Alexander Piavka wrote:
> Hi,
>
> At IL-BGU it looks like all sgm & prd, and probably other accounts
> with non-default VO roles, get permission denied, probably since they are
> mapped to another gid.
>
>
> select * from Cns_groupinfo;
> +-------+------+---------------------+
> | rowid | gid | groupname |
> +-------+------+---------------------+
> | 1 | 102 | dteam |
> | 2 | 103 | ops |
> | 3 | 104 | ops/Role=lcgadmin |
> | 4 | 105 | alice |
> | 5 | 106 | atlas |
> | 6 | 107 | biomed |
> | 7 | 108 | cms |
> | 8 | 109 | lhcb |
> | 9 | 110 | atlas/Role=lcgadmin |
> +-------+------+---------------------+
>
> For the command, run from the atlassgm001 account on a WN with a proxy I captured while an atlas SAM test job was running:
> [atlassgm001@wn01 ~]$ globus-url-copy file:/boot/vmlinuz-2.6.9-42.0.10.EL.cernsmp gsiftp://cs-grid2.bgu.ac.il/dpm/bgu.ac.il/home/atlas/kernel
> error: the server sent an error response: 553 553 /dpm/bgu.ac.il/home/atlas/kernel: Permission denied.
>
> the following info in dpns daemon log is logged:
> -------------------------------------------------------------------------------------
> 04/23 14:50:26 9860,0 Cns_srv_getidmap: NS092 - getidmap request by root (0,0) from cs-grid2.bgu.ac.il
> 04/23 14:50:26 9860,0 Cns_srv_getidmap: NS098 - getidmap /C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217 - Atlas
> 04/23 14:50:26 9860,0 Cns_srv_getidmap: returns 0
> 04/23 14:50:26 9860,0 Cns_srv_stat: NS092 - stat request by
> /C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217 - Atlas (113,110) from cs-grid2.bgu.ac.il
> 04/23 14:50:26 9860,0 Cns_srv_stat: NS098 - stat 0 /dpm/bgu.ac.il/home/atlas/kernel
> 04/23 14:50:26 9860,0 Cns_srv_stat: returns 2
> 04/23 14:50:26 9860,0 Cns_srv_getidmap: NS092 - getidmap request by
> /C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217 - Atlas (113,106) from cs-grid2.bgu.ac.il
> 04/23 14:50:26 9860,0 Cns_srv_getidmap: NS098 - getidmap
> /C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217 - Atlas
> 04/23 14:50:26 9860,0 Cns_srv_getidmap: returns 0
> 04/23 14:50:26 9860,0 Cns_srv_getgrpbygid: NS092 - getgrpbygid request by
> /C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217 - Atlas (113,106) from cs-grid2.bgu.ac.il
> 04/23 14:50:26 9860,0 Cns_srv_getgrpbygid: NS098 - getgrpbygid 110
> 04/23 14:50:26 9860,0 Cns_srv_getgrpbygid: returns 0
> 04/23 14:50:26 9860,0 Cns_srv_getgrpbygid: NS092 - getgrpbygid request by
> /C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217 - Atlas (113,110) from cs-grid2.bgu.ac.il
> 04/23 14:50:26 9860,0 Cns_srv_getgrpbygid: NS098 - getgrpbygid 110
> 04/23 14:50:26 9860,0 Cns_srv_getgrpbygid: returns 0
> 04/23 14:50:26 9860,0 Cns_srv_stat: NS092 - stat request by
> /C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217 - Atlas (113,110) from cs-grid2.bgu.ac.il
> 04/23 14:50:26 9860,0 Cns_srv_stat: NS098 - stat 0 /dpm/bgu.ac.il/home/atlas/kernel
> 04/23 14:50:26 9860,0 Cns_srv_stat: returns 2
> 04/23 14:50:26 9860,0 Cns_srv_creat: NS092 - creat request by
> /C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217 - Atlas (113,110) from cs-grid2.bgu.ac.il
> 04/23 14:50:26 9860,0 Cns_srv_creat: NS098 - creat /dpm/bgu.ac.il/home/atlas/kernel 664 0
> 04/23 14:50:26 9860,0 Cns_srv_creat: returns 13
> 04/23 14:50:27 9860,0 Cns_srv_getidmap: NS092 - getidmap request by
> /C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217 - Atlas (113,106) from cs-grid2.bgu.ac.il
> 04/23 14:50:27 9860,0 Cns_srv_getidmap: NS098 - getidmap /C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217 - Atlas
> 04/23 14:50:27 9860,0 Cns_srv_getidmap: returns 0
> -------------------------------------------------------------------------------------
>
> -------------------------------------------------------------------------------------
> $ dpns-ls -l /dpm/bgu.ac.il/home
> drwxrwxr-x 0 root 105 0 Apr 22 01:38 alice
> drwxrwxr-x 0 root 106 0 Apr 22 01:38 atlas
> drwxrwxr-x 0 root 107 0 Apr 22 01:38 biomed
> drwxrwxr-x 0 root 108 0 Apr 22 01:38 cms
> drwxrwxr-x 1 root 102 0 Apr 22 01:46 dteam
> drwxrwxr-x 0 root 109 0 Apr 22 01:38 lhcb
> drwxrwxr-x 1 root 103 0 Oct 06 2006 ops
> -------------------------------------------------------------------------------------
>
> Any ideas how this should be fixed?

On your DPM server as root run the attached script like this:

    sh dpns-fix-acl.txt alice atlas biomed cms dteam lhcb ops

With DPM version 1.6.4 one will no longer need to do that.

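#!/bin/sh
# Usage: sh dpns-fix-acl.txt VO [VO ...]   (run as root on the DPM server)
export DPNS_HOST=`hostname -f`
# Strip the host part, leaving the DNS domain used in /dpm/<domain>/home
domain=`echo "$DPNS_HOST" | sed 's/[^.]*\.//'`
date=`date +%Y-%m-%d`
# "for VO" with no list iterates over the command-line arguments
for VO
do
    # Add the role groups to the DPNS group mapping table
    dpns-entergrpmap --group "$VO/Role=production"
    dpns-entergrpmap --group "$VO/Role=lcgadmin"
    for dir in '' generated "generated/$date"
    do
        d=/dpm/$domain/home/$VO/$dir
        # Access ACL entries on the directory itself
        dpns-setacl -m "g:$VO/Role=lcgadmin:rwx,m:rwx" "$d"
        dpns-setacl -m "g:$VO/Role=production:rwx,m:rwx" "$d"
        # Default ACL entries, inherited by entries created below it
        dpns-setacl -m "d:g:$VO/Role=lcgadmin:rwx,d:m:rwx" "$d"
        dpns-setacl -m "d:g:$VO/Role=production:rwx,d:m:rwx" "$d"
    done
done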
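
In the quoted log, the creat request is mapped to (113,110), gid 110 is atlas/Role=lcgadmin in Cns_groupinfo, the atlas directory belongs to gid 106 with mode drwxrwxr-x, and creat returns 13 (EACCES). The script below is an added example, not part of the original thread or of DPM: it pulls such denied requests out of a DPNS log and resolves the mapped gid to its group name. The function name `denied_requests`, the `gid=name` map format, and the sample lines (placeholder DN and host) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the requests a DPNS log shows as
# denied with errno 13 (EACCES) and name the group each request was mapped to.

# gid=groupname pairs copied from the Cns_groupinfo listing in the thread.
GROUP_MAP='106=atlas 110=atlas/Role=lcgadmin'

# Constructed sample in the log format quoted in the thread (placeholder DN
# and host, wrapped lines rejoined).
SAMPLE_LOG='04/23 14:50:26 9860,0 Cns_srv_stat: NS092 - stat request by /C=XX/O=Example/CN=Test User (113,110) from se.example.org
04/23 14:50:26 9860,0 Cns_srv_stat: NS098 - stat 0 /dpm/example.org/home/atlas/kernel
04/23 14:50:26 9860,0 Cns_srv_stat: returns 2
04/23 14:50:26 9860,0 Cns_srv_creat: NS092 - creat request by /C=XX/O=Example/CN=Test User (113,110) from se.example.org
04/23 14:50:26 9860,0 Cns_srv_creat: NS098 - creat /dpm/example.org/home/atlas/kernel 664 0
04/23 14:50:26 9860,0 Cns_srv_creat: returns 13'

# denied_requests MAP < log : prints one line per request that returned 13.
denied_requests() {
    awk -v map="$1" '
    BEGIN {
        n = split(map, pair, " ")
        for (i = 1; i <= n; i++) {
            eq = index(pair[i], "=")      # group names may contain "=" too
            name[substr(pair[i], 1, eq - 1)] = substr(pair[i], eq + 1)
        }
    }
    # NS092 lines carry the identity the request was mapped to: (uid,gid)
    / NS092 / && match($0, /\([0-9]+,[0-9]+\) from /) {
        split(substr($0, RSTART + 1, RLENGTH - 8), id, ",")
        gid[$3] = id[2]; path[$3] = ""
    }
    # NS098 lines carry the arguments; keep the first absolute path
    / NS098 / {
        for (i = 7; i <= NF; i++) if ($i ~ /^\//) { path[$3] = $i; break }
    }
    # "returns 13" closes the request handled by thread $3
    $5 == "returns" && $6 == 13 && ($3 in gid) {
        op = $4; sub(/^Cns_srv_/, "", op); sub(/:$/, "", op)
        g = gid[$3]; gn = (g in name) ? name[g] : "unmapped"
        printf "%s gid=%s (%s) %s\n", op, g, gn, path[$3]
    }'
}

printf '%s\n' "$SAMPLE_LOG" | denied_requests "$GROUP_MAP"
```

A reported gid that differs from the group shown by `dpns-ls -l` on the target directory, as 110 versus 106 does here, points at a missing ACL entry for the role group.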