Durham doesn't have ATLASLOCALGROUPDISK, but in checking it did
highlight that our SpaceToken publishing wasn't working since running
yaim last week! I've fixed it and will be adding monitoring (probably
to nagios) for this tomorrow as this is the second time this has hit us.
We have spare disk space, with more soon to deploy. Would the space
token be useful at Durham and do you want me to create it?
Thanks,
Phil
---
Phil Roffe - [log in to unmask]
IPPP, Department of Physics, Durham University,
Science Laboratories, South Road, Durham, DH1 3LE
Direct Dial: +44 (0)191 3343704
Office: +44 (0)191 334 3811
Graeme Stewart wrote:
> Hi All
>
> A permissions problem has come to light on the ATLASLOCALGROUPDISK
> areas at DPM Tier-2s. These have been setup as belonging to, and owned
> by, the "atlas/uk" VOMS role. However, as datasets can be subscribed
> to this area, an ACL has been set so that "atlas/Role=production"
> could always write into this area (all subscriptions are done with the
> production role).
>
> However, this leads to a problem because when directories are created
> with the production role they now belong to the atlas/Role=production
> group and so users, who are in atlas/uk, can no longer write here.
>
> For this reason we need sites to set ACLs on this namespace area to
> ensure that, in addition to Role=production, the atlas/uk group also
> always has group write permission. In practice this means setting the
> ACLs "d:g:atlas/uk:7" and "g:atlas/uk:7" on every sub-directory of
> /dpm/YOUR_DOMAIN_HERE/home/atlas/atlaslocalgroupdisk.
>
> This is rather tedious to do by hand, so I put a script here:
>
> http://www.physics.gla.ac.uk/~graeme/atlas/scripts/atlas-uk-local-dpm-token-fix.sh
>
> This needs to be run at all ATLAS T2 sites who have the
> ATLASLOCALGROUPDISK space token for UK users. I think this means:
>
> UKI-SCOTGRID-GLASGOW (done)
> UKI-SOUTHGRID-CAM-HEP
> UKI-NORTHGRID-LIV-HEP
> UKI-SOUTHGRID-BHAM-HEP
> UKI-LT2-RHUL
> UKI-NORTHGRID-SHEF-HEP
> UKI-NORTHGRID-LANCS-HEP
>
> Sites which still need to setup this token should obviously create it
> with the correct ACLs.
>
> Thanks
>
> Graeme
>
>
|