On Tue, Jul 03, 2007 at 10:59:21AM +0200, Maarten Litmaath wrote:
> Andreas Haupt wrote:
>
> >On Mon, 2007-07-02 at 20:13 +0200, EGEE BROADCAST wrote:
> >
> >>If some VO should use pool accounts for sgm, prd or both at your site,
> >>please beware of
> >>the following limitation for the LCG-CE:
> >>
> >> the sgm/prd prefix must NOT be an extension
> >> of the generic prefix for the VO
> >>
> >>Otherwise the sgm/prd accounts can also be taken by ordinary users.
> >>
> >>For example, if the generic prefix is "alice", the sgm prefix must NOT be
> >>"alicesgm".
> >>Instead it could be "alisgm" or "sgmalice" or ...
> >
> >
> >What does this actually mean? Where do the problems appear? We have been
> >(and are!) using e.g. atlassgm as SGM account for atlas for a very long
> >time - without any problems (apart from the crude introduction of pool
> >accounts for special groups/roles that broke our complete authentication
> >system temporary).
> >
> >Do I need to change everything now i.e give all files in Atlas' software
> >area a new owner, deploy new users.conf / passwd files, etc.?
>
> Hi Andreas,
> the _static_ accounts like "atlassgm" are OK.
>
> If you decide to start using sgm/prd _pool_ accounts for some of your VOs,
> the _prefix_ of those new accounts must not be an extension of the prefix
> used for ordinary pool accounts in that VO.
This matter had been discussed in the (distant) past in lcg-rollout and
in the SEE mailing list (egee-sa1-tech), but we thought that it had been
resolved in the meantime.
Anyway, does this affect only the lcg-CE as you mentioned in the
broadcasted message? What about other nodes that use lcmaps, like the
gLite-CE and the classic SE?
|