guide:Users
From Dgiref
Configuration
CA-certificates update
All nodes except the torque and NFS server must have a current version of the CA certificates available. In the D-Grid reference installation this update is done by the cfengine automated configuration tool. To set it up, install the Cfengine client using the instructions here and configure it as here.
Users / VOs update
To enable all new users and VOs to access the grid services, all nodes except the torque and NFS server must have a current version of the passwd and group files. In the D-Grid reference installation this update is done by the cfengine automated configuration tool. To set it up, install the Cfengine client using the instructions here and configure it as here.
Authorization
Introduction
The Virtual Organisation Membership Service (VOMS) is a system which allows a proxy to have extensions containing information about the VO, the groups the user belongs to in the VO, and any roles the user is entitled to have. The groups and roles are defined by each VO; they may be assigned to a user at the initial registration, or added subsequently. In VOMS terminology:
- a group is a subset of the VO containing members who share some responsibilities or privileges in the project. Groups are organised hierarchically like a directory tree, starting from a VO-wide root group. A user can be a member of any number of groups, and a VOMS proxy contains the list of all groups the user belongs to, but when the VOMS proxy is created the user can choose one of these groups as the "primary" group.
- a role is an attribute which typically allows a user to acquire special privileges to perform specific tasks. In principle, groups are associated to privileges that the user always has, while roles are associated to privileges that a user needs to have only from time to time. Note that roles are attached to groups, i.e. roles in different groups with the same role name are distinct.
To map groups and roles to specific privileges, what counts is the group/role combination, which is sometimes referred to as a Fully Qualified Attribute Name (FQAN). The format is:
FQAN = <group name>[/Role=<role name>], for example, /cms/HeavyIons/Role=production.
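The following is an added example, not code from the D-Grid reference installation or from VOMS: a strict parser for the FQAN format above and a lookup that matches on the exact group/role combination. The allowed character set, the `POLICY` table, the account names `cmsprd` and `cmsusr`, and the function names are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Assumption: name components are limited to letters, digits, '_', '.' and '-'.
_NAME = r"[A-Za-z0-9_.-]+"
_FQAN_RE = re.compile(rf"(?P<group>(?:/{_NAME})+)(?:/Role=(?P<role>{_NAME}))?")


class FQAN(NamedTuple):
    group: str            # full group path, e.g. "/cms/HeavyIons"
    role: Optional[str]   # None when the FQAN carries no role

    @property
    def vo(self) -> str:
        # The root group of the hierarchy is the VO itself.
        return self.group.split("/")[1]


def parse_fqan(text: str) -> FQAN:
    """Parse <group name>[/Role=<role name>]; reject anything else."""
    m = _FQAN_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"malformed FQAN: {text!r}")
    return FQAN(m.group("group"), m.group("role"))


# Hypothetical policy: exact (group, role) combination -> local account.
POLICY = {
    ("/cms/HeavyIons", "production"): "cmsprd",
    ("/cms/HeavyIons", None): "cmsusr",
    ("/cms", None): "cmsusr",
}


def map_account(fqans, policy=POLICY) -> Optional[str]:
    """Return the account for the first FQAN with a policy entry.

    The list is taken in proxy order, primary group first. Matching is on
    the whole group/role pair, so a role name granted in one group gives
    nothing in another. A malformed FQAN raises and nothing is mapped.
    """
    parsed = [parse_fqan(f) for f in fqans]   # validate all before matching
    for fqan in parsed:
        account = policy.get((fqan.group, fqan.role))
        if account is not None:
            return account
    return None
```

Because the key is the whole pair, `/cms/Role=production` does not inherit the account mapped to `/cms/HeavyIons/Role=production`, which reflects the rule that roles with the same name in different groups are distinct.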
