Hi Gonçalo,
> I've been trying to help a site admin to set up some correct mappings
> for several VO groups. However, this doesn't seem possible. Basically,
> the site admins started with:
>
> 1) groups.conf:
>
> "/VO=vo.up.pt/GROUP=/vo.up.pt":uporto:10000::
> "/VO=vo.up.pt/GROUP=/vo.up.pt/feup":uportofe:10001::
> "/VO=vo.up.pt/GROUP=/vo.up.pt/fcup":uportofc:10002::
> "/VO=vo.up.pt/GROUP=/vo.up.pt/training":uportotr:10003::
Note that all of the above are mapped to the common pool accounts,
since the flag field is empty! This is a valid use case. See below.
> "/VO=vo.up.pt/GROUP=/vo.up.pt/ROLE=VO-Admin":uportosgm:10020:sgm:
> "/VO=vo.up.pt/GROUP=/vo.up.pt/ROLE=production":uportoprd:10019:prd:
>
> 2) users.conf:
>
> 10001:uporto001:10000:uporto:vo.up.pt:uprt:
> 10002:uporto002:10000:uporto:vo.up.pt:uprt:
> (...)
> 10051:uportofe001:10001:uportofe:vo.up.pt:upfe:
> 10052:uportofe002:10001:uportofe:vo.up.pt:upfe:
> (...)
> 10151:uportotr001:10003:uportotr:vo.up.pt:uptr:
> 10152:uportotr002:10003:uportotr:vo.up.pt:uptr:
> (...)
> 10999:uportosgm:10020:uportosgm:vo.up.pt:sgm:
> 10998:uportoprd:10019:uportoprd:vo.up.pt:prd:
>
> which seems like a completely coherent configuration according to the
> docs. However, after running yaim to configure the node, they would end
> up with a /etc/grid-security/voms-grid.mapfile as:
>
> "/vo.up.pt/Role=NULL/Capability=NULL" .uportotr
> "/vo.up.pt" .uportotr
> "/vo.up.pt/feup/Role=NULL/Capability=NULL" .uportoftr
| ^
| typo?
> "/vo.up.pt/feup" .uportotr
> "/vo.up.pt/fcup/Role=NULL/Capability=NULL" .uportotr
> "/vo.up.pt/fcup" .uportotr
> "/vo.up.pt/training/Role=NULL/Capability=NULL" .uportotr
> "/vo.up.pt/training" .uportotr
> "/vo.up.pt/Role=VO-Admin/Capability=NULL" uportosgm
> "/vo.up.pt/Role=VO-Admin" uportosgm
> "/vo.up.pt/Role=production/Capability=NULL" uportoprd
> "/vo.up.pt/Role=production" uportoprd
>
> It seems the guilty function is config_vomsmap, which is not able to
> recognize the different groups and just picks the last one (uportotr).
No, the behavior is correct. As noted above, the 4 groups are all
mapped to ordinary pool accounts, because that is what was "asked"!
See below.
> To get things working (without touching config_vomsmap) as the site
> admins wish, I had to define flags, clean the entries in
> /etc/grid-security/gridmapdir/*uporto* and reconfigure:
>
> 3) groups.conf:
>
> "/VO=vo.up.pt/GROUP=/vo.up.pt":uporto:10000:uprt:
> "/VO=vo.up.pt/GROUP=/vo.up.pt/feup":uportofe:10001:upfe:
> "/VO=vo.up.pt/GROUP=/vo.up.pt/fcup":uportofc:10002:upfc:
> "/VO=vo.up.pt/GROUP=/vo.up.pt/training":uportotr:10003:uptr:
> "/VO=vo.up.pt/GROUP=/vo.up.pt/ROLE=VO-Admin":uportosgm:10020:sgm:
> "/VO=vo.up.pt/GROUP=/vo.up.pt/ROLE=production":uportoprd:10019:prd:
Exactly: to split the account mappings you have to use flags like that.
Note that you can remove the obsolete "/VO=.../GROUP=" prefixes:
"/vo.up.pt":uporto:10000:uprt:
"/vo.up.pt/feup":uportofe:10001:upfe:
"/vo.up.pt/fcup":uportofc:10002:upfc:
"/vo.up.pt/training":uportotr:10003:uptr:
"/vo.up.pt/ROLE=VO-Admin":uportosgm:10020:sgm:
"/vo.up.pt/ROLE=production":uportoprd:10019:prd:
You might simplify the first line, for the ordinary accounts:
"/vo.up.pt"::::
Then in users.conf the corresponding lines would also have an empty flag:
10001:uporto001:10000,-:uporto,-:vo.up.pt::
[...]
> 4) users.conf:
>
> 10001:uporto001:10000,-:uporto,-:vo.up.pt:uprt:
> 10002:uporto002:10000,-:uporto,-:vo.up.pt:uprt:
> (...)
> 10051:uportofe001:10001,-:uportofe,-:vo.up.pt:upfe:
> 10052:uportofe002:10001,-:uportofe,-:vo.up.pt:upfe:
> (...)
> 10151:uportotr001:10003,-:uportotr,-:vo.up.pt:uptr:
> 10152:uportotr002:10003,-:uportotr,-:vo.up.pt:uptr:
> (...)
> 10999:uportosgm:10020,-:uportosgm,-:vo.up.pt:sgm:
> 10998:uportoprd:10019,-:uportoprd,-:vo.up.pt:prd:
>
> After that the /etc/grid-security/voms-grid.mapfile was correctly produced:
>
> "/vo.up.pt/Role=NULL/Capability=NULL" .uporto
> "/vo.up.pt" .uporto
> "/vo.up.pt/feup/Role=NULL/Capability=NULL" .uportofe
> "/vo.up.pt/feup" .uportofe
> "/vo.up.pt/fcup/Role=NULL/Capability=NULL" .uportofc
> "/vo.up.pt/fcup" .uportofc
> "/vo.up.pt/training/Role=NULL/Capability=NULL" .uportotr
> "/vo.up.pt/training" .uportotr
> "/vo.up.pt/Role=VO-Admin/Capability=NULL" uportosgm
> "/vo.up.pt/Role=VO-Admin" uportosgm
> "/vo.up.pt/Role=production/Capability=NULL" uportoprd
> "/vo.up.pt/Role=production" uportoprd
>
> My final conclusion is that yaim doesn't correctly support VOMS groups.
> Am I wrong? Should I open a bug?
It works as documented here:
https://twiki.cern.ch/twiki/bin/view/LCG/YaimGuide400#Group_configuration_in_YAIM
https://twiki.cern.ch/twiki/bin/view/LCG/YaimGuide400#User_configuration_in_YAIM
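The join between the two files, as an added worked example (this is not
YAIM's config_vomsmap and not code from either message): a small Python
checker that matches each groups.conf entry to the users.conf accounts of
the same VO carrying the same flag, emits the two voms-grid.mapfile lines
per FQAN, and warns when several flagless groups land in one pool or when
a flag in groups.conf has no accounts behind it. The inputs are constructed
from this thread; the fcup accounts and their UIDs stand in for the "(...)"
and are made up. The model does not reproduce which pool YAIM picks when no
users.conf entry carries the group's flag (the .uportotr result above); it
reports that case as an inconsistency instead.

```python
"""Consistency check for a YAIM-style groups.conf / users.conf pair.

Added example, not YAIM's config_vomsmap: a simplified model of the
documented rule that a groups.conf entry is served by the users.conf
accounts of the same VO carrying the same flag, the empty flag
selecting the VO's ordinary pool accounts.
"""
import re
from collections import defaultdict

_OBSOLETE_PREFIX = re.compile(r"^/VO=[^/]+/GROUP=")


def parse_groups_conf(text):
    """Return [(fqan, flag)] from lines of the form "FQAN":GROUP:GID:FLAG:"""
    entries = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fqan, _group, _gid, flag = line.strip().split(":")[:4]
            entries.append((fqan.strip('"'), flag))
    return entries


def parse_users_conf(text):
    """Return {(vo, flag): [login, ...]} from lines
    UID:LOGIN:GID[,GID2]:GROUP[,GROUP2]:VO:FLAG:"""
    accounts = defaultdict(list)
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            _uid, login, _gids, _groups, vo, flag = line.strip().split(":")[:6]
            accounts[(vo, flag)].append(login)
    return accounts


def normalize_fqan(fqan):
    """Drop the obsolete /VO=<vo>/GROUP= prefix and write ROLE= as Role=."""
    return _OBSOLETE_PREFIX.sub("", fqan).replace("/ROLE=", "/Role=")


def map_target(logins):
    """Numbered accounts form a pool and map to ".<prefix>"; a single
    unnumbered account maps statically to itself (e.g. uportosgm)."""
    prefixes = {re.sub(r"\d+$", "", login) for login in logins}
    if len(prefixes) != 1:
        raise ValueError(f"mixed account prefixes: {sorted(logins)}")
    prefix = prefixes.pop()
    return prefix if logins == [prefix] else "." + prefix


def build_mapfile(groups_text, users_text):
    """Return (mapfile_lines, problems); problems name groups that resolve
    to no account and groups that silently share one pool."""
    accounts = parse_users_conf(users_text)
    lines, problems, sharing = [], [], defaultdict(list)
    for raw_fqan, flag in parse_groups_conf(groups_text):
        fqan = normalize_fqan(raw_fqan)
        vo = fqan.split("/")[1]
        logins = accounts.get((vo, flag))
        if not logins:
            problems.append(f"{fqan}: no users.conf entry for {vo} with flag {flag!r}")
            continue
        sharing[(vo, flag)].append(fqan)
        target = map_target(logins)
        # voms-grid.mapfile carries the fully qualified and the short form.
        qualifier = "/Capability=NULL" if "/Role=" in fqan else "/Role=NULL/Capability=NULL"
        lines += [f'"{fqan}{qualifier}" {target}', f'"{fqan}" {target}']
    for (vo, flag), fqans in sharing.items():
        if len(fqans) > 1:
            problems.append(f"{', '.join(fqans)} share one pool (flag {flag!r})")
    return lines, problems


# Constructed inputs modelled on the thread; the fcup account stands in for
# the "(...)" of the original post and its UID is arbitrary.
SPLIT_GROUPS = """\
"/vo.up.pt":uporto:10000:uprt:
"/vo.up.pt/feup":uportofe:10001:upfe:
"/vo.up.pt/fcup":uportofc:10002:upfc:
"/vo.up.pt/training":uportotr:10003:uptr:
"/vo.up.pt/ROLE=VO-Admin":uportosgm:10020:sgm:
"/vo.up.pt/ROLE=production":uportoprd:10019:prd:
"""
# The admins' first attempt: the same groups with the flag field empty.
FLAGLESS_GROUPS = re.sub(r":(uprt|upfe|upfc|uptr):$", "::", SPLIT_GROUPS, flags=re.M)
SPLIT_USERS = """\
10001:uporto001:10000,-:uporto,-:vo.up.pt:uprt:
10002:uporto002:10000,-:uporto,-:vo.up.pt:uprt:
10051:uportofe001:10001,-:uportofe,-:vo.up.pt:upfe:
10101:uportofc001:10002,-:uportofc,-:vo.up.pt:upfc:
10151:uportotr001:10003,-:uportotr,-:vo.up.pt:uptr:
10999:uportosgm:10020,-:uportosgm,-:vo.up.pt:sgm:
10998:uportoprd:10019,-:uportoprd,-:vo.up.pt:prd:
"""
# Ordinary pool accounts with an empty flag, as in the "/vo.up.pt"::::
# variant above: every flagless group then lands in this one pool.
SHARED_USERS = """\
10001:uporto001:10000,-:uporto,-:vo.up.pt::
10002:uporto002:10000,-:uporto,-:vo.up.pt::
10999:uportosgm:10020,-:uportosgm,-:vo.up.pt:sgm:
10998:uportoprd:10019,-:uportoprd,-:vo.up.pt:prd:
"""

if __name__ == "__main__":
    for name, g, u in [("flagless", FLAGLESS_GROUPS, SHARED_USERS), ("split", SPLIT_GROUPS, SPLIT_USERS)]:
        mapfile, problems = build_mapfile(g, u)
        print(f"== {name} ==", *mapfile, *("WARNING: " + p for p in problems), sep="\n")
```

Run against the flagless groups.conf together with the admins' flagged
users.conf, the checker reports that the four groups have no accounts
behind them at all, which is the configuration question the thread turns
on; with flagless pool accounts it maps all four groups to .uporto and
says so.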