This file contains a history of user-visible changes in VOMS Admin.

* Changes in glite-voms-admin-server 1.2.19.

** Service changes

*** Bug #13888: Got more roles than expected for user ""

Fixed. Voms-admin failed to retrieve roles when there were two users with the same DN (but different CAs, and thus two distinct users) registered in the db.

*** Bug #15794: voms and voms-admin status script return value incorrect

Now the voms-admin init script returns the correct return value.

* Changes in glite-voms-admin-server 1.2.18.

** Service changes

*** Bug #17476: voms-admin fails in creating users correctly on oracle

A missing commit statement caused the user creation to fail from time to time on an Oracle installation.

** Installation changes

*** Bug #15539: voms-admin must support oracle complex connection strings

Support for Oracle long connection strings has been implemented in the voms-admin-configure script. It is now possible to pass the connection string to be used via the --oracle-conn-string parameter at configuration time.

* Changes in glite-voms-admin-server 1.2.17.

** Service changes

*** Generic attributes support

Support for generic attributes has been implemented in this release. Now administrators can bind generic (name,value) attributes to specific users, groups or roles in the voms databases. These attributes are then encoded as attribute certificates in the proxy certificate generated by voms.

*** DBCP connection pool support

Support for the Apache DBCP connection pool has been included in this release. The new connection pool implementation can be enabled by setting the voms.database.dbcp-pool configuration parameter in $GLITE_LOCATION_VAR/etc/voms-admin//voms.database.properties.

*** Bug #16246: voms-admin-configure fails when DBA password contains '

Fixed. Now the dba admin password is correctly escaped by the voms-admin-configure script.

*** Bug #16245: Removing a VO should call check_parameters()

Fixed.

*** Bug #16472: VOMS Admin voms.request.webui.enabled config parameter does not work

Implemented. Now request.webui may be disabled at configuration time.

*** Bug #15566: VOMS Admin does not enforce the correct group semantics

Previous versions of VOMS Admin allowed users to be members of subgroups without being members of their parent groups. Also, users could have a role in a group without being a normal member of the group. This bug is now fixed.

** Installation changes

*** voms.massage script included in the package:

Running this script will fix the results of /opt/glite/etc/config/scripts/glite-voms-server-config.py --configure by correcting the Oracle library paths and setting up the Admin and VOMS services to use the correct connection string to access the production database cluster at CERN. It will also set up the *_W accounts on Oracle.

*** voms-ping and voms-check script included in the package:

The voms-ping script is used to monitor the behaviour of the voms servers. Its return status will be 0 if all servers are up and running, 1 otherwise. For more information see https://uimon.cern.ch/twiki/bin/view/LCG/VomsWlcgHa.

The voms-check script uses voms-ping to check voms status and, in case of failures, sends warnings via email to a specified set of interested remote parties.

*** HOW_TO_INSTALL_A_PRODUCTION_VO instructions included in the package

* Changes in glite-voms-admin-server 1.2.16

** This is an incremental bugfix release.

** Service changes

*** Bug #13592: Error when displaying the list of all VO requests

Some logging instructions caused the deserialization of requests stored in the database to hang forever. Fixed.

*** Bug #7634: VOMS ldap synch and signing policies

There was a problem in the code that associates INFN users with the corresponding CA. Fixed (this fixes the "Addolorata" problem (first reported in Bug# 14912)).

** Database changes

*** Bug #14928: Can't change users twice.

The automatic database upgrade method supplied in 1.2.13 to fix this bug was broken. This version contains a fixed upgrade method.

* Changes in glite-voms-admin-server 1.2.15

** This is an incremental bugfix release.

** Service changes

*** Bug #14912: VOMS ldap-sync script runs manually but not from cron

Fixed some bugs and typos in the cron-voms-ldap-sync and glite-environment-sh scripts that prevented the correct cron-voms-ldap-sync script behaviour. Note that cron-voms-ldap-sync needs to know the GLITE_LOCATION, GLITE_LOCATION_VAR and GLITE_LOCATION_LOG environment variables in order to behave correctly. This can be ensured by defining those variables in the crontab file, like:

    # Glite environment variables
    GLITE_LOCATION=/opt/glite
    GLITE_LOCATION_VAR=/opt/glite/var
    GLITE_LOCATION_LOG=/var/log/glite

    # Setting MAILTO makes debugging easier...
    MAILTO=youraddress@yourdomain.org

    13 1,7,13,21 * * * /opt/glite/etc/cron/cron-voms-ldap-sync

* Changes in glite-voms-admin-server 1.2.14

** This is an incremental bugfix release.

** Service changes

*** In 1.2.13, the server depended on older versions of the client and interface packages by mistake. This is now fixed.

* Changes in glite-voms-admin-server 1.2.13

** This is an incremental bugfix release. Implements interface version 1.0.3.

** Service changes

*** Bug #14193: grid-mapfile generation doesn't work

Upgrading to Axis 1.2 had the unintended side effect of breaking the command line client and the VOMS backend of the edg-mkgridmap script. As a workaround, this version of VOMS Admin explicitly overrides Axis to the earlier 1.1 version.

*** Bug #14496: Roles cannot be deleted.

A typo broke the role deletion command on the web interface in 1.2.12 and earlier versions.

*** Bug #14398 (LCG Operations): VOMS Admin API failed to list VO member roles as soon as member has two or more roles (when VOMS uses mysql)

One of the SQL queries in VOMS Admin accidentally used syntax that is only available in Oracle.

*** Bug #13891: VOMS Admin rejects numerical configuration parameters with extra whitespace appended.

The service now strips whitespace from all numerical configuration parameters.

*** Bug #14399, bug #14021, bug #14885: Fix some more possible resource leaks.

Be more careful with SQL cursors, possibly fixing some as yet undiscovered leaks.

** Installation changes

*** The --skip-database option was added to voms-admin-configure to let users explicitly forbid the script to recreate/remove the database tables during VO installation/removal.

*** In order not to accidentally delete production data, the database deployment mechanism now refuses to recreate the database if it thinks the database already exists. The heuristic is not always reliable, but it is useful as a first approximation to protect against simple mistakes. If you *do* want to recreate the database from scratch, use the --undeploy-database option with the "remove" command of voms-admin-configure before reinstalling your VO.

*** Bug #14195: "List all VOs on this server" link doesn't work

The voms-admin-configure script generated the siblings context incorrectly in 1.2.12 and below.

*** Bug #12168: [VOMS Admin] Doesn't work well with an empty DBA password

The voms-admin-configure script should now support passwordless MySQL installations.

** Web interface changes

*** Bug #13293: Missing / when adding a user to a certain role

** Database changes

*** Bug #14928: Can't change users twice.

The database deployment mechanism created archive tables with primary keys on them; this broke update and delete operations on users, groups, roles and capabilities.

* Changes in glite-voms-admin-server 1.2.12

** This is an incremental bugfix release. Implements interface version 1.0.2.

** Service changes

*** Bug #10813: Fix critical resource leak in PurgeDeletedRequestsAction.

This was very probably the last (and the most serious) outstanding request-related database resource leak in VOMS Admin.
It explains all the pending request-related bug reports that we have received so far.

* Changes in glite-voms-admin-server 1.2.11

** This is an incremental bugfix release. Implements interface version 1.0.2.

** Service changes

*** Bug #13891: rejects numerical parameters with extra whitespace

The service now strips whitespace from all numerical configuration parameters before trying to parse them as a number.

*** Bug #13863: VOMS Admin fails to boot and locks down the Tomcat instance

In 1.2.10, whenever VOMS Admin failed to start up it froze the entire Tomcat instance, preventing other web apps on the same host from working.

*** The request interface has been made much more robust against BLOB/deserialization problems that plagued the previous versions. The new version allows all requests to be listed even if some of them are broken.

** Installation changes

*** Bug #9173: Initial support for installation outside gLite tree

The voms-admin-configure script now understands and handles VOMS_LOCATION and VOMS_LOCATION_VAR variables to allow installation of VOMS outside of the gLite tree. The support is as yet incomplete and untested.

*** Bug #10434: VOMS server update for a vo not possible

The voms-admin-configure script has been rewritten to allow for changing the parameters of an existing VO. Simply use the install command with an existing VO name, and specify those parameters that you wish to change:

    voms-admin-configure --vo foobar install --mail-from foo@example.org --port 15002

*** Bug #10435: Removing of a vo should use stored parameters

The remove command of the new voms-admin-configure script doesn't require you to needlessly specify all the parameters on the command line. The script reads in the values from the existing config files, and uses them to delete the VO. For example, it is enough to say

    voms-admin-configure --vo foobar remove

to remove the "foobar" VO.
If you want to drop the database tables as well, add the --undeploy-database option to the above command-line.

* Changes in glite-voms-admin-server 1.2.10

** This is an incremental bugfix release. Implements interface version 1.0.2.

*** Bug #9171, bug #10383, bug #12169: [VOMS Admin] New options incorrectly specified

The --tomcat-group, --voms-group, --config-owner and --hostname parameters to voms-admin-configure were broken in previous releases.

*** Bug #12166: [VOMS Admin] Fails to support non-standard MySQL ports

The voms-admin-configure script has been updated to support the new --mysql-port option of vomsd. Non-standard MySQL ports are now fully supported.

*** Bug #10363: voms-admin script sets file permissions incorrectly

If voms-admin-configure had to create directories recursively, it failed.

*** Bug #12167: [VOMS Admin] Uses old name of MySQL driver class

New VOs created by the voms-admin-configure script will set the MySQL driver name to com.mysql.jdbc.Driver, not the deprecated org.gjt.mm.mysql.Driver.

*** Bug #11513: VOMS Admin: Missing slash when adding a user to a (sub)group with a role

Cosmetic fix on the web interface.

*** Bug #10313: VOMS new user - invalid email

The request interface now allows subdomains in email addresses to start with a digit, as in "somebody@4dsoft.hu".

* Changes in glite-voms-admin-server 1.2.9

** This is an emergency bugfix release. Implements interface version 1.0.2.

** Service changes

*** VO creation works again. A change in 1.2.8 accidentally broke the creation of new CAs.

* Changes in glite-voms-admin-server 1.2.8

** This is an incremental bugfix release. Implements interface version 1.0.2.

** Installation changes

*** The default value of voms.default.cache.refresh.period (the default object cache timeout value) has been increased to five minutes (from 60 seconds). This only affects newly created VOs.

** Service changes

*** The time needed for service bootstrap has been improved by preloading all CA instances using a single SQL query. Previously the service loaded each CA one by one.

*** The siblings webapp has been fixed. It was accidentally broken in an earlier version.

** Web interface changes

*** The UI messages on the request interface were rewritten to fix English usage.

** Database changes

*** Bug #10813: The type of the REQUESTS.REQUEST column has been changed to BLOB. The service will automatically upgrade the database during bootstrap.

* Changes in glite-voms-admin-server 1.2.7

** This is an incremental bugfix release. Implements interface version 1.0.2.

** Service changes

*** An Oracle-specific SQL syntax bug was fixed in DBUser.countRoles that broke the "My membership information" page on the Oracle backend.

*** Bug #10813: Always use setBinaryStream to store serialized requests.

* Changes in glite-voms-admin-server 1.2.6

** This is an incremental bugfix release. Implements interface version 1.0.2.

** Service changes

*** Bug #10970, bug #9178, bug #8956: A critical race condition was fixed in the way the service handles database connections. The race could lead to deadlocks when the service is highly loaded. Mkgridmap is an example of the usage pattern that could easily trigger the deadlock.

* Changes in glite-voms-admin-server 1.2.5

** This is an incremental bugfix release. Implements interface version 1.0.2.

** Service changes

*** Fix a typo in the Request.store() method that caused a runtime error when the Request interface was used.

* There was no glite-voms-admin-server 1.2.4 version.

* Changes in glite-voms-admin-server 1.2.3

TODO

* Changes in glite-voms-admin-server 1.2.2

** This is an incremental bugfix release created by Joni Hahkala. Implements interface version 1.0.2.

** Installation changes

*** Remove the "--timeout 30" option from the generated configuration file for vomsd; it caused vomsd to issue certificates with a lifetime of 30 seconds. D'oh!

* Changes in glite-voms-admin-server 1.2.1

** This is an incremental bugfix release created by Joni Hahkala. Implements interface version 1.0.2.

** Service changes

*** Fix an Oracle-specific SQL syntax error in Request.java causing a runtime error on the Request interface.

*** Fix an Oracle-specific SQL syntax error in DBUser.countRoles causing a runtime error on the "My membership info" page.

** Database changes

*** Bug #10813: Use LONG RAW instead of BLOBS to store serialized Request objects on Oracle.

* Changes in glite-voms-admin-server 1.2.0

** This is a new feature release with Oracle support and performance enhancements. Implements interface version 1.0.2. Compatible with vomsd version 1.5.9.

** Installation changes

*** Task #1375: There is now full support for using Oracle as the VOMS Admin database backend. There are six new options to voms-admin-configure for configuring VOMS to use a preconfigured database account:

    --dbtype=TYPE       Database type: "mysql" or "oracle".
                        (Default is "mysql".)
    --dbname=NAME       Database name for the VO's database account.
    --dbusername=NAME   Database user name for the VO's database account.
    --dbpassword=PWD    Database password for the VO's database account.
    --dbhost=HOST       Hostname of the database server.
                        (Default is "localhost".)
    --dbport=PORT       Port number of the database server.
                        (Default is 1521 (Oracle) or 3360 (MySQL).)

This release continues to support the old "--dbapwd" database setup parameters that were offered in previous releases; however, this obsolete interface may disappear in a future VOMS Admin release.

Both MySQL and Oracle may be installed on a remote server; voms-admin-configure has been fixed to make sure that deployment succeeds and both VOMS services are configured correctly in this case.

*** WARNING: The --copy-vomsd option to voms-admin-configure is not supported in this release. Please file a bug report at savannah.cern.ch assigned to 'lorentey' if you want it back. VOMS Admin 1.2.0 expects to create the VOMS database tables itself, and will most likely misbehave if run on a database set up by voms_install_db or a third-party install tool.

*** Bugs #9168, #9170: Support for the --fileinstall option to voms-admin-configure has been removed in this release. If you used it in previous releases, please adapt your deployment methods to use the new --dbtype, --dbusername, etc. options instead.

*** The database deployment mechanism was rewritten in Java. The schema is now defined by a high-level, database-independent description. The script voms-admin-configure now invokes a specially packaged command-line VOMS Admin service to create or drop all tables and indices, and to populate the database with bootstrap rows.

*** Bug #5887: The suggested deployment method now requires the system administrators to set up the database accounts themselves, so username clashes are easily prevented.

*** Bug #9327: The --logfile option is now correctly set up by voms-admin-configure while configuring the VOMS core service.

*** Bug #8869: The documentation of the --code option to voms-admin-configure has been updated to reflect current behaviour.

*** The voms-admin-configure script now configures the VOMS core service with suitable default values for the --timeout, --loglevel and --logtype parameters.

*** Bugs #4119, #9302: The README file in GLITE_LOCATION/etc/voms-admin/web has been updated and expanded to describe the currently provided customization methods.

*** Bug #9128: The voms-admin-configure script now uses the standard environment variables X509_USER_CERT, X509_USER_KEY and X509_CERT_DIR instead of the nonstandard variables used by previous releases.
The renamed variables are listed below:

    X509_CERT        -->  X509_USER_CERT
    X509_CADIR       -->  X509_CERT_DIR
    GLITE_HOST_CERT  -->  X509_USER_CERT
    GLITE_HOST_KEY   -->  X509_USER_KEY
    GLITE_TMP        -->  GLITE_LOCATION_TMP

*** Bug #9172: The voms-admin-configure script now supports setting up the database on a remote MySQL server. Previously, the MySQL command-line client was always executed with 'localhost' as the hardcoded hostname.

*** Bug #9168: Several Perl coding errors have been fixed in voms-admin-configure.

*** Bug #9171: The voms-admin-configure script provides three new options to override the file ownership parameters of configuration files: --config-owner, --tomcat-group and --voms-group.

** Service changes

*** By default, clients from localhost do not bypass the ACL checks any more. Please adapt your remaining local batch processes to use an authenticated connection using the host certificate. You can set the "voms.localhost.has.bypass" parameter to true to restore the former behaviour.

*** The VOMSAdmin.getVOName SOAP method is now publicly available for every client. No authorization checks are made. In previous releases, the client was expected to have the LIST privilege on the VO group to get the VO name.

*** You can now disable some or all parts of the web interface by editing voms.service.properties. For example, it is useful to disable the request interface when users are registered outside of VOMS Admin, e.g. with VOMRS. The new options and their default values are as follows:

    voms.request.webui.enabled   yes
    voms.admin.webui.enabled     yes
    voms.config.webui.enabled    yes
    voms.core.webui.enabled      yes

Please note that these settings only affect the HTML user interface, not the underlying SOAP API, which is always enabled.

*** The new 'voms.readonly' option allows you to set up a read-only VOMS Admin server, in which all update operations are denied.

*** The request scheduler is now enabled by default.
This means that old requests are now deleted from the database by a periodically running background thread. Expired requests and requests which are explicitly deleted on the web interface are _completely_removed_ from the database after a short delay. If you don't like this, you must change the "voms.request.purge.task.period.second" parameter to 0 in voms.service.properties.

Other parameters related to the request scheduler are listed below. (Their meanings are explained in the properties file.)

    voms.complete.requests.expire.after       60
    voms.incomplete.requests.time.out.after   30
    voms.request.expire.task.period.hours     24
    voms.request.timeout.task.period.hours    24
    voms.request.purge.task.period.seconds    1800

*** The three database connection pools (for Updates, Queries and DirectUpdates) have been consolidated into a single pool to reflect that the suggested deployment method has been changed to use a single database account. The database connection handling layer has been rewritten accordingly.

*** Task #1284: The list of known CAs is now always kept in memory. This greatly reduces (in some cases, halves) the number of SQL queries necessary for most SOAP operations.

*** Task #1284: The overall performance of the service has been radically improved by limited caching of queried data across transactions. This reduces the average number of SQL operations executed by a factor of 10-20. In exchange, ACL checks and some read-only SOAP operations may use slightly outdated data if the database is modified outside of the VOMS Admin service instance. (Changes that are made inside an instance automatically update its cached objects.)

Each object type has its own cache.
This release comes with two caches, one for ACLs and one for Admins, with the following default parameters:

    voms.default.cache.refresh.period   60    (i.e., one minute)
    voms.acl.cache.maxsize              0     (i.e., no limit)
    voms.acl.cache.refresh.period       -1    (i.e., use the default)
    voms.admin.cache.maxsize            200

For caches containing mutable objects (like the ACL cache), "refresh period" is the maximum number of seconds that an object may be in the cache without having it refreshed from the database. You can disable caching of mutable objects by setting this to 0.

The "maxsize" parameter sets the maximum number of objects that may be stored in the cache. (If this is exceeded, VOMS Admin deletes the least recently used objects first.)

Note that it is expected that caching is going to be enabled for other object types (users, groups and roles) as well in future VOMS Admin releases.

*** Task #1284: The performance of the ACL checking module has been greatly enhanced in the common case when there is no deny rule and so we can shortcut on the first allow rule found. This, combined with the new caching mechanism, made ACL checks vastly cheaper than they were in VOMS Admin 1.1.x and below. (Instead of 18-20 SQL queries, most checks execute without touching the database.)

*** Bugs #8799, #9105 and #9408: The parameterless VOMSCompatibility.getGridmapUsers SOAP method does not throw InconsistentDatabase any more.

*** Bug #9561: All update grants (ADD, CREATE, DELETE, REMOVE) in ACL entries now implicitly grant the LIST privilege as well. This eliminates the common misconfiguration where a user is able to create groups/add members etc., but cannot list them. Similarly, SET-ACL implies GET-ACL; SET-DEFAULT-ACL implies GET-DEFAULT-ACL; and DELETE-ANY-REQUEST implies LIST-ANY-REQUEST.

** Web interface changes

*** Bug #8295: The HTML VO welcome page at https://server:8443/voms/VONAME/ is now generated dynamically. It shows the VO name and your login information.

*** You can now remove users from groups or roles using the web interface. The previous release removed users from the VO instead by mistake.

*** The included ".pp" content files have been reorganized to follow the URLs that are currently used by the service. This means that there is again a default boilerplate text on the request submission page, and other pages.

** Database changes

*** The service is now fully capable of running on an Oracle database.

*** Bug #9305: The service is now compatible with mysql-connector-java-3.1.8 as the JDBC provider.

* Changes in glite-voms-admin-server 1.1.2

** Emergency bugfix release for gLite 1.2. Implements interface version 1.0.2. Compatible with vomsd version 1.5.4.

** Service changes

*** Bug #9305: Java object serialization problems prevented the request module from working with mysql-connector-java-3.1.8. The module was changed to use a more reliable method for storing Java objects in the database.

** Installation changes

*** Bug #9327: The --logfile parameter was set incorrectly in the voms.conf file generated by voms-admin-configure. This resulted in vomsd's logfiles being stored in the root directory.

** (There was no official 1.1.1 release.)

* Changes in glite-voms-admin-server 1.1.0

** For gLite 1.2. Implements interface version 1.0.2. Compatible with vomsd version 1.5.4.

** Installation changes

*** Bug #8012: The voms-admin-configure script won't complain about missing directories during the first RPM installation anymore. The upgrade & reload mechanism will not run unless there is an existing VO.

*** Bug #8869: The "code" value of vomsd (guaranteeing the uniqueness of attribute certificate serial numbers) is now simply set to the port number used by each vomsd instance. The previous default value (calculated from the current time in addition to the port number) was too wide, which caused problems.

*** Bug #8869: The voms-admin-configure script now includes the --sqlloc option in voms.conf.
(Currently only MySQL is supported by this configuration script.)

*** Bug #8092, Bug #6139: The voms-admin-configure script now makes sure that the example "vomses" file is readable by Tomcat.

** Web interface changes

*** Bug #8868: The group creation page has been changed in order to allow creating subgroups on any level, not just under the VO group.

*** Bug #8006: The "list the roles" page has been fixed so that clicking on a role name shows all users with that role in the VO group, not all VO members.

*** Bug #4122, Bug #7696: The "requester's email" field was deleted from the requests details page, as it was always null.

** Database changes

*** Bug #8870: This version of the Admin service requires database schema version 2. You need not do anything to upgrade your existing databases; their schema will automatically be upgraded on the VOMS Admin web service startup.

* Changes in glite-voms-admin-server 1.0.7

** This is an incremental bugfix release for gLite 1.2.

** Installation changes

*** Bug #8639: The database setup commands were fixed in voms-admin-configure to prevent ERROR 1145. In some cases, MySQL complained about the length of database user names.

* Changes in glite-voms-admin-server 1.0.6

** Part of gLite 1.1. Implements interface version 1.0.2.

** Service changes

*** The "status" command of the init script ($GLITE_LOCATION/etc/init.d/voms-admin) now accepts a list of VOs to query.

*** This release includes the LDAP synchronization infrastructure that was available in VOMS Admin 0.7.x, updated for gLite. See the script $GLITE_LOCATION/sbin/voms-ldap-sync.

** Web interface changes

*** In the previous version, it was impossible to list the members of a subgroup of a role on the web interface. This bug was fixed in this release.

*** The package now installs the customizable templates for the HTML pages as normal files. They are also embedded in VOMS Admin's .war file, as usual.
These templates may be used to customize the text on the user registration pages, or any other page under the /voms//webui/ URL.

* Changes in glite-voms-admin-server 1.0.5

** Service changes

*** The values of GLITE_LOCATION and GLITE_LOCATION_VAR are now included in the context.xml files for all VOMS Admin webapps. This should fix problems with the siblings webapp that is available on https://:8443/vomses/.

*** The notification mechanism has been changed to send administrator notifications to the "mail-smtp-from" address that was specified during VO install. Previously, the service tried to collect the email addresses of administrators from the VO database, which failed rather frequently.

*** The notification messages were enhanced, some missing template values and typos were fixed. The message templates are no longer copied to the VO configuration directories by default. If you want to use the updated messages, you need to remove the contents of the $GLITE_LOCATION_VAR/etc/voms-admin/*/notification directories that were created by earlier versions of the install script.

*** The list-any-request and delete-any-request privileges were introduced in this release. They are only interpreted in the Global ACL. The request administration pages now require the list-any-request privilege to list requests in the VO. Administrators with the delete-any-request privilege may delete any request, including those submitted by other clients. This affects the administrator-oriented request pages at

    https://:8443/voms//webui/request/admin

The submitters of requests are still able to list or delete their own requests by using the user-oriented request pages at

    https://:8443/voms//webui/request/user

* Changes in glite-voms-admin-server 1.0.4

** Service changes

*** The VO certificate is now allowed unlimited VO Admin privileges by default. This allows the command-line client to use a client-authenticated connection to operate on a local VO.
(The insecure listener is disabled in the default Tomcat config.)

*** The service now refuses to start up if any of its database passwords are empty, or set to 'changethis' or 'password'.

*** The service now ensures that new VO users cannot have an issuer that is an internal "virtual" CA of the admin service.

*** A SOAP serialization error was fixed that made it impossible to use SOAP to call any of the ACL-related methods in the previous release.

** Installation changes

*** The VO installation procedure in this release is actively coordinated with the VOMS deployment module. It is now possible to install a working VOMS server using the standard gLite procedure.

*** In previous versions, MySQL database creation sometimes failed with ERROR 1045. The bug was caused by a buffering error on our side. It is now fixed.

*** The VO installation script has been fixed so that it actually works in this release. Several new parameters (--fileinstall, --admincert, --code) allow improved operation. The --smtp-host and --mail-from parameters are now required for the install command. The script's output messages have been enhanced to prevent user confusion. The context.xml file for the admin webapp once again contains the full path to the VO configuration directory; the removal of this information caused trouble for installations with a customized GLITE_LOCATION_VAR value.

*** The postinst script of the server RPM now only restarts the webapp. Previously it also tried to run an automated upgrade.

** Web interface changes

*** The service now uses simple space-separated word patterns instead of regular expressions on all search screens.

*** Enhanced the login box to be more visible when the client is not authenticated.

* Changes in glite-voms-admin-server 1.0.2

** First gLite release, part of gLite 1.0. Implements interface version 1.0.2.

** Service changes

*** The source package has been split up into several smaller packages:

    org.glite.security.voms-admin-interface
        Provides SOAP interface definitions in WSDL format.

    org.glite.security.voms-admin-client
        Provides command-line clients and tools for accessing a remote
        VOMS Admin service.

    org.glite.security.voms-admin-server
        Provides the files necessary for running a VOMS Admin service.
        Includes command-line tools that are only useful on the server
        host.

Each package has its own NEWS file.

*** The package has been adapted for gLite development conventions. This includes replacing the build system, changing the installation location, and various cosmetic updates. The "edg-" prefix has been removed from executable names and URL components.

*** The base path of the web application has been changed from "/edg-voms-admin/VONAME" to "/voms/VONAME". This affects all VOMS Admin-related URLs, including those of the SOAP service. The web interface is now available at the following URL by default:

    https://HOSTNAME:PORT/voms/VONAME/

*** The service now supports running under Tomcat 5.

*** The Javadoc documentation has been improved.

*** This release implements the 1.0.0 release of the VOMS Admin SOAP interface.

** Web interface changes

*** Capability support has been disabled on the web interface. In this release the SOAP API still provides capability support, but this too will be removed in the next VOMS Admin release. (The feature has several serious bugs regarding capability semantics.) Capabilities will be reimplemented later if the need arises. Currently, we are not aware of any sites that require it. Please contact the developers if you need capability functionality.

*** The appearance of the web interface has been changed. We believe the new interface is easier to use.


* Changes in edg-voms-admin 0.7.5
** Service changes
*** A serious bug was fixed which made it impossible to create a subgroup when the client's DN was listed with 'all' privileges in the parent group's default ACL.
*** The VO installation script edg-voms-admin-configure now adds the default ACL entries to the Global ACL, and leaves the local ACLs empty.
*** The VO installation script edg-voms-admin-configure now copies the directory containing the notification template messages to the VO-local configuration directory.
*** A null pointer exception during security context initialization that sometimes prevented background system jobs from running has been fixed.
** Web interface changes
*** The ACL listing/editing screens were changed to be much easier to use and understand. The user is no longer required to know about the internal representation of special ACL principals. The forms were enhanced with JavaScript code to help prevent mistakes. For groups, there are now separate screens for editing the normal ACL and the default ACL.
*** It is now possible to revoke a role from users without removing them from the VO.
*** CA entry dropdown lists no longer default to the alphabetically first CA; they show "Please select a CA" by default. The lists no longer include the "virtual CAs" used internally by the service.
*** The appearance of the buttons on the web interface should now match the conventions of the client's operating system.
** Database changes
*** It is now possible to set additional JDBC database connection parameters in the voms.database.properties file. See the file for more details.

* Service changes in edg-voms-admin 0.7.4
*** "Deny" rules in VOMS ACLs are now deprecated. Support for them will be removed in the 0.8.x series. Please contact the developers if you rely on this feature.
*** Capability support has never been correctly implemented; this feature is now deprecated, and its current interface is going to be removed in the 0.8.x series.
Please contact the developers if you currently use the capability support provided by this version of VOMS Admin. (Capability support will be re-added with correct semantics when and if it becomes necessary.)
*** A global ACL was introduced to ease VO administration. It behaves as if the entries in it were prepended to all other ACLs in the database.

The need to grant or revoke access to each container in a VO is a common operation for a VO administrator. Previously, this operation was fragile and error-prone, as each and every ACL needed to be changed individually by hand (or by using a client-side script). With global ACL entries, VO-wide access may be granted or revoked by changing a single entry. This should improve usability.

To change the global ACL, the client must have a SETACL (or ALL) privilege on it. (This also allows SETACL on all containers, but that should not be a problem in practice.)

To manipulate the global access control list, use the getACL, setACL, addACLEntry or removeACLEntry operations with a special container name of "Global-ACL". Note that the getACL operation does not return global ACL entries when used on a normal container (group or role), but only the local ACL that is bound to it.

If there is both a local and a global ACL entry for a given operation/administrator pair, then the local entry takes precedence. (This is irrelevant unless you use the deprecated "deny" ACL feature.)
** Database changes
*** The global ACL is identified with an aid of 0. This id has not been used in previous versions of VOMS Admin. Nevertheless, if an existing container happens to have this id, then the service automatically renumbers it during startup.

* Service changes in edg-voms-admin 0.7.3
** Implements interface 0.3.1.
** Generalized VOMSAdmin.listMembers to support any container type. This allows current versions of edg-mkgridmap to generate sections of the gridmap file from a VOMS role.
Upcoming mkgridmap versions will use VOMSCompatibility.getGridmapUsers, which is the better interface.

The string syntax to use is illustrated by the following examples:

    /foo                    The VO group in the foo VO.
    /foo/users              The "users" group in the foo VO.
    /foo/users/naughty      The "naughty" subgroup in the "users" group.
    Role=admin              The unqualified role named "admin".
    /foo/Role=admin         The role "admin" in the VO group. You will probably
                            want to use this instead of an unqualified role.
    /foo/users/Role=admin   The role "admin" in group "users".

** Implemented "anyuser" ACL entries. This provides support for allowing an operation to anyone with a valid certificate issued by a known CA. To use this feature, set the DN and CA fields of ACL entries as follows:

    DN: /O=VOMS/O=System/CN=Any Authenticated User
    CA: /O=VOMS/O=System/CN=Dummy Certificate Authority

* Service changes in edg-voms-admin 0.7.2
** The edg-voms-admin-configure script was changed to allow dots and hyphens in the VO name. It uses the VO name instead of the VO alias wherever possible; notably, this means that the VO name replaces the VO alias in URLs and filenames in newly created VOs. The maximum length of VO aliases has been extended to 12 characters.
** Dots and hyphens are now legal to use in group and role names.
** Each instance of the service now puts logs into its own logfile. The logfile is named after the VO name.
** A bug was fixed which made autogenerated database passwords very easy to guess.
** The request web interface now allows spaces and dashes in phone numbers.
** The service now supports connections via an IPv6 interface.
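The container string syntax listed under edg-voms-admin 0.7.3 above, written as a strict parser that a client could run before passing a name to VOMSAdmin.listMembers. This is an added example, not VOMS Admin code; the permitted character set (these notes only confirm that dots and hyphens are legal) and the rejection of a bare "/Role=..." form are assumptions.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Assumed character set for one name component: the release notes only state
# that dots and hyphens are legal; letters, digits and underscore are assumed.
_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*\Z")
ROLE_PREFIX = "Role="


class Container(NamedTuple):
    kind: str                  # "group", "role" or "unqualified-role"
    groups: Tuple[str, ...]    # ("foo", "users") for /foo/users
    role: Optional[str]        # "admin" for .../Role=admin, otherwise None

    @property
    def vo(self) -> Optional[str]:
        return self.groups[0] if self.groups else None

    @property
    def group_path(self) -> Optional[str]:
        return "/" + "/".join(self.groups) if self.groups else None


def parse_container(text: str) -> Container:
    """Parse a container string; raise ValueError on anything malformed."""
    if text.startswith(ROLE_PREFIX):                  # e.g. Role=admin
        role = text[len(ROLE_PREFIX):]
        if not _NAME.match(role):
            raise ValueError(f"bad role name: {text!r}")
        return Container("unqualified-role", (), role)
    if not text.startswith("/"):
        raise ValueError(f"must start with '/' or 'Role=': {text!r}")
    parts = text[1:].split("/")
    role = None
    if parts[-1].startswith(ROLE_PREFIX):             # a role is only valid last
        role = parts.pop()[len(ROLE_PREFIX):]
        if not _NAME.match(role):
            raise ValueError(f"bad role name: {text!r}")
    # Empty components ("//", trailing "/"), ".." and a Role= that is not the
    # last component all fail _NAME; "/Role=x" leaves no group and is rejected
    # (assumption: a qualified role always names at least the VO group).
    if not parts or not all(_NAME.match(p) for p in parts):
        raise ValueError(f"bad group path: {text!r}")
    return Container("role" if role else "group", tuple(parts), role)
```
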