UCSD CMS T2 Gums Mappings for CMS


Introduction

The following mappings represent the current configuration at UCSD for CMS. They are compliant with GUMS 1.1 but are based on an earlier GUMS 1.0 config, so they are a bit more redundant than they need to be. However, if it's not broke....

The basic layout is

  1. Map all voms-proxy CMS users to a pool of users
  2. Map all special USCMS roles to group users. These maps are to groups to make managing UID and GID easier at the file system level when there are 2 or more users that use one of these roles
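  3. Map all grid-proxy users that appear in the USER table in GUMS for the CMS VO. WARNING: This rule depends on where it is placed in gums.config, because GUMS maps a user with the first rule that matches. That is why this rule is last: placed earlier, it could match a user before the role-specific rules above are considered, and that user would get a pool account instead of the role's group account.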

Mapping Table

The following is a basic example of how maps work at UCSD with the below GUMS configuration. This table assumes roles are used, even for regular users.

Role UID Map
cmsuser uscms001-uscms3000
cmsprod cmsprod
cmssoft cmssoft
cmst2admin cmst2admin

Mappings

   <!--
     VOMS proxy mapping for US CMS users.
     Users in /cms/uscms whose proxy carries the cmsuser role (matchFQAN="exact")
     are mapped by AccountPoolMapper onto the uscmsPool account pool.
     The userGroup reads VO membership from the VOMS admin URL below.
     NOTE(review): sslCertfile/sslKey are presumably the client credential GUMS
     presents to that service; sslKey is a private key, so confirm the file is
     readable only by the account that runs GUMS.
   -->
   <groupMapping name="cmsVOMuser" accountingVo="uscms" accountingDesc="CMS">
     <userGroup className="gov.bnl.gums.VOMSGroup"
                url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
                persistenceFactory="mysql"
                name="cmsuser"
                voGroup="/cms/uscms"
                voRole="cmsuser"
                matchFQAN="exact"
                sslCertfile="/etc/grid-security/http/httpcert.pem"
                sslKey="/etc/grid-security/http/httpkey.pem"/>
     <accountMapping className="gov.bnl.gums.AccountPoolMapper"
                     persistenceFactory="mysql"
                     name="uscmsPool"/>
   </groupMapping>

<!--
  CMS T2 admin mapping.
  Users in /cms/uscms whose proxy carries the cmst2admin role (matchFQAN="exact")
  are all mapped by GroupAccountMapper onto the single local account cmst2admin.
  Because the account is shared, the local UID does not identify the individual;
  per-user attribution has to come from the mapping and gatekeeper logs.
-->
<groupMapping name="uscmst2admin" accountingVo="uscms" accountingDesc="CMS">
  <userGroup className="gov.bnl.gums.VOMSGroup"
             url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
             persistenceFactory="mysql"
             name="cmst2admin"
             voGroup="/cms/uscms"
             voRole="cmst2admin"
             matchFQAN="exact"
             sslCertfile="/etc/grid-security/http/httpcert.pem"
             sslKey="/etc/grid-security/http/httpkey.pem"/>
  <accountMapping className="gov.bnl.gums.GroupAccountMapper"
                  groupName="cmst2admin"/>
</groupMapping>

  <!--
    CMS Phedex admin mapping.
    Users in /cms/uscms whose proxy carries the cmsphedex role (matchFQAN="exact")
    are all mapped by GroupAccountMapper onto the shared local account cmsphedex.
    NOTE(review): the role table earlier on this page does not list cmsphedex;
    confirm the table or this mapping is the one that is out of date.
  -->
  <groupMapping name="cmsphedex" accountingVo="uscms" accountingDesc="CMS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
               persistenceFactory="mysql"
               name="cmsphedex"
               voGroup="/cms/uscms"
               voRole="cmsphedex"
               matchFQAN="exact"
               sslCertfile="/etc/grid-security/http/httpcert.pem"
               sslKey="/etc/grid-security/http/httpkey.pem"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper"
                    groupName="cmsphedex"/>
  </groupMapping>

  <!--
    CMS software admin mapping.
    Users in /cms/uscms whose proxy carries the cmssoft role (matchFQAN="exact")
    are all mapped by GroupAccountMapper onto the shared local account cmssoft.
    NOTE(review): anyone holding this role in VOMS gets the same local account,
    so membership of the role in VOMS is the effective access control; review
    it there.
  -->
  <groupMapping name="cmssoft" accountingVo="uscms" accountingDesc="CMS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
               persistenceFactory="mysql"
               name="cmssoft"
               voGroup="/cms/uscms"
               voRole="cmssoft"
               matchFQAN="exact"
               sslCertfile="/etc/grid-security/http/httpcert.pem"
               sslKey="/etc/grid-security/http/httpkey.pem"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper"
                    groupName="cmssoft"/>
  </groupMapping>

  <!--
    CMS production user mapping.
    Users in /cms/uscms whose proxy carries the cmsprod role (matchFQAN="exact")
    are all mapped by GroupAccountMapper onto the shared local account cmsprod.
    The exact match means a proxy without this role is not handled here and
    falls through to the other mappings.
  -->
  <groupMapping name="cmsprod" accountingVo="uscms" accountingDesc="CMS">
    <userGroup className="gov.bnl.gums.VOMSGroup"
               url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
               persistenceFactory="mysql"
               name="cmsprod"
               voGroup="/cms/uscms"
               voRole="cmsprod"
               matchFQAN="exact"
               sslCertfile="/etc/grid-security/http/httpcert.pem"
               sslKey="/etc/grid-security/http/httpkey.pem"/>
    <accountMapping className="gov.bnl.gums.GroupAccountMapper"
                    groupName="cmsprod"/>
  </groupMapping>

  <!--
    Global CMS user mapping.
    Covers the whole /cms VO with no voRole, matchFQAN="vo" and
    acceptProxyWithoutFQAN="true", and maps onto the same uscmsPool pool used
    for US CMS users, so the local account does not tell the two populations
    apart.
    NOTE(review): matchFQAN="vo" presumably compares only the VO part of the
    presented FQAN, which makes this a broad rule; confirm against the GUMS 1.1
    documentation. The page's three-step layout does not describe this mapping.
    Since GUMS uses the first rule that matches, confirm it is evaluated after
    the role-specific mappings.
  -->
  <groupMapping name="cmsGLOBALuser" accountingVo="uscms" accountingDesc="CMS">
    <userGroup
        className="gov.bnl.gums.VOMSGroup"
        url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
        persistenceFactory="mysql"
        name="cmsGLOBALuser"
        voGroup="/cms"
        matchFQAN="vo"
        acceptProxyWithoutFQAN="true"
        sslCertfile="/etc/grid-security/http/httpcert.pem"
        sslKey="/etc/grid-security/http/httpkey.pem"/>
    <accountMapping
        className="gov.bnl.gums.AccountPoolMapper"
        persistenceFactory="mysql"
        name="uscmsPool"/>
  </groupMapping>



   <!--
     Grid proxy mapping for US CMS users.
     Accepts proxies that carry no FQAN (acceptProxyWithoutFQAN="true") for users
     known to the cmsuser userGroup, and maps them onto the uscmsPool pool.
     Per the layout notes on this page, GUMS uses the first rule that matches, so
     this rule must stay last; evaluated earlier it could take users away from
     the role-specific mappings.
     NOTE(review): voRole="cmsuser" is set but matchFQAN="vo"; the role is
     presumably not used when matching the presented proxy. Confirm that this is
     intended. The userGroup name "cmsuser" is also the name used by the
     cmsVOMuser mapping's userGroup; confirm the shared name is deliberate.
   -->
   <groupMapping name="cmsUSuser" accountingVo="uscms" accountingDesc="CMS">
     <userGroup className="gov.bnl.gums.VOMSGroup"
                url="https://lcg-voms.cern.ch:8443/voms/cms/services/VOMSAdmin"
                persistenceFactory="mysql"
                name="cmsuser"
                voGroup="/cms/uscms"
                voRole="cmsuser"
                matchFQAN="vo"
                acceptProxyWithoutFQAN="true"
                sslCertfile="/etc/grid-security/http/httpcert.pem"
                sslKey="/etc/grid-security/http/httpkey.pem"/>
     <accountMapping className="gov.bnl.gums.AccountPoolMapper"
                     persistenceFactory="mysql"
                     name="uscmsPool"/>
   </groupMapping>

-- TerrenceMartin - 09 Nov 2006

Topic revision: r1 - 2006/11/09 - 18:13:15 - TerrenceMartin
 