PHP VOMS-Admin version 0.6.7 Operation Manual

DRAFT-026292-PVA
Lang: english
Compiled: 2/1/2013

Andrii Salnikov
[email protected]


Contents

1 Introduction
2 Getting started with PVA-based VOMS server
  2.1 Installation
  2.2 Basic configuration
    2.2.1 Review PVA web-interface configuration
    2.2.2 Review pva-addvo configuration
  2.3 Add new VO
  2.4 Review VO settings
  2.5 Migrate VO database
  2.6 Adding external VOMSes
  2.7 Configure VO Groups view
3 Using web-interface
  3.1 General operations
    3.1.1 List VOs
    3.1.2 Contact VOMS Server Admin
    3.1.3 Request VOMS resources for new VO
  3.2 VO operations
    3.2.1 New member registration
      3.2.1.1 Filling registration form
      3.2.1.2 Confirming your registration request
      3.2.1.3 Receiving membership approval
    3.2.2 VO management
      3.2.2.1 Manage Users
        3.2.2.1.1 User details
        3.2.2.1.2 Membership details
        3.2.2.1.3 Generic attributes management
      3.2.2.2 Manage Groups
        3.2.2.2.1 ACL Management
        3.2.2.2.2 Membership details
        3.2.2.2.3 Generic attributes management
      3.2.2.3 Manage Roles
        3.2.2.3.1 Membership details
        3.2.2.3.2 Generic attributes management
      3.2.2.4 Manage Attributes
    3.2.3 Configuration
    3.2.4 Subscriptions
      3.2.4.1 Pending requests
      3.2.4.2 Processed requests
    3.2.5 Preferences
      3.2.5.1 Display
      3.2.5.2 Transactions
      3.2.5.3 Replication
        3.2.5.3.1 Overview replication details
        3.2.5.3.2 Establishing replication agreement
        3.2.5.3.3 Add more replication agreements
      3.2.5.4 Event Log
    3.2.6 Other VOs on this server
4 Using SOAP interfaces
  4.1 VOMSCompatibility
  4.2 VOMSAdmin
    4.2.1 Complex types
    4.2.2 Methods
    4.2.3 Obsolete methods
  4.3 VOMSACL
    4.3.1 Complex types
    4.3.2 Methods
  4.4 VOMSAttributes
    4.4.1 Complex types
    4.4.2 Methods
  4.5 VOMSRegistration
    4.5.1 Complex types
    4.5.2 Methods
5 Brief overview of some PHP VOMS-Admin internals
  5.1 Multilingual support
  5.2 Replication process
  5.3 Autoincrement problem in multi-master replication process
6 Acknowledgments

Chapter 1

Introduction

PHP VOMS-Admin (PVA) is a web interface, written in PHP, for managing virtual organization (VO) membership parameters.

I started to work on PHP VOMS-Admin because the traditional Java-based EDG VOMS-Admin solution for Apache Tomcat does not scale. The Ukrainian grid deployment on top of NorduGrid ARC middleware requires more and more VOs to be served by a single server. Java consumes a lot of memory: with EDG VOMS-Admin, memory usage is about 600MB for every VO, which limits the number of VOs dramatically. So the idea of creating a lightweight solution was born, and PHP looked like a suitable web technology that provides the desired stability and resource usage.

Instead of running a separate VOMS-Admin instance for each VO, PVA interprets the same code for all VOs, reducing memory and CPU usage many times over. The resulting memory consumption is in the tens of megabytes for all VOs. Another advantage of PVA is response times about 100 times faster, especially under concurrent simultaneous connections. And of course you do not need to install insane numbers of “gLite dependencies” to install PVA :-)

In its first implementation the functions of PHP VOMS-Admin were the same as in the traditional Java-based VOMS-Admin (v.2.0.18). During further PVA development new functions have been implemented. The major highlights are:

• multilingual support (English, Ukrainian and Russian translations are available)

• transaction log viewer

• database multi-master replication

• error notification for deferred operations

• per-VO preferences

• interface enhancements

PVA is fully compatible with the credential-signing backend (vomsd) and uses the same MySQL database as the Java-based VOMS-Admin, with the same ACL rules, for easy migration. The additional database tables for PVA-only functions are created automatically and do not affect basic operation.

PVA development is held at the Parallel Computing Lab of the Information and Computer Centre of Kyiv National Taras Shevchenko University. You can find the latest production version in operation as the VOMS-Admin server of many Ukrainian grid-segment VOs here: https://voms.grid.org.ua/voms

You are free to use PHP VOMS-Admin under the terms of the Apache 2 License (http://www.apache.org/licenses/LICENSE-2.0).

More details can be found on the project web site: http://grid.org.ua/development/pva/.

This guide describes the web interface to show how to use and configure PVA features, for both users and VO administrators.

I hope you enjoy PVA operation. With best regards, Andrii Salnikov


Chapter 2

Getting started with PVA-based VOMS server

This chapter describes the VOMS server administrator actions needed to install and configure a new PHP VOMS-Admin instance on a Linux server. If you are a general VO member or a VO administrator, you can skip this chapter and go on to chapter 3.

2.1 Installation

The easiest and recommended way to install PHP VOMS-Admin is to use the out-of-the-box packages. On RedHat-based systems you can simply use yum to install the package from the Fedora/EPEL repositories:

yum install php-voms-admin

The PVA development web site also provides RPM and DEB packages: http://grid.org.ua/development/pva/?act=download.

The packages assume the Apache web server is used, and install files to the following locations:∗

%{_sysconfdir}/httpd/conf.d/pva.conf
%{_sysconfdir}/pva/
%{_sysconfdir}/pva/vomses/
%{_sbindir}/pva-addvo
%{_sbindir}/pva-dbschema-update
%{_datadir}/doc/php-voms-admin-0.6.7
%{_mandir}/man1/pva-addvo.1.gz
%{_mandir}/man1/pva-dbschema-update.1.gz
%{_mandir}/man5/addvo.conf.5.gz
%{_mandir}/man5/pva-config.5.gz
%{_datadir}/pva
%{_localstatedir}/www/pva/mail-copies

Direct source download is available via the NorduGrid SVN:

svn co http://svn.nordugrid.org/repos/nordugrid/contrib/pva/tags/pva-0.6.7 pva-0.6.7

∗ Debian uses /etc/apache2 instead of /etc/httpd.


Source code distribution contains the following structure:

pva-0.6.7
|--conf                    <-- PVA configuration files
|  |--vomses               <-- per-VO configuration files
|--debian                  <-- required for .deb packaging
|--interfaces              <-- web-interface interface scripts
|--js                      <-- web-interface dynamic JavaScript
|--kcaptcha                <-- kaptcha generator files
|--lang                    <-- multilingual translation files
|--mail_copies             <-- empty directory for PVA mail local store
|--modules                 <-- server script files
|--pics                    <-- web-interface graphics
|--styles                  <-- web-interface CSS
|--wsdl                    <-- SOAP WSDL files
|.htaccess                 <-- apache in-place configuration (use pva.conf instead)
|addvo                     <-- add new VO script
|addvo.conf                <-- add new VO script configuration
|index.php                 <-- web-interface entry point
|pva.conf                  <-- apache server configuration
|pva.spec                  <-- required for .rpm packaging
|pva-dbschema-update       <-- database schema update script
|rpc.php                   <-- PVA internal RPC interface
|VOMSACL.php               <-- VOMSACL SOAP interface
|VOMSAdmin.php             <-- VOMSAdmin SOAP interface
|VOMSAttributes.php        <-- VOMSAttributes SOAP interface
|VOMSCompatibiliy.php      <-- VOMSCompatibility SOAP interface (manual XML)
|VOMSCompatibiliy2.php     <-- VOMSCompatibility SOAP interface (PHP SOAP)
|VOMSRegistration.php      <-- VOMSRegistration SOAP interface

Recommendations and an example configuration for installation on top of the Nginx web server are provided in the NOTES file included in the distribution.

If you have not already done so, you additionally need to configure HTTPS following the documentation of the web server used. Ensure that client certificate verification is enabled. For Apache with mod_ssl the configuration will look like the following:

SSLVerifyClient optional
SSLVerifyDepth 10

PHP VOMS-Admin properly handles requests without client certificate authentication, so optional is the recommended setting. If you want to enforce stricter security restrictions you are free to specify the value required.

You need to put the client verification options inside <VirtualHost> for proper operation. Putting them inside the <Directory> block in /etc/httpd/conf.d/pva.conf fails with: “Re-negotiation handshake failed: Not accepted by client!?”

This really is not accepted by clients: it was discovered that the SSL protocol is open to a very bad man-in-the-middle attack when SSL renegotiation is enabled, so clients refuse to renegotiate. With the options at <VirtualHost> level the client certificate is requested during the initial handshake, and no renegotiation is needed.
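With SSLVerifyClient optional, requests that carry no certificate at all still reach the application, so PHP must decide for itself whether a request is authenticated. As an added example (not code from PVA, whose own handling is not shown here), the following function reads the variables mod_ssl exports with SSLOptions +StdEnvVars (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_I_DN) and returns the client's DN and issuer only when the server actually verified the certificate; the function name and the sample environments are assumptions:

```php
<?php
// Added example, not PVA code: decide whether a request behind mod_ssl with
// "SSLVerifyClient optional" arrived with a verified client certificate.
// The rule a defender wants is simple: only SSL_CLIENT_VERIFY === 'SUCCESS'
// counts; a DN string alone proves nothing.

/**
 * Returns ['dn' => ..., 'ca' => ...] when the web server verified the client
 * certificate, or null for plain HTTP, HTTPS without a certificate, or a
 * certificate that did not verify. A null result is the case in which the
 * manual's lastresort_permissions apply.
 *
 * @param array $server  normally $_SERVER; passed in so the function is testable
 */
function client_identity(array $server): ?array
{
    // mod_ssl variables only exist on HTTPS requests.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return null;
    }
    // mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:<reason>.
    // Anything but an exact SUCCESS is treated as unauthenticated.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    $dn = $server['SSL_CLIENT_S_DN'] ?? '';
    $ca = $server['SSL_CLIENT_I_DN'] ?? '';
    if ($dn === '' || $ca === '') {
        return null;
    }
    return ['dn' => $dn, 'ca' => $ca];
}

// Constructed sample environments (not captured from a real server).
$samples = [
    'plain HTTP'                 => ['REQUEST_METHOD' => 'GET'],
    'HTTPS, no certificate'      => ['HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'NONE'],
    'HTTPS, verified certificate' => [
        'HTTPS'             => 'on',
        'SSL_CLIENT_VERIFY' => 'SUCCESS',
        'SSL_CLIENT_S_DN'   => '/DC=org/DC=example/O=People/CN=Jane Doe',
        'SSL_CLIENT_I_DN'   => '/DC=org/DC=example/CN=Example CA',
    ],
    // A DN present without SUCCESS must not be trusted.
    'HTTPS, DN but not verified' => [
        'HTTPS'             => 'on',
        'SSL_CLIENT_VERIFY' => 'FAILED:self signed certificate',
        'SSL_CLIENT_S_DN'   => '/DC=org/DC=example/CN=Someone',
        'SSL_CLIENT_I_DN'   => '/DC=org/DC=example/CN=Someone',
    ],
];

foreach ($samples as $label => $env) {
    $id = client_identity($env);
    echo str_pad($label, 28), ': ',
         $id === null ? 'unauthenticated (last-resort permissions apply)'
                      : "authenticated as {$id['dn']} (issuer {$id['ca']})", "\n";
}
```

Only the third sample is reported as authenticated. The check on HTTPS first matters because a plain-HTTP request to the same PHP code never carries SSL_* variables, which is exactly the situation the manual describes as the most common case for lastresort_permissions.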


2.2 Basic configuration

2.2.1 Review PVA web-interface configuration

The configuration file /etc/pva/pva-config† contains the general PVA interface settings.

$pva_install_path="/usr/share/pva";
$ca_certificates_path="/etc/grid-security/certificates";
$mail_filecopies_path="/var/www/pva/mail-copies";
$items_per_page=10;
$lastresort_permissions = 517;

$mail_from = "[email protected]";
$mail_from_name = "PHP VOMS Admin";
$voms_admin_mail = "[email protected]";

// $default_view = "listvogroups";
// $lang_overlay = "/etc/pva/lang-overlay";

You must specify proper values for the mail_from, mail_from_name and voms_admin_mail variables to ensure e-mail operation.

The PVA installation path, CA certificates path and e-mail copies location are set automatically when PHP VOMS-Admin is installed from a package. The value of items_per_page determines how many entries (users, groups, roles, etc.) are shown on one page of PVA output. The value of lastresort_permissions sets the default permissions applied when no more specific match is found (insecure HTTP access is the most common case in which lastresort_permissions applies). More details on setting permissions can be found in the ACL configuration section (3.2.2.2.1).

Optionally you can uncomment the default_view (see 3.1.1) and lang_overlay (see 5.1) variables to customize your PVA interface.

2.2.2 Review pva-addvo configuration

The configuration file /etc/pva/addvo.conf‡ sets host-specific parameters for pva-addvo script operation. Several configuration variables might need review:

# Where to find configuration files and voms-server libraries
LIBDIR="/usr/lib64"
CONFDIR="/etc"

# PHP VOMS-Admin config dir
PVACONFDIR="${CONFDIR}/pva/vomses"
# PHP VOMS-Admin config owner
PVACONF_OWNER="apache:apache"

# MySQL user used for PHP VOMS-Admin VO databases creation
MYSQL_USER="root"
# PHP VOMS-Admin per-VO databases access credentials
# "voms_VONAME" user with dynamically generated password will be used if not specified
#VODBUSER="voms"
#VODBPASS="commonpassword"
#VODBHOST="localhost"

# hostname running voms-server
#VOHOST="myvomds.host.org"
# voms-server config files location
VOMSDDIR="${CONFDIR}/voms"
# voms-server certificate and key paths (on the server where vomsd is running)
VOMSDCERT="${CONFDIR}/grid-security/hostcert.pem"
VOMSDKEY="${CONFDIR}/grid-security/hostkey.pem"
# voms-server config files owner
VOMSDCONF_OWNER="voms:voms"

† In case of manual installation from SVN, config.inc is located directly in the conf/ directory of the PVA tree.

‡ In case of manual installation from SVN, the location of addvo.conf needs to be specified in the addvo script with the ADDVOCONF variable. Generally speaking you can set all host-specific parameters directly in the script body, but this will prevent easy future updates.

Out-of-the-box installation from a package sets most variables to default settings that work without modification.

You need to change the VOHOST value when running vomsd on a separate server (the PVA hostname is used by default). The VODBHOST option allows you to specify the MySQL database host (in case a non-localhost installation is used).

If you want to use a common MySQL account for all VOs, uncomment and set the VODBUSER and VODBPASS variables.

When using the Nginx web server you will most probably need to change PVACONF_OWNER.

2.3 Add new VO

The pva-addvo§ script is used to add a new VO to be served by PHP VOMS-Admin. It also generates the configuration files for voms-server for use in conjunction with PVA. The host-specific configuration file /etc/pva/addvo.conf (section 2.2.2) must be reviewed before adding the first VO.

New VO parameters can be provided via environment variables. Any subset of the configuration variables can also be specified in a VO config file passed as the pva-addvo parameter:

pva-addvo [/path/to/vo_config]

The following environment variables provide information about the new VO:

VONAME (required) – The name of the new VO to add. According to EGI documentation, using a FQDN is the preferred way

ADMDN (required) – Distinguished name of the initial VO administrator’s certificate

ADMCA (required) – Distinguished name of the certification authority that signed the initial VO administrator’s certificate

ADMMAIL (required) – E-mail address of the initial VO administrator

RULES_URL (required) – URL that points to the VO usage rules. Every new user must agree to and accept these rules to proceed

VOPORT (required) – voms-server listen port for issuing VOMS ACs

HOMEPAGE (optional) – URL of the VO homepage

DESCR (optional) – Short human-readable description of the VO

DEFCA (optional) – Default value for the DN of the certification authority, used when manually adding new users

§ In SVN the script is named addvo and is located at the top of the source tree.


When the Request VOMS resources for new VO form (section 3.1.3) is filled in and submitted by a VO admin via the PVA web interface, PVA automatically sends an e-mail to the server administrator, formatted as a configuration file to use with pva-addvo. VOPORT is not included in the mail body and must be set manually.

[root@pva-server ~]# VOPORT=15110 pva-addvo /var/www/pva/mail-copies/new_VO_request
INFO: Using default hostname "pva.example.org" for VOHOST value.
INFO: Generating CA list from /etc/grid-security/certificates... Done.
INFO: Creating database and credentials...
Enter password: *********
INFO: Writting vomsd conf at: /etc/voms/test.pva.vo/voms.conf
INFO: Writting PHP VOMS-Admin conf at: /etc/pva/vomses/test.pva.vo.conf
INFO: Please restart vomsd to begin serving voms-extension requests for VO test.pva.vo

You can also read the pva-addvo man page for on-line information about the available options.

2.4 Review VO settings

The PHP VOMS-Admin configuration of a VO is stored in the /etc/pva/vomses/{vo_name}.conf file. The file contains several configuration variables:

$dbhost="localhost";
$dbname="voms_test_pva_vo";
$dbuser="voms_test_pva_vo";
$dbpasswd="EBD2pPytpmcYBfBjfGLzBVFTf3hEaxOM";
$vo_port="15110";
$vo_host="pva.example.org";
$vo_cert="/etc/grid-security/hostcert.pem";
$vo_rules_link="http://www.apache.org/licenses/LICENSE-2.0";
$defaultca="/DC=org/DC=ugrid/CN=UGRID CA";
$vo_description="PVA testing VO";
$vo_mainurl="http://grid.org.ua/development/pva";

The variables store the same parameters that were passed on VO creation with the pva-addvo script.

Since version 0.6, changing variable values in the file affects only the database connection settings (dbhost, dbname, dbuser and dbpasswd)! All other VO configuration is now stored in the VO database, because of the common replication interface, and any other change in the configuration file will be ignored.

2.5 Migrate VO database

Instead of creating a VO from scratch you can migrate an existing VO previously served by another solution (Java VOMS-Admin or a previous version of PHP VOMS-Admin).

When updating the PVA package this step is not required for VOs that are already served. All required changes are performed automatically in the package post-install.

The first thing you should do is create the PHP VOMS-Admin VO configuration file to tell PVA where the VO database is located. Please refer to section 2.4 for the config file options available. You need to specify the database contact information only.


Second, you need to ensure that the VO database schema contains all the necessary PVA extra tables. Until the database schema version is updated, PHP VOMS-Admin works in read-only mode for safety.

To automate the database schema update PVA ships the pva-dbschema-update script, which performs all required checks and creates the missing tables. Pass the database contact parameters to the script via command line options:

pva-dbschema-update [-f] [-h <host>] -d <database> -u <user> -p <password>

The default host is localhost. Option -f forces the script to perform the checks even if the database schema version is up to date. A detailed description of the options can be found in the script’s manual page.

2.6 Adding external VOMSes

External VOMS servers can be specified in the /etc/pva/vomses/external file. External VO information must be written to the external_vos array in the following format:

$external_vos = array (
    "some.external.vo.name" => array (
        "vomsurl" => "https://voms.example.org/voms/some.external.vo.name",
        "description" => "Some External VO",
        "mainurl" => "http://info.example.org/vo.name/"
    )
);

In the example above, some.external.vo.name is the name of the external VO, vomsurl is the link to the VO operations page on the external VOMS, description is a short human-readable description of the external VO, and mainurl is the URL of the VO homepage.

If the name of an external VO is equal to one of the VO names served by this PVA instance, an “external” icon is shown along with the VO description in the List of VOs configured on this server section, instead of a new record in List of VOs configured on external servers.

2.7 Configure VO Groups view

Using PHP VOMS-Admin you can arrange all served and external VOs into groups. VO groups are shown in the “VO Groups” view (see section 3.1.1) and are useful at the operational level (for example, separating testing and production VOs).

VO groups can be specified in the /etc/pva/vomses/vogroups file. VO group names and member VOs must be specified in the vogroups array:

$vogroups = array (
    "Certified VOs" => array (
        "testbed.vo1",
        "testbed.vo2"
    ),
    "Testing VOs" => array (
        "testbed.vo3"
    )
);

$vogroups_default = "Uncertified VOs";

$vogroups_l10n = array (
    "Certified VOs" => array (
        "uk" => "<ukrainian name>",
        "ru" => "<russian name>"
    )
);

VO group names in English and the member VO names are configured explicitly in the vogroups array. Any VO that is not listed as a member of a defined VO group is treated as a member of the vogroups_default group.

Translation of the English group names into other languages is performed via the vogroups_l10n array.
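The rules of sections 2.6 and 2.7 (an external VO whose name matches a served VO gets an icon rather than a separate record; a VO in no group falls into vogroups_default; group names are translated via vogroups_l10n) can be demonstrated together. The following PHP is an added example, not PVA's own view code: it takes arrays in the format of the external and vogroups files, merges them with a constructed list of served VOs, and prints the grouped view. The function names, the served-VO list and the translations are assumptions.

```php
<?php
// Added example, not PVA code: build the "VO Groups" view from the
// configuration arrays described in sections 2.6 and 2.7.

// Arrays in the format of /etc/pva/vomses/vogroups (constructed values).
$vogroups = [
    'Certified VOs' => ['testbed.vo1', 'testbed.vo2'],
    'Testing VOs'   => ['testbed.vo3'],
];
$vogroups_default = 'Uncertified VOs';
$vogroups_l10n = [
    'Certified VOs' => ['uk' => 'Сертифіковані ВО', 'ru' => 'Сертифицированные ВО'],
];

// Constructed: VOs served by this PVA instance (name => description), as they
// would come from the per-VO /etc/pva/vomses/*.conf files.
$served_vos = [
    'testbed.vo1' => 'First testbed VO',
    'testbed.vo3' => 'Third testbed VO',
    'prod.vo'     => 'Production VO',
];
// Constructed entries in the format of /etc/pva/vomses/external.
$external_vos = [
    'testbed.vo2' => [
        'vomsurl'     => 'https://voms.example.org/voms/testbed.vo2',
        'description' => 'Second testbed VO',
        'mainurl'     => 'http://info.example.org/testbed.vo2/',
    ],
    // Same name as a served VO: it gets the "external" icon, not a new record.
    'prod.vo' => [
        'vomsurl'     => 'https://voms.example.org/voms/prod.vo',
        'description' => 'Production VO (mirror)',
        'mainurl'     => 'http://info.example.org/prod.vo/',
    ],
];

/** Merge served and external VOs into rows keyed by VO name, sorted by name. */
function merge_vo_lists(array $served, array $external): array
{
    $rows = [];
    foreach ($served as $name => $descr) {
        $rows[$name] = ['description' => $descr, 'served' => true, 'external_url' => null];
    }
    foreach ($external as $name => $info) {
        if (isset($rows[$name])) {
            // Also served here: only attach the external VOMS link (the icon).
            $rows[$name]['external_url'] = $info['vomsurl'];
        } else {
            $rows[$name] = ['description'  => $info['description'],
                            'served'       => false,
                            'external_url' => $info['vomsurl']];
        }
    }
    ksort($rows);   // the interface sorts rows alphabetically by VO name
    return $rows;
}

/** Group rows by VO group; VOs in no group go to $default. Empty groups are dropped. */
function group_vos(array $rows, array $groups, string $default): array
{
    $member_of = [];
    foreach ($groups as $group => $members) {
        foreach ($members as $vo) {
            $member_of[$vo] = $group;
        }
    }
    $view = array_fill_keys(array_keys($groups), []);
    $view[$default] = [];
    foreach ($rows as $name => $row) {
        $view[$member_of[$name] ?? $default][$name] = $row;
    }
    return array_filter($view);
}

/** Translate a group name for $lang, falling back to the English name. */
function group_label(string $group, string $lang, array $l10n): string
{
    return $l10n[$group][$lang] ?? $group;
}

$lang = 'uk';
$view = group_vos(merge_vo_lists($served_vos, $external_vos), $vogroups, $vogroups_default);
foreach ($view as $group => $members) {
    echo group_label($group, $lang, $vogroups_l10n), "\n";
    foreach ($members as $name => $row) {
        $flags = ($row['served'] ? '' : ' [external only]')
               . ($row['served'] && $row['external_url'] ? ' [also on external VOMS]' : '');
        echo "  $name  {$row['description']}$flags\n";
    }
}
```

With these inputs the Ukrainian label of "Certified VOs" heads testbed.vo1 and testbed.vo2 (the latter external only), "Testing VOs" holds testbed.vo3, and prod.vo lands in "Uncertified VOs" flagged as also served on an external VOMS, which is the icon case of section 2.6 rather than a duplicate row.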


Chapter 3

Using web-interface

The availability of interface elements depends on the permissions granted by access lists. The conditions for availability of a web interface element are given in its description as an ACL specification, like Membership:Read or Preferences:Write. Prepending “Group” to a permission (e.g. Group:Container:Read) means that child group permissions are considered when making the access decision, in contrast to root group permissions only.

The presence of a condition means that you must be granted the specified permissions by the corresponding ACL (see section 3.2.2.2.1) for this action.

3.1 General operations

Following the PHP VOMS-Admin base URL (for example http://example.org/voms) you get access to the general operations interface.

3.1.1 List VOs

The default general operation when accessing PVA is List VOs. Two views for listing VOs are currently available. By default the “Served VOs” view is used. The interface displays all VOs configured on this instance of PVA, VOs configured on external servers and links to replication servers for each VO. General VO preferences (name, description, homepage) are also displayed.

When no VO is configured, PVA shows the corresponding message (Fig. 3.1).

[Figure 3.1: List served VOs (empty). Screenshot of the menu bar (List VOs, Contact VOMS Server Admin, Request VOMS resources for new VO), the section heading “List of VOs configured on this server” and the message “There is no VOs currently served”.]

If a VO configuration exists, in the “Served VOs” view the List of VOs configured on this server is displayed first. Then the List of VOs configured on external servers is displayed, if any. Figure 3.2 shows an example of the List VOs “Served VOs” view output for the current configuration of the http://voms.grid.org.ua/voms PHP VOMS-Admin server.

If VO Groups are configured on the server, in the top right corner of the interface you can find the link VO groups. Clicking on the link switches the List VOs view to “VO Groups” (Figure 3.3). The link Served VOs switches the view back. To use “VO Groups” as the default view for List VOs you need to specify listvogroups as the default_view value in the main PVA configuration file.


[Figure 3.2: List served VOs (voms.grid.org.ua). Screenshot of the “Served VOs” view: the menu bar, the section “List of VOs configured on this server” listing 21 VOs with their descriptions (academia, compuchemgridua, crimeaeco, cslabgrid, eegm, eo-grid.ikd.kiev.ua, geopard, gridik, hep.org.ua, matmoden, medgrid, moldyngrid, msam, multiscale, networkdynamics, sysbio, telemed, testbed.univ.kiev.ua, ung.infrastructure, ung.seed, virgo.ua), the section “List of VOs configured on external servers” (UATest, bitpedu, kpiedu, medgrid.immsp.kiev.ua) and the VO groups link in the top right corner.]

Both views show information about all configured VOs in a table. All rows are sorted alphabetically by the first column, which contains the VO name. The VO name is clickable; the link leads to the VO management interface. The second column contains the VO description, if specified in the configuration.

Several icons can be shown along with the VO description:

– VO home page URL

– URL of an external standalone VOMS server that also serves this VO

– URL of another PVA instance in replication with this one

– URL of another PVA instance in replication with this one (connectivity problems)

All icons are clickable, except the replication connectivity problem icon. Clicking opens the URL corresponding to the icon.


[Figure 3.3: List VO Groups (voms.grid.org.ua). Screenshot of the “VO Groups” view: the same VOs as in Figure 3.2 arranged under the groups “VOs registered in UNG”, “Study and testing VOs” and “Other VOs”, with the Served VOs link in the top right corner.]

3.1.2 Contact VOMS Server Admin

Clicking on Contact VOMS Server Admin link you get redirected to feedback form with VOMS ad-ministrator. Form can be accessed either via HTTP without authentication or via HTTPS with clientcertificate authentication. Accessing via HTTP useful when HTTPS problems exists and user want toreport about this problems.

When HTTPS client certificate authentication is performed, your name is captured automatically from your certificate (Fig. 3.4). You need to enter an e-mail address to proceed; it is used for sending the mail and allows the VOMS server administrator to reply to your request.

Just enter the message text into the corresponding field and press the Send e-mail button.


[Figure 3.4 screenshot: Contact VOMS server administrator form with the fields Sender name (pre-filled with Andrii Salnikov), E-mail for reply, Message text and a Send e-mail button. Form note: Using this form you can send e-mail to VOMS server administrator to ask questions or report problems devoted to server operation. Please specify correct e-mail address to receive an answer for you e-mail.]

Figure 3.4: Contact VOMS Server Admin (accessing via HTTPS)

[Figure 3.5 screenshot: the same Contact VOMS server administrator form accessed via HTTP, with an empty Sender name field and the additional field Enter text on the picture: (captcha) before the Send e-mail button.]

Figure 3.5: Contact VOMS Server Admin (accessing via HTTP)


When the form is accessed via HTTP (Fig. 3.5) you additionally need to enter your name directly and to recognize and enter the text printed on the captcha picture. The captcha is required to prevent the VOMS server administrator from receiving SPAM through PHP VOMS-Admin.

3.1.3 Request VOMS resources for new VO

Clicking on the Request VOMS resources for new VO link takes you to the resources request page. The request can be sent by a VO administrator, and HTTPS client certificate authentication is required to prove the identity.

[Figure 3.6 screenshot: Request VOMS server resources to serve your VO page accessed via HTTP. The introductory text (Filling the form below, you can send a request to VOMS server administrator for providing resources to serve your own VO. You must be VO Administrator and use HTTPS connection to server with authentication by you personal user certificate. The same authentication method will be provided for VO administration in the future.) is followed by the warning: You must use HTTPS connection to the VOMS server to proceed.]

Figure 3.6: Request VOMS resources for new VO (accessing via HTTP)

When the Request VOMS resources for new VO page is accessed via HTTP, a warning saying that an HTTPS connection to the VOMS server must be used is shown (Fig. 3.6).

[Figure 3.7 screenshot: Request VOMS server resources to serve your VO form with the fields VO name*, VO Admin DN (pre-filled with /DC=org/DC=ugrid/O=people/O=KNU/CN=Andrii Salnikov), VO Admin CA (/DC=org/DC=ugrid/CN=UGRID CA), VO Admin e-mail*, VO default CA (/DC=org/DC=ugrid/CN=UGRID CA), VO description, VO homepage, VO rules of usage URL* and a Send request button.]

Figure 3.7: Request VOMS resources for new VO form

When a proper HTTPS connection is used you can see the request form displayed on figure 3.7. Filling the form, as VO admin you can send a request to the VOMS server administrator asking to provide resources to serve your VO.


The initial VO administrator identity is automatically retrieved from the provided certificate, filling the VO Admin DN and VO Admin CA fields. VO default CA is guessed to be equal to VO Admin CA but can be edited or removed completely. The meaning of all form fields corresponds to the pva-addvo script configuration variables described in section 2.3.

Clicking on Send request will send the request to the VOMS administrator.

3.2 VO operations

Clicking on a VO name in the List served VOs page you get redirected to the VO operation page for the selected VO. The PHP VOMS-Admin web-interface header will indicate the name of the selected VO and your provided identity (Fig. 3.8).

[Figure 3.8 screenshot: PVA header for VO: test.pva.vo, Current user: Andrii Salnikov; top menu VO management, Configuration, Other VOs on this server; left Manage menu Users, Groups, Roles, Attributes; Users list showing Andrii Salnikov (UGRID CA) and Andrii Salnikov (Testbed CA), 1-2 of 2, with Search users and Leave this VO controls.]

Figure 3.8: VO operations PHP VOMS-Admin header

If you use the HTTP protocol, the identity cannot be determined, and the Current user field becomes a link to the HTTPS server connection (Fig. 3.9).

[Figure 3.9 screenshot: PVA header for VO: test.pva.vo with Current user: use HTTPS for authentication, and the message: You must use HTTPS connection to the VOMS server to proceed.]

Figure 3.9: VO operations accessed via HTTP PVA header

If you are not a VO user, there is a link to the VO membership registration form (Fig. 3.10) in the top right corner.

[Figure 3.10 screenshot: PVA header for VO: test.pva.vo, Current user: Andrii Salnikov, with the link You are not a member - Register!; the Manage Users view shows No members found and a Search users control.]

Figure 3.10: VO operations register link in PVA header

3.2.1 New member registration

3.2.1.1 Filling registration form

Clicking on the Register! link (Fig. 3.10) you can see the new user registration form shown on figure 3.11.

You should first read and accept the VO's usage rules to become a VO member. You can find the usage rules information by following the VO's Usage Rules link on the registration page.

PVA automatically gets your identity from client certificate authentication and fills Your distinguished name (DN) and Your CA.

You must manually fill in the contact information (e-mail address, institute and phone number) to make it possible for the VO manager to contact you in case of any questions.

You can also fill in the Comments for the VO admin box to provide additional information to be included in your membership request.

Setting the You agree on the VO's usage rules check-box at the bottom of the page confirms that you agree on the VO's usage rules. Finally click the Register button to proceed with the registration request.


[Figure 3.11 screenshot: PHP VOMS-Admin membership registration form for the test.pva.vo VO with the fields Your distinguished name (DN) (pre-filled with /C=UA/O=KNU/OU=People/CN=Andrii Salnikov), Your CA (/C=UA/O=KNU/CN=Testbed CA), Your email address, Your institute, Your phone number, Comments for the VO admin, the check-box You agree on the VO's usage rules and a Register button. Form text: To access the VO resources, you must agree to the VO's Usage Rules. Please fill out all fields in the form below and click on the register button at the bottom of the page. After you submit this request, you will receive an email with instructions on how to proceed. Your request will not be forwarded to the VO managers until you confirm that you have a valid email address by following those instructions. IMPORTANT: By submitting this information you agree that it may be distributed to and stored by VO and site administrators. You also agree that action may be taken to confirm the information you provide is correct, that it may be used for the purpose of controlling access to VO resources and that it may be used to contact you in relation to this activity.]

Figure 3.11: New VO member registration form

3.2.1.2 Confirming your registration request

When you submit the registration form, you will be informed about successful submission (Fig. 3.12). The information says that you will receive an e-mail with further instructions on how to proceed.

[Figure 3.12 screenshot: Confirmation required page: An email has been sent to you with instructions on how to proceed with the registration for the test.pva.vo VO. Please follow the instructions withing 24 hours or your request will be ignored by PHP VOMS-Admin.]

Figure 3.12: Submitting registration form confirmation

The e-mail has the subject Your membership request for VO test.pva.vo. The body text will look like the following:

Dear Andrii Salnikov, you have requested to be a member of VO test.pva.vo

In order for the registration to proceed, you should confirm this request by going to the following url:

https://pva.example.org/voms?vo=test.pva.vo&action=confirmation.....

In case you occationally requested the membership in VO test.pva.vo, please cancel request going to the following url:

https://pva.example.org/voms?vo=test.pva.vo&action=confirmation.....

Your sincerely,
PHP VOMS-Admin registration service for VO test.pva.vo

Your request will not be forwarded to the VO managers until you confirm that you have a valid e-mail address by following the e-mail instructions and clicking the provided URL.

[Figure 3.13 screenshot: notification: You have allready applied. Confirmation E-mail with instructions was sent to you inbox (check SPAM filer if you can not find it in Inbox). If you still have a problem contact the VO administrator or wait 24 hours while request is no longer valid.]

Figure 3.13: Already applied notification

You need to complete the e-mail confirmation within 24 hours or your request will be ignored by PHP VOMS-Admin. You can manually cancel your request by following the second URL in the e-mail body.

You cannot send a registration request again within the 24-hour hold time and will be notified with the message shown on figure 3.13 when trying to click the Register! link after successful form submission.

[Figure 3.14 screenshot: Membership request confirmation page: Your request successfully confirmed. You will receive notification when VO Administrator precess your request.]

Figure 3.14: Membership request successful confirmation

Following the confirmation link provided in the e-mail body, you will see a notification about successful request confirmation (Fig. 3.14).

If you do not receive the confirmation e-mail, first check your SPAM filter and try to find the e-mail in SPAM. You can also try to specify another e-mail address after the 24-hour hold time period. If the problem is still not solved, please contact your VO manager directly using the contacts found on the VO homepage.

3.2.1.3 Receiving membership approval

After completion of the e-mail confirmation your request will be forwarded to the VO managers and will appear in the Subscriptions administrator menu (see section 3.2.4).


Actions may be taken by the VO managers to confirm that the information you provided is correct and to clarify your VO affiliation.

After successful confirmation of your membership request, you will receive an e-mail like the following:

Dear Andrii Salnikov, your membership request for VO test.pva.vo has been approved.

Your sincerely,
PHP VOMS-Admin registration service for VO test.pva.vo

3.2.2 VO management

VO management is the default VO operations action taken when following the PVA URL for a VO. VO management is responsible for internal VO structure control: assigning groups, roles and attributes, and access restrictions. You can return to VO management from other operations by clicking the VO management link in the top menu. The default VO management action is Manage Users.

3.2.2.1 Manage Users

With Membership:Read permissions granted (recommended behavior for all authenticated users) you can see the list of VO members (Fig. 3.15).

[Figure 3.15 screenshot: Manage Users view for VO test.pva.vo, Current user: Andrii Salnikov; top menu VO management, Configuration, Subscriptions, Preferences, Other VOs on this server; left Manage menu Users, Groups, Roles, Attributes; Users list with rows user1 (UGRID CA), user2 (UGRID CA), user3 (UGRID CA), Andrii Salnikov (UGRID CA), maggie/grid.org.ua (Testbed CA), each with a delete user link; 1-5 of 7 » navigation; Search users, Leave this VO and Create a new user controls.]

Figure 3.15: Manage users VO membership view

Every user common name (CN) along with the certification authority CN is displayed line by line. If Membership:Write permissions are granted, a delete user link is shown on the right of every line. The list is sorted ascending by member creation time.

At the bottom of the members list the entry numbers are displayed together with the total number of existing members. When the number of records per page is less than the total number of members, navigation links are also displayed. Clicking on the navigation links you can display the next or previous subset of members.

You can also see the Search users button along with a filter input field at the top of the members list. Entering a match template into the input field and pressing Search users displays only users with a CN matching the specified template (Fig. 3.16).


[Figure 3.16 screenshot: Manage Users view filtered with the template user1, showing user1 (UGRID CA) and user1 (Testbed CA), each with a delete user link, 1-2 of 2.]

Figure 3.16: Filter the list of VO members

Along with the search form, Create a new user and Leave this VO links can be displayed. You need to be a VO member to see the Leave this VO link. Create a new user is available when Membership:Write permissions are granted.

[Figure 3.17 screenshot: Create a new VO user form with the fields DN, CN, CA (drop-down list, /C=UA/O=KNU/CN=Testbed CA selected), E-mail and a Create! button.]

Figure 3.17: Manually add new VO member

Clicking on the Leave this VO link you can dismiss your own membership directly, without contacting the VO administrator. A pop-up window will appear on click requesting operation confirmation, to prevent unwanted membership dismissal. After confirmation, your membership will be removed immediately.

Clicking on the Create a new user link you can manually add a new VO member as VO administrator (Fig. 3.17). You need to enter the member DN, the member CN displayed in the members list, the e-mail contact address of the member, and choose the certification authority that signed the member certificate from the drop-down list. Then click on the Create! button to confirm the member parameters and create the member record.

The recommended way to add general users is to follow the member registration procedure (section 3.2.1). Consider using the manual way to add services and hosts ONLY!

Every member CN in the list (Fig. 3.15) is a link that leads to the detailed member parameters management interface (Fig. 3.18).

The interface consists of three views: User details, Membership details and Generic attributes management. Every view has a minimize/maximize button on the right side of its header.


[Figure 3.18 screenshot: detailed member parameters page with three views. User details: User's DN and CA (/DC=org/DC=ugrid/OU=People/CN=user1, /DC=org/DC=ugrid/CN=UGRID CA), User's common name (user1), User's e-mail address, a Save changes button and a delete this user link. Membership details: drop-down /test.pva.vo/group1 with Add to group; table Group name / Roles with the row /test.pva.vo and a VO-Admin role drop-down with Assign role. Generic attributes management: Attribute drop-down (nickname), Attribute value, Set an attribute button; table Attribute name / Attribute value with the row nickname uuu1 delete.]

Figure 3.18: Manage detail member parameters

3.2.2.1.1 User details The User details view shows the member DN, the DN of the certificate authority that signed the member certificate, the common name and the contact e-mail of the member when Membership:Read permissions are allowed. With Membership:Write permissions granted, you can change the member common name and contact e-mail (confirming changes by clicking on the Save changes button) and delete the member directly from the user details view by clicking on the delete this user link.

3.2.2.1.2 Membership details The content of the membership details view depends on the per-group permissions allowed by the corresponding ACLs (see section 3.2.2.2.1). The purpose of the view is to review and manage containers for the current member or, simply said, member enrollment in groups and roles in groups.

A more detailed example that illustrates different per-group ACLs is shown on figure 3.19.

The membership details list contains records for each group the user is a member of. Each group is displayed in the list only when its own Subgroup:Container:Read permissions are allowed for the reviewer. For every group the list of roles assigned in this group is also displayed in the second column. When Subgroup:Container:Write permissions are granted, a drop-down box of unassigned roles along with an Assign role link is displayed to allow assigning the selected role on click. A Dismiss role link also appears in the third column along with every already assigned role to allow dismissing the corresponding role. The last column contains a Remove link to completely remove membership in the corresponding group.


[Figure 3.19 screenshot: Membership details view with drop-down /test.pva.vo/group2 and Add to group; table Group name / Roles with the rows: /test.pva.vo – production (Dismiss role), tester drop-down with Assign role; /test.pva.vo/group1 – production, tester; /test.pva.vo/group1/subgroup1 – VO-Admin (Dismiss role), production drop-down with Assign role, Remove link.]

Figure 3.19: User membership details view per-group ACLs example

Look at figure 3.19. The following information can be obtained from the output:

• the user is a member of at least three groups, displayed in the first column;

• the ACLs for the groups shown allow Group:Container:Read permissions for the reviewer;

• it is possible that the user is a member of other groups with ACLs that DO NOT grant Group:Container:Read permissions for the reviewer;

• the user has the role production in the /test.pva.vo group;

• the reviewer is granted Group:Container:Write permissions in the group /test.pva.vo, so can dismiss the production role or assign any others;

• the group /test.pva.vo is the catch-all root group and cannot be removed even with Container:Write permissions;

• the user has the roles production and tester in the /test.pva.vo/group1 group;

• the reviewer is NOT granted Group:Container:Write permissions in the /test.pva.vo/group1 group;

• the user has the role VO-Admin in the /test.pva.vo/group1/subgroup1 group;

• the reviewer is granted Group:Container:Write permissions in the /test.pva.vo/group1/subgroup1 group, so can dismiss the VO-Admin role or assign any others; the reviewer is also allowed to completely remove membership in the /test.pva.vo/group1/subgroup1 group.

Before the list of groups you can also find a control to add membership in a group. A drop-down box of the groups the user can be added to by the reviewer is shown. The user can be added to a group if Group:Container:Write permissions are allowed to the reviewer. If no unassigned groups grant Group:Container:Write permissions, the control is not displayed. Choosing a group from the drop-down list and clicking the Add to group button will grant membership in the selected group for the reviewed user.

3.2.2.1.3 Generic attributes management The Generic attributes management view allows controlling the attributes assigned to the member (Fig. 3.18).


With Attributes:Manage permissions granted, the attribute assignment form is displayed first. The form consists of a drop-down list of defined VO attributes, an input field for the attribute value and a Set an attribute button.

Clicking on the Set an attribute button applies the value to the user attribute. If the attribute was previously assigned a different value, the previous value is overwritten instead of creating a second attribute with the same name.

With Attributes:List permissions the list of assigned VO attributes is shown. Each row contains the attribute name in the first column and the attribute value in the second. If Attributes:Manage permissions are also allowed, the third column contains a delete link for attribute removal.

3.2.2.2 Manage Groups

Clicking on Groups in the left Manage menu you get redirected to the groups management interface (Fig. 3.20).

[Figure 3.20 screenshot: Groups management interface; Groups list with /test.pva.vo, /test.pva.vo/group1 delete, /test.pva.vo/group1/subgroup1 delete, /test.pva.vo/group1/subgroup2 delete, /test.pva.vo/group2 delete; 1-5 of 6 » navigation; Search groups and Create a new group controls.]

Figure 3.20: Groups management interface

You can see the Search groups button along with a filter input field at the top of the groups list. Search groups works exactly the same as Search users in section 3.2.2.1.

[Figure 3.21 screenshot: Create a new VO group form with a Parent group drop-down list (/test.pva.vo/group2 selected), a Name field and a Create! button.]

Figure 3.21: Create new group in VO

Along with the search form, the Create a new group link can be displayed when Container:Write permissions are granted. Clicking on the Create a new group link you can open the new group creation form. You need to enter the group name and select the parent group from the drop-down list of previously defined groups. Finally click on the Create! button to finish the new group creation.

The list of groups defined for the VO is displayed when Container:Read permissions are granted. The catch-all root group, whose name is equal to the VO name, cannot be removed and is displayed first in the list.


Every row in the groups list contains a clickable group name along with an optional delete link displayed only when Container:Write permissions are granted. Following the delete link you can remove the defined VO group.

[Figure 3.22 screenshot: detailed group parameters page for /test.pva.vo/group2 with the views ACL management for group /test.pva.vo/group2, Membership details for group /test.pva.vo/group2 and Generic attributes management for group /test.pva.vo/group2. The ACL management view shows an Access control list table and a Default Access control list table, each with an Add entry link and the columns Admin DN & CA, Container, Membership, ACL, Attributes, Requests, Preferences, plus edit and delete links per row. Rows of the Access control list: Any Authenticated User / Dummy Certificate Authority (r r), Andrii Salnikov / UGRID CA (rw rw rwd rw rw rw), /test.pva.vo/Role=VO-Admin / VOMS Role (rw rw r rw rw r), /test.pva.vo/group1 / VOMS Group (r r r), user1 / UGRID CA (rw r r), /test.pva.vo/group2 / VOMS Group (r r r). Rows of the Default Access control list: Any Authenticated User / Dummy Certificate Authority (r r), Andrii Salnikov / UGRID CA (rw rw rwd rw rw rw), /test.pva.vo / VOMS Group (r r r).]

Figure 3.22: Manage detail group parameters (ACLs)

Clicking on a group name in the list you get redirected to the detailed group parameters management interface (Fig. 3.22, 3.25).

The interface consists of three views: ACL management, Membership details and Generic attributes management. Every view has a minimize/maximize button on the right side of its header.

3.2.2.2.1 ACL Management The ACL Management view provides an interface to manage the ACLs of the selected group. The view can be accessed with Group:ACL:List permissions allowed.


For compatibility with EDG Java VOMS-Admin 2.0.x, the same two sorts of ACLs are implemented:

• general ACLs – used for policy enforcement for every group; apply to the current group and can be propagated to all child groups during creation; inherited on child creation when default ACLs are not defined;

• default ACLs – do not enforce any policy; used only for the inheritance process on child creation; if defined, the parent default ACL is inherited by the new child as its general ACL.

In most VO configurations there is no need to define different ACLs for children (all groups have the same ACLs as the catch-all root group). Default ACLs are not useful in this case. Default ACLs only provide the ability to redefine inheritance for complex VO internal structures with divisions of responsibility.

Global permissions (mentioned without the Group: prefix in this manual) are assigned to the catch-all root group. They are used to enforce VO general configuration restrictions, such as changing global preferences, configuring replication or approving new VO members.

Per-group permissions (mentioned with the Group: prefix in this manual) are assigned for every defined group and are used to enforce group-specific operation restrictions, such as adding to the group or assigning a role in the group.

The following permissions are supported by PHP VOMS-Admin∗:

Container:Read (1) – view information about groups and roles;

Container:Write (2) – view groups membership and roles assignment;

Membership:Read (4) – list VO users;

Membership:Write (8) – create/modify/delete VO users;

ACL:List (16) – view ACLs permissions;

ACL:Set (32) – define general ACLs permissions;

ACL:Defaults (64) – define default ACLs permissions;

Subscription:List (128) – view membership VO requests;

Subscription:Define (256) – approve/decline membership requests;

Attributes:List (512) – view assigned attributes;

Attributes:Manage (1024) – create/assign attributes;

Preferences:Read (2048) – view VO preferences options;

Preferences:Write (4096) – modify VO preferences options.

For every group the ACL management view shows the general ACLs first, then the default ACLs if any. The first ACL table column contains the admin distinguished name and CA. Admin in this case means the user identity provided for web-interface usage. The provided identity needs to match an admin record in the ACL table to be granted the corresponding permissions.

∗Permissions' numerical decimal values are shown in parentheses; adding the numerical values of each allowed action gives the total ACL numeric permissions value.


Identity check order is the following:

• the user DN and CA directly match the ACL admin identity;

• a role assigned to the member user (sorted ascending, roles in the root group first);

• a group assigned to the member user (sorted ascending, root group first);

• any authenticated user (with a valid certificate);

• absolutely anyone;

• last resort PVA server permissions.

Only Container, ACL and Attributes permissions are used to enforce per-group operations. Other permissions have global scope and are meaningful for the catch-all root group only.

HINT! It may be useful to define a default ACL that allows only the affected per-group permissions, to improve rule clarity. In this scenario new groups will not contain useless permission restrictions after creation.
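As an added example (not code from the PVA project), the following Python model encodes the permission bit values from the list above, renders the r/w/d columns of the ACL table, applies the general/default ACL inheritance rule, and resolves a requester's effective permissions in the identity check order just given. The AclEntry and Requester structures, the reading of "root group first" as shallower paths first, and the sample ACL are assumptions of this example.

```python
"""Model of PHP VOMS-Admin ACL permission values and identity check order.

Added example, not code from the PVA project: bit values, r/w/d characters
and the check order follow the manual; data structures, function names and
the sample ACL are this example's own.
"""
from dataclasses import dataclass
from typing import Optional

# Permission bit values as listed in section 3.2.2.2.1
PERMISSIONS = {
    "Container:Read": 1, "Container:Write": 2,
    "Membership:Read": 4, "Membership:Write": 8,
    "ACL:List": 16, "ACL:Set": 32, "ACL:Defaults": 64,
    "Subscription:List": 128, "Subscription:Define": 256,
    "Attributes:List": 512, "Attributes:Manage": 1024,
    "Preferences:Read": 2048, "Preferences:Write": 4096,
}

# ACL table columns and the character shown for each allowed action:
# r = read/list, w = write/set/define/manage, d = ACL:Defaults
CATEGORIES = [
    ("Container", [("Container:Read", "r"), ("Container:Write", "w")]),
    ("Membership", [("Membership:Read", "r"), ("Membership:Write", "w")]),
    ("ACL", [("ACL:List", "r"), ("ACL:Set", "w"), ("ACL:Defaults", "d")]),
    ("Attributes", [("Attributes:List", "r"), ("Attributes:Manage", "w")]),
    ("Requests", [("Subscription:List", "r"), ("Subscription:Define", "w")]),
    ("Preferences", [("Preferences:Read", "r"), ("Preferences:Write", "w")]),
]


def encode(names):
    """Total numeric ACL value: the sum of the bit values of the allowed actions."""
    return sum(PERMISSIONS[n] for n in set(names))


def render_row(value):
    """Flag string of each ACL table column, e.g. ['rw', 'rw', 'rwd', ...]."""
    return ["".join(ch for name, ch in flags if value & PERMISSIONS[name])
            for _, flags in CATEGORIES]


@dataclass(frozen=True)
class AclEntry:
    kind: str     # "user", "role", "group", "authenticated" or "anyone"
    subject: str  # "DN|CA", "/group/Role=name", "/group"; "" for the last two
    perms: int


@dataclass
class Requester:
    dn: Optional[str] = None   # None when connecting over plain HTTP
    ca: Optional[str] = None
    roles: tuple = ()          # e.g. "/test.pva.vo/Role=production"
    groups: tuple = ()         # e.g. "/test.pva.vo/group1"


def _root_first(path):
    # Assumption: "sorted ascending, root group first" means shallower paths
    # before deeper ones, then plain string order.
    return (path.count("/"), path)


def effective_permissions(acl, requester, server_default=0):
    """Resolve permissions in the manual's check order: direct DN+CA match,
    roles, groups, any authenticated user, anyone, then the PVA server's
    last-resort value."""
    table = {(e.kind, e.subject): e.perms for e in acl}
    if requester.dn is not None:
        key = ("user", f"{requester.dn}|{requester.ca}")
        if key in table:
            return table[key]
        for role in sorted(requester.roles, key=_root_first):
            if ("role", role) in table:
                return table[("role", role)]
        for group in sorted(requester.groups, key=_root_first):
            if ("group", group) in table:
                return table[("group", group)]
        if ("authenticated", "") in table:
            return table[("authenticated", "")]
    return table.get(("anyone", ""), server_default)


def child_acl(parent_general, parent_default):
    """ACL a new child group receives as its general ACL: the parent's default
    ACL when one is defined, otherwise the parent's general ACL."""
    return list(parent_default if parent_default else parent_general)


# Constructed sample ACL for one group (not a real PVA configuration)
SAMPLE_ACL = [
    AclEntry("authenticated", "", encode(["Container:Read", "Membership:Read"])),
    AclEntry("user", "/DC=org/DC=ugrid/OU=People/CN=user1|/DC=org/DC=ugrid/CN=UGRID CA",
             encode(["Container:Read", "Container:Write", "Membership:Read"])),
    AclEntry("role", "/test.pva.vo/Role=VO-Admin", encode(PERMISSIONS)),
    AclEntry("group", "/test.pva.vo/group1", encode(["Container:Read"])),
]
```

With the sample ACL, user1 gets 7 from the direct DN+CA match even though the VO-Admin role entry would grant everything, which is the point of the check order.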

Admin permissions are displayed in the next columns, one for every permissions category. The character r indicates that the read (list) action is allowed, w – write (set, define, manage). For the ACL category the character d corresponds to Group:ACL:Defaults permissions. When the character is shown the permission is allowed, otherwise it is denied.

With Group:ACL:Set permissions granted for the general ACL† you can also see the ACL management links: Add entry on the right above the ACL table, and edit and delete in every table row.

Clicking on Add entry you get redirected to the new ACL entry creation form (Fig. 3.23). First you need to select the admin identity specification method using the switch on the left. The following methods are available (from top to bottom):

• The VO user – drop-down list to select an already registered member DN and CA as the admin identity;

• The non-VO user – manually enter the identity DN and select the CA from the drop-down list;

• Anyone with role in group – use a member-assigned role as the admin identity;

• Member of the group – use group membership as the admin identity;

• Any authenticated user – any user with a certificate signed by any trusted CA.

For the selected admin identity you need to specify the applied permissions. Check-boxes are used for that purpose, one for every supported permission.

The Propagate to child contexts check-box is shown only when adding a general ACL. Checking it means that the ACL record will be created not only for the reviewed group but also for every child.

Finally click the Create button to finish the new ACL record creation. If the admin identity already exists in the ACL table, the selected permissions simply overwrite the old ones, as with editing.

Clicking on the edit link you enter the edit permissions form for the admin identity specified in the chosen row. It looks the same as the new ACL entry creation form without the identity specification. You need to set the desired permissions using the check-boxes and click the Save changes button to apply the new value.

Clicking on the delete link you can delete the chosen rule from the ACL table (Fig. 3.24). The delete ACL rule form displays the admin identity, the reviewed group (context) and the permissions numerical value. Setting the Remove also from children contexts? check-box propagates the selected rule removal to all child groups.

When all rules are deleted from a table, the table is removed completely (e.g. after removing all default ACL rules, a new child will inherit the general ACL table instead of the removed default ACL).

†Group:ACL:Defaults for default ACL
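To make the inheritance rules above concrete, here is a small model of them, added as an example and not PHP VOMS-Admin code: it reproduces what the manual states about new child groups, propagation and emptied tables, so the effect of a ticked Propagate to child contexts or a deleted default rule can be checked before it is applied to a production VO. Context paths and admin identities are labels constructed for the example, and permissions are kept as named sets because the manual does not give the bit assignment behind the numeric value shown in the delete form.

```python
"""Model of ACL context inheritance as described in section 3.2.2.2.1.

Added example, not PVA code. It implements the stated rules: a new child
copies the parent's default ACL, or the parent's general ACL when no default
table exists; "Propagate to child contexts" writes the entry into every
child; a default table emptied of rules is removed. Permissions are sets of
names such as "Container:Read"; the numeric value PVA stores is not modelled.
"""
from typing import Dict, List, Optional, Set

AclTable = Dict[str, Set[str]]   # admin identity -> granted permissions


class AclContext:
    """One VOMS group (ACL context) with its general ACL and optional default ACL."""

    def __init__(self, path: str, parent: Optional["AclContext"] = None) -> None:
        self.path = path
        self.parent = parent
        self.children: List["AclContext"] = []
        self.general: AclTable = {}
        self.defaults: Optional[AclTable] = None   # None: no default ACL table exists
        if parent is not None:
            parent.children.append(self)
            # Inherit once, at creation: the parent's default ACL if it exists,
            # otherwise the parent's general ACL.
            source = parent.defaults if parent.defaults is not None else parent.general
            self.general = {ident: set(perms) for ident, perms in source.items()}

    def descendants(self) -> List["AclContext"]:
        out: List["AclContext"] = []
        for child in self.children:
            out.append(child)
            out.extend(child.descendants())
        return out

    def add_entry(self, identity: str, perms: Set[str], propagate: bool = False) -> None:
        """Create or overwrite a general ACL entry, optionally in every child too."""
        for ctx in [self] + (self.descendants() if propagate else []):
            ctx.general[identity] = set(perms)   # overwrite, not merge, as the manual says

    def delete_entry(self, identity: str, from_children: bool = False) -> None:
        """Delete a general ACL entry, optionally from every child as well."""
        for ctx in [self] + (self.descendants() if from_children else []):
            ctx.general.pop(identity, None)

    def set_default_entry(self, identity: str, perms: Set[str]) -> None:
        """Create or overwrite a default ACL entry (no propagation option exists here)."""
        if self.defaults is None:
            self.defaults = {}
        self.defaults[identity] = set(perms)

    def delete_default_entry(self, identity: str) -> None:
        """Delete a default ACL entry; an emptied table is removed completely."""
        if self.defaults is not None:
            self.defaults.pop(identity, None)
            if not self.defaults:
                self.defaults = None

    def can(self, identity: str, perm: str) -> bool:
        return perm in self.general.get(identity, set())


def demo() -> Dict[str, bool]:
    """Walk through the cases the manual describes; all names are constructed."""
    user1 = "/DC=org/DC=ugrid/OU=People/CN=user1"
    role = "Role=production@/test.pva.vo"
    vo = AclContext("/test.pva.vo")
    vo.add_entry(user1, {"Container:Read"})
    group1 = AclContext("/test.pva.vo/group1", vo)          # copies vo.general
    vo.add_entry(role, {"Container:Read", "Container:Write"}, propagate=True)
    group2 = AclContext("/test.pva.vo/group2", vo)          # still no default table
    vo.set_default_entry("Any authenticated user", {"Container:Read"})
    group3 = AclContext("/test.pva.vo/group3", vo)          # copies vo.defaults only
    vo.delete_default_entry("Any authenticated user")       # table emptied -> removed
    group4 = AclContext("/test.pva.vo/group4", vo)          # back to copying vo.general
    return {
        "group1_copied_user1": group1.can(user1, "Container:Read"),
        "group1_got_propagated_role": group1.can(role, "Container:Write"),
        "group2_inherits_general": group2.can(role, "Container:Write"),
        "group3_only_defaults": group3.can("Any authenticated user", "Container:Read")
                                and not group3.can(role, "Container:Read"),
        "default_table_removed": vo.defaults is None,
        "group4_inherits_general_again": group4.can(role, "Container:Write"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

What the model makes visible is that inheritance is a copy taken at creation time: once a default ACL table exists, entries of the parent's general ACL stop flowing to new children, and a propagated entry reaches only the children that exist when it is added.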


Figure 3.23: Add new ACL entry (form "Add an ACL entry for context: /test.pva.vo/group1"; identity switch: The VO user /DC=org/DC=ugrid/OU=People/CN=user1, The non-VO user with CA /C=AM/O=ArmeSFo/CN=ArmeSFo CA, Anyone with role production in group /test.pva.vo, Members of the group /test.pva.vo, Any authenticated user; permission check-boxes: Container rights Read/Write, Membership rights Read/Write, ACL management rights List/Set/Defaults, Subscription management rights List/Define, Generic Attributes rights List/Manage, VO Preferences Read/Write; Propagate to children contexts? check-box)

3.2.2.2.2 Membership details The Membership details view provides a list of the current group member users. Group:Container:Read permissions are required to access the view.

The member list is the same as the list of all VO members described in section 3.2.2.1, including the search functionality (Fig. 3.25).

3.2.2.2.3 Generic attributes management This view requires Group:Attributes:List permissions to see assigned attributes and Group:Attributes:Manage permissions to assign attribute values.

The attribute management interface is exactly the same as for user attributes, described in section 3.2.2.1.3 (Fig. 3.25).


Figure 3.24: Delete ACL entry (form showing Admin contact: /test.pva.vo/group1 VOMS Group; Context: /test.pva.vo/group1; Permissions: 13; Remove also from children contexts? check-box)

Figure 3.25: Manage detail group parameters (membership and attributes): views ACL management for group /test.pva.vo/group1, Membership details for group /test.pva.vo/group1 (Search users filter; member user1, UGRID CA, 1-1 of 1) and Generic attributes management for group /test.pva.vo/group1 (Set an attribute form with Attribute and Attribute value fields; assigned attribute department = "parallel computing lab" with delete link)

3.2.2.3 Manage Roles

Clicking on the Roles link in the left Manage menu you get redirected to the roles management interface (Fig. 3.26).

The roles management interface works exactly the same as groups management, described in section 3.2.2.2.

Access is likewise controlled via the Container:Read and Container:Write permissions. Clicking on the Create a new role link opens the new role creation form. You just need to enter the new role name and click the Create! button to define the role.

The role name in the list is clickable and leads to the detailed role parameters management interface (Fig. 3.27).


Figure 3.26: Roles management interface (roles production, tester and VO-Admin, each with a delete link; 1-3 of 3; Search role filter; Create a new role link)

Figure 3.27: Manage detail role parameters (Membership details for role production: group drop-down /test.pva.vo, Search users with role production in selected group, member user1, UGRID CA with Dismiss role link; Generic attributes management for role production: Group, Attribute and Attribute value fields with Set an attribute button; assigned attribute priority = 68 in group /test.pva.vo/group1 with delete link)

The interface consists of two views: Membership details and Generic attributes management. Every view has a minimize/maximize button on the right side of its header.

3.2.2.3.1 Membership details The Membership details view displays the list of VO members that have the reviewed role assigned in some group (Fig. 3.27).

The Search users button reloads the user list according to the applied filter. The filter contains not only an input field (like the general user search described in 3.2.2.1) but also a drop-down list of groups: a role can only be assigned within some group, like a job position in some department. The drop-down group list contains only groups for which Group:Container:Read permissions are granted.

After the search is applied, the list of users is shown. It looks similar to the general user list described in section 3.2.2.1: the clickable user common name leads to the detailed user management interface, and the Dismiss role link allows dismissing the current role in the selected group if Group:Container:Write permissions are granted.

3.2.2.3.2 Generic attributes management The Generic attributes management view differs from the one described in section 3.2.2.1.3 only by the manual group specification. In figure 3.27 you can see the drop-down list of groups used to select the exact container for attribute assignment.

The list of applied attributes also contains a Group name field.

Access to role attributes management is controlled on a per-group basis. Group permissions are enforced separately for every group selected or shown, depending on the Group:Attributes:List and Group:Attributes:Manage permissions.

3.2.2.4 Manage Attributes

Clicking on the Attributes link in the left Manage menu you get redirected to the attribute management interface (Fig. 3.28).

Figure 3.28: Attributes management interface (table of assigned user attributes with columns Attribute name, Attribute value, User DN & CA: nickname = uuu1 for user1, UGRID CA; nickname = manf for Andrii Salnikov, UGRID CA; priority = 100 for maggie/grid.org.ua, Testbed CA; priority = 68 for Andrii Salnikov, UGRID CA; 1-4 of 4; Search user attributes button; Manage attribute classes link)

With Attributes:List permissions granted you can see the assigned general user attributes listed. The table contains the following columns:

• Attribute name – defined name of the attribute;

• Attribute value – value of the assigned attribute;

• User DN & CA – the member the attribute is assigned to; the member common name is clickable, leading to the detailed user management interface (see section 3.2.2.1).

The Search user attributes button, along with a filter input field, is located at the top of the assigned attributes list. Attribute search works exactly the same as the Search users function described in section 3.2.2.1.

With Attributes:Manage permissions granted you can see and follow the Manage attribute classes link. Clicking the link you enter the management interface for the attributes defined in the VO (Fig. 3.29).

The interface first provides a form for defining a new attribute. You need to enter the attribute name, a human-readable attribute description (something like its usage purpose) and optionally check the Unique constraint check-box. With the unique constraint enabled you cannot assign equal values of that attribute to different users (groups or roles). Clicking on the Create! button defines the new attribute for the VO.

Entering an existing attribute name lets you change the attribute description instead of creating a new one. The unique constraint cannot be changed for already defined attributes.


Figure 3.29: Manage defined VO attributes (Create a new attribute description form with Attribute name, Attribute description, Unique constraint and Create!; defined attributes table with columns Attribute name, Attribute value, Unique check: nickname = "user screenname", false; department = "Name of actual organization unit", false; priority = "internal scheduler priority", false; each row with a delete link)

The list of already defined attributes is shown after the new attribute definition form. All information, including the description and the unique flag, is displayed. Each row contains a delete link that deletes the defined attribute along with all its assignments.

3.2.3 Configuration

Clicking the Configuration link in the menu you can browse the VO configuration settings (Fig. 3.30). Browsing the configuration is allowed for every client, including unauthenticated ones.

The VO configuration page provides the permanent link to the PHP VOMS-Admin interface for this VO, the vomses string for credential retrieval clients, the trust chain for the list-of-certificates (.lsc) file used for VOMS AC verification on both client and server side, and example mkgridmap and nordugridmap configurations to build the grid-mapfile for this VO.

When replication is established between several PHP VOMS-Admin instances, the vomses and utility configurations automatically include all replicas. This configuration keeps clients working when one of the servers becomes unavailable.

When you are successfully authenticated and granted Preferences:Write permissions, the reread credentials link is shown (Fig. 3.31). Since version 0.6 the vomses information is retrieved directly from the database, without looking up the actual certificate DN stored on disk. The same holds for the .lsc information since PVA 0.6.7. When you change the signing certificate of the voms-server you therefore need to instruct PVA to reread credentials and recreate the vomses string stored in the database, by clicking the reread credentials link; until then the published vomses string and .lsc chain still describe the old certificate.
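The following check, added here as an example and not part of PHP VOMS-Admin, reads vomses lines and .lsc files in the formats shown on the configuration page and reports vomses entries whose server DN does not match the first DN of the corresponding .lsc chain, which is the state a client is left in when the signing certificate was replaced but the stored vomses string was not reread. The sample vomses lines and the voms.grid.org.ua chain are taken from Figure 3.30; the .lsc content for moldyngrid.org, the stale chain and the keying of .lsc files by host name are constructed assumptions.

```python
"""Consistency check of the VOMS client trust configuration a VO publishes.

Added example, not PVA code: cross-checks vomses entries ("alias" "host"
"port" "server DN" "vo") against .lsc files (one DN per line, server subject
first, then its issuers) the way a client-side pre-flight would.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample: the two vomses lines shown in Figure 3.30.
VOMSES_SAMPLE = """
"moldyngrid" "voms.grid.org.ua" "15110" "/DC=org/DC=ugrid/O=hosts/O=KNU/CN=grid.org.ua" "moldyngrid"
"moldyngrid" "moldyngrid.org" "15110" "/DC=org/DC=ugrid/O=hosts/O=IMBG/CN=moldyngrid.org" "moldyngrid"
"""

# Constructed sample .lsc files keyed by host, as they would lie under
# /etc/grid-security/vomsdir/<vo>/<host>.lsc (assumed layout). The first
# entry is the chain shown in Figure 3.30; the second is assumed.
LSC_SAMPLE: Dict[str, str] = {
    "voms.grid.org.ua": "/DC=org/DC=ugrid/O=hosts/O=KNU/CN=grid.org.ua\n/DC=org/DC=ugrid/CN=UGRID CA\n",
    "moldyngrid.org": "/DC=org/DC=ugrid/O=hosts/O=IMBG/CN=moldyngrid.org\n/DC=org/DC=ugrid/CN=UGRID CA\n",
}

# Constructed stale chain: what a client still holds after the signing
# certificate of voms.grid.org.ua was replaced and nothing was refreshed.
LSC_STALE: Dict[str, str] = dict(LSC_SAMPLE)
LSC_STALE["voms.grid.org.ua"] = (
    "/DC=org/DC=ugrid/O=hosts/O=KNU/CN=old.grid.org.ua\n/DC=org/DC=ugrid/CN=UGRID CA\n"
)

Entry = Dict[str, str]


def parse_vomses(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse vomses lines; returns well-formed entries and problems for the rest."""
    entries: List[Entry] = []
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # honours the double-quoted fields
        if len(fields) not in (5, 6):       # optional sixth field: globus version
            problems.append(f"vomses line {lineno}: expected 5 or 6 quoted fields, got {len(fields)}")
            continue
        alias, host, port, dn, vo = fields[:5]
        if not (port.isdigit() and 0 < int(port) < 65536):
            problems.append(f"vomses line {lineno}: invalid port {port!r}")
            continue
        if not dn.startswith("/"):
            problems.append(f"vomses line {lineno}: server DN {dn!r} is empty or not in slash form")
            continue
        entries.append({"alias": alias, "host": host, "port": port, "dn": dn, "vo": vo})
    return entries, problems


def parse_lsc(text: str) -> List[str]:
    """Return the DNs of a .lsc file: server subject first, then issuer chain."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def check_trust_config(vomses_text: str, lsc_files: Dict[str, str]) -> List[str]:
    """Cross-check vomses entries against .lsc chains; an empty list means they agree."""
    entries, problems = parse_vomses(vomses_text)
    for e in entries:
        lsc_text = lsc_files.get(e["host"])
        if lsc_text is None:
            problems.append(f"{e['host']}: no .lsc file for this vomses entry")
            continue
        chain = parse_lsc(lsc_text)
        if len(chain) < 2:
            problems.append(f"{e['host']}: .lsc must list the server DN and at least one issuer DN")
            continue
        if chain[0] != e["dn"]:
            problems.append(f"{e['host']}: vomses DN {e['dn']!r} differs from .lsc server DN {chain[0]!r}")
    return problems


if __name__ == "__main__":
    for label, files in (("current", LSC_SAMPLE), ("stale", LSC_STALE)):
        print(label, check_trust_config(VOMSES_SAMPLE, files) or "OK")
```

On the server itself the stored string should also be compared with the live signing certificate, for instance with openssl x509 -noout -subject -nameopt compat on the voms-server host certificate (the compat option keeps the slash-separated form used in vomses); a difference there is the signal that reread credentials has to be clicked.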

3.2.4 Subscriptions

The Subscriptions link is shown in the menu when Requests:List permissions are granted. The link leads to the subscriptions management interface (Fig. 3.32).


The configuration page for VO moldyngrid, as seen by an unauthenticated client ("Current user: use HTTPS for authentication"), shows:

PHP VOMS-Admin URL for this VO:
https://voms.grid.org.ua/voms/moldyngrid

VOMSES string for this VO:
"moldyngrid" "voms.grid.org.ua" "15110" "/DC=org/DC=ugrid/O=hosts/O=KNU/CN=grid.org.ua" "moldyngrid"
"moldyngrid" "moldyngrid.org" "15110" "/DC=org/DC=ugrid/O=hosts/O=IMBG/CN=moldyngrid.org" "moldyngrid"

Trust chain for VOMS server (voms.grid.org.ua.lsc):
/DC=org/DC=ugrid/O=hosts/O=KNU/CN=grid.org.ua
/DC=org/DC=ugrid/CN=UGRID CA

Example Mkgridmap configuration for this VO:
group voms://voms.grid.org.ua/voms/moldyngrid .moldyngrid
group voms://moldyngrid.org/voms/moldyngrid .moldyngrid

Example ARC [vo] block configuration for the nordugridmap utility:
[vo]
vo="moldyngrid"
source="vomss://voms.grid.org.ua/voms/moldyngrid"
source="vomss://moldyngrid.org/voms/moldyngrid"
mapped_unixid=".moldyngrid"
file="/etc/grid-security/grid-mapfile"

Figure 3.30: Browsing VO configuration

Figure 3.31: Reread signing certificate information (the same configuration page as Figure 3.30, viewed by an authenticated user with Preferences:Write permissions; the "VOMSES string for this VO" heading carries the (reread credentials) link)

3.2.4.1 Pending requests

By default you will see the Pending requests view of subscriptions management (Fig. 3.32). Confirmed user membership requests in the pending state are shown line by line. The approve and reject links at the right end of every line are shown to VO managers with Requests:Set permissions.

Clicking the approve link approves the user's membership request: a new VO user is created, the request is moved to the Processed requests list and the user is notified about the approval.

Figure 3.32: Subscription pending requests (left menu See: Pending requests, Processed requests; Pending VO Membership requests list with one entry, Andrii Salnikov, Testbed CA, with approve and reject links)

Clicking the reject link rejects the user's membership request: the request is moved to the Processed requests list and the user is notified about the rejection.

Figure 3.33: Subscription pending requests details (Detailed view of VO membership request: Submission date 2011-06-10 12:15:57; User DN /C=UA/O=KNU/OU=People/CN=Andrii Salnikov; User CA /C=UA/O=KNU/CN=Testbed CA; User CN Andrii Salnikov; User email address [email protected]; Institute Taras Shevchenko National University of Kyiv; User phone +3804411122233; Comment empty; legend "You can reject or approve this request for membership")

The user name in the pending requests list is also clickable, giving access to the membership request details (Fig. 3.33). User contact information (e-mail, institute and phone), the submission date and the credentials are shown in the detailed view.

If you are granted Requests:Set permissions you also see the legend You can reject or approve this request for membership, in which the approve and reject links are clickable and have the same effect as described above.


3.2.4.2 Processed requests

Clicking the Processed requests link in the left menu you can see the list of processed VO membership requests (Fig. 3.34).

Figure 3.34: Processed VO membership requests (two entries for Andrii Salnikov, Testbed CA: one rejected, one approved)

The processed requests list is similar to the pending requests list, displaying the names of the processed users on the left and the decision taken (approved or rejected) on the right.

Clicking a user name leads to the membership request details view, which contains the same information as for pending requests (Fig. 3.33). In addition to the basic request info, the decision taken and the request evaluation date are shown for already processed requests.

Viewing processed requests also requires Requests:List permissions.

3.2.5 Preferences

The Preferences link is shown in the menu when Preferences:Read permissions are granted. The link leads to the control interface for the different preference options. By default the display preferences are shown.

3.2.5.1 Display

Display preferences handle VO-specific values that affect how information about the VO is displayed. Without Preferences:Write permissions you see a read-only view of the options (Fig. 3.35).

The display options control the VO description (shown on the List served VOs general operations page), the VO homepage URL (home icon on List served VOs), the VO usage rules link (shown when filling in the new member registration form) and the default CA – the default value for the DN of the certification authority, used when manually adding new users.

When Preferences:Write permissions are granted you can edit the VO display preferences. The edit interface is shown in figure 3.36. The VO description, the URL of the VO homepage and the usage rules link can be edited directly in the corresponding edit-box. The default CA can be chosen from the trusted CA list with a drop-down control.

There is also a Member registration control to enable or disable handling of registration requests from new users.

After changing the display preferences you need to click the Update button for the changes to take effect.

3.2.5.2 Transactions

Clicking the Transactions link in the preferences options menu you get redirected to the transactions logging view. At the top of the page a status message indicates whether transaction logging is enabled or not.

If you are granted Preferences:Write permissions, a link to change the transactions logging status is shown along with the status message (Fig. 3.37).


Figure 3.35: Read-only VO display preferences (left menu Options: Display, Transactions, Replication, Event Log; VO test.pva.vo display preferences: VO description "PVA testing VO", Homepage URL http://grid.org.ua/development/pva, VO usage rules link http://www.apache.org/licenses/LICENSE-2.0, Default CA /C=UA/O=KNU/CN=Testbed CA, Member registration Enabled; the page notes that these parameters can be changed at any time on demand of the VO administrator)

Figure 3.36: Edit VO display preferences (the same fields as in Figure 3.35 as editable controls, with an Update button)

Replication relies on transaction logging. You cannot disable transaction logging while at least one replication agreement is established.

When the transaction log is enabled, the transaction log viewer (Fig. 3.38) is displayed after the status message.

The transaction log viewer lists all recorded transactions in a table sorted by commit time in descending order. Only operations that change database content are invoked inside transactions and thus logged. Read-only operations, such as SOAP requests or information access, are not logged, so this viewer gives no record of who read VO data.


Figure 3.37: Enabling transactions logging (VO test.pva.vo transaction logging preferences: "Transaction log is now disabled. (enable)")

The transaction log viewer for VO testbed.univ.kiev.ua ("Transaction log is now enabled. (disable)"; the page states that only transactional operations changing database content are listed and that read-only operations such as SOAP requests or information access are not logged) shows rows with the columns Transaction time | Performed by | Operation description:

2011-03-02 21:11:12 | Ievgen Sliusar from Local PHP VOMS-Admin | Membership request for user 'BorysenkoAndrii' validated by 'Testbed CA' has been accepted
2011-03-02 20:48:17 | BorysenkoAndrii from Local PHP VOMS-Admin | Membership request confirmed by user 'BorysenkoAndrii' validated by 'Testbed CA'
2011-03-02 20:47:33 | BorysenkoAndrii from Local PHP VOMS-Admin | New membership request from user 'BorysenkoAndrii' validated by 'Testbed CA'
2011-02-25 14:00:49 | Ievgen Sliusar from Local PHP VOMS-Admin | Grant membership for user 'Oleksandr Sudakov' in group '/testbed.univ.kiev.ua' with role 'VO-Admin'
2011-02-25 14:00:25 | Ievgen Sliusar from Local PHP VOMS-Admin | Membership request for user 'Oleg Bezshyyko' validated by 'Testbed CA' has been accepted
2011-02-25 13:59:16 | Oleg Bezshyyko from Local PHP VOMS-Admin | Membership request confirmed by user 'Oleg Bezshyyko' validated by 'Testbed CA'
2011-02-25 13:56:36 | Oleg Bezshyyko from Local PHP VOMS-Admin | New membership request from user 'Oleg Bezshyyko' validated by 'Testbed CA'
2011-02-11 15:34:02 | Andrii Salnikov from moldyngrid.org | Variable 'vomses_moldyngrid_org' stored with value '"testbed.univ.kiev.ua" "moldyngrid.org" "15100" "/DC=org/DC=ugrid/O=hosts/O=IMBG/CN=grid.imbg.org.ua" "testbed.univ.kiev.ua"' inside transaction
2011-02-11 15:34:02 | Andrii Salnikov from moldyngrid.org | Variable 'vomses_moldyngrid_org' stored with value '"testbed.univ.kiev.ua" "moldyngrid.org" "15100" "/DC=org/DC=ugrid/O=hosts/O=IMBG/CN=grid.imbg.org.ua" "testbed.univ.kiev.ua"' inside transaction
2011-02-11 15:34:02 | Andrii Salnikov from chimera.biomed.kiev.ua | Variable 'vomses_chimera_biomed_kiev_ua' stored with value '"testbed.univ.kiev.ua" "chimera.biomed.kiev.ua" "15123" "" "testbed.univ.kiev.ua"' inside transaction

« newer | older »

Figure 3.38: Transactions log viewer

The table has three columns:

• Transaction time – the date and time of the transaction;

• Performed by – who performed the operation and from where; Local PHP VOMS-Admin indicates that the transaction was performed on this server, while the FQDN of a replica server is displayed instead when multi-master replication is established and the transaction was performed on that replica (moldyngrid.org and chimera.biomed.kiev.ua in figure 3.38);

• Operation description – human-readable description of the operation performed inside the transaction.

At the bottom right of the table the links newer and older are displayed. They allow navigating the transaction log, displaying older or newer transactions.
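The viewer has no alerting of its own, so the following script, added as an example and not PVA code, shows how an operator can audit exported transaction rows: it parses the three columns, splits Performed by into actor and origin, and flags grants of a privileged role as well as database-changing variable stores that came from a replica rather than from the local instance. The rows are constructed from the entries visible in figure 3.38 as tab-separated text; the export format is an assumption since the manual only describes the viewer, and treating VO-Admin as the privileged role is an assumption based on the roles listed in figure 3.26.

```python
"""Audit of exported PHP VOMS-Admin transaction log rows.

Added example, not PVA code. Input rows carry the viewer's three columns
separated by tabs: transaction time, "actor from origin", description.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Set, Tuple

LOCAL_ORIGIN = "Local PHP VOMS-Admin"
PRIVILEGED_ROLES: Set[str] = {"VO-Admin"}   # assumption: the VO's manager role name

# Constructed sample rows, taken from the entries visible in figure 3.38.
LOG_SAMPLE = (
    "2011-03-02 21:11:12\tIevgen Sliusar from Local PHP VOMS-Admin\t"
    "Membership request for user 'BorysenkoAndrii' validated by 'Testbed CA' has been accepted\n"
    "2011-02-25 14:00:49\tIevgen Sliusar from Local PHP VOMS-Admin\t"
    "Grant membership for user 'Oleksandr Sudakov' in group '/testbed.univ.kiev.ua' with role 'VO-Admin'\n"
    "2011-02-25 13:56:36\tOleg Bezshyyko from Local PHP VOMS-Admin\t"
    "New membership request from user 'Oleg Bezshyyko' validated by 'Testbed CA'\n"
    "2011-02-11 15:34:02\tAndrii Salnikov from moldyngrid.org\t"
    "Variable 'vomses_moldyngrid_org' stored with value '\"testbed.univ.kiev.ua\" \"moldyngrid.org\" "
    "\"15100\" \"/DC=org/DC=ugrid/O=hosts/O=IMBG/CN=grid.imbg.org.ua\" \"testbed.univ.kiev.ua\"' "
    "inside transaction\n"
)

PERFORMED_BY = re.compile(r"^(?P<actor>.+?) from (?P<origin>.+)$")
ROLE_GRANT = re.compile(r"^Grant membership for user '(?P<user>[^']+)' in group '(?P<group>[^']+)' "
                        r"with role '(?P<role>[^']+)'$")
VAR_STORE = re.compile(r"^Variable '(?P<name>[^']+)' stored with value '(?P<value>.*)' inside transaction$")


@dataclass
class Transaction:
    time: datetime
    actor: str
    origin: str        # LOCAL_ORIGIN or the FQDN of the replica that performed it
    description: str


def parse_log(text: str) -> List[Transaction]:
    """Parse tab-separated viewer rows into Transaction records."""
    rows: List[Transaction] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split("\t", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated columns")
        when, who, desc = parts
        m = PERFORMED_BY.match(who)
        if m is None:
            raise ValueError(f"line {lineno}: unparsable 'Performed by' column {who!r}")
        rows.append(Transaction(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                                m["actor"], m["origin"], desc))
    return rows


Finding = Tuple[str, str, str, str]   # (rule, time, "actor @ origin", detail)


def audit(rows: List[Transaction], privileged_roles: Set[str] = PRIVILEGED_ROLES) -> List[Finding]:
    """Return findings for privileged role grants and replica-originated variable stores."""
    findings: List[Finding] = []
    for t in rows:
        who = f"{t.actor} @ {t.origin}"
        when = t.time.strftime("%Y-%m-%d %H:%M:%S")
        g = ROLE_GRANT.match(t.description)
        if g and g["role"] in privileged_roles:
            findings.append(("privileged-role-grant", when, who,
                             f"{g['user']} given role {g['role']} in {g['group']}"))
        v = VAR_STORE.match(t.description)
        if v and t.origin != LOCAL_ORIGIN:
            # Replica writes are expected under replication, but a vomses string
            # rewritten by a peer changes what every client of this VO trusts.
            findings.append(("remote-variable-store", when, who, f"{v['name']} = {v['value']}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(LOG_SAMPLE)):
        print(" | ".join(finding))
```

Run against a real export, the two rules give a short list worth reviewing after every sync: who obtained a VO manager role, and which peers rewrote the published vomses strings.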

3.2.5.3 Replication

Clicking the Replication link in the preferences options menu you can browse the replication status and change the replication preferences. More information about the replication process and its security internals can be found in section 5.2.

3.2.5.3.1 Overview replication details A replication status message is displayed first and indicates whether replication agreements exist or not.

Figure 3.39: Replication status (no agreements established) (VO test.pva.vo replication preferences: "VO database replication is now disabled. (enable)")

If no replication agreements exist, the status shows that replication is disabled (Fig. 3.39). When Preferences:Write permissions are granted you see an enable link. Clicking the link redirects you to the form for establishing a new agreement. When agreements already exist, the same form is reached by following the Create new replication agreement link (Fig. 3.41).

Replication relies on transaction logging. You cannot establish replication without enabling the transaction log.

There is no explicit disable replication link; replication is disabled automatically when all agreements are removed.

Without Preferences:Write permissions you can only browse the agreement status here (Fig. 3.40). The configured replication (transaction syncing) interval is shown, followed by the list of replication agreements.

The list of established agreements has two columns – the replica server distinguished name and the syncing status. The syncing status reflects the success of syncing within the established agreement and has one of the following values:

• UNCONFIRMED – initial state of a new agreement before peer confirmation;

• INITIALIZED – agreement confirmed, but no sync performed yet;

• LAST SYNC – successful syncing (the time of the last sync operation is shown);

• LAST SYNC – shown when there has been no successful sync during three syncing intervals (the time of the last successful sync operation is shown).

With Preferences:Write permissions granted you are able to change the syncing interval by clicking the edit link that appears (Fig. 3.41). The link enables a drop-down list of possible syncing intervals, allowing you to choose one according to the frequency of operations.


Figure 3.40: Replication status (with agreements established, read-only) (VO testbed.univ.kiev.ua replication preferences: "VO database replication is now enabled. Sync with other servers every 30 minutes."; List of replication agreements: /DC=org/DC=ugrid/O=hosts/O=IMBG/CN=moldyngrid.org – LAST SYNC: 2011-04-22 19:09:01; /DC=org/DC=ugrid/O=hosts/O=NSCMBR/CN=chimera.biomed.kiev.ua – LAST SYNC: 2011-06-12 21:26:02)

Figure 3.41: Replication status (with agreements established) (the same view as Figure 3.40 with the (edit) link next to the syncing interval and the Create new replication agreement link below the list)

HINT for the VOMS server administrator! You can verify that replication is enabled for a VO, and check the configured transaction syncing interval, from the server shell by reviewing the crontab of the web-server user. For example:

[root@pva-server ~]# crontab -l -u apache
13,33,53 * * * * (cd /usr/share/pva && php modules/cron.php moldyngrid) >/dev/null
24,54 * * * * (cd /usr/share/pva && php modules/cron.php testbed.univ) >/dev/null

The replica server distinguished name is clickable; the link leads to the replication agreement details (Fig. 3.42). The details shown for the replica DN are:

• Agreement code – this server's agreement code, used to authorize on the peer (see 3.2.5.3.2);

• Server endpoint – URL of the replica server endpoint for this VO;

• Endpoint IP address – IPv4 address of the endpoint server, used for peer authentication;


Figure 3.42: Replication agreement details (Agreement details for /DC=org/DC=ugrid/O=hosts/O=NSCMBR/CN=chimera.biomed.kiev.ua: Agreement code 9D3SZ75SNNRNFP5Z (remove agreement); Server endpoint https://chimera.biomed.kiev.ua/voms/testbed.univ.kiev.ua/; Endpoint IP address 194.44.249.81; Agreement status LAST SYNC: 2011-06-13 12:24:02; Replicant code D9Q8MFANAEAYOHOH (edit))

• Agreement status – agreement syncing status (the same values as described above);

• Replicant code – the remote server's agreement code, used for peer authentication.

If you are granted Preferences:Write permissions you also see a remove agreement link opposite the agreement code and an edit link opposite the replicant code (Fig. 3.42).

Clicking the remove agreement link you are warned that your VO database may be out of sync after the agreement removal and asked for confirmation. After confirmation the agreement is removed.

Removing a replication agreement does not remove the agreement information from the transactions log; you can still review the source of each transaction.

Clicking the edit link you can change the remote server's agreement code used for peer authentication. This is useful in case of remote server reinstallation: you are able to change the agreement code without removing the whole agreement and creating it from scratch.

Changing the agreement code resets the agreement status to UNCONFIRMED. That means the database on the consumer needs to be completely rewritten (see section 3.2.5.3.2). This is definitely the desired action on PVA reinstallation. Such behaviour has another useful consequence: you can deliberately reset an agreement to the UNCONFIRMED state to force a database rewrite in case of any bugs with transaction syncing.

3.2.5.3.2 Establishing replication agreement To establish the first replication agreement you need to follow the enable link (Fig. 3.39) on both PHP VOMS-Admin servers involved. You need Preferences:Write permissions granted to proceed.

The agreement establishing process sets the parameters required for peer authorization. You should enter the following parameters (Fig. 3.43):

• Replicant DN – distinguished name of the peer PVA server certificate;

• Replicant CA – distinguished name of the certification authority that signed the peer PVA server certificate;

• Server endpoint – FQDN of the PVA peer server;

• Replicant code – authorization code from the Agreement code field in the peer PVA server configuration.

[Figure 3.43 (screenshot) shows the form VO testbed.univ.kiev.ua replication preferences » Create agreement with new replicant, with the fields Agreement code, Replicant DN, Replicant CA, Server endpoint and Replicant code and the Create button. The on-page text reads: fill the form to establish a new replication agreement, open the same window on the replicant and cross-enter agreement codes; creating an agreement does not enable replication itself, but is required for replicant authorization; for a “full-mesh” replication between more than two servers, replication agreements must be established on every server to every other server.]

Figure 3.43: New replication agreement form

To successfully establish an agreement you need to cross-enter the agreement codes on both peers.

Creating an agreement does not enable replication itself. Clicking the Create button puts the new agreement into the UNCONFIRMED state. This state indicates that the agreement record has been created in the database, but the peer confirmation procedure has not completed yet.

To proceed with peer confirmation you need to open the UNCONFIRMED replication agreement details (by clicking on the replica server DN in the list of replication agreements).

With Preferences:Write permissions granted you can see the confirmation instructions (Fig. 3.44). During the confirmation process the replicant agreement code is used for authorization, to ensure that the code is valid. The second purpose of the confirmation process is to ensure that the database content is the same on both peers. To achieve identical database content, a complete database refill is used.

You need to proceed with database refilling to confirm the replication agreement. So now you need to choose which PVA instance is the information consumer and which is the producer. Naturally, the PVA that has already served the VO for some time and contains information is the producer, and the newly established replica is the consumer. When a VO installs several PVA instances from scratch, it does not matter which one is the consumer.

First, you need to confirm the consumer. Set the Overwrite local database with replicant data check-box and click the Confirm button on the consumer instance. After the database refill the message “Congratulations! Database was successfully filled with replicant data. Replication with this peer has entered active state.” is shown and the agreement state changes to INITIALIZED.

Then go to the producer agreement confirmation page and just click the Confirm button WITHOUT setting the check-box. The “Agreement successfully confirmed.” message appears and the agreement state changes to INITIALIZED.

You CANNOT confirm the producer before the consumer; you will get the error message “Agreement confirmation failed (remote or this instance does not consume database)”.

[Figure 3.44 (screenshot) shows the page VO testbed.univ.kiev.ua replication preferences » Agreement details for an UNCONFIRMED agreement: Agreement code (with remove agreement link), Server endpoint, Endpoint IP address, Agreement status, Replicant code (with edit link), the Confirm button and the check-box Overwrite local database with replicant data. The on-page instructions read: this agreement requires confirmation; confirmation ensures that the replicant code is valid and may be used for regular transaction synchronization; to begin transaction synchronization the databases on the different PVA instances must be identical, for which the consumer PVA instance must completely rewrite its own database with the provider's data; if this instance is to be the consumer, set the check-box to completely refill the database. ATTENTION! Backing up the current consumer database before rewriting is STRONGLY recommended. ATTENTION! After a database refill you may lose your administrator privileges. If you have already acted as the consumer for another replicant in a multi-replica environment and already took part in transaction synchronization, you may omit database refilling.]

Figure 3.44: Confirm replication agreement

3.2.5.3.3 Add more replication agreements Further replication agreements can be established by following the Create new replication agreement link (Fig. 3.41) on both PHP VOMS-Admin servers involved. You need Preferences:Write permissions granted to proceed.

Follow the procedure described in section 3.2.5.3.2 to reach the UNCONFIRMED state. Then you need to confirm replicants sequentially, to ensure safety in a multi-replica environment.

Generally speaking, agreement confirmation succeeds if one of the following holds:

• database refilling was requested;

• the replicant on the other end of the agreement has already confirmed (with the refilling procedure);

• you already have confirmed active agreements.

Let us examine an example configuration: the 1st PVA server contains the original working database, and we want to establish the 2nd and 3rd servers as full-mesh replicas.

The following confirmation sequence ensures safety:

• consume the database from the 1st, confirming the agreement on the 2nd;

• confirm the agreement to the 2nd on the 1st (the 2nd has already confirmed this agreement);

• consume the database from the 1st, confirming the agreement on the 3rd;

• confirm the agreement to the 3rd on the 1st (the 3rd has already confirmed this agreement);

• confirm the agreement to the 3rd on the 2nd (the 2nd already has a confirmed agreement);

• confirm the agreement to the 2nd on the 3rd (the 3rd already has a confirmed agreement).
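The confirmation rules above, modelled as a small state machine. This is an added example, not PVA code: the server names, the simplified database content and the data structures are this example's own; the three rules for a successful confirmation, the UNCONFIRMED/INITIALIZED states, the error message and the six-step full-mesh sequence are taken from the manual.

```python
"""Model of the PHP VOMS-Admin replication agreement confirmation rules.

Added example, not code from the PVA project. It encodes the rules stated in
the manual: a consumer confirms with a database refill, a producer may confirm
only after its peer has consumed its database, and a server that already holds
an active agreement may confirm further agreements without refilling.
"""
from dataclasses import dataclass, field

UNCONFIRMED = "UNCONFIRMED"
INITIALIZED = "INITIALIZED"


class ConfirmationError(Exception):
    """Raised with the message the web interface shows on a refused confirmation."""


@dataclass
class Server:
    name: str
    agreements: dict = field(default_factory=dict)   # peer name -> agreement status
    refilled_from: set = field(default_factory=set)  # peers whose data we consumed
    database: set = field(default_factory=set)       # simplified VO database content

    def has_active_agreement(self) -> bool:
        return INITIALIZED in self.agreements.values()


def create_agreement(a: Server, b: Server) -> None:
    """Cross-entering agreement codes leaves an UNCONFIRMED record on both servers."""
    a.agreements[b.name] = UNCONFIRMED
    b.agreements[a.name] = UNCONFIRMED


def confirm(local: Server, peer: Server, refill: bool) -> str:
    """Confirm the agreement with `peer` on `local`; `refill` is the check-box."""
    if local.agreements.get(peer.name) != UNCONFIRMED:
        raise ConfirmationError("no UNCONFIRMED agreement with %s" % peer.name)
    if refill:
        # Consumer side: completely rewrite own database with the replicant's data.
        local.database = set(peer.database)
        local.refilled_from.add(peer.name)
    elif local.name in peer.refilled_from or local.has_active_agreement():
        pass  # producer side, or a server already taking part in syncing
    else:
        raise ConfirmationError("Agreement confirmation failed "
                                "(remote or this instance does not consume database)")
    local.agreements[peer.name] = INITIALIZED
    return INITIALIZED


def change_agreement_code(local: Server, peer: Server) -> None:
    """Editing the replicant code resets the agreement to UNCONFIRMED."""
    local.agreements[peer.name] = UNCONFIRMED
    local.refilled_from.discard(peer.name)


def full_mesh_three_servers() -> dict:
    """Run the safe confirmation sequence from the manual and return the servers."""
    s1 = Server("pva1", database={"user-a", "user-b", "user-c"})  # original DB
    s2, s3 = Server("pva2"), Server("pva3")                         # fresh replicas
    for a, b in ((s1, s2), (s1, s3), (s2, s3)):
        create_agreement(a, b)
    confirm(s2, s1, refill=True)    # consume from the 1st, confirming on the 2nd
    confirm(s1, s2, refill=False)   # 1st confirms to the 2nd (2nd already consumed)
    confirm(s3, s1, refill=True)    # consume from the 1st, confirming on the 3rd
    confirm(s1, s3, refill=False)   # 1st confirms to the 3rd (3rd already consumed)
    confirm(s2, s3, refill=False)   # 2nd already has an active agreement
    confirm(s3, s2, refill=False)   # 3rd already has an active agreement
    return {"pva1": s1, "pva2": s2, "pva3": s3}


if __name__ == "__main__":
    for s in full_mesh_three_servers().values():
        print(s.name, s.agreements, sorted(s.database))
```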

3.2.5.4 Event Log

Clicking on the Event Log link in the preferences options menu you get redirected to the deferred operations event log viewer. For processes that work outside the browser interface, the event log is the VO administrator's means to take notice of possible errors that happened.

In version 0.6 only the replication process is a deferred operation, utilizing the cron daemon to perform regular transaction syncing operations. Looking forward, not only replication errors may be logged, but also security incidents or debug messages, for example.

[Figure 3.45 (screenshot) shows the VO management page of VO testbed.univ.kiev.ua with the notification “PVA needs your attention! There are 375 unhandled log events in the queue.” displayed above the user list.]

Figure 3.45: New log events notification on VO management

When Preferences:Write permissions are granted, on entering the base PHP VOMS-Admin URL for the VO you will see the notification shown in figure 3.45 whenever unhandled events are present in the log.

The event log viewer shows the following information (Fig. 3.46):

• Subsys – indicates the PHP VOMS-Admin subsystem where the event occurred. The subsystem is prepended by the message log level character; the meaning of the log level characters is listed below. In version 0.6 only the Replication subsystem records error events in this log;

• Message – event message stored in the log subsystem;

• Occurrence – this column displays the event occurrence time; when the same event occurs several times, the number of logged events and the time interval is displayed instead.

The log level character is one of the following:

E – Error (something went wrong, preventing proper operation)

W – Warning (something went wrong but the operation succeeded)

I – Info (notice about some operational event)

V – Verbose (verbose notice about some operational event)

D – Debug (operation debugging message)

When the event log viewer is accessed with Preferences:Write permissions granted, additional control links are shown (Fig. 3.47).
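The grouping the viewer performs on repeated events, reproduced over constructed records. This is an added example, not PVA code: the record format `<date> <time> <level> <subsys> <message>` is this example's own (the manual does not describe how PVA stores events), while the level characters and the Occurrence rule are the ones documented above; the sample records are constructed after the replication errors in Fig. 3.46.

```python
"""Event log aggregation in the style of the PHP VOMS-Admin event log viewer.

Added example, not PVA code. The record format is constructed for this example;
the level characters (E/W/I/V/D) and the Occurrence rule (count plus the time
interval from first to last occurrence for repeated events) follow the manual.
"""
from collections import OrderedDict
from datetime import datetime

# Log level characters documented in the manual, most severe first.
LEVELS = {"E": "Error", "W": "Warning", "I": "Info", "V": "Verbose", "D": "Debug"}
SEVERITY = {c: i for i, c in enumerate("EWIVD")}
TIME_FMT = "%Y-%m-%d %H:%M"

# Constructed sample records (after the replication errors shown in Fig. 3.46).
SAMPLE_LOG = """\
2011-06-05 23:26 E Replication Endpoint connection error: Couldn't resolve host 'chimera.biomed.kiev.ua'
2011-06-05 23:56 E Replication Endpoint connection error: Couldn't resolve host 'chimera.biomed.kiev.ua'
2011-06-07 12:56 E Replication Endpoint connection error: Couldn't resolve host 'chimera.biomed.kiev.ua'
2011-06-12 18:56 E Replication RPC Error #1: Specified VO is not served by this endpoint
2011-06-13 13:54 E Replication RPC Error #1: Specified VO is not served by this endpoint
2011-06-13 14:00 I Replication Synced 3 transactions from peer
"""


def parse_record(line):
    """Split one constructed log record into its fields; reject unknown levels."""
    date, time, level, subsys, message = line.split(" ", 4)
    if level not in LEVELS:
        raise ValueError("unknown log level %r in record: %s" % (level, line))
    return {"time": datetime.strptime(date + " " + time, TIME_FMT),
            "level": level, "subsys": subsys, "message": message}


def summarize(log_text, min_level="D"):
    """Group identical events into viewer rows (Subsys, Message, Occurrence).

    Events less severe than `min_level` are dropped; repeated events are shown
    as a count and the interval from first to last occurrence, as in Fig. 3.46.
    """
    groups = OrderedDict()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if SEVERITY[rec["level"]] > SEVERITY[min_level]:
            continue
        key = (rec["level"], rec["subsys"], rec["message"])
        groups.setdefault(key, []).append(rec["time"])
    rows = []
    for (level, subsys, message), times in groups.items():
        if len(times) == 1:
            occurrence = times[0].strftime(TIME_FMT)
        else:
            occurrence = "%d times from %s till %s" % (
                len(times), min(times).strftime(TIME_FMT), max(times).strftime(TIME_FMT))
        rows.append((level + " " + subsys, message, occurrence))
    return rows


def unhandled_errors(rows):
    """Rows at Error level: the events that warrant the 'PVA needs your attention' banner."""
    return [row for row in rows if row[0].startswith("E ")]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(" | ".join(row))
```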

[Figure 3.46 (screenshot) shows the read-only event log viewer for VO testbed.univ.kiev.ua with the columns Subsys, Message and Occurrence. All listed events are Replication subsystem errors (E): “RPC Error #1: Specified VO is not served by this endpoint” and endpoint connection errors (“Couldn't resolve host”, “connect() timed out!”, “name lookup timed out”, “couldn't connect to host”, “SSL connect error”), each with its occurrence count and the interval from first to last occurrence, e.g. “39 times from 2011-06-12 18:56 till 2011-06-13 13:54”.]

Figure 3.46: Event log viewer (read-only)

Having looked at an occurred event you can click take notice opposite the event notification, confirming that you have taken notice of the event and there is nothing to worry about (like temporary connection problems or DNS reachability). After taking notice, the notification about the event disappears.

At the bottom of the event list you can click on take notice of the all events to take notice of all events in one click.

If you receive a significant event that cannot be resolved because of server internal failures, please contact the VOMS server administrator.

3.2.6 Other VOs on this server

Clicking on the Other VOs on this server link in the menu you get redirected to the List served VOs default general PHP VOMS-Admin operation (see section 3.1).

[Figure 3.47 (screenshot) shows the same event log viewer with Preferences:Write permissions: a take notice link opposite each event and a take notice of the all events link at the bottom of the list. The on-page text reads: clicking on “take notice” confirms that you have taken notice of the event and its notification will disappear; if you receive events due to improper operation of the VOMS server, or need help in handling a system event, please contact the VOMS Server Admin.]

Figure 3.47: Event log viewer


Chapter 4

Using SOAP interfaces

4.1 VOMSCompatibility

PHP VOMS-Admin implements the VOMSCompatibility interface to serve SOAP requests from gridmap generators. The version information methods (getMajorVersionNumber, getMinorVersionNumber and getPatchVersionNumber) are not really useful and return the compatibility WSDL version 2.0.2.

The getGridmapUsers method is used to retrieve the list of DNs. The method has an optional argument to show the list of DNs for a specified container only. The container format is the following:

/voname[/group[/subgroup...]][/Role=role][/Capability=capability]

Capabilities are not handled by PHP VOMS-Admin, nor by EDG Java VOMS-Admin 2.0.18.

In version 0.6 the listMembers method from the VOMSAdmin WSDL is implemented as well. This was done because AMGA uses this method instead of the compatibility interface. Since 0.6.5 a separate VOMSAdmin interface has been implemented with all methods, including listMembers.

Requests can be sent via SOAP directly (POST request) or using special URL parameters (GET request). The base URL for SOAP requests is https://pva.server/voms/voname/services/VOMSCompatibility. When the wsdl parameter is specified, the WSDL file is returned.

Use the method parameter to specify the method to call via GET request, and container to provide the optional container value when the getGridmapUsers method is called.

For example, the following URL returns the list of testbed.univ.kiev.ua VO members with role VO-Admin in the root group: https://voms.grid.org.ua/voms/testbed.univ.kiev.ua/services/VOMSCompatibility?method=getGridmapUsers&container=/testbed.univ.kiev.ua/Role=VO-Admin

The PVA distribution also includes VOMSCompatibility2.php, which provides a more accurate SOAP implementation based on the PHP-SOAP class. Unfortunately, PHP SOAP is not compatible with AXIS 1.2 used in Java VOMS-Admin. A detailed description of the problem is provided in the “NOTE” comment inside the script body.

4.2 VOMSAdmin

The VOMSAdmin SOAP interface is used to manage VO users and to control group and role assignment. The interface is implemented with PHP SOAP. It is strongly recommended to use true SOAP clients (Python voms-admin clients are compatible).

It is also possible to use GET requests with the following base URL: https://pva.server/voms/voname/services/VOMSAdmin


4.2.1 Complex types

User {
    string CA,
    string CN,
    string DN,
    string certUri,
    string mail
}

4.2.2 Methods

All methods return the operation status unless other behaviour is specified. In case of any error, methods throw SOAP:Exception.

createUser (User USER)
    Add a new member to the VO. Information about the new member is specified as a complex type argument. Requires Membership:Write permissions.

deleteUser (string DN, string CA)
    Delete a member from the VO. The member is specified by DN and CA. Requires Membership:Write permissions.

getUser (string DN, string CA)
    Return (complex type User) information about the VO member specified by DN and CA. Requires Membership:Read permissions.

setUser (User USER)
    Update information about a VO member. Information is passed using the complex type User argument. The DN and CA records from the complex type are used to find the record in the database; the CN, certUri and mail records are updated. Requires Membership:Write permissions.

assignRole (string GROUP, string ROLE, string DN, string CA)
    Assign role ROLE in group GROUP to the user specified by DN and CA. Requires Group:Membership:Write permissions.

dismissRole (string GROUP, string ROLE, string DN, string CA)
    Dismiss the member's role ROLE in group GROUP. The member is specified by DN and CA. Requires Group:Membership:Write permissions.

listUsersWithRole (string GROUP, string ROLE)
    Return (array of complex type User) the list of users that have role ROLE assigned in group GROUP. Requires Membership:Read permissions.

listRoles ()
    Return (array of strings) the list of roles. Roles are printed as follows: Role=ROLE. Requires Container:Read permissions.

listRoles (string DN, string CA)
    Return (array of strings) the list of roles assigned to the user specified by DN and CA, formatted as FQAN: /group/subgroup/Role=ROLE. Permissions are checked for each group; only roles allowed by Group:Container:Read permissions are shown.

createRole (string ROLE)
    Create a new role named ROLE. Requires Container:Write permissions.

deleteRole (string ROLE)
    Remove the role with the specified name. All role assignments are removed automatically. Requires Container:Write permissions.


listMembers (optional string GROUP)
    Return (array of complex type User) the list of members of group GROUP. If the group name is not specified, the root group is used (all VO members are returned). Requires Membership:Read permissions.

addMember (string GROUP, string DN, string CA)
    Assign membership in group GROUP to the user specified by DN and CA. Requires Group:Membership:Write permissions.

removeMember (string GROUP, string DN, string CA)
    Dismiss membership in group GROUP for the user specified by DN and CA. Requires Group:Membership:Write permissions.

getVOName ()
    Return (string) the VO name.

listSubGroups (string GROUP)
    Return (array of strings) the list of child groups of the requested group. Requires Group:Container:Read permissions.

listGroups ()
    Return (array of strings) the list of all defined groups. Permissions are checked for each group; only groups allowed by Group:Container:Read permissions are shown.

createGroup (unused, string GROUP)
    Create a new group specified by the GROUP argument. GROUP should be specified as an absolute path starting from the root group: /group/subgroup/subgroup.... The first parameter is not used by EDG Java VOMS-Admin and is present for “bug-to-bug” compatibility. Requires Group:Container:Write permissions for the parent group.

deleteGroup (string GROUP)
    Delete the group specified by GROUP name. All group assignments are removed automatically. GROUP should be specified as an absolute path starting from the root group. Requires Group:Container:Write permissions for the parent group.

listCAs ()
    Return (array of strings) the list of supported certification authority DNs.

getGroupPath (string CONTAINER)
    Return (array of strings) the list of groups starting from the root group and continuing down the tree to the specified child group. This method is a remote string parser and does not rely on the actual group hierarchy.
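The container syntax from section 4.1 and the getGroupPath behaviour above, as a local parser plus a builder for the GET-style VOMSCompatibility URL. This is an added example, not PVA code; the set of characters allowed in group names is this example's own assumption (the manual does not define one), and the server names used are examples.

```python
"""Container (FQAN) handling for PHP VOMS-Admin SOAP GET requests.

Added example, not PVA code. It validates the container syntax documented for
getGridmapUsers, builds the GET-style VOMSCompatibility URL from the manual and
reproduces getGroupPath as a purely local string parser (it never consults the
real group hierarchy, exactly as the manual says of the remote method).
"""
import re
from urllib.parse import urlencode

# Assumption of this example: group and VO names are dotted/dashed identifiers.
NAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def parse_container(container):
    """Parse /voname[/group[/subgroup...]][/Role=role][/Capability=capability]."""
    if not container.startswith("/"):
        raise ValueError("container must start with '/'")
    groups, role, capability = [], None, None
    for element in container[1:].split("/"):
        if element.startswith("Role="):
            if role is not None or capability is not None:
                raise ValueError("Role= must appear once, before Capability=")
            role = element[len("Role="):]
        elif element.startswith("Capability="):
            if capability is not None:
                raise ValueError("Capability= must appear once")
            capability = element[len("Capability="):]
        elif role is not None or capability is not None:
            raise ValueError("group element after Role= or Capability=")
        elif element in ("", ".", "..") or not NAME_RE.fullmatch(element):
            raise ValueError("bad group element %r" % element)
        else:
            groups.append(element)
    if not groups:
        raise ValueError("container names no VO")
    return {"vo": groups[0], "groups": groups, "role": role, "capability": capability}


def group_path(container):
    """Local equivalent of getGroupPath: root group down to the specified child group."""
    groups = parse_container(container)["groups"]
    return ["/" + "/".join(groups[:i + 1]) for i in range(len(groups))]


def gridmap_users_url(server, vo, container=None):
    """GET URL calling getGridmapUsers on the VOMSCompatibility service of `vo`."""
    base = "https://%s/voms/%s/services/VOMSCompatibility" % (server, vo)
    params = {"method": "getGridmapUsers"}
    if container is not None:
        parsed = parse_container(container)   # validate before sending anything
        if parsed["vo"] != vo:
            raise ValueError("container VO %r does not match %r" % (parsed["vo"], vo))
        if parsed["capability"] is not None:
            raise ValueError("capabilities are not handled by PHP VOMS-Admin")
        params["container"] = container
    # '/' and '=' are kept unescaped so the URL matches the form shown in the manual.
    return base + "?" + urlencode(params, safe="/=")


if __name__ == "__main__":
    print(gridmap_users_url("voms.grid.org.ua", "testbed.univ.kiev.ua",
                            "/testbed.univ.kiev.ua/Role=VO-Admin"))
    print(group_path("/testbed.univ.kiev.ua/wg/sub"))
```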

4.2.3 Obsolete methods

There are a couple of methods that exist in the WSDL but are unsupported:

Operations with capabilities. Capabilities are unsupported in Java VOMS-Admin 2.0 and in PVA respectively; attributes are used instead to achieve the same functionality. PHP VOMS-Admin raises an exception upon invocation of the following methods:

• createCapability(string CAPABILITY)

• deleteCapability(string CAPABILITY)

• assignCapability(string CAPABILITY, string DN, string CA)

• dissmissCapability(string CAPABILITY, string DN, string CA)

• listUsersWithCapability(string CAPABILITY)

• listCapabilities()

• listCapabilities(string DN, string CA)

Operations with ACLs. Operations with ACLs have been moved to the VOMSACL SOAP interface. All invocations of these functions via VOMSAdmin raise an exception.


4.3 VOMSACL

The VOMSACL SOAP interface is used to manage access control lists (ACL) for VO groups. Please refer to section 3.2.2.2.1 for more information regarding ACLs.

The interface is implemented with PHP SOAP. It is strongly recommended to use true SOAP clients (Python voms-admin clients are compatible).

It is also possible to use GET requests with the following base URL: https://pva.server/voms/voname/services/VOMSACL

4.3.1 Complex types

ACLEntry {
    string adminIssuer,
    string adminSubject,
    int vomsPermissionBits
}

4.3.2 Methods

getACL (string CONTAINER)
    Return (array of ACLEntry) the ACLs defined for CONTAINER. The container is an FQAN that specifies group and role: /group/subgroup/Role=ROLE. Currently only groups are meaningful. Requires Group:ACL:Read permissions.

getDefaultACL (string CONTAINER)
    Return (array of ACLEntry) the default ACLs defined for CONTAINER. The container is an FQAN that specifies group and role: /group/subgroup/Role=ROLE. Currently only groups are meaningful. Requires Group:ACL:Read permissions.

addACLEntry (string CONTAINER, ACLEntry ACL, bool PROPAGATE)
    Add a new ACL entry for the specified CONTAINER. If the PROPAGATE flag is set, the entry is propagated to all child groups. Requires Group:ACL:Write permissions.

addDefaultACLEntry (string CONTAINER, ACLEntry ACL)
    Add a new default ACL entry for the specified CONTAINER. Requires Group:ACL:Default permissions.

removeACLEntry (string CONTAINER, ACLEntry ACL, bool PROPAGATE)
    Remove an ACL entry from the specified CONTAINER. If the PROPAGATE flag is set, the entry is removed from all child groups. Requires Group:ACL:Write permissions.

removeDefaultACLEntry (string CONTAINER, ACLEntry ACL)
    Remove a default ACL entry from the specified CONTAINER. Requires Group:ACL:Default permissions.

setACL (string CONTAINER, array of ACLEntry ACLs)
    Replace all ACL rules for the specified CONTAINER with the ones passed in the array. Requires Group:ACL:Write permissions.

setDefaultACL (string CONTAINER, array of ACLEntry ACLs)
    Replace all default ACL rules for the specified CONTAINER with the ones passed in the array. Requires Group:ACL:Default permissions.

4.4 VOMSAttributes

The VOMSAttributes SOAP interface is used to manage attribute classes and their assignment.


The interface is implemented with PHP SOAP. It is strongly recommended to use true SOAP clients (Python voms-admin clients are compatible).

It is also possible to use GET requests with the following base URL: https://pva.server/voms/voname/services/VOMSAttributes

4.4.1 Complex types

User {
    string CA,
    string CN,
    string DN,
    string certUri,
    string mail
}

AttributeClass {
    string description,
    string name,
    bool uniquenessChecked
}

AttributeValue {
    AttributeClass attributeClass,
    string context,
    string value
}

4.4.2 Methods

createAttributeClass (string CLASS, optional string DESCRIPTION, optional bool UNIQ)
    Create a new attribute class CLASS. If DESCRIPTION is specified it is also stored for the attribute class. The UNIQ flag applies a uniqueness constraint to attribute assignment. Requires Attributes:Write permissions.

saveAttributeClass (AttributeClass CLASS)
    Create a new attribute class specified by the complex type AttributeClass. Requires Attributes:Write permissions.

deleteAttributeClass (string CLASS)
    Delete the attribute class specified by class name. Requires Attributes:Write permissions.

deleteAttributeClass (AttributeClass CLASS)
    Delete the attribute class specified by the complex type AttributeClass. The method obtains the class name from the complex type and uses it to accomplish the deletion; the other fields of the AttributeClass type are not significant. Requires Attributes:Write permissions.

listAttributeClasses ()
    Return (array of AttributeClass) the list of defined attribute classes. Requires Attributes:Read permissions.

getAttributeClass (string CLASS)
    Return (AttributeClass) the complex type structure for the given class name. Requires Attributes:Read permissions.

setUserAttribute (User USER, AttributeValue VALUE)
    Set an attribute with the value specified by the complex type AttributeValue for a VO member. The member is specified using the complex type User argument. Requires Attributes:Write permissions.


deleteUserAttribute (User USER, string CLASS)
    Dismiss the attribute assignment for the VO member specified by the complex type User. The attribute class to dismiss is specified by name. Requires Attributes:Write permissions.

deleteUserAttribute (User USER, AttributeValue VALUE)
    Dismiss the attribute assignment for the VO member specified by the complex type User. The attribute class to dismiss is specified by the complex type AttributeValue; only the AttributeClass name field is significant. Requires Attributes:Write permissions.

setGroupAttribute (string GROUP, AttributeValue VALUE)
    Set an attribute with the value specified by the complex type AttributeValue for group GROUP. Requires Group:Attributes:Write permissions.

deleteGroupAttribute (string GROUP, string CLASS)
    Dismiss the attribute assignment for group GROUP. The attribute class to dismiss is specified by name. Requires Group:Attributes:Write permissions.

deleteGroupAttribute (string GROUP, AttributeValue VALUE)
    Dismiss the attribute assignment for group GROUP. The attribute class to dismiss is specified by the complex type AttributeValue; only the AttributeClass name field is significant. Requires Group:Attributes:Write permissions.

setRoleAttribute (string GROUP, string ROLE, AttributeValue VALUE)
    Set an attribute with the value specified by the complex type AttributeValue for role ROLE in group GROUP. Requires Group:Attributes:Write permissions.

deleteRoleAttribute (string GROUP, string ROLE, AttributeValue VALUE)
    Dismiss the attribute assignment for role ROLE in group GROUP. The attribute class to dismiss is specified by name. Requires Group:Attributes:Write permissions.

deleteRoleAttribute (string GROUP, string ROLE, AttributeValue VALUE)
    Dismiss the attribute assignment for role ROLE in group GROUP. The attribute class to dismiss is specified by the complex type AttributeValue; only the AttributeClass name field is significant. Requires Group:Attributes:Write permissions.

listUserAttributes (User USER)
    Return (array of AttributeValue) the list of all attributes assigned to the VO member specified by the complex type User. Requires Attributes:Read permissions.

listGroupAttributes (string GROUP)
    Return (array of AttributeValue) the list of all attributes assigned to group GROUP. Requires Group:Attributes:Read permissions.

listRoleAttributes (string GROUP, string ROLE)
    Return (array of AttributeValue) the list of all attributes assigned to role ROLE in group GROUP. Requires Group:Attributes:Read permissions.

4.5 VOMSRegistration

The VOMSRegistration SOAP interface is used to send new user registration requests.

The interface is implemented with PHP SOAP. It is strongly recommended to use true SOAP clients (there are no options in the Python clients to use this interface).

It is also possible to use GET requests with the following base URL: https://pva.server/voms/voname/services/VOMSRegistration


4.5.1 Complex types

RegistrationRequest {
    bool aupAccepted,
    string comments,
    string emailAddress,
    string institute,
    string phoneNumber
}

4.5.2 Methods

submitRegistrationRequest (RegistrationRequest REQUEST)
    Send a new user registration request. No special permissions are required. You should use HTTPS client certificate authentication; the DN and CA of the registrant are obtained from the HTTPS session.

submitRegistrationRequestForUser (string DN, string CA, RegistrationRequest REQUEST)
    Send a new user registration request. No special permissions are required. The DN and CA of the registrant are passed to the method directly. You should nevertheless use HTTPS client certificate authentication to be able to submit the request; the DN and CA from the HTTPS session are stored in the transaction log.


Chapter 5

Brief overview of some PHP VOMS-Admin internals

5.1 Multilingual support

The PHP VOMS-Admin interface supports multiple languages and is distributed with English, Ukrainian and Russian translations. Interface generator scripts rely on PHP variables containing string constants (variable names starting with $voms_).

This chapter provides some technical details about language detection and processing that can be useful when customizing a PVA translation or creating a new one.

The language to use is determined from the HTTP header sent by the client browser (HTTP_ACCEPT_LANGUAGE). To change the language you should set your preferred language in the browser settings. For debugging purposes the language can be overridden with the lang cookie, but there is no interface option to set the cookie. If no information is provided by the browser, English is used by default.

All translations are stored in files under the lang directory. The file name is <web browser language identification code>.inc. Each file contains a list of all language-dependent string variables.

English is the reference translation for PHP VOMS-Admin. The file en.inc is always sourced first. Then variable values are redefined by sourcing another translation file (according to the requested language). If a translation file is not available for the requested language, nothing to worry about: English is already there.

NOTE: you can create partial translations if you do not manage to translate the entire English file. All untranslated strings stay in English.

Changing the language files directly (in case you want to modify some text in the PVA interface, like adding a legal notice, etc.) is not a good idea: upon the next package update they will be overwritten. To make your changes permanent you can use the lang overlay feature: in the common PVA configuration define the $lang_overlay variable that contains the path to an overlay directory. Inside the overlay directory create a file with the redefined variables. Overlay files are sourced last.

Example operation (English):

• lang/en.inc sourced

• langoverlay/en.inc sourced (if defined and exists)

Example operation (Ukrainian):

• lang/en.inc sourced

• lang/uk.inc sourced

• langoverlay/uk.inc sourced (if defined and exists)
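The language selection and the sourcing order above, as an added example that is not PVA code. Translation files are modelled as dicts of $voms_ variables instead of PHP .inc files and the Accept-Language parsing is this example's own; the precedence (lang cookie, browser header, English fallback) and the order en.inc, then <lang>.inc, then the overlay follow the manual. The file contents are constructed.

```python
"""Language selection and translation layering as described for PVA.

Added example, not PVA code. LANG_FILES and OVERLAY_FILES are constructed
stand-ins for lang/*.inc and the directory named by $lang_overlay.
"""

LANG_FILES = {
    "lang/en.inc": {"voms_title": "VO management", "voms_leave": "Leave this VO",
                    "voms_notice": "take notice"},
    "lang/uk.inc": {"voms_title": "Керування VO", "voms_leave": "Залишити VO"},
    "lang/ru.inc": {"voms_title": "Управление VO"},
}
OVERLAY_FILES = {
    "langoverlay/uk.inc": {"voms_title": "Керування VO (Testbed)"},
}


def available_languages(lang_files=LANG_FILES):
    """Language codes for which a lang/<code>.inc file exists."""
    return {path[len("lang/"):-len(".inc")] for path in lang_files}


def pick_language(accept_language, available=None, lang_cookie=None):
    """Choose the language code: the lang cookie wins (debugging use), then
    the browser's Accept-Language ordered by q-value, then English."""
    if available is None:
        available = available_languages()
    if lang_cookie in available:
        return lang_cookie
    candidates = []
    for position, item in enumerate((accept_language or "").split(",")):
        tag, _, rest = item.strip().partition(";")
        quality = 1.0
        for param in rest.split(";"):
            param = param.strip()
            if param.startswith("q="):
                try:
                    quality = float(param[2:])
                except ValueError:
                    quality = 0.0
        if tag:
            candidates.append((-quality, position, tag.lower()))
    for _, _, tag in sorted(candidates):
        for code in (tag, tag.split("-")[0]):   # uk-UA falls back to uk
            if code in available:
                return code
    return "en"


def load_strings(lang, lang_files=LANG_FILES, overlay_files=OVERLAY_FILES):
    """Return (strings, sourcing_order): en.inc first, the requested language
    next if its file exists, the overlay for that language last (last wins)."""
    order = ["lang/en.inc"]
    if lang != "en" and "lang/%s.inc" % lang in lang_files:
        order.append("lang/%s.inc" % lang)
    overlay = "langoverlay/%s.inc" % lang
    if overlay in overlay_files:
        order.append(overlay)
    strings = {}
    for path in order:
        source = lang_files if path in lang_files else overlay_files
        strings.update(source[path])
    return strings, order


if __name__ == "__main__":
    lang = pick_language("uk-UA,uk;q=0.9,en;q=0.5")
    print(lang, load_strings(lang))
```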


5.2 Replication process

PHP VOMS-Admin replication uses a pull model: information about new transactions performed on replica servers (replicants) is retrieved on demand by a PVA request. No information is pushed to any PVA instance.

Replication uses its own RPC interface for pulling transactions and relies on the system cron daemon to perform syncs. The RPC interface supports the following operations:

• ping – echo request, used to check that the endpoint supports PVA RPC;

• status – return the agreement status based on client authentication;

• ltt – return the last transaction timestamp;

• tdiff – return all transactions since the requested time;

• alldata – return the complete database content for refilling.

All operations except ping require client authorization. RPC security relies on several things. The client verifies the server certificate signature using TLS on the connection, ensuring that the data comes from the trusted source named in the agreement. The server uses the client IP address and the authorization code obtained during agreement establishment. Client certificate authentication is not used because passing the private key of the entire server to PHP does not provide much security, especially when other web sites are served alongside PHP VOMS-Admin and replication is configured per VO. Note what this design implies: the authorization code is a bearer secret tied to a source address, so anyone who knows it and can send requests from the agreed IP address (for example another site on the same shared host or behind the same NAT) can pull the complete VO database via alldata. Protect the code like a password, and never disable the client-side TLS certificate check.

The first line of an RPC response contains the numeric and readable response code (zero is RPC_OK, non-zero represents an error). On success, the next line contains the JSON-encoded request result.

The general replication algorithm consists of the following steps:

• on a regular basis, connect to all replica servers and get the last transaction time (ltt);

• compare the replicant's ltt value with the one recorded in the own database (NOTE! time is always relative to each server, which avoids problems with clock desynchronization between servers);

• if the returned ltt equals the recorded one, finish;

• otherwise, get all transactions since the ltt stored in the own database (tdiff);

• gather the transactions retrieved from all agreements and resolve possible conflicts (the transaction UUID identifies duplicates);

• apply the transactions to the current database;

• update the stored ltt for each agreement.
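One pull cycle of the algorithm above, together with a parser for the two-line response format, as an added example that is not PVA's own code. The operation names (ltt, tdiff), the response layout and the UUID-based de-duplication are taken from the manual; the exact spelling of the status line ("0 RPC_OK"), the transaction fields (uuid, ts, fn, args), the $rpc callable, the $state layout and the in-memory endpoint fake are assumptions.

```php
<?php
// Added example (not PVA's own code): one pull cycle of the replication
// algorithm, run against an in-memory fake of the RPC endpoint.
// Operation names, the two-line response and UUID de-duplication follow the
// manual; the status-line spelling, transaction fields, $rpc callable and
// $state layout are assumptions.

// Parse a raw RPC response: line 1 is "<code> <text>", line 2 is JSON on success.
function parse_rpc_response(string $raw): array {
    $lines = explode("\n", $raw, 2);
    if (!preg_match('/^(\d+)\s*(.*)$/', trim($lines[0]), $m)) {
        throw new RuntimeException('malformed RPC status line');
    }
    $code = (int) $m[1];
    if ($code !== 0) {
        throw new RuntimeException("RPC error $code: " . $m[2]);
    }
    $result = json_decode($lines[1] ?? '', true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new RuntimeException('RPC result is not valid JSON');
    }
    return $result;
}

// Pull new transactions from every agreement, de-duplicate by UUID, apply
// them in timestamp order and advance the stored ltt per agreement.
// $rpc(agreement, operation, params) returns the raw response string.
// $state['ltt'][agreement] is the remote timestamp we last applied;
// $state['seen'] is the set of transaction UUIDs already applied.
function sync_cycle(array $agreements, callable $rpc, array &$state, callable $apply): int {
    $pending = [];
    foreach ($agreements as $name) {
        $remoteLtt = parse_rpc_response($rpc($name, 'ltt', []))['ltt'];
        $localLtt  = $state['ltt'][$name] ?? 0;
        if ($remoteLtt === $localLtt) {
            continue;                       // nothing new on this replicant
        }
        // Ask for everything after the ltt *we* stored for this agreement;
        // timestamps stay relative to the remote server, no clocks are compared.
        $txs = parse_rpc_response($rpc($name, 'tdiff', ['since' => $localLtt]));
        foreach ($txs as $tx) {
            // The same transaction may arrive through several agreements.
            if (isset($state['seen'][$tx['uuid']]) || isset($pending[$tx['uuid']])) {
                continue;
            }
            $pending[$tx['uuid']] = $tx;
        }
        $state['ltt'][$name] = $remoteLtt;
    }
    uasort($pending, fn($a, $b) => $a['ts'] <=> $b['ts']);
    foreach ($pending as $uuid => $tx) {
        $apply($tx);
        $state['seen'][$uuid] = true;
    }
    return count($pending);
}

// Constructed endpoint fake: pva2 and pva3 both already hold the transaction
// with UUID "aaaa" because it was replicated between them earlier.
$fakeDb = [
    'pva2' => [['uuid' => 'aaaa', 'ts' => 101, 'fn' => 'createUser', 'args' => ['user1']],
               ['uuid' => 'bbbb', 'ts' => 105, 'fn' => 'createUser', 'args' => ['user2']]],
    'pva3' => [['uuid' => 'aaaa', 'ts' => 103, 'fn' => 'createUser', 'args' => ['user1']]],
];
$rpc = function (string $agr, string $op, array $params) use ($fakeDb): string {
    $txs = $fakeDb[$agr];
    if ($op === 'ltt') {
        return "0 RPC_OK\n" . json_encode(['ltt' => max(array_column($txs, 'ts'))]);
    }
    if ($op === 'tdiff') {
        $new = array_values(array_filter($txs, fn($t) => $t['ts'] > $params['since']));
        return "0 RPC_OK\n" . json_encode($new);
    }
    return "1 RPC_UNKNOWN_OPERATION\n";
};

$state   = ['ltt' => [], 'seen' => []];
$applied = [];
$n = sync_cycle(['pva2', 'pva3'], $rpc, $state, function (array $tx) use (&$applied) {
    $applied[] = $tx['uuid'];            // stand-in for applying it to the VO database
});
```

In the first cycle the copy of "aaaa" pulled from pva3 is dropped because the same UUID already sits in the pending set from pva2, so only two transactions reach $apply. Running sync_cycle() again finishes at the ltt comparison for both agreements, which is the early exit the algorithm relies on to keep the cron-driven polling cheap.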

5.3 Autoincrement problem in multi-master replication process

INSERT INTO SQL calls on tables with autoincremented primary keys may break transaction synchronization.

Creating a new record (e.g. a createUser call) generates the ID automatically. Within one agreement sync interval the same function can be called on different PVA instances, leading to information desync.

Let us investigate an example: two PVA instances with a replication agreement configured. Inside the next sync interval createUser('user1') was called on PVA1 and createUser('user2') on PVA2. The autoincrement value for the new user will be the same on PVA1 and PVA2, let it be 30. After the sync, 'user1' and 'user2' are created with the next autoincrement ID value on the other server, giving the following database contents:


-- PVA1 --        -- PVA2 --
30 user1          30 user2
31 user2          31 user1

Deletion of 'user1' on PVA2 calls deleteUser(31), which deletes 'user2' instead of 'user1' on PVA1.

To overcome this issue, integer autoincrement primary keys would have to be replaced with UUIDs, but for compatibility with the credential signing daemon and the EDG Java VOMS-Admin database schema they could not be changed this way.

Transparent use of UUIDs becomes possible with the following concept:

• a separate table holds the map between IDs and UUIDs;

• all functions that change the database in the PVA code handle the UUID as top priority, and use the general table ID only when no UUID exists;

• functions with INSERT INTO operations add the new autoincrement ID to the UUID map; the UUID is saved in the transactions table;

• replicated transactions already have the UUID identifier attached to the function arguments;

• when a replicated function is called, the new autoincremented ID is mapped to the same UUID referenced in the function arguments.
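The collision from the user1/user2 example and the ID/UUID map that resolves it, played out on two in-memory instances as an added example (not PVA's own code). The autoincrement schema and the map concept come from the manual; the Instance class, the method signatures, the transaction layout and the hex stand-in for UUID generation are assumptions.

```php
<?php
// Added example (not PVA's own code): the ID/UUID map concept, run on two
// in-memory PVA instances to reproduce the user1/user2 collision from the
// text and show how the map keeps a replicated deleteUser() on the right
// row. Class, method signatures and transaction layout are assumptions;
// only the autoincrement schema and the map idea come from the manual.

final class Instance {
    public array $users = [];         // autoincrement table: id => name
    public array $idToUuid = [];      // separate map table: id => uuid
    public array $uuidToId = [];      // reverse index of that map
    public array $transactions = [];  // local transaction log, UUID attached
    private int $nextId = 30;         // both servers happen to be at 30

    // Local createUser(): INSERT, then add the new autoincrement ID to the map.
    public function createUser(string $name): string {
        $uuid = bin2hex(random_bytes(16));   // stand-in for a real UUID generator
        $this->insert($name, $uuid);
        $this->transactions[] = ['fn' => 'createUser', 'uuid' => $uuid, 'args' => [$name]];
        return $uuid;
    }

    // The UUID is honoured first; the bare integer ID is used only when no
    // UUID is supplied (a non-replicated caller).
    public function deleteUser(?string $uuid, ?int $id = null): bool {
        if ($uuid !== null) {
            $id = $this->uuidToId[$uuid] ?? null;
        } elseif ($id !== null) {
            $uuid = $this->idToUuid[$id] ?? null;
        }
        if ($id === null || $uuid === null || !isset($this->users[$id])) {
            return false;
        }
        unset($this->users[$id], $this->idToUuid[$id], $this->uuidToId[$uuid]);
        $this->transactions[] = ['fn' => 'deleteUser', 'uuid' => $uuid, 'args' => []];
        return true;
    }

    // Apply a transaction pulled from a replicant. The UUID travels with the
    // arguments, so the fresh local autoincrement ID is mapped to that UUID
    // and later transactions naming it resolve to the correct local row.
    public function replay(array $tx): void {
        switch ($tx['fn']) {
            case 'createUser':
                if (!isset($this->uuidToId[$tx['uuid']])) {   // not replicated yet?
                    $this->insert($tx['args'][0], $tx['uuid']);
                }
                break;
            case 'deleteUser':
                $id = $this->uuidToId[$tx['uuid']] ?? null;
                if ($id !== null) {
                    unset($this->users[$id], $this->idToUuid[$id], $this->uuidToId[$tx['uuid']]);
                }
                break;
        }
    }

    private function insert(string $name, string $uuid): int {
        $id = $this->nextId++;
        $this->users[$id] = $name;
        $this->idToUuid[$id] = $uuid;
        $this->uuidToId[$uuid] = $id;
        return $id;
    }
}

// Constructed scenario from the text: inside one sync interval,
// createUser('user1') runs on PVA1 and createUser('user2') on PVA2.
$pva1 = new Instance();
$pva2 = new Instance();
$u1 = $pva1->createUser('user1');   // takes id 30 on PVA1
$u2 = $pva2->createUser('user2');   // takes id 30 on PVA2

// Sync: each side replays the other's log. user1 lands on id 31 on PVA2 and
// user2 on id 31 on PVA1, the crossed layout shown in the table above.
foreach ($pva1->transactions as $tx) { $pva2->replay($tx); }
foreach ($pva2->transactions as $tx) { $pva1->replay($tx); }

// Delete user1 on PVA2 (its local id 31) and replicate that transaction to
// PVA1. Without the map PVA1 would act on id 31 and drop user2; with it,
// $u1 resolves through PVA1's own map to id 30 and user1 goes on both sides.
$pva2->deleteUser($u1);
$pva1->replay(array_slice($pva2->transactions, -1)[0]);
```

The important detail is in replay(): a replicated createUser reuses the UUID carried in the transaction instead of minting a new one, so whatever autoincrement ID the local INSERT happens to produce is bound to the same UUID the originating server recorded. Every later transaction about that row is then resolved through the map, and the integer IDs never have to agree between servers.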


Chapter 6

Acknowledgments

I would like to thank our old equipment for inspiring me to develop PHP VOMS-Admin :-) A joke, of course.

I am pleased to thank my friend and colleague Ievgen Sliusar for productive discussions, debate of ideas and English text corrections.

This is a great opportunity to express my personal respect to Oxana Smirnova, Mattias Ellert and other members of the Nordugrid Collaboration for assistance with the PHP VOMS-Admin project, especially for providing the code repository, bug tracking system and packaging.

I would also like to thank the chief of the Information and Computer Center, Dr. Yurij Boyko, and the head of the parallel computing lab, Dr. Oleksandr Sudakov, under whose leadership grid grows in Taras Shevchenko National University of Kyiv.

With best regards, Andrii Salnikov
