HOWTO16 How to enable a Virtual Organisation on an EGI Federated Cloud
Support a new Virtual Organisation in the EGI Federated Cloud
This process is for user communities without an existing Virtual Organisation. If you already have a VO, see Support an already existing Virtual Organisation in the EGI Federated Cloud.
In order to register a new Virtual Organization in the EGI Federated Cloud, you need to gather the following information:
- Name of the new VO
- Contact information for the VO manager (full name and an e-mail address)
- Brief description of the VO and its user community
and open a GGUS ticket for the EGI Federated Cloud SU with the subject
New VO Registration Request - VO_NAME
where VO_NAME represents the VO name of your choice in compliance with EGI's guidelines.
The Support Team will inform you on how and when to register the new VO with the EGI Operations Portal.
Support an already existing Virtual Organisation in the EGI Federated Cloud
This process is for user communities with an existing Virtual Organisation. If you do not have a VO, see Support a new Virtual Organisation in the EGI Federated Cloud.
In order to register an existing Virtual Organization in the EGI Federated Cloud, you need to provide the following information:
- Name of the VO (as registered in the EGI Operations Portal)
and open a GGUS ticket for the EGI Federated Cloud SU with the subject
Existing VO Registration Request - VO_NAME
where VO_NAME is the VO name as registered in the EGI Operations Portal.
The Support Team will contact you and guide you through the rest of the process.
Enable a Virtual Organisation on an EGI Federated Cloud site using OpenNebula
Assuming that you are using OpenNebula v4.x, rOCCI-server v1.0.x and the Perun integration, perform the following steps to support a new Virtual Organisation:
- Configure VOMS/GridSite
- Create a new group in OpenNebula
VOMS/GridSite
For each allowed VO, you need a subdirectory of /etc/grid-security/vomsdir/ that contains the lsc files of all trusted VOMS servers for that VO. Each lsc file must be named after the fully qualified host name of the VOMS server, with an .lsc extension, and must contain exactly two lines:
- First line: subject DN of the VOMS server host certificate
- Second line: subject DN of the CA that issued the VOMS server host certificate
For example, for the fedcloud.egi.eu VO, these would be:
$ cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms1.egee.cesnet.cz.lsc
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms1.egee.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
$ cat /etc/grid-security/vomsdir/fedcloud.egi.eu/voms2.grid.cesnet.cz.lsc
/DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms2.grid.cesnet.cz
/C=NL/O=TERENA/CN=TERENA eScience SSL CA
OpenNebula
For each allowed VO, you need to create a group in OpenNebula with a matching name. All groups with names matching known VOs are automatically populated and managed by Perun, see Integration with Perun for details.
For example, for the fedcloud.egi.eu VO, the command to create the appropriate group would be:
# on the OpenNebula front-end
$ onegroup create fedcloud.egi.eu
Enable a Virtual Organisation on an EGI Federated Cloud site using OpenStack
Assuming that you are using the Keystone VOMS module, the steps needed are listed in the VOMS module documentation.
Keystone V2
The configuration for Keystone V2 authentication is as follows:
- Configure your LSC files according to the VOMS documentation
- Create a tenant for your new VO:
$ keystone tenant-create --name <tenant_name> --description "Tenant for VO <vo>"
- Add the mapping to your voms.json file. It must be valid JSON (you can check its correctness with an online validator or with python -mjson.tool /etc/keystone/voms.json). Edit the file and add an entry like this:
{ "voname|FQAN": { "tenant": "tenant_name" } }
- Note that the FQAN from the incoming proxy can be used as the key, so you can map a group within a VO to its own tenant, like this:
{ "dteam": { "tenant": "dteam" }, "/dteam/NGI_IBERGRID": { "tenant": "dteam_ibergrid" } }
- Restart the Apache server, and it's done.
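As an added example that is not part of this wiki page nor of the rOCCI-server or Keystone VOMS code, the following Python script checks a vomsdir tree and a voms.json document against the rules described in the VOMS/GridSite and Keystone V2 sections above: each lsc file is named after the VOMS server FQDN and holds exactly two subject DN lines, and each voms.json entry maps a VO name or FQAN to a non-empty tenant. The FQDN pattern, the function names and the wording of the reported problems are the example's own assumptions.

```python
import json
import os
import re

FQDN_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")  # assumed FQDN shape

def check_lsc_text(filename, text):
    """Problems with one .lsc file: <voms-fqdn>.lsc holding exactly two DN lines
    (VOMS host certificate subject, then the subject of the CA that issued it)."""
    problems = []
    host, ext = os.path.splitext(filename)
    if ext != ".lsc" or not FQDN_RE.match(host):
        problems.append(f"{filename}: name must be the VOMS server FQDN plus .lsc")
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) != 2:
        problems.append(f"{filename}: expected 2 DN lines, found {len(lines)}")
    for n, dn in enumerate(lines[:2], 1):
        if not dn.startswith("/") or "CN=" not in dn:
            problems.append(f"{filename}: line {n} is not an OpenSSL-style subject DN: {dn!r}")
    return problems

def check_voms_mapping(text):
    """Problems with voms.json: a JSON object whose keys are VO names or FQANs and
    whose values are objects carrying a non-empty "tenant" string."""
    try:
        mapping = json.loads(text)
    except ValueError as e:
        return [f"voms.json is not valid JSON: {e}"]
    if not isinstance(mapping, dict):
        return ["voms.json top level must be a JSON object"]
    problems = []
    for key, value in mapping.items():
        tenant = value.get("tenant") if isinstance(value, dict) else None
        if not isinstance(tenant, str) or not tenant:
            problems.append(f'{key}: value must be an object with a non-empty "tenant" string')
    return problems

def check_vomsdir(vomsdir="/etc/grid-security/vomsdir"):
    """Walk a vomsdir tree on disk; return {vo: [problems]} for each VO subdirectory."""
    report = {}
    for vo in sorted(os.listdir(vomsdir)):
        vo_path = os.path.join(vomsdir, vo)
        if os.path.isdir(vo_path):
            files = sorted(os.listdir(vo_path))
            problems = [] if files else ["no .lsc files: no VOMS server is trusted for this VO"]
            for f in files:
                with open(os.path.join(vo_path, f)) as fh:
                    problems.extend(check_lsc_text(f, fh.read()))
            report[vo] = problems
    return report
```

Run check_vomsdir() on the site and check_voms_mapping() on the contents of /etc/keystone/voms.json before restarting Apache; an empty problem list for every VO means the trust and mapping files have the shape this page requires.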