Changes between Version 131 and Version 132 of Doc/gLite/TemplateCustomization


Timestamp: Sep 22, 2009, 8:01:39 PM (16 years ago)
Author: /O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=Michel Jouvin
Comment:

--

  • Doc/gLite/TemplateCustomization

    v131 v132  
    281281grid-mapfile is used as a source of mapping information between users DN and Unix accounts when this cannot be obtained from VOMS.
    282282
    283 Default behaviour for describing user mapping in grid-mapfile used to be to map users with a specific role to the account corresponding to this role. Unfortunatly, the result is unpredictable if a user has several roles in the VO. The default in QWG templates, starting with release [milestone:gLite-3.0.2-12 gLite-3.0.2-12], is to always map users to normal users in grid-mapfile. To obtain a mapping based on a specific role, users have to get a proxy with the required VOMS extensions using `voms-proxy-init --voms`.
    284 
    285 To revert to previous behaviour, you need to define variable `VO_GRIDMAPFILE_MAP_VOMS_ROLES` to `true` in your machine profile or one of your site specific templates.
     283Default behaviour for describing user mapping in grid-mapfile used to be mapping users with a specific role to the account corresponding to this role. Unfortunatly, the result is unpredictable if a user has several roles in the VO. The default in QWG templates, starting with release [milestone:gLite-3.0.2-12 gLite-3.0.2-12], is to always map users to normal users in grid-mapfile. To obtain a mapping based on a specific role, users have to get a proxy with the required VOMS extensions using `voms-proxy-init --voms`.
     284
     2852 variables allow to modify this default behaviour for generating grid-mapfile:
     286 * `VO_GRIDMAPFILE_MAP_VOMS_ROLES`: when set  to `true`, a grid-mapfile entry is added for each valid VO FQANs in addition to the VO members.
     287 * `VO_GRIDMAPFILE_FQAN_FILTER`: this nlist allows to define on a per-VO basis what are the VOMS FQANs to add to the grid-mapfile. The key is a VO name or `DEFAULT` for the default entry. Default entry if present is applied to all VOs without an explicit entry. If there is no entry for a VO and there is no default entry defined, all VO users and valid FQANs are added to the grid-mapfile. This variable is ignored if `VO_GRIDMAPFILE_MAP_VOMS_ROLES` is not true. The entry value must be either a FQAN declared in VO parameters (without the initial /voname), a VOMS mapping description as declared in the VO parameters or undef to allow all users and valid FQAN. '/' is interpreted as all normal users (without a specific group or role).
     288 
     289 These 2 variables are mainly used on VO boxes.
    286290
    287291== Allocation of Service Accounts ==
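Review bot: In new line 287, the fallback for `VO_GRIDMAPFILE_FQAN_FILTER` is permissive: with no entry for a VO and no `DEFAULT` entry, "all VO users and valid FQANs are added to the grid-mapfile", and `undef` has the same effect. Since line 289 says these variables are mainly used on VO boxes, where the grid-mapfile decides who gets an account, this fail-open case deserves its own sentence rather than sitting in the middle of the bullet. The bullet also gives three possible forms for the entry value (an FQAN without the initial /voname, a VOMS mapping description, or undef) plus the special '/', but no example, and it does not say whether a VO entry holds a single value or a list; a short sample nlist with one explicit VO and a `DEFAULT` key would remove the ambiguity. Removed line 285 told the reader where to define `VO_GRIDMAPFILE_MAP_VOMS_ROLES` ("in your machine profile or one of your site specific templates"); that guidance is gone from the new text and should be restored for both variables. Minor: "Unfortunatly" is carried over unchanged into new line 283, and "2 variables allow to modify" in line 285 would read better as "Two variables modify".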
     
    908912__Base template__ : `machine-types/vobox`.
    909913
    910 There is no specific variable to configure a VOBOX. Most of the configuration variables available for the UI, in particular those related to gsissh server, apply for VOBOX too.
     914Most of the configuration variables available for the UI, in particular those related to gsissh server, apply for VOBOX too.
     915
     916To control access to the VO box, see section on [#MappingofVOMSgroupsrolesintogridmapfile VOMS groups/roles mapping]. By default, only VO SW manager and production role can log into the VO box.
    911917
    912918== UI ==
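Review bot: New line 916 states that "By default, only VO SW manager and production role can log into the VO box", but the section it links to (as edited in this same revision) says the template default is to map all users to normal accounts and that `VO_GRIDMAPFILE_FQAN_FILTER` is ignored unless `VO_GRIDMAPFILE_MAP_VOMS_ROLES` is true. The VO box default therefore has to come from values set by `machine-types/vobox`, and the text does not say what they are. Please state which values of the two variables the VO box template applies, so a site administrator can check who is able to log in and knows what a site-level override replaces. The removed sentence "There is no specific variable to configure a VOBOX" is dropped without a replacement; a one-line pointer naming the two variables here would keep this section self-contained.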