PHP VOMS-Admin (PVA) has been created as a lightweight solution for virtual organization (VO) membership management.
Early releases implement the same operations as the Java-based VOMS-Admin v.2.0.18 for Apache Tomcat, but are designed to be more flexible and stable, to provide good scalability and to consume fewer resources. PVA works on any web-server with SSL and PHP.
Support for a MySQL database backend with a backward-compatible database schema allows PVA to co-operate with the original credential signing daemon (vomsd) and provides easy migration from the Java-based solution. In contrast to Java VOMS-Admin, PVA has far fewer dependencies, which are found in any UNIX-like operating system.
In further PVA development, new functions have been implemented. Major highlights are interface enhancements, database transaction handling and multi-master replication.
PVA is able to scale to serve hundreds of VOs on a single server and is used in production in the Ukrainian National Grid infrastructure.
PVA is successfully deployed in the production infrastructure of UNG. A single instance of PVA hosted by Taras Shevchenko National University of Kyiv (http://grid.org.ua/voms/) handles all Ukrainian VOs. Several VOs use application-level transaction replication with their own PVA servers.
The PVA distribution includes files for DEB and RPM packaging, providing the easiest way to install it on the most popular Linux distributions. Tickets are pending for PVA inclusion into Fedora repositories.
Low resource usage and minimal dependencies, which are available as standard packages on most systems, allow PVA to be integrated into a VO web-site without installing a separate web server.
PVA is user-friendly and does not require any other specialized components either for installation or configuration, just a single clear configuration file.
Deployment of PVA in the UNG infrastructure led to the emergence of new VOs and simplified the process of integrating VOs into the infrastructure. Currently there are 12 national-level VOs in the UNG.
More information about PHP VOMS-Admin can be found on the project web-site: http://grid.org.ua/development/pva
Description of the work
Java-based VOMS-Admin instances run as a separate web-application for each new VO, consuming more and more server resources with every new VO being served.
This limits the number of VOs that a server is able to serve, and when memory runs out the server becomes unstable, which impacts the operation of all VOs.
Consolidated serving of many VOs on a single server in the Ukrainian National Grid (UNG) infrastructure was required due to the absence of specialized dedicated resources for VOMSes in VOs. That was the main PVA design goal. PVA uses a single instance of code with a different database config for each VO, so it is able to serve more and more VOs without a significant increase in resource usage, thus providing great scalability.
Major interface enhancements in the latest version include support for a multilingual user interface (English and Ukrainian translations are available), the ability for a user to leave a VO, an option to contact the VOMS server administrator and automation of new VO deployment.
Backend improvements include changing VO preferences information (e.g. description, home page and rules of usage URLs) and implementation of a transactional model: database change sets are handled in single transactions, which can additionally be logged. Transaction logging applies only to write operations made through the user interface and does not impact the performance of grid software SOAP queries.
The replication mechanism synchronizes and merges transactions made on different servers. It works on the application layer and does not require administrator access to the PVA hosting machines. Replication agreement configuration is available through the PVA web-interface on a per-VO basis, on demand of the VO administrator.
An investigation of server response time on the getGridmapUsers request for PVA vs. Java VOMS-Admin showed that PVA is more stable and about ten times faster, especially on concurrent connections.
PHP VOMS Admin has been created to provide a web-based interface to control virtual organization membership that is able to consolidate dozens of VOs on a single server with minimal dependency and resource requirements and easy scalability.
- relies on standard tools only, which are available on most systems;
- works on any web-server and any operating system with PHP support;
- is fully compatible with the database schema of the standard credential signing daemon (vomsd);
- enhances the functions of the user interface in contrast to the Java-based solution;
- automates the process of adding a new VO to the server;
- uses transactional function calls;
- supports per-VO multi-master replication;
- provides easy installation via RPM or DEB packages.
PVA is a user-friendly and reliable solution for VO administration.