Tips for the VOMS EMI 2 certification
1 VOMS Admin server configuration settings

In order to quickly certify the VOMS Admin service, the default value of some settings has to be changed. All these changes should be put in the YAIM configuration used for certification, in particular in the <SITE_INFO_DIR>/services/glite-voms file.

1.1 More frequent membership check

The membership control checks are done by a VOMS Admin background task that runs, by default, every 10 minutes. In order to quickly see whether the VOMS Admin membership check behaves as expected, set a shorter membership check interval using the following YAIM variable:

  VOMS_ADMIN_MEMBERSHIP_CHECK_PERIOD=30

1.2 Short Sign AUP task lifetime

Sign AUP tasks are created for users in two cases:
  VOMS_ADMIN_SIGN_AUP_TASK_LIFETIME=-1

In this way Sign AUP tasks are created with an expiration date equal to the creation date, so it is easy to check whether users that didn't sign the AUP are indeed suspended. A trick below explains another way of changing the expiration date of Sign AUP tasks.

1.3 YAIM VOMS defaults

The default values and the documentation for the VOMS YAIM variables can be found in:
  /opt/glite/yaim/defaults/glite-voms.pre

1.4 VOMS and VOMS Admin configuration files

Configuration files for VOMS are found in:
  /etc/voms/<vo>
Configuration files for VOMS Admin are found in:
  /etc/voms-admin/<vo>

1.5 VOMS and VOMS Admin log files

Log files for VOMS are found in:
  /var/log/voms
Log files for VOMS Admin are found in:
  /var/log/tomcat5   (SL5)
  /var/log/tomcat6   (SL6)

2 Tips and tricks

2.1 VOMS admin commands help

  voms-admin --list-commands          (displays all commands available)
  voms-admin --help <command-name>    (displays help about a given command)

2.2 VOMS admin and command line arguments

The voms-admin client enforces the following convention when parsing command-line arguments:
  voms-admin [options] <command> <arg0> <arg1> <arg2>
This means that options, i.e. those things prepended by --, MUST always be given before the command.
In practice:
  voms-admin --vo cert.mysql --description "test" create-group /cert.mysql/test   (OK)
  voms-admin create-group --vo cert.mysql --description "test" /cert.mysql/test   (ERROR)

2.3 VOMS admin client and certificates

If you run the voms-admin client as root, it will use the host certificate in /etc/grid-security/hostcert.pem to authenticate against the voms-admin-server.
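The credential lookup order described in this section (root uses the host certificate; a normal user's proxy in /tmp is tried first, then $HOME/.globus) decides which identity every voms-admin command is performed under, so it is worth checking before a batch of changes. The following pre-flight check is an added example and not part of the original page or of the voms-admin client itself; the proxy file name /tmp/x509up_u<uid> and the file name usercert.pem under $HOME/.globus are the usual Globus conventions, assumed here because the page does not name them, and all paths are parameters so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original page): report which credential
# voms-admin would pick up, following the lookup order of section 2.3.
# Assumptions: proxy name /tmp/x509up_u<uid> and user certificate
# $HOME/.globus/usercert.pem (Globus conventions, not stated on the page).
#
# voms_admin_credential UID HOME_DIR TMP_DIR [ETC_DIR]
# Prints the credential path and returns 0, or returns 1 if none is found.
voms_admin_credential() {
    uid="$1"; home="$2"; tmp="$3"; etc="${4:-/etc}"
    if [ "$uid" -eq 0 ]; then
        # root authenticates with the host certificate
        cred="$etc/grid-security/hostcert.pem"
    elif [ -f "$tmp/x509up_u$uid" ]; then
        # a normal user: the grid proxy in /tmp wins if it exists
        cred="$tmp/x509up_u$uid"
    elif [ -f "$home/.globus/usercert.pem" ]; then
        # otherwise the long-lived user certificate (password will be asked)
        cred="$home/.globus/usercert.pem"
    else
        return 1
    fi
    [ -f "$cred" ] || return 1
    printf '%s\n' "$cred"
}

# proxy_still_valid FILE [MIN_SECONDS]
# 0 if FILE is a certificate that is still valid for MIN_SECONDS (default 300).
proxy_still_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-300}" >/dev/null 2>&1
}

# credential_report UID HOME_DIR TMP_DIR [ETC_DIR]
# Human-readable summary; non-zero exit when no usable credential is present.
credential_report() {
    cred=$(voms_admin_credential "$1" "$2" "$3" "${4:-/etc}") || {
        echo "no credential found: run voms-proxy-init or install a user certificate" >&2
        return 1
    }
    case "$cred" in
        */x509up_u*)
            if proxy_still_valid "$cred"; then
                echo "proxy $cred (valid)"
            else
                echo "proxy $cred is expired or about to expire: run voms-proxy-init" >&2
                return 2
            fi ;;
        */hostcert.pem)
            echo "host certificate $cred (commands are performed with the host identity)" ;;
        *)
            echo "user certificate $cred (the private-key password will be requested)" ;;
    esac
}

# Stand-alone usage for the current user (uncomment to run):
# credential_report "$(id -u)" "$HOME" /tmp
```

Running the report as root tells you that every command will be attributed to the host identity, which is rarely what you want for administrative changes; as a normal user it tells you whether a proxy is in place and still valid, so a long loop of voms-admin calls (sections 2.4 and 2.5) does not stop half-way with a password prompt or an expired proxy.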
If you run voms-admin as a normal user, it will look for a proxy in /tmp and, if it doesn't find one, it will look in $HOME/.globus.
If the private key is protected by a password it will ask for a password whenever a command is run.
A convenient way to use voms-admin as a non-root user is to run voms-proxy-init first to create a grid proxy:
  voms-proxy-init

voms-admin will then use the proxy and will not bother about passwords until proxy expiration. Note that voms-proxy-init is not usually installed on a VOMS node, but can be easily installed with:
  yum install voms-clients

2.4 Create multiple users in a row

The following command creates 150 users in VOMS (n.b. change the email address to your own):

  for i in `seq 1 150`; do \
    voms-admin --nousercert --vo cert.mysql --name "User $i" \
      --surname "Test" --institution "IGI" \
      --address "No address" --phoneNumber "051 150 051" \
      create-user \
      "Test$i" \
      "/C=IT/O=INFN/CN=INFN CA" \
      "Test User $i" "andrea.ceccanti@cnaf.infn.it"; \
  done

2.5 Create multiple groups in a row

  for i in `seq 1 150`; do \
    voms-admin --vo cert.mysql --description "This is test group $i" \
      create-group /cert.mysql/test-group-$i; \
  done

2.6 How to find out which credentials are used by VOMS to connect to the database

In the default configuration VOMS and VOMS Admin use the same credentials to access the database. These can be found in:
  /etc/voms/<vo>/voms.conf                          (VOMS)
  /etc/voms-admin/<vo>/voms.database.properties     (VOMS Admin)

2.7 How to quickly change membership expiration date for users

The membership expiration date for each user is stored in the VOMS database in the usr table.
To change the end time for all users use the following command on the db:
  update usr set end_time = "2012-04-24";

To change it only for a given set of users, use the where clause:
  update usr set end_time = "2012-04-24" where userid > 2 and userid < 10;

The command above changes the end_time only for users whose userid is greater than 2 and less than 10.

2.8 How to quickly change expiration date for pending Sign AUP tasks

  update task set expiryDate = "2012-04-28" where status = "CREATED";

-- AndreaCeccanti - 2012-04-25
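The updates in sections 2.7 and 2.8 are typed straight into the database, and a mistyped date or a missing where clause silently rewrites every row. The following helper is an added example, not part of the original page or of VOMS: it builds exactly the statements shown above, but only after checking that the date has the YYYY-MM-DD shape and that an id range, if given, is numeric and well ordered, and it prefixes the update with a count of the rows that will be touched. Table and column names (usr.end_time, usr.userid, task.expiryDate, task.status) are the ones given on the page; nothing is executed by the helper itself, the output is meant to be piped into the mysql client with the credentials located as described in section 2.6.

```shell
#!/bin/sh
# Added example (not from the original page): generate the SQL of sections
# 2.7 and 2.8 with input validation, so that only a well-formed date ever
# reaches the statement and an id range cannot be inverted or left open.

# is_iso_date YYYY-MM-DD -> 0 if the argument has that shape, 1 otherwise
is_iso_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# is_uint N -> 0 if N is a non-empty string of digits
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# membership_expiry_sql DATE [MIN_ID MAX_ID]
# Without an id range every user is affected, as in section 2.7; with one,
# only users whose userid is strictly between MIN_ID and MAX_ID. The first
# statement reports how many rows the update will change.
membership_expiry_sql() {
    date="$1"; min="$2"; max="$3"
    is_iso_date "$date" || { echo "bad date: $date" >&2; return 1; }
    where=""
    if [ -n "$min" ] || [ -n "$max" ]; then
        is_uint "$min" && is_uint "$max" && [ "$min" -lt "$max" ] \
            || { echo "bad id range: '$min' '$max'" >&2; return 1; }
        where=" where userid > $min and userid < $max"
    fi
    printf 'select count(*) as rows_to_change from usr%s;\n' "$where"
    printf 'update usr set end_time = "%s"%s;\n' "$date" "$where"
}

# aup_task_expiry_sql DATE
# Moves the expiry of every pending (status CREATED) Sign AUP task, section 2.8.
aup_task_expiry_sql() {
    is_iso_date "$1" || { echo "bad date: $1" >&2; return 1; }
    printf 'update task set expiryDate = "%s" where status = "CREATED";\n' "$1"
}

# Stand-alone usage (uncomment; <user> and <dbname> come from the files in 2.6):
# membership_expiry_sql 2012-04-24 2 10 | mysql -u <user> -p <dbname>
# aup_task_expiry_sql 2012-04-28      | mysql -u <user> -p <dbname>
```

Because the date is checked against a fixed character pattern before it is interpolated, a value such as `2012-04-24"; drop table usr; --` is rejected instead of being passed on to the database, and an inverted range (`10 2`) fails rather than producing a where clause that matches nothing or everything.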