Hi Gonçalo,

> Sometime ago I started a thread asking for help on how to identify my 
> institution local users. As part of a T2+T3, I have to provide a share 
> of resources to my local users. Local users are here defined as users 
> which via grid will preferably run their jobs in a specific site... A 
> local user might be a person sitting in the office next to mine or 
> someone from other institution in my region or federation. The answer 
> was that a new tool was being developed but I'm not sure if it is 
> already in production.

The "tool" would be Argus:

     https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework

It is in certification, but only deals with glexec on the WN for now.
Development is in progress for CREAM to make use of it as well,
but there are no plans to adapt the LCG-CE.

> As you probably know, next week there will be a CMS exercise, and my 
> local CMS staff asked me to implement this reserved share of resources, 
> since this is exactly one of the issues they will try to exercise. 
> Searching a bit, I've seen that yaim supports a LOCAL_GROUPS_CONF 
> variable, but it doesn't fit my needs since that variable is based on 
> VOMS FQANs. There is no specific/dedicated VOMS FQAN to these local 
> users, and therefore, the only way I have to identify them is checking 
> their DNs.
> 
> The only way I can think of on how to proceed as requested is to configure 
> those DNs under the grid-mapfile-local file. However this raises a 
> couple of questions:
> 
> 1./ Is this action sufficient? Is there an alternative way to do it?

It is not sufficient.  See below.

> 2./ Will the settings in grid-mapfile-local be obeyed even if the user 
> proxy comes with a VOMS FQAN? I have the feeling that grid-mapfile is 
> only checked for proxies without VOMS FQANs... please correct me if I'm 
> wrong...

YAIM configures the LCG-CE to try a VOMS mapping first, with a fallback
on the classic grid-mapfile.  You would want that reversed:

1. In /opt/glite/etc/lcmaps/lcmaps.db change the order of the "withvoms"
    and "standard" sections.  Beware the file is written by YAIM.

2. Put your local users in /opt/edg/etc/grid-mapfile-local with their
    desired mappings.  Note 1: each user will have exactly 1 mapping,
    that is the limitation of the classic grid-mapfile.
    Note 2: a pool account mapping will be overridden by a mapping to
    a static account, if any.  For example, if grid-mapfile-local maps
    a DN to ".lipcms" and edg-mkgridmap.conf maps that DN to "cmssgm",
    the latter mapping wins!
    To avoid that: in /opt/edg/etc/edg-mkgridmap.conf comment out the
    lines for CMS.  Beware the file is written by YAIM.

3. Run the commands in /etc/cron.d/edg-mkgridmap and
    /etc/cron.d/lcg-ce-mkgridmap manually and check the resulting
    contents of /etc/grid-security/grid-mapfile.

If this works, we can cook up YAIM post-configuration functions that
will preserve the changes and maybe open an RFE in Savannah.
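As an added illustration of the check in step 3 (this is example code, not part of the original thread or of YAIM): the script below parses a grid-mapfile-local and the generated grid-mapfile and lists every local DN whose intended mapping did not survive, such as a ".lipcms" pool mapping overridden by a static "cmssgm" entry from edg-mkgridmap.conf. The file contents here are constructed samples; on a real CE they would be read from /opt/edg/etc/grid-mapfile-local and /etc/grid-security/grid-mapfile.

```python
"""Verify that local DNs kept their intended mapping in the generated grid-mapfile."""
import re
import sys

# Constructed sample contents (placeholders, not real DNs).
LOCAL_MAPFILE = '''\
"/C=XX/O=Example/CN=Local User One" .lipcms
"/C=XX/O=Example/CN=Local User Two" .lipcms
'''
GENERATED_MAPFILE = '''\
"/C=XX/O=Example/CN=Local User One" .lipcms
"/C=XX/O=Example/CN=Local User Two" cmssgm
"/C=XX/O=Example/CN=Remote User" .cms
'''

# A grid-mapfile line is a double-quoted DN followed by the local account(s).
MAPFILE_LINE = re.compile(r'^\s*"(?P<dn>[^"]+)"\s+(?P<map>\S+)')


def parse_mapfile(text):
    """Return {dn: mapping}; only the first entry per DN is kept, as the classic
    gatekeeper honours a single mapping per DN."""
    mappings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MAPFILE_LINE.match(line)
        if not m:
            continue
        # "user1,user2" lists are possible; the first account is the effective one.
        mappings.setdefault(m.group("dn"), m.group("map").split(",")[0])
    return mappings


def check_local_mappings(local_text, generated_text):
    """Return [(dn, expected, actual)] for local DNs whose mapping was lost or
    overridden; actual is None when the DN is absent from the generated file."""
    expected = parse_mapfile(local_text)
    actual = parse_mapfile(generated_text)
    return [(dn, want, actual.get(dn))
            for dn, want in expected.items() if actual.get(dn) != want]


if __name__ == "__main__":
    # Usage: script.py [grid-mapfile-local grid-mapfile]; defaults to the samples above.
    if len(sys.argv) == 3:
        local_text, generated_text = (open(p).read() for p in sys.argv[1:3])
    else:
        local_text, generated_text = LOCAL_MAPFILE, GENERATED_MAPFILE
    for dn, want, got in check_local_mappings(local_text, generated_text):
        print(f"{dn}: expected {want}, got {got}")
```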