To be written

  • link to VOMS ACL
  • link to VOMS keywords - e.g. VOMS_CA, user called ANYONE

Introduction

This page documents exploration work with VOMS after the initial basic install. For the basic installation steps refer to the VomsInstallation page.

List VDT services - Turn On/Off

  • To turn a particular VDT service on or off, give the service name after the --on/--off switch. The following example turns on the Tomcat service.
    vdt-control --on tomcat-55
    

Configure VOMS - Add/Remove VO

  • A VO can be installed or removed with the voms-admin-configure / voms-admin-configure.py and configure_voms commands. Prefer configure_voms: it sets the necessary paths and variables and deploys the VO in Tomcat, all of which would otherwise have to be done by hand. Add the '--server y' option to install and enable the voms service. Turn off the VDT services before creating a new VO and turn them back on once the VO is created (vdt-control command). For more information see the configure_voms man page: http://vdt.cs.wisc.edu/releases/2.0.0/man/configure_voms.html
    $VDT_LOCATION/vdt/setup/configure_voms --vo <vo-name>
    $VDT_LOCATION/vdt/setup/configure_voms --vo <vo-name> --remove
    
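The add/remove procedure above (stop VDT services, run configure_voms, start the services again) as one script. This is an added example, not part of the VDT or VOMS distribution. It assumes that the VDT setup script has been sourced so that $VDT_LOCATION is set and vdt-control is on the PATH, and it applies the stop/start around removal as well as creation, which the page only states for creation. VOMS_DRY_RUN is a variable invented for this example: set it to 1 to print the commands instead of running them, and the VO-name check refuses names that would not be safe in paths or Tomcat context names.

```shell
#!/bin/sh
# Added example (not from the VDT/VOMS documentation): wraps the add/remove
# VO procedure. Assumes $VDT_LOCATION is set by the VDT setup script and
# that vdt-control is on the PATH. VOMS_DRY_RUN=1 (invented for this
# example) prints the commands instead of executing them.

# run_cmd: execute a command, or echo it when VOMS_DRY_RUN=1.
run_cmd() {
    if [ "${VOMS_DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# valid_vo_name: VO names end up in filesystem paths and Tomcat contexts,
# so only accept a conservative character set. Returns 0 if acceptable.
valid_vo_name() {
    case "$1" in
        '' ) return 1 ;;
        *[!A-Za-z0-9._-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# manage_vo add|remove <vo-name>: stop the VDT services, run configure_voms
# (with --server y for add, --remove for remove), then start the services.
# Returns non-zero on invalid input or if any step fails.
manage_vo() {
    action="$1"; vo="$2"
    if [ -z "${VDT_LOCATION:-}" ]; then
        echo "VDT_LOCATION is not set; source the VDT setup script first" >&2
        return 1
    fi
    if ! valid_vo_name "$vo"; then
        echo "refusing VO name '$vo': use only [A-Za-z0-9._-]" >&2
        return 1
    fi
    case "$action" in
        add)    extra="--server y" ;;
        remove) extra="--remove" ;;
        *)      echo "usage: manage_vo add|remove <vo-name>" >&2; return 1 ;;
    esac
    run_cmd vdt-control --off || return 1
    # $extra is intentionally unquoted so "--server y" splits into two words
    run_cmd "$VDT_LOCATION/vdt/setup/configure_voms" --vo "$vo" $extra || return 1
    run_cmd vdt-control --on || return 1
}

# Usage: VOMS_DRY_RUN=1 manage_vo add myvo   (review the commands first)
#        manage_vo add myvo                  (run them)
```

Run it once with VOMS_DRY_RUN=1 to see exactly which commands will touch the server before running it for real; the name check is there because the VO name is interpolated into paths by configure_voms and nothing upstream validates it.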

Create new user and assign a role

  • Create a new VO user from the user's certificate
    voms-admin --vo <vo-name> create-user <usercert.pem>
    
  • Assign a role to an existing user (this example grants the VO-Admin role at VO level)
    voms-admin --vo <vo-name> assign-role VO VO-Admin <usercert.pem>
    

Assign ACL to a user not member of a VO

  • Add an ACL entry for a user. The syntax of the add-ACL-entry command is 'CONTEXT USER PERMISSION PROPAGATE'. CONTEXT is either a group name or a specific role name. If PROPAGATE is true, the entry is propagated to the child contexts. The following command adds an ACL entry on the entire VO; with all permissions it is equivalent to assigning the VO-Admin role, so limit <permissions> to what the user actually needs.
    voms-admin --vo <vo-name> add-ACL-entry /<vo-name> <usercert.pem> "<permissions>" true
    

ACL entry for allowing CE/SE to generate gridmap file

  • A CE/SE needs the 'CONTAINER_READ,MEMBERSHIP_READ' permissions on the VO to list its members when generating the gridmap file, so these permissions are granted to all users who present a certificate issued by a trusted CA. This also allows VO members to query their own groups and role assignments. With --nousercert the user is given as a DN and a CA instead of a certificate file; ANYONE and VOMS_CA are VOMS keywords that together denote 'anyone with a valid certificate'. Note that this makes the membership list readable by any certificate holder, not only VO members, so grant nothing beyond these two read permissions in this entry.
    voms-admin --nousercert --vo <vo-name> add-ACL-entry /<vo-name> ANYONE VOMS_CA "CONTAINER_READ,MEMBERSHIP_READ" true