VO Configuration guide

Summary of steps for configuring new VOs in OpenStack

This page summarises the steps required to support a new VO in your OpenStack infrastructure.

Local project creation

The usual method of supporting a VO is by creating a local project for it. You should assign quotas to this project as agreed in the OLA defining the support for the given VO.

  1. Create a group to which users belonging to the VO will be mapped:

    $ group_id=$(openstack group create -f value -c id <new_group>)
    
  2. Add that group to the desired local project:

    $ openstack role add member --group $group_id --project <your project>
    
  3. Set the egi.VO property to the name of the VO that you are supporting:

    $ openstack project set --property egi.VO=<name of the VO> <your project>
    

Keystone Mapping

Extend your mapping.json with a rule that maps VO membership to the created group (substitute group_id and entitlement as appropriate). The expected mappings for the VOs are listed in vo-mappings.yaml of the fedcloud-catchall-operations repository:

[
    <existing mappings>,
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "email": "{1}"
                },
                "group": {
                    "id": "<group_id>"
                }
            }
        ],
        "remote": [
            {
                "type": "HTTP_OIDC_SUB"
            },
            {
                "type": "HTTP_OIDC_EMAIL"
            },
            {
                "type": "HTTP_OIDC_ISS",
                "any_one_of": [
                    "https://aai.egi.eu/auth/realms/egi"
                ]
            },
            {
                "type": "OIDC-eduperson_entitlement",
                "regex": true,
                "any_one_of": [
                    "^<entitlement>$"
                ]
            }
        ]
    }
]

And update the mapping in your Keystone IdP:

$ openstack mapping set --rules mapping.json egi-mapping

You can include as many mappings as needed in the JSON file. Users will be members of all the matching groups.
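
A pre-flight check for mapping.json before running `openstack mapping set`, as an added example that is not part of the original guide or of Keystone: it flags rules that lack the pinned issuer, lack an anchored entitlement regex, or still carry the `<group_id>` placeholder. The function names, the group id and the `urn:example` entitlement values are constructed for illustration.

```python
import json

# Issuer taken from the mapping shown on this page.
EXPECTED_ISSUER = "https://aai.egi.eu/auth/realms/egi"

def is_anchored(pattern):
    """True if the regex starts with ^ and ends with an unescaped $."""
    return pattern.startswith("^") and pattern.endswith("$") and not pattern.endswith("\\$")

def lint_mapping(rules):
    """Return (rule_index, problem) tuples for rules that map too broadly."""
    problems = []
    for i, rule in enumerate(rules):
        remote = {r.get("type"): r for r in rule.get("remote", [])}
        # Without a pinned issuer the rule does not check who asserted the entitlement.
        if remote.get("HTTP_OIDC_ISS", {}).get("any_one_of") != [EXPECTED_ISSUER]:
            problems.append((i, "issuer not pinned"))
        ent = remote.get("OIDC-eduperson_entitlement")
        if ent is None or not ent.get("any_one_of"):
            problems.append((i, "no entitlement condition"))
        elif ent.get("regex"):
            for pattern in ent["any_one_of"]:
                if not is_anchored(pattern):
                    problems.append((i, "unanchored regex: " + pattern))
        # A leftover <group_id> placeholder means the rule maps to no real group.
        for local in rule.get("local", []):
            gid = local.get("group", {}).get("id", "")
            if "group" in local and (not gid or gid.startswith("<")):
                problems.append((i, "group id missing or placeholder"))
    return problems

# Constructed sample: rule 0 follows the page's template, rule 1 does not.
SAMPLE = json.loads(r"""
[
 {"local": [{"user": {"name": "{0}", "email": "{1}"}, "group": {"id": "0123abcd"}}],
  "remote": [{"type": "HTTP_OIDC_SUB"}, {"type": "HTTP_OIDC_EMAIL"},
   {"type": "HTTP_OIDC_ISS", "any_one_of": ["https://aai.egi.eu/auth/realms/egi"]},
   {"type": "OIDC-eduperson_entitlement", "regex": true,
    "any_one_of": ["^urn:example:group:vo\\.example\\.org$"]}]},
 {"local": [{"user": {"name": "{0}"}, "group": {"id": "<group_id>"}}],
  "remote": [{"type": "HTTP_OIDC_SUB"},
   {"type": "OIDC-eduperson_entitlement", "regex": true,
    "any_one_of": ["urn:example:group:vo.example.org"]}]}
]
""")

if __name__ == "__main__":
    for index, problem in lint_mapping(SAMPLE):
        print(f"rule {index}: {problem}")
```

To check a real file, pass `json.load(open("mapping.json"))` to `lint_mapping` and apply the mapping only when the returned list is empty.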

Accounting

Add the project supporting the VO to cASO:

  1. In the projects field of /etc/caso/caso.conf:

    projects = vo_project1, vo_project2, <your_new_vo_project>
    
  2. and as a new mapping in /etc/caso/voms.json:

    {
      "<your new vo>": {
        "projects": ["<your new vo project>"]
      }
    }
    

Be sure to include the user running cASO at least as reader of the project if it does not have admin privileges:

$ openstack role add --user <your caso user> --project <your new vo project> reader

Information system / VM Image management

If you have correctly set the egi.VO property on your projects, the configuration will be automatically retrieved by the catch-all components.

Last modified March 14, 2024 by Enol Fernández : Fine tune the role for cASO (#642)