Hi All
A permissions problem has come to light on the ATLASLOCALGROUPDISK
areas at DPM Tier-2s. These have been set up as belonging to, and owned
by, the "atlas/uk" VOMS role. However, as datasets can be subscribed
to this area, an ACL has been set so that "atlas/Role=production"
could always write into this area (all subscriptions are done with the
production role).
However, this leads to a problem because when directories are created
with the production role they now belong to the atlas/Role=production
group and so users, who are in atlas/uk, can no longer write here.
For this reason we need sites to set ACLs on this namespace area to
ensure that, in addition to Role=production, the atlas/uk group also
always has group write permission. In practice this means setting the
ACLs "d:g:atlas/uk:7" and "g:atlas/uk:7" on every sub-directory of
/dpm/YOUR_DOMAIN_HERE/home/atlas/atlaslocalgroupdisk.
This is rather tedious to do by hand, so I put a script here:
http://www.physics.gla.ac.uk/~graeme/atlas/scripts/atlas-uk-local-dpm-token-fix.sh
This needs to be run at all ATLAS T2 sites who have the
ATLASLOCALGROUPDISK space token for UK users. I think this means:
UKI-SCOTGRID-GLASGOW (done)
UKI-SOUTHGRID-CAM-HEP
UKI-NORTHGRID-LIV-HEP
UKI-SOUTHGRID-BHAM-HEP
UKI-LT2-RHUL
UKI-NORTHGRID-SHEF-HEP
UKI-NORTHGRID-LANCS-HEP
Sites which still need to set up this token should obviously create it
with the correct ACLs.
Thanks
Graeme
--
Dr Graeme Stewart http://www.physics.gla.ac.uk/~graeme/
Department of Physics and Astronomy, University of Glasgow, Scotland
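
An added example, not part of the original message and not the linked script: a dry-run audit that reads a getfacl-style ACL listing for one directory and prints the dpns-setacl command that would add whichever of the two atlas/uk entries named above is missing. The listing layout (as printed by dpns-getacl) and the sample listing itself are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ACL listing for the two atlas/uk entries.
GROUP="atlas/uk"

# Constructed listing (assumed dpns-getacl layout) of a sub-directory that was
# created with the production role, so atlas/uk has no entry at all.
sample_broken() {
cat <<'EOF'
# file: /dpm/YOUR_DOMAIN_HERE/home/atlas/atlaslocalgroupdisk/constructed_dir
# group: atlas/Role=production
user::rwx
group::rwx                        #effective:rwx
group:atlas/Role=production:rwx   #effective:rwx
mask::rwx
other::r-x
default:group:atlas/Role=production:rwx
default:mask::rwx
EOF
}

# The same constructed listing after both entries have been applied.
sample_fixed() {
    sample_broken
    printf '%s\n' "group:$GROUP:rwx" "default:group:$GROUP:rwx"
}

# Read one listing on stdin; print the missing entries in setacl syntax.
missing_acls() {
    awk -v grp="$GROUP" '
        { sub(/[ \t]*#.*/, "") }   # drop "# file:" and "#effective:" comments
        $0 == "group:" grp ":rwx"         { have_access = 1 }
        $0 == "default:group:" grp ":rwx" { have_default = 1 }
        END {
            out = ""
            if (!have_access)  out = "g:" grp ":7"
            if (!have_default) out = out (out == "" ? "" : ",") "d:g:" grp ":7"
            print out
        }'
}

# Print (never run) the repair command for directory $1, listing on stdin.
# Prints nothing when both entries are already present.
fix_command() {
    entries=$(missing_acls)
    [ -z "$entries" ] || printf 'dpns-setacl -m %s %s\n' "$entries" "$1"
}

sample_broken | fix_command "/dpm/YOUR_DOMAIN_HERE/home/atlas/atlaslocalgroupdisk/constructed_dir"
```

The check only looks for the named entries; an ACL mask lower than rwx on the directory would still limit the effective group permission.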