Context Navigation

General

Timestamp:: Jan 17, 2011, 12:34:18 AM (15 years ago)
Author:: /O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=Michel Jouvin
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

Doc/gLite/TemplateCustomization/General

-              v2
+              v3
 === Overriding default VO Parameters === #VOSpecificParams
+In addition to define [#VODefaultParams default values] for VO parameters, it is possible to override default VO parameters, as specified in templates located in [source:trunk/grid/glite-3.2/vo/params vo/params], with site-specific values. This is possible to do it on a per-VO basis or for all VOs configured on a machine. This is done using the same variable (nlist) as for [#VODefaultParams default parameters], `VOS_SITE_PARAMS`. To override default parameters for one specific VO, the key must be the VO name, as used in `VOS` variable. To override default parameters for all configured VOs, use special entry `LOCAL`.
+''Note: if a template `vo/site/VONAME` can be located, it'll be loaded even though there is no explicit entry for the VO into variable `VOS_SITE_PARAMS`.''
+In addition to define [#VODefaultParams default values] for VO parameters, it is possible to override default VO parameters, as specified in templates located in [source:trunk/grid/glite-3.2/vo/params vo/params], with site-specific values. This can be done on a per-VO basis or for all VOs configured on a machine, using the [#VODefaultParams previously described] variable (nlist), `VOS_SITE_PARAMS`:
+ * To override default parameters for one specific VO, the key must be the VO name, as used in `VOS` variable.
+ * To override default parameters for all configured VOs, use special entry `LOCAL`.
+The value can be either a nlist defining the site-specific parameters or a string referring to a template. When the entry for a VO is a nlist or is not defined, if a template `vo/site/`''voname'' can be located, it'll be loaded before applying parameters specified in `VOS_SITE_PARAMS`.''
 The allowed properties are the same as for [#VODefaultParams default parameters].
+''Note: some properties are invalid in the context of the `LOCAL` entry (as with `DEFAULT`), in particular: `account_prefix`, `base_uid`, `gid`, `name`, `voms_servers`, `voms_roles`.''
+For example, to define a site-specific WMS for VO Alice, create a template `vo/site/alice.tpl` in your site directory like :
+''Note: some properties are invalid in the context of the `LOCAL` entry (as with `DEFAULT`), in particular: `account_prefix`, `base_uid`, `gid`, `name`, `voms_servers`, `voms_mappings`.''
+The site-specific parameters are merged with default ones for each VO. They never replace default parameters. In particular, for `voms_servers` and `voms_mappings`, attributes specified into site-specific parameters are merged with attributes specified in the standard parameters for the same VOMS server or VOMS mapping. Site parameters need only to specify non default attributes, not the whole list of servers or roles with all their attributes.
+For `voms_servers`, if the entry in site-specific parameters has the attribute `host` defined and if there is not matching entry in standard parameters, a new VOMS server is added. If the entry in site parameters has no `host` attribute defined but the `name` attribute is present, the site parameters are taken into account only if there is a matching entry in standard parameters.
+For example, to define a site-specific WMS for VO Alice, the recommended solution is to create a template `vo/site/alice.tpl` in your site directory like :
 {{{
 structure template vo/site/alice;
 …
 === Site-specific parameters for VOMS role accounts === #VOMSSiteParams
 VOs often define roles in VOMS for specific purposes. For example, the ATLAS VO defines the role `production` which can only be used by users allowed to run production jobs. The roles defined for a VO are automatically retrieved by the `update.vo.config` and task. By default, a single account with an arbitrary suffix is automatically generated for each role found. For example, the following is an extract of the accounts generated for roles in the ATLAS VO:
 {{{
 "voms_roles" ?= list(
+VOs often define roles in VOMS for specific purposes. For example, the ATLAS VO defines the role `production` which is used by users in charge of running production jobs. The roles defined for a VO in its VO ID card (see https://cic.gridops.org) are automatically retrieved by the SCDB `update.vo.config` ant task. By default, a single account with an arbitrary suffix is automatically generated for each role found. For example, the following is an extract of the mapping information generated for roles in the ATLAS VO:
+{{{
+"voms_mappings" ?= list(
      nlist("description", "SW manager",
        "fqan", "/atlas/Role=lcgadmin",
 …
 }}}
+A particular site may wish to define its own parameters for a particular VOMS role. This can be done with nlist variable VOMS_ROLE_CONFIG_SITE. In this variable the key is a VO name and the value a nlist where the key is the role. The value of this second nlist has the same format as `VOS_SITE_PARAMS`.
+In this example, the Atlas role `production` is configured to use pool accounts:
+{{{
+variable
+  VOMS_ROLE_CONFIG_SITE =
+   nlist("atlas",                            # VO
+     nlist(escape("/atlas/Role=production"),             # role FQAN
+        nlist("pool_size", 20,
+              "suffix", "prd") ));
+}}}
+To use pool accounts with all the specific FQANs declared in VO parameters, using the same number of accounts in the pool for each FQAN, it is possible to define propery `fqan_pool_size` in the [#VOSpecificParams VO-specific] entry or in the [#VODefaultParams DEFAULT] entry of `VOS_SITE_PARAMS` variable. For example, to use pool accounts for each specific FQAN of each VO, creating 10 accounts per FQAN, except for Atlas where 20 accounts per FQAN are created:
+A particular site may wish to define its own parameters for a particular VOMS role. This can be done easily defining the attribute `voms_mappings` in VO site-specific parameters. If the entry in site-specific parameters has the attribute `fqan` defined and if there is not matching entry in standard parameters, a new VOMS mapping is added at the end of the list of standard mappings. If the entry in site parameters has no `fqan` attribute defined but the `description` attribute is present, the site parameters are taken into account only if there is a matching entry in standard parameters.
+''Note: in previous versions of the QWG templates, there used to be a variable VOMS_ROLE_CONFIG_SITE to do the site-specific configuration of VOMS mappings. This variable is now ignored and must be replaced by `voms_mappings` definition into VO site-specific parameters, as explained above.''
+For each mapping, in addition to the standard attributes (`description`, `fqan`, `suffix`, `suffix2`), the following attributes can be used:
+ * `enabled`. When defined to `false`, the matching mapping in standard templates is ignored.
+ * `pool_size`: if greater than 1, the number of pool accounts to create for this mapping. If 1, disable the use of pool accounts for this mapping.
+For example, to configure the CMS role `production` to use pool accounts (with 20 accounts) and disable the role `t1production`, you may add the following to your `vo/site/cms.tpl` (or directly in `VOS_SITE_PARAMS` variable):
+{{{
+'voms_mappings' = list(
+     nlist('description', 'production',
+           'pool_size', 20,
+          ),
+     nlist('fqan', '/cms/Role=t1production',
+           'enabled', false,
+          ),
+);
+}}}
+To use pool accounts with all the specific FQANs declared in VO parameters, using the same number of accounts in the pool for each FQAN, it is possible to define propery `fqan_pool_size` in the [#VOSpecificParams VO-specific] entry or in the [#VODefaultParams DEFAULT] entry of `VOS_SITE_PARAMS` variable. In addition, it is possible to exclude the use of pool accounts for the software manager (as it has implications on software area permissions), even if pool accounts are enabled for other FQANs, by defining VO attribute `swmgr_pool_accounts_disabled` to `true`, either in a [#VOSpecificParams VO-specific] entry or in the [#VODefaultParams DEFAULT] entry.
+For example, to use pool accounts for each specific FQAN (except software manager) of each VO, creating 10 accounts per FQAN, except for Atlas where 20 accounts per FQAN are created:
 {{{
 variable VOS_SITE_PARAMS ?= nlist(
+  'DEFAULT', nlist('fqan_pool_size', 10),
+  'DEFAULT', nlist('fqan_pool_size', 10,
+                   'swmgr_pool_accounts_disabled, true,
+                  ),
   'atlas',   nlist('fqan_pool_size', 20),
 );
 …
 === Mapping of VOMS groups/roles into grid-mapfile ===
+=== Mapping of VOMS groups/roles into grid-mapfile === #VOMS-gridmapfile
 grid-mapfile is used as a source of mapping information between users DN and Unix accounts when this cannot be obtained from VOMS.
 …
 LCAS and LCMAPS are 2 underlying services, generally used together, by most grid services to manage authorization and user mapping. LCAS is responsible for managing authorization based on configured policies (banned users, timeslots permitted...) and LCMAPS is responsible for mapping a grid DN to a Unix user account.
 LCMAPS configuration is based on VO configured and on VOMS [#VOMSSiteParams group/role mapping] rules.
+LCMAPS configuration is based on VO configured and on VOMS [#VOMS-gridmapfile group/role mapping] rules.
 LCAS can be configured with the following variables to restrict access to a grid resource like a CE: