Hi Antun,
> Thanks, now I see what creates the problem. When I remove grid-mapfile and
> grid-mapfile.1, and execute by hand the cron job that generates grid-mapfile,
> then everything is fine, and at the end of grid-mapfile I have OK mappings:
>
> "/aegis/Role=VO-Admin/Capability=NULL" .sgmaegis
> "/aegis/Role=VO-Admin" .sgmaegis
> "/aegis/Role=sgmadmin/Capability=NULL" .sgmaegis
> "/aegis/Role=sgmadmin" .sgmaegis
> "/aegis/Role=production/Capability=NULL" .prdaegis
> "/aegis/Role=production" .prdaegis
> "/aegis/Role=NULL/Capability=NULL" .aegis
> "/aegis" .aegis
> "/aegis/*/Role=NULL/Capability=NULL" .aegis
> "/aegis/*" .aegis
> "/atlas/Role=lcgadmin/Capability=NULL" .sgmatlas
> "/atlas/Role=lcgadmin" .sgmatlas
> "/atlas/Role=production/Capability=NULL" .prdatlas
> "/atlas/Role=production" .prdatlas
> "/atlas/Role=NULL/Capability=NULL" .atlas
> "/atlas" .atlas
> "/atlas/*/Role=NULL/Capability=NULL" .atlas
> "/atlas/*" .atlas
> "/cms/Role=lcgadmin/Capability=NULL" .sgmcms
> "/cms/Role=lcgadmin" .sgmcms
> "/cms/Role=production/Capability=NULL" .prdcms
> "/cms/Role=production" .prdcms
> "/cms/Role=NULL/Capability=NULL" .cms
> "/cms" .cms
> "/cms/*/Role=NULL/Capability=NULL" .cms
> "/cms/*" .cms
> "/see/Role=seeadmin/Capability=NULL" .sgmseevo
> "/see/Role=seeadmin" .sgmseevo
> "/see/Role=NULL/Capability=NULL" .seevo
> "/see" .seevo
> "/see/*/Role=NULL/Capability=NULL" .seevo
> "/see/*" .seevo
> "/seegrid/Role=sgmadmin/Capability=NULL" .sgmseegrid
> "/seegrid/Role=sgmadmin" .sgmseegrid
> "/seegrid/Role=ops/Capability=NULL" .prdseegrid
> "/seegrid/Role=ops" .prdseegrid
> "/seegrid/Role=NULL/Capability=NULL" .seegrid
> "/seegrid" .seegrid
> "/seegrid/*/Role=NULL/Capability=NULL" .seegrid
> "/seegrid/*" .seegrid
> "/ops/Role=lcgadmin/Capability=NULL" .sgmops
> "/ops/Role=lcgadmin" .sgmops
> "/ops/Role=NULL/Capability=NULL" .ops
> "/ops" .ops
> "/ops/*/Role=NULL/Capability=NULL" .ops
> "/ops/*" .ops
>
> However, when I run the cron job again, the problem is created: at the
> beginning of the FQAN section, the following lines are prepended:
>
> "/seegrid" .seegrid
> "/seegrid/*" .seegrid
> "/seegrid/*/Role=NULL/Capability=NULL" .seegrid
> "/seegrid/Role=NULL/Capability=NULL" .seegrid
> "/seegrid/Role=ops" .prdseegrid
> "/seegrid/Role=ops/Capability=NULL" .prdseegrid
> "/seegrid/Role=sgmadmin" .sgmseegrid
> "/seegrid/Role=sgmadmin/Capability=NULL" .sgmseegrid
>
> And then naturally, for the seegrid VO, whatever proxy I use is mapped to a
> regular pool account, and not to .prdseegrid etc.
>
> Now the question is why
>
> /opt/edg/sbin/edg-mkgridmap --output=/etc/grid-security/grid-mapfile --safe
>
> in subsequent executions adds the above inverted seegrid section after the DN
> mappings?
What do you have in /etc/grid-security/voms-grid-mapfile?
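
The ordering problem described in the quoted message, as an added example that is not part of the original thread: a small checker that flags grid-mapfile entries shadowed by an earlier, broader entry mapped to a different account. It assumes first-match-wins evaluation and shell-style `*` matching, which is how the quoted symptom reads; the function names are hypothetical.

```python
import fnmatch
import re

ENTRY = re.compile(r'^"([^"]+)"\s+(\S+)$')

def parse_entries(text):
    """Return (line_no, pattern, account) for each '"pattern" account' line."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line.strip())
        if m:
            entries.append((line_no, m.group(1), m.group(2)))
    return entries

def find_shadowed(entries):
    """Flag entries whose own FQAN text is already claimed by an earlier line.

    Assumption: the first matching line wins and '*' is a shell-style
    wildcard. An entry is shadowed when an earlier pattern matches its
    FQAN text but maps to a different account.
    """
    findings = []
    for i, (line_no, pattern, account) in enumerate(entries):
        for prev_no, prev_pattern, prev_account in entries[:i]:
            if prev_account != account and fnmatch.fnmatchcase(pattern, prev_pattern):
                findings.append((line_no, pattern, account, prev_no, prev_pattern))
                break
    return findings

# Constructed samples built from the seegrid lines quoted in the message.
GOOD = '''"/seegrid/Role=sgmadmin/Capability=NULL" .sgmseegrid
"/seegrid/Role=sgmadmin" .sgmseegrid
"/seegrid/Role=ops/Capability=NULL" .prdseegrid
"/seegrid/Role=ops" .prdseegrid
"/seegrid/Role=NULL/Capability=NULL" .seegrid
"/seegrid" .seegrid
"/seegrid/*/Role=NULL/Capability=NULL" .seegrid
"/seegrid/*" .seegrid'''
BAD = '''"/seegrid" .seegrid
"/seegrid/*" .seegrid
"/seegrid/*/Role=NULL/Capability=NULL" .seegrid
"/seegrid/Role=NULL/Capability=NULL" .seegrid
"/seegrid/Role=ops" .prdseegrid
"/seegrid/Role=ops/Capability=NULL" .prdseegrid
"/seegrid/Role=sgmadmin" .sgmseegrid
"/seegrid/Role=sgmadmin/Capability=NULL" .sgmseegrid'''

if __name__ == "__main__":
    for line_no, pattern, account, prev_no, prev_pattern in find_shadowed(parse_entries(BAD)):
        print(f'line {line_no}: "{pattern}" -> {account} is shadowed by line {prev_no} "{prev_pattern}"')
```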