SURAgrid Account Mgmt Tool Case Study: Kennesaw State University

SURAgrid Account Mgmt Tool
Case Study: Kennesaw State University
[email protected]
Graduate Research Assistant – Kennesaw State University
Overall Experience
• Good
• Approximately 3 weeks from Rocks ‘jumbo’ install to Bridge Cross-Certification
• Documentation fairly good
• Had to get a few answers from SURA support team
• Perl scripts are well-commented
• A bit of bouncing between web sites

Which Tools We Use
• All of them, e.g.
  – SURA simpleCA Bundle
  – bridge.pl
  – homedir.pl
  – web interface https://www.pki.virginia.edu/suragrid/
  – LDAP callout

KSU Starting Point
• Hardware
  – Dell PowerEdge 1855
  – Intel Xeon x86_64
• Software
  – Rocks 4.1 ‘jumbo’ DVD
  – CentOS
  – Rocks Grid Roll 4.0.1
• Zero Users
• Skills
  – 5+ years experience with certificates
  – 10+ years UNIX experience

Install Bumps in the Road
• Perl Open::LDAP Installation Fails
  – Scripts require Open::LDAP module
  – Solution: cpan> install Net::SSLeay
• gsissh prompts for password – unresolved
• Users made by homedir.pl
  – get no /etc/passwd entry
  – If you want to assign a password, manually edit /etc/passwd and then run pwconv

Web Interface
• Worked well
• Wasn’t sure about ‘user password’ field
• Sites with lots of existing users may want a bulk add feature. Right now the web interface only permits 1 user add at a time.

scratch.pl - Example LDAP Extension
• Automates SCRATCH creation using LDAP
• Modified homedir.pl Perl code

    # Search one level below the base for every account entry
    $search = $ldap->search(
        "base"   => $LDAP_BASE,
        "scope"  => "one",
        "filter" => "(uid=*)",
        "attrs"  => [ "uid", "uidNumber", "gidNumber", "homeDirectory" ]
    );
    # ...snip…
    # populate SURAGRID_SCRATCH_PARENT and SURAGRID_SHARED_SCRATCH_PARENT
    foreach $entry ($search->entries) {
        $loginid       = $entry->get_value("uid");
        $scatchhomedir = $entry->get_value("homeDirectory");
        $uid           = $entry->get_value("uidNumber");
        $gid           = $entry->get_value("gidNumber");
        # skip accounts whose scratch directory already exists
        next if -d "$SURAGRID_SCRATCH_PARENT/$loginid/.";
        &make_scratchhomedir($scatchhomedir, $loginid, $uid, $gid);
    }

scratch.pl - continued
• Automates scratch directory creation on head and compute nodes
• Uses Rocks-specific ‘cluster-fork’ python script

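The scratch.pl loop builds a filesystem path from the LDAP uid and hands uidNumber and gidNumber on to directory creation, so each entry is worth vetting before the script acts on it. The following is an added example, not SURAgrid or KSU code; the parent path, the minimum ID of 500 and the reject_reason helper are assumptions, and the sample entries are constructed.

```perl
#!/usr/bin/perl
# Added example: vet LDAP-supplied account attributes before a script
# uses them to create and chown a directory. Not part of scratch.pl.
use strict;
use warnings;

my $SCRATCH_PARENT = "/scratch";  # assumed value of $SURAGRID_SCRATCH_PARENT
my $MIN_ID         = 500;         # assumed lowest non-system uid/gid on the cluster

# Returns nothing (undef) if the entry is safe to act on,
# otherwise a string saying why it is not.
sub reject_reason {
    my ($loginid, $uid, $gid) = @_;
    for ($loginid, $uid, $gid) {
        return "missing attribute" unless defined $_ && length $_;
    }
    # Login-name characters only: no '/', no '..', no leading '-' or '.'
    return "unsafe uid '$loginid'"
        unless $loginid =~ /\A[a-z_][a-z0-9_-]{0,31}\z/;
    for my $n ($uid, $gid) {
        return "non-numeric id '$n'" unless $n =~ /\A[0-9]{1,9}\z/;
        return "system id $n"        if $n < $MIN_ID;
    }
    # Do not follow a symlink already sitting where the directory will go.
    return "symlink at target" if -l "$SCRATCH_PARENT/$loginid";
    return;
}

# Constructed sample entries standing in for $search->entries.
my @entries = (
    { uid => "alice",     uidNumber => "5001", gidNumber => "5001" },
    { uid => "../../etc", uidNumber => "5002", gidNumber => "5002" },
    { uid => "bob",       uidNumber => "0",    gidNumber => "0"    },
    { uid => "carol",     uidNumber => "50x3", gidNumber => "5003" },
);

for my $e (@entries) {
    my $why = reject_reason(@$e{qw(uid uidNumber gidNumber)});
    if (defined $why) {
        warn "skipping entry: $why\n";
        next;
    }
    # A real script would call its directory-creation routine here.
    print "would create $SCRATCH_PARENT/$e->{uid} ",
          "owned by $e->{uidNumber}:$e->{gidNumber}\n";
}
```

Only the first constructed entry passes; the other three are skipped for a path-traversal uid, a system ID and a non-numeric ID respectively.
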
Additional Feedback
• Unclear if current verification steps match typical grid use
  – Current verification: gsissh / globus-url-copy
  – Versus typical use: myproxy and portal
• Automate the setting of installation filesystem paths for the Perl scripts and ldap_authz_callout-0.2.tar.gz
• Code repository
  – Promote sharing of locally developed improvements and enhancements
  – Version control
• Suggest
  – user under which homedir.pl should run
  – CRON entries
• Unclear whether the text “add your DN to /etc/grid-security/grid-mapfile” still applies when using the Globus LDAP callout.

Questions or comments?
For more information…
[email protected]