The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "GGUS:VOMS Interface FAQ"

(3 intermediate revisions by 2 users not shown)
Line 4: Line 4:
[[Category:FAQ Interfaces (GGUS)]]
[[Category:FAQ Interfaces (GGUS)]]
<hr />'''FAQ for the Interface between GGUS and VOMS'''
<hr />'''FAQ for the Interface between GGUS and VOMS'''
; Updated: 2011-10-12


===Purpose===
===Purpose===
Line 10: Line 9:
The VOMS–GGUS interface is used for synchronizing the GGUS user database with the CERN VOMS server. In CERN VOMS server the alarm and team permissions for the LHC VOs are kept.  
The VOMS–GGUS interface is used for synchronizing the GGUS user database with the CERN VOMS server. In CERN VOMS server the alarm and team permissions for the LHC VOs are kept.  
===Tools, Applications, Systems===
===Tools, Applications, Systems===
The VOMS–GGUS interface is based on scripts which retrieve the data from VOMS server using an API call. The scripts are
The VOMS–GGUS interface is based on scripts which retrieve the data from VOMS server using an API call. The scripts which are involved are:
* voms2list.pl and
* voms2list.pl
* alarm_team.sh.
* voms_sync.php
They are located on machine “automatix” in directory /home/ggus/voms. Both scripts are executed every night via cron.
* Syncr.php
Access to “automatix” is only possible via “Carl/Carla” setting up an ssh connection for ggus to “automatix”.
*DB.php
===Work flows===
 
They are located on the front end machines (prod-cn/prod-cs) in directory /usr/local/bin.  
Both scripts are executed every night via cron.  
* fetch_voms.sh is stored as cronjob under /etc/cron.daily/fetch_voms
 
===Workflow===
====Retrieving data from VOMS server====
====Retrieving data from VOMS server====
The script voms2list.pl retrieves the complete data set from VOMS server and saves it as csv file at /home/ggus/voms/$vo/$vo$role.csv. This script is executed once per VO and role.
The script voms2list.pl retrieves daily the data about VOMS membership of the groups/roles team and alarm.
The script alarm_team.sh reads the csv file, sorts the data by certificate DN and compares the retrieved data with the data in a base file /home/ggus/voms/$vo/$vo$role_base_sort.csv. Differences are saved in a file /home/ggus/voms/$vo/$vo$role_temp.csv and an email notification is sent to the GGUS developers. Additionally the file with the retrieved data is used as new base file.
====Updating GGUS user database====
====Updating GGUS user database====
Via cfengine the *_temp.csv are copied to the GGUS production (and training) servers at the time when they are created. Coincidentally the php script voms_sync.php gets started.
The script voms_sync.php establishes a connection to the GGUS database and starts the VOMS synchronization through the Syncr.php script. The first step of the synchronization process is to delete all old alarm and team roles stored in the database. Then the script reads the content of each .csv files where the usernames/dn/emails are temporarily stored for each VO and each role (team/alarm) and updates the user accounts according to the latest VOMS version. If the user has already an account in the database only the new role will be assigned to him/her (the user account is not affected by the synchronization), otherwise a new account will be created together with the given role.
This script communicates with the GGUS user database and creates, deletes or updates user accounts according to the content of the csv files.
Attributes covered by the synchronization process are:
Attributes covered by the synchronization process are
 
* VOMS role (team, alarm)
* VOMS role (team, alarm)
* Certificate DN
* Certificate DN
* Email
* Email
* User name
* User name
===What happens if the nightly voms-ggus sync fails?===
When the procedure fails new roles/users will be not updated/added - but no user account will be deleted, only previous roles. With the next proper execution of the synchronisation procedure the data will be up-to-date again.
==  What if I have questions which are not dealt with by this FAQ? ==  
==  What if I have questions which are not dealt with by this FAQ? ==  
Open a {{GGUS ticket}} indicating that it should be directed at the GGUS team.
Open a {{GGUS ticket}} indicating that it should be directed at the GGUS team.
{{GGUS search}}
{{GGUS search}}
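Review bot: In the new "Tools, Applications, Systems" text, the sentence "Both scripts are executed every night via cron" is carried over from the two-script version but now follows a list of four files (voms2list.pl, voms_sync.php, Syncr.php, DB.php), while fetch_voms.sh appears only in the cron bullet; state which of these cron actually runs and how fetch_voms.sh relates to them. The rewritten update step also deletes all alarm and team roles before the .csv files are read, and the new failure section confirms that a failed run leaves the previous roles removed until the next successful sync, so the page should say how a failed run is noticed now that the e-mail notification described for alarm_team.sh is no longer mentioned.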

Latest revision as of 07:17, 25 September 2014


FAQ for the Interface between GGUS and VOMS

Purpose

This document describes the VOMS–GGUS interface, which is used for synchronizing the GGUS user database with the CERN VOMS server. The CERN VOMS server holds the alarm and team permissions for the LHC VOs.

Tools, Applications, Systems

The VOMS–GGUS interface is based on scripts which retrieve the data from the VOMS server using an API call. The scripts involved are:

  • voms2list.pl
  • voms_sync.php
  • Syncr.php
  • DB.php

They are located on the front end machines (prod-cn/prod-cs) in the directory /usr/local/bin. Both scripts are executed every night via cron.

  • fetch_voms.sh is stored as a cron job under /etc/cron.daily/fetch_voms

Workflow

Retrieving data from VOMS server

The script voms2list.pl retrieves, once a day, the VOMS membership data for the team and alarm groups/roles.

Updating GGUS user database

The script voms_sync.php establishes a connection to the GGUS database and starts the VOMS synchronization through the Syncr.php script. The first step of the synchronization process is to delete all old alarm and team roles stored in the database. The script then reads the content of each .csv file, where the usernames/DNs/emails are temporarily stored for each VO and each role (team/alarm), and updates the user accounts according to the latest VOMS version. If the user already has an account in the database, only the new role is assigned to him/her (the user account is not affected by the synchronization); otherwise a new account is created together with the given role.

Attributes covered by the synchronization process are:

  • VOMS role (team, alarm)
  • Certificate DN
  • Email
  • User name

What happens if the nightly voms-ggus sync fails?

When the procedure fails, new roles/users will not be updated/added. No user account will be deleted, only the previous roles. With the next proper execution of the synchronisation procedure the data will be up to date again.
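
The update step and the failure case described above, modelled as an added example (not the GGUS scripts themselves, which are PHP). The table layout, the name,DN,email column order of the CSV files, and the sample VO, names and DNs are assumptions constructed for illustration.

```python
import csv
import io
import sqlite3

# Assumed schema; the page does not describe the real GGUS tables.
SCHEMA = """
CREATE TABLE users (dn TEXT PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE roles (dn TEXT, vo TEXT, role TEXT, UNIQUE (dn, vo, role));
"""

def sync(db, exports):
    """exports maps (vo, role) -> CSV text, one 'name,dn,email' row per member.
    Follows the documented order: drop all team/alarm roles, then rebuild."""
    db.execute("DELETE FROM roles WHERE role IN ('team', 'alarm')")
    db.commit()  # the deletion stands on its own, matching the failure behaviour
    for (vo, role), text in exports.items():
        for row in csv.reader(io.StringIO(text)):
            name, dn, email = row  # a malformed row raises ValueError
            # Existing accounts are left untouched; missing ones are created.
            db.execute("INSERT OR IGNORE INTO users VALUES (?, ?, ?)", (dn, name, email))
            db.execute("INSERT OR IGNORE INTO roles VALUES (?, ?, ?)", (dn, vo, role))
    db.commit()

def count(db, table):
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample exports for one VO.
    good = {
        ("atlas", "team"): "Alice Example,/DC=org/DC=example/CN=alice,alice@example.org\n",
        ("atlas", "alarm"): "Bob Example,/DC=org/DC=example/CN=bob,bob@example.org\n",
    }
    sync(db, good)
    roles_ok = count(db, "roles")
    try:
        # Constructed failure: a truncated export with a missing column.
        sync(db, {("atlas", "team"): "Alice Example,/DC=org/DC=example/CN=alice\n"})
    except ValueError:
        pass
    roles_failed, users_failed = count(db, "roles"), count(db, "users")
    sync(db, good)  # the next proper run restores the roles
    return roles_ok, roles_failed, users_failed, count(db, "roles")

if __name__ == "__main__":
    print(demo())
```

Between the failed run and the next successful one the accounts still exist but hold no team or alarm role, which is the window an operator would want a post-sync role count check to flag.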

What if I have questions which are not dealt with by this FAQ?

Open a GGUS ticket indicating that it should be directed at the GGUS team.
