On 10/21/2015 09:22 AM, Purahoo, Krishan wrote:
> Sometimes as a normal user (default Role) and sometimes with
> Role=lcgadmin.
> Will they have 2 different entries in /etc/grid-security/gridmapdir/?
Using dteam as my example, here are the normal grid-mapfile entries at
Liverpool:
"/dteam/sgm/Role=NULL/Capability=NULL" .sgmdtm
"/dteam/sgm" .sgmdtm
"/dteam/lcgprod/Role=NULL/Capability=NULL" .prddtm
"/dteam/lcgprod" .prddtm
"/dteam/Role=lcgadmin/Capability=NULL" .sgmdtm
"/dteam/Role=lcgadmin" .sgmdtm
"/dteam/Role=production/Capability=NULL" .prddtm
"/dteam/Role=production" .prddtm
"/dteam/Role=NULL/Capability=NULL" .dteam
"/dteam" .dteam
"/dteam/*/Role=NULL/Capability=NULL" .dteam
"/dteam/*" .dteam
Plain users get .dteam (which means any account called dteam[0-9]+ as a
regex). Those with Role=lcgadmin get .sgmdtm (e.g. sgmdtm072)
> This is what is happening in our case. The biomed users use different
> roles for different jobs, using their DN.
Same here. The mapping is defined in grid-mapfile, and recorded in
gridmapdir.
> E.g., I can see only this mapping for the biomed user
>
> 36664 -rw-r--r-- 2 root root 0 Oct 21 09:00 bio012
> 36664 -rw-r--r-- 2 root root 0 Oct 21 09:00 %2fo%3dgrid%2dfr%2fc%3dfr%2fo%3dcnrs%2fou%3di3s%2fcn%3dfranck%20michel:biomed
Hm .. this means that a user with a biomed proxy came along at 9am, and
got mapped to bio012. Let's look on my system and check what I see (I
can get lcgadmin role now). I make and look at a proxy without any
lcgadmin role, like this:
# voms-proxy-init --voms dteam
# voms-proxy-info -all | grep attribute
attribute : /dteam/Role=NULL/Capability=NULL
attribute : /dteam/NGI_UK/Role=NULL/Capability=NULL
So, no lcgadmin role. Now I'll start a job and see what happens on the
ARGUS server (having cleared out gridmapdir first).
# glite-wms-job-submit -e https://lcgwms05.gridpp.rl.ac.uk:7443/glite_wms_wmproxy_server -a -r hepgrid97.ph.liv.ac.uk:8443/cream-pbs-long testJob.jdl
# cd /etc/grid-security/gridmapdir
# find . -name "*jones*"
./%2fc%3duk%2fo%3descience%2fou%3dliverpool%2fl%3dcsd%2fcn%3dstephen%20jones:dteam
Now I'll do the same thing with the lcgadmin role.
# voms-proxy-init --voms dteam:/dteam/Role=lcgadmin
# voms-proxy-info -all | grep attribute
attribute : /dteam/Role=lcgadmin/Capability=NULL
attribute : /dteam/NGI_UK/Role=NULL/Capability=NULL
attribute : /dteam/Role=NULL/Capability=NULL
# glite-wms-job-submit -e https://lcgwms05.gridpp.rl.ac.uk:7443/glite_wms_wmproxy_server -a -r hepgrid97.ph.liv.ac.uk:8443/cream-pbs-long testJob.jdl
# cd /etc/grid-security/gridmapdir
# find . -name "*jones*"
./%2fc%3duk%2fo%3descience%2fou%3dliverpool%2fl%3dcsd%2fcn%3dstephen%20jones:dteamsgm:dteam
./%2fc%3duk%2fo%3descience%2fou%3dliverpool%2fl%3dcsd%2fcn%3dstephen%20jones:dteam
And there's the new mapping, reflecting the user's credentials.
# ls -lrti | grep 110916
110916 -rw-r--r-- 2 root root 0 Oct 21 10:46 sgmdtm81
110916 -rw-r--r-- 2 root root 0 Oct 21 10:46 %2fc%3duk%2fo%3descience%2fou%3dliverpool%2fl%3dcsd%2fcn%3dstephen%20jones:dteamsgm:dteam
And he's mapped to an sgm account, which, by another mechanism, will
allow him to write tags.
Cheers,
Steve
--
Steve Jones
Grid System Administrator office: 220
High Energy Physics Division tel (int): 43396
Oliver Lodge Laboratory tel (ext): +44 (0)151 794 3396
University of Liverpool http://www.liv.ac.uk/physics/hep/
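
Added example, not part of the original message: a script that does for a whole gridmapdir what the `ls -lrti | grep 110916` step above does for one inode, pairing each pool account with the URL-encoded subject entry hard-linked to it and decoding the DN. It assumes subject entries begin with `%` (an encoded leading `/`, as in the listings above); the function names and the `dteam001`/`dteam002` accounts are made up for the illustration.

```python
import os
import tempfile
from collections import defaultdict
from urllib.parse import unquote


def split_subject(name):
    """'<url-encoded DN>:<field>[:<field>...]' -> (decoded DN, [fields])."""
    # Split on the raw name first, so percent-encoded characters inside
    # the DN cannot be mistaken for field separators.
    encoded_dn, *fields = name.split(":")
    return unquote(encoded_dn), fields


def lease_map(gridmapdir):
    """Pair entries sharing an inode: ({account: (dn, fields) or None}, orphans)."""
    by_inode = defaultdict(list)
    for entry in os.scandir(gridmapdir):
        by_inode[entry.stat(follow_symlinks=False).st_ino].append(entry.name)
    leases, orphans = {}, []
    for names in by_inode.values():
        subjects = [split_subject(n) for n in names if n.startswith("%")]
        accounts = [n for n in names if not n.startswith("%")]
        if not accounts:
            orphans.extend(subjects)  # subject entry with no pool account linked
        for account in accounts:
            leases[account] = subjects[0] if subjects else None  # None = unleased
    return leases, orphans


def build_sample(path):
    """Constructed sample mirroring the listing in the thread (not real site data)."""
    dn = "%2fc%3duk%2fo%3descience%2fou%3dliverpool%2fl%3dcsd%2fcn%3dstephen%20jones"
    for account in ("sgmdtm81", "dteam001", "dteam002"):
        open(os.path.join(path, account), "w").close()
    os.link(os.path.join(path, "sgmdtm81"), os.path.join(path, dn + ":dteamsgm:dteam"))
    os.link(os.path.join(path, "dteam001"), os.path.join(path, dn + ":dteam"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        leases, orphans = lease_map(d)
        for account, lease in sorted(leases.items()):
            print(account, "->", lease or "unleased")
        print("orphaned subject entries:", orphans)
```

Pointing `lease_map()` at a real gridmapdir only reads directory metadata; an entry listed under orphans is a subject file whose pool account link is missing.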