So, just to be sure, the recommended configuration for dCache (or the
one production sites are using) is that all roles are mapped to the same
user, right?
.ops and .opssgm both to ops001
.cms, .cmssgm and .cmsprd all to cms001
And I understand this should be the same whether dcache.kpwd or
grid-vorolemap is used for the mapping.
So, there'll be no problems when accessing files within a VO (all users
read/write everywhere), but also there's no way to implement any
restrictions depending on roles, e.g. for special users. And, if I'm
right, this is the way it has been up to now also.
I wonder if dCache 1.8 will bring any changes on how this is handled...
Thanks,
Antonio.
Maarten Litmaath wrote:
> Yevgeniy Lyublev wrote:
>
>>> [...]
>>>
>>> Before we released the current version of YAIM, the dcache.kpwd file by
>>> default mapped every DN to the first pool account of the
>>> corresponding VO:
>>>
>>> ops001 used for: .ops opssgm
>>>
>>> With the current YAIM the dcache.kpwd ended up like this:
>>>
>>> ops001 used for: .ops
>>> opssgm001 used for: .opssgm
>>>
>>> I think the problem is due to
>>> /opt/d-cache/bin/grid-mapfile2dcache-kpwd.
>>> I have attached a new version that produces the following result:
>>>
>>> ops001 used for: .ops .opssgm
>>>
>>> Please undo the change you put in /etc/passwd and run the new script.
>>> If it works, you can already replace the old script with the new
>>> version,
>>> which I will submit as a patch for the release.
>>> Thanks,
>>> Maarten
>>>
>>
>> Alas, Maarten,
>>
>> it did not help.
>> $ cp grid-mapfile2dcache-kpwd.txt /opt/d-cache/bin/grid-mapfile2dcache-kpwd
>> $ /opt/d-cache/bin/grid-mapfile2dcache-kpwd
>> $ groups opssgm001
>> opssgm001 : opssgm ops
>
> Yes, that is correct. Look into /opt/d-cache/etc/dcache.kpwd:
> are all "ops" members now mapped to ops001?
>
> Note that the opssgm001 will not be used.