The number of sites with LOCALGROUPDISK should be higher.
The DPMs which should also have this are Oxford and QMUL.
Brian
-----Original Message-----
From: [log in to unmask] [mailto:[log in to unmask]] On Behalf Of Graeme Stewart
Sent: 23 September 2008 14:06
To: Testbed Support for GridPP member institutes; GridPP Dteam; ATLAS UK Ops
Subject: Urgent permissions problem on ATLASLOCALGROUPDISK areas
Hi All
A permissions problem has come to light on the ATLASLOCALGROUPDISK areas
at DPM Tier-2s. These have been set up as belonging to, and owned by, the
"atlas/uk" VOMS role. However, as datasets can be subscribed to this
area, an ACL has been set so that "atlas/Role=production"
could always write into this area (all subscriptions are done with the
production role).
However, this leads to a problem because when directories are created
with the production role they now belong to the atlas/Role=production
group and so users, who are in atlas/uk, can no longer write here.
For this reason we need sites to set ACLs on this namespace area to
ensure that, in addition to Role=production, the atlas/uk group also
always has group write permission. In practice this means setting the
ACLs "d:g:atlas/uk:7" and "g:atlas/uk:7" on every sub-directory of
/dpm/YOUR_DOMAIN_HERE/home/atlas/atlaslocalgroupdisk.
This is rather tedious to do by hand, so I put a script here:
http://www.physics.gla.ac.uk/~graeme/atlas/scripts/atlas-uk-local-dpm-token-fix.sh
This needs to be run at all ATLAS T2 sites who have the
ATLASLOCALGROUPDISK space token for UK users. I think this means:
UKI-SCOTGRID-GLASGOW (done)
UKI-SOUTHGRID-CAM-HEP
UKI-NORTHGRID-LIV-HEP
UKI-SOUTHGRID-BHAM-HEP
UKI-LT2-RHUL
UKI-NORTHGRID-SHEF-HEP
UKI-NORTHGRID-LANCS-HEP
Sites which still need to set up this token should obviously create it
with the correct ACLs.
Thanks
Graeme
--
Dr Graeme Stewart http://www.physics.gla.ac.uk/~graeme/
Department of Physics and Astronomy, University of Glasgow, Scotland
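
An added example, not part of either message and not the script linked above: a check that each directory in an ACL listing gives atlas/uk effective rwx in both its access and default ACLs, as the fix requires. The getfacl-style listing layout, the example.org domain and the directory names are assumptions made for illustration.

```python
# Constructed sample, getfacl-style layout assumed; example.org is a placeholder domain.
SAMPLE = """\
# file: /dpm/example.org/home/atlas/atlaslocalgroupdisk/user
group:atlas/uk:rwx
mask::rwx
default:group:atlas/uk:rwx
default:mask::rwx
# file: /dpm/example.org/home/atlas/atlaslocalgroupdisk/mc08
group:atlas/Role=production:rwx   #effective:rwx
mask::rwx
default:group:atlas/uk:rwx
default:mask::r-x
"""

def parse_acl_listing(text):
    """Split the listing into {directory: [acl_entry, ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("# file:"):
            current = raw.split(":", 1)[1].strip()
            acls[current] = []
        elif current is not None:
            entry = raw.split("#", 1)[0].strip()  # drop trailing comments
            if entry:
                acls[current].append(entry)
    return acls

def effective_perm(entries, group, default=False):
    """Permission the group really gets: its entry limited by the mask."""
    perms = {}
    for entry in entries:
        if entry.startswith("default:") == default:
            kind, qualifier, perm = entry.removeprefix("default:").split(":")
            perms[(kind, qualifier)] = perm
    granted = perms.get(("group", group))
    if granted is None:
        return None  # no entry for the group at all
    mask = perms.get(("mask", ""), "rwx")
    return "".join(g if g == m else "-" for g, m in zip(granted, mask))

def audit(text, group="atlas/uk"):
    """Return (directory, 'access'|'default', perm) where the group lacks rwx."""
    findings = []
    for path, entries in parse_acl_listing(text).items():
        for default in (False, True):
            perm = effective_perm(entries, group, default)
            if perm != "rwx":
                findings.append((path, "default" if default else "access", perm))
    return findings
```

A directory created under the production role shows up with a missing access entry, and a restrictive mask is reported even when the atlas/uk entry itself reads rwx.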