
GUMS Development Activities

by jhover — last modified Jul 26, 2007 02:07 PM
Contributors: John DeStefano
GUMS is a Java/Tomcat Web Service that maps grid identities (X.509 certificates or proxies) to local UNIX accounts and groups.

Project Overview

Identities on the Grid consist of X.509 SSL certificates and any proxies created from them. Computing work or transfers to or from a site must run under some local UNIX account, even if it is a shared group account, a pool account, or a temporary account. GUMS (Grid User Management System) sits at the Grid/Site boundary and provides a highly configurable service that tells a site which local account a particular proxy should map to on a given host. It is written as a Java J2EE web service that runs on the Tomcat application server.

GUMS allows each site to specify (via the GUMS configuration) what VOs (Virtual Organizations) the site wants to support. The GUMS administrator also specifies how each VO will be mapped to local UNIX accounts, e.g. all members of a VO may be mapped to a single account, or dynamically mapped to an empty "pool account". If a site uses LDAP for its UNIX account infrastructure, GUMS also allows "fuzzy matching" such that a given proxy can be mapped to that user's real local account, if one exists. Finally, the GUMS administrator can specify different mappings on a host-by-host basis, by defining multiple mappings for VOs (or groups, or roles) and applying them to different hosts.
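
The mapping decision described above, as an added Python sketch (not GUMS code, and not its configuration format): a per-host policy selects a mapper for each supported VO, and an identity that belongs to no supported VO gets no account. VO names, DNs, host names and account names are constructed, and keeping a pool lease per DN is an assumption.

```python
# Conceptual model of the mapping decision described above; NOT GUMS code or
# its config format. All names and sample values below are constructed.
import fnmatch

class GroupMapper:
    """Every member of the VO shares one local account."""
    def __init__(self, account):
        self.account = account
    def map(self, dn):
        return self.account

class PoolMapper:
    """Each DN gets its own account from a fixed pool; the lease is kept (assumption)."""
    def __init__(self, accounts):
        self.free = list(accounts)
        self.leases = {}
    def map(self, dn):
        if dn not in self.leases:
            if not self.free:
                return None          # pool exhausted: no mapping rather than sharing
            self.leases[dn] = self.free.pop(0)
        return self.leases[dn]

# Constructed VO membership (a real site would obtain this from the VO).
VO_MEMBERS = {
    "atlas": {"/DC=org/DC=example/CN=Alice", "/DC=org/DC=example/CN=Bob"},
    "star": {"/DC=org/DC=example/CN=Carol"},
}

# Host pattern -> {VO: mapper}; the first matching pattern wins.
HOST_POLICY = [
    ("gridgk*.example.org", {"atlas": GroupMapper("usatlas1")}),
    ("wn*.example.org", {"atlas": PoolMapper(["grid001", "grid002"]),
                         "star": GroupMapper("star")}),
]

def map_user(host, dn):
    """Return the local account for dn on host, or None (fail closed)."""
    for pattern, vo_mappers in HOST_POLICY:
        if fnmatch.fnmatchcase(host, pattern):
            for vo, mapper in vo_mappers.items():
                if dn in VO_MEMBERS.get(vo, ()):
                    return mapper.map(dn)
            return None              # host known, but DN is in no supported VO
    return None                      # no policy applies to this host
```
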

GUMS is a core part of the OSG authentication and authorization infrastructure. Currently the OSG gatekeeper makes a PRIMA callout to GUMS to perform the local account mapping. GUMS is also slated to be the target of another mapping callout performed by glexec. Glexec will run on all worker nodes and handle job reauthentication: in pilot job systems, the end-user job will run as a different user than the pilot job itself, and glexec will perform the user account switch.

Current Development Goals

Six Month List of Features (December 2006)

Through our association with OSG, BNL is embarking on further efforts to expand and improve GUMS. This is a partial list of significant improvements we hope to make before the next major release of GUMS (version 1.2).

  • Add SSL client-side security to the GUMS LDAP connection.
  • Configuration Management
    1. Edit system configuration from Web GUI
    2. Validate any configuration changes
    3. Increase flexibility/reduce redundancy in configuration file.
    4. Add configuration functionality to command line admin client.
    5. List contents/status of current configuration.
  • Read-only user groups -- this is necessary to support glexec on worker nodes without host certificates. A service DN would be added to the read-only group. This service proxy would be used to make the mapping callout from glexec.
  • Much better error handling/reporting. No exception stack traces should ever reach the Tomcat layer from the Web GUI -- they should all be caught, analyzed, and turned into an informative error message.

GUMS 1.2 Release to VDT (June 2007)

The GUMS 1.2 release to VDT in June 2007 included these additional features.

  • Completion and documentation of the LDAP persistence factory: Instead of using a local database to store info, GUMS can now store it directly in a site LDAP system.
  • Added flexibility to the LDAPAccountMapper to allow (among other things) sites to customize what tree in LDAP gets used.
  • Diagnostic Summary page to assist in configuration and troubleshooting.
  • Backup history of configurations. Old configurations can be re-loaded.
  • Additional type of gridmap-file generation oriented toward import into dCache.

Development Team

BNL is the primary development group, with input from members of the Privilege Project working at Fermi National Accelerator Laboratory. Current active development team members include:

  • John Hover (BNL)
  • Jay Packard (BNL)

Hacking on GUMS

Getting set up to make changes to GUMS code is a bit involved. Here is a high-level description of the setup we use.

  • Install MySQL.
  • Set up and install support for the JPackage YUM repository. See GridDevHowTo.
  • Install tomcat5 and maven2 by running: yum install tomcat5 tomcat5-admin-webapps maven2
  • Install and set up the EGEE gLite Trustmanager. We have created an RPM for this: tomcat5-glite-trustmanager-1.6.3-1.noarch.rpm
  • Check out the GUMS code from Subversion. Instructions for accessing the GUMS code are at Using BNL Subversion.
  • Create the default GUMS database in MySQL.
  • Set up your personal maven environment.
  • cd into gums-core and run mvn package, then mvn install
  • cd into gums-service and run mvn package, then mvn cargo:deployer-deploy