Hi all,
The scenario: We have a CMS user that is being mapped to a sgm account
when we think he doesn't want a sgm Role.
We have single cms sgm "pool" account.
We think he's doing something worng cause he sends lots of jobs, so
seems a production user with wrong Role. And, also, that we usually
recieve CMS SGM jobs from Andrea Sciaba's DN.
So I start thinking that maybe the problem is in our mapping (cause
it's the second time it happens this week), and I was checking so.
from logs I see his mapping:
/O=GermanGrid/OU=Uni Karlsruhe/CN=Klaus Rabbertz" mapped to sgmcm001 (22001/50052)
Gridmapfile shows next:
# grep Rabbertz /etc/grid-security/grid-mapfile
"/O=GermanGrid/OU=Uni Karlsruhe/CN=Klaus Rabbertz" sgmcm001
and gridmapfile conf file:
# CMS
# Map VO members (prd)
group vomss://voms.cern.ch:8443/voms/cms?/cms/Role=production .cmprd
# Map VO members (sgm)
group vomss://voms.cern.ch:8443/voms/cms?/cms/Role=lcgadmin sgmcm001
# Map VO members (root group)
group vomss://voms.cern.ch:8443/voms/cms?/cms .cms
So, only sgm Role will be mapped to sgmcm001, so grid-mapfile is
correct.
we use yaim for configuring our CEs.
# grep cms groups.conf
"/cms"::::
"/cms/ROLE=production":::prd:
"/cms/ROLE=lcgadmin":::sgm:
# grep sgmcm users.conf
22001:sgmcm001:50052:sgmcm:cms:sgm:
# grep cmprd users.conf
24001:cmprd001:50051,1399:cmprd,cms:cms:prd:
[...]
24049:cmprd049:50051,1399:cmprd,cms:cms:prd:
So, is he using a plain proxy and for that reason is being mapped to
sgm account? Without knowing user's proxy, may I discover it from CE?
Cause if I check gridmapdir:
gridmapdir:
43121 0 -rw-r--r-- 2 root root 0 May 30 16:56 %2fo%3dgermangrid%2fou%3duni%20karlsruhe%2fcn%3dklaus%20rabbertz:cms
43121 0 -rw-r--r-- 2 root root 0 May 30 16:56 cms009
seems correct for me.
TIA and have a nice weekend,
Arnau
PS: as we have a single SGM node, we have banned the user.
|