PHP VOMS-Admin version 0.6 Operation Manual (source: grid.org.ua/development/pva/packages/docs/pva-0.6-manual-eng.pdf)


DRAFT-022031-PVA

Lang: english

Compiled: 22/6/2011

PHP VOMS-Admin version 0.6

Operation Manual

Andrii Salnikov


Contents

1 Introduction 5

2 Getting started with PVA-based VOMS server 7
2.1 Installation 7
2.2 Basic configuration 8
2.2.1 PVA web-interface configuration 8
2.2.2 Configuration of pva-addvo script 9
2.3 Adding a new VO 10
2.4 VO-specific settings 10
2.5 Adding external VOMSes 11

3 Using the web-interface 13
3.1 General operations 13
3.1.1 List served VOs 13
3.1.2 Contact VOMS Server Admin 14
3.1.3 Request VOMS resources for new VO 15
3.2 VO operations 16
3.2.1 New member registration 18
3.2.1.1 Filling registration form 18
3.2.1.2 Confirming your registration request 19
3.2.1.3 Receiving membership approval 20
3.2.2 VO management 20
3.2.2.1 Manage Users 20
3.2.2.1.1 User details 23
3.2.2.1.2 Membership details 23
3.2.2.1.3 Generic attributes management 24
3.2.2.2 Manage Groups 24
3.2.2.2.1 ACL Management 25
3.2.2.2.2 Membership details 29
3.2.2.2.3 Generic attributes management 30
3.2.2.3 Manage Roles 30
3.2.2.3.1 Membership details 30
3.2.2.3.2 Generic attributes management 30
3.2.2.4 Manage Attributes 31
3.2.3 Configuration 32
3.2.4 Subscriptions 34
3.2.4.1 Pending requests 34
3.2.4.2 Processed requests 34
3.2.5 Preferences 34
3.2.5.1 Display 35
3.2.5.2 Transactions 36
3.2.5.3 Replication 38
3.2.5.3.1 Overview of replication details 38
3.2.5.3.2 Establishing replication agreement 40
3.2.5.3.3 Adding more replication agreements 42
3.2.5.4 Event Log 43
3.2.6 Other VOs on this server 44

4 Using SOAP interface 47

5 Brief overview of some PHP VOMS-Admin internals 49
5.1 Replication process 49
5.2 Autoincrement problem in multi-master replication process 50

6 Acknowledgments 51


Chapter 1

Introduction

PHP VOMS-Admin (PVA) is software written in PHP that presents a web-interface to control virtual organization (VO) membership parameters.

I started to work on PHP VOMS-Admin to mitigate the lack of scalability of the traditional Java-based VOMS-Admin solution for the Apache Tomcat environment. The Ukrainian National Grid deployment is built on top of the Nordugrid ARC middleware and requires more and more VOs to be served by a single server. The Java VM consumes a lot of memory, and each VO servlet runs as an independent instance inside Tomcat. In the case of Java VOMS-Admin, memory usage is about 600MB for every VO. This limits the number of VOs dramatically. So the idea to create a lightweight solution was born, and PHP appeared to be a suitable web technology that provides the desired stability and relatively low resource usage.

Instead of using different instances of VOMS-Admin for each VO, PVA invokes the same code many times, minimizing memory and CPU usage. The resulting memory consumption is tens of megabytes for all VOs. Another advantage of PVA is about 100 times faster response times, especially under concurrent simultaneous connections. And of course you do not need an insane number of "gLite dependencies" to install PVA, just PHP 5.2 or newer and a MySQL database.

The functionality of PHP VOMS-Admin in its first implementation was the same as in the traditional Java-based VOMS-Admin (v.2.0.18). During further PVA development new functions have been implemented. Major highlights are:

• internationalization (English, Ukrainian and Russian translations are available)

• transaction log viewer

• database multi-master replication

• error notifications for deferred operations

• per-VO preferences and interface enhancements

PVA is fully compatible with the credential signing backend (vomsd), and uses the same MySQL database as the Java-based VOMS-Admin with the same ACL rules for easy migration. Additional database tables for PVA-only functions are created automatically and do not affect basic operation.

PVA development takes place at the Parallel Computing Lab of the Information and Computer Centre of Kyiv National Taras Shevchenko University. You can find the latest production version in operation at the VOMS-Admin server of the Ukrainian grid segment VOs: https://grid.org.ua/voms

You are free to use PHP VOMS-Admin under the terms of the Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0).

More details can be found on the project web-site: http://grid.org.ua/development/pva/.

This guide presents a consistent view of the web-interface with a comprehensive description that shows how to use and configure PVA features, for both VO users and administrators.

I hope you enjoy PVA operation. With best regards, Andrii Salnikov


Chapter 2

Getting started with PVA-based VOMS server

This chapter describes the VOMS server administrator actions needed to proceed with installation and configuration of a new PHP VOMS-Admin instance on top of a Linux server. If you are a general VO member or a VO administrator, you can skip this chapter and continue reading from chapter 3.

2.1 Installation

The easiest and recommended way of installing PHP VOMS-Admin is to use the out-of-the-box packages. Currently RPM and DEB packages are available: http://grid.org.ua/development/pva/?act=download.

Packages imply the choice of Apache as the web-server (Debian and derivatives use /etc/apache2 instead of /etc/httpd), and install the following files and directories:

%{_sysconfdir}/httpd/conf.d/pva.conf
%{_sysconfdir}/pva/
%{_sysconfdir}/pva/vomses/
%{_sbindir}/pva-addvo
%{_datadir}/doc/php-voms-admin-0.6
%{_mandir}/man1/pva-addvo.1.gz
%{_mandir}/man5/addvo.conf.5.gz
%{_mandir}/man5/pva-config.5.gz
%{_datadir}/pva
%{_localstatedir}/www/pva/mail-copies

Vanilla sources can be downloaded from the Nordugrid SVN server:

svn export http://svn.nordugrid.org/repos/nordugrid/contrib/pva/tags/pva-0.6 pva-0.6

The source code distribution has the following structure:

pva-0.6
|--conf <-- PVA configuration files
| |--vomses <-- per-VO configuration files
|--debian <-- rules for .deb packaging
|--interfaces <-- web-interface server-side scripts
|--js <-- web-interface client-side JavaScript
|--kcaptcha <-- CAPTCHA generator library
|--lang <-- interface translation files
|--mail_copies <-- empty directory for PVA mail local store
|--modules <-- auxiliary server-side script files
|--pics <-- web-interface graphics
|--styles <-- web-interface CSS
|--wsdl <-- SOAP WSDL files
|.htaccess <-- Apache in-place config (use pva.conf instead if possible)
|addvo <-- new VO deployment script
|addvo.conf <-- new VO deployment script configuration
|index.php <-- web-interface entry point
|pva.conf <-- apache server configuration
|pva.spec <-- rules for .rpm packaging
|rpc.php <-- PVA internal RPC interface (for replication)
|VOMSCompatibiliy.php <-- VOMS-Admin SOAP interface (compatibility implementation)
|VOMSCompatibiliy2.php <-- VOMS-Admin SOAP interface (pure PHP-SOAP implementation)

Recommendations and an example configuration for installation on top of the Nginx web-server are provided in the NOTES file included in the distribution.

If you have not done it already, you need to configure the HTTPS protocol following the documentation of the web-server you have chosen. Ensure that client certificate verification is enabled. For Apache, the mod_ssl configuration will look like the following:

SSLVerifyClient optional
SSLVerifyDepth 10

PHP VOMS-Admin properly handles requests without a client certificate, so optional is the recommended setting. But if you want to enforce stricter security restrictions you are free to specify the required value.

You need to put the client verification options inside <VirtualHost> for proper operation. Putting them inside a <Directory> block in /etc/httpd/conf.d/pva.conf leads to a failure with the message: "Re-negotiation handshake failed: Not accepted by client!?"

Renegotiation is indeed not accepted by modern browsers, because it was discovered that the SSL protocol is exposed to a serious man-in-the-middle attack when SSL renegotiation is enabled.
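As an added example (not code from the PVA distribution), the following POSIX shell function scans an Apache configuration file and reports SSLVerifyClient and SSLVerifyDepth directives that sit inside a <Directory> block, the misplacement described above; the sample configuration files and temporary paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the PVA distribution): report SSLVerifyClient and
# SSLVerifyDepth directives nested inside a <Directory> block, the layout the
# manual says breaks client-certificate renegotiation. Sample configs below
# are constructed for the demo.

# check_sslverify_placement FILE
# Exit status 0 when the directives occur only outside <Directory> blocks,
# 1 when at least one is nested inside a <Directory>...</Directory> section.
# Directive names are matched case-insensitively, as Apache itself does.
check_sslverify_placement() {
    awk '
        BEGIN { depth = 0; bad = 0 }
        {
            line = tolower($0)
            if (line ~ /^[ \t]*<directory[ \t>]/) {
                depth++
            } else if (line ~ /^[ \t]*<\/directory>/) {
                if (depth > 0) depth--
            } else if (line ~ /^[ \t]*sslverify(client|depth)[ \t]/ && depth > 0) {
                bad++
                printf("misplaced inside <Directory>: %s\n", $0)
            }
        }
        END { if (bad > 0) exit 1 }
    ' "$1"
}

# Constructed samples: the recommended layout (directives at <VirtualHost>
# level) and the layout the manual warns about.
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient optional
    SSLVerifyDepth 10
    <Directory /usr/share/pva>
        AllowOverride None
    </Directory>
</VirtualHost>
EOF
cat > "$tmp/bad.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    <Directory /usr/share/pva>
        SSLVerifyClient optional
        SSLVerifyDepth 10
    </Directory>
</VirtualHost>
EOF

for f in "$tmp/good.conf" "$tmp/bad.conf"; do
    if check_sslverify_placement "$f"; then
        echo "$f: ok"
    else
        echo "$f: move the SSLVerify* directives into <VirtualHost>"
    fi
done
```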

2.2 Basic configuration

2.2.1 PVA web-interface configuration

The configuration file /etc/pva/pva-config (in the case of manual installation from SVN: config.inc, located directly in the conf/ directory of the PVA tree) contains the general PVA interface settings.

$pva_install_path="/usr/share/pva";
$ca_certificates_path="/etc/grid-security/certificates";
$mail_filecopies_path="/var/www/pva/mail-copies";
$items_per_page=10;
$lastresort_permissions = 517;
$mail_from = "[email protected]";
$mail_from_name = "PHP VOMS Admin";
$voms_admin_mail = "[email protected]";

You must specify proper values for the mail_from, mail_from_name and voms_admin_mail variables to ensure e-mail operations.

The PVA installation path, CA certificates path and e-mail copies location are specified automatically when PHP VOMS-Admin is installed from a package. The value of items_per_page determines how many entries (users, groups, roles, etc.) will be shown simultaneously on the same page in PVA output. The value of lastresort_permissions sets the default permissions, which are applied when no more specific match was found (insecure HTTP access is the most common example of such a situation). More details on setting permissions can be found in the ACL configuration section (3.2.2.2.1).

2.2.2 Configuration of pva-addvo script

The configuration file /etc/pva/addvo.conf sets host-specific parameters for pva-addvo script operation. (In the case of manual installation from SVN, the location of addvo.conf needs to be specified in the addvo script via the ADDVOCONF variable. Generally speaking, you can set all host-specific parameters directly in the script body, but this way will create obstacles for future PVA updates.) Several configuration variables might be reviewed and modified:

# Where to find configuration files and voms-server libraries
LIBDIR="/usr/lib64"
CONFDIR="/etc"
# PHP VOMS-Admin config dir
PVACONFDIR="${CONFDIR}/pva/vomses"
# PHP VOMS-Admin config owner
PVACONF_OWNER="apache:apache"
# MySQL user used for PHP VOMS-Admin VO databases creation
MYSQL_USER="root"
# PHP VOMS-Admin per-VO databases access credentials
# "voms_VONAME" user with dynamically generated password will be used if not specified
#VODBUSER="voms"
#VODBPASS="commonpassword"
# hostname running voms-server
#VOHOST="myvomds.host.org"
# voms-server config files location
VOMSDDIR="${CONFDIR}/voms"
# voms-server certificate and key paths (on server where vomsd is running)
VOMSDCERT="${CONFDIR}/grid-security/hostcert.pem"
VOMSDKEY="${CONFDIR}/grid-security/hostkey.pem"
# voms-server config files owner
VOMSDCONF_OWNER="voms:voms"

Out-of-the-box installation from a package sets most of the variables according to default settings that will hopefully work without modifications.

You need to change the voms-server VOHOST value when running vomsd on a separate server (the PVA host name is used by default). If you have chosen to use a common MySQL account for all VOs, uncomment and specify the VODBUSER and VODBPASS variables. If using the Nginx web-server you most probably need to change PVACONF_OWNER.


2.3 Adding a new VO

The pva-addvo script (in the SVN tree: the addvo script located in the top directory of the source tree) can be used to add a new VO for serving by PHP VOMS-Admin. It also generates configuration files for voms-server for use in conjunction with PVA. The host-specific configuration file /etc/pva/addvo.conf (section 2.2.2) must be reviewed before adding the first VO.

New VO parameters can be provided via environment variables. Any subset of the configuration variables can be specified in a VO config file passed as the pva-addvo parameter:

pva-addvo [/path/to/vo_config]

The following environment variables are used to provide information about a new VO:

VONAME (required) - The name of the new VO to add. According to EGI documentation, using an FQDN is the preferred way (e.g. vo.example.org)

ADMDN (required) - Initial VO administrator's certificate distinguished name

ADMCA (required) - Distinguished name of the certification authority which signed the initial VO administrator's certificate

ADMMAIL (required) - E-mail address of the initial VO administrator

RULES_URL (required) - URL that points to the VO usage rules. Every new user must agree to and accept the rules to proceed

VOPORT (required) - voms-server listen port to issue VOMS ACs (e.g. 15004)

HOMEPAGE (optional) - URL of the VO homepage

DESCR (optional) - Short human-readable description of the VO

DEFCA (optional) - Default value for the DN of the certification authority, used when manually adding new users via the web-interface

When the Request VOMS resources for new VO form (section 3.1.3) of the PVA web-interface is filled in and submitted by a VO admin, PVA automatically sends an e-mail to the server administrator formatted as a configuration file to use with pva-addvo. VOPORT is not included in the mail body and must be set manually.

[root@pva-server ~]# VOPORT=15110 pva-addvo /var/www/pva/mail-copies/new_VO_request
INFO: Using default hostname "pva.example.org" for VOHOST value.
INFO: Generating CA list from /etc/grid-security/certificates... Done.
INFO: Creating database and credentials...
Enter password: *********
INFO: Writting vomsd conf at: /etc/voms/test.pva.vo/voms.conf
INFO: Writting PHP VOMS-Admin conf at: /etc/pva/vomses/test.pva.vo.conf
INFO: Please restart vomsd to begin serving voms-extension requests for VO test.pva.vo
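As an added example (not code from the PVA distribution), the following POSIX shell function checks a VO config file of the kind shown above before pva-addvo is run on it: it verifies that the required variables from the list above are set, that VOPORT (which the mailed request file lacks) is a valid port, and warns when VONAME is not an FQDN; the sample file, paths, DNs and e-mail address are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the PVA distribution): validate a pva-addvo VO
# configuration file before running pva-addvo on it. Variable names are the
# ones the manual lists for pva-addvo; file paths and values are constructed.
REQUIRED_VARS="VONAME ADMDN ADMCA ADMMAIL RULES_URL VOPORT"

# pva_vo_config_check FILE
# Sources FILE in a subshell (nothing leaks into the calling shell), then
# checks that every required variable is non-empty, that VOPORT is a valid TCP
# port and that VONAME looks like an FQDN (a warning only, since the manual
# says FQDN is preferred, not mandatory). Variables already present in the
# environment count, exactly as they do for pva-addvo itself.
# Exit status: 0 = ready for pva-addvo, 1 = problems found, 2 = unreadable file.
pva_vo_config_check() (
    [ -r "$1" ] || { echo "cannot read $1" >&2; exit 2; }
    . "$1"
    rc=0
    for v in $REQUIRED_VARS; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing required variable: $v" >&2
            rc=1
        fi
    done
    case "${VOPORT:-}" in
        '') ;;                                  # already reported above
        *[!0-9]*) echo "VOPORT is not numeric: $VOPORT" >&2; rc=1 ;;
        *) if [ "$VOPORT" -lt 1 ] || [ "$VOPORT" -gt 65535 ]; then
               echo "VOPORT out of range: $VOPORT" >&2; rc=1
           fi ;;
    esac
    case "${VONAME:-}" in
        ''|*.*) ;;
        *) echo "warning: VONAME '$VONAME' is not an FQDN (e.g. vo.example.org)" >&2 ;;
    esac
    exit $rc
)

# Constructed sample shaped like the file PVA mails after a "Request VOMS
# resources for new VO" submission: everything except VOPORT is present.
tmp=$(mktemp -d)
cat > "$tmp/new_VO_request" <<'EOF'
VONAME="test.pva.vo"
ADMDN="/DC=org/DC=example/O=people/CN=VO Admin"
ADMCA="/DC=org/DC=example/CN=Example CA"
ADMMAIL="vo-admin@example.org"
RULES_URL="http://www.apache.org/licenses/LICENSE-2.0"
DESCR="PVA testing VO"
EOF

# Without VOPORT the check fails; supplying it in the environment, as the
# manual does for pva-addvo, makes it pass.
unset VOPORT
if pva_vo_config_check "$tmp/new_VO_request"; then
    echo "unexpected: passed without VOPORT"
fi
if VOPORT=15110 pva_vo_config_check "$tmp/new_VO_request"; then
    echo "ready: run  VOPORT=15110 pva-addvo $tmp/new_VO_request"
fi
```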

2.4 VO-specific settings

The PHP VOMS-Admin VO-specific configuration is stored in the /etc/pva/vomses/{vo_name}.conf file. The file contains several configuration variables:

$dbhost="localhost";
$dbname="voms_test_pva_vo";
$dbuser="voms_test_pva_vo";
$dbpasswd="EBD2pPytpmcYBfBjfGLzBVFTf3hEaxOM";
$vo_port="15110";
$vo_host="pva.example.org";
$vo_cert="/etc/grid-security/hostcert.pem";
$vo_rules_link="http://www.apache.org/licenses/LICENSE-2.0";
$defaultca="/DC=org/DC=ugrid/CN=UGRID CA";
$vo_description="PVA testing VO";
$vo_mainurl="http://grid.org.ua/development/pva";

The variables store the same parameters pushed on VO creation with the pva-addvo script, presented in a PHP-friendly way.

Since version 0.6, changing the variable values in the latter configuration file will affect only database operations (dbhost, dbname, dbuser and dbpasswd)! All other parameters of the VO configuration are now stored in the VO database due to the common replication interface, and such changes in the configuration file will be ignored.

2.5 Adding external VOMSes

External VOMS servers can be specified in the /etc/pva/vomses/external file. External VO information must be written to the external_vos array in the following format:

$external_vos = array (
    "some.external.vo.name" => array (
        "vomsurl" => "https://voms.example.org/voms/some.external.vo.name",
        "description" => "Some External VO",
        "mainurl" => "http://info.example.org/vo.name/"
    )
);

In the example above, some.external.vo.name is the name of the external VO, vomsurl is the link to the VO operations page on the external VOMS, description is a short human-readable description of the external VO, and mainurl is the URL of the VO homepage.

If the name of the external VO is equal to one of the VO names served by this PVA instance, an "external" icon will be shown along with the VO description in the List of VOs configured on this server section, instead of a new record in List of VOs configured on external servers.


Chapter 3

Using the web-interface

Interface element availability depends on the permissions defined by the access lists. The conditions of web-interface element availability are provided in the element description as an ACL permission specification, like Membership:Read or Preferences:Write. Prepending "Group" to a permission (e.g. Group:Container:Read) means that child group permissions are considered when making the access decision, in contrast to root group permissions only.

The existence of such conditions means that you must be granted the specified permissions by a corresponding ACL (see section 3.2.2.2.1) for the action in question.

3.1 General operations

By browsing to the PHP VOMS-Admin base URL (e.g. http://example.org/voms) you get access to the general operations interface.

3.1.1 List served VOs

The default general operation applied on accessing PVA is List served VOs. The interface displays all VOs configured on this instance of PVA, VOs configured on external servers and links to replication servers for each of the VOs. General VO preferences (name, description, homepage) are also displayed.

When there are no VOs configured, PVA shows the corresponding message (Fig. 3.1).

Figure 3.1: List served VOs (empty). Screenshot: the general operations menu (List served VOs, Contact VOMS Server Admin, Request VOMS resources for new VO), the List of VOs configured on this server heading and the message "There is no VOs currently served"; footer "PHP VOMS-Admin version 0.6 rc2".

If a VO configuration exists, List of VOs configured on this server is displayed first. Then List of VOs configured on external servers is displayed, if any external VOs are defined. Figure 3.2 shows an example of List served VOs output for the current configuration of the http://grid.org.ua/voms PHP VOMS-Admin server.

All served VOs are displayed in a table, one VO in each row. The rows are sorted alphabetically by the first column value. The first column contains the VO name. The VO name is a link that points to the VO management interface. The second column contains the VO description, if specified in the configuration.


Figure 3.2: List served VOs (grid.org.ua). Screenshot: List of VOs configured on this server with 14 VOs, each followed by its description: academia, compuchemgridua, crimeaeco, eegm, eo-grid.ikd.kiev.ua, geopard, medgrid, moldyngrid, networkdynamics, sysbio, telemed, testbed.univ.kiev.ua, ukraine and virgo.ua; then List of VOs configured on external servers with one entry, medgrid.immsp.kiev.ua (Telemedical Grid, Ukrainian Medical Grid applications); footer "PHP VOMS-Admin version 0.6 rc2 @ Parallel Computing Lab ICC KNU 2011".

Several icons can be shown along with the VO description:

• VO home page URL

• URL of an external stand-alone VOMS server that also serves this VO

• URL of another PVA instance configured in replication with this one

• URL of another PVA instance configured in replication with this one (connectivity problems)

All icons are clickable, except the replication connectivity problem icon. A click opens the URL corresponding to the icon.

3.1.2 Contact VOMS Server Admin

By clicking on the Contact VOMS Server Admin link you get redirected to the VOMS administrator feedback form. The form can be accessed either via HTTP without authentication or via HTTPS with a client certificate provided. Accessing via HTTP is useful when HTTPS problems exist and the user wants to report these problems.

When HTTPS client certificate authentication is performed, your name is captured automatically from your certificate (Fig. 3.3). You need to enter a reply e-mail address to proceed. This e-mail address is used to send your message and allows the VOMS server administrator to reply to your request.

Just enter the message text into the corresponding field and press the Send e-mail button.


Figure 3.3: Contact VOMS Server Admin (accessing via HTTPS). Screenshot: the form "Contact VOMS server administrator" with the fields Sender name (pre-filled from the certificate), E-mail for reply and Message text, the Send e-mail button, and a note that the form sends e-mail to the VOMS server administrator for questions or problem reports and that a correct reply address must be given to receive an answer.

When the form is accessed via HTTP (Fig. 3.4) you additionally need to enter your name directly, and to recognize and enter the text printed on the CAPTCHA picture. The CAPTCHA is required to prevent the VOMS server administrator from getting SPAM through PHP VOMS-Admin.

3.1.3 Request VOMS resources for new VO

By clicking on the Request VOMS resources for new VO link you enter the resources request page. The request may only be sent by a VO administrator, and hence HTTPS client certificate authentication is required to prove the identity.

When the Request VOMS resources for new VO page is accessed via HTTP, a warning saying that an HTTPS connection to the VOMS server must be used is shown (Fig. 3.5).

When a proper HTTPS connection is used you can see the request form displayed in figure 3.6. As VO administrator you can fill in the form and send a request to the VOMS server administrator asking to provide resources to serve your VO.

The initial VO administrator identity is automatically retrieved from the provided client certificate, filling the VO Admin DN and VO Admin CA fields. The VO default CA is assumed to be equal to the VO Admin CA, but can be changed by the VOMS server administrator or removed completely. The meaning of all form fields corresponds to the pva-addvo script configuration variables and is described in section 2.3.

Clicking on Send request sends the request to the VOMS administrator.


Figure 3.4: Contact VOMS Server Admin (accessing via HTTP). Screenshot: the same form as in Fig. 3.3, with Sender name to be typed in and the additional field "Enter text on the picture" (CAPTCHA).

Figure 3.5: Request VOMS resources for new VO (accessing via HTTP). Screenshot: the page heading "Request VOMS server resources to serve your VO", its explanatory text (the requester must be a VO administrator and use an HTTPS connection with personal certificate authentication, which will also be the authentication method for VO administration in the future), and the warning "You must use HTTPS connection to the VOMS server to proceed."

3.2 VO operations

Clicking on a VO name in the List served VOs page redirects you to the VO operation page for the selected VO. The PHP VOMS-Admin web-interface header indicates the name of the selected VO and your provided user identity (Fig. 3.7).

If you use the HTTP protocol, your identity cannot be determined, and the Current user field becomes a link to the HTTPS server connection (Fig. 3.8).

If you are not a VO user, a link to the VO membership registration form (Fig. 3.9) appears in the top right corner of the page.

Figure 3.6: Request VOMS resources for new VO form. Screenshot: fields VO name*, VO Admin DN, VO Admin CA, VO Admin e-mail*, VO default CA, VO description, VO homepage and VO rules of usage URL*, with the Send request button; VO Admin DN, VO Admin CA and VO default CA are pre-filled from the certificate (in the example /DC=org/DC=ugrid/O=people/O=KNU/CN=Andrii Salnikov and /DC=org/DC=ugrid/CN=UGRID CA).

Figure 3.7: VO operations PHP VOMS-Admin header. Screenshot: header "for VO: test.pva.vo, Current user: Andrii Salnikov", the menu VO management, Configuration, Other VOs on this server, the Manage sub-menu (Users, Groups, Roles, Attributes), a user list of two entries (1-2 of 2) and the Search users and Leave this VO buttons.

Figure 3.8: VO operations accessed via HTTP PVA header. Screenshot: header "for VO: test.pva.vo, Current user: use HTTPS for authentication" and the message "You must use HTTPS connection to the VOMS server to proceed."

Figure 3.9: VO operations register link in PVA header. Screenshot: header "for VO: test.pva.vo, Current user: Andrii Salnikov, You are not a member - Register!", the Manage sub-menu and the message "No members found".


3.2.1 New member registration

3.2.1.1 Filling registration form

By clicking on the Register! link (Fig. 3.9) you navigate to the new user registration form shown in figure 3.10.

Figure 3.10: New VO member registration form. Screenshot: "PHP VOMS-Admin membership registration for the test.pva.vo VO" with the fields Your distinguished name (DN) and Your CA (pre-filled from the certificate), Your email address, Your institute, Your phone number and Comments for the VO admin, the "You agree on the VO's usage rules" check-box and the Register button. The page text states that the VO's Usage Rules must be accepted, that the request is forwarded to the VO managers only after the e-mail address has been confirmed by following the instructions sent by e-mail, and (under IMPORTANT) that the submitted information may be distributed to and stored by VO and site administrators, verified, used to control access to VO resources and used to contact the applicant.

You should first read and accept the VO usage rules to become a VO member. You can find the usage rules by following the VO Usage Rules link on the registration page.

PVA automatically gets your identity from the client certificate and fills in Your distinguished name (DN) and Your CA.

You must manually fill in the contact information (e-mail address, institute and phone number) so that the VO manager is able to contact you in case of any questions.

You can also fill in the Comments for the VO admin box to provide additional information to include in your membership request.

Setting the You agree on the VO's usage rules check-box at the bottom of the page confirms that you agree to the VO usage rules. Finally click the Register button to proceed with the registration request.


3.2.1.2 Confirming your registration request

When you submit the registration form, you will be informed about successful submission (Fig. 3.11). The message says that you will receive an e-mail with further instructions on how to proceed.

[Screenshot: "Confirmation required" notice: an e-mail with instructions on how to proceed with the registration has been sent; follow them within 24 hours or the request will be ignored by PHP VOMS-Admin]
Figure 3.11: Submitting registration form confirmation

The e-mail will have the following subject: Your membership request for VO test.pva.vo. The body text will look like the following:

Dear Andrii Salnikov, you have requested to be a member of VO test.pva.vo

In order for the registration to proceed, you should confirm this

request by going to the following url:

https://pva.example.org/voms?vo=test.pva.vo&action=confirmation.....

In case you occationally requested the membership in VO test.pva.vo, please

cancel request going to the following url:

https://pva.example.org/voms?vo=test.pva.vo&action=confirmation.....

Your sincerely,

PHP VOMS-Admin registration service for VO test.pva.vo

Your request will not be forwarded to the VO managers until you confirm that you have a valid e-mail address by following the e-mail instructions and navigating to the URL provided.

[Screenshot: "You have already applied" notice: the confirmation e-mail with instructions was sent to your inbox (check the SPAM filter if you cannot find it); if the problem persists, contact the VO administrator or wait 24 hours until the request is no longer valid]
Figure 3.12: Already applied notification

You need to complete the e-mail confirmation within 24 hours or your request will be ignored by PHP VOMS-Admin. You can manually cancel your request by following the second URL in the e-mail body.

You cannot send the registration request again within the 24-hour hold time; you will be notified with the message shown in figure 3.12 when clicking the Register! link after a successful form submission.

Following the confirmation link provided in the e-mail body, you will see a notification about successful request confirmation (Fig. 3.13).


[Screenshot: "Membership request confirmation" notice: the request was successfully confirmed; a notification follows when the VO Administrator processes it]
Figure 3.13: Membership request successful confirmation

If you do not receive the confirmation e-mail, check your SPAM filter first and try to find the e-mail there. You can also try to specify another e-mail address after the 24-hour hold time period. If the problem is still not solved, please contact your VO manager directly using the contacts found on the VO homepage.

3.2.1.3 Receiving membership approval

After completion of the e-mail confirmation your request will be forwarded to the VO managers and will appear in the Subscriptions administrator's menu (see section 3.2.4).

Actions that may be taken by the VO managers are confirming that the information you provided is correct and clarifying your VO affiliation.

After successful confirmation of your membership request, you will receive an e-mail like the following:

Dear Andrii Salnikov, your membership request for VO test.pva.vo

has been approved.

Your sincerely,

PHP VOMS-Admin registration service for VO test.pva.vo

3.2.2 VO management

VO management is the default VO operations action taken when following the PVA URL for a VO. VO management is responsible for internal VO structure control: assigning groups, roles, attributes and access restrictions. You can return to VO management from other operations by clicking the VO management link in the top menu. The default VO management action is Manage Users.

3.2.2.1 Manage Users

With Membership:Read permissions granted (recommended behavior for all authenticated users) you can see the list of VO members (Fig. 3.14).

Every user common name (CN) along with the certification authority CN is displayed line by line. If Membership:Write permissions are granted then a delete user link is shown on the right of every line. The list is sorted ascending by member creation time.

At the bottom of the page the total number of VO members is displayed. When the number of records per page is less than the total number of members, navigation links are also displayed. By clicking on the navigation links you can display the next or previous subset of members.

You can also see the Search users button along with a filter input field at the top of the members list. Entering a match template into the input field and pressing Search users displays only users with a CN matching the specified template (Fig. 3.15).


[Screenshot: Manage Users list showing five of seven members (1-5 of 7) with delete user links, the Search users field and the Leave this VO and Create a new user links]
Figure 3.14: Manage users VO membership view

[Screenshot: member list filtered with the template "user1" (1-2 of 2)]
Figure 3.15: Filter the list of VO members

Along with the search form, Create a new user and Leave this VO links can be displayed. You need to be a VO member for the Leave this VO link to appear. Create a new user is available when Membership:Write permissions are granted to you.

By clicking on the Leave this VO link you can dismiss your own membership directly, without contacting the VO administrator. A pop-up window will appear requesting confirmation of the operation, to prevent accidental membership dismissal. After confirmation, your membership will be removed immediately.

By clicking on the Create a new user link you can manually add a new VO member as VO administrator (Fig. 3.16). You need to enter the member DN, the CN to be displayed in the members list and the contact e-mail address, and choose from the drop-down list the certification authority that signed the member's personal certificate. Then click on the Create! button to confirm the member parameters and create the new member record.

The recommended way to add general users is to follow the member registration procedure (section 3.2.1). Consider using the manual method to add services and hosts ONLY!

Every member CN in the list (Fig. 3.14) is a link that points to the detailed member parameters management interface (Fig. 3.17).

[Screenshot: Create a new VO user form with DN, CN, CA (drop-down) and E-mail fields and the Create! button]
Figure 3.16: Manually add new VO member

[Screenshot: member management page for user1 with the User details view (DN and CA, common name, e-mail, Save changes, delete this user), the Membership details view (Add to group, group/role table with Assign role) and the Generic attributes management view (Set an attribute, assigned attribute nickname = uuu1 with delete link)]
Figure 3.17: Manage detail member parameters

The interface consists of three views: User details, Membership details and Generic attributes management. Every view has a minimize/maximize button on the right side of its header.

3.2.2.1.1 User details The User details view shows the DN of the member, the DN of the certificate authority that signed the member's personal certificate, and the common name and contact e-mail of the member when Membership:Read permissions are granted. With Membership:Write permissions granted, you can change the member common name and contact e-mail (confirming the changes by clicking on the Save changes button) and delete the member directly from the user details view by clicking on the delete this user link.

3.2.2.1.2 Membership details The content of the Membership details view depends on the per-group permissions granted by the corresponding ACLs (see section 3.2.2.2.1). The purpose of the view is to review and manage containers for the current member or, simply said, member enrollment in groups and roles in those groups.

[Screenshot: Membership details view listing the groups /test.pva.vo (role production), /test.pva.vo/group1 (roles production, tester) and /test.pva.vo/group1/subgroup1 (role VO-Admin) with Assign role / Dismiss role links where permitted and a Remove link for subgroup1; Add to group control above the list]
Figure 3.18: User membership details view per-group ACLs example

A more accurate example illustrating different per-group ACLs is shown in figure 3.18.

The membership details list contains a record for each group the user is a member of. Each group is displayed in the list only when its own Group:Container:Read permissions are granted to the reviewer. For every group a list of roles assigned in this group is also displayed in the second column. When Group:Container:Write permissions are granted, a drop-down box of unassigned roles along with an Assign role link is displayed to allow assigning the selected role on click. A Dismiss role link also appears in the third column next to every already assigned role to allow dismissing the corresponding role. The last column contains a Remove link to completely remove membership in the corresponding group.

Look at figure 3.18. The following information can be obtained from the output:

• the user is a member of at least three groups, displayed in the first column;

• the ACLs of the groups shown allow Group:Container:Read permissions for the reviewer;

• it is possible that the user is a member of other groups whose ACLs DO NOT grant Group:Container:Read permissions to the reviewer;

• the user has the role production in the /test.pva.vo group;

• the reviewer is granted Group:Container:Write permissions in the group /test.pva.vo, so can dismiss the production role or assign any others;

• the group /test.pva.vo is the catch-all root group and cannot be removed even with Container:Write permissions;

• the user has the roles production and tester in the /test.pva.vo/group1 group;

• the reviewer is NOT granted Group:Container:Write permissions in the /test.pva.vo/group1 group;

• the user has the role VO-Admin in the /test.pva.vo/group1/subgroup1 group;

• the reviewer is granted Group:Container:Write permissions in the /test.pva.vo/group1/subgroup1 group, so can dismiss the VO-Admin role or assign any others; the reviewer is also allowed to remove membership completely in the /test.pva.vo/group1/subgroup1 group.

Above the list of groups you can also see a control to add the member into a group. A drop-down box of the groups into which the user can be added by the reviewer is shown. A user can be added to a group if Group:Container:Write permissions are granted to the reviewer. If no unassigned groups grant Group:Container:Write permissions, the control is not displayed. Choosing a group from the drop-down list and clicking the Add to group button grants membership in the selected group to the reviewed user.

3.2.2.1.3 Generic attributes management The Generic attributes management view allows you to control the member's assigned attributes (Fig. 3.17).

With Attributes:Manage permissions granted, the attribute assignment form is displayed first. The form consists of a drop-down list of defined VO attributes, an input field for the attribute value and a Set an attribute button.

Clicking on the Set an attribute button applies the value to the user's attribute. If the attribute was previously assigned a different value, the previous value is overwritten instead of adding another attribute with the same name.

With Attributes:List permissions granted, the list of assigned VO attributes is shown. Each row contains the attribute name in the first column and the attribute value in the second. If Attributes:Manage permissions are also allowed, the third column contains a delete link for attribute removal.

3.2.2.2 Manage Groups

Clicking on Groups in the left Manage menu redirects you to the groups management interface (Fig. 3.19).

[Screenshot: Groups list (/test.pva.vo root group without delete link; /test.pva.vo/group1, /test.pva.vo/group1/subgroup1, /test.pva.vo/group1/subgroup2 and /test.pva.vo/group2 with delete links; 1-5 of 6), the Search groups field and the Create a new group link]
Figure 3.19: Groups management interface

You can see the Search groups button along with a filter input field at the top of the groups list. Search groups works exactly the same way as Search users in section 3.2.2.1.

Along with the search form, a Create a new group link may be displayed when Container:Write permissions are granted. By clicking on the Create a new group link you navigate to the new group creation form.


[Screenshot: Create a new VO group form with the Parent group drop-down (e.g. /test.pva.vo/group2), the Name field and the Create! button]
Figure 3.20: Create new group in VO

You need to enter the group name and select the parent group from the drop-down list of previously defined groups. Finally click on the Create! button to finish the new group creation.

The list of groups defined for the VO is displayed when Container:Read permissions are granted. The catch-all root group name is equal to the VO name; it cannot be removed and is always displayed first in the list.

Every row in the groups list contains a clickable group name along with an optional delete link displayed only when Container:Write permissions are granted. By following the delete link you can remove the defined VO group.

By clicking on a group name in the list you get redirected to the detailed group parameters management interface (Fig. 3.21, 3.24).

The interface consists of three views: ACL management, Membership details and Generic attributes management. Every view has a minimize/maximize button on the right side of its header.

3.2.2.2.1 ACL Management The ACL Management view provides an interface to manage ACLs for the selected group. The view can be accessed with Group:ACL:List permissions granted.

For compatibility with EDG Java VOMS-Admin 2.0.x, the same two sorts of ACLs are implemented:

• general ACLs – used for policy enforcement for every group; they apply to the current group and can be propagated to all child groups during creation; they are inherited on child creation when default ACLs are not defined;

• default ACLs – do not enforce any policy; used only for the inheritance process on child creation; if defined, the parent default ACL is inherited by the new child as its general ACL.

In most VO configurations there is no need to define different ACLs for children (all groups have the same ACLs as the catch-all root group). Default ACLs are not useful in this case. Default ACLs only provide an ability to redefine inheritance for complex VO internal structures with divisions of responsibility.

Global permissions (mentioned without the Group: prefix in this manual) are assigned to the catch-all root group. They are used to enforce VO general configuration restrictions, such as changing global preferences, configuring replication or approving new VO members.

Per-group permissions (mentioned with the Group: prefix in this manual) are assigned for every defined group and are used to enforce group-specific operation restrictions, such as adding to the group or assigning a role in the group.


[Screenshot: ACL management for group /test.pva.vo/group2 showing the Access control list and the Default Access control list tables with the columns Admin DN & CA, Container, Membership, ACL, Attributes, Requests and Preferences, r/w/d characters per column, Add entry links above each table and edit/delete links in every row; the Membership details and Generic attributes management views for the group are collapsed below]
Figure 3.21: Manage detail group parameters (ACLs)

The following permissions are supported by PHP VOMS-Admin∗:

Container:Read (1) – view information about groups and roles;

Container:Write (2) – view groups membership and roles assignment;

Membership:Read (4) – list VO users;

Membership:Write (8) – create/modify/delete VO users;

ACL:List (16) – view ACL permissions;

ACL:Set (32) – define general ACL permissions;

ACL:Defaults (64) – define default ACL permissions;

Subscription:List (128) – view VO membership requests;

Subscription:Define (256) – approve/decline membership requests;

Attributes:List (512) – view assigned attributes;

Attributes:Manage (1024) – create/assign attributes;

Preferences:Read (2048) – view VO preferences options;

Preferences:Write (4096) – modify VO preferences options.

∗ Permission numerical decimal values are shown in parentheses; adding the numerical values of each allowed action gives the total ACL numeric permissions value.
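As an added example (not code from the PVA manual or the PVA project), the following Python encodes and decodes the ACL permission number from the decimal values listed above and renders the per-column r/w/d characters the way the ACL table in figure 3.21 displays them. The column grouping (Container, Membership, ACL, Attributes, Requests, Preferences) is taken from that figure; the function names are the example's own. It also shows that 13, the value displayed in the delete form of figure 3.23, is Container:Read + Membership:Read + Membership:Write.

```python
# Added example (not PVA's own code): encode and decode the ACL permission
# bitmask that PHP VOMS-Admin stores as one decimal number, using the values
# listed in the manual (Container:Read = 1 ... Preferences:Write = 4096).

PERMISSIONS = {
    "Container:Read": 1,
    "Container:Write": 2,
    "Membership:Read": 4,
    "Membership:Write": 8,
    "ACL:List": 16,
    "ACL:Set": 32,
    "ACL:Defaults": 64,
    "Subscription:List": 128,
    "Subscription:Define": 256,
    "Attributes:List": 512,
    "Attributes:Manage": 1024,
    "Preferences:Read": 2048,
    "Preferences:Write": 4096,
}

# Every defined bit set; anything outside this mask is not a PVA permission.
ALL_PERMISSIONS = sum(PERMISSIONS.values())  # 8191

# ACL table columns as displayed in the web-interface (Fig. 3.21), with the
# permissions shown by the characters r, w and d in each column, in that order.
COLUMNS = [
    ("Container",   ["Container:Read", "Container:Write"]),
    ("Membership",  ["Membership:Read", "Membership:Write"]),
    ("ACL",         ["ACL:List", "ACL:Set", "ACL:Defaults"]),
    ("Attributes",  ["Attributes:List", "Attributes:Manage"]),
    ("Requests",    ["Subscription:List", "Subscription:Define"]),
    ("Preferences", ["Preferences:Read", "Preferences:Write"]),
]


def encode(names):
    """Sum the decimal values of the named permissions into one ACL number.
    An unknown name raises KeyError rather than being silently ignored."""
    mask = 0
    for name in names:
        mask |= PERMISSIONS[name]
    return mask


def is_valid_mask(mask):
    """True when mask contains only bits that correspond to PVA permissions."""
    return isinstance(mask, int) and 0 <= mask <= ALL_PERMISSIONS


def decode(mask):
    """Return the permission names contained in mask, in ascending bit order."""
    if not is_valid_mask(mask):
        raise ValueError("not a PVA permission mask: %r" % (mask,))
    return [name for name, value in PERMISSIONS.items() if mask & value]


def render_columns(mask):
    """Render the per-column characters shown in the ACL table: r for the
    read/list action, w for write/set/define/manage, d for ACL:Defaults.
    An empty string means every permission in that column is denied."""
    cells = {}
    for column, names in COLUMNS:
        cells[column] = "".join(
            char for char, name in zip("rwd", names) if mask & PERMISSIONS[name]
        )
    return cells


if __name__ == "__main__":
    # The delete form in Fig. 3.23 shows "Permissions: 13".
    print(decode(13))          # ['Container:Read', 'Membership:Read', 'Membership:Write']
    print(render_columns(13))  # Container: 'r', Membership: 'rw', all other columns ''
    print(encode(["ACL:List", "ACL:Set", "ACL:Defaults"]))  # 112
```

When reviewing an ACL dump or a database row, decode the number rather than eyeballing it: a value above 8191 or a negative value is not a valid permission set and the decoder rejects it instead of guessing.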

For every group the ACL management view shows the general ACLs first, then the default ACLs, if any. The first ACL table column contains the admin distinguished name and CA. Admin in this case means the user identity provided for web-interface usage. The provided identity must match an admin record in the ACL table to get the corresponding permissions granted.

The identity check order is the following:

• user DN and CA directly match the ACL admin identity;

• a role assigned to the member user (sorted ascending, roles in the root group first);

• a group assigned to the member user (sorted ascending, root group first);

• any authenticated user (with a valid certificate);

• absolutely anyone;

• last resort: PVA server permissions.

Only Container, ACL and Attributes permissions are used for enforcing per-group operations. Other permissions have global scope and are meaningful for the catch-all root group only.

HINT! It may be useful to define a default ACL that allows only the affected per-group permissions, to keep the rules clearer. In this scenario new groups will not contain useless permission restrictions after creation.
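As an added example (not PVA's own code), the following Python walks the identity check order above over a constructed ACL table and returns the first matching entry's permission number, falling back to a server default when nothing matches; it also derives a new child group's general ACL from its parent according to the general/default ACL rules in section 3.2.2.2.1. The Admin and Identity classes, the sample entries, DNs and masks are constructed for the example; the page does not describe how PVA stores ACL rows internally, so this models the documented behaviour rather than the implementation.

```python
# Added example (not PVA's own code): resolve which ACL entry applies to a
# web-interface user by walking the identity check order the manual gives
# (direct DN+CA, roles with root group first, groups with root group first,
# any authenticated user, anyone, then the PVA server default), and derive a
# new child group's general ACL from its parent. All data below is constructed.

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Admin:
    """One admin identity in an ACL table. kind is 'user' (value 'DN|CA'),
    'role' (value '/group/Role=name'), 'group' (value '/group'),
    'any_authenticated' or 'anyone' (value empty)."""
    kind: str
    value: str = ""


@dataclass
class Identity:
    """The web-interface user being checked; dn and ca are None when no client
    certificate was presented (plain HTTP access, see Fig. 3.8)."""
    dn: Optional[str]
    ca: Optional[str]
    roles: List[str]    # role FQANs, e.g. '/test.pva.vo/group1/Role=tester'
    groups: List[str]   # group names, e.g. '/test.pva.vo/group1'


def _root_first(vo_root: str):
    """Sort key: entries in the catch-all root group first, then ascending."""
    def key(fqan: str):
        group = fqan.split("/Role=")[0]
        return (0 if group == vo_root else 1, fqan)
    return key


def resolve(acl: Dict[Admin, int], identity: Identity, vo_root: str,
            server_default: int = 0) -> Tuple[int, Optional[Admin]]:
    """Return (permission mask, matching Admin) for the first ACL entry that
    matches identity in check order, or (server_default, None) if none does."""
    candidates = []
    if identity.dn is not None and identity.ca is not None:
        candidates.append(Admin("user", identity.dn + "|" + identity.ca))
        for role in sorted(identity.roles, key=_root_first(vo_root)):
            candidates.append(Admin("role", role))
        for group in sorted(identity.groups, key=_root_first(vo_root)):
            candidates.append(Admin("group", group))
        candidates.append(Admin("any_authenticated"))
    candidates.append(Admin("anyone"))  # the only candidate without a certificate
    for candidate in candidates:
        if candidate in acl:
            return acl[candidate], candidate
    return server_default, None


def child_general_acl(parent_general: Dict[Admin, int],
                      parent_default: Optional[Dict[Admin, int]]) -> Dict[Admin, int]:
    """General ACL a newly created child group starts with: a copy of the
    parent's default ACL when one is defined (and not emptied), otherwise a
    copy of the parent's general ACL."""
    source = parent_default if parent_default else parent_general
    return dict(source)


VO_ROOT = "/test.pva.vo"
USER1_DN = "/DC=org/DC=ugrid/OU=People/CN=user1"
UGRID_CA = "/DC=org/DC=ugrid/CN=UGRID CA"

# Constructed general ACL for one group; masks use the manual's decimal values.
SAMPLE_ACL = {
    Admin("user", USER1_DN + "|" + UGRID_CA): 13,     # Container:Read + Membership:Read/Write
    Admin("role", VO_ROOT + "/Role=VO-Admin"): 8191,  # every permission
    Admin("group", VO_ROOT + "/group1"): 7,           # Container:Read/Write + Membership:Read
    Admin("any_authenticated"): 5,                    # Container:Read + Membership:Read
}

if __name__ == "__main__":
    user1 = Identity(USER1_DN, UGRID_CA, [VO_ROOT + "/Role=VO-Admin"], [VO_ROOT])
    print(resolve(SAMPLE_ACL, user1, VO_ROOT))  # direct DN match wins over the VO-Admin role: 13
    print(resolve(SAMPLE_ACL, Identity(None, None, [], []), VO_ROOT))  # (0, None)
```

Note the practical consequence of first-match resolution: a user with the VO-Admin role still gets only the narrower permissions of a direct DN entry, because the DN match is checked first; when auditing an ACL, look at direct user entries before role and group entries.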

Admin permissions are displayed in the next columns, one for every permission category. The character r indicates that the read (list) action is allowed, w – write (set, define, manage). In the ACL category the character d corresponds to Group:ACL:Defaults permissions. When the character is shown the permission is allowed, otherwise it is denied.

With Group:ACL:Set permissions granted for the general ACL† you can also see the ACL management links: Add entry on the right above the ACL table, and edit and delete in every table row.

By clicking on Add entry you get redirected to the new ACL entry creation form (Fig. 3.22). First you need to select the admin identity specification method using the switch on the left. The following methods are available (from top to bottom):

• The VO user – drop-down list to select an already registered member DN and CA as the admin identity;

• The non-VO user – manually enter the identity DN and select the CA from a drop-down list;

• Anyone with role in group – use a member's assigned role as the admin identity;

• Member of the group – use group membership as the admin identity;

• Any authenticated user – any user with a certificate signed by any trusted CA.

† Group:ACL:Defaults for the default ACL


[Screenshot: Add an ACL entry for context /test.pva.vo/group1: identity switch (The VO user, The non-VO user, Anyone with role in group, Members of the group, Any authenticated user), permission check-boxes grouped as Container rights (Read, Write), Membership rights (Read, Write), ACL management rights (List, Set, Defaults), Subscription management rights (List, Define), Generic Attributes rights (List, Manage) and VO Preferences (Read, Write), the "Propagate to children contexts?" check-box and the Create button]
Figure 3.22: Add new ACL entry

For the selected admin identity you need to specify the permissions to apply. Check-boxes are used for that purpose, one for every supported permission.

The Propagate to child contexts check-box is shown only when adding a general ACL. Checking it means that the ACL record will be created not only for the reviewed group but also for every child.

Finally click the Create button to finish the new ACL record creation. If the admin identity already exists in the ACL table, the selected permissions simply overwrite the old ones, as with editing.

By clicking on the edit link you enter the edit permissions form for the admin identity specified in the chosen row. It looks the same as the new ACL entry creation form, without the identity specification. You need to set the desired permissions using the check-boxes and click the Save changes button to apply the new values.

By clicking on the delete link you can delete the chosen rule from the ACL table (Fig. 3.23). The Delete ACL rule form displays the admin identity, the reviewed group (context) and the numerical value of the permissions. Setting the Remove also from children contexts? check-box propagates the selected rule removal to all child groups.


[Screenshot: Delete ACL entry form showing Admin contact /test.pva.vo/group1 (VOMS Group), Context /test.pva.vo/group1, Permissions 13 and the "Remove also from children contexts?" check-box]
Figure 3.23: Delete ACL entry

When all rules are deleted from the table, the table itself is removed completely (i.e. after removing all default ACL rules, a new child will inherit the general ACL table instead of the removed default ACL).

[Screenshot: group /test.pva.vo/group1 page with the ACL management view collapsed, the Membership details view (user1, 1-1 of 1, Search users) and the Generic attributes management view (Set an attribute form; assigned attribute department = "parallel computing lab" with delete link)]
Figure 3.24: Manage detail group parameters (membership and attributes)

3.2.2.2.2 Membership details The Membership details view provides a list of the current group's member users. Group:Container:Read permissions are required to access the view.

The member list is the same as the whole-VO members list described in section 3.2.2.1, including the search functionality (Fig. 3.24).


3.2.2.2.3 Generic attributes management This view requires Group:Attributes:List permissions to see assigned attributes and Group:Attributes:Manage permissions to assign attribute values.

The attribute management interface is exactly the same as for user attributes described in section 3.2.2.1.3 (Fig. 3.24).

3.2.2.3 Manage Roles

By clicking on the Roles link in the left Manage menu you get redirected to the roles management interface (Fig. 3.19).

[Screenshot: Roles list (production, tester, VO-Admin with delete links; 1-3 of 3), the Search role field and the Create a new role link]
Figure 3.25: Roles management interface

The roles management interface works exactly the same way as the groups management described in section 3.2.2.2.

Access permissions are controlled via Container:Read and Container:Write permissions. By clicking on the Create a new role link you open the new role creation form. You just need to enter the new role name and click on the Create! button to define the role.

The role name in the list is clickable and points to the detailed role parameters management interface (Fig. 3.26).

The interface consists of two views: Membership details and Generic attributes management. Every view has a minimize/maximize button on the right side of its header.

3.2.2.3.1 Membership details The Membership details view displays a list of VO members that have the reviewed role assigned in some group (Fig. 3.26).

The Search users button allows reloading the user list according to the applied filter. The filter contains not only an input field (like the general user search described in 3.2.2.1), but also a drop-down list of groups. A role can be assigned within some group only, like a job position in some department. The drop-down groups list contains only groups with granted Group:Container:Read permissions.

After a user search is issued, a list of users is shown. It looks very similar to the general user list described in section 3.2.2.1: the clickable user common name leads to the detailed user management interface, and the Dismiss role link allows dismissing the current role in the selected group if Group:Container:Write permissions are granted.

3.2.2.3.2 Generic attributes management The Generic attributes management view differs from the one described in section 3.2.2.1.3 only by manual group specification. In figure 3.26 you can see a drop-down list of groups to select the exact container for attribute assignment.

The list of applied attributes also contains a Group name field.

Access to role attributes management is controlled on a per-group basis. Group permissions are enforced for every group selected or shown separately, depending on Group:Attributes:List and Group:Attributes:Manage permissions.


[Screenshot: Membership details for role production (group filter /test.pva.vo, Search users; user1 listed with a Dismiss role link, 1-1 of 1) and Generic attributes management for role production (Group, Attribute and Attribute value inputs, Set an attribute; assigned attribute priority = 68 in /test.pva.vo/group1 with delete link)]
Figure 3.26: Manage detail role parameters

3.2.2.4 Manage Attributes

By clicking on the Attributes link in the left Manage menu you get redirected to the attribute management interface (Fig. 3.27).

[Screenshot: assigned user attributes table with the columns Attribute name, Attribute value and User DN & CA (nickname, priority entries; 1-4 of 4), the Search user attributes field and the Manage attribute classes link]
Figure 3.27: Attributes management interface


With Attributes:List permissions granted you can see the list of assigned general user attributes. The table consists of the following columns:

• Attribute name: the defined name of the attribute;

• Attribute value: the value of the assigned attribute;

• User DN & CA: the member with the assigned attribute; the member common name is clickable and leads to the detailed user management interface (see section 3.2.2.1).

Above the assigned attributes list you can see the Search user attributes button along with a filter input field. Attribute search works exactly the same as the Search users function described in section 3.2.2.1.

[Figure 3.28 screenshot: "Create a new attribute description" form for VO test.pva.vo with fields Attribute name, Attribute description, Unique constraint (check-box) and a Create! button, followed by the list of defined attributes]
    Attribute name   Attribute value                    Unique check
    nickname         user screenname                    false   delete
    department       Name of actual organization unit   false   delete
    priority         internal scheduler priority        false   delete

Figure 3.28: Manage defined VO attributes

With Attributes:Manage permissions granted you can see and follow the Manage attribute classes link. By clicking on it you enter the VO attribute definitions management interface (Fig. 3.28).

The interface first provides a form for a new attribute definition. You need to enter the attribute name, a human-readable attribute description (for example its usage purpose) and optionally tick the Unique constraint check-box. With the unique constraint enabled you cannot assign equal values of the attribute to different users (groups or roles). Clicking on the Create! button defines the new attribute for the VO.

Entering an existing attribute name changes that attribute's description instead of creating a new attribute. The unique constraint cannot be changed for already defined attributes.

The list of already defined attributes is shown below the form, including description and unique flag. Each row contains a delete link that deletes the attribute definition along with all of its assignments.

3.2.3 Configuration

By clicking on the Configuration link in the menu you can browse the VO configuration settings (Fig. 3.29). Browsing the configuration is allowed for any client, even an unauthenticated one: the data shown here (server host, port and certificate DN) is what clients need in order to find and trust the VOMS server, which is why it is public.

The VO configuration page provides the permanent link to the PHP VOMS-Admin interface for this VO, the vomses string for credential retrieval clients, and example mkgridmap and nordugridmap configurations for building the grid-mapfile for this VO.

[Figure 3.29 screenshot: Configuration information for VO moldyngrid, viewed without authentication ("Current user: use HTTPS for authentication")]

PHP VOMS-Admin URL for this VO:
    https://grid.org.ua/voms/moldyngrid

VOMSES string for this VO:
    "moldyngrid" "grid.org.ua" "15110" "/DC=org/DC=ugrid/O=hosts/O=KNU/CN=grid.org.ua" "moldyngrid"
    "moldyngrid" "moldyngrid.org" "15110" "/DC=org/DC=ugrid/O=hosts/O=IMBG/CN=moldyngrid.org" "moldyngrid"

Example Mkgridmap configuration for this VO:
    group voms://grid.org.ua/voms/moldyngrid .moldyngrid
    group voms://moldyngrid.org/voms/moldyngrid .moldyngrid

Example ARC [vo] block configuration for the nordugridmap utility:
    [vo]
    id="vo_moldyngrid"
    vo="moldyngrid"
    source="voms://grid.org.ua/voms/moldyngrid"
    source="voms://moldyngrid.org/voms/moldyngrid"
    mapped_unixid=".moldyngrid"
    file="/etc/grid-security/grid-mapfile"

Figure 3.29: Browsing VO configuration

When replication between several PHP VOMS-Admin instances has been established, the vomses string and the utility configurations automatically include all replicas. This configuration ensures redundant operation of clients when one of the servers becomes unavailable.

[Figure 3.30 screenshot: the same Configuration information page for VO moldyngrid as in figure 3.29, viewed as the authenticated user Andrii Salnikov; the "VOMSES string for this VO:" heading now carries a (recreate vomses) link.]

Figure 3.30: Recreate vomses for VO configuration

If the client was successfully authenticated and has Preferences:Write permissions, a recreate vomses link is also shown (Fig. 3.30). Since version 0.6 the vomses information is retrieved directly from the database, without reading the actual certificate DN from disk. When you change the voms-server parameters or certificate you therefore need to recreate the vomses string stored in the database by clicking the recreate vomses link; until you do, the page keeps advertising the old server DN to clients.
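The vomses records and the mkgridmap / nordugridmap blocks on the configuration page are mechanically related, and the stale-DN problem described above is easy to check for. The following Python script is an added example, not part of PHP VOMS-Admin: it parses vomses records in the five-field layout shown in figure 3.29, rejects malformed records (wrong field count, bad port, missing server DN), derives both utility configurations from the same records, and compares the stored server DN with the DN a live server presents. The sample input is constructed from figure 3.29; the voms://host/voms/VO source URL form, the record validation rules and the function names are assumptions made for the example.

```python
"""Parse VOMS 'vomses' records and derive the mkgridmap / nordugridmap
configuration that the PVA Configuration page displays.

Added example, not PHP VOMS-Admin's own code. It assumes the record
layout shown in figure 3.29: five double-quoted fields per record,
  "<alias>" "<host>" "<port>" "<server certificate DN>" "<VO name>"
and the voms://<host>/voms/<vo> source URL form used by both utilities.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the two replica records for VO moldyngrid
# from figure 3.29, one record per line (as in a real vomses file).
SAMPLE_VOMSES = '''
"moldyngrid" "grid.org.ua" "15110" "/DC=org/DC=ugrid/O=hosts/O=KNU/CN=grid.org.ua" "moldyngrid"
"moldyngrid" "moldyngrid.org" "15110" "/DC=org/DC=ugrid/O=hosts/O=IMBG/CN=moldyngrid.org" "moldyngrid"
'''

_QUOTED = re.compile(r'"([^"]*)"')


@dataclass(frozen=True)
class VomsesRecord:
    alias: str
    host: str
    port: int
    server_dn: str
    vo: str

    def source_url(self) -> str:
        return f"voms://{self.host}/voms/{self.vo}"


def parse_vomses(text: str) -> list[VomsesRecord]:
    """Parse vomses text (one record per line); reject malformed records."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _QUOTED.findall(line)
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 quoted fields, found {len(fields)}")
        alias, host, port, dn, vo = fields
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"line {lineno}: invalid port {port!r}")
        if not dn.startswith("/"):
            # An empty or malformed DN means clients cannot verify the server
            # certificate; this is the case 'recreate vomses' exists to repair.
            raise ValueError(f"line {lineno}: server DN {dn!r} is not an OpenSSL-style DN")
        records.append(VomsesRecord(alias, host, int(port), dn, vo))
    return records


def mkgridmap_config(records, vo: str, unix_account: str | None = None) -> str:
    """One 'group <voms url> <account>' line per replica serving the VO."""
    account = unix_account or "." + vo
    return "\n".join(f"group {r.source_url()} {account}" for r in records if r.vo == vo)


def nordugridmap_config(records, vo: str, unix_account: str | None = None,
                        mapfile: str = "/etc/grid-security/grid-mapfile") -> str:
    """ARC [vo] block listing every replica as a source."""
    lines = ["[vo]", f'id="vo_{vo}"', f'vo="{vo}"']
    lines += [f'source="{r.source_url()}"' for r in records if r.vo == vo]
    lines += [f'mapped_unixid="{unix_account or "." + vo}"', f'file="{mapfile}"']
    return "\n".join(lines)


def stale_records(records, presented_dns: dict[str, str]) -> list[str]:
    """Hosts whose stored vomses DN differs from the DN the server now presents.

    presented_dns maps host -> subject DN read from the live server certificate
    (obtained out of band, e.g. with openssl s_client); a mismatch means the
    vomses string must be recreated before clients will trust that replica.
    """
    return [r.host for r in records
            if r.host in presented_dns and presented_dns[r.host] != r.server_dn]


if __name__ == "__main__":
    recs = parse_vomses(SAMPLE_VOMSES)
    print(mkgridmap_config(recs, "moldyngrid"))
    print(nordugridmap_config(recs, "moldyngrid"))
```

Feed the script the vomses text copied from the Configuration page and the subject DN of each replica's host certificate; any host reported by stale_records needs a recreate vomses on the server before clients will accept a proxy from it.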


3.2.4 Subscriptions

The Subscriptions link is shown in the menu when granted by Requests:List. The link leads to the subscriptions management interface (Fig. 3.31).

[Figure 3.31 screenshot: Subscriptions page for VO test.pva.vo; left menu See: Pending requests, Processed requests. "Pending VO Membership requests": Andrii Salnikov (Testbed CA) with approve and reject links.]

Figure 3.31: Pending subscription requests

3.2.4.1 Pending requests

By default you will see the Pending requests view of the subscriptions management (Fig. 3.31). Confirmed user membership requests in pending state are shown line by line. The approve and reject links at the right end of every line are shown to VO managers with Requests:Set permissions.

By clicking on the approve link the membership request is approved: a new VO user is created, the request is moved to the Processed requests list and the user is notified about the approval.

By clicking on the reject link the membership request is rejected: the request is moved to the Processed requests list and the user is notified about the rejection.

The user name in the pending requests list is also clickable, providing a detailed view of the membership request (Fig. 3.32). User contact information (e-mail, institute and phone), submission date and credentials are shown in the detailed view.

If you are granted Requests:Set permissions you also see the legend You can reject or approve this request for membership, where the approve and reject links are clickable and have the same effect as described above.

3.2.4.2 Processed requests

By clicking on the Processed requests link in the left menu you can see a list of processed VO membership requests (Fig. 3.33).

The processed requests list is similar to the pending requests list, displaying the names of the processed users on the left and the decision taken (approved or rejected) on the right.

Clicking on a user name leads to the membership request details view, which contains the same information as for pending requests (Fig. 3.32). In addition to the basic request info, the decision taken and the request evaluation date are shown for already processed requests.

To view processed requests you also must have Requests:List permissions granted.

3.2.5 Preferences

The Preferences link is shown in the menu when granted by Preferences:Read permissions. The link leads to the preferences options control interface. Display preferences are shown by default.

[Figure 3.32 screenshot: "Detailed view of VO membership request" for VO test.pva.vo]
    Submission date:      2011-06-10 12:15:57
    User DN:              /C=UA/O=KNU/OU=People/CN=Andrii Salnikov
    User CA:              /C=UA/O=KNU/CN=Testbed CA
    User CN:              Andrii Salnikov
    User email address:   [email protected]
    Institute:            Taras Shevchenko National University of Kyiv
    User phone:           +3804411122233
    Comment:              (empty)
    You can reject or approve this request for membership.

Figure 3.32: Pending subscription requests details

[Figure 3.33 screenshot: "Processed VO Membership requests" for VO test.pva.vo: Andrii Salnikov (Testbed CA) rejected; Andrii Salnikov (Testbed CA) approved.]

Figure 3.33: Processed VO membership requests

3.2.5.1 Display

Display preferences handle VO-specific values which affect how information about the VO is displayed. Without Preferences:Write permissions you see a read-only view of the options (Fig. 3.34).

The display options control the VO description (shown on the List served VOs general operations page), the VO homepage URL (home icon on List served VOs), the VO usage rules link (shown when filling in a new member registration form) and the default CA, the default certification authority DN used when manually adding new users.

When Preferences:Write permissions are granted, you can edit the VO display preferences. The edit interface is shown in figure 3.35. VO description, VO homepage URL and usage rules link can be edited directly in the corresponding edit-box. The default CA is chosen from the trusted CA list with a drop-down control.

[Figure 3.34 screenshot: "VO test.pva.vo display preferences", read-only; left menu Options: Display, Transactions, Replication, Event Log. Page text: "Display preferences handle VO specific values which affect displaying information about the VO. These parameters can be changed any time on demand of the VO administrator."]
    VO description:         PVA testing VO
    Homepage URL:           http://grid.org.ua/development/pva
    VO usage rules link*:   http://www.apache.org/licenses/LICENSE-2.0
    Default CA:             /DC=org/DC=ugrid/CN=UGRID CA

Figure 3.34: Read-only VO display preferences

[Figure 3.35 screenshot: the same page with editable boxes for the four values above, a drop-down for Default CA and an Update button.]

Figure 3.35: Edit VO display preferences

After changing the display preferences you need to click the Update button for the changes to take effect.

3.2.5.2 Transactions

By clicking on the Transactions link in the preferences options menu you get redirected to the transaction logging view. At the top of the page you can see a status message indicating whether transaction logging is enabled or not.

If you are granted Preferences:Write permissions, a link to change the transaction logging status is shown along with the status message (Fig. 3.36).

Replication relies on transaction logging. You cannot disable transaction logging while at least one replication agreement is established.

[Figure 3.36 screenshot: "VO test.pva.vo transaction logging preferences": Transaction log is now disabled. (enable)]

Figure 3.36: Enabling transactions logging

[Figure 3.37 screenshot: "VO testbed.univ.kiev.ua transaction logging preferences": Transaction log is now enabled. (disable). Page text: "Recent VO administration activities are listed below. This only covers transactional operations that change database content. Read-only operations, such as SOAP requests or information access, are not logged."]

    Transaction time      Performed by                                  Operation description
    2011-03-02 21:11:12   Ievgen Sliusar from Local PHP VOMS-Admin      Membership request for user 'BorysenkoAndrii' validated by 'Testbed CA' has been accepted
    2011-03-02 20:48:17   BorysenkoAndrii from Local PHP VOMS-Admin     Membership request confirmed by user 'BorysenkoAndrii' validated by 'Testbed CA'
    2011-03-02 20:47:33   BorysenkoAndrii from Local PHP VOMS-Admin     New membership request from user 'BorysenkoAndrii' validated by 'Testbed CA'
    2011-02-25 14:00:49   Ievgen Sliusar from Local PHP VOMS-Admin      Grant membership for user 'Oleksandr Sudakov' in group '/testbed.univ.kiev.ua' with role 'VO-Admin'
    2011-02-25 14:00:25   Ievgen Sliusar from Local PHP VOMS-Admin      Membership request for user 'Oleg Bezshyyko' validated by 'Testbed CA' has been accepted
    2011-02-25 13:59:16   Oleg Bezshyyko from Local PHP VOMS-Admin      Membership request confirmed by user 'Oleg Bezshyyko' validated by 'Testbed CA'
    2011-02-25 13:56:36   Oleg Bezshyyko from Local PHP VOMS-Admin      New membership request from user 'Oleg Bezshyyko' validated by 'Testbed CA'
    2011-02-11 15:34:02   Andrii Salnikov from moldyngrid.org           Variable 'vomses_moldyngrid_org' stored with value '"testbed.univ.kiev.ua" "moldyngrid.org" "15100" "/DC=org/DC=ugrid/O=hosts/O=IMBG/CN=grid.imbg.org.ua" "testbed.univ.kiev.ua"' inside transaction
    2011-02-11 15:34:02   Andrii Salnikov from moldyngrid.org           Variable 'vomses_moldyngrid_org' stored with value '"testbed.univ.kiev.ua" "moldyngrid.org" "15100" "/DC=org/DC=ugrid/O=hosts/O=IMBG/CN=grid.imbg.org.ua" "testbed.univ.kiev.ua"' inside transaction
    2011-02-11 15:34:02   Andrii Salnikov from chimera.biomed.kiev.ua   Variable 'vomses_chimera_biomed_kiev_ua' stored with value '"testbed.univ.kiev.ua" "chimera.biomed.kiev.ua" "15123" "" "testbed.univ.kiev.ua"' inside transaction
    « newer | older »

Figure 3.37: Transactions log viewer

When the transaction log is enabled, a transaction log viewer (Fig. 3.37) is displayed after the status message.

The transaction log viewer lists all recorded transactions in a table sorted by commit time in descending order. Only operations that change database content are performed inside transactions and thus get logged. Read-only operations, such as SOAP requests or information browsing, are not logged, so the transaction log is an audit trail of administrative changes, not of attribute lookups by clients.


The table has three columns:

• Transaction time: date and time of the transaction;

• Performed by: who performed the operation and where; Local PHP VOMS-Admin indicates that the transaction was performed on this server; when multi-master replication is established and the transaction was performed on a replica, the FQDN of the replica server is displayed instead (moldyngrid.org and chimera.biomed.kiev.ua in figure 3.37);

• Operation description: human-readable description of the operation performed inside the transaction.

At the bottom right of the table the links newer and older are displayed, allowing you to page through the transaction log.

3.2.5.3 Replication

By clicking on the Replication link in the preferences options menu you can browse the replication status and change replication preferences. More information about the replication process and its security internals can be found in section 5.1.

3.2.5.3.1 Overview of replication details A replication status message is displayed first and indicates whether replication agreements exist or not.

[Figure 3.38 screenshot: "VO test.pva.vo replication preferences": VO database replication is now disabled. (enable)]

Figure 3.38: Replication status (no agreements established)

If no replication agreements exist, the status message says that replication is disabled (Fig. 3.38). When Preferences:Write permissions are granted, you will see an enable link. By clicking on it you get redirected to the new agreement establishment form. When some agreements already exist, you reach the same form by following the Create new replication agreement link (Fig. 3.40).

Replication relies on transaction logging. You cannot establish replication without enabling the transaction log.

There is no explicit link to disable replication; it is disabled automatically when all agreements are removed.

Without Preferences:Write permissions you can only browse the agreement status here (Fig. 3.39). The configured replication (transaction syncing) interval is shown together with the list of replication agreements.

The established agreements list has two columns: replica server distinguished name and synchronization status. The synchronization status reflects the success of syncing in the established agreement and can have one of the following values:

• UNCONFIRMED: initial state of a new agreement (before peer confirmation);

• INITIALIZED: agreement confirmed, but no sync performed yet;

• LAST SYNC: successful sync (time of the last sync operation shown);

• LAST SYNC (same label): there was no successful sync during the last three sync intervals; the time shown is that of the last successful sync operation, so compare it with the configured interval to spot a stalled replica.

[Figure 3.39 screenshot: "VO testbed.univ.kiev.ua replication preferences", read-only. VO database replication is now enabled. Sync with other servers every 30 minutes. List of replication agreements: /DC=org/DC=ugrid/O=hosts/O=IMBG/CN=moldyngrid.org LAST SYNC: 2011-04-22 19:09:01; /DC=org/DC=ugrid/O=hosts/O=NSCMBR/CN=chimera.biomed.kiev.ua LAST SYNC: 2011-06-12 21:26:02 (note the much older timestamp of the first entry).]

Figure 3.39: Replication status (with agreements established, read-only)

[Figure 3.40 screenshot: the same replication preferences page for VO testbed.univ.kiev.ua with write permissions: "Sync with other servers every 30 minutes (edit)", the two agreements listed as in figure 3.39, and a Create new replication agreement link.]

Figure 3.40: Replication status (with agreements established)

With Preferences:Write permissions granted you can change the synchronization interval by clicking on the edit link (Fig. 3.40). The link enables a drop-down list of possible synchronization intervals, allowing you to choose one according to the frequency of operations.

HINT for the VOMS server administrator! You can verify that the replication process is enabled for a VO and check its transaction synchronization interval from the server shell by reviewing the crontab of the web-server user. For example:

[root@pva-server ~]# crontab -l -u apache
13,33,53 * * * * (cd /usr/share/pva && php modules/cron.php moldyngrid) >/dev/null
24,54 * * * * (cd /usr/share/pva && php modules/cron.php testbed.univ) >/dev/null

Here moldyngrid is synchronized every 20 minutes and testbed.univ every 30 minutes.
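Reading the interval off a minute field by hand is error-prone once several VOs are served. The following Python script is an added example, not part of PHP VOMS-Admin: it parses the output of crontab -l -u apache in the format of the hint above, expands each job's minute field (a comma list, */N or *), derives the effective sync interval per VO, flags VOs with no job or an irregular schedule, and compares the result with the interval shown in the web interface. The sample crontab is constructed from the hint; the regular expression for the cron.php command line and the function names are assumptions made for the example.

```python
"""Check PVA replication cron jobs and report each VO's sync interval.

Added example, not part of PHP VOMS-Admin. It assumes the crontab line
format from the hint above: a minute field (a comma list, */N or *), four
'*' fields, and a command containing 'php modules/cron.php <vo>'.
"""
import re
import sys

# Constructed sample: the `crontab -l -u apache` output shown in the hint.
SAMPLE_CRONTAB = """\
13,33,53 * * * * (cd /usr/share/pva && php modules/cron.php moldyngrid) >/dev/null
24,54 * * * * (cd /usr/share/pva && php modules/cron.php testbed.univ) >/dev/null
"""

# minute hour day-of-month month day-of-week ... php modules/cron.php <vo>
_JOB = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+.*?php\s+modules/cron\.php\s+([^\s)]+)")


def minute_marks(field: str) -> list:
    """Expand a cron minute field into the sorted minutes of the hour it fires on."""
    if field == "*":
        return list(range(60))
    step = re.fullmatch(r"\*/(\d+)", field)
    if step:
        return list(range(0, 60, int(step.group(1))))
    marks = sorted({int(x) for x in field.split(",")})
    if marks[0] < 0 or marks[-1] > 59:
        raise ValueError(f"minute out of range in {field!r}")
    return marks


def sync_interval(field: str):
    """Minutes between runs, or None if the marks are not evenly spaced
    (the wrap from the last mark of one hour to the first of the next counts)."""
    marks = minute_marks(field)
    gaps = {b - a for a, b in zip(marks, marks[1:])}
    gaps.add(60 - marks[-1] + marks[0])
    return gaps.pop() if len(gaps) == 1 else None


def replication_jobs(crontab_text: str) -> dict:
    """Map VO name -> sync interval in minutes for every PVA cron job found.

    None marks a job whose schedule is not a plain every-N-minutes pattern
    and should be reviewed by hand.
    """
    jobs = {}
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _JOB.match(line)
        if not m:
            continue
        minute, hour, dom, month, dow, vo = m.groups()
        if (hour, dom, month, dow) != ("*", "*", "*", "*"):
            jobs[vo] = None
            continue
        jobs[vo] = sync_interval(minute)
    return jobs


def check_vo(crontab_text: str, vo: str, expected_minutes: int) -> str:
    """Compare the cron job for a VO with the interval shown in the web interface."""
    jobs = replication_jobs(crontab_text)
    if vo not in jobs:
        return f"{vo}: no replication cron job, replication is not running for this VO"
    if jobs[vo] is None:
        return f"{vo}: irregular schedule, review the crontab entry"
    if jobs[vo] != expected_minutes:
        return f"{vo}: cron runs every {jobs[vo]} min, web interface says {expected_minutes}"
    return f"{vo}: OK, syncing every {jobs[vo]} min"


if __name__ == "__main__":
    # Pipe `crontab -l -u apache` into the script; falls back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    for name, minutes in replication_jobs(text).items():
        print(name, "every", minutes, "minutes" if minutes else "(irregular)")
```

Run it as crontab -l -u apache | python3 check_pva_cron.py on the VOMS server; a VO that is enabled in the web interface but missing from the output has no cron job and will never synchronize.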

[Figure 3.41 screenshot: "VO testbed.univ.kiev.ua replication preferences", agreement details for /DC=org/DC=ugrid/O=hosts/O=NSCMBR/CN=chimera.biomed.kiev.ua]
    Agreement code:        9D3SZ75SNNRNFP5Z (remove agreement)
    Server endpoint:       https://chimera.biomed.kiev.ua/voms/testbed.univ.kiev.ua/
    Endpoint IP address:   194.44.249.81
    Agreement status:      LAST SYNC: 2011-06-13 12:24:02
    Replicant code:        D9Q8MFANAEAYOHOH (edit)

Figure 3.41: Replication agreement details

The replica server distinguished name is clickable; the link points to the replication agreement details (Fig. 3.41). The detailed information shown for a replica DN includes:

• Agreement code: this server's agreement code, to be authorized by the peer (see 3.2.5.3.2);

• Server endpoint: URL of the replica server endpoint for this VO;

• Endpoint IP address: IPv4 address of the endpoint server, used for peer authentication;

• Agreement status: agreement synchronization status (the same values as described above);

• Replicant code: the remote server's agreement code, used for peer authentication.

If you are granted Preferences:Write permissions, you will also see a remove agreement link next to the agreement code and an edit link next to the replicant code (Fig. 3.41).

By clicking on the remove agreement link you will be warned that your VO database may be out of sync after the agreement removal and asked for confirmation. After your confirmation the agreement will be removed.

Removing a replication agreement does not remove the agreement information from the transaction log, so you can still see the correct source of past transactions.

By clicking on the edit link you can change the remote server agreement code used for peer authentication. This may be useful in case of remote server reinstallation: you can change the agreement code without complete agreement removal and creation from scratch.

Changing the agreement code resets the agreement status to UNCONFIRMED. This means that you need to completely rewrite the database on the consumer (see section 3.2.5.3.2), which is definitely the desired action on PVA reinstallation. This behaviour has another use as a consequence: you can deliberately reset an agreement to UNCONFIRMED to force a database rewrite in case of any bugs with transaction syncing.

3.2.5.3.2 Establishing replication agreement To establish the first replication agreement you need to follow the enable link (Fig. 3.38) on both PHP VOMS-Admin servers involved. You need to have Preferences:Write permissions granted to proceed.

[Figure 3.42 screenshot: "VO testbed.univ.kiev.ua replication preferences", "Create agreement with new replicant". Page text: "Fill the form below to establish new replication agreement. Open the same window on the replicant and cross-enter agreement codes. Note: Creating an agreement does not enable replication itself, but is required for replicant authorization! If you want to establish a "full-mesh" replication between more than two servers, you need to establish replication agreements on every server to every other server."]
    Agreement code:    BEDL8WBN9XP2RL4I (generated by this server)
    Replicant DN:      (input)
    Replicant CA:      (input)
    Server endpoint:   https:// (input) /voms/testbed.univ.kiev.ua/
    Replicant code:    (input)
    [Create]

Figure 3.42: New replication agreement form

The agreement establishment form collects the parameters required for peer authorization. You should enter the following parameters (Fig. 3.42):

• Replicant DN: distinguished name of the peer PVA server certificate;

• Replicant CA: distinguished name of the certification authority that signed the peer PVA server certificate;

• Server endpoint: FQDN of the peer PVA server (the https:// prefix and the /voms/<VO>/ path are supplied by the form);

• Replicant code: the authorization code from the Agreement code field of the peer PVA server's form.

To successfully establish an agreement you need to cross-enter the agreement codes on both peers. Treat the codes as shared secrets: together with the replicant DN and CA they are what authorizes the peer for transaction synchronization with your database.

Creating an agreement does not enable replication by itself. Clicking on the Create button puts the new agreement into the UNCONFIRMED state. This state indicates that the agreement record has been created in the database, but the peer confirmation procedure has not yet been completed.

To proceed with peer confirmation you need to open the details of the UNCONFIRMED replication agreement (by clicking on the replica server DN in the list of replication agreements).

With Preferences:Write permissions granted you can see the confirmation instructions (Fig. 3.43). During the confirmation process the replicant agreement code is used for authorization, to ensure that the code is valid. The second purpose of the confirmation process is to ensure that the database content is the same on both sides. To obtain identical database content, a complete database refill is performed.

You need to perform the database refill to confirm the replication agreement, so at this point you choose which PVA instance is the information consumer and which is the producer. Naturally, the PVA that has already served the VO for some time and contains the actual information is the producer, and the newly established replica is the consumer. When a VO installs several PVA instances from scratch, it does not matter which instance is the consumer. Back up the consumer database before the refill, and note that after the refill you may lose your administrator privileges on the consumer, as the confirmation page warns.

First, you need to confirm the consumer. Set the Overwrite local database with replicant data check-box and click the Confirm button on the consumer instance. After the database refill the message "Congratulations! Database was successfully filled with replicant data. Replication with this peer has entered active state." will be shown and the agreement state will change to INITIALIZED.

[Figure 3.43 screenshot: "VO testbed.univ.kiev.ua replication preferences", agreement details for /DC=org/DC=ugrid/O=hosts/O=IMBG/CN=moldyngrid.org]
    Agreement code:        BEDL8WBN9XP2RL4I (remove agreement)
    Server endpoint:       https://moldyngrid.org/voms/testbed.univ.kiev.ua/
    Endpoint IP address:   194.44.249.91
    Agreement status:      UNCONFIRMED
    Replicant code:        UHIQ36AK5TNZNAXJ (edit)
    "This agreement requires confirmation. Confirmation ensures that the replicant code is valid and may be used for regular transaction synchronization. To begin transaction synchronization you also need to ensure that the databases on the different PVA instances are identical. For that purpose the consumer PVA instance must completely rewrite its own database with the provider's data. If this PVA instance has to be established as consumer, set the check-box below to completely refill the database. ATTENTION! Backing up the current consumer database before rewriting server data is STRONGLY recommended. ATTENTION! After a database refill you may lose your administrator privileges. If you have already applied as the consumer for another replicant in a multi-replica environment and already took part in the transaction synchronization process, you may omit the database refill."
    [ ] Overwrite local database with replicant data    [Confirm]

Figure 3.43: Confirm replication agreement

Then navigate to the agreement confirmation page on the producer and click the Confirm button WITHOUT setting the check-box. The message "Agreement successfully confirmed." will appear and the agreement state will change to INITIALIZED.

You CANNOT confirm the producer before the consumer; if you try, you will get the error message "Agreement confirmation failed (remote or this instance does not consume database)".

3.2.5.3.3 Adding more replication agreements Further replication agreements can be established by following the Create new replication agreement link (Fig. 3.40) on both PHP VOMS-Admin servers involved. You need to have Preferences:Write permissions granted to proceed.

Follow the procedure described in section 3.2.5.3.2 to reach the UNCONFIRMED state. Then confirm the replicants sequentially to keep the databases consistent in a multi-replica environment.

Generally speaking, agreement confirmation will succeed if:

• a database refill was requested, or

• the replicant on the other side of the agreement has already confirmed (with the refill procedure), or

• you already have confirmed, active agreements.

Let's proceed with an example configuration: the 1st PVA server contains the original working database and we want to establish the 2nd and 3rd servers as full-mesh replicas.


The following confirmation sequence ensures safety:

• consume the database from the 1st, confirming the agreement on the 2nd;

• confirm the agreement to the 2nd on the 1st (the 2nd has already confirmed this agreement);

• consume the database from the 1st, confirming the agreement on the 3rd;

• confirm the agreement to the 3rd on the 1st (the 3rd has already confirmed this agreement);

• confirm the agreement to the 3rd on the 2nd (the 2nd already has a confirmed agreement);

• confirm the agreement to the 2nd on the 3rd (the 3rd already has a confirmed agreement).

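The confirmation rules of sections 3.2.5.3.1 to 3.2.5.3.3 form a small state machine, and getting the order wrong on real servers costs a database refill. The following Python model is an added example, not PHP VOMS-Admin code: it encodes cross-entered agreement codes, the UNCONFIRMED to INITIALIZED transition, the consumer-before-producer rule with the error message quoted above, the reset caused by editing a replicant code, and the safe full-mesh sequence for one producer and any number of replicas, so an operator can rehearse the procedure offline. The instance names, the dictionary standing in for the VO database, the code generator and the function names are assumptions made for the example; the model does not talk to any server.

```python
"""Model of the PHP VOMS-Admin replication agreement handshake.

Added example, not PVA's own code. It encodes the rules this manual states
in sections 3.2.5.3.1 to 3.2.5.3.3: agreement codes are cross-entered on
both servers; confirmation moves an agreement from UNCONFIRMED to
INITIALIZED; a confirmation without database refill succeeds only if the
peer has already confirmed, or this instance already holds a confirmed
agreement; editing the replicant code resets the agreement. The instance
names, the in-memory stand-in for the VO database and the code generator
are assumptions made for the example.
"""
import secrets
import string

UNCONFIRMED, INITIALIZED = "UNCONFIRMED", "INITIALIZED"
_ALPHABET = string.ascii_uppercase + string.digits


class AgreementError(Exception):
    """Carries the failure message the web interface would display."""


def new_code(length=16):
    """Random agreement code; 16 uppercase alphanumerics as in figures 3.41-3.43 (format assumed)."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


class Agreement:
    def __init__(self, peer):
        self.peer = peer                    # remote PvaInstance
        self.agreement_code = new_code()    # our code, to be authorized by the peer
        self.replicant_code = None          # the peer's code, entered by the admin
        self.status = UNCONFIRMED


class PvaInstance:
    def __init__(self, name, db):
        self.name = name
        self.db = dict(db)                  # stand-in for the VO database content
        self.agreements = {}                # peer name -> Agreement

    def create_agreement(self, peer):
        self.agreements[peer.name] = Agreement(peer)
        return self.agreements[peer.name]

    def _authorized(self, peer):
        """Peer authorization: each side holds the other's agreement code."""
        mine = self.agreements.get(peer.name)
        theirs = peer.agreements.get(self.name)
        return bool(mine and theirs
                    and mine.replicant_code == theirs.agreement_code
                    and theirs.replicant_code == mine.agreement_code)

    def _has_confirmed_agreement(self):
        return any(a.status == INITIALIZED for a in self.agreements.values())

    def confirm(self, peer, overwrite_local_db=False):
        """The Confirm button; overwrite_local_db is the consumer check-box."""
        if not self._authorized(peer):
            raise AgreementError("Agreement confirmation failed (replicant code not authorized)")
        mine, theirs = self.agreements[peer.name], peer.agreements[self.name]
        if overwrite_local_db:
            self.db = dict(peer.db)         # consumer: complete database refill from the producer
        elif theirs.status != INITIALIZED and not self._has_confirmed_agreement():
            # producer confirmed before the consumer has consumed
            raise AgreementError("Agreement confirmation failed "
                                 "(remote or this instance does not consume database)")
        mine.status = INITIALIZED
        return mine.status

    def edit_replicant_code(self, peer, code):
        """Re-entering the peer's code (e.g. after its reinstall) forces a fresh UNCONFIRMED state."""
        ag = self.agreements[peer.name]
        ag.replicant_code, ag.status = code, UNCONFIRMED


def cross_enter(a, b):
    """Create the agreement on both servers and copy each code into the other's form."""
    ag_a, ag_b = a.create_agreement(b), b.create_agreement(a)
    ag_a.replicant_code, ag_b.replicant_code = ag_b.agreement_code, ag_a.agreement_code


def full_mesh(producer, *replicas):
    """Confirm a full mesh in the safe order of section 3.2.5.3.3; returns the steps taken."""
    peers = (producer,) + replicas
    for i, x in enumerate(peers):
        for y in peers[i + 1:]:
            cross_enter(x, y)
    steps = []
    for r in replicas:                      # each replica consumes from the producer first
        r.confirm(producer, overwrite_local_db=True)
        steps.append(f"{r.name} consumed database from {producer.name}")
        producer.confirm(r)
        steps.append(f"{producer.name} confirmed agreement with {r.name}")
    for i, r in enumerate(replicas):        # then replicas confirm each other without refill
        for other in replicas[i + 1:]:
            r.confirm(other)
            steps.append(f"{r.name} confirmed agreement with {other.name}")
            other.confirm(r)
            steps.append(f"{other.name} confirmed agreement with {r.name}")
    return steps


if __name__ == "__main__":
    pva1 = PvaInstance("pva1", {"users": ["user1"], "roles": ["production"]})
    for step in full_mesh(pva1, PvaInstance("pva2", {}), PvaInstance("pva3", {})):
        print(step)
```

The order produced by full_mesh for one producer and two replicas is exactly the six-step sequence listed above; confirming the producer side first raises the same "does not consume database" error the web interface shows.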
3.2.5.4 Event Log

By clicking on the Event Log link in the preferences options menu you get redirected to the deferred operations event log viewer. For actions that run outside the browser interface, the event log is the tool for the VO administrator to notice errors that may have occurred.

In version 0.6 the only deferred operations are replication processes, which rely on the cron daemon to run the regular transaction synchronization. In future versions not only replication errors may be logged, but also, for example, security incidents or debug messages.

[Figure 3.44: screenshot of the VO management page (Users list) for VO testbed.univ.kiev.ua, showing the banner "PVA needs your attention! There are 375 unhandled log events in the queue." above the user list]

Figure 3.44: New log events notification on VO management

If you have Preferences:Write permissions, entering the base PHP VOMS-Admin URL for the VO shows the notification of figure 3.44 whenever unhandled events are present in the log.

The event log viewer shows the following information (Fig. 3.45):

• Subsys: the PHP VOMS-Admin subsystem in which the event occurred, preceded by the message log level character (the meaning of the log level characters is listed below). In version 0.6 only the Replication subsystem records error events in this log;

• Message: the event message stored by the log subsystem;

• Occurrence: the time at which the event occurred; when the same event occurs several times, the number of logged events and the time interval are displayed instead.


[Figure 3.45: screenshot of Preferences > Event Log for VO testbed.univ.kiev.ua. The page header reads: "PVA event log for VO testbed.univ.kiev.ua operation. List of events that happened outside your visits to the PVA web-interface are listed below. Events cover deferred operations like replication and security incidents that occurred due to intentional or accidental user actions." The event table shown:]

Subsys          Message                                                                    Occurrence
E Replication   RPC Error #1: Specified VO is not served by this endpoint                  39 times from 2011-06-12 18:56 till 2011-06-13 13:54
E Replication   Endpoint connection error: Couldn't resolve host 'chimera.biomed.kiev.ua'  76 times from 2011-06-05 23:26 till 2011-06-07 12:56
E Replication   Endpoint connection error: connect() timed out!                            221 times from 2011-04-26 14:26 till 2011-06-01 13:56
E Replication   Endpoint connection error: name lookup timed out                           3 times from 2011-06-01 12:56 till 2011-06-01 13:56
E Replication   Endpoint connection error: couldn't connect to host                        34 times from 2011-04-26 15:56 till 2011-06-01 13:26
E Replication   Endpoint connection error: SSL connect error                               2 times from 2011-05-11 16:56 till 2011-05-18 14:26

Figure 3.45: Event log viewer (read-only)

The log level character can be one of the following:

• E: Error (something went wrong and prevented proper operation)

• W: Warning (something went wrong but the operation succeeded)

• I: Info (notice about some operational event)

• V: Verbose (verbose notice about some operational event)

• D: Debug (debugging message)

When the event log viewer is accessed with Preferences:Write permissions granted, additional control links are shown (Fig. 3.46).

After looking at an event you can click take notice next to it, confirming that you have taken notice of the event and that there is nothing to worry about (such as temporary connection problems or DNS reachability). After taking notice, the notification about that event disappears.

At the bottom of the event list you can click take notice of all the events to handle all the events in one click.

If you receive an event that you cannot resolve because of an internal server failure, please contact your VOMS server administrator.

3.2.6 Other VOs on this server

Clicking the Other VOs on this server link in the menu takes you to the List served VOs view, the default general PHP VOMS-Admin operation view (see section 3.1).


[Figure 3.46: the same event log page as Fig. 3.45, opened with Preferences:Write permissions: each event row has a take notice link, a take notice of all the events link follows the table, and the page header adds: "Clicking on take notice you confirm that you have taken notice of the event and the notification about it will disappear. If you receive events due to improper operation of the VOMS server, or need help handling a system event, please Contact VOMS Server Admin."]

Figure 3.46: Event log viewer


Chapter 4

Using SOAP interface

PHP VOMS-Admin implements the VOMSCompatibility interface to serve SOAP requests. The version query methods (getMajorVersionNumber, getMinorVersionNumber and getPatchVersionNumber) are not really useful; they return WSDL version 2.0.2 for compatibility.

The getGridmapUsers method is used to retrieve a list of DNs. The method has an optional argument to get the list of DNs for a specified container only. The container format is the following:

/voname[/group[/subgroup...]][/Role=role][/Capability=capability]

Capabilities are deprecated and are not handled by PHP VOMS-Admin, nor by the original Java VOMS-Admin.

In version 0.6 the listMembers method from the VOMSAdmin WSDL is implemented as well. This was done mainly because the AMGA service uses this method instead of the interoperable compatibility interface.

Requests can be sent via SOAP directly (POST request) or using special URL parameters (GET request) for compatibility with Java VOMS-Admin and grid-mapfile generation tools like edg-mkgridmap. The base URL for SOAP requests is https://pva.server/voms/voname/services/VOMSCompatibility. If the wsdl parameter is specified, the WSDL file is returned.

Use the method parameter to specify the method to call via GET request, and container to provide the optional container value when invoking getGridmapUsers.

For example, the following URL returns the list of testbed.univ.kiev.ua VO members with role VO-Admin in the root group:

https://grid.org.ua/voms/testbed.univ.kiev.ua/services/VOMSCompatibility?method=getGridmapUsers&container=/testbed.univ.kiev.ua/Role=VO-Admin
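As an added example (not part of PHP VOMS-Admin; the helper names are my own), the following Python code parses a container string according to the grammar above and builds the GET form of a getGridmapUsers request. It assumes only the URL layout the manual gives, https://server/voms/voname/services/VOMSCompatibility, and it refuses the deprecated Capability attribute instead of silently passing it on.

```python
# Added example, not PHP VOMS-Admin code: container parsing and the GET form
# of getGridmapUsers. Helper names are my own; the URL layout is the manual's.
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlencode


@dataclass
class Container:
    vo: str
    groups: List[str] = field(default_factory=list)
    role: Optional[str] = None
    capability: Optional[str] = None   # deprecated: parsed so it can be rejected


def parse_container(container: str) -> Container:
    """Parse /voname[/group[/subgroup...]][/Role=role][/Capability=capability].

    Anything outside that grammar raises ValueError, so a malformed or
    hand-crafted container value never reaches the query layer.
    """
    if not container.startswith("/"):
        raise ValueError("container must start with /")
    parts = container[1:].split("/")
    if not parts[0]:
        raise ValueError("missing VO name")
    result = Container(vo=parts[0])
    for part in parts[1:]:
        if not part:
            raise ValueError("empty path component")
        if part.startswith("Role="):
            if result.role is not None or result.capability is not None:
                raise ValueError("Role= may appear once, before Capability=")
            result.role = part[len("Role="):]
            if not result.role:
                raise ValueError("empty role")
        elif part.startswith("Capability="):
            if result.capability is not None:
                raise ValueError("Capability= may appear at most once")
            result.capability = part[len("Capability="):]
        elif result.role is not None or result.capability is not None:
            raise ValueError("groups must precede Role= and Capability=")
        elif "=" in part:
            raise ValueError(f"unknown attribute {part!r}")
        else:
            result.groups.append(part)
    return result


def is_valid_container(container: str) -> bool:
    try:
        parse_container(container)
    except ValueError:
        return False
    return True


def build_request(base: str, vo: str, container: Optional[str] = None) -> str:
    """GET form of getGridmapUsers for VO `vo` on server `base`
    (e.g. https://grid.org.ua), optionally restricted to `container`."""
    params = {"method": "getGridmapUsers"}
    if container is not None:
        parsed = parse_container(container)
        if parsed.vo != vo:
            raise ValueError("container VO does not match the endpoint VO")
        if parsed.capability is not None:
            raise ValueError("Capability is deprecated and not handled by PVA")
        params["container"] = container
    return f"{base}/voms/{vo}/services/VOMSCompatibility?{urlencode(params)}"
```

urlencode percent-encodes the slashes and the equals sign inside the container value; the server decodes them, so the result is equivalent to the literal URL above. Checking the container before it reaches the query string is worthwhile because the VO named in the container must match the VO in the path, and an unknown attribute or an empty component is a sign of a malformed or hand-crafted request.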

The PVA distribution also includes VOMSCompatibility2.php, which provides a more accurate SOAP implementation based on the PHP-SOAP class. Unfortunately, PHP SOAP is not compatible with the AXIS 1.2 used in Java VOMS-Admin. A detailed description of the problem is provided in the "NOTE" comment inside the script body.


Chapter 5

Brief overview of some PHP VOMS-Admin internals

5.1 Replication process

PHP VOMS-Admin replication uses the pull model: information about new transactions performed on replicants is retrieved on demand by a PVA request. No information is pushed to any PVA instance.

Replication uses its own RPC interface for pulling transactions and relies on the system cron daemon to perform synchronization. The RPC interface supports the following operations:

• ping: echo request to ensure that the endpoint supports PVA RPC;

• status: return the agreement status based on client authentication;

• ltt: return the last transaction timestamp;

• tdiff: return all transactions since the requested time;

• alldata: return the complete database content for refilling.

All operations except ping require client authentication. RPC security relies on several things. The client verifies the server certificate signature using TLS on the connection, ensuring that the data comes from the trusted source named in the agreement. The server uses the client IP address and the authorization code obtained during agreement establishment. Client certificate authentication is not used because handing the private key of the entire server to PHP does not provide much security, especially when other web sites are served alongside PHP VOMS-Admin and replication is configured per VO.

The first line of an RPC response contains a numeric and a readable response code (zero is RPC_OK, non-zero represents an error). The next line contains the JSON-encoded request result on success.

The general replication algorithm consists of the following steps:

• on a regular basis, contact all replica servers and get their last transaction time (ltt);

• compare the replicant's ltt value with the one recorded in your own database (NOTE: time is always relative to each server, so that clock desynchronization between servers does not matter);

• if the returned ltt equals the recorded one, finish;

• otherwise get all transactions since the ltt stored in your own database (tdiff);

• gather the transactions retrieved from all agreements and resolve possible conflicts (use the UUID to find duplicate transactions);

• apply the transactions to the current database;

• update the stored ltt for each agreement.
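The following Python model is an added example, not PVA's own code: it runs the pull algorithm above for the ltt and tdiff operations between in-memory replicas, with each replica's timestamps taken from its own clock and duplicate transactions resolved by UUID. The exact response layout (a "0 RPC_OK" status line followed by a JSON line) and the non-zero error codes are assumptions made for the example; the manual only fixes that zero means RPC_OK and that the JSON result follows on success. The `authorized` flag stands in for the IP address and authorization code check.

```python
# Added example, not PVA code: a model of the pull-based synchronization of
# section 5.1. The "<code> <text>" status line and the non-zero codes are
# assumptions; the manual only fixes that zero means RPC_OK and that a JSON
# result line follows on success.
import json
from typing import Dict, List, Optional, Tuple

RPC_OK = 0


def encode_rpc_response(code: int, text: str, payload=None) -> str:
    first = f"{code} {text}"
    return first if code != RPC_OK else first + "\n" + json.dumps(payload)


def parse_rpc_response(raw: str) -> Tuple[int, str, Optional[object]]:
    """Return (code, text, payload); payload is None unless code == RPC_OK."""
    lines = raw.split("\n", 1)
    code_str, _, text = lines[0].partition(" ")
    code = int(code_str)
    if code != RPC_OK:
        return code, text, None
    if len(lines) < 2:
        raise ValueError("RPC_OK response without a JSON result line")
    return code, text, json.loads(lines[1])


class Replica:
    """One PVA instance. Transactions are keyed by UUID and timestamped with
    this instance's own clock; the ltt recorded per agreement is the peer's."""

    def __init__(self, name: str):
        self.name = name
        self.clock = 0
        self.log: Dict[str, dict] = {}          # uuid -> transaction
        self.recorded_ltt: Dict[str, int] = {}  # peer name -> ltt last seen

    def local_change(self, tx_uuid: str, op: str) -> None:
        self.clock += 1
        self.log[tx_uuid] = {"uuid": tx_uuid, "op": op, "ts": self.clock}

    def ltt(self) -> int:
        return max((t["ts"] for t in self.log.values()), default=0)

    # Server side of the RPC interface (ltt and tdiff only; ping, status and
    # alldata are omitted). `authorized` stands in for the IP + code check.
    def rpc(self, method: str, since: int = 0, authorized: bool = True) -> str:
        if not authorized:
            return encode_rpc_response(1, "RPC_AUTH_FAILED")
        if method == "ltt":
            return encode_rpc_response(RPC_OK, "RPC_OK", self.ltt())
        if method == "tdiff":
            txs = sorted((t for t in self.log.values() if t["ts"] > since),
                         key=lambda t: t["ts"])
            return encode_rpc_response(RPC_OK, "RPC_OK", txs)
        return encode_rpc_response(2, "RPC_UNKNOWN_METHOD")

    # Client side: one cron run over all agreements of this instance.
    def sync(self, peers: List["Replica"]) -> List[str]:
        """Pull from every peer; return the UUIDs of newly applied transactions."""
        gathered: Dict[str, dict] = {}
        seen_ltt: Dict[str, int] = {}
        for peer in peers:
            code, _, remote_ltt = parse_rpc_response(peer.rpc("ltt"))
            if code != RPC_OK:
                continue                      # PVA logs this to the event log
            stored = self.recorded_ltt.get(peer.name, 0)
            if remote_ltt == stored:
                continue                      # nothing new on this peer
            code, _, txs = parse_rpc_response(peer.rpc("tdiff", since=stored))
            if code != RPC_OK:
                continue
            for tx in txs:
                gathered.setdefault(tx["uuid"], tx)   # UUID dedups across peers
            seen_ltt[peer.name] = remote_ltt
        applied: List[str] = []
        for tx_uuid, tx in gathered.items():
            if tx_uuid in self.log:
                continue                      # already applied or originated here
            self.clock += 1
            self.log[tx_uuid] = {"uuid": tx_uuid, "op": tx["op"], "ts": self.clock}
            applied.append(tx_uuid)
        self.recorded_ltt.update(seen_ltt)    # advance ltt per agreement
        return applied
```

Two details carry the weight here. The ltt stored per agreement is the peer's own timestamp, never the local clock, so the comparison is unaffected by clock skew between servers. And the UUID check runs both across peers in one run and against the local log, which is what stops a transaction that already travelled 1st → 2nd from being applied a second time when the 1st later pulls it back from the 2nd.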


5.2 Autoincrement problem in multi-master replication process

INSERT INTO SQL statements on tables with autoincrement primary keys may break transaction synchronization.

Creating a new record (e.g. the createUser call) generates the ID automatically. Within one agreement synchronization interval the same function can be called on different PVA instances, leading to ID duplication and information desynchronization.

Let's investigate an example: two PVA instances with a replication agreement configured. Inside the next synchronization interval createUser('user1') was called on PVA1 and createUser('user2') on PVA2. The autoincrement value for the new user will be the same on PVA1 and PVA2, say 30. After sync, 'user1' and 'user2' are created with the next autoincrement ID on the other server. This results in the following database state:

-- PVA1 --        -- PVA2 --
30 user1          30 user2
31 user2          31 user1

Deleting 'user1' on PVA2 calls deleteUser(31); replicated to PVA1, this deletes 'user2' instead of 'user1'.

To overcome this issue with integer autoincrement, primary keys would have to use UUIDs instead of IDs, but for compatibility with the credential signing daemon and Java VOMS-Admin the database schema could not be changed this way.

Transparent use of UUIDs becomes possible with the following concept:

• a separate table holds the mapping between IDs and UUIDs;

• all functions that change the database in PVA code handle the UUID first, with top priority, and fall back to the ordinary table ID when no UUID mapping exists;

• functions that perform INSERT INTO add the new autoincrement ID to the UUID map; the UUID is then saved in the transactions table;

• replicated transactions already have the UUID identifier attached to the function arguments;

• when a replicated function is called, the new autoincremented ID is mapped to the same UUID that is referenced in the function arguments.
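The following Python script is an added example (not PVA's code) that reproduces the ID collision above on two in-memory SQLite databases and then shows the UUID-map concept: a uuid_map side table keyed by table name and integer ID, a resolve step that prefers the UUID and falls back to the integer ID, and createUser/deleteUser variants whose replicated arguments carry the UUID. The table and column names (usr, uuid_map) and the transaction replay helper are assumptions made for illustration.

```python
# Added example, not PVA code: the section 5.2 collision on SQLite, then the
# ID-to-UUID map that fixes it. Table/column names are assumed.
import sqlite3
import uuid
from typing import Optional

SCHEMA = """
CREATE TABLE usr (userid INTEGER PRIMARY KEY AUTOINCREMENT, dn TEXT NOT NULL);
CREATE TABLE uuid_map (tbl TEXT NOT NULL, id INTEGER NOT NULL, uuid TEXT NOT NULL,
                       PRIMARY KEY (tbl, id), UNIQUE (tbl, uuid));
"""


class Instance:
    """One PVA instance: legacy integer-keyed schema plus a UUID side table."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)
        self.transactions = []   # (function name, args) to replay on peers
        self.recording = True    # off while replaying a peer's transactions

    def _record(self, fn: str, args: tuple) -> None:
        if self.recording:
            self.transactions.append((fn, args))

    # --- naive variants: replicated arguments are local integer IDs ---
    def create_user_naive(self, dn: str) -> int:
        cur = self.db.execute("INSERT INTO usr (dn) VALUES (?)", (dn,))
        self._record("create_user_naive", (dn,))
        return cur.lastrowid

    def delete_user_naive(self, userid: int) -> None:
        self.db.execute("DELETE FROM usr WHERE userid = ?", (userid,))
        self._record("delete_user_naive", (userid,))

    # --- UUID-aware variants: replicated arguments carry the UUID ---
    def create_user(self, dn: str, tx_uuid: Optional[str] = None) -> str:
        tx_uuid = tx_uuid or str(uuid.uuid4())   # replayed calls reuse the original
        cur = self.db.execute("INSERT INTO usr (dn) VALUES (?)", (dn,))
        self.db.execute("INSERT INTO uuid_map VALUES ('usr', ?, ?)", (cur.lastrowid, tx_uuid))
        self._record("create_user", (dn, tx_uuid))
        return tx_uuid

    def resolve(self, tbl: str, uuid_or_id) -> Optional[int]:
        """UUID mapping has priority; fall back to a plain integer ID."""
        row = self.db.execute("SELECT id FROM uuid_map WHERE tbl = ? AND uuid = ?",
                              (tbl, str(uuid_or_id))).fetchone()
        if row:
            return row[0]
        return int(uuid_or_id) if str(uuid_or_id).isdigit() else None

    def delete_user(self, uuid_or_id) -> bool:
        userid = self.resolve("usr", uuid_or_id)
        if userid is None:
            return False
        self.db.execute("DELETE FROM usr WHERE userid = ?", (userid,))
        self.db.execute("DELETE FROM uuid_map WHERE tbl = 'usr' AND id = ?", (userid,))
        self._record("delete_user", (uuid_or_id,))
        return True

    def users(self) -> list:
        return sorted(dn for (dn,) in self.db.execute("SELECT dn FROM usr"))


def replay(src: Instance, dst: Instance, start: int) -> int:
    """Apply src.transactions[start:] on dst without re-recording them."""
    dst.recording = False
    for fn, args in src.transactions[start:]:
        getattr(dst, fn)(*args)
    dst.recording = True
    return len(src.transactions)


def seed_same_state(*instances: Instance) -> None:
    """Both instances hold identical replicated data, so both hand out ID 30 next."""
    for inst in instances:
        inst.db.execute("INSERT INTO sqlite_sequence (name, seq) VALUES ('usr', 29)")


def naive_scenario() -> tuple:
    """Integer IDs: deleting user1 on PVA2 deletes user2 on PVA1."""
    pva1, pva2 = Instance(), Instance()
    seed_same_state(pva1, pva2)
    pva1.create_user_naive("user1")      # ID 30 on PVA1
    pva2.create_user_naive("user2")      # ID 30 on PVA2
    replay(pva1, pva2, 0)                # user1 becomes ID 31 on PVA2
    pos = replay(pva2, pva1, 0)          # user2 becomes ID 31 on PVA1
    pva2.delete_user_naive(31)           # administrator deletes user1 on PVA2
    replay(pva2, pva1, pos)              # PVA1 deletes its ID 31, which is user2
    return pva1.users(), pva2.users()


def uuid_scenario() -> tuple:
    """Same sequence with UUID-carrying arguments: both sides delete user1."""
    pva1, pva2 = Instance(), Instance()
    seed_same_state(pva1, pva2)
    u1 = pva1.create_user("user1")
    pva2.create_user("user2")
    replay(pva1, pva2, 0)
    pos = replay(pva2, pva1, 0)
    pva2.delete_user(u1)                 # resolves to ID 31 on PVA2 ...
    replay(pva2, pva1, pos)              # ... and to ID 30 on PVA1 via uuid_map
    return pva1.users(), pva2.users()
```

naive_scenario() ends with PVA1 holding only user1 and PVA2 holding only user2, the desynchronization described above; uuid_scenario() ends with user2 on both sides. The integer column and its AUTOINCREMENT behaviour are untouched in the second variant, which is the point of the design: the legacy schema stays as the signing daemon and Java VOMS-Admin expect it, and only the replicated call arguments change.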


Chapter 6

Acknowledgments

I would like to thank our old computing equipment for inspiring me to develop PHP VOMS-Admin :-) The joke, of course.

I am pleased to thank my friend and colleague Ievgen Sliusar for productive discussions, debate of ideas and English text corrections.

This is a great opportunity to express my personal respect to Oxana Smirnova, Mattias Ellert andother members of Nordugrid Collaboration for assistance with PHP VOMS-Admin project, especially forproviding code repository, bug tracking system and packaging.

Finally, my thanks and gratitude go to chief of Information and Computer Center Dr. Yurij Boyko andhead of Parallel Computing Lab Dr. Oleksandr Sudakov under whose mentorship the Grid developmentis constantly growing at the Taras Shevchenko National University of Kyiv.

With best regards,
Andrii Salnikov
