LAMS/VOMS Administration
Contents:
- General Information.
- LAMS User Application States.
- Administrative Duties.
- Links.
- Database / CGI.
- PSU Site Admin.
General Information
- LAMS
- The LIGO/LSC Account Management System (LAMS) is a tool used by the LSC to accept and manage account requests for LSC resources. LAMS was developed and is maintained internally by the LSC. Through a web interface, users request accounts on LSC computing resources. Authorized agents of the LSC use a web interface to modify the request: they can accept, reject or hold it. At every change, email is sent to the applicant, relevant LSC agents, LSC site admins and LAMS administrators.
- VOMS / VOMS Admin
- The Virtual Organization Membership Service (VOMS) is used by the Open Science Grid (OSG) to manage OSG resource access. VOMS Admin is a set of tools for VOMS users and administrators and includes a web-based tool for maintaining the VOMS database. VOMS and VOMS Admin were developed and are maintained by the European Data Grid (EDG). Both are included in the VDT. Note that much of the functionality of VOMS is not used by the LSC; VOMS is used strictly to manage access to OSG sites.
In short, LAMS manages user applications for LSC computing resources and VOMS manages user authorization to use OSG resources under the LIGO Virtual Organization. The relationship between them is that a LAMS/VOMS administrator will manually update the VOMS database as user applications in LAMS change state. That is, as accounts are approved or rejected in LAMS, they are manually added and deleted in VOMS.
Note that neither LAMS nor VOMS is directly used to authorize users. In the case of LAMS, it is up to individual site administrators to manually synchronize their grid-mapfiles with LAMS. As for the OSG, there are a number of tools, notably GUMS and edg-mkgridmap, which access LIGO's VOMS server to construct individual OSG site grid-mapfiles.
LAMS User Application States
There are 5 basic states (and 2 special states) associated with a LAMS user application. They are: PENDING, APPROVED, REJECTED, HELD and EXPIRED, with the 2 special states being OLD and DUPLICATE.
- PENDING
- When a user applies for an account, the application status is PENDING. This is the only time an application is in this state. Once an application leaves this state, it does not ever return.
- EXPIRED
- An approved user application may contain an expiration date. When this date is reached, the application is transitioned to an EXPIRED state. This is the only route by which an application can reach this state. NOTE: By default an application does not have an expiration date and this feature is not used in practice.
- APPROVED / REJECTED / HELD
- An authorized LSC agent may change the state of an application to any of these states from any other state.
- OLD / DUPLICATE
- These states are not reachable through the LAMS web interface, but may be set manually through SQL by a LAMS administrator. The reason for doing so appears to be to avoid clutter and confusion on the LAMS web admin page. OLD indicates that the certificate DN associated with this application is no longer in use by the user. DUPLICATE indicates that this application is a duplicate and can be ignored. Any user application in one of these states will not appear on the web admin page and is (currently) only accessible through direct SQL queries to the database.
Administrative Duties
A LAMS/VOMS administrator will monitor both the LAMS and VOMS web front ends to ensure they are running. If there are problems that require site admin assistance, contact the site administrator.
Whenever a LAMS user application is modified for any reason, an email is sent to the LAMS/VOMS administrator (an email alias on gravity.phys.uwm.edu called lamsadmin). The administrator will monitor these emails and act on them appropriately. Note that email is not secure. Always be sure to verify the contents of any email. If it is automatically generated, verify the contents on the LAMS web page before updating VOMS. If it is from a person, it must be signed or verified by some other means, such as a phone call.
VOMS updates need to be done when the following state transitions are noticed:
| Old State | | New State | Action |
|---|---|---|---|
| PENDING | → | APPROVED | Add the user to VOMS unless this is a Virgo user or you have been given direction otherwise by someone to whom you know you should listen. Of course, if the user is already in VOMS, do not add them again. |
| REJECTED | → | APPROVED | Add the user to VOMS unless this is a Virgo user or you have been given direction otherwise by someone to whom you know you should listen. Of course, if the user is already in VOMS, do not add them again. |
| APPROVED | → | REJECTED | Remove the user from VOMS, if they are present there. |
The LAMS/VOMS administrator will respond to requests to fix any problems with either system. Generally, these will require manual intervention in the LAMS or VOMS database. An admin familiar with MySQL should be able to address any simple problem that arises.
The LAMS/VOMS administrator will not change the state on LAMS user applications.
The LAMS Admin Web Interface and the VOMS Admin Web Interface are straightforward in their use.
Links
- LAMS User Guide
- LAMS Admin Web Interface (authorization required)
- VOMS Admin Web Interface (authorization required)
- VOMS Documentation for OSG Admins
Database / CGI
Both the LAMS and VOMS databases reside on ligohelp.gravity.psu.edu. The CGI scripts that comprise the LAMS web frontend reside in /var/www. The CGI scripts should really be left alone, if it can be helped. For information about and access to this machine, database and other PSU resources, contact the site admin.
Database Tips
There are few reasons to access the database and fewer for altering it. One might access it in order to verify that the LAMS and VOMS databases are consistent. One might alter it to change an application's status to OLD or DUPLICATE.
To change the status of an application to DUPLICATE:
First find the id associated with the record you want to change:
SELECT * from userapp.application app
WHERE certificate = 'DN of user you are looking for';
Note the id column and use it in place of user_id below:
-- Replace user_id with the numeric id noted from the SELECT above.
UPDATE userapp.application app
SET app.status = 'DUPLICATE'
WHERE id = user_id;
To list DNs that are in VOMS, but have no corresponding application
records in LAMS:
SELECT usr.dn
FROM userapp.application app
RIGHT JOIN voms_LIGO.usr usr
ON app.certificate = usr.dn
WHERE app.certificate IS NULL;
To list DNs which have applications in LAMS, but are not in VOMS:
SELECT app.certificate, app.status
FROM userapp.application app
LEFT JOIN voms_LIGO.usr usr
ON app.certificate = usr.dn
WHERE usr.dn IS NULL
ORDER BY app.status;
To list DNs in VOMS which have no corresponding LAMS application
with an APPROVED status:
CREATE TEMPORARY TABLE t
AS SELECT app.certificate, app.status
FROM userapp.application app
LEFT JOIN voms_LIGO.usr usr
ON app.certificate = usr.dn
WHERE usr.dn IS NOT NULL AND app.status <> 'APPROVED'
ORDER BY app.certificate;
CREATE TEMPORARY TABLE u
AS SELECT t.certificate, a.status
FROM t
JOIN application a
ON t.certificate = a.certificate AND a.status = 'APPROVED'
ORDER BY certificate;
SELECT t.certificate
FROM t
LEFT JOIN u
ON t.certificate = u.certificate
WHERE u.certificate IS NULL;
To discover LAMS applications with non-unique DNs:
SELECT a.certificate, a.status, b.status
FROM application a
LEFT JOIN application b
ON a.certificate = b.certificate
WHERE a.status <> b.status AND a.status < b.status
ORDER BY a.status, b.status;
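The consistency queries above can be folded into one report-only check that lists every DN where VOMS and LAMS disagree. This is an added example, not part of the original page or of LAMS/VOMS: it assumes only the table and column names that appear in the queries above, uses constructed sample rows, and runs the SQL against an in-memory SQLite stand-in for the two MySQL databases; the finding labels are invented for the example.

```python
import sqlite3

# Report-only drift check. Names userapp.application (certificate, status)
# and voms_LIGO.usr (dn) are the ones used in the queries on this page.
DRIFT_SQL = """
SELECT usr.dn AS dn, 'IN_VOMS_NOT_APPROVED' AS finding
  FROM voms_LIGO.usr usr
 WHERE NOT EXISTS (SELECT 1 FROM userapp.application app
                    WHERE app.certificate = usr.dn
                      AND app.status = 'APPROVED')
UNION ALL
SELECT DISTINCT app.certificate, 'APPROVED_NOT_IN_VOMS'
  FROM userapp.application app
 WHERE app.status = 'APPROVED'
   AND NOT EXISTS (SELECT 1 FROM voms_LIGO.usr usr
                    WHERE usr.dn = app.certificate)
 ORDER BY finding, dn
"""

# Constructed sample data; the real tables have more columns.
P = "/DC=org/DC=example/CN="
SAMPLE_APPS = [
    (P + "alice", "APPROVED"),    # approved and in VOMS: consistent
    (P + "bob", "REJECTED"),      # APPROVED -> REJECTED, never removed from VOMS
    (P + "carol", "APPROVED"),    # approved, never added to VOMS
    (P + "dave", "DUPLICATE"),    # same DN twice; the APPROVED row is what counts
    (P + "dave", "APPROVED"),
    (P + "frank", "PENDING"),     # not yet decided, correctly absent from VOMS
]
SAMPLE_VOMS = [P + n for n in ("alice", "bob", "dave", "eve")]  # eve: no LAMS record

def build_sample_db():
    """In-memory stand-in for the two MySQL databases (SQLite, two ATTACHed schemas)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS userapp")
    conn.execute("ATTACH DATABASE ':memory:' AS voms_LIGO")
    conn.execute("CREATE TABLE userapp.application "
                 "(id INTEGER PRIMARY KEY, certificate TEXT, status TEXT)")
    conn.execute("CREATE TABLE voms_LIGO.usr (dn TEXT)")
    conn.executemany("INSERT INTO userapp.application (certificate, status) "
                     "VALUES (?, ?)", SAMPLE_APPS)
    conn.executemany("INSERT INTO voms_LIGO.usr (dn) VALUES (?)",
                     [(dn,) for dn in SAMPLE_VOMS])
    return conn

def voms_drift(conn):
    """Return (dn, finding) rows for an administrator to review by hand."""
    return conn.execute(DRIFT_SQL).fetchall()

if __name__ == "__main__":
    for dn, finding in voms_drift(build_sample_db()):
        print(f"{finding:22} {dn}")
```

Neither finding is an instruction to change VOMS: an APPROVED_NOT_IN_VOMS row may be a Virgo user, so each row is checked against the LAMS web page before anything is added or removed.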
PSU Site Admin
The site admin is responsible for maintaining the hardware and software environment where the LAMS and VOMS systems reside, including backups.
For information or help regarding access or other issues with computing resources at PSU related to LAMS and VOMS, please contact Jeff Minelli.
$Id: LAMS.html,v 1.8 2007/10/30 16:18:32 bmoe Exp $