Antonio Delgado Peris wrote:
> So, just to be sure, the recommended configuration for dCache (or the
> one production sites are using) is that all roles are mapped to the same
> user, right?
> .ops and .opssgm both to ops001
> .cms, .cmssgm and .cmsprd all to cms001
Ever since dCache was introduced in the LCG release, YAIM has configured it
like that. Big dCache installations do _not_ use YAIM to make dcache.kpwd,
because they do want to map the DNs of production managers to accounts that
have write access to directories where the default account for the VO only
has read access (at most).
> And I understand this should be the same whether dcache.kpwd or
> grid-vorolemap is used for the mapping.
With the grid-vorolemap there are more possibilities, but at the moment
there is no YAIM function to configure it at all.
> So, there'll be no problems when accessing files within a VO (all users
> read/write everywhere), but also there's no way to implement any
> restrictions depending on roles, e.g. for special users. And, if I'm
> right, this is the way it has been up to now also.
>
> I wonder if dCache 1.8 will bring any changes on how this is handled...
The way YAIM sets up the dcache.kpwd file is a historical hack that allows
one to operate a dCache SE in a simple manner, with known limitations.
As new functionality like the grid-vorolemap becomes available, YAIM
should be adapted to start using it. A boundary condition would be that
the SAM tests should not fail because some DNs are mapped to ops001 while
others are mapped, say, to opssgm001. So, either we use the same account
at least for the "ops" VO, or we make the relevant directories writable
for both GIDs (corresponding to the "ops" and "opssgm" groups).
|