Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @


From EGIWiki
Jump to navigation Jump to search
Main operations services Support Documentation Tools Activities Performance Technology Catch-all Services Resource Allocation Security

Documentation menu: Home Manuals Procedures Training Other Contact For: VO managers Administrators

Back to Administration FAQ

How to publish queues with access restricted to a VOMS FQAN

Instead of giving the whole VO access to some queue, you may want to restrict access to a subset of the VO, identified by a particular VOMS FQAN like /foo/Role=production.

First, it would be normal for that FQAN to be mapped to its own set of accounts and to configure the batch system for those accounts to have access to the queue, while denying other accounts for that VO.

Second, one should take care that the information system (BDII) reflects the restricted access, to prevent the WMS from considering the queue for jobs submitted by other groups in the VO: those jobs would fail immediately and lead to a waste of resources.

There are 2 information system objects to be configured according to the desired restriction: the GlueCE describing the generic properties of the queue and the GlueVOView describing the VO-specific properties.

YAIM allows that to be done through a corresponding definition of the Q_GROUP_ENABLE variable for the queue in question. For example, for a queue called "express" one can obtain access rules for the aforementioned role as well as the whole "ops" VO as follows:


Example result in the BDII

GlueCEAccessControlBaseRule: VOMS:/foo/Role=production
GlueCEAccessControlBaseRule: VO:ops
dn: GlueVOViewLocalID=/foo/Role_production,
GlueCEAccessControlBaseRule: VOMS:/foo/Role=production
dn: GlueVOViewLocalID=ops,,
GlueCEAccessControlBaseRule: VO:ops