The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

HOWTO16 How to enable a Virtual Organisation on a EGI Federated Cloud

From EGIWiki
Revision as of 13:55, 23 April 2014

Support a new Virtual Organisation in the EGI Federated Cloud

Support an already existing Virtual Organisation in the EGI Federated Cloud

Enable a Virtual Organisation on an EGI Federated Cloud site using OpenNebula

For each allowed VO, you need a subdirectory in /etc/grid-security/vomsdir/ that contains the lsc files of all trusted VOMS servers for the given VO. These DNs are what the site uses to verify the signature on the VOMS attribute certificate carried in an incoming proxy: an lsc entry that does not exactly match the host certificate the server currently presents (for instance after that certificate is reissued by a different CA) makes every proxy from that server untrusted, so a typo here silently locks the VO out. Each lsc file must be named after the fully qualified host name of the VOMS server, with an lsc extension, and must contain:

  • First line: subject DN of the VOMS server host certificate
  • Second line: subject DN of the CA that issued the VOMS server host certificate

For example, for the fedcloud.egi.eu VO, these would be:

$ cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms1.egee.cesnet.cz.lsc
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms1.egee.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA

$ cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms2.grid.cesnet.cz.lsc 
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms2.grid.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
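As an added check (example code written for this page, not part of the wiki or of any EGI tool), the following Python script parses every lsc file under a vomsdir tree and reports files whose name or DN lines do not follow the rules above. It runs against a constructed sample tree: the two fedcloud.egi.eu entries shown above plus deliberately broken files under an invented example-vo directory. Point check_vomsdir() at /etc/grid-security/vomsdir to run it on a real site. It never contacts a VOMS server, so it cannot tell whether the DNs match the certificate a server currently presents; for that, compare the lines against the subject and issuer of the server's host certificate (openssl x509 -in hostcert.pem -noout -subject -issuer -nameopt compat prints them in the same slash-separated form).

```python
"""Added example (not from the wiki page): sanity-check lsc files under
/etc/grid-security/vomsdir without talking to any VOMS server.

Each <vomsdir>/<vo>/<fqdn>.lsc must hold exactly two non-empty lines: the
subject DN of the VOMS server host certificate and the DN of its issuing CA,
in the slash-separated form shown on the page.
"""
import os
import re
import tempfile

# A DN in lsc form is a run of /ATTR=value components. A value may itself
# contain a slash (older host certs use CN=host/<fqdn>) as long as that slash
# is not followed by another ATTR= component.
DN_RE = re.compile(r"^(?:/[A-Za-z0-9.]+=(?:[^/]|/(?![A-Za-z0-9.]+=))+)+$")
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z0-9-]+$", re.I)


def parse_lsc(text):
    """Return (subject_dn, issuer_dn) or raise ValueError describing the defect."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 2:
        raise ValueError(f"expected 2 DN lines, found {len(lines)}")
    subject, issuer = lines
    for label, dn in (("subject", subject), ("issuer", issuer)):
        if not DN_RE.match(dn):
            raise ValueError(f"{label} DN is not in /ATTR=value form: {dn!r}")
    if subject == issuer:
        raise ValueError("subject and issuer are identical; a VOMS host cert must be CA-issued")
    return subject, issuer


def check_vomsdir(vomsdir):
    """Walk <vomsdir>/<vo>/*.lsc; return {'<vo>/<file>': None if OK, else the problem}."""
    report = {}
    for vo in sorted(os.listdir(vomsdir)):
        vo_dir = os.path.join(vomsdir, vo)
        if not os.path.isdir(vo_dir):
            report[vo] = "stray file: only per-VO subdirectories belong in vomsdir"
            continue
        for name in sorted(os.listdir(vo_dir)):
            rel = f"{vo}/{name}"
            host, ext = os.path.splitext(name)
            if ext != ".lsc" or not FQDN_RE.match(host):
                report[rel] = "file name must be <fqdn of the VOMS server>.lsc"
                continue
            with open(os.path.join(vo_dir, name), encoding="utf-8") as fh:
                text = fh.read()
            try:
                subject, _issuer = parse_lsc(text)
            except ValueError as exc:
                report[rel] = str(exc)
                continue
            # The host certificate's CN must name the server the file is for.
            cn = subject.rsplit("/CN=", 1)[-1]
            cn = cn[len("host/"):] if cn.startswith("host/") else cn
            report[rel] = None if cn.lower() == host.lower() else (
                f"CN {cn!r} does not match file name host {host!r}")
    return report


# Constructed sample tree: the two real fedcloud.egi.eu entries from the page
# plus invented files under a made-up example-vo directory.
SAMPLE_FILES = {
    "fedcloud.egi.eu/voms1.egee.cesnet.cz.lsc":
        "/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms1.egee.cesnet.cz\n"
        "/C=NL/O=TERENA/CN=TERENA eScience SSL CA\n",
    "fedcloud.egi.eu/voms2.grid.cesnet.cz.lsc":
        "/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms2.grid.cesnet.cz\n"
        "/C=NL/O=TERENA/CN=TERENA eScience SSL CA\n",
    # issuer line missing
    "example-vo/voms.example.org.lsc": "/C=XX/O=Example/CN=voms.example.org\n",
    # file not named after an FQDN
    "example-vo/voms-typo.lsc":
        "/C=XX/O=Example/CN=voms.example.org\n/C=XX/O=Example/CN=Example CA\n",
    # CN names a different host than the file does
    "example-vo/voms2.example.org.lsc":
        "/C=XX/O=Example/CN=voms3.example.org\n/C=XX/O=Example/CN=Example CA\n",
    # old-style CN=host/<fqdn>, which is still a valid match
    "example-vo/voms4.example.org.lsc":
        "/C=XX/O=Example/CN=host/voms4.example.org\n/C=XX/O=Example/CN=Example CA\n",
}


def demo():
    """Write the constructed sample tree to a temp dir and check it."""
    root = tempfile.mkdtemp(prefix="vomsdir-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return check_vomsdir(root)


if __name__ == "__main__":
    for rel, problem in demo().items():
        print(("OK   " if problem is None else "FAIL ") + rel + (f": {problem}" if problem else ""))
```

Running it as a script prints one OK/FAIL line per file; on a real site, replace demo() with check_vomsdir("/etc/grid-security/vomsdir") and treat every non-None entry as a VO that will not be able to authenticate.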

Enable a Virtual Organisation on an EGI Federated Cloud site using OpenStack

Assuming that you are using the Keystone VOMS module, the steps needed are listed in the VOMS module documentation.

Keystone V2

The configuration for Keystone V2 authentication is as follows:

  • Configure your LSC files according to the VOMS documentation
  • Create a tenant for your new VO:
$ keystone tenant-create --name <tenant_name> --description "Tenant for VO <vo>"
  • Add the mapping to your voms.json mapping file. It must be valid JSON; check it locally with python -m json.tool /etc/keystone/voms.json (an online validator also works, but prefer the local check for a production configuration file). Edit the file, and add an entry like this:
{
    "voname|FQAN": {
        "tenant": "tenant_name"
    }
}
  • Note that you can use the FQAN from the incoming proxy, so you can map a group within a VO into a tenant, like this:
{
    "dteam": {
        "tenant": "dteam"
    },
    "/dteam/NGI_IBERGRID": {
        "tenant": "dteam_ibergrid"
    }
}
  • Restart the Apache server that fronts Keystone so that the new mapping is loaded, and it's done.
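The following Python script is an added example for this page (not code from the wiki or from the Keystone VOMS module). It lints a voms.json file against what the page states (valid JSON, one object per VO name or FQAN, each carrying a "tenant") and then shows how an FQAN taken from a proxy, such as /dteam/NGI_IBERGRID/Role=NULL/Capability=NULL, would select a tenant from the two overlapping entries above. The precedence it applies (exact group path first, then each parent group, then the bare VO name) is an assumption made for illustration; the page does not say which entry the module prefers when both match, so check the module's source before relying on overlapping entries.

```python
"""Added example (not from the wiki page or the Keystone VOMS module): lint the
voms.json mapping and show how a proxy FQAN would pick a tenant.

The precedence in resolve_tenant() is an assumption for illustration only.
"""
import json

# Constructed sample in the shape shown on the page: a VO-wide entry plus a
# more specific entry for one group of the same VO.
SAMPLE_VOMS_JSON = """{
    "dteam": {"tenant": "dteam"},
    "/dteam/NGI_IBERGRID": {"tenant": "dteam_ibergrid"}
}"""


def validate_mapping(text):
    """Parse voms.json text; return (mapping, problems). problems is [] when clean."""
    try:
        mapping = json.loads(text)
    except json.JSONDecodeError as exc:
        return {}, [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(mapping, dict):
        return {}, ["top level must be a JSON object keyed by VO name or FQAN"]
    problems = []
    for key, value in mapping.items():
        if not key or key != key.strip():
            problems.append(f"{key!r}: key must be a VO name or FQAN without surrounding whitespace")
        if (not isinstance(value, dict) or not isinstance(value.get("tenant"), str)
                or not value["tenant"]):
            problems.append(f'{key!r}: value must be an object with a non-empty "tenant" string')
    return mapping, problems


def normalise_fqan(fqan):
    """Strip the Role=NULL/Capability=NULL padding VOMS adds to a group-only FQAN."""
    parts = [p for p in fqan.split("/") if p and p not in ("Role=NULL", "Capability=NULL")]
    return "/" + "/".join(parts)


def resolve_tenant(mapping, fqans):
    """Return (matched_key, tenant) for the first FQAN (in proxy order) that maps, else None.

    Assumed precedence per FQAN: exact group path, then each parent group,
    then the bare VO name (the first path component, as in the "dteam" key).
    Run validate_mapping() first; this assumes every value carries a tenant.
    """
    for fqan in fqans:
        parts = [p for p in normalise_fqan(fqan).split("/") if p]
        if not parts:
            continue
        candidates = ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]
        candidates.append(parts[0])
        for key in candidates:
            if key in mapping:
                return key, mapping[key]["tenant"]
    return None


if __name__ == "__main__":
    mapping, problems = validate_mapping(SAMPLE_VOMS_JSON)
    print("problems:", problems or "none")
    for fqan in ("/dteam/NGI_IBERGRID/Role=NULL/Capability=NULL",
                 "/dteam/Role=NULL/Capability=NULL",
                 "/ops/Role=NULL/Capability=NULL"):
        print(f"{fqan} -> {resolve_tenant(mapping, [fqan])}")
```

To lint a real file, pass the contents of /etc/keystone/voms.json to validate_mapping(); a non-empty problems list means the module will either fail to load the file or ignore the offending entry, and a proxy whose FQANs resolve to None belongs to a VO the site has not mapped to any tenant.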