Hi Steve,
Thanks. It's all fixed now. The user has now
redone his proxy with the correct role, and now lcg-tags
is all working OK for him.
Many Thanks again for your help.
krishan
On 21/10/15 11:24, Stephen Jones wrote:
> On 10/21/2015 09:22 AM, Purahoo, Krishan wrote:
>
>> Sometimes as a normal user (default Role) and sometimes with
>> Role=lcgadmin.
>> Will they have 2 different entries in /etc/grid-security/gridmapdir/?
>
> Using dteam as my example, here are the normal grid-mapfile entries at
> Liverpool:
>
> "/dteam/sgm/Role=NULL/Capability=NULL" .sgmdtm
> "/dteam/sgm" .sgmdtm
> "/dteam/lcgprod/Role=NULL/Capability=NULL" .prddtm
> "/dteam/lcgprod" .prddtm
> "/dteam/Role=lcgadmin/Capability=NULL" .sgmdtm
> "/dteam/Role=lcgadmin" .sgmdtm
> "/dteam/Role=production/Capability=NULL" .prddtm
> "/dteam/Role=production" .prddtm
> "/dteam/Role=NULL/Capability=NULL" .dteam
> "/dteam" .dteam
> "/dteam/*/Role=NULL/Capability=NULL" .dteam
> "/dteam/*" .dteam
>
> Plain users get .dteam (which means any account called dteam[0-9]+ as a
> regex). Those with Role=lcgadmin get .sgmdtm (e.g. sgmdtm072)
>
>> This is what is happening in our case. The biomed users use different
>> roles for different jobs, using their DN.
>
> Same here. The mapping is defined in grid-mapfile, and recorded in
> gridmapdir.
>
>> E.g., I can see only this mapping for the biomed user
>>
>> 36664 -rw-r--r-- 2 root root 0 Oct 21 09:00 bio012
>> 36664 -rw-r--r-- 2 root root 0 Oct 21 09:00
>> %2fo%3dgrid%2dfr%2fc%3dfr%2fo%3dcnrs%2fou%3di3s%2fcn%3dfranck%20michel:biomed
>>
>
> Hm .. this means that a user with a biomed proxy came along at 9am, and
> got mapped to bio012. Let's look on my system and check what I see (I
> can get lcgadmin role now). I make and look at a proxy without any
> lcgadmin rule, like this:
>
> # voms-proxy-init --voms dteam
> # voms-proxy-info -all | grep attribute
> attribute : /dteam/Role=NULL/Capability=NULL
> attribute : /dteam/NGI_UK/Role=NULL/Capability=NULL
>
> So, no lcgadmin role. Now I'll start a job and see what happens on the
> ARGUS server (having cleared out gridmapdir first).
>
> # glite-wms-job-submit -e
> https://lcgwms05.gridpp.rl.ac.uk:7443/glite_wms_wmproxy_server -a -r
> hepgrid97.ph.liv.ac.uk:8443/cream-pbs-long testJob.jdl
> # cd /etc/grid-security/gridmapdir
> # find . -name "*jones*"
> ./%2fc%3duk%2fo%3descience%2fou%3dliverpool%2fl%3dcsd%2fcn%3dstephen%20jones:dteam
>
>
> Now I'll do the same thing with the lcgadmin role.
>
> # voms-proxy-init --voms dteam:/dteam/Role=lcgadmin
> # voms-proxy-info -all | grep attribute
> attribute : /dteam/Role=lcgadmin/Capability=NULL
> attribute : /dteam/NGI_UK/Role=NULL/Capability=NULL
> attribute : /dteam/Role=NULL/Capability=NULL
>
> # glite-wms-job-submit -e
> https://lcgwms05.gridpp.rl.ac.uk:7443/glite_wms_wmproxy_server -a -r
> hepgrid97.ph.liv.ac.uk:8443/cream-pbs-long testJob.jdl
> # cd /etc/grid-security/gridmapdir
> # find . -name "*jones*"
> ./%2fc%3duk%2fo%3descience%2fou%3dliverpool%2fl%3dcsd%2fcn%3dstephen%20jones:dteamsgm:dteam
>
> ./%2fc%3duk%2fo%3descience%2fou%3dliverpool%2fl%3dcsd%2fcn%3dstephen%20jones:dteam
>
>
> And there's the new mapping, reflecting the user's credentials.
>
> # ls -lrti | grep 110916
> 110916 -rw-r--r-- 2 root root 0 Oct 21 10:46 sgmdtm81
> 110916 -rw-r--r-- 2 root root 0 Oct 21 10:46
> %2fc%3duk%2fo%3descience%2fou%3dliverpool%2fl%3dcsd%2fcn%3dstephen%20jones:dteamsgm:dteam
>
>
> And he's mapped to an sgm account, which, by another mechanism, will
> allow him to write tags.
>
> Cheers,
>
> Steve
>
>
>
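
An added example, not part of the original thread: the `ls -lrti` listings above show that each gridmapdir lease is a pair of hard links sharing one inode, a pool account name and a URL-encoded key. This sketch pairs them by inode and decodes the key; it assumes the key layout seen in the thread (`<encoded DN>:<group>[:<group>...]`), and `dteam001` is a constructed unleased account.

```python
import os
import tempfile
from collections import defaultdict
from urllib.parse import unquote


def read_leases(gridmapdir):
    """Return sorted (pool_account, dn, groups) tuples, one per active lease."""
    by_inode = defaultdict(list)
    for name in os.listdir(gridmapdir):
        st = os.lstat(os.path.join(gridmapdir, name))
        by_inode[st.st_ino].append(name)

    leases = []
    for names in by_inode.values():
        keys = [n for n in names if "%" in n]          # URL-encoded DN keys
        accounts = [n for n in names if "%" not in n]  # pool account names
        if len(keys) != 1 or len(accounts) != 1:
            continue  # unleased pool account or orphaned key: no mapping
        # Split before decoding so only the literal ':' separators count.
        raw_dn, _, groups = keys[0].partition(":")
        leases.append((accounts[0], unquote(raw_dn),
                       groups.split(":") if groups else []))
    return sorted(leases)


def build_sample(root):
    """Constructed sample using the file names quoted in the thread."""
    jones = ("%2fc%3duk%2fo%3descience%2fou%3dliverpool%2fl%3dcsd"
             "%2fcn%3dstephen%20jones:dteamsgm:dteam")
    michel = ("%2fo%3dgrid%2dfr%2fc%3dfr%2fo%3dcnrs%2fou%3di3s"
              "%2fcn%3dfranck%20michel:biomed")
    for account, key in [("sgmdtm81", jones), ("bio012", michel)]:
        open(os.path.join(root, account), "w").close()
        os.link(os.path.join(root, account), os.path.join(root, key))
    # Constructed: a pool account nobody is mapped to (link count 1).
    open(os.path.join(root, "dteam001"), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for account, dn, groups in read_leases(tmp):
            print(f"{account:10} {dn}  groups={groups}")
```

Pointing `read_leases` at a copy of a real gridmapdir gives a quick audit of which DNs currently hold sgm or production pool accounts.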