HOWTO16 How to enable a Virtual Organisation on a EGI Federated Cloud
Support a new Virtual Organisation in the EGI Federated Cloud
Support an already existing Virtual Organisation in the EGI Federated Cloud
Enable a Virtual Organisation on a EGI Federated Cloud site using OpenNebula
Assuming that you are using OpenNebula v4.x, rOCCI-server v1.0.x and integration with Perun Fedcloud-tf:ResourceProviders:OpenNebula#Integration_with_Perun, you have to perform the following steps to support a new Virtual Organization:
- Configure VOMS/GridSite
- Create a new group in OpenNebula
VOMS/GridSite
For each allowed VO, you need a subdirectory in /etc/grid-security/vomsdir/ that contains the lsc files of all truted VOMS servers for the given VO. The lsc files must be named as the fully qualified host name of the VOMS server with an lsc extension and must contain:
- First line: subject DN of the VOMS server host certificate
- Second line: subject DN of the CA that issued the VOMS server host certificate
For example, for the fedcloud.egi.eu VO, these would be:
$ cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms1.egee.cesnet.cz.lsc /DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms1.egee.cesnet.cz /C=NL/O=TERENA/CN=TERENA eScience SSL CA $ cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms2.grid.cesnet.cz.lsc /DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms2.grid.cesnet.cz /C=NL/O=TERENA/CN=TERENA eScience SSL CA
OpenNebula
For each allowed VO, you need to create a group in OpenNebula with a matching name. All groups with names matching known VOs are automatically populated and managed by Perun, see Fedcloud-tf:ResourceProviders:OpenNebula#Integration_with_Perun for details.
For example, for the fedcloud.egi.eu VO, the command to create the appropriate group would be:
# the OpenNebula front-end $ onegroup create fedcloud.egi.eu
Enable a Virtual Organisation on a EGI Federated Cloud site using OpenStack
Assuming that you are using the Keystone VOMS module the steps needed are listed in the VOMS module documentation.
Keystone V2
The configuration for the Keystone V2 authentitaion is as follows:
- Configure your LSC files according to the VOMS documentation
- Create a tenant for your new VO:
$ keystone tenant-create --name <tenant_name> --description "Tenant for VO <vo>"
- Add the mapping to your
voms.json
mapping. It must be proper JSON (you can check its correctness with online or withpython -mjson.tool /etc/keystone/voms.json
). Edit the file, and add an entry like this:
{ "voname|FQAN": { "tenant": "tenant_name" } }
- Note that you can use the FQAN from the incoming proxy, so you can map a group within a VO into a tenant, like this:
{ "dteam": { "tenant": "dteam" }, "/dteam/NGI_IBERGRID": { "tenant": "dteam_ibergrid" } }
- Restart the Apache server, and it's done.