Participants:
Miguel Anjo (CERN Physics Database Consultant), Vincenzo Ciaschini (on the telephone), Maria Dimou, Joni Hahkala, Tanya Levshina (on the telephone), Karoly Lorentey, Ian Neilson, John Weigand (on the telephone).
Apologies: .
Agenda:
1. Comments on the previous meeting's notes http://cern.ch/dimou/lcg/registrar/TF/meetings/2005-03-22 - All
2. voms ORACLE Port status: This should be discussed first because Miguel Anjo, invited database expert, may have to leave early. - Vincenzo, Karoly
3. Discussion on voms code versions: In view of the need to move to gLite a.s.a.p. let's repeat which version from which CVS we should install. Is the OSG problem solved? - Vincenzo, Karoly
4. Action list review - All
5. A.O.B.
6. Select date for next meeting. Please remember Tanya will visit in the week of May 23rd. We should plan the agenda for that workshop now.
The notes were accepted without changes.
Vincenzo reported that the port is ready, as described in savannah task 1376. The database choice is separate from the server code. The db type (Oracle or MySQL) to use must be specified during initial voms configuration through the --db-type option. Due to many reserved names in Oracle (more than in MySQL), UID couldn't be used in the Oracle port. This is why UID was changed to userid. The general db structure needed to be changed. The new db structure shouldn't be considered final. All new code is now in the INFNforge CVS.
For other VOMS server installers in other domains, who wish to configure the voms-oracle package, Miguel said that Oracle use by Tier 1 sites is allowed (no licence problems) but with no support.
Next step will be to have vomrs installed on lcg-voms.cern.ch with the current voms-core (glite-voms 1.2.37 and glite-voms-admin 1.0.6). This is now done in the following instances: https://lcg-voms.cern.ch:8443/vo-LCG_Test/vomrs and https://lcg-voms.cern.ch:8443/vo-Test/vomrs. The latter is a test, so it is a general type of registration (no connection to lcg) and it doesn't synchronize with voms.
Tanya asked about real ORGDB access and VO mgrs' involvement. Karoly said that ORGDB access is allowed for a generic 'voms' account so there should be no problem, no matter where we install the software. Maria sent the ORGDB-VODB discrepancies on April 18th 2005. A copy was sent to the TF but is not included in these publicly accessible web pages for personal user data privacy reasons. By the time these notes are written, Maria has on-going exchanges with the LHC exp. VO managers for new users' update in ORGDB. http://cern.ch/dimou/lcg/registrar/TF/lhc-vos-transition-FAQ.txt
voms-admin port to Oracle is not yet done. In addition, VOMRS only supports MySQL today. Its port to Oracle is planned but resources are not committed yet. Tanya asked about the deadline we require for vomrs-oracle. Ian said that SC3 in September seems a natural target.
Which voms-core versions we find in which CVS:
voms 1.5 with Oracle support can only be found on INFNforge. (gLite 1.1 is closed)
At the meeting it seemed that voms 1.5 can't make it into the next gLite release (R1.2?) due for the end of May. Karoly suggested that we test 1.5 from the nightly builds a.s.a.p. They appear as http://cern.ch/glite/packages/R1.2/NYYYYMMDD, e.g. http://cern.ch/glite/packages/R1.2/N20050502/
Vincenzo said that voms 1.2.3x, which we find on the gLite repository, is functionally equivalent to 1.4.x in INFNforge, mirrored on LCG CVS.
Joni said that the EMT (EGEE Middleware Team) meeting on Wednesday May 4th decides when the next gLite release will be (end of May?), with code freeze by May 15. By the time these notes are published we have the following news:
Date: Fri, 13 May 2005 12:09:23 +0200
From: Joni Hahkala
To: Maria.Dimou@cern.ch
Cc: Vincenzo Ciaschini, Karoly Lorentey, Maarten Litmaath, Ian Neilson
Subject: Re: VOMS in glite R1.2

Hi,
The VOMS 1.5 is already branched and included into the build, but the subpackages might be missing from the sec subsystem, we'll fix it asap.
The bad news is that the official release of R1.2 seems to be postponed to the end of June, but of course the builds on the url you mention are available all the time.
Cheers,
Joni

Maria Dimou-Zacharova wrote:
> Ciao Vincenzo,
> We can use this opportunity to get rid of any multiplicity of CVS
> repositories and voms flavours. We have the mandate to go to glite
> a.s.a.p. so we'll only be using what is available on
> http://cern.ch/glite/packages/R1.2/N2005MMDD/
>
> It is important that when the glite R1.2 is officially out (end of May?)
> all voms-related rpms (server and client, oracle and mysql ports), present
> on the downloads page under "gLite VOMS Server and Administration Tools"
> hold the 1.5.x version number, and stop today's 1.2.3x numbering, please!
> Regards
> - maria
voms-admin 0.7.x on the LCG CVS is frozen. Karoly will put a note that voms-admin 1.0.6 in gLite should be used from now on. The voms-admin port to Oracle is not yet done.
Concerning the OSG inter-operability issue, Vincenzo observed that if the voms server is on globus 2 with the client on globus 3, no proper authentication is possible. As a work-around he suggested configuring the voms server on GT3. As the gLite sw is on GT3, this problem should no longer occur.
(*** ACTION 2004-09-17--4 ***) Tanya should re-open the savannah ticket 1141
if a more user friendly error message can be envisaged by the VOMRS developers
in case of expired user certificate.
Details by Tanya:
I have no clue how to do for now. It is interesting that VOMS admin (0.7.5) behaves absolutely identical on our host (edg trust manager version is 1.5.6). Any help is welcome.
Comments by Maria:
I had submitted that ticket originally because VOMRS was telling me "Cannot
find Server" which didn't help me at all to guess that my certificate
might have expired. If voms-admin and vomrs can find a way to present a text
listing possible reasons of failure, including possible certificate expiration,
it would be great.
Decided to open in savannah (Maria) and remove from this list.
DONE in https://savannah.cern.ch/task/?func=detailitem&item_id=1141 Close at the next meeting.
(*** ACTION 2004-09-17--6 ***) Tanya will enter in the savannah group lcgoperation the bugs she has observed. Example: Simultaneous "commit" of changes via the User Interface and the VOMS db API causes the db tables to go out of sync. This is most probably not a database problem but an application problem of voms-admin.
This problem may have gone away with the latest release. Maybe close this action after the next meeting?
Decided to open in savannah (Tanya, if she sees the symptom again) and remove from this list. Close at the next meeting.
(*** ACTION 2004-09-17--7 ***) Maria to write a recommendation for the CERN IT Management on information quality improvement for CERN HR db. (Maria feels this can only be done when the ORGDB content quality is fully understood but Ian in the 2005-01-18 meeting recommended that we move ahead with this action already now).
Comment just before the 2005-04-28 meeting:
We can now do this, based on comments by the VO managers on their VO members
absent from ORGDB.
Decided to close. No recommendation needed. 80% of the LHC VO members were already in ORGDB. We have full collaboration by VO managers, experiment secretariats, Users Office, CERN security team to update the rest. Close at the next meeting.
(*** ACTION 2004-09-17--9 ***) Maria will test VOMRS and make available to the TF a list of features. By the time these notes are written, Tanya announced mid-December 2004 the pre-alpha version https://hotdog62.fnal.gov:8443/vo-LCG/vomrs for testing. Also, early May Tanya brought up https://lcg-voms.cern.ch:8443/vo/Test/vomrs and https://lcg-voms.cern.ch:8443/vo-LCG_Test/vomrs . Maria should ask the IT secr. to be put in all experiments to be able to test.
PENDING but request sent to the secretariat. Close at the next meeting.
(*** ACTION 2004-09-17--10 ***) Tanya expressed worries that US-CMS users
won't accept to type their birthdate, even if it is only DDMM (no year) and
even if it is not logged in clear, simply a string saying that it was provided.
She also said they might be reluctant to register in CERN HR db, even if this
is LHC experiment policy. She should give the TF feedback from discussions
on this matter with her community.
Tanya said that nobody complained in US-CMS. Close at the next meeting.
(*** ACTION 2004-09-17--11 ***) Maria to create savannah ticket for VOMS admin and VOMRS to set Return-email-address to the one of the VO manager for user notifications that can't reach the recipients.
DONE The ticket already existed as https://savannah.cern.ch/task/?func=detailitem&item_id=1096 Close at the next meeting.
(*** ACTION 2004-09-17--12 ***) TF to re-discuss the Usage Rules re-acceptance
prompt in more detail.
Comment just before the 2005-04-28 meeting:
Now that http://edms.cern.ch/document/573348 (VO Security Policy) should we
ask the LHC Experiment VO managers to prepare their AUPs and link them from
VOMRS (when installed at CERN)? The document is DRAFT.
PENDING Discuss on May 23rd
(*** ACTION 2004-09-17--13 ***) LCG deployment management has to plan for
VOMS admin software maintenance continuity after Karoly's departure from CERN
in April 2005. LCG/EGEE management has to plan for EDG trust manager support
continuity after Joni Hahkala's departure from CERN.
Not needed. Close at the next meeting.
(*** ACTION 2004-09-17--14 ***) Ian should investigate with the LCG Deployment
management whether resources could be found elsewhere in the community to assist
Tanya in the VOMRS development work.
Comment just before the 2005-04-28 meeting:
If John is assigned to other projects do we need to keep this action?
John will stay. Tanya will get another person. She'll start another project in June but will remain partially involved in this too.
Not needed. Close at next meeting.
(*** ACTION 2004-10-28--1***) Tanya to make a UML diagram in addition to the
VOMRS Registration Process flow and to the VOMRS_new_req document they prepared
with John.
Comment just before the 2005-04-28 meeting:
Now that Karoly's ORGDB modules are ready, it would be more helpful to make
a diagram on each package involved where/when so that simple users/installers/VOmanagers
can understand how the new structure works.
PENDING
(*** ACTION 2004-11-29--1***) Karoly to make available a skeleton of Classes for VOMRS developers to use when interfacing to the ORGDB.
Discuss it when Tanya comes. This should be part of vomrs because it has nothing to do with gLite. Investigate if a CVS repository is needed for the lcg-foundation interface.
PENDING
(*** ACTION 2004-11-29--2***) John and Tanya to submit in savannah (project=lcgoperation)
the problems they mentioned at the meeting related to voms-core code when using "voms-proxy-init" and
anything else they want to report to the developers. Savannah is the communication
medium that helps the TF check where we stand in the process. All, please close
tickets when actions done.
DONE. Close after the next meeting
(*** ACTION 2005-01-18--1***) John and Tanya to update their CA management
paper.
Comment just before the 2005-04-28 meeting:
The document source appears "Last saved 2005-01-10". The updates
discussed are in the notes from the 2005-01-18 meeting.
PENDING
(*** ACTION 2005-02-22--1***) Karoly to test whether GT3 is the cause of interoperability
problems between what USATLAS uses and what the CERN VOMS server offers. John
to check and inform us on the exact VDT (1.3.1.?) release that works with voms
1.3.7. Vincenzo said that, if there is any inter-operability problem, then,
this is a bug and should be entered in savannah. Details in the notes of the
2005-02-22 TF meeting (section 2).
Not needed. Vincenzo diagnosed a GT2 vs GT3 problem as explained in section 3 above. Close at the next meeting.
(*** ACTION 2005-02-22--3***) VOMRS developers to put the VOMRS rpms (no binaries!)
after test completion (mid-March 2005?) in the LCG operations CVS. Maria sent
their afs login id to Louis.Poncet@cern.ch. Louis created a directory called
'vomrs' under "Auth" in our (lcgware) CVS. To navigate via http://cern.ch/grid-deployment,
select "CVS development". Here is the CVS documentation and the developer's
guide.
Not needed. We'll be using the FNAL web page for downloads. Close at the next meeting.
(*** ACTION 2005-02-22--4 ***) Tanya and John to install VOMRS on a FNAL SL3
host. Information on SL3 can be found Here.
Not needed. We'll be using the CERN SL3 hosts. Close at the next meeting.
(*** ACTION 2005-03-22--1 ***) Karoly to create a CVS repository under LCG
for the ORGDB interface code he wrote.
Not needed. We'll be using the FNAL web page for downloads. Close at the next meeting.
The next meeting will be held on 23 May for 4 days.
Maria Dimou, IT/GD, Grid Infrastructure Services