Site Local Configuration Issues
Author(s): Heinz, Placi
Reviewer: to be specified
Last modified: 18.3.2009
ToDo(s):
Table of Contents
- Introduction
- Local Access for non VO Users
- Local Data Access for non VO Users (Data Management)
Introduction
Sites joining the Grid make substantial efforts to comply with the requirements, procedures and policies imposed by such an inter-organizational resource sharing endeavor. We must however ensure that their daily business is not disrupted and that local issues can be accommodated. This page collects local configuration issues that go beyond normal Grid operation but nevertheless might show up at several sites.
Local Data Access for non VO Users (Data Management)
The following use case describes a scenario with a single storage service provider and several groups consisting of one or more users located at different sites.
Basic Scenario
We assume that there is a single site that provides storage resources which are accessible via Grid transfer tools such as the ARC Storage Element. Several different user groups at different sites want to have read/write access to the Grid-enabled storage system.
Actors
- Storage provider (hosts the ARC storage/transfer service)
- User group: A user group consists of one or several users that want to transfer files to the Storage Provider. The users in the same group all have the same access rights and therefore want to write to the same directory at the storage provider.
There are different user groups at different sites. One user group is not allowed to write data into the directory of another group. Read access might be available for certain cases.
Current technology requirements
SMSCG release 1.1 foresees that each user is registered with a VO. Grid authentication only works properly if one obtains a VOMS proxy certificate.
Technical questions
- Do we create a single VO for such data transfers? If yes, can we assign the necessary roles/groups to satisfy the above requirements on access permissions?
- Can we allow users to be registered with a site without being part of a VO and not using voms-proxy-init?
- How to configure an ARC Storage System to allow for the given scenario? In clear text, the following should be supported:
  /data/group1 ... read/write access for all users in group1 ... potentially: read access for other groups
  /data/group2 ... read/write access for all users in group2
Solutions
- There is no need to create a separate VO since users can be added without using VOMS and VOs (see below).
- In order to allow a user to be authenticated, the user's full distinguished name (DN) needs to be added to the file /etc/grid-security/fqan_mappings.def together with the local user name it should be mapped to. For instance:
  "/O=GRID-FR/C=CH/O=SIB/OU=LAUSANNE/CN=First Last" userid
- The directory exported by the ARC gridftpd file plugin is configured in a [gridftpd/...] section; the following example maps each authenticated user onto its own home directory (%U stands for the local user name the DN was mapped to):
  [gridftpd/userhomes]
  plugin="fileplugin.so"
  path="/userhome"
  mount="/home/%U"
  dir="/ owner read cd dirlist delete create *:* 664:664 mkdir *:* 775:775"
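The DN-to-account mapping and the per-group directory rights described above, as an added Python model (not ARC's own code): it parses mapping lines in the fqan_mappings.def format quoted above and decides whether a mapped user may perform an operation below /data. The sample DNs, the account names group1/group2, and the rule that other groups get read-only access are constructed assumptions for this example.

```python
import posixpath
import shlex

# Constructed sample lines in the fqan_mappings.def format quoted above;
# the DNs and the local account names are made up for this example.
FQAN_MAPPINGS = '''
"/O=GRID-FR/C=CH/O=SIB/OU=LAUSANNE/CN=First Last" group1
"/O=GRID-FR/C=CH/O=SIB/OU=LAUSANNE/CN=Second User" group1
"/O=GRID-FR/C=CH/O=EXAMPLE/OU=BERN/CN=Third Person" group2
'''

# Operations named in the gridftpd dir="..." option above. Assumption for this
# example: a group has full rights in /data/<group>, other groups may only read.
OWN_DIR_OPS = {"read", "cd", "dirlist", "delete", "create", "mkdir"}
FOREIGN_DIR_OPS = {"read", "cd", "dirlist"}

def parse_mappings(text):
    """Return {DN: local account} from lines of the form "<quoted DN>" <account>."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # keeps the quoted DN (with spaces) as one field
        if len(fields) != 2:
            raise ValueError("malformed mapping line: %r" % line)
        dn, account = fields
        mapping[dn] = account
    return mapping

def check_access(mapping, dn, path, op):
    """Decide whether the certificate subject `dn` may perform `op` on `path`.
    Unmapped DNs are rejected: without a mapping the user is not authenticated."""
    account = mapping.get(dn)
    if account is None:
        return False
    # Normalise first so that "/data/group1/../group2" is judged as /data/group2.
    parts = posixpath.normpath(path).strip("/").split("/")
    if len(parts) < 2 or parts[0] != "data":
        return False
    allowed = OWN_DIR_OPS if parts[1] == account else FOREIGN_DIR_OPS
    return op in allowed

if __name__ == "__main__":
    m = parse_mappings(FQAN_MAPPINGS)
    dn = "/O=GRID-FR/C=CH/O=SIB/OU=LAUSANNE/CN=First Last"
    print(check_access(m, dn, "/data/group1/run1.dat", "create"))  # True
    print(check_access(m, dn, "/data/group2/run1.dat", "create"))  # False
    print(check_access(m, dn, "/data/group2/run1.dat", "read"))    # True
```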
