EGI-Foundation.voms-client

EGI VOMS Client


General Information

What are VOMS and VOs?

This is an Ansible role to set up VOMS clients. VOMS stands for Virtual Organization Membership Service. It is a web service used to manage who belongs to Virtual Organizations (VOs). VOMS clients help users obtain authorization (in the form of temporary access tokens) to use specific services based on their VO membership. These clients are command-line tools that send authenticated requests to the VOMS server to obtain that access.

To use the VOMS client, you must:

  • Have a personal X.509 certificate.
  • Be registered with the VO you want to access.

VOMS clients are usually installed on user interfaces or worker nodes.

Configuration

Configuring VOMS clients involves a couple of files:

  1. .lsc files
  2. vomses files

For more detailed guidance, check out the VOMS documentation.

For each VO you want to use, you need the relevant configuration. This can be time-consuming, especially if a site admin isn't sure which VOs to set up.

To simplify this, we use a data-driven approach.

The required data comes from the EGI Operations Portal API, which this role uses as a data source. This enables us to configure all registered VOs at once. There are two methods for generating the configuration:

  1. Pulling raw data from Lavoisier during Ansible runtime.
  2. Using filtered data from Lavoisier before Ansible runtime.

In the first method, a well-designed json_query would process the data from Lavoisier. This query has to match the data structure Lavoisier returns, which may not always be straightforward. The second method uses simpler code to go through pre-filtered cached data, making it easier to manage. A simple Python script - files/create_clean_vo_data.py - can create this cached data, which is saved in YAML format for easier tracking of changes.

We chose the second option (see 4215026e18c) for a couple of reasons:

  1. It's easier to maintain a simple, well-documented script than a complex JSON query.
  2. It's easier to read a well-documented script than a complex JSON query.
  3. If this role is included in playbooks (which will likely happen since VOMS clients are widely used), the data needs to be ready.

However, there is a downside: the data in the repository can lag behind the actual data on Lavoisier. This happens if the cache is edited by hand or if the script is not re-run when the upstream data changes. The best way to ensure accuracy is to have a robust testing procedure.
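As an added illustration of what the cached VO data has to carry and how the two configuration file types described under "Configuration" are derived from it, the following Python script (not the role's own create_clean_vo_data.py, and not part of this repository) renders vomses entries and .lsc files from a constructed sample of cleaned VO records. The record shape (name, servers with hostname, port, dn, ca_dn) is an assumption, as is the one-file-per-VO-and-server naming under /etc/vomses; the real Operations Portal payload may differ. Because VO names and hostnames arrive from an external data source and end up in filesystem paths on the target host, the script refuses names that could escape the configuration directories or break the quoted file format.

```python
"""Render VOMS client configuration (vomses entries and .lsc files) from VO data.

Added example, not the role's create_clean_vo_data.py. The input shape is an
assumed, constructed approximation of a cleaned VO record.
"""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass

# Constructed sample of "clean" VO data (assumed shape, not the real API payload).
SAMPLE_VO_DATA = [
    {
        "name": "example.vo.org",
        "servers": [
            {
                "hostname": "voms.example.org",
                "port": 15000,
                "dn": "/DC=org/DC=example/OU=services/CN=voms.example.org",
                "ca_dn": "/DC=org/DC=example/CN=Example CA",
            },
            {
                "hostname": "voms2.example.org",
                "port": 15000,
                "dn": "/DC=org/DC=example/OU=services/CN=voms2.example.org",
                "ca_dn": "/DC=org/DC=example/CN=Example CA",
            },
        ],
    },
]

# VO names and hostnames become path components; allow only a conservative charset.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


@dataclass(frozen=True)
class VomsServer:
    hostname: str
    port: int
    dn: str
    ca_dn: str


def check_name(value: str, what: str) -> str:
    """Reject values that could traverse directories or smuggle path separators."""
    if not SAFE_NAME.match(value) or ".." in value:
        raise ValueError(f"unsafe {what}: {value!r}")
    return value


def validate_server(raw: dict) -> VomsServer:
    """Reject incomplete records so a broken cache cannot yield half-written config."""
    for key in ("hostname", "port", "dn", "ca_dn"):
        if not raw.get(key):
            raise ValueError(f"server record missing {key!r}: {raw}")
    port = int(raw["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port} for {raw['hostname']}")
    for key in ("dn", "ca_dn"):
        # A quote or newline inside a DN would corrupt the quoted vomses format.
        if '"' in raw[key] or "\n" in raw[key]:
            raise ValueError(f"unsafe character in {key} for {raw['hostname']}")
    return VomsServer(check_name(raw["hostname"], "hostname"), port, raw["dn"], raw["ca_dn"])


def vomses_line(vo: str, srv: VomsServer) -> str:
    """One vomses entry: "alias" "host" "port" "server DN" "vo name"."""
    return f'"{vo}" "{srv.hostname}" "{srv.port}" "{srv.dn}" "{vo}"'


def lsc_content(srv: VomsServer) -> str:
    """A .lsc file: the server certificate DN, then the DN of its issuing CA."""
    return f"{srv.dn}\n{srv.ca_dn}\n"


def render_config(
    vo_data, voms_dir: str = "/etc/grid-security/vomsdir", vomses_dir: str = "/etc/vomses"
) -> dict[str, str]:
    """Map target-host file paths to file contents for every VO and VOMS server."""
    files: dict[str, str] = {}
    for vo in vo_data:
        name = check_name(vo["name"], "VO name")
        for raw in vo.get("servers", []):
            srv = validate_server(raw)
            # Assumed naming: /etc/vomses/<vo>-<host> and <vomsdir>/<vo>/<host>.lsc
            files[posixpath.join(vomses_dir, f"{name}-{srv.hostname}")] = vomses_line(name, srv) + "\n"
            files[posixpath.join(voms_dir, name, f"{srv.hostname}.lsc")] = lsc_content(srv)
    return files


if __name__ == "__main__":
    for path, content in sorted(render_config(SAMPLE_VO_DATA).items()):
        print(f"== {path}\n{content}")
```

In the role itself the rendering happens in Ansible templates; this script is only meant to make the mapping from cached record to on-host files explicit, and to show why a record from the cache should be validated before it is written to a path.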

Updating VO Data

To update VO data using files/create_clean_vo_data.py, you'll need an authentication token to access the EGI Operations Portal API.

You can generate the token by logging in through EGI Check-in and visiting the Operations Portal API documentation page. Follow the instructions there, then export the token into your environment before running files/create_clean_vo_data.py.

You can test if the token works using a curl command:

# Exporting Operations Portal API token
$ export OPS_PORTAL_API_TOKEN='...'
# Testing an API call using curl
$ curl -X GET "https://operations-portal.egi.eu/api/vo-voms/json" \
    -H "Accept: application/json" \
    -H "X-API-Key: $OPS_PORTAL_API_TOKEN"

Once the curl command is confirmed to work, you can use the script:

# Exporting Operations Portal API token
$ export OPS_PORTAL_API_TOKEN='...'
# Updating the VO data
$ ./files/create_clean_vo_data.py

Testing

This role is tested using molecule for various scenarios.

These tests include unit and integration tests, but not functional tests, as a personal certificate is needed to exercise the VOMS client. Tests include:

  • Checking the presence of binary executables.
  • Verifying configuration directory existence.
  • Ensuring configuration files have the correct contents for selected VOs.

Requirements

Check requirements.txt for details.

Role Variables

Role variables found in defaults/main.yml include:

  • prerequisites - necessary packages based on your OS.
  • voms_dir, vomses_dir - locations on the target host for VOMS information.
  • lavoisier - endpoints for fetching required data.

There's no need to change the default variables.

Dependencies

Dependencies aren't explicitly listed in the metadata, but this role depends on the UMD role:

- { role: EGI-Foundation.umd, release: 4 }

Example Playbook

- hosts: servers
  roles:
    - { role: EGI-Foundation.umd, release: 4 }
    - { role: EGI-Foundation.voms-client }

License

Apache-2.0

Author Information

For author details, see AUTHORS.md.

Project information

VOMS client role for the hpcgridcloud

Install
ansible-galaxy install EGI-Foundation.voms-client
License
apache-2.0
Downloads
224
Owner
Advanced Computing for Research