Changes between Version 1 and Version 2 of Doc/gLite/TemplateCustomization/Services
- Timestamp:
- Jan 17, 2011, 12:37:04 AM (13 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Doc/gLite/TemplateCustomization/Services
v1 v2 39 39 }}} 40 40 41 In addition, when using several CEs with the same WNs, it is necessary to configure a [ #SharedGridmapdir shared gridmapdir]. This is '''required''' to ensure consistency of DN/userid mapping across CEs.41 In addition, when using several CEs with the same WNs, it is necessary to configure a [/wiki/Doc/gLite/TemplateCustomization/General#SharedGridmapdir shared gridmapdir]. This is '''required''' to ensure consistency of DN/userid mapping across CEs. 42 42 43 43 === CREAM CE Specific Configuration === #CREAMConfig … … 255 255 === Restricting Access to CEs === 256 256 257 It is possible to ban some users or restrict time slots when the CEs are open for grid usage using LCAS middleware component. QWG allows to easily [ #LCAS-LCMAPS configure them].257 It is possible to ban some users or restrict time slots when the CEs are open for grid usage using LCAS middleware component. QWG allows to easily [/wiki/Doc/gLite/TemplateCustomization/General#LCAS-LCMAPS configure them]. 258 258 259 259 === Home Directory Purging === … … 639 639 The VOBOX is a machine '''dedicated to one VO''' running VO-specific services. In addition to the VO-specific services, this machine runs a service called ''proxy renewal'' in charge of renewing the grid proxy used by VO-specific services. 640 640 641 This is critical for the security to restrict the number of people allowed access to the VOBOX. By default, only people with the VO SW manager role can log into the VO box. To change this configuration, refer to section on [ #MappingofVOMSgroupsrolesintogrid-mapfile VOMS groups/roles mapping], but be sure you really need to allow other roles as it can give unwanted users access to privilege services.641 This is critical for the security to restrict the number of people allowed access to the VOBOX. By default, only people with the VO SW manager role can log into the VO box. To change this configuration, refer to section on [/wiki/Doc/gLite/TemplateCustomization/General#MappingofVOMS-gridmapfile VOMS groups/roles mapping], but be sure you really need to allow other roles as it can give unwanted users access to privilege services. 642 642 643 643 The configuration templates for the VOBOX enforce there is only one VO configured for acess to VOBOX-specific services. This VO must be declared using the `VOS` variable, as for other machine types. If you want to give other VOs access to the VOBOX for the management and operation of the VOBOX, you need to explicitly allow them using the variable `VOBOX_OPERATION_VOS`. This variable is a list of VOs considered as operation VOs. By default, this list is only VO `ops`. If the VOs listed in this variable are not listed in `VOS`, they are automatically added. 644 644 645 Only the enabled VO has a `gsissh` access to the VOBOX by default. If you want the operation VOs to also be enabled for `gsissh` access to the VOBOX, you need to define variable `VOBOX_OPERATION_VOS_GSISSH` to `true` in the VOBOX profile. Only the FQAN enabled by [ #MappingofVOMSgroupsrolesintogrid-mapfile VO_VOMS_FQAN_FILTER] will be enabled for each VO (default: SW manager).645 Only the enabled VO has a `gsissh` access to the VOBOX by default. If you want the operation VOs to also be enabled for `gsissh` access to the VOBOX, you need to define variable `VOBOX_OPERATION_VOS_GSISSH` to `true` in the VOBOX profile. Only the FQAN enabled by [/wiki/Doc/gLite/TemplateCustomization/General#MappingofVOMS-gridmapfile VO_VOMS_FQAN_FILTER] will be enabled for each VO (default: SW manager). 646 646 647 647 ''Note: if you add `dteam` VO to operation VOs and enable `gsissh` access for operation VOs, be sure to restrict the people who will be allowed interactive access to the VOBOX, as `dteam` is a very large VO with people from every grid site.''