Notes on VOMRS
On 29-March-2006, Tim and Alain had a discussion with Tanya Levshina
from Fermilab about VOMRS. These are Alain's notes from that discussion.
- It is pronounced as three syllables: VOM-R-S.
- It started about two years ago, because VOMS Admin does not meet the
needs of VO administrators that need to deal with the entire
registration process that users go through when joining a
VO. For a small VO, it might not matter, but for a large VO, it
can be a lot of work. So VOMRS provided a process flow for
registering and approving VO members. It also provides more
information about VO members than VOMS Admin (phone number, SSN,
or whatever the VO Administrator wants). It also allows for
members to be suspended (temporarily lose all privileges)
without losing all information about the person, for when you
resume their membership.
- Each VO member can have multiple certificates. VOMS doesn't
allow this, so internally it's mapped to multiple users in
VOMS, but VOMRS shows it as one user.
- Membership can expire, and users must re-sign the usage rules
before they can be allowed to do anything more. (They are
temporarily removed from VOMS, just like suspension.)
- We still need VOMS Admin: VOMRS uses the VOMS Admin API to
communicate with VOMS.
- VOMRS is not a 24/7 critical service (so what if someone's
registration is delayed a few hours?), but VOMS Admin is
considered a critical 24/7 service because it affects clients
like edg-mkgridmap and GUMS that query VOMS. Theoretically,
VOMRS can be run on a different host than VOMS Admin.
- VOMRS has additional databases on top of what VOMS Admin has,
but these can be in the same MySQL instance.
- LCG uses VOMRS, but does not use the personal information
aspects of VOMRS. Instead, VOMRS contacts the CERN personnel
database to get that information, and to do some sort of
approval (if you're in the CERN database, you're approved. If
you're not, get in the database.)
- There is a nice process flow for registration. Tanya walked us
through it in a test VO she has set up. I applied for
membership. It sent me an email with a link, so I could confirm
that the email was correct. She approved me, then I signed the
usage rules (well, clicked the checkbox anyway) and was a
member of the VO. I got to choose which groups I would be in:
this was a request from LCG to simplify administration (just
trust your users) but people tended to just click all groups.
This might change in the future.
- VOMRS Admin is a Tomcat web application. There is one VOMRS
server per VO that runs at all times.
- VOMRS is packaged in RPMs and in Pacman.
- More stuff about VOMRS:
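
The registration flow, the suspend/expire behaviour and the one-member-to-many-certificates mapping described in these notes, as a small model. This is an added example, not VOMRS or VOMS Admin code: the class, state and function names, the transition table and the sample DNs are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    APPLIED = "applied"            # application submitted
    EMAIL_CONFIRMED = "confirmed"  # applicant followed the emailed link
    APPROVED = "approved"          # VO administrator approved
    ACTIVE = "active"              # usage rules signed
    SUSPENDED = "suspended"        # privileges withdrawn, record kept
    EXPIRED = "expired"            # must re-sign the usage rules

# Allowed transitions (assumed from the flow in the notes).
ALLOWED = {
    Status.APPLIED: {Status.EMAIL_CONFIRMED},
    Status.EMAIL_CONFIRMED: {Status.APPROVED},
    Status.APPROVED: {Status.ACTIVE},
    Status.ACTIVE: {Status.SUSPENDED, Status.EXPIRED},
    Status.SUSPENDED: {Status.ACTIVE},
    Status.EXPIRED: {Status.ACTIVE},
}

@dataclass
class Member:
    name: str
    phone: str        # personal data lives in the registry, not in VOMS
    cert_dns: list    # one member, possibly several certificates
    groups: list
    status: Status = Status.APPLIED

    def move(self, new):
        if new not in ALLOWED[self.status]:
            raise ValueError(f"{self.status.value} -> {new.value} not allowed")
        self.status = new

def voms_entries(members):
    """(certificate DN, group) pairs to keep in VOMS: one VOMS user per
    certificate, and only for members that are currently active."""
    return {(dn, g) for m in members if m.status is Status.ACTIVE
            for dn in m.cert_dns for g in m.groups}

def demo():
    # Constructed sample member with two certificates.
    m = Member("Constructed User", "555-0100",
               ["/DC=org/DC=example/CN=User 1", "/DC=org/DC=example/CN=User 2"],
               ["/testvo"])
    for s in (Status.EMAIL_CONFIRMED, Status.APPROVED, Status.ACTIVE):
        m.move(s)
    active = voms_entries([m])
    m.move(Status.SUSPENDED)  # dropped from VOMS, registry record kept
    return active, voms_entries([m]), m.phone
```

Skipping a step, such as approving before the email is confirmed, raises `ValueError`, so only members who have signed the usage rules are ever pushed to VOMS.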