On Wed, 15 Feb 2012 11:38:45 +0000
Stephen Burke wrote:
[...]
> groups.conf and *_GROUP_ENABLE are doing different things; the first
> one is about unix group mapping
> and the second one is about access to
I though both files where somehow related (some kind of check which
sees if enabled group is at groups.conf too). For that reason I
was modifying both files for the test.
> the CE. For the GROUP_ENABLE, once you've specified a VO name then
> everyone in that VO is allowed access so allowing extra FQANS in the
> same VO doesn't add anything.
> So normally GROUP_ENABLE will just have
> VO names, unless you want to restrict access to particular groups or
> roles only. Hence using something like /atlas is fairly pointless
> since everyone in atlas is in the /atlas group, which is why yaim has
> the warning.
Does it mean that adding, i.e, 'atlas' will 'allow' all (defined and
not defined) ROLES?
from https://twiki.cern.ch/twiki/bin/view/LCG/YaimGuide400
<QUEUE-NAME>_GROUP_ENABLE variable should be named after short
VO name (in capital letters), but should contain full VO name, as well
as all roles and groups for that VO defined in groups.conf (except for
the root); example
TEST_GROUP_ENABLE="vo.test.domain.org
/vo.test.domain.org/ROLE=lcgadmin
/vo.test.domain.org/ROLE=production"
> However, there is an extra complication if you have FQANVOVIEWS
> set, which it seems that you have. In that case, instead of getting
> one VOView per VO you get one per FQAN. That option was introduced
> several years ago by the job priorities working group to allow
> publishing separate attributes (free slots etc) for e.g. production
> jobs and normal VO users. However I don't think it was ever tested
> very well or used by the VOs - by the time it came in they had mostly
> stopped using the WMS anyway. Do you have a good reason for doing
> that?
I think so. We suffered same issue as describe here:
https://ggus.eu/ws/ticket_info.php?ticket=49969
But I don't know what would happen if I reconfigure our site without
that option enabled.
> Jeff was involved with that so he may have more idea of how
> well it works and whether there are likely to be problems with it.
>
> Stephen
Cheers,
Arnau
|