Ciao Danilo, all,
> >> For example a single line expression on yaim groups file to
> >> abilitate all the following cms roles ?
> >> "/cms/twcms"::::
> >> "/cms/itcms"::::
> >> "/cms/WHATEVER"::::
> >> "/cms/Role=WHATEVER2":::WHATEVER2:
> >
> > This _should_ work:
> >
> > "/cms/*"::::
> >
> Unfortunately we tested many combinations of cms and "*" with cms people
> but it didn't work.
> Is that a yaim or wmproxy problem?

For me it works fine. The WMS groups.conf has these lines for "atlas":
----------------------------------------------------------------------
"/atlas/ROLE=lcgadmin":::sgm:
"/atlas/ROLE=production":::prd:
"/atlas"::::
"/atlas/*"::::
----------------------------------------------------------------------
Then YAIM put the following in /etc/grid-security/grid-mapfile:
----------------------------------------------------------------------
"/atlas/Role=lcgadmin/Capability=NULL" .sgmatl
"/atlas/Role=lcgadmin" .sgmatl
"/atlas/Role=production/Capability=NULL" .prdatl
"/atlas/Role=production" .prdatl
"/atlas/Role=NULL/Capability=NULL" .atlas
"/atlas" .atlas
"/atlas/*/Role=NULL/Capability=NULL" .atlas
"/atlas/*" .atlas
----------------------------------------------------------------------
In /etc/grid-security/groupmapfile:
----------------------------------------------------------------------
"/atlas/Role=lcgadmin/Capability=NULL" atlassgm
"/atlas/Role=lcgadmin" atlassgm
"/atlas/Role=production/Capability=NULL" atlasprd
"/atlas/Role=production" atlasprd
"/atlas/Role=NULL/Capability=NULL" atlas
"/atlas" atlas
"/atlas/*/Role=NULL/Capability=NULL" atlas
"/atlas/*" atlas
----------------------------------------------------------------------
In /opt/glite/etc/glite_wms_wmproxy.gacl:
----------------------------------------------------------------------
<entry>
<voms>
<fqan>atlas/ROLE=lcgadmin</fqan>
</voms>
<allow>
<exec/>
</allow>
</entry>
<entry>
<voms>
<fqan>atlas/ROLE=production</fqan>
</voms>
<allow>
<exec/>
</allow>
</entry>
<entry>
<voms>
<fqan>atlas</fqan>
</voms>
<allow>
<exec/>
</allow>
</entry>
<entry>
<voms>
<fqan>atlas/*</fqan>
</voms>
<allow>
<exec/>
</allow>
</entry>
----------------------------------------------------------------------
I created a test proxy asking for a primary group that only matches
the wildcard (and fails if the wildcard is not configured):
----------------------------------------------------------------------
subject :
/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=maart/CN=410032/CN=Maarten Litmaath/CN=proxy
issuer :
/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=maart/CN=410032/CN=Maarten Litmaath
identity :
/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=maart/CN=410032/CN=Maarten Litmaath
type : proxy
strength : 1024 bits
path : /tmp/x509up_u15876
timeleft : 8:42:34
=== VO atlas extension information ===
VO : atlas
subject :
/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=maart/CN=410032/CN=Maarten Litmaath
issuer : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
attribute : /atlas/lcg1/Role=NULL/Capability=NULL
attribute : /atlas/Role=NULL/Capability=NULL
attribute : nickname = (atlas)
timeleft : 8:42:34
uri : lcg-voms.cern.ch:15001
----------------------------------------------------------------------
I had no problems submitting jobs via the test WMS.
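
Added illustration (not part of the original message, and not YAIM, LCMAPS or WMProxy code): the sketch below replays the grid-mapfile entries quoted above against the test proxy's primary FQAN. It assumes first-match-wins evaluation in file order and shell-style "*" matching; parse_mapfile and map_fqan are hypothetical helper names.

```python
import fnmatch
import shlex

# Entries copied from the grid-mapfile shown in the message above.
GRID_MAPFILE = '''\
"/atlas/Role=lcgadmin/Capability=NULL" .sgmatl
"/atlas/Role=lcgadmin" .sgmatl
"/atlas/Role=production/Capability=NULL" .prdatl
"/atlas/Role=production" .prdatl
"/atlas/Role=NULL/Capability=NULL" .atlas
"/atlas" .atlas
"/atlas/*/Role=NULL/Capability=NULL" .atlas
"/atlas/*" .atlas
'''

def parse_mapfile(text):
    """Return [(pattern, target), ...] in file order, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, target = shlex.split(line)  # strips the quotes around the FQAN
        entries.append((pattern, target))
    return entries

def map_fqan(fqan, entries):
    """Return the first (pattern, target) matching the FQAN, or None (no mapping)."""
    # Assumption: first match wins and "*" matches any run of characters.
    for pattern, target in entries:
        if fnmatch.fnmatchcase(fqan, pattern):
            return pattern, target
    return None

if __name__ == "__main__":
    entries = parse_mapfile(GRID_MAPFILE)
    primary = "/atlas/lcg1/Role=NULL/Capability=NULL"  # from the test proxy above
    print("with wildcards:   ", map_fqan(primary, entries))
    # Same file with the wildcard lines removed: the subgroup FQAN is unmapped.
    exact_only = [e for e in entries if "*" not in e[0]]
    print("without wildcards:", map_fqan(primary, exact_only))
    # Ordering check: a wildcard placed first would shadow the role entries.
    admin = "/atlas/Role=lcgadmin/Capability=NULL"
    print("file order:       ", map_fqan(admin, entries))
    print("wildcard first:   ", map_fqan(admin, [entries[-1]] + entries[:-1]))
```

Under those assumptions the role-specific lines must stay above the "/atlas/*" lines, otherwise an lcgadmin FQAN lands on the plain .atlas pool instead of .sgmatl.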