Hola Arnau,
> The scenario: We have a CMS user that is being mapped to a sgm account
> when we think he doesn't want a sgm Role.
> We have single cms sgm "pool" account.
>
> We think he's doing something wrong cause he sends lots of jobs, so
> seems a production user with wrong Role. And, also, that we usually
> receive CMS SGM jobs from Andrea Sciaba's DN.
>
> So I start thinking that maybe the problem is in our mapping (cause
> it's the second time it happens this week), and I was checking so.
>
> from logs I see his mapping:
> /O=GermanGrid/OU=Uni Karlsruhe/CN=Klaus Rabbertz" mapped to sgmcm001 (22001/50052)
>
> Gridmapfile shows next:
>
> # grep Rabbertz /etc/grid-security/grid-mapfile
> "/O=GermanGrid/OU=Uni Karlsruhe/CN=Klaus Rabbertz" sgmcm001
>
> and gridmapfile conf file:
>
> # CMS
> # Map VO members (prd)
> group vomss://voms.cern.ch:8443/voms/cms?/cms/Role=production .cmprd
> # Map VO members (sgm)
> group vomss://voms.cern.ch:8443/voms/cms?/cms/Role=lcgadmin sgmcm001
> # Map VO members (root group)
> group vomss://voms.cern.ch:8443/voms/cms?/cms .cms
>
> So, only sgm Role will be mapped to sgmcm001, so grid-mapfile is
> correct.
>
>
> we use yaim for configuring our CEs.
> # grep cms groups.conf
> "/cms"::::
> "/cms/ROLE=production":::prd:
> "/cms/ROLE=lcgadmin":::sgm:
>
> # grep sgmcm users.conf
> 22001:sgmcm001:50052:sgmcm:cms:sgm:
>
> # grep cmprd users.conf
> 24001:cmprd001:50051,1399:cmprd,cms:cms:prd:
> [...]
> 24049:cmprd049:50051,1399:cmprd,cms:cms:prd:
>
>
> So, is he using a plain proxy and for that reason is being mapped to
Possibly, but most probably not. I suspect his proxy contains a primary
FQAN that your CE does not support, and hence it will fall back on mapping
the DN instead!
You can add a line to groups.conf:
"/cms"::::
"/cms/ROLE=production":::prd:
"/cms/ROLE=lcgadmin":::sgm:
"/cms/*"::::
LHCb and Jeff have asked for the grid-mapfile not to contain any privileged
DN mappings: if your primary FQAN is unsupported, you just get an ordinary
pool account.
This idea is supported by YAIM via the UNPRIVILEGED_MKGRIDMAP variable as
described here:
https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables
Warning 1: it will affect all VOs. RFE:
https://savannah.cern.ch/bugs/index.php?49511
Warning 2: only make such changes in scheduled downtime after the CE has
been drained.
> sgm account? Without knowing user's proxy, may I discover it from CE?
Yes, all VOMS extensions, if any, are logged along with the DN, local
job ID, WMS job ID (if found) etc. in the accounting files:
/opt/edg/var/gatekeeper/grid-jobmap_*
> Cause if I check gridmapdir:
>
> gridmapdir:
> 43121 0 -rw-r--r-- 2 root root 0 May 30 16:56 %2fo%3dgermangrid%2fou%3duni%20karlsruhe%2fcn%3dklaus%20rabbertz:cms
> 43121 0 -rw-r--r-- 2 root root 0 May 30 16:56 cms009
>
> seems correct for me.
That is a correct mapping for an ordinary CMS VOMS proxy.
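To make the fallback concrete, here is an added Python model of the decision described in the reply: groupmapfile patterns are tried first, and only when the primary FQAN matches none of them is the DN looked up in grid-mapfile. This is a simplified illustration written for this thread, not the CE's real LCMAPS or edg-mkgridmap code; the unsupported role name and the pool numbering are constructed.

```python
from typing import Optional
from urllib.parse import quote

# Constructed groupmapfile rows mirroring the thread: (FQAN pattern, account),
# first match wins; a ".name" account denotes a pool, anything else a fixed account.
GROUPMAP_SITE = [
    ("/cms/Role=production", ".cmprd"),
    ("/cms/Role=lcgadmin", "sgmcm001"),
    ("/cms", ".cms"),
]
# The same list with the "/cms/*" line suggested in the reply appended.
GROUPMAP_WILDCARD = GROUPMAP_SITE + [("/cms/*", ".cms")]

DN = "/O=GermanGrid/OU=Uni Karlsruhe/CN=Klaus Rabbertz"
GRIDMAP_PRIVILEGED = {DN: "sgmcm001"}   # DN line as generated at the site
GRIDMAP_UNPRIVILEGED = {DN: ".cms"}     # UNPRIVILEGED_MKGRIDMAP style: DN -> plain pool only
UNSUPPORTED_FQAN = "/cms/Role=notconfigured"  # constructed: any role the CE does not list


def fqan_matches(pattern: str, fqan: str) -> bool:
    """Case-insensitive match of a primary FQAN against one groupmapfile pattern;
    '/Role=NULL' and '/Capability=NULL' are ignored, a trailing '/*' matches any subgroup or role."""
    f = fqan.lower().replace("/role=null", "").replace("/capability=null", "")
    p = pattern.lower()
    if p.endswith("/*"):
        return f == p[:-2] or f.startswith(p[:-1])
    return f == p


def map_user(dn: str, primary_fqan: Optional[str], groupmap, gridmap) -> str:
    """Groupmapfile first; if no pattern matches (or the proxy carries no FQAN at all),
    fall back to the DN entry in grid-mapfile, which is where a privileged line leaks through."""
    if primary_fqan:
        for pattern, account in groupmap:
            if fqan_matches(pattern, primary_fqan):
                return account
    return gridmap.get(dn, "DENIED")


def lease(account: str, dn: str, vo: str, gridmapdir: dict) -> str:
    """Resolve a '.pool' result to a concrete pool account, keyed like gridmapdir does:
    URL-encoded, lower-cased DN plus ':<vo>'. Fixed accounts pass through unchanged."""
    if not account.startswith("."):
        return account
    key = quote(dn.lower(), safe="").lower() + ":" + vo
    if key not in gridmapdir:
        used = sum(1 for v in gridmapdir.values() if v.startswith(account[1:]))
        gridmapdir[key] = f"{account[1:]}{used + 1:03d}"
    return gridmapdir[key]
```

Running `map_user` with the site's groupmap and the privileged grid-mapfile gives `sgmcm001` for any unsupported role, while either the `/cms/*` line or the unprivileged grid-mapfile turns that into an ordinary `.cms` pool lease without touching the lcgadmin mapping.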