Hi,

Creating the pilots is not the real thing, is it? At least, if we know which VOs will be using them.

My main concern is safety. And I don't mean safety in terms of reading some policy and finding out if we're respecting it or not. I'd feel more comfortable if Linda and the security team evaluated this multi-VO proxy submission and issued a statement that they don't see any increased risks and why they do not see it.

Of course, after that it would be helpful to have a clear statement of exactly which VOs will be using this type of job submission.
 
Thanks, raul
 


On 06/08/15 10:28, Stephen Jones wrote:
Hi Daniela, Simon,

I've done this for Liverpool, as you asked. To re-iterate, I updated groups.conf, users.conf, site-info.def, the Argus policy, the Maui config, the PBS (qmgr) config. Then I had to do much yaiming on the CEs, PBS, WNs, and reload a few servers (Argus, Maui, PBS, ...). We don't think it impacts storage. One thing to watch - make sure to use unique numbers for the new users and (esp) groups. It's easy for one system in a cluster of service nodes and WNs to have (say) a single weird numbered group amongst all that, and it would take quite a bit of backing out if you hit one. Can you test it now? Try (say) these CEs:

  hepgrid2.ph.liv.ac.uk:2811/nordugrid-Condor-grid
  hepgrid5.ph.liv.ac.uk:8443/cream-pbs-long

Cheers,

Steve



On 08/04/2015 12:33 PM, Daniela Bauer wrote:
Hi All,

As discussed in the ops meeting we would like sites to enable glexec for small VOs. The setup would be identical to CMS, Atlas and LHCb, i.e. jobs arrive under a pilot proxy (mapped to a pilot account) and then switch to a user account (using the user proxy that is shipped with the pilot).
We think this is necessary as otherwise it would be feasible for users to steal a copy of the pilot proxy. As this proxy is used by multiple VOs, in principle a user might access a different VO's data (or get up to other shenanigans using a proxy that isn't their own).
Note that we cannot enable glexec per site/VO, it has to be enabled for all VOs/sites or none. That means if you do not want to enable glexec for a VO, you need to stop supporting the VO altogether as otherwise dirac will try and run (and fail) jobs at your site.

Regards,
Daniela and Simon

-- 
Sent from the pit of despair

-----------------------------------------------------------
HEP Group/Physics Dep
Imperial College
London, SW7 2BW
Tel: +44-(0)20-75947810
http://www.hep.ph.ic.ac.uk/~dbauer/