Participants:
Vincenzo Ciaschini (on the telephone), Maria Dimou, Joni Hahkala, David Kelsey
(on the telephone), Tanya Levshina (on the telephone), Karoly Lorentey, Ian
Neilson, John Weigand (on the telephone).
Apologies: .
Agenda:
1. Comments on the previous meeting's notes http://cern.ch/dimou/lcg/registrar/TF/meetings/2005-02-22 - All
2. ORGDB link testing and further steps:
Record precisely what is left to do before we can tell the LHC
Experiments' VO managers we can enter operation. - Karoly and Tanya
3. Discussion on voms code versions:
Up-to-date information since a dedicated meeting we had with USATLAS
on 2005-03-08. Those who haven't please look at page
http://cern.ch/dimou/lcg/voms/voms-challenges.html
- Vincenzo, John and All
4. Action list review - All
5. A.O.B.
6. Select date for next meeting.
The notes were accepted.
Discussion on the code:
Email address should only be used at registration time; it should not be stored in VOMRS and should not be used as a database key, because it changes.
The unique ORGDB-ID should be used instead because, if it ever changes, it is replaced by another one, which also remains unique. The ORGDB-ID is returned when the 1st match to the user record in ORGDB is done, and the rest of his/her information is returned by the interface. The other method in Karoly's code, which checks whether a user is still a member of the experiment, also uses the ORGDB-ID value as the key. There might be more than one ORGDB-ID per user but never the same ORGDB-ID for more than one user.
Discussion on testing:
Karoly will:
Maria will install VOMRS on SL3, once Tanya, following ACTION 2005-02-22--4, gives her OK, and ask all the LHC experiments' VO managers to try it.
Discussion on transition:
Dave was of the opinion that the existing users should be moved from LDAP and the new ones asked to use VOMRS. Those users appearing as non-existing in ORGDB due to email mismatch won't be moved.
An alternative suggestion was to move, or not, the users who do match between ORGDB and today's registrar+VODB LDAP, depending on what the VO manager wants.
Ian suggested that all users re-register. Maria agreed to this because the present User Registration document requires periodic re-registration, anyway.
Maria offered to document how to go from today's [lcg-registrar+LDAP VODB] to [VOMRS+VOMS] grid-map file and how to notify users about re-registration. This is now done in the following...
...Transition plan:
To follow the latest status of the plan, consult it as a separate document at http://cern.ch/dimou/lcg/registrar/TF/lhc-vos-transition.html
Vincenzo: voms v.1.4.0.2 in INFNforge CVS (openssl 0.9.6 and 0.9.7 incompatibilities). The problems with USATLAS are still not clear. It is due to CA, end-entity certificates. On LCG CVS, the mirroring agreed in the meeting with USATLAS on March 8th does indeed take place, but the version number is v.1.3.9. It will become the same number a.s.a.p. Maarten Litmaath needs to test that the code builds with the rest of LCG. OSG uses VDT and openssl versions that don't work with any version of the voms-client because the OSG user cert. Users with OSG certificates can't use voms.cern.ch to obtain a voms-proxy. No problem with other certs. Still being investigated by Vincenzo. He will tell us when to install a voms v.1.4.0.2 on voms.cern.ch for Vincenzo to test.
EGEE build environment is different from others, so multiple CVSs are likely to stay. Code-wise there is no difference. Vincenzo will check whether the EGEE CVS can carry the same tag/version numbers as in INFNforge.
LCG CVS's voms-admin will disappear in favour of the voms-admin in EGEE (gLite) CVS. Karoly will be replaced by Joni for the maintenance of the EGEE voms-admin branch. Maria/Karoly to install gLite voms on lcg-voms.cern.ch. Tanya will have to change the package names of the voms-admin service and the Trust Manager version (the gLite distribution uses tomcat5).
(*** ACTION 2004-09-17--1***) On Ian's suggestion Maria will create 3 savannah tickets containing all the existing VOMS/VOMRS-related tickets across groups per category (Major, Normal, Enhancements). Conclusion: The VOMS/VOMRS savannah summary page is now cleaner but, as Maria discussed on April 18th with the savannah expert, the present savannah search doesn't allow selecting the 'severity' attribute value (even for display) across groups (lcgoperation OR jra1 OR jra3).
DONE. To be removed after the next meeting.
(*** ACTION 2004-09-17--4 ***) Tanya should re-open the savannah ticket 1141 if a more user friendly error message can be envisaged by the VOMRS developers in case of expired user certificate.
Details by Tanya:
I have no clue how to do for now. It is interesting that VOMS admin (0.7.5) behaves absolutely identical on our host (edg trust manager version is 1.5.6). Any help is welcome.
Comments by Maria:
I had submitted that ticket originally because VOMRS was telling me "Cannot find Server" which didn't help me at all to guess that my certificate might have expired. If voms-admin and vomrs can find a way to present a text listing possible reasons of failure, including possible certificate expiration, it would be great.
PENDING
(*** ACTION 2004-09-17--6***) Tanya will enter in the savannah group lcgoperation the bugs she has observed. Example: Simultaneous "commit" of changes via the User Interface and the VOMS db API causes the db tables to go out of sync. This is most probably not a database problem but an application problem of voms-admin.
This problem may have gone away with the latest release. Maybe close this action after the next meeting?
PENDING
(*** ACTION 2004-09-17--7 ***) Maria to write recommendation for the CERN IT Management on information quality improvement for CERN HR db.
(Maria feels this can only be done when the ORGDB content quality is fully understood, but Ian in the 2005-01-18 meeting recommended that we move ahead with this action already now.)
Comment just before the 2005-04-28 meeting:
We can now do this, based on comments by the VO managers on their VO members absent from ORGDB.
PENDING
(*** ACTION 2004-09-17--8 ***) The ORGDB view with the necessary and sufficient Personal User data, according to the Requirements' definitions, may need to be tailored according to experiments' rules. Karoly and Maria to investigate and inform the TF.
DONE. Close this action after the next meeting?
(*** ACTION 2004-09-17--9 ***) Maria will test VOMRS and make available to the TF a list of features. By the time these notes are written, Tanya announced mid-December 2004 the pre-alpha version https://hotdog62.fnal.gov:8443/vo-LCG/vomrs for testing.
PENDING
(*** ACTION 2004-09-17--10 ***) Tanya expressed worries that US-CMS users won't accept to type their birthdate, even if it is only DDMM (no year) and even if it is not logged in clear, simply a string saying that it was provided. She also said they might be reluctant to register in CERN HR db, even if this is LHC experiment policy. She should give the TF feedback from discussions on this matter with her community.
PENDING
(*** ACTION 2004-09-17--11 ***) Maria to create savannah ticket for VOMS admin and VOMRS to set Return-email-address to the one of the VO manager for user notifications that can't reach the recipients.
PENDING
(*** ACTION 2004-09-17--12 ***) TF to re-discuss the Usage Rules re-acceptance prompt in more detail.
Comment just before the 2005-04-28 meeting:
Now that http://edms.cern.ch/document/573348 (VO Security Policy) should we ask the LHC Experiment VO managers to prepare their AUPs and link them from VOMRS (when installed at CERN)?
PENDING
(*** ACTION 2004-09-17--13 ***) LCG deployment management has to plan for VOMS admin software maintenance continuity after Karoly's departure from CERN in April 2005. LCG/EGEE management has to plan for EDG trust manager support continuity after Joni Hahkala's departure from CERN.
PENDING
(*** ACTION 2004-09-17--14 ***) Ian should investigate with the LCG Deployment management whether resources could be found elsewhere in the community to assist Tanya in the VOMRS development work.
Comment just before the 2005-04-28 meeting:
If John is assigned to other projects do we need to keep this action?
PENDING
(*** ACTION 2004-10-28--1***) Tanya to make a UML diagram in addition to the VOMRS Registration Process flow and to the VOMRS_new_req document they prepared with John.
Comment just before the 2005-04-28 meeting:
Now that Karoly's ORGDB modules are ready, it would be more helpful to make a diagram on each package involved where/when so that simple users/installers/VO managers can understand how the new structure works.
PENDING
(*** ACTION 2004-11-29--1***) Karoly to make available a skeleton of Classes for VOMRS developers to use when interfacing to the ORGDB.
DONE. Close this action after the next meeting?
(*** ACTION 2004-11-29--2***) John and Tanya to submit in savannah (project=lcgoperation) the problems they mentioned at the meeting related to voms-core code when using "voms-proxy-init" and anything else they want to report to the developers. Savannah is the communication medium that helps the TF check where we stand in the process. All, please close tickets when actions done.
DONE. Close this action after the next meeting?
(*** ACTION 2005-01-18--1***) John and Tanya to update their CA management paper.
Comment just before the 2005-04-28 meeting:
The document source appears "Last edited 2005-01-10". The updates discussed
are in the notes from the 2005-01-18 meeting.
PENDING?
(*** ACTION 2005-02-22--1***) Karoly to test whether GT3 is the cause of interoperability problems between what USATLAS uses and what the CERN VOMS server offers. John to check and inform us on the exact VDT (1.3.1.?) release that works with voms 1.3.7. Vincenzo said that, if there is any inter-operability problem, then this is a bug and should be entered in savannah. Details in the notes of the 2005-02-22 TF meeting (section 2).
PENDING?
(*** ACTION 2005-02-22--2***) Action list clean-up by people actioned and savannah tickets' clean-up by ticket submitters.
(*** ACTION 2005-02-22--3***) VOMRS developers to put the VOMRS rpms (no binaries!) after test completion (mid-March 2005?) in the LCG operations CVS. Maria sent their afs login id to Louis.Poncet@cern.ch. Louis created a directory called 'vomrs' under "Auth" in our (lcgware) CVS. To navigate via http://cern.ch/grid-deployment, select "CVS development". Here is the CVS documentation and the developer's guide.
PENDING
(*** ACTION 2005-02-22--4 ***) Tanya and John to install
VOMRS on a FNAL SL3 host. Information on SL3 can be found Here.
PENDING
(*** ACTION 2005-03-22--1 ***) Karoly to create a CVS repository under LCG for the ORGDB interface code he wrote.
PENDING
The next meeting will be held on 28 April at 16hrs. A TF workshop will be held at CERN in the week of May 23rd.
Maria Dimou, IT/GD, Grid Infrastructure Services