Difference between revisions of "Dteam vo"

From EGIWiki
(Proposed responsibilities)
Line 1: Line 1:
{{Template:Op menubar}}
+
{{Template:Op menubar}} {{Template:Doc_menubar}} {{TOC_right}}  
{{Template:Doc_menubar}}
 
{{TOC_right}}
 
  
=General Information =
+
= General Information =
The DTEAM VO is an infrastructure VO that MUST be enabled by all EGI Resource Centres that support the VO concept for user autentication, as stated in the [https://documents.egi.eu/document/31 Resource Centre Operational Level Agreement]. It is meant for testing and troubleshooting of grid capabilities across EGI Resource Centres. Usage of the DTEAM VO is subject to the EGI [[SPG:Documents| Security Policies]].
 
* [http://operations-portal.egi.eu/vo/downloadAUP/file/dteam-AcceptableUsePolicy-20110926-1316993681969.txt DTEAM AUP].
 
* '''Get support''': in order to get support about the DTEAM VO please [http://helpdesk.egi.eu/ open a ticket], select type ''Operations'', and set ''concerned VO'' to ''dteam''. If you have privileges, assign it to the Support Unit ''VOsupport unit''.
 
  
=Recipes for VO/ROC/NGI/Site managers=
+
The DTEAM VO is an infrastructure VO that MUST be enabled by all EGI Resource Centres that support the VO concept for user authentication, as stated in the [https://documents.egi.eu/document/31 Resource Centre Operational Level Agreement]. It is meant for testing and troubleshooting of grid capabilities across EGI Resource Centres. Usage of the DTEAM VO is subject to the EGI [[SPG:Documents|Security Policies]].
  
==What users filling the '''dteam''' VO Registration form should do==
+
*[http://operations-portal.egi.eu/vo/downloadAUP/file/dteam-AcceptableUsePolicy-20110926-1316993681969.txt DTEAM AUP].
 +
*'''Get support''': in order to get support about the DTEAM VO please [http://helpdesk.egi.eu/ open a ticket], select type ''Operations'', and set ''concerned VO'' to ''dteam''. If you have privileges, assign it to the Support Unit ''VOsupport unit''.
  
Select the appropriate '''Representative''' and '''Group''' for themselves. The Representative corresponding to their region is offered in a drop-down menu. Example: dteam users from Greece should select Kostas Koumantaros or Ioannis Lambiotis as their Representative and /dteam/NGI_GRNET as their Group.
+
= Recipes for VO/ROC/NGI/Site managers =
Everybody is automatically registered under the root group /dteam in addition to any Group they might select. Nobody can de-assign them from this "root group" unless they get "Denied", in the first place or, later on, "Suspended", by the VO-Admin, in which case they can't run any Grid jobs and they get deleted from the VOMS database.
 
When users select additional Groups, the GroupOwners have nothing to do, if they have no objection.
 
Users may select GroupRoles within a given Group as well.
 
  
==What the VO-Admin can do==
+
== What users filling the '''dteam''' VO Registration form should do ==
  
Everything including VO member suspension/removal that nobody else can do!
+
Select the appropriate '''Representative''' and '''Group''' for themselves. The Representative corresponding to their region is offered in a drop-down menu.  
'''NB!!!'''If you try to remove a member and the box-to-tick is grey, this means that the member has some authority (GroupOwner/Manager or Representative). You 'll have to remove that funtion first from him/her via "Manage VO Admin Roles". To remove the GroupOwner/Manager autority, use control/click on the relevant Group/Role (it will be blue)!
 
  
==What the Representative can do==
+
''Example: dteam users from Greece should select Kostas Koumantaros or Ioannis Liabotis as their Representative and /dteam/NGI_GRNET as their Group.''
  
Approve Candidates during the initial registration and handle Expired users. To do this, the Representative should either click on the link (s)he got in the email notification or go to the web interface, open the "Members" sub-menu, click on "Set status", search for "New" candidates and approve those assigned to him/her.
+
Everybody is automatically registered under the root group /dteam in addition to any Group they might select. Nobody can de-assign them from this "root group" unless they get "Denied", in the first place or, later on, "Suspended", by the VO-Admin, in which case they can't run any Grid jobs and they get deleted from the VOMS database.  
  
The Representative selected by the user can assign another Representative before approving, as appropriate. Example: a DTEAM VO Candidate from a Russian LCG Site selected the SWE ROC manager as Representative. Gonzalo (SWE) can replace himself with Alexander (RDIG).
+
When users select additional Groups, the GroupOwners have nothing to do, if they have no objection. Users may select GroupRoles within a given Group as well.  
  
==What the GroupOwners can do==
+
== What the VO-Admin can do ==
Group Owners can create groups/group roles and assign new Group Owner/Manager roles to member within the subgroups. If they decided that the user doesn't belong to their group(s) they can de-assign him/her at any time. Example: If Sven from DECH selects additional group /dteam/see, Kostas can move him out.
 
  
==What the GroupManagers can do==
+
Everything including VO member suspension/removal that nobody else can do!
They can deassign users from their group at any time.
 
  
http://cern.ch/dimou/lcg/vomrs/Groups-Roles.doc contains EGEE era implementation details and plans on Groups/Roles. As VOMRS fuctionality will be implemented in VOMS this document is becoming obsolete.
+
If you try to remove a member and the box-to-tick is grey, this means that the member has some authority (GroupOwner/Manager or Representative). You 'll have to remove that funtion first from him/her via "Manage VO Admin Roles".
 +
 
 +
To remove the GroupOwner/Manager autority, use control/click on the relevant Group/Role (it will be blue)!
 +
 
 +
== What the Representative can do ==
 +
 
 +
Approve Candidates during the initial registration and handle Expired users.
 +
 
 +
To do this, the Representative should either click on the link (s)he got in the email notification or go to the web interface, open the "Members" sub-menu, click on "Set status", search for "New" candidates and approve those assigned to him/her.
 +
 
 +
The Representative selected by the user can assign another Representative before approving, as appropriate.
 +
 
 +
''Example: a DTEAM VO Candidate from a Russian LCG Site selected the SWE ROC manager as Representative. Gonzalo (SWE) can replace himself with Alexander (RDIG).''
 +
 
 +
== What the GroupOwners can do ==
 +
 
 +
Group Owners can create groups/group roles and assign new Group Owner/Manager roles to member within the subgroups. If they decided that the user doesn't belong to their group(s) they can de-assign him/her at any time.
 +
 
 +
''Example: If Sven from DECH selects additional group /dteam/see, Kostas can move him out.''
 +
 
 +
== What the GroupManagers can do ==
 +
 
 +
They can deassign users from their group at any time.
 +
 
 +
http://cern.ch/dimou/lcg/vomrs/Groups-Roles.doc contains EGEE era implementation details and plans on Groups/Roles. As VOMRS fuctionality will be implemented in VOMS this document is becoming obsolete.  
 +
 
 +
== Proposed distribution of responsibilities ==
  
==Proposed distribution of responsibilities==
 
 
{| border="1"
 
{| border="1"
! Operations manager and deputy
+
|-
! Operations centre staff
+
! Operations manager and deputy  
 +
! Operations centre staff  
 
! Site staff
 
! Site staff
 
|-
 
|-
|GroupOwner,GroupManager, VO Representative
+
| GroupOwner,GroupManager, VO Representative  
|GroupManager
+
| GroupManager  
|Group Member
+
| Group Member
|-
 
 
|}
 
|}
  
=Mini How-To=
+
= Mini How-To =
  
* To (De)Assign someone as Representative go to "Manage VO Admin Roles".
+
*To (De)Assign someone as Representative go to "Manage VO Admin Roles".  
* To (De)Assign someone as GroupOwner go to "Manage VO Admin Roles", search for the VO member and select the Group (s)he should own.
+
*To (De)Assign someone as GroupOwner go to "Manage VO Admin Roles", search for the VO member and select the Group (s)he should own.  
* To Change Representative for all members go to "Change Representative", Select the right DN from the drop dowm menu, click on each member.
+
*To Change Representative for all members go to "Change Representative", Select the right DN from the drop dowm menu, click on each member.  
* To receive email notification for actions you need to take go to "Subscription" and select what you wish to be notified about.
+
*To receive email notification for actions you need to take go to "Subscription" and select what you wish to be notified about.
  
 
{| border="1"
 
{| border="1"
 +
|-
 
!  
 
!  
! VO Admin
+
! VO Admin  
! Representative
+
! Representative  
! GroupOwner
+
! GroupOwner  
 
! GroupManager
 
! GroupManager
 
|-
 
|-
|Candidate
+
| Candidate  
|remove  
+
| remove  
|
+
|  
|
+
|  
|
+
|  
 
|-
 
|-
|Applicant
+
| Applicant  
|Remove/approve/deny Assign/deassign to/from group and group role
+
| Remove/approve/deny Assign/deassign to/from group and group role  
|Remove/approve/suspend/expire
+
| Remove/approve/suspend/expire  
|Assign/deassign to/from group and group role
+
| Assign/deassign to/from group and group role
 
|-
 
|-
|Member
+
| Member  
|Remove/approve/suspend/expire Assign/deassign to/from group and group role
+
| Remove/approve/suspend/expire Assign/deassign to/from group and group role  
|expire from Institute but not from the VO
+
| expire from Institute but not from the VO  
|assign/deassign to/from group and group role
+
| assign/deassign to/from group and group role  
|assign/deassign to/from group and group role
+
| assign/deassign to/from group and group role
|-
 
|Member’s certificate
 
|Remove/approve/deny/suspend
 
|
 
|assign/deassign to/from group and group role
 
|assign/deassign to/from group and group role
 
 
|-
 
|-
 +
| Member’s certificate
 +
| Remove/approve/deny/suspend
 +
|
 +
| assign/deassign to/from group and group role
 +
| assign/deassign to/from group and group role
 
|}
 
|}
  
=Migration of the dteam VO from CERN VOMS server to EGI VOMS (AUTH/NGI_GRNET)=
+
= Resources  =
# Sync dteam Greece with dteam CERN.
 
# Advise sites to add the new VOMS server to their configuration. They need to be told new site-info.def definitions to replace these:
 
<pre>
 
VO_DTEAM_VOMS_SERVERS='vomss://voms.cern.ch:8443/voms/dteam?/dteam/'
 
  
VO_DTEAM_VOMSES="\
+
*VOMRS Tutorials: http://www.uscms.org/SoftwareComputing/Grid/VO/tutorials.html
'dteam lcg-voms.cern.ch 15004 \
+
*VOMRS Online Documentation: http://computing.fnal.gov/docs/products/vomrs/
/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch dteam 24' \
 
'dteam voms.cern.ch 15004 \
 
/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch dteam 24'" </pre>
 
and
 
<pre>
 
VO_DTEAM_VOMS_CA_DN="\
 
'/DC=ch/DC=cern/CN=CERN Trusted Certification Authority' \
 
'/DC=ch/DC=cern/CN=CERN Trusted Certification Authority'"
 
</pre>
 
with these:
 
<pre>
 
VO_DTEAM_VOMS_SERVERS='vomss://voms.hellasgrid.gr:8443/voms/dteam?/dteam/'
 
  
VO_DTEAM_VOMSES="\
+
= Acknowledgements  =
'dteam voms.hellasgrid.gr 15004 \
 
/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr dteam 24' \
 
'dteam voms2.hellasgrid.gr 15004 \
 
/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr dteam 24'" </pre>
 
and
 
<pre>
 
VO_DTEAM_VOMS_CA_DN="\
 
'/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006' \
 
'/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006'"
 
</pre>
 
'''Run yaim after changing site-info.def'''.The new "lsc" files should be '''voms.hellasgrid.gr.lsc''' and '''voms2.hellasgrid.gr.lsc''' with the following contents, respectively:
 
<pre>
 
/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms.hellasgrid.gr
 
/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006
 
</pre>
 
<pre>
 
/C=GR/O=HellasGrid/OU=hellasgrid.gr/CN=voms2.hellasgrid.gr
 
/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006
 
</pre>
 
<ol start="3">
 
<li> Sites also need an rpm containing the host cert(s) of the new VOMS server(s) at least for the WMS, while it still requires the certs of supported VOs. We could add those certs to lcg-vomscerts to smoothen the transition, but it may be better for EGI to control its own rpm. 11/10/2010 lcg-vomscerts has been already updated. Version 6.1.0 and later contains the new certs. Latest[http://etics-repository.cern.ch/repository/download/registered/org.glite/lcg-vomscerts/6.2.0/noarch/lcg-vomscerts-6.2.0-1.noarch.rpm] as of 11/11/2010.
 
</ol>
 
<ol start="4">
 
<li> Wait a bit (1 month sounds reasonable).
 
</ol>
 
<ol start="5">
 
<li> Close registrations at CERN. service stop vomrs should do.
 
</ol>
 
<ol start="6">
 
<li> Sync dteam Greece with dteam CERN.
 
</ol>
 
<ol start="7">
 
<li> Advise new users to register with Greece. https://voms.hellasgrid.gr:8443/vo/dteam/vomrs
 
</ol>
 
<ol start="8">
 
<li> Remove CERN dteam. '''This will take place on Wednesday January 26'''.
 
</ol>
 
<ol start="9">
 
<li> Advise sites to drop CERN dteam configuration.
 
</ol>
 
 
 
= Resources =
 
*VOMRS Tutorials: http://www.uscms.org/SoftwareComputing/Grid/VO/tutorials.html
 
*VOMRS Online Documentation: http://computing.fnal.gov/docs/products/vomrs/
 
  
= Acknowledgements =
 
 
Information provided in this page was collected from M. Dimou's VOMRS [http://dimou.web.cern.ch/dimou/lcg/registrar/TF/vomrs-tips.html tips page], with material provided by Tanya Levshina (VOMRS Project Leader and developer).
 
Information provided in this page was collected from M. Dimou's VOMRS [http://dimou.web.cern.ch/dimou/lcg/registrar/TF/vomrs-tips.html tips page], with material provided by Tanya Levshina (VOMRS Project Leader and developer).
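
Review bot: the edit summary "(Proposed responsibilities)" does not cover the largest change in this revision: the whole "Migration of the dteam VO from CERN VOMS server to EGI VOMS (AUTH/NGI_GRNET)" section, with its site-info.def values, the voms.hellasgrid.gr.lsc and voms2.hellasgrid.gr.lsc contents and steps 3 to 9, is gone from the new side. Those lines were the only place on this page recording which VOMS host DNs and CA DN sites are told to trust for dteam, so either say in the summary that the migration notes are retired or move them to a linked page. Separately, the new side still carries "funtion", "autority", "fuctionality" and "drop dowm menu", and the representative's surname changes from "Lambiotis" to "Liabotis" without comment; worth confirming the spelling.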

Revision as of 14:33, 17 October 2011




General Information

The DTEAM VO is an infrastructure VO that MUST be enabled by all EGI Resource Centres that support the VO concept for user authentication, as stated in the Resource Centre Operational Level Agreement. It is meant for testing and troubleshooting of grid capabilities across EGI Resource Centres. Usage of the DTEAM VO is subject to the EGI Security Policies.

  • DTEAM AUP.
  • Get support: in order to get support about the DTEAM VO please open a ticket, select type Operations, and set concerned VO to dteam. If you have privileges, assign it to the Support Unit VOsupport unit.

Recipes for VO/ROC/NGI/Site managers

What users filling the dteam VO Registration form should do

Select the appropriate Representative and Group for themselves. The Representative corresponding to their region is offered in a drop-down menu.

Example: dteam users from Greece should select Kostas Koumantaros or Ioannis Liabotis as their Representative and /dteam/NGI_GRNET as their Group.

Everybody is automatically registered under the root group /dteam in addition to any Group they might select. Nobody can de-assign them from this "root group" unless the VO-Admin marks them "Denied" at registration or "Suspended" later on, in which case they can't run any Grid jobs and they get deleted from the VOMS database.

When users select additional Groups, the GroupOwners have nothing to do, if they have no objection. Users may select GroupRoles within a given Group as well.

What the VO-Admin can do

Everything including VO member suspension/removal that nobody else can do!

If you try to remove a member and the box-to-tick is grey, this means that the member has some authority (GroupOwner/Manager or Representative). You'll have to remove that function from him/her first via "Manage VO Admin Roles".

To remove the GroupOwner/Manager authority, use control/click on the relevant Group/Role (it will be blue)!

What the Representative can do

Approve Candidates during the initial registration and handle Expired users.

To do this, the Representative should either click on the link (s)he got in the email notification or go to the web interface, open the "Members" sub-menu, click on "Set status", search for "New" candidates and approve those assigned to him/her.

The Representative selected by the user can assign another Representative before approving, as appropriate.

Example: a DTEAM VO Candidate from a Russian LCG Site selected the SWE ROC manager as Representative. Gonzalo (SWE) can replace himself with Alexander (RDIG).

What the GroupOwners can do

Group Owners can create groups/group roles and assign new Group Owner/Manager roles to members within the subgroups. If they decide that the user doesn't belong to their group(s) they can de-assign him/her at any time.

Example: If Sven from DECH selects additional group /dteam/see, Kostas can move him out.

What the GroupManagers can do

They can deassign users from their group at any time.

http://cern.ch/dimou/lcg/vomrs/Groups-Roles.doc contains EGEE-era implementation details and plans on Groups/Roles. As VOMRS functionality will be implemented in VOMS, this document is becoming obsolete.

Proposed distribution of responsibilities

{| border="1"
|-
! Operations manager and deputy
! Operations centre staff
! Site staff
|-
| GroupOwner, GroupManager, VO Representative
| GroupManager
| Group Member
|}

Mini How-To

  • To (De)Assign someone as Representative go to "Manage VO Admin Roles".
  • To (De)Assign someone as GroupOwner go to "Manage VO Admin Roles", search for the VO member and select the Group (s)he should own.
  • To Change Representative for all members go to "Change Representative", select the right DN from the drop-down menu, click on each member.
  • To receive email notification for actions you need to take go to "Subscription" and select what you wish to be notified about.

{| border="1"
|-
!
! VO Admin
! Representative
! GroupOwner
! GroupManager
|-
| Candidate
| remove
|
|
|
|-
| Applicant
| Remove/approve/deny Assign/deassign to/from group and group role
| Remove/approve/suspend/expire
| Assign/deassign to/from group and group role
|-
| Member
| Remove/approve/suspend/expire Assign/deassign to/from group and group role
| expire from Institute but not from the VO
| assign/deassign to/from group and group role
| assign/deassign to/from group and group role
|-
| Member’s certificate
| Remove/approve/deny/suspend
|
| assign/deassign to/from group and group role
| assign/deassign to/from group and group role
|}

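Resources

  • VOMRS Tutorials: http://www.uscms.org/SoftwareComputing/Grid/VO/tutorials.html
  • VOMRS Online Documentation: http://computing.fnal.gov/docs/products/vomrs/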

Acknowledgements

Information provided in this page was collected from M. Dimou's VOMRS tips page, with material provided by Tanya Levshina (VOMRS Project Leader and developer).