1. status of vomrs/voms at CERN (hardware, software upgrade, problems, etc)
- current installation: voms-admin 2.0, voms-core 1.8, vomrs-1.3.4a on 4 SL4 nodes (see https://twiki.cern.ch/twiki/bin/view/LCG/VomsNodes)
- two SL5 nodes: test installation of voms 2.5.5 and voms-core 1.9.19
- next release voms-admin 2.6, voms 2.0 will go to EMI 1 (April); it contains most of the features needed for vom(r)s convergence
- glite will only include important bug fixes for voms 2.0, 2.5 until October 2011. The definition of important is negotiated between VOMS clients, the EMI project and INFN.
- security fixes will be continued on glite versions until April 2012
- it makes sense for VDT to wait for the EMI release (new packaging and convergence features)
2. lcg-registration lib, source code owner, maintenance
- This code belongs to CERN. The source code was written by Karoly Lorenty and had been maintained by Laxin Ma. The code is in CERN CVS. Steve will look at the code and will try to make the changes requested by the CERN DBA.
- VOMRS uses this lcg-registration lib to access the CERN orgdb; the new lib could be included in the 1.3.4b release and tested on voms200
3. vomrs 1.3.4b release
- fixes for email synchronization for LHC VOs
- changes to handle csrf-enabled voms
- new glite-trustmanager and utils-java libs. Action for Tanya to verify that these are the right jars to use (a new one should be released shortly according to Andrea)
- could include the lcg-registration jar if available
4. voms-admin -2.6(?) vs vomrs (what features are implemented, missing etc)
The following features, needed for convergence, are missing from the current version but will be implemented:
- a user cannot select an Institutional Representative (showstopper)
- a group description is available but is not displayed in the user/admin interface
- "bulk" actions can be taken only for status changes, not for requests or group assignment
- the search should be more sophisticated (e.g. allow selecting users by specified criteria: institution, group, status, etc.)
- for LCG VOs: institutional membership is not restored when it is restored in CERN HRdb
- it should be possible to plug in an event listener to take third-party actions if needed (D0 case)
- there is no means to add additional personal information to registration (needed by D0, OSG VO, maybe others). Not fully understood so far, will need more discussion; could implement a simplified version. Andrea: this will not come in the first 2.6 release but afterwards.
- a user that is denied access to a VO should not be able to keep reapplying
- need a customizable email subject per VO, set in configuration, as in VOMRS the template of the subject should be manually modified by the VO admin
- add role description
The following features will not be implemented unless requested by multiple VOs:
- role association with a group. Andrea: this behaviour can be implemented today with ACLs.
- events are only generated from user requests and VO admin actions upon the requests; event subscription will not be implemented. Andrea's opinion is that it is not needed for the small set of events. He will work on the ability to switch email notification off (not actually needed if user registration is disabled). Non-requested VO admin actions are not considered events: e.g. if a VO admin registers a user or assigns a user to a group, voms will not send an email to the user
- customizable on-line help could be implemented only for user registration. Andrea: This *can* be done today for user registration, and there is no problem in doing it also for other parts of the web interface where needed since the template engine used in VOMS Admin makes it quite easy to do this stuff.
5. D0 and dteam cases and voms-admin-2.6
- It looks like the D0 registration case could be implemented with the available plugin mechanism; a fully implemented Event Listener is needed in order to keep synchronization with SAM
- Dteam: hierarchical approval from the bottom up; we need to discuss it more during the meeting
6. security patches and how to enable them:
- Patches are not for voms 2.0 but only for VOMS 2.5
- It is configurable via (voms.csrf.log_only = true)
- If csrf is enabled then the voms-admin client should be updated, but not the edg-mkgridmap script
- Action: Andrea will send a link to a paper that describes the standard way of handling csrf for webservices.
7. voms core and globus libraries
- voms-core 2.0 (EMI 1) will not have a globus lib dependency
8. voms, voms-client, voms-admin backward compatibility
- All old voms-core clients will work with 2.0, voms-admin (see 6) and Andrea's talk on Wednesday
9. vomrs-voms migration plans
- install voms 2.6 on a test node at CERN (all 11 VOs)
- notify VO admins of test availability
- use the test installation for the migration test
- implement the missing voms-admin APIs that should be provided before full migration is possible. New voms-admin rpms should be released for testing that contain webservices for:
  - personal info management
  - aup management