The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "Dteam vo"

From EGIWiki
 
(42 intermediate revisions by 8 users not shown)
Line 1: Line 1:
{{Template:Op menubar}}
{{Template:Op menubar}}  
{{Template:Doc_menubar}}
{{Template:Doc_menubar}}  
{{TOC_right}}
{{TOC_right}}  


==Migration of the dteam VO from CERN to EGI VOMS (AUTH/NGI_GRNET)==
[[Category:Catch All Grid Core Services]]
# Sync dteam Greece with dteam CERN.
# Advise sites to add the new VOMS server to their configuration. They need to be told new site-info.def definitions to replace these:  
<pre>
VO_DTEAM_VOMS_SERVERS='vomss://voms.cern.ch:8443/voms/dteam?/dteam/'


VO_DTEAM_VOMSES="\
= General Information  =
'dteam lcg-voms.cern.ch 15004 \
/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch dteam 24' \
'dteam voms.cern.ch 15004 \
/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch dteam 24'" </pre>
and
<pre>
VO_DTEAM_VOMS_CA_DN="\
'/DC=ch/DC=cern/CN=CERN Trusted Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Trusted Certification Authority'"
</pre>
with these:
<pre>
VO_DTEAM_VOMS_SERVERS='vomss://voms.hellasgrid.gr:8443/voms/dteam?/dteam/'


VO_DTEAM_VOMSES="\
The DTEAM VO is an infrastructure VO that MUST be enabled by all EGI Resource Centres that support the VO concept for user authentication, as stated in the [https://documents.egi.eu/document/31 Resource Centre Operational Level Agreement]. It is meant for testing and troubleshooting of capabilities across EGI Resource Centres. Usage of the DTEAM VO is subject to the EGI [[SPG:Documents|Security Policies]].  
'dteam voms.hellasgrid.gr 15004 \
/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr dteam 24' \
'dteam voms2.hellasgrid.gr 15004 \
/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr dteam 24'" </pre>
and
<pre>
VO_DTEAM_VOMS_CA_DN="\
'/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006' \
'/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006'"
</pre>
'''Run yaim after changing site-info.def'''.The new "lsc" files should be '''voms.hellasgrid.gr.lsc''' and '''voms2.hellasgrid.gr.lsc''' with the following contents, respectively:
<pre>
/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr
/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006
</pre>
<pre>
/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr
/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006
</pre>
<ol start="3">
<li> Sites also need an rpm containing the host cert(s) of the new VOMS server(s) at least for the WMS, while it still requires the certs of supported VOs. We could add those certs to lcg-vomscerts to smoothen the transition, but it may be better for EGI to control its own rpm. 11/10/2010 lcg-vomscerts has been already updated. Version 6.1.0 and later contains the new certs. Latest[http://etics-repository.cern.ch/repository/download/registered/org.glite/lcg-vomscerts/6.2.0/noarch/lcg-vomscerts-6.2.0-1.noarch.rpm] as of 11/11/2010.
</ol>
<ol start="4">
<li> Wait a bit (1 month sounds reasonable).
</ol>
<ol start="5">
<li> Close registrations at CERN. service stop vomrs should do.
</ol>
<ol start="6">
<li> Sync dteam Greece with dteam CERN.
</ol>
<ol start="7">
<li> Advise new users to register with Greece. https://voms.hellasgrid.gr:8443/vo/dteam/vomrs
</ol>
<ol start="8">
<li> Remove CERN dteam. '''This will take place on Wednesday January 26'''.
</ol>
<ol start="9">
<li> Advise sites to drop CERN dteam configuration.
</ol>


==General information about the VO==
* DTEAM AUP: Find on the VO page in the Operation Portal: https://operations-portal.egi.eu/vo/view/voname/dteam
The dteam VO started in EGEE as a VO for operations. '''General Grid security policies''' as defined the the documents at [https://wiki.egi.eu/wiki/SPG:Documents] are applicable. Currently the '''AUP''' [http://cic.egi.eu/common/all/documents/AUP/dteam-AcceptableUsePolicy-20060830-144906.aup] (which needs update for EGI terminology) states:
*'''Get support''': in order to get support about the DTEAM VO please [http://helpdesk.egi.eu/ open a ticket], select type ''Operations'', and set ''concerned VO'' to ''dteam''. If you have privileges, assign it to the Support Unit ''VOsupport unit''.


This acceptable Use Policy applies to all members of the DTEAM Virtual
= Become a member =
Organization, hereafter referred to as the VO, with reference to use of
the LCG/EGEE Grid infrastructure, hereafter referred to as the Grid. The
ROC managers' coordination committee is the body that owns and gives
authority to this policy.


The goal of the VO is to facilitate the deployment of a stable production
Open the following link
Grid infrastructure. To this end, members of this VO -who have to be
associated with a registered site and be involved in its operation- are
allowed to run tests which validate the correct configuration of their
site.  Site performance evaluation and/or monitoring programs may also be
run under the DTEAM VO with the approval of the Site Manager, subject to
the agreement of the affected sites' management.


During all times at which they are utilising Grid resources, in testing or
*[https://voms2.hellasgrid.gr:8443/voms/dteam DTEAM VOMS-Admin]
performing productions for validation, the Members and Managers of the VO
agree to be bound by the Grid Acceptable Usage Rules, VO Security Policy
and other relevant Grid Policies, and to use the Grid only in the
furtherance of the stated goals of the VO.


==How to get support==
fill in the requested information and after reading the dteam AUP confirm that you abide to this policy and press the submit button.


Open a GGUS ticket, '''select Operations as type''', and '''set concerned VO to dteam'''. If you have privileges, assign it to the '''VOsupport unit'''.
In order to verify your email address an email will be sent to you (if you cannot find the verification email in your inbox please make sure to also check your spam folder). By following the link given within the verification email you will have to select the appropriate NGI/Group manager who will handle your request and press the "Continue" button at the bottom of the page. The NGI/Group Manager you selected will be notified of your request and should handle it.


==Recipes for VO/ROC/NGI/Site managers==
== What users filling the '''dteam''' VO Registration form should do  ==


===What users filling the '''dteam''' VO Registration form should do:===
Select the appropriate '''Group Manager''' (depending on NGI origin) for themselves. The Manager corresponding to their NGI/region is offered in a bullet-list menu.


Select the appropriate '''Representative''' and '''Group''' for themselves. The Representative corresponding to their region is offered in a drop-down menu. Example: dteam users from Greece should select Kostas Koumantaros or Ioannis Lambiotis as their Representative and /dteam/NGI_GRNET as their Group.
'''Example:'''  
Everybody is automatically registered under the root group /dteam in addition to any Group they might select. Nobody can de-assign them from this "root group" unless they get "Denied", in the first place or, later on, "Suspended", by the VO-Admin, in which case they can't run any Grid jobs and they get deleted from the VOMS database.
<blockquote style="background-color: lightgrey; border: solid thin grey; padding: 5px;">dteam users from Greece should select Kostas Koumantaros as their Group Manager</blockquote>
When users select additional Groups, the GroupOwners have nothing to do, if they have no objection.
Users may select GroupRoles within a given Group as well.


===What the VO-Admin can do:===
Everybody is automatically registered under the root group /dteam. Nobody can de-assign them from this "root group" unless they get "Denied", in the first place or, later on, "Suspended", by the VO-Admin, in which case they can't run any Grid jobs and they get deleted from the VOMS database.


Everything including VO member suspension/removal that nobody else can do!
Users may select additional Groups, SubGroups and Roles within their NGI Group from their [https://voms2.hellasgrid.gr:8443/voms/dteam/user/home.action VO Home page].
'''NB!!!'''If you try to remove a member and the box-to-tick is grey, this means that the member has some authority (GroupOwner/Manager or Representative). You 'll have to remove that funtion first from him/her via "Manage VO Admin Roles". To remove the GroupOwner/Manager autority, use control/click on the relevant Group/Role (it will be blue)!


===What the Representative can do:===
'''Examples:'''
<blockquote style="background-color: lightgrey; border: solid thin grey; padding: 5px;">dteam users from Greece should select to be added to /dteam/NGI_GRNET Group</blockquote>
<blockquote style="background-color: lightgrey; border: solid thin grey; padding: 5px;">dteam users from Greece who want Production Role should request the/dteam/NGI_GRNET/Role=production role</blockquote>


Approve Candidates during the initial registration and handle Expired users. To do this, the Representative should either click on the link (s)he got in the email notification or go to the web interface, open the "Members" sub-menu, click on "Set status", search for "New" candidates and approve those assigned to him/her.
= Recipes for VO/ROC/NGI/Group/Site managers  =


The Representative selected by the user can assign another Representative before approving, as appropriate. Example: a DTEAM VO Candidate from a Russian LCG Site selected the SWE ROC manager as Representative. Gonzalo (SWE) can replace himself with Alexander (RDIG).
== What the VO-Admin can do ==


===What the GroupOwners can do:===
Everything including VO member suspension/removal and ACLs configuration that nobody else can do!


Group Owners can create groups/group roles and assign new Group Owner/Manager roles to member within the subgroups. If they decided that the user doesn't belong to their group(s) they can de-assign him/her at any time. Example: If Sven from DECH selects additional group /dteam/see, Kostas can move him out.
== What the NGI/Group Manager can do  ==


* Approve Candidates during the initial registration.


===What the GroupManagers can do:===
<blockquote style="background-color: white; border: solid thin grey; padding: 5px; color: red;">
They can deassign users from their group at any time.
NOTE: Once an NGI/Group Manager approves a user request he/she should make sure to add this person to the corresponding group he/she manages, plus any other subgroups as applicable.  
</blockquote>


http://cern.ch/dimou/lcg/vomrs/Groups-Roles.doc contains EGEE era implementation details and plans on Groups/Roles. As VOMRS fuctionality will be implemented in VOMS this document is becoming obsolete.
* Add/remove members to specific NGI/Group he/she is in charge of.
 
===Mini How-To:===
 
* To (De)Assign someone as Representative go to "Manage VO Admin Roles".
* To (De)Assign someone as GroupOwner go to "Manage VO Admin Roles", search for the VO member and select the Group (s)he should own.
* To Change Representative for all members go to "Change Representative", Select the right DN from the drop dowm menu, click on each member.
* To receive email notification for actions you need to take go to "Subscription" and select what you wish to be notified about.
 
VOMRS Tutorials: http://www.uscms.org/SoftwareComputing/Grid/VO/tutorials.html
 
VOMRS Online Documentation: http://computing.fnal.gov/docs/products/vomrs/
 
{| border="1"
!
! VO Admin
! Representative
! GroupOwner
! GroupManager
|-
|Candidate
|remove  
|
|
|
|-
|Applicant
|Remove/approve/deny Assign/deassign  to/from group and group role
|Remove/approve/suspend/expire
|Assign/deassign  to/from group and  group role
|-
|Member
|Remove/approve/suspend/expire Assign/deassign  to/from group and  group role
|expire from Institute but not from the VO
|assign/deassign to/from group and group role
|assign/deassign to/from group and group role
|-
|Member’s certificate
|Remove/approve/deny/suspend
|
|assign/deassign to/from group and group role
|assign/deassign to/from group and group role
|-
|}
 
'''Info obtained from Maria Dimou VOMRS tips page http://dimou.web.cern.ch/dimou/lcg/registrar/TF/vomrs-tips.html, with material provided by Tanya Levshina (VOMRS Project Leader and developer)'''
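
Review bot: the new revision drops the whole migration section, including the voms.hellasgrid.gr and voms2.hellasgrid.gr VO_DTEAM_VOMSES entries and the two .lsc file contents, while the new General Information text states that the VO MUST be enabled by all EGI Resource Centres. The new text links only the VOMS-Admin page and the Operations Portal VO page, so add a pointer to where site administrators now find the current VOMS server DNs and CA DN. In the second new example, "request the/dteam/NGI_GRNET/Role=production role" is missing a space before the group path, and "abide to this policy" in the Become a member text should read "abide by".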

Latest revision as of 14:15, 13 March 2018


General Information

The DTEAM VO is an infrastructure VO that MUST be enabled by all EGI Resource Centres that support the VO concept for user authentication, as stated in the Resource Centre Operational Level Agreement. It is meant for testing and troubleshooting of capabilities across EGI Resource Centres. Usage of the DTEAM VO is subject to the EGI Security Policies.

Become a member

Open the following link:

  • DTEAM VOMS-Admin: https://voms2.hellasgrid.gr:8443/voms/dteam

Fill in the requested information and, after reading the dteam AUP, confirm that you abide by this policy and press the submit button.

In order to verify your email address an email will be sent to you (if you cannot find the verification email in your inbox please make sure to also check your spam folder). By following the link given within the verification email you will have to select the appropriate NGI/Group manager who will handle your request and press the "Continue" button at the bottom of the page. The NGI/Group Manager you selected will be notified of your request and should handle it.

What users filling the dteam VO Registration form should do

Select the appropriate Group Manager (depending on NGI origin) for themselves. The Manager corresponding to their NGI/region is offered in a bullet-list menu.

Example:

dteam users from Greece should select Kostas Koumantaros as their Group Manager

Everybody is automatically registered under the root group /dteam. Nobody can de-assign them from this "root group" unless the VO-Admin marks them "Denied" in the first place or, later on, "Suspended", in which case they can't run any Grid jobs and they get deleted from the VOMS database.

Users may select additional Groups, SubGroups and Roles within their NGI Group from their VO Home page.

Examples:

dteam users from Greece should select to be added to the /dteam/NGI_GRNET Group

dteam users from Greece who want the Production Role should request the /dteam/NGI_GRNET/Role=production role

Recipes for VO/ROC/NGI/Group/Site managers

What the VO-Admin can do

Everything, including VO member suspension/removal and ACL configuration, which nobody else can do!

What the NGI/Group Manager can do

  • Approve Candidates during the initial registration.

NOTE: Once an NGI/Group Manager approves a user request he/she should make sure to add this person to the corresponding group he/she manages, plus any other subgroups as applicable.

  • Add/remove members to/from the specific NGI/Group he/she is in charge of.