Note: This web site is only kept up to date for OSG Software
1.2 (VDT 2.0.0). If you are looking for information for the most recent
release, the RPM-based OSG Software 3.0, please see
the OSG documentation web site
Notes on VOMRS
On 29-March-2006, Tim and Alain had a discussion with Tanya Levshina
from Fermilab about VOMRS. These are Alain's notes from that discussion.
- It is pronounced as three syllables: VOM-R-S.
- It started about two years ago, because VOMS Admin does meet the
needs of VO administrators that need to deal with the entire
registration process that users go through when joining a
VO. For a small VO, it might not matter, but for a large VO, it
can be a lot of work. So VOMRS provided a process flow for
registering and approving VO members. It also provides more
information about VO members than VOMS Admin (phone number, SSN,
or whatever the VO Administrator wants). It also allows for
members to be suspended (temporarily lose all privileges)
without losing all information about the person, for when you
resume their membership.
- Each VO member can have multiple certificates. VOMS doesn't
allow this, so internally it's mapped to multiple users in
VOMS, but VOMRS shows it as one user.
- Membership can expire, and users must re-sign the usage rules
before they can be allowed to do anything more. (They are
temporarily removed from VOMS, just like suspension.)
- We still need VOMS Admin: VOMRS uses the VOMS Admin API to
communicate with VOMS.
- VOMRS is not a 24/7 critical service (so what if someone's
registration is delayed a few hours?), but VOMS Admin is
considered a critical 24/7 service because it affects clients
like edg-mkgridmap and GUMS that query VOMS. Theoretically,
VOMRS can be run on a different host than VOMS Admin.
- VOMRS has additional databases on top of what VOMS Admin has,
but these can be in the same MySQL instance.
- LCG uses VOMRS, but does not use the personal information
aspects of VOMRS. Instead, VOMRS contacts the CERN personnel
database to get that information, and to do some sort of
approval (if you're in the CERN database, you're approved. If
you're not, get in the database.)
- There is a nice process flow for registration. Tanya walked us
through it in test VO she has set up. I applied for
membership. It sent me an email with a link, so I could confirm
that the email was correct. She approved me, then I signed the
usage rules, (well, clicked the checkbox anyway) and was a
member of the VO. I got to choose which groups I would be in:
this was a request from LCG to simplify administration (just
trust your users) but people tended to just click all groups.
This might change in the future.
- VOMRS Admin is a Tomcat web application. There is one VOMRS
server per VO that runs at all times.
- VOMRS is packaged in RPMs and in Pacman.
- More stuff about VOMRS: