Santanu,
the gridmapdir is only used for pool accounts. Please, check the
following (old) documentation:
http://www.gridsite.org/gridmapdir/
In general the file /opt/glite/etc/lcmaps/lcmaps.db and the file
/opt/edg/etc/lcmaps/lcmaps.db tell you what files and directories are
used for coming up with a mapping (proxy -> local UID/GID). These files
are normally generated by YAIM.
LCMAPS is a framework that can load and run one or more 'credential
mapping' plugins. The LCMAPS framework consists of the following
components:
* the /plugin manager/, which is responsible for managing, loading
and running the LCMAPS plugins.
* the /evaluation manager/, which is responsible for the order in
which the LCMAPS plugins are called.
You can find a nice description of LCMAPS here:
http://www.nikhef.nl/grid/lcaslcmaps/
http://www.dutchgrid.nl/DataGrid/wp4/lcmaps/edg-lcmaps_gcc3_2_2-0.0.23/node1.html
For a documentation of the plugins used, please refer to this URL:
http://www.nikhef.nl/grid/lcaslcmaps/lcmaps_apidoc/html/
The files that are generally used to define the voms mappings are:
/opt/edg/etc/lcmaps/gridmapfile
/opt/edg/etc/lcmaps/groupmapfile
The /etc/grid-security/grid-mapfile is used for simple DN mapping.
I therefore recommend you look at your configuration.
Hope this helps.
Flavia
Santanu Das wrote:
> Dear all,
>
> As the title says, can anyone please explain how does this work? I'm
> confused with the relation between voms role, grid-mapfile and the
> gridmapdir.
>
> As an example, I'm "dteamprd" in the grid-mapfile:
>
> [root@serv03 root]# egrep "santanu|Santanu"
> /etc/grid-security/grid-mapfile
> "/C=UK/O=eScience/OU=Cambridge/L=UCS/CN=santanu das" dteamprd
>
>
> But, I'm atlas148 and dteam062 according to the "gridmapdir" mapping:
>
> [root@serv03 root]# for iz in `ls -il
> /etc/grid-security/gridmapdir/*santanu* | awk '{print $1}'`; do ls
> -il /etc/grid-security/gridmapdir | grep ${iz}; done
> 14385754 -rw-r--r-- 1 root root 0 Feb 1 10:36
> %2fc%3duk%2fo%3descience%2fou%3dcambridge%2fl%3ducs%2fcn%3dsantanu%20das
> 14386591 -rw-r--r-- 2 root root 0 May 9 11:37
> %2fc%3duk%2fo%3descience%2fou%3dcambridge%2fl%3ducs%2fcn%3dsantanu%20das%3aatlas
>
> 14386591 -rw-r--r-- 2 root root 0 May 9 11:37 atlas148
> 14386123 -rw-r--r-- 2 root root 0 Jun 18 14:21
> %2fc%3duk%2fo%3descience%2fou%3dcambridge%2fl%3ducs%2fcn%3dsantanu%20das%3adteam
>
> 14386123 -rw-r--r-- 2 root root 0 Jun 18 14:21 dteam062
>
>
> When I submit jobs, I always mapped to "atlas148" when I use
> "voms-proxy-init -voms atlas" to create the proxy and to dteam062
> using my dteam certificate. So, doesn't it mean that grid-mapfile is
> completely ignored when user comes with a voms proxy.
>
> Now, if the proxy is created with the specific role, like this:
>
> voms-proxy-init -voms dteam:/dteam/Role=production
>
> I authorized and ran job as dteamprd but the local mapping in the
> gridmapdir still points to dteam062, which seem to make "use of
> gridmapdir" completely useless.
> Can anyone please explain this to me please? Having another look
> afterwards , I found that I'm not alone here; the grid-mapfile and
> gridmapdir entries are different for several other people as well.
>
> I've cc'd this to Jens, as I was talking to him regarding this
> yesterday, in case he is curious.
>
> Cheers,
> Santanu
|