The Grouper Developers are seeking practical use cases that will contribute to the development and enhancement of the Grouper product, in turn benefiting those institutions that plan to deploy Grouper.
To participate in the development of this work, we ask that you add details of your proposed use case below, as thoroughly as possible.
LIGO provisioning Use Case
Author: Scott Koranda
Brief Description of the LIGO VO
LIGO, the Laser Interferometer Gravitational-wave Observatory, seeks to detect gravitational waves--ripples in the fabric of spacetime. The LIGO Scientific Collaboration (LSC), a self-governing collaboration, was founded in 1997 and currently has more than 800 members from 70 institutions worldwide. LIGO is funded by the NSF.
Sketch of LIGO provisioning
Consider the case of a new data analyst, named Scott Koranda, joining the collaboration by joining the LSC group at the University of Wisconsin-Milwaukee. The following types of resources must be provisioned:
- the Kerberos principal scott.koranda@LIGO.ORG is created in the master KDC and replicated to the slave KDCs
- in the LIGO master LDAP server the following dn is created:
- Additionally the following dn is created:
- the subject (in Grouper terms) scott.koranda@LIGO.ORG is added in Grouper to the group Communities:LVC:LSC:MOU:UWM:UWMGroupMembers and because of that becomes a member of a number of composite groups. These are provisioned into LDAP so that the dn above also has attributes
- once scott.koranda@LIGO.ORG is in the LDAP, that Kerberos principal can be used to log in to various SSH servers that have been configured appropriately to pull uids and gids from LDAP.
- newer version control systems like git do not require any further provisioning in order for the user to push into the central repository since they can ride over SSH...
- but a legacy CVS system requires provisioning an account in the CVS writers file in various places
- a login account for a Linux cluster at each of the 10 LIGO Data Grid computing sites is provisioned, usually the account is hosted on storage exposed via NFS. These are separate logins managed by 10 distinct sets of administrators.
- each of the computing sites provisions some type of local storage on each of the cluster head nodes and also a user-dedicated local scratch space on each of the cluster worker nodes. For example, on the cluster at Milwaukee we would have /people/scott.koranda on the head node(s) and /localscratch/scott.koranda on each of the worker nodes.
- a number of grid tools including GridFTP, Grid-enabled OpenSSH, and others use a type of ACL file called a grid-mapfile. These files need to be provisioned with an entry like
Typically there should be a grid-mapfile for each instance of each service at each site. The composition of the grid-mapfiles could depend on the groups to which a user belongs. For example, Scott Koranda only gets an entry for one particular GridFTP server because he is in the group that analyzes a particular type of data.
- Since LIGO members are automatically qualified to run on the Open Science Grid (OSG), the DN above is also provisioned into the LIGO VOMS server (used only for accessing OSG resources, not LIGO resources).
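The grid-mapfile step above is the one where group membership directly decides the content of an access-control file per service instance. The following Python script is an added illustration (not LIGO's or Grouper's own code) of how such files can be derived from effective group membership: a subject gets a line in a service's grid-mapfile only if it holds every group that service's policy requires, and regenerating the file from membership means a subject removed from a group silently drops out of the file on the next run. Everything in it is constructed for the example: the certificate DNs, the second subject, the service host names, the policy table, and every group name other than Communities:LVC:LSC:MOU:UWM:UWMGroupMembers, which is the one named on this page. Only the grid-mapfile line format (the DN in double quotes followed by the local account name) is the real one used by GridFTP and GSI-OpenSSH.

```python
"""Derive per-service grid-mapfiles from (Grouper-style) group membership.

Constructed example: DNs, host names, policy and all group names except
Communities:LVC:LSC:MOU:UWM:UWMGroupMembers are invented for illustration.
"""
from __future__ import annotations

# Constructed: subject -> certificate DN (the real LIGO DN is not shown on the page).
SUBJECT_DN = {
    "scott.koranda@LIGO.ORG": "/DC=org/DC=example/CN=scott.koranda",
    "jane.doe@LIGO.ORG": "/DC=org/DC=example/CN=jane.doe",
}

# Constructed: subject -> effective groups, i.e. direct plus composite memberships
# as Grouper would have already resolved them before provisioning.
MEMBERSHIPS = {
    "scott.koranda@LIGO.ORG": {
        "Communities:LVC:LSC:MOU:UWM:UWMGroupMembers",
        "Communities:LVC:LSC:LSCGroupMembers",   # hypothetical composite group
        "Communities:LVC:LSC:Data:RawFrames",    # hypothetical data-analysis group
    },
    "jane.doe@LIGO.ORG": {
        "Communities:LVC:LSC:MOU:UWM:UWMGroupMembers",
        "Communities:LVC:LSC:LSCGroupMembers",
    },
}

# Constructed policy: each service instance lists the groups a subject must ALL hold.
SERVICE_POLICY = {
    "gridftp.uwm.example.org": {"Communities:LVC:LSC:LSCGroupMembers"},
    "gridftp-raw.uwm.example.org": {
        "Communities:LVC:LSC:LSCGroupMembers",
        "Communities:LVC:LSC:Data:RawFrames",
    },
    "gsissh.uwm.example.org": {"Communities:LVC:LSC:MOU:UWM:UWMGroupMembers"},
}


def local_user(subject: str) -> str:
    """Map a Kerberos principal to the local account name (the part before '@')."""
    user, sep, _realm = subject.partition("@")
    if not sep or not user:
        raise ValueError(f"not a principal: {subject!r}")
    return user


def grid_mapfile_line(dn: str, user: str) -> str:
    """One grid-mapfile entry: the DN in double quotes, then the local account."""
    if '"' in dn or "\n" in dn:
        # A quote or newline in a DN would corrupt the file's line structure.
        raise ValueError("DN contains characters that cannot be quoted safely")
    return f'"{dn}" {user}'


def entitled_subjects(service: str) -> list[str]:
    """Subjects holding every group the service's policy requires (AND semantics)."""
    required = SERVICE_POLICY[service]
    return sorted(s for s, groups in MEMBERSHIPS.items() if required <= groups)


def build_grid_mapfile(service: str) -> str:
    """Full grid-mapfile content for one service instance, newline-terminated."""
    lines = [
        grid_mapfile_line(SUBJECT_DN[s], local_user(s))
        for s in entitled_subjects(service)
    ]
    return "\n".join(lines) + ("\n" if lines else "")


def build_all() -> dict[str, str]:
    """Regenerate every service's grid-mapfile from current membership."""
    return {svc: build_grid_mapfile(svc) for svc in SERVICE_POLICY}


if __name__ == "__main__":
    for svc, content in build_all().items():
        print(f"# {svc}")
        print(content, end="")
```

Run as-is it prints three constructed grid-mapfiles; only scott.koranda appears in the raw-frames GridFTP file because only he holds the extra data-analysis group, which is the situation the text describes. In a real deployment the membership table would be read from Grouper (or from the isMemberOf-style attributes it provisions into LDAP) and the output written atomically to each service's mapfile path, so that a half-written file is never read by the service.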