Meeting with VOs registering via lcg-registrar.cern.ch
======================================================

Notes by Maria Dimou published on 2005-03-22
Meeting date was 2005-03-14

Participants (on the phone):
----------------------------
Wim Som de Cerff (ESR VO mgr),
Yannick Legre (BIOMED VO mgr),
Eleonora Luppi (BaBar VO mgr),
Eduard Pauna (D0 VO mgr),
Mathias de Riese (Zeus and H1 VO mgr).

Participants (at CERN):
-----------------------
Maria Dimou (lcg-registrar and DTEAM VO mgr),
Karoly Lorentey (VOMS-admin developer),
Ian Neilson (Security Team Leader).

Background:
-----------
The meeting participants manage VOs which use lcg-registrar.cern.ch via https://lcg-registrar.cern.ch/cgi-bin/register/account.pl for Usage Rules' acceptance and VO membership registration. The purpose of this telephone meeting was to discuss plans for these VOs' migration to VOMS.

The reasons for the discussion are:

The host lcg-registrar.cern.ch is now running RedHat 7.3, with the latest security patches installed, kernel version 2.4.20-42.7.cernsmp. However, since RedHat is being phased out for security reasons, the service can't stay as it is.

Possible scenarios:

a. Migrate lcg-registrar.cern.ch to Scientific Linux (SL3), test the scripts and, if everything still works, continue operating as before.

b. Each VO envisages migrating their VO to an SL3 VOMS server. VOMS is not in perfect shape today but it is the only way to go.

http://cern.ch/dimou/lcg/voms/voms-challenges.html contains background information on pending VOMS issues.
http://cern.ch/grid-deployment/cgi-bin/index.cgi?var=gis/voms-deploy contains VOMS installation instructions.

The Joint Security Policy Group (JSPG) decided to ask every VO to write its own Acceptance Use Policy (AUP), in addition to the standard set of common rules required by the sites.
This means that every VO will have to publish its own AUP according to the (draft) https://edms.cern.ch/document/573348/ policy document, and this is what their candidate members should read and accept before joining the VO. This "decentralised" AUP makes scenario (a) above inadequate and the existence of a common registration server (à la lcg-registrar.cern.ch) obsolete.

Outcome from the discussion:
----------------------------
ESR: Uses LDAP today, the VO server is at SARA, technical management by Ron Trompert and Jules Wolfrat. The host OS is RedHat. Wim will discuss these notes with Jules and Ron and will get back to us with their decision.

BIOMED: Uses LDAP today, the VO server is in Lyon, technical management by Yannick. The host OS is RedHat 7.3. He already succeeded with the installation of a VOMS server and with correct LDAP synchronisation, but he has problems keeping the server alive and accepting further registrations. He will email operational problems to Karoly and Maria.

BaBar: Uses LDAP today, the VO server is at Manchester, technical management by Andrew McNab. Eleonora received the output of the lcg-registrar scripts after stage https://lcg-registrar.cern.ch/cgi-bin/register/confirm.pl. She verifies that candidate users are, indeed, members of the collaboration and forwards her approval to the VO server manager, who inputs the users from the BaBar directory (?)

D0: Uses LDAP today, the VO server is at NIKHEF. Eduard will discuss with the VO server manager at NIKHEF (Jeff?) and will get back to us with their decision.

HERA VOs: Use LDAP today, the VO server is at DESY. They have no objection to envisaging a move to VOMS relatively soon. They are considering re-registering the users in VOMS and not synchronising with LDAP because their community is small. They are waiting for the LCG2 2_4_0 release (planned for April 1st 2005) to have all the right VOMS hooks pre-configured.

EGEODE: (Updated with comments by Pierre Girard on 2005-03-23) Same host as the BIOMED one.
As a test VOMS server is being set up in Lyon, BIOMED and EGEODE managers will discuss the future of their VO services and will get back to us with their decision.

General comment (by Pierre in email): Today, more than 100 EGEE/LCG sites make reference to lcg-registrar.cern.ch in their configuration. So, as it is clearly a critical service of the grid, any change will have to be synchronized at site deployment level. Therefore, both CICs and ROCs should be put into the loop a.s.a.p.

Maria will mention evolution on this at the Weekly Operations Meetings.

Actions:
--------

How to attach a VO's AUP to the voms-admin interface:
=====================================================
1. On the VOMS server unzip file /opt/edg/share/webapps/edg-voms-admin.war
2. Copy file UserReqest/create.pp to the directory /opt/edg/var/etc/edg-voms-admin//web/UserRequest (you will need to create the directories web/UserRequest under

Example (viewable with certificate loaded): https://voms.cern.ch:8443/edg-voms-admin/dteam/webui/UserRequest/create is made from editing file /opt/edg/var/etc/edg-voms-admin/dteam/web/UserRequest on host voms.cern.ch