----------------------------------------------------------------
EGI BROADCAST TOOL : https://operations-portal.egi.eu/broadcast
----------------------------------------------------------------
Publication from : Tiziana Ferrari Tiziana.Ferrari@egi.eu
Targets : VO managers/vlemed vlemed-vo-managers@biggrid.nl
----------------------------------------------------------------
A bug [1] was recently found affecting the VOMS Admin process of sending warning messages when user membership is about to expire. The VOMS Admin versions affected by the bug are:
- gLite 3.2: versions 2.5.3-1 and 2.5.5-1
- EMI 1: VOMS Admin 2.6.1
INTRODUCTION
The membership expiration mechanism enforces that every VO member is actually known and approved by the VO manager, in compliance with the Virtual Organisation Membership Management Policy [2]. Membership expiration and renewal is enforced in VOMS starting from VOMS Admin 2.5.3-1 (gLite 3.2).
When a user is registered in a VO, an expiration date is linked to his/her membership. The default lifetime for a VOMS membership is 12 months (in accordance with the policy; it can be extended using a configuration parameter).
ABOUT THE BUG
The VOMS Admin bug prevents the sending of e-mail warnings to the VO manager before the user membership expires. The lack of this e-mail notification compromises the capability of the VO manager to renew membership in due time, especially for large-scale VOs and when the membership of many users expires at the same time. This case affects all VOs whose VOMS server was upgraded from gLite 3.1 to gLite 3.2 or EMI, as during migration the membership date is reset to the same time for all users.
CONSEQUENCES OF THE BUG
In agreement with the VO membership management policy, if a user membership expires, VOMS suspends the user and sends a notification to the user and the relevant VO managers. Because of the bug, the user and VO managers will only be notified when the user is already suspended. The user cannot extend his/her membership without the intervention of the VO managers.
HOW TO FIND IF A GIVEN VO IS AFFECTED BY THE BUG
- for VOMS server administrators, check the VOMS Admin version:
    rpm -qa | grep voms-admin-server
- for VO Managers: go to https://<hostname>:8443/vomses where <hostname> is the hostname of the VOMS server supporting your VO, and check the VOMS Admin version reported at the bottom of the page.
The fix to this bug will be released with VOMS Admin 2.7.0 in EMI 1 update 16 (currently scheduled for release on the 17th of May).
IMMEDIATE WORKAROUNDS
Different workarounds are possible. The choice depends on the scale of the VO. We suggest that VOMS server administrators contact their VO Manager to discuss how to proceed. VOMS administrators can extract information on which users are about to expire by following these instructions:
https://wiki.italiangrid.it/twiki/bin/view/VOMS/KnownIssues#How_to_understan...
Workaround (1) Extension of user membership to 30 September 2012
VOMS server administrators are recommended to extend the expiration of the membership to 30/09/2012 for all users whose membership expires before 30/09/2012. This workaround is recommended in case of large-scale VOs. The extension to 30/09/2012 is recommended to allow time for an upgrade of VOMS Admin to a version which fixes the bug.
Instructions: https://wiki.italiangrid.it/twiki/bin/view/VOMS/KnownIssues#How_to_extend_me...
Workaround (2) Manual notification of the list of users who are about to expire
For all VOs hosted by the VOMS server, at the beginning of each month the administrators send to VO managers a list of users that will be suspended in the next 30 days. This manual workaround replaces the missing e-mail notification to the VO manager. The VO managers will be responsible for checking users and for renewing membership according to the policy.
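An added example (not part of the broadcast or of VOMS Admin) of how the monthly list in workaround (2) could be built, which also flags the memberships that workaround (1) would extend. The CSV export format, the sample users and the function names are assumptions; the broadcast does not show how the membership data is stored.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample export: one row per membership (VO, user DN, expiry date).
# This layout is an assumption; the real VOMS Admin storage is not shown here.
SAMPLE_EXPORT = """vo,dn,expires
vlemed,/O=example/CN=Alice Example,2012-05-20
vlemed,/O=example/CN=Bob Example,2012-08-15
vlemed,/O=example/CN=Carol Example,2013-01-10
vlemed,/O=example/CN=Dave Example,2012-04-28
"""

EXTENSION_TARGET = date(2012, 9, 30)   # workaround (1) date from the broadcast
NOTICE_WINDOW = timedelta(days=30)     # workaround (2) look-ahead


def load_memberships(text):
    """Parse the export into (vo, dn, expiry date) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["vo"], r["dn"], datetime.strptime(r["expires"], "%Y-%m-%d").date())
            for r in rows]


def monthly_report(memberships, today):
    """Group, per VO, the users whose membership expires within 30 days.
    Memberships already past their date are returned separately."""
    expiring, expired = defaultdict(list), defaultdict(list)
    for vo, dn, expires in sorted(memberships, key=lambda m: m[2]):
        if expires < today:
            expired[vo].append((dn, expires))
        elif expires <= today + NOTICE_WINDOW:
            expiring[vo].append((dn, expires))
    return dict(expiring), dict(expired)


def extension_candidates(memberships):
    """Workaround (1): memberships expiring before the extension target."""
    return [(vo, dn) for vo, dn, expires in memberships if expires < EXTENSION_TARGET]


if __name__ == "__main__":
    members = load_memberships(SAMPLE_EXPORT)
    expiring, expired = monthly_report(members, today=date(2012, 5, 1))
    for label, group in (("expiring within 30 days", expiring), ("already expired", expired)):
        for vo, users in group.items():
            for dn, expires in users:
                print(f"{vo}: {label}: {expires.isoformat()} {dn}")
```

Running the report at the start of each month with the current date gives the per-VO list to send to the VO managers.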
Whatever workaround is chosen, all VOMS server administrators are recommended to extend the grace period for signing the AUP for all VOs. The current default is 24 hours. Please extend it to 7 days. By doing so, users are allowed more time to sign the AUP (this is a necessary step to renew the membership).
Instructions: https://wiki.italiangrid.it/twiki/bin/view/VOMS/KnownIssues#VOMS_Admin_Sign_...
Please contact your NGI/EIRO for further assistance, or send a support request to GGUS (http://helpdesk.egi.eu/).
Apologies for the inconvenience caused.
Tiziana Ferrari - EGI Operations
[1] https://savannah.cern.ch/bugs/?93255
[2] https://documents.egi.eu/public/RetrieveFile?docid=79&version=6&file...
----------------------------------------------------------------
link to this broadcast : https://operations-portal.egi.eu/broadcast/archive/id/636
----------------------------------------------------------------