Hi,
Sorry, for creating so much fuss. We just wanted to run CMS production test assignments on our CE for validation purposes. But our CE remains flooded with jobs submitted by several VOs. We were not getting enough time to re-run failed jobs due to long waiting queues.
It's strange that non of the cms-production jobs were landing on our site. So, to get speedy runs, we wanted to restrict our CE for VO=cms or restricted by DN.
Thanks for a lot of usefull comments, but mind it, it will be a requirement for our McRunjob test team all the time for every new release and there should be some safe way of imposing these restrictions.
Cheers,
Asif Osman
-----Original Message-----
From: LHC Computer Grid - Rollout on behalf of Rod Walker
Sent: Sun 5/15/2005 6:04 PM
To: [log in to unmask]
Cc:
Subject: Re: [LCG-ROLLOUT] How to restrict the CE
Stephen,
> Is it still supported that the accesscontrolbaserule can be a list of
> DNs rather than a VO name? I think it would be worth keeping that as an
> option. You could also think about defining a local VO.
I can confirm that this still works. lcgce02.triumf.ca accepts no VO's but
publishes a list of accepted DN's. These are selected dteam users for
SFT and the subset of the Atlas VO running the production. The RB deals
with this. It does cause problems for dteam and in particular cic members
though, and I suppose accepting all of the dteam VO should be a requirement.
Cheers,
Rod.
On Sun, 15 May 2005, Burke, S (Stephen) wrote:
> LHC Computer Grid - Rollout
> > [mailto:[log in to unmask]] On Behalf Of
> > Maarten Litmaath, CERN said:
> > On Sat, 14 May 2005, Jeff Templon wrote:
> > > 1) manually edit the grid-mapfile to include only the users
> > you like.
> > >
> > > 2) create your own "auth VO" and use that one instead of
> > the LCG one.
> >
> > NO! Both would cause other people's jobs to be still
> > directed to the site and subsequently unexpectedly fail!
>
> Is it still supported that the accesscontrolbaserule can be a list of
> DNs rather than a VO name? I think it would be worth keeping that as an
> option. You could also think about defining a local VO.
>
> However, I didn't suggest those because the original mail said "If
> site manajer wants to restrict the CE for the jobs of their own site" -
> I don't know if that's what was actually meant, but to me that's talking
> about *where* the jobs originate from rather than *who* they come from,
> and only an RB knows the "where".
>
> Stephen
>
>
--
Rod Walker +1 6042913051
|