Andreas Haupt wrote:
> On Mon, 2007-07-02 at 20:13 +0200, EGEE BROADCAST wrote:
>
>>If some VO should use pool accounts for sgm, prd or both at your site, please beware of
>>the following limitation for the LCG-CE:
>>
>> the sgm/prd prefix must NOT be an extension
>> of the generic prefix for the VO
>>
>>Otherwise the sgm/prd accounts can also be taken by ordinary users.
>>
>>For example, if the generic prefix is "alice", the sgm prefix must NOT be "alicesgm".
>>Instead it could be "alisgm" or "sgmalice" or ...
>
>
> What does this actually mean? Where do the problems appear? We have been
> (and are!) using e.g. atlassgm as SGM account for atlas for a very long
> time - without any problems (apart from the crude introduction of pool
> accounts for special groups/roles that broke our complete authentication
> system temporarily).
>
> Do I need to change everything now, i.e. give all files in Atlas' software
> area a new owner, deploy new users.conf / passwd files, etc.?

Hi Andreas,

the _static_ accounts like "atlassgm" are OK.

If you decide to start using sgm/prd _pool_ accounts for some of your VOs,
the _prefix_ of those new accounts must not be an extension of the prefix
used for ordinary pool accounts in that VO.

The problem is described in this old, low-priority bug that was overlooked
when the sgm/prd pool account functionality was tested on the certification
testbeds:

https://savannah.cern.ch/bugs/?18906

Thanks to Valentin Vidic for reminding us! Unfortunately, in certification
everything worked fine, because the sgm/prd accounts got created after all
the normal pool accounts, and since there was a sufficient number of normal
accounts, the pool account mapping never "overflowed" into the accounts for
sgm/prd users...
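
The overflow described in this thread can be reproduced with a small model. This is an added example, not part of the original messages and not LCG-CE code. It assumes a pool lease takes the first free account whose name starts with the pool prefix, in creation order. All function names and account counts are hypothetical.

```python
# Simplified model (assumption): a pool lease hands out the first free
# account whose name starts with the pool prefix, in creation order.

def lease(accounts, leased, prefix):
    """Return the first free account matching prefix, or None if exhausted."""
    for name in accounts:
        if name.startswith(prefix) and name not in leased:
            leased.add(name)
            return name
    return None

def conflicting_prefixes(generic, special):
    """Return the sgm/prd prefixes that are extensions of the generic prefix."""
    return [p for p in special if p != generic and p.startswith(generic)]

def simulate(generic, sgm, n_normal, n_sgm, n_users):
    """Map n_users ordinary users; return the sgm accounts they ended up on."""
    accounts = [f"{generic}{i:03d}" for i in range(1, n_normal + 1)]
    # sgm accounts are created after the normal ones, as on the testbeds
    accounts += [f"{sgm}{i:02d}" for i in range(1, n_sgm + 1)]
    leased = set()
    got = [lease(accounts, leased, generic) for _ in range(n_users)]
    return [a for a in got if a is not None and a.startswith(sgm)]

if __name__ == "__main__":
    # Constructed sample: 3 normal and 2 sgm pool accounts for VO "alice".
    print("conflicts:", conflicting_prefixes("alice", ["alicesgm", "alisgm", "sgmalice"]))
    # Enough normal accounts: nothing overflows, so the problem stays hidden.
    print("3 users, alicesgm:", simulate("alice", "alicesgm", 3, 2, 3))
    # One user too many: an ordinary user is mapped to an sgm account.
    print("4 users, alicesgm:", simulate("alice", "alicesgm", 3, 2, 4))
    # Non-overlapping prefix: the pool is exhausted instead of overflowing.
    print("5 users, alisgm:  ", simulate("alice", "alisgm", 3, 2, 5))
```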