Last Page Update: SteveTraylen, 2007-06-25

Use of VOMS Roles within the WLCG FTS Deployment

Currently, administration rights on FTS channels between sites are held as a list of DNs that each site manager running an FTS service has to maintain. This is a cumbersome process, which could be improved by using VOMS roles, which the FTS service already supports.

Below is a proposal to achieve this.

This deployment is currently held up by: https://savannah.cern.ch/bugs/?26638

Requirements

Any given channel, say RAL-CERN, must be configurable by interested parties at both CERN and RAL. These interested parties are members of the dteam VO.

Proposal

There is now a VOMS role, ftsadmin, within the dteam VO. Using vomrs, the role is associated with a group within dteam, say /dteam/cern. Such a group should contain the members permitted to modify channel information for a channel with a CERN endpoint. Generally, T1 staff are the eligible candidates.

Members of the dteam VO are already arranged into groups by region. Given a channel CERN-RAL, every FTS configured with a CERN-RAL channel would be set up so that this channel could be administered by proxies generated with the ftsadmin role of either the CERN or the UKI group:

 /dteam/cern/Role=ftsadmin
 /dteam/uki/Role=ftsadmin

A second role, ftsmaster, exists and is currently only present in the /dteam/cern group. It would contain a small number of users forming a central operations team that might have rights to all FTS channels at all sites. Sites would be at liberty to enable this access or not for.

/dteam/Role=ftsmaster

Work Required

Maintaining VOMS role.

For a region or group within dteam, say /dteam/uki, the group manager (normally the ROC manager) is able to add people to and remove people from /dteam/uki/Role=ftsadmin. If a region has subdivided its group, as France has, it could define a finer role, /dteam/france/GRIF/Role=ftsadmin, containing the people eligible to modify channels with GRIF as an endpoint.

Mapping of Group to Sites.

A central list mapping groups to channel endpoints (sites) would be needed, e.g.:

| Channel Endpoint | Group and Role |
| RAL | /dteam/uki/Role=ftsadmin |
| IN2P3 | /dteam/france/IN2P3-CC/Role=ftsadmin |
| CERN | /dteam/cern/Role=ftsadmin |

As dteam stands today, it is completely within a region's power to create subgroups and maintain their members with vomrs. This allows a region to fine-tune the membership of a group, and so who has access to the channels. The central group (and subgroup) to site mapping would be maintained on, or at least linked from, the CIC portal VO cards.

Configuring FTS

All the FTSes would have to be configured such that these groups were respected. This is tedious, but still much easier than the current system of adding users individually. Any changes to the mappings that require updates at the FTS servers would be announced via the WLCG operations meetings and a Broadcast.
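
The access rule proposed above, written out as an added example; it is not FTS code and not FTS configuration syntax. The function names, the SOURCE-DEST parsing of channel names and the sample proxies are assumptions made for illustration; the FQANs come from the mapping table on this page.

```python
# Added illustration of the proposal's access rule; not FTS code or FTS config syntax.

# Endpoint -> group/role mapping, copied from the table on this page.
ENDPOINT_ADMIN_FQAN = {
    "RAL": "/dteam/uki/Role=ftsadmin",
    "IN2P3": "/dteam/france/IN2P3-CC/Role=ftsadmin",
    "CERN": "/dteam/cern/Role=ftsadmin",
}
MASTER_FQAN = "/dteam/Role=ftsmaster"  # central operations role named on this page


def normalize_fqan(fqan):
    """Strip the empty Role=NULL / Capability=NULL parts VOMS puts in full FQANs."""
    parts = [p for p in fqan.strip().split("/")
             if p and p not in ("Role=NULL", "Capability=NULL")]
    return "/" + "/".join(parts)


def allowed_fqans(channel, allow_master=False):
    """FQANs that may administer a channel named SOURCE-DEST, e.g. 'CERN-RAL'."""
    endpoints = channel.split("-")
    if len(endpoints) != 2 or not all(endpoints):
        raise ValueError(f"expected SOURCE-DEST channel name, got {channel!r}")
    # An endpoint missing from the central mapping grants nothing (fail closed).
    granted = {ENDPOINT_ADMIN_FQAN[e] for e in endpoints if e in ENDPOINT_ADMIN_FQAN}
    if allow_master:  # each site chooses whether to honour ftsmaster
        granted.add(MASTER_FQAN)
    return granted


def can_administer(channel, proxy_fqans, allow_master=False):
    """True if any FQAN in the proxy exactly matches one granted for the channel."""
    granted = allowed_fqans(channel, allow_master)
    return any(normalize_fqan(f) in granted for f in proxy_fqans)


if __name__ == "__main__":
    # Constructed sample proxies (lists of FQANs as a VOMS proxy would carry them).
    samples = {
        "uki admin": ["/dteam/uki/Role=ftsadmin/Capability=NULL"],
        "uki member, no role": ["/dteam/uki/Role=NULL/Capability=NULL"],
        "france admin": ["/dteam/france/IN2P3-CC/Role=ftsadmin/Capability=NULL"],
        "central ops": ["/dteam/Role=ftsmaster/Capability=NULL"],
    }
    for who, fqans in samples.items():
        print(f"{who:20} CERN-RAL -> {can_administer('CERN-RAL', fqans)}")
```

Matching is exact on the group and role, so plain membership of /dteam/uki, or the ftsadmin role of a different region, does not grant access to CERN-RAL.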

-- SteveTraylen - 11 Apr 2007

Topic revision: r3 - 2007-06-25 - SteveTraylen