Hi Matt,
> Which matches the wiki mostly, but I don't have the 'Capability=NULL'
> part. Could I ask what that part relates to and should I add that in?
I think it’s another way of partitioning roles; you probably don’t need it. We ended up with it because I cribbed the policies from our older authentication scheme… as long as you have the actual pilot role present, that should be fine.
> So on the Argus server everything is showing as Permit at the moment,
> even around the time when the Nagios tests are failing.
>
> I know when running a manual test with my own cert as part of the dteam
> vo, that Argus would not allow me to run glexec, until I added the
> policy above to permit vo=dteam -- so I think at least partially the WNs
> and the argus server are working in *some* cases.
>
Hmm, the fact that things seemed to be working was why I thought it might just be a missing policy statement, but it appears that isn’t the case. Your policy looks right to me.
>> p.s. Another thought: I see in your last set of emails you made sure the
>> pilops mappings were right on the worker nodes; did the same thing
>> happen on the Argus server? It uses the grid map files to know which
>> pool accounts to map DNs to, so they need to be available on the Argus
>> server as well… something that always bites me :)
>
> I did need to update the worker nodes to have the same
> /etc/yaim/users.conf and groups.conf as the Argus and Cream servers - is
> that what you mean here? The /etc/grid-security/grid-mapfile is present
> on WNs, argus and cream and is the same on all too.
Yeah, so the VOMS, grid and group map files should be the same on all the machines… The easy way to see if the mappings are actually happening is to check /etc/grid-security/gridmapdir/ and see if mappings to the “pilops” (or whatever you’ve called yours) pool accounts are being made. For completeness, here is what I do:
/etc/grid-security/gridmapdir# ls -i | awk '/pilops/ {print $1}' | sort -u | while read inode; do find . -maxdepth 1 -inum "$inode" -exec ls -ltri {} +; done   # for each pilops* inode, list every name hard-linked to it: the pool account plus each mapped (URL-encoded) DN
To show all the “pilops” accounts and the associated DN mappings. If there are some actual mappings, then Argus is doing its job and the break is back on the WN… if there are no mappings, then Argus is having issues somehow.
Thanks,
Gareth
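The gridmapdir check Gareth describes relies on one fact: a pool account is a regular file, and a DN is "mapped" to it by hard-linking a second name (the URL-encoded DN) to the same inode. The script below is an added example, not code from the thread or from any grid middleware. It builds a throwaway gridmapdir with made-up pool accounts and DNs, then walks it and reports, per pool account, which DN (if any) currently holds it. GNU stat/find are assumed (stat -c, find -samefile/-printf), and the URL decoder only undoes the handful of escapes that typically occur in a DN.

```shell
#!/bin/sh
# Added example: inspect gridmapdir-style pool-account mappings.
# Everything here (paths, account names, DNs) is constructed for the demo.

# make_demo_gridmapdir DIR: create three "pilops" pool accounts in DIR and map two of them.
# A mapping is a hard link named after the URL-encoded DN, pointing at the account's inode.
make_demo_gridmapdir() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/pilops001"
    : > "$dir/pilops002"
    : > "$dir/pilops003"
    ln "$dir/pilops001" "$dir/%2fdc%3dorg%2fdc%3dexample%2fcn%3dpilot%20user"
    ln "$dir/pilops003" "$dir/%2fdc%3dorg%2fdc%3dexample%2fcn%3dother%20pilot"
}

# url_decode STR: undo the percent-escapes gridmapdir uses for the characters
# common in a DN ('/', '=', ' ', ',', '@'). Partial on purpose; good enough to read a DN.
url_decode() {
    printf '%s\n' "$1" | sed 's/%2f/\//g; s/%3d/=/g; s/%20/ /g; s/%2c/,/g; s/%40/@/g'
}

# list_mappings DIR PREFIX: for every pool account DIR/PREFIX*, print
#   "<account> -> <DN>"   for each name hard-linked to the account (a live mapping), or
#   "<account> (free)"    when the account's inode has no other name (link count 1).
list_mappings() {
    dir=$1 prefix=$2
    for acct in "$dir"/"$prefix"*; do
        [ -e "$acct" ] || continue          # glob matched nothing
        name=${acct##*/}
        links=$(stat -c %h "$acct")         # hard-link count of the pool-account inode
        if [ "$links" -le 1 ]; then
            echo "$name (free)"
            continue
        fi
        # Every other directory entry on the same inode is a mapped, encoded DN.
        find "$dir" -maxdepth 1 -samefile "$acct" ! -name "$name" -printf '%f\n' \
          | sort | while read -r enc; do
              echo "$name -> $(url_decode "$enc")"
          done
    done
}

# Demo run on the constructed directory.
demo=$(mktemp -d)
make_demo_gridmapdir "$demo"
list_mappings "$demo" pilops
rm -rf "$demo"
```

Run it against a real /etc/grid-security/gridmapdir on the Argus server and on a WN with your own pool-account prefix: a "-> DN" line means the mapping was actually made there; if the Argus server shows mappings and the WN shows none, the break is on the WN side, as in the reasoning above. Note that the link mtime is what the lease logic keys on, so `ls -ltri` on the same entries still tells you when a mapping was last touched.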