SIMPLE SOLUTIONS

ARC-VOMSAC-CHECK(8) - Linux man page online | Administration and privileged commands

ARC VOMS AC-based queue policy enforcing plugin.

Chapter
2011-11-17
arc-vomsac-check(8) NorduGrid Toolkit arc-vomsac-check(8)

NAME

arc-vomsac-check - ARC VOMS AC-based queue policy enforcing plugin

DESCRIPTION

ARC VOMS AC-based queue policy enforcing plugin perfors per-queue authorization based on information stored in VOMS AC.

SYNOPSIS

arc-vomsac-check [-N] -P <user proxy> -L <A-REX local> [-c <configfile>] [-d <loglevel>]

OPTIONS

-N treat absence of VOMS AC as allowed access (deny by default) -P user proxy path to user proxy certificate file to get VOMS AC from -L A-REX local A-REX jobstatus .local file (used to determine submission queue) -c configfile plugin configuration file (/etc/arc.conf will be used by default) -d loglevel logging level from 0(ERROR) to 5(DEBUG) GETTING A-REX TO WORK WITH PLUGIN You must attach plugin as handler for ACCEPTED state: authplugin="ACCEPTED 60 /opt/arc/libexec/arc/arc-vomsac-check -L %C/job.%I.local -P %C/job.%I.proxy"

CONFIGURATION

Queue policies need to be written into plain text configuration file of the same format as arc.conf. The plugin expects several configuration blocks for every queue identified by [queue] or [queue/name] section. The attribute value pairs identified by 'ac_policy' keyword within a queue configuration block represent rules for allowing or denying users to utilize queue. These rules are pro‐ cessed in order of specification. The first rule that matches the VOMS AC presented by a user stops further processing of remaining rules in the block. If no one rule mathes VOMS AC, access is denied. If no 'ac_policy' rules supplied in the queue block, access is granted. Matching rules has the following format: ac_policy="[+/-]VOMS: <mathing FQAN>" Prepending '+' indicate positive match (users with FQAN match are allowed). Prepending '-' or '!' indicate negative match (users with FQAN match are prohibited). Without any prefix character, rule is treated as positive match. FQAN format can be specified either in ARC format or general VOMS format: '/VO=stu‐ dents/Group=physics/Role=production' is the same as '/students/physics/Role=production' or '/students/Group=physics/Role=production/Capability=NULL' or any other combinations. Regalar expressions syntax can be used in FQAN specification.

EXAMPLE CONFIGURATION

[queue/general] ac_policy="-VOMS: /students/Role=production" ac_policy="-VOMS: /students/Group=nosubmission" ac_policy="VOMS: /VO=students" [queue] name="production" ac_policy="VOMS: /students/Role=production" ac_policy="-VOMS: /badvo" ac_policy="VOMS: /.*/Role=production" In the example configuration, queue "general" can NOT be used by VO "students" users with Role "production" and VO "students" "nosubmission" Group. It CAN be used by any other mem‐ bers of VO "students". Queue "production" allow access to VO "students" users with Role "production", prohibit some VO "badvo" and allow any VO users with Role "production". First rule may be omitted due to common regex.

AUTHOR

Andrii Salnikov <manf at grid dot org dot ua>
NorduGrid 5.4.2 2011-11-17 arc-vomsac-check(8)
Download raw manual
Main page NorduGrid Toolkit (+7) NorduGrid 5.4.2 (+7) № 8 (+5755)
Go top