overall use is the same.

Server component

The server component of GUMS consists of a MySQL database and a series of command line tools. The server contains all the configuration files, including a single XML policy for the site. The policy defines how all the gatekeepers in the facilities should map Grid users to the local accounts.

A cron job every nights refreshes the local copy of the VO memberships. It also generates the grid-mapfiles for all the gatekeepers and stores them in the MySQL database.

Client component

The client component is installed on all the gatekeepers managed by GUMS. It consists of a series of command line tools. There is also a configuration file which indicate to which MySQL server to connect.

A cron job every 6 hours retrieves the grid-mapfile for the gatekeeper and saves it in /etc/grid-security/grid-mapfile. This allows for the admin to change the configuration during the day, and give him enough time to test that everything is working.


BNL serves different experiments and participates in different grid activities. It is now August 18 2004, and we have more than 15 gatekeepers. Different mappings are required because of different experiments (ATLAS, STAR and PHENIX), because of different use (testing, evaluation or production) and because of different user base (Grid3, USATLAS, ...). Having a single central policy simplify the management of the mappings.

Some of the mappings require mapping Grid users to their local accounts. GUMS allows us to do it in a semi-automatic way: GUMS is able to query the NIS server and provide a likely match. The administrator still has to supervise the process and intervene in case of missed/incorrect match.

Future deployment

We expect this system to be in production for February 2005. Many functionalities will come out of the Privilege Project, a joint project between USATLAS and USCMS.

Server component

The server component will consist of a grid service, based on GT3/4 AuthZ interfaces. The command line tools will become clients of that service. There will also be a web interface for most administrative tasks. The database will be no more accessible from outside the server

The server will map user also based on extended proxy credentials provided by VOMS.

Client component

The client will consist of command line tools that call the grid service to either retrieve the full grid-mapfile, or to map a single user. A client that interfaces with the Globus callout will be provided, which will contact the web service.