LSC Data Grid

LAMS/VOMS Administration

General Information

LAMS
The LIGO/LSC Account Management System (LAMS) is a tool used by the LSC to accept and manage account requests for LSC resources. LAMS was developed and is maintained internally by the LSC. Through a web interface, users request accounts on LSC computing resources. Authorized agents of the LSC use a web interface to modify the request: they can accept, reject or hold it. At every change, email is sent to the applicant, relevant LSC agents, LSC site admins and LAMS administrators.
VOMS / VOMS Admin
The Virtual Organization Membership Service (VOMS) is used by the Open Science Grid (OSG) to manage OSG resource access. VOMS Admin is a set of tools for VOMS users and administrators and includes a web-based tool for maintaining the VOMS database. VOMS and VOMS Admin were developed and are maintained by the European Data Grid (EDG). Both are included in the VDT. Note that much of the functionality of VOMS is not used by the LSC; it is used strictly to manage access to OSG sites.

In short, LAMS manages user applications for LSC computing resources and VOMS manages user authorization to use OSG resources under the LIGO Virtual Organization. The relationship between them is that a LAMS/VOMS administrator will manually update the VOMS database as user applications in LAMS change state. That is, as accounts are approved or rejected in LAMS, they are manually added and deleted in VOMS.

Note that neither LAMS nor VOMS is directly used to authorize users. In the case of LAMS, it is up to individual site administrators to manually synchronize their grid-mapfiles with LAMS. As for the OSG, there are a number of tools, notably GUMS and edg-mkgridmap, which access LIGO's VOMS server to construct individual OSG site grid-mapfiles.

LAMS User Application States

There are 5 basic states (and 2 special states) associated with a LAMS user application. They are: PENDING, APPROVED, REJECTED, HELD and EXPIRED, with the 2 special states being OLD and DUPLICATE.

PENDING
When a user applies for an account, the application status is PENDING. This is the only time an application is in this state. Once an application leaves this state, it does not ever return.
EXPIRED
An approved user application may contain an expiration date. When this date is reached, the application is transitioned to an EXPIRED state. This is the only route by which an application can reach this state. NOTE: By default an application does not have an expiration date and this feature is not used in practice.
APPROVED / REJECTED / HELD
An authorized LSC agent may change the state of an application to any of these states from any other state.
OLD / DUPLICATE
These states are not reachable through the LAMS web interface, but may be set manually through SQL by a LAMS administrator. The reason for doing so appears to be to avoid clutter and confusion on the LAMS web admin page. OLD indicates that the certificate DN associated with this application is no longer in use by the user. DUPLICATE indicates that this application is a duplicate and can be ignored. Any user application in one of these states will not appear on the web admin page and is (currently) only accessible through direct SQL queries to the database.

Administrative Duties

A LAMS/VOMS administrator will monitor both the LAMS and VOMS web front ends to ensure they are running. If there are problems that require site admin assistance, contact the site administrator.

Whenever a LAMS user application is modified for any reason, an email is sent to the LAMS/VOMS administrators (an email alias on gravity.phys.uwm.edu called lamsadmin). The administrator will monitor these emails and act on them appropriately. Note that email is not secure. Always be sure to verify the contents of any email. If it is automatically generated, verify the contents on the LAMS web page before updating VOMS. If it is from a person, it must be signed or verified by some other means, such as a phone call.

VOMS updates need to be done when the following state transitions are noticed:

Old State | New State | Action
PENDING or REJECTED | APPROVED | Add the user to VOMS unless this is a Virgo user or you have been given direction otherwise by someone to whom you know you should listen. Of course, if the user is already in VOMS, do not add them again.
APPROVED | REJECTED | Remove the user from VOMS, if they are present there.

The LAMS/VOMS administrator will respond to requests to fix any problems with either system. Generally, these will require manual intervention in the LAMS or VOMS database. An admin familiar with MySQL should be able to address any simple problem that arises.

The LAMS/VOMS administrator will not change the state on LAMS user applications.

The LAMS Admin Web Interface and the VOMS Admin Web Interface are straightforward in their use.

Important Note: On 12 February 2009, the LIGO VOMS service officially moved from a server in the psu.edu domain to voms.ligo.org. For a transitional period, up to approximately 13 April 2009, there will be two (2) LIGO VOMS services running in parallel, one at PSU and one at voms.ligo.org. It is up to the VOMS administrator to make sure these two services are kept in sync.

Database / CGI

Both the LAMS and VOMS databases reside on voms.phys.uwm.edu. The CGI scripts that comprise the LAMS web frontend reside in /var/www/lams. The CGI scripts should really be left alone, if it can be helped. For information about and access to this machine, database and other PSU resources, contact the site admin.

Database Tips

There are few reasons to access the database and fewer for altering it. One might access it in order to verify that the LAMS and VOMS databases are consistent. One might alter it to change an application's status to OLD or DUPLICATE.

To change the status of an application to DUPLICATE:

    First find the id associated with the record you want to change:

    SELECT * from userapp.application app
    WHERE certificate = 'DN of user you are looking for';

    Note the id column and use it in place of user_id below:

    UPDATE userapp.application app
    SET app.status = 'DUPLICATE'
    WHERE id = user_id;

To list DNs that are in VOMS, but have no corresponding application records in LAMS:

    SELECT usr.dn
    FROM userapp.application app
    RIGHT JOIN voms_LIGO.usr usr
    ON app.certificate = usr.dn
    WHERE app.certificate IS NULL;

To list DNs which have applications in LAMS, but are not in VOMS:

    SELECT app.certificate, app.status
    FROM userapp.application app
    LEFT JOIN voms_LIGO.usr usr
    ON app.certificate = usr.dn
    WHERE usr.dn IS NULL
    ORDER BY app.status;

To list DNs in VOMS which have no corresponding LAMS application with an APPROVED status:

    CREATE TEMPORARY TABLE t
    AS SELECT app.certificate, app.status
    FROM userapp.application app
    LEFT JOIN voms_LIGO.usr usr
    ON app.certificate = usr.dn
    WHERE usr.dn IS NOT NULL AND app.status <> 'APPROVED'
    ORDER BY app.certificate;

    CREATE TEMPORARY TABLE u
    AS SELECT t.certificate, a.status
    FROM t
    JOIN application a
    ON t.certificate = a.certificate AND a.status = 'APPROVED'
    ORDER BY certificate;

    SELECT t.certificate
    FROM t
    LEFT JOIN u
    ON t.certificate = u.certificate
    WHERE u.certificate IS NULL;

To discover LAMS applications with non-unique DNs:

    SELECT a.certificate, a.status, b.status
    FROM application a
    LEFT JOIN application b
    ON a.certificate = b.certificate
    WHERE a.status <> b.status AND a.status < b.status
    ORDER BY a.status, b.status;
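
Added example (not part of the original page or of the LAMS code): the VOMS/LAMS consistency audits above written as single NOT EXISTS queries and run against constructed sample rows. It goes slightly beyond the page's three-step query by also reporting VOMS DNs that have no LAMS application at all; SQLite stands in for MySQL, and the column layout (id, certificate, status; dn) is assumed from the queries on this page.

```python
import sqlite3

# Constructed sample data, not real LAMS/VOMS records. SQLite stands in for
# the page's MySQL server; ATTACH reproduces its schema-qualified table names.
SAMPLE_APPS = [  # (id, certificate, status)
    (1, "/DC=org/DC=example/CN=Alice Able", "APPROVED"),
    (2, "/DC=org/DC=example/CN=Bob Baker", "REJECTED"),
    (3, "/DC=org/DC=example/CN=Bob Baker", "APPROVED"),  # second, approved application
    (4, "/DC=org/DC=example/CN=Carol Cole", "REJECTED"),
    (5, "/DC=org/DC=example/CN=Dan Drew", "APPROVED"),
    (6, "/DC=org/DC=example/CN=Erin East", "OLD"),
]
SAMPLE_VOMS = [
    "/DC=org/DC=example/CN=Alice Able",
    "/DC=org/DC=example/CN=Bob Baker",
    "/DC=org/DC=example/CN=Carol Cole",  # rejected in LAMS, still in VOMS
    "/DC=org/DC=example/CN=Erin East",   # only an OLD application
    "/DC=org/DC=example/CN=Frank Ford",  # no LAMS record at all
]

# VOMS DNs with no APPROVED LAMS application (or no application at all).
IN_VOMS_NOT_APPROVED = """
SELECT usr.dn FROM voms_LIGO.usr usr
WHERE NOT EXISTS (SELECT 1 FROM userapp.application app
                  WHERE app.certificate = usr.dn AND app.status = 'APPROVED')
ORDER BY usr.dn"""

# DNs with an APPROVED application that are absent from VOMS.
APPROVED_NOT_IN_VOMS = """
SELECT DISTINCT app.certificate FROM userapp.application app
WHERE app.status = 'APPROVED'
  AND NOT EXISTS (SELECT 1 FROM voms_LIGO.usr usr WHERE usr.dn = app.certificate)
ORDER BY app.certificate"""

def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.execute("ATTACH DATABASE ':memory:' AS userapp")
    db.execute("ATTACH DATABASE ':memory:' AS voms_LIGO")
    db.execute("CREATE TABLE userapp.application (id INTEGER, certificate TEXT, status TEXT)")
    db.execute("CREATE TABLE voms_LIGO.usr (dn TEXT)")
    db.executemany("INSERT INTO userapp.application VALUES (?, ?, ?)", SAMPLE_APPS)
    db.executemany("INSERT INTO voms_LIGO.usr VALUES (?)", [(d,) for d in SAMPLE_VOMS])
    return db

def audit(db):
    """Return (VOMS DNs to review for removal, approved DNs to review for adding)."""
    review_remove = [row[0] for row in db.execute(IN_VOMS_NOT_APPROVED)]
    review_add = [row[0] for row in db.execute(APPROVED_NOT_IN_VOMS)]
    return review_remove, review_add
```

Both lists are for manual review: the rule above about Virgo users and other directed exceptions still applies before anything is added to or removed from VOMS.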

Adding an Authorizing Institution

If there needs to be a new authorizing institution added to the LAMS application page, the following steps are to be followed:

  1. Add the institution's name, the PI's name and PI's email address to the file /var/www/html/lams/cgi-bin/authInstitution. The format of the line to add is:
    instid--Full Name of PI--piaddress@inst.edu
    
  2. In the LAMS application form itself, /var/www/html/lams/account_form.shtml, look for a select tag with the id _principal. Searching for "Authorizing Institution" will take you close to it. Now add an "option" line similar to the others that are there, e.g.:
    <option value='INSTID'>Name of Authorizing Institution
    
Note that INSTID and instid must be new, unique ids, and must match each other, except for case.
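
Added example (not from the original page or the LAMS code): a check that the ids in authInstitution and the option values in the form are unique and match each other ignoring case, run here on constructed sample content. The names check_institutions and PrincipalOptions are hypothetical, and the form is assumed to mark the list as a select element with id='_principal' whose options carry value attributes.

```python
from html.parser import HTMLParser

# Constructed sample content; ids, names and addresses are placeholders.
SAMPLE_AUTH = "insta--Pat Principal--pat@insta.example\nnewinst--Nora New--nora@newinst.example\n"
SAMPLE_FORM = ("<select id='_principal'>\n<option value='INSTA'>Institution A\n"
               "<option value='NEWINTS'>New Institution\n</select>\n")

class PrincipalOptions(HTMLParser):
    """Collect option values inside the select whose id is _principal."""
    def __init__(self):
        super().__init__()
        self.in_select, self.values = False, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "select":
            self.in_select = attrs.get("id") == "_principal"
        elif tag == "option" and self.in_select and attrs.get("value"):
            self.values.append(attrs["value"])

    def handle_endtag(self, tag):
        if tag == "select":
            self.in_select = False

def check_institutions(auth_text, form_html):
    """Return a list of problems; an empty list means the two files agree."""
    problems, file_ids = [], []
    for n, line in enumerate(auth_text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("--")]
        if len(parts) != 3 or not all(parts) or "@" not in parts[2]:
            problems.append(f"line {n}: expected instid--Full Name of PI--address")
            continue
        file_ids.append(parts[0].lower())
    parser = PrincipalOptions()
    parser.feed(form_html)
    form_ids = [v.lower() for v in parser.values]
    for label, ids in (("authInstitution", file_ids), ("form", form_ids)):
        for dup in sorted({i for i in ids if ids.count(i) > 1}):
            problems.append(f"{label}: duplicate id {dup}")
    for i in sorted(set(file_ids) - set(form_ids)):
        problems.append(f"{i}: in authInstitution but no option in the form")
    for i in sorted(set(form_ids) - set(file_ids)):
        problems.append(f"{i}: option in the form but not in authInstitution")
    return problems
```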

LAMS Site Admin

The site admin is responsible for maintaining the hardware and software environment where the LAMS and VOMS systems reside, including backups.

For information or help regarding access or other issues with computing resources at UWM related to LAMS and VOMS, please contact lamsadmin@gravity.phys.uwm.edu.

LSC Admins

There is a web page for LSC site admins to verify account information contained in LAMS at https://voms.phys.uwm.edu/secure/cgi-bin/sites.cgi.

Supported by the National Science Foundation. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF).