Hi...
I've been trying to help a site admin to set up some correct mappings
for several groups VO. However, this doesn't seem possible. Basically,
the site admins started with:
1) groups.conf:
"/VO=vo.up.pt/GROUP=/vo.up.pt":uporto:10000::
"/VO=vo.up.pt/GROUP=/vo.up.pt/feup":uportofe:10001::
"/VO=vo.up.pt/GROUP=/vo.up.pt/fcup":uportofc:10002::
"/VO=vo.up.pt/GROUP=/vo.up.pt/training":uportotr:10003::
"/VO=vo.up.pt/GROUP=/vo.up.pt/ROLE=VO-Admin":uportosgm:10020:sgm:
"/VO=vo.up.pt/GROUP=/vo.up.pt/ROLE=production":uportoprd:10019:prd:
2) users.conf:
10001:uporto001:10000:uporto:vo.up.pt:uprt:
10002:uporto002:10000:uporto:vo.up.pt:uprt:
(...)
10051:uportofe001:10001:uportofe:vo.up.pt:upfe:
10052:uportofe002:10001:uportofe:vo.up.pt:upfe:
(...)
10151:uportotr001:10003:uportotr:vo.up.pt:uptr:
10152:uportotr002:10003:uportotr:vo.up.pt:uptr:
(...)
10999:uportosgm:10020:uportosgm:vo.up.pt:sgm:
10998:uportoprd:10019:uportoprd:vo.up.pt:prd:
which seems to be a completely coherent configuration according to the
docs. However, after running yaim to configure the node, they would end
with a /etc/grid-security/voms-grid.mapfile as:
"/vo.up.pt/Role=NULL/Capability=NULL" .uportotr
"/vo.up.pt" .uportotr
"/vo.up.pt/feup/Role=NULL/Capability=NULL" .uportoftr
"/vo.up.pt/feup" .uportotr
"/vo.up.pt/fcup/Role=NULL/Capability=NULL" .uportotr
"/vo.up.pt/fcup" .uportotr
"/vo.up.pt/training/Role=NULL/Capability=NULL" .uportotr
"/vo.up.pt/training" .uportotr
"/vo.up.pt/Role=VO-Admin/Capability=NULL" uportosgm
"/vo.up.pt/Role=VO-Admin" uportosgm
"/vo.up.pt/Role=production/Capability=NULL" uportoprd
"/vo.up.pt/Role=production" uportoprd
It seems the guilty function is config_vomsmap which is not able to
recognize the different groups and just picks the last one (uportotr).
To get things working (without touching config_vomsmap) as the site
admins wish, I had to define flags, clean the entries in
/etc/grid-security/gridmapdir/*uporto* and reconfigure:
3) groups.conf:
"/VO=vo.up.pt/GROUP=/vo.up.pt":uporto:10000:uprt:
"/VO=vo.up.pt/GROUP=/vo.up.pt/feup":uportofe:10001:upfe:
"/VO=vo.up.pt/GROUP=/vo.up.pt/fcup":uportofc:10002:upfc:
"/VO=vo.up.pt/GROUP=/vo.up.pt/training":uportotr:10003:uptr:
"/VO=vo.up.pt/GROUP=/vo.up.pt/ROLE=VO-Admin":uportosgm:10020:sgm:
"/VO=vo.up.pt/GROUP=/vo.up.pt/ROLE=production":uportoprd:10019:prd:
4) users.conf:
10001:uporto001:10000,-:uporto,-:vo.up.pt:uprt:
10002:uporto002:10000,-:uporto,-:vo.up.pt:uprt:
(...)
10051:uportofe001:10001,-:uportofe,-:vo.up.pt:upfe:
10052:uportofe002:10001,-:uportofe,-:vo.up.pt:upfe:
(...)
10151:uportotr001:10003,-:uportotr,-:vo.up.pt:uptr:
10152:uportotr002:10003,-:uportotr,-:vo.up.pt:uptr:
(...)
10999:uportosgm:10020,-:uportosgm,-:vo.up.pt:sgm:
10998:uportoprd:10019,-:uportoprd,-:vo.up.pt:prd:
After that the /etc/grid-security/voms-grid.mapfile was correctly produced:
"/vo.up.pt/Role=NULL/Capability=NULL" .uporto
"/vo.up.pt" .uporto
"/vo.up.pt/feup/Role=NULL/Capability=NULL" .uportofe
"/vo.up.pt/feup" .uportofe
"/vo.up.pt/fcup/Role=NULL/Capability=NULL" .uportofc
"/vo.up.pt/fcup" .uportofc
"/vo.up.pt/training/Role=NULL/Capability=NULL" .uportotr
"/vo.up.pt/training" .uportotr
"/vo.up.pt/Role=VO-Admin/Capability=NULL" uportosgm
"/vo.up.pt/Role=VO-Admin" uportosgm
"/vo.up.pt/Role=production/Capability=NULL" uportoprd
"/vo.up.pt/Role=production" uportoprd
My final conclusion is that yaim doesn't correctly support VOMS groups.
Am I wrong? Should I open a bug?
Cheers
Gonçalo
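
A consistency check for the mismatch described in the message above, as an added example that is not part of the original post and is not yaim code. It assumes, as in the mapfile the post calls correct, that each FQAN should map to the group name given in groups.conf (with the pool-account dot stripped); the function names are hypothetical.

```python
import re

# Constructed sample input: groups.conf from the post, plus an abridged copy of
# the first (wrong) voms-grid.mapfile quoted there.
GROUPS_CONF = '''\
"/VO=vo.up.pt/GROUP=/vo.up.pt":uporto:10000::
"/VO=vo.up.pt/GROUP=/vo.up.pt/feup":uportofe:10001::
"/VO=vo.up.pt/GROUP=/vo.up.pt/fcup":uportofc:10002::
"/VO=vo.up.pt/GROUP=/vo.up.pt/training":uportotr:10003::
"/VO=vo.up.pt/GROUP=/vo.up.pt/ROLE=VO-Admin":uportosgm:10020:sgm:
"/VO=vo.up.pt/GROUP=/vo.up.pt/ROLE=production":uportoprd:10019:prd:
'''
BAD_MAPFILE = '''\
"/vo.up.pt/Role=NULL/Capability=NULL" .uportotr
"/vo.up.pt/feup" .uportotr
"/vo.up.pt/fcup" .uportotr
"/vo.up.pt/training" .uportotr
"/vo.up.pt/Role=VO-Admin/Capability=NULL" uportosgm
'''

def expected_from_groups(text):
    """Map each FQAN, in mapfile spelling, to the group named in groups.conf."""
    expected = {}
    for line in text.splitlines():
        m = re.match(r'"/VO=[^/]+/GROUP=([^"]+)":([^:]+):', line)
        if m:
            expected[m.group(1).replace("/ROLE=", "/Role=")] = m.group(2)
    return expected

def normalise(fqan):
    """Drop the NULL role/capability suffixes so both mapfile spellings compare equal."""
    return fqan.replace("/Capability=NULL", "").replace("/Role=NULL", "")

def audit_mapfile(groups_text, mapfile_text):
    """Return (fqan, expected, actual) for every mapfile line that disagrees."""
    expected = expected_from_groups(groups_text)
    findings = []
    for line in mapfile_text.splitlines():
        m = re.match(r'"([^"]+)"\s+(\S+)', line)
        if not m:
            continue
        fqan, account = normalise(m.group(1)), m.group(2).lstrip(".")
        want = expected.get(fqan)  # None means the FQAN is not in groups.conf
        if want != account:
            findings.append((fqan, want, account))
    return findings

if __name__ == "__main__":
    for fqan, want, got in audit_mapfile(GROUPS_CONF, BAD_MAPFILE):
        print(f"{fqan}: mapfile gives {got!r}, groups.conf says {want!r}")
```

Run against the generated /etc/grid-security/voms-grid.mapfile after each reconfiguration, an empty result means every group and role lands on the account set the site intended.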