Goncalo,
DPM uses direct VOMS-based mapping through so-called virtual IDs (a sort of
uid/gid created on the fly and associated with a FQAN) to allow ACLs to be
independent of pool accounts. The pseudo grid-mapfile is used just to map a DN to
a default VO in case a proxy doesn't contain the VOMS extension. It is
ignored if the extension is present and valid: this is in fact what should
happen normally.
In the DPM/LFC grid-mapfile, the second parameter is a VO name.
Cheers,
Michel
--On Thursday, 26 February 2009 19:06 +0000 Gonçalo Borges <[log in to unmask]>
wrote:
> Hi Alessandra...
>
> So, what you say is that the local mapping in the DPM server is
> "grid-mapfile / lcgdm-mapfile" based... Is that it?
>
> Cheers
> Goncalo
>
> Alessandra Forti wrote:
>> Hi Goncalo,
>>
>> no, the authentication is not like the CE one.
>>
>> DPM has its own gridmapfile also with edg-mkgridmap.pl:
>>
>> /opt/lcg/etc/lcgdm-mapfile
>>
>> you can look at the cron job
>>
>> /etc/cron.d/lcgdm-mkgridmap
>>
>> cheers
>> alessandra
>> Gonçalo Borges wrote:
>>> Hi...
>>>
>>> Some issues regarding DPM. Maybe someone can answer my questions
>>> (posted along the text)...
>>> I've looked in
>>>
>>> https://twiki.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting
>>>
>>> and in
>>>
>>> https://twiki.cern.ch/twiki/bin/view/LCG/DpmAdminGuide
>>>
>>> but didn't find any point explaining how the DPM authentication is
>>> really done (or at least, I didn't understand what I read :) )
>>>
>>>
>>> 1) These are the versions of the metapackages I'm using for the
>>> server/client
>>>
>>> [root@ui01 ~] rpm -qa | grep UI
>>> glite-UI-3.1.25-0
>>>
>>> [root@se05 ~]# rpm -qa | grep SE
>>> glite-SE_dpm_disk-3.1.11-0.x86_64
>>> glite-SE_dpm_mysql-3.1.12-0.x86_64
>>>
>>>
>>> ---*---
>>>
>>> 2) This is my proxy-info:
>>>
>>> -bash-3.00$ voms-proxy-info --all
>>> subject : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges/CN=proxy
>>> issuer : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges
>>> identity : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges
>>> type : proxy
>>> strength : 1024 bits
>>> path : /tmp/x509up_u266
>>> timeleft : 11:24:29
>>> === VO dteam extension information ===
>>> VO : dteam
>>> subject : /C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges
>>> issuer : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
>>> attribute : /dteam/Role=NULL/Capability=NULL
>>> attribute : /dteam/swe/Role=NULL/Capability=NULL
>>> attribute : /dteam/swe/lip/Role=NULL/Capability=NULL
>>> timeleft : 11:24:29
>>> uri : voms.cern.ch:15004
>>>
>>> ---*---
>>>
>>> 3) I can perform an lcg-cr perfectly:
>>>
>>> -bash-3.00$ lcg-cr -v -d se05.lip.pt -l
>>> lfn:/grid/dteam/goncalo/teste2.txt file:/home/csys/goncalo/sleep.sh
>>> Using grid catalog type: lfc
>>> Using grid catalog : prod-lfc-shared-central.cern.ch
>>> Using LFN : /grid/dteam/goncalo/teste2.txt
>>> [BDII] ii02.lip.pt:2170: Warning, no GlueVOInfo information found
>>> about SE 'se05.lip.pt' (with no tag)
>>> SE type: SRMv1
>>> Using SURL :
>>> srm://se05.lip.pt/dpm/lip.pt/home/dteam/generated/2009-02-26/fileed524a
>>> ca-f315-4422-afb7-9c0145291ef3
>>>
>>> Alias registered in Catalog: lfn:/grid/dteam/goncalo/teste2.txt
>>> SRM Request Token: 166066
>>> Source URL: file:/home/csys/goncalo/sleep.sh
>>> File size: 122
>>> VO name: dteam
>>> Destination specified: se05.lip.pt
>>> Destination URL for copy:
>>> gsiftp://se05.lip.pt/se05.lip.pt:/dpm1/dteam/2009-02-26/fileed524aca-f3
>>> 15-4422-afb7-9c0145291ef3.166066.0
>>>
>>> # streams: 1
>>> # set timeout to 0 seconds
>>> 122 bytes 0.21 KB/sec avg 0.21 KB/sec inst
>>> Transfer took 1020 ms
>>> Destination URL registered in Catalog:
>>> srm://se05.lip.pt/dpm/lip.pt/home/dteam/generated/2009-02-26/fileed524a
>>> ca-f315-4422-afb7-9c0145291ef3
>>>
>>> guid:7ed07047-5e04-401b-9267-edb46c2a3646
>>>
>>> ---*---
>>>
>>> 4) I can perform an lcg-cr requesting VO SWETEST and registering the
>>> file on DTEAM catalogue (neither LFC nor DPM complains about the
>>> incoherence):
>>>
>>> -bash-3.00$ lcg-cr -v --vo swetest -d se05.lip.pt -l
>>> lfn:/grid/dteam/goncalo/teste3.txt file:/home/csys/goncalo/sleep.sh
>>> Using grid catalog type: lfc
>>> Using grid catalog : prod-lfc-shared-central.cern.ch
>>> Using LFN : /grid/dteam/goncalo/teste3.txt
>>> [BDII] ii02.lip.pt:2170: Warning, no GlueVOInfo information found
>>> about SE 'se05.lip.pt' (with no tag)
>>> SE type: SRMv1
>>> Using SURL :
>>> srm://se05.lip.pt/dpm/lip.pt/home/swetest/generated/2009-02-26/filefe63
>>> 1748-d9e5-458c-819f-30920e5371df
>>>
>>> Alias registered in Catalog: lfn:/grid/dteam/goncalo/teste3.txt
>>> SRM Request Token: 166071
>>> Source URL: file:/home/csys/goncalo/sleep.sh
>>> File size: 122
>>> VO name: swetest
>>> Destination specified: se05.lip.pt
>>> Destination URL for copy:
>>> gsiftp://se05.lip.pt/se05.lip.pt:/dpm1/dteam/2009-02-26/filefe631748-d9
>>> e5-458c-819f-30920e5371df.166071.0
>>>
>>> # streams: 1
>>> # set timeout to 0 seconds
>>> 122 bytes 0.13 KB/sec avg 0.13 KB/sec inst
>>> Transfer took 2030 ms
>>> Destination URL registered in Catalog:
>>> srm://se05.lip.pt/dpm/lip.pt/home/swetest/generated/2009-02-26/filefe63
>>> 1748-d9e5-458c-819f-30920e5371df
>>>
>>> guid:bbaa307f-3c10-4e82-abd1-c30936175e81
>>>
>>> QUESTION 1: I guess that this is only possible because the
>>> permissions are OK at the LFC level and DPM doesn't recognize that
>>> I'm running with the DTEAM extension... Is it really like this or do
>>> I have something incorrectly configured?
>>>
>>> ---*---
>>>
>>> 5) I have removed myself from the grid-mapfile in the DPM server, and
>>> tried to perform an lcg-cr as in step 3. I didn't succeed:
>>>
>>> -bash-3.00$ lcg-cr -v -d se05.lip.pt -l
>>> lfn:/grid/dteam/goncalo/teste5.txt file:/home/csys/goncalo/sleep.sh
>>> Using grid catalog type: lfc
>>> Using grid catalog : prod-lfc-shared-central.cern.ch
>>> Using LFN : /grid/dteam/goncalo/teste5.txt
>>> [BDII] ii02.lip.pt:2170: Warning, no GlueVOInfo information found
>>> about SE 'se05.lip.pt' (with no tag)
>>> SE type: SRMv1
>>> Using SURL :
>>> srm://se05.lip.pt/dpm/lip.pt/home/dteam/generated/2009-02-26/file596bf6
>>> e9-ea45-491e-b6cf-9faf29da1d71
>>>
>>> Alias registered in Catalog: lfn:/grid/dteam/goncalo/teste5.txt
>>> [SE][put] httpg://se05.lip.pt:8443/srm/managerv1: CGSI-gSOAP: Error
>>> reading token data header: Connection closed
>>>
>>> lcg_cr: Operation now in progress
>>>
>>> QUESTION 2: I thought the authentication in DPM server was done as in
>>> CE but it seems it is still done based on grid-mapfile (if I have
>>> everything configured OK!). Is it really like this?
>>>
>>> Cheers
>>> Gonçalo
>>
*************************************************************
* Michel Jouvin Email : [log in to unmask] *
* LAL / CNRS Tel : +33 1 64468932 *
* B.P. 34 Fax : +33 1 69079404 *
* 91898 Orsay Cedex *
* France *
*************************************************************
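
The mapping order described in the reply at the top of this message (a valid VOMS extension wins, the mapfile only supplies a default VO for a bare DN), modelled as an added example that is not part of the thread and not DPM code. `VirtualIdMapper`, `group_name`, the id numbering and the FQAN normalisation are assumptions made for illustration, and the mapfile content is constructed.

```python
import shlex
from itertools import count

# Constructed sample in the layout described above: quoted DN, then a VO name.
SAMPLE_MAPFILE = '''
# constructed entries, not taken from a real server
"/C=PT/O=LIPCA/O=LIP/OU=Lisboa/CN=Goncalo Borges" dteam
"/C=XX/O=Example/CN=Constructed User" swetest
"/C=XX/O=Example/CN=Broken Line dteam
'''

def parse_mapfile(text):
    """Return {DN: default VO}, skipping blank, comment and malformed lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)
        except ValueError:  # unbalanced quote around the DN
            continue
        if len(fields) == 2:
            mapping[fields[0]] = fields[1]
    return mapping

def group_name(fqan):
    """Assumed normalisation: drop NULL role/capability and the leading slash."""
    return "/".join(p for p in fqan.split("/") if p and not p.endswith("=NULL"))

class VirtualIdMapper:
    """Hypothetical model of virtual uid/gid allocation on first sight."""
    def __init__(self, mapfile_text):
        self.default_vo = parse_mapfile(mapfile_text)
        self.ids, self._next = {}, count(101)  # 101 is an arbitrary start

    def _id(self, kind, name):
        if (kind, name) not in self.ids:
            self.ids[(kind, name)] = next(self._next)
        return self.ids[(kind, name)]

    def resolve(self, dn, fqans=(), voms_valid=False):
        """Return (virtual uid, [virtual gids], source of the group decision)."""
        if fqans and voms_valid:      # valid extension: the mapfile is ignored
            groups, source = [group_name(f) for f in fqans], "voms"
        elif dn in self.default_vo:   # no usable extension: DN -> default VO
            groups, source = [self.default_vo[dn]], "mapfile"
        else:
            raise PermissionError("no valid VOMS extension and DN not in mapfile")
        return self._id("uid", dn), [self._id("gid", g) for g in groups], source
```

In this model a DN absent from the mapfile is still mapped when its VOMS extension validates, and is refused only when both sources fail.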