Difference between revisions of "Tools/Manuals/TS193"
Latest revision as of 13:42, 23 November 2012
How to publish queues with access restricted to a VOMS FQAN
Instead of giving the whole VO access to some queue, you may want to restrict access to a subset of the VO, identified by a particular VOMS FQAN like /foo/Role=production.
First, it would be normal for that FQAN to be mapped to its own set of accounts and to configure the batch system for those accounts to have access to the queue, while denying other accounts for that VO.
Second, one should take care that the information system (BDII) reflects the restricted access, to prevent the WMS from considering the queue for jobs submitted by other groups in the VO: those jobs would fail immediately and lead to a waste of resources.
There are two information system objects to be configured according to the desired restriction: the GlueCE, describing the generic properties of the queue, and the GlueVOView, describing the VO-specific properties.
YAIM allows that to be done through a corresponding definition of the Q_GROUP_ENABLE variable for the queue in question. For example, for a queue called "express" one can obtain access rules for the aforementioned role as well as the whole "ops" VO as follows:
EXPRESS_GROUP_ENABLE=' /foo/Role=production ops '
Example result in the BDII
dn: GlueCEUniqueID=my-CE.my-domain:8443/cream-pbs-express,Mds-Vo-name=MY-SITE,Mds-Vo-name=local,o=grid
[...]
GlueCEAccessControlBaseRule: VOMS:/foo/Role=production
GlueCEAccessControlBaseRule: VO:ops
[...]

dn: GlueVOViewLocalID=/foo/Role_production,GlueCEUniqueID=my-CE.my-domain:8443/cream-pbs-express,Mds-Vo-name=MY-SITE,Mds-Vo-name=local,o=grid
[...]
GlueCEAccessControlBaseRule: VOMS:/foo/Role=production
[...]

dn: GlueVOViewLocalID=ops,GlueCEUniqueID=my-CE.my-domain:8443/cream-pbs-express,Mds-Vo-name=MY-SITE,Mds-Vo-name=local,o=grid
[...]
GlueCEAccessControlBaseRule: VO:ops
[...]
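The following script is an added example, not part of the original FAQ and not YAIM or BDII code. It covers both the YAIM variable above and the BDII result: it derives the GlueCEAccessControlBaseRule values that a <QUEUE>_GROUP_ENABLE setting implies (tokens beginning with "/" become VOMS: rules, anything else a VO: rule, and "=" becomes "_" in the GlueVOViewLocalID, as the output above shows), parses a constructed LDIF dump modelled on that output (host and site names are placeholders), checks that the published GlueCE and GlueVOView entries agree with the YAIM value, and applies the matchmaking rule a broker uses (VO:<name> admits any member of the VO, VOMS:<fqan> only credentials carrying that exact FQAN), so an administrator can confirm that plain VO members are excluded before the WMS ever sees the queue.

```python
from typing import Dict, List

# Constructed LDIF dump modelled on the BDII output in the FAQ (placeholder host/site names).
SAMPLE_LDIF = """\
dn: GlueCEUniqueID=my-CE.my-domain:8443/cream-pbs-express,Mds-Vo-name=MY-SITE,Mds-Vo-name=local,o=grid
objectClass: GlueCE
GlueCEName: express
GlueCEAccessControlBaseRule: VOMS:/foo/Role=production
GlueCEAccessControlBaseRule: VO:ops

dn: GlueVOViewLocalID=/foo/Role_production,GlueCEUniqueID=my-CE.my-domain:8443/cream-pbs-express,Mds-Vo-name=MY-SITE,Mds-Vo-name=local,o=grid
objectClass: GlueVOView
GlueCEAccessControlBaseRule: VOMS:/foo/Role=production

dn: GlueVOViewLocalID=ops,GlueCEUniqueID=my-CE.my-domain:8443/cream-pbs-express,Mds-Vo-name=MY-SITE,Mds-Vo-name=local,o=grid
objectClass: GlueVOView
GlueCEAccessControlBaseRule: VO:ops
"""

# Constructed misconfiguration: the GlueCE opens the queue to the whole "foo" VO
# even though only the production role should be admitted.
BROKEN_LDIF = SAMPLE_LDIF.replace(
    "GlueCEAccessControlBaseRule: VOMS:/foo/Role=production\nGlueCEAccessControlBaseRule: VO:ops",
    "GlueCEAccessControlBaseRule: VO:foo\nGlueCEAccessControlBaseRule: VO:ops", 1)

CE_ID = "my-CE.my-domain:8443/cream-pbs-express"


def expected_rules(group_enable: str) -> List[str]:
    """Translate a YAIM <QUEUE>_GROUP_ENABLE value into the access rules it implies.
    A token starting with '/' is a VOMS FQAN (VOMS:...), any other token a VO name (VO:...)."""
    tokens = group_enable.strip().strip("'\"").split()
    return [f"VOMS:{t}" if t.startswith("/") else f"VO:{t}" for t in tokens]


def voview_local_id(token: str) -> str:
    """GlueVOViewLocalID as published for a token: '=' is replaced by '_' (see the FAQ output)."""
    return token.replace("=", "_")


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF parser: unfold continuation lines, split entries on blank lines,
    return {dn: {attribute: [values]}}."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # LDIF continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in lines:
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def queue_rules(entries: Dict[str, Dict[str, List[str]]], ce_id: str) -> Dict[str, List[str]]:
    """Access rules of the GlueCE ('GlueCE') and of each GlueVOView (keyed by its LocalID RDN)."""
    result: Dict[str, List[str]] = {}
    for dn, attrs in entries.items():
        if ce_id in dn:
            label = "GlueCE" if dn.startswith("GlueCEUniqueID=") else dn.split(",")[0]
            result[label] = attrs.get("GlueCEAccessControlBaseRule", [])
    return result


def rule_matches(rule: str, vo: str, fqans: List[str]) -> bool:
    """Broker matchmaking: VO:<name> admits any member of that VO; VOMS:<fqan> admits
    only a credential carrying exactly that FQAN."""
    kind, _, value = rule.partition(":")
    if kind == "VO":
        return value == vo
    if kind == "VOMS":
        return value in fqans
    return False


def admitted(rules: List[str], vo: str, fqans: List[str]) -> bool:
    return any(rule_matches(r, vo, fqans) for r in rules)


def check_consistency(group_enable: str, ldif: str, ce_id: str) -> bool:
    """True when the GlueCE publishes exactly the rules the YAIM value implies and every
    GlueVOView of the queue publishes a non-empty subset of them (no view widens access)."""
    rules = queue_rules(parse_ldif(ldif), ce_id)
    expected = set(expected_rules(group_enable))
    if set(rules.get("GlueCE", [])) != expected:
        return False
    views = [set(r) for label, r in rules.items() if label != "GlueCE"]
    return bool(views) and all(v and v <= expected for v in views)


if __name__ == "__main__":
    ce = queue_rules(parse_ldif(SAMPLE_LDIF), CE_ID)["GlueCE"]
    print("consistent:", check_consistency(" /foo/Role=production ops ", SAMPLE_LDIF, CE_ID))
    print("plain foo member admitted:", admitted(ce, "foo", ["/foo"]))
    print("foo production admitted:", admitted(ce, "foo", ["/foo/Role=production", "/foo"]))
```

Running the check against a real site would mean feeding it the output of an ldapsearch against the site BDII for the queue's GlueCEUniqueID; the parser above accepts that LDIF as it is, continuation lines included.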