This sounds very similar to Jon Churchill's script he used for logging onto the ngsui03 box.
You don't need any VOMS attributes in your "vanilla" proxy when you log in, but you can then select which VO you want.
cheers
JK
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Ewan MacMahon
> Sent: Monday, September 23, 2013 4:28 PM
> To: [log in to unmask]
> Subject: Re: Instant UI
>
> > -----Original Message-----
> > From: Testbed Support for GridPP member institutes [mailto:TB-
> > [log in to unmask]] On Behalf Of Stephen Jones
> > Sent: 06 September 2013 16:54
> >
> > Right, it's Friday, it's five-to-five so it's Crackerjack! I'll round up
> > the requirements so far with a summary, and start again next week.
> > The first thing to say is that this work is eminently suitable for
> > incremental changes - we'll get the low hanging fruit first.
> >
>
> Afternoon all,
>
> I was hoping to be able to follow this up a bit further in advance of the GridPP
> meeting than this, but it's still technically in advance.
> I've hacked together a little proof-of-concept for the 'other VO users central UI
> box' idea.
>
> It's essentially a slightly modified WLCG VO box, but the effect is of a UI that
> takes gsi ssh logins from people in one particular VO, but then can be used as a
> UI for other VOs once you're logged in.
>
> The idea is that anyone who would need access to a central UI machine (so,
> mostly not people in PP depts.) would join a special-purpose VO, the "UI users'
> VO", which would then give them access to the box.
> While that VO wouldn't be supported on any other services like a normal one
> would be, that allows us to use our existing VOMS service to maintain the user
> list - we'd get a web interface, more-or-less automatic signups, the ability to
> force them to agree to an AUP, and automatic expiration of old accounts, all
> for free. I think that should deal with the concern that Martin raised about
> managing and keeping track of the remote users.
>
> Once you're in, you can then retrieve a proxy from a myproxy server and add
> VOMS extensions for any VO you're a member of, as we discussed earlier in
> this thread. In use, it keeps the users' grid certificates on their local machines
> where they belong, but doesn't require any locally installed client tools - all you
> need is CertWizard and the Java GSI-SSH terminal, both of which run straight
> from Java Web Start links.
>
> If anyone would like to have a look at the proof-of-concept box, it's
> t2ui04.physicss.ox.ac.uk, and should accept gsi-ssh logins on port 1975 from
> anyone in the GridPP VO. I hope to bend the ear of anyone who stands still long
> enough tomorrow about this, but in the meantime, if you want to give it a go,
> you'll need to:
>
> - Join/be in the GridPP VO,
> - Get your certificate into CertWizard if it's not already,
> - Then upload a proxy (a grid proxy, no VOMS required) to the NGS myproxy
> server,
> - Run the Java GSI-SSH terminal, open a new connection, and under 'advanced',
> set the port to 1975 and the GSI Defaults->Authentication Order to
> 'other methods',
> - Open the connection and put the appropriate myproxy details in,
> - Then you should be into the UI, and can retrieve a copy of the proxy from
> the myproxy server, and VOMS-ify it to taste.
>
> As John noted, there are some scripts already around to make some of those
> steps even smoother, but I do think the principle is sound.
>
> Ewan