From Akos.Frohner@cern.ch Thu Nov 13 10:59:30 2003
Date: Tue, 11 Nov 2003 15:23:29 +0100
From: FROHNER Akos
To: Zdenek Sekera
Cc: Maria Dimou, Di Qing, Markus Schulz, Ian Neilson, Chih-Chiang Chang, Maarten Litmaath, Marco Serra, Ian Bird, David Groep
Subject: Re: decisions/actions from the VOMS discussion (fwd)

Dear All,

Follow-up on the topics of "VOMS vs. gridftp" and "unix groups from VO groups"
(http://cern.ch/dimou/lcg/voms.2003-10-29.html).

David Groep wrote:
| I expect the GridFTP patch to be about 1 week worth of code analysis,
| coding and making the patch, PLUS about 1 week of testing, by someone
| familiar with the LCMAPS interface and the Globus build framework.
| (that's half a man-month in total). Then the patch needs to be integrated
| in the VDT distribution and tested again.
|
| The JR is still 4-6 weeks of coding and testing away (so about a full
| 1-1.5 man-month by a similarly qualified person).

JR is JobRepository --- see the emails below.

Please tell your priorities to David (Cc-d)!

(my opinion: the gridftp patch is simpler and easier to deploy, because it
only affects an existing service, unlike JR, which requires a new DB and
service on the CE. The gridftp patch would also help solve the lack of more
sophisticated authorization in an SE for the basic cases)

Cheers,
Ákos

On Sun, 2003-11-09 14:18:18 +0100, David Groep wrote:
> Hi Akos,
>
> Wouldn't "groups (1)" do the trick for you? The first groupname
> returned is your primary gid, the rest are the supplementary gids
> for this process.
>
> Also, in a few weeks, the JobRepository will be available. This
> database will record everything you ever wanted to know about
> your job but were afraid to ask. Like: for this batch job, what
> is the current list of VO group names (as seen from the VOMS
> cert extension); what is the cert chain back to the CA; etc. etc.
> We are experimenting with the scalability of the Job Repository
> right now (how many jobs per second can a CE enter into the JobRep
> database, database size vs. time, etc).
>
> Oscar can give you the preliminary database schema we have in mind.
> The job can retrieve this information via a JobRep handle that is
> passed to the job via the environment (like the GASS-URL and
> jobmanager ID).
>
> DavidG.
>
> At 22:37 08-11-03, FROHNER Akos wrote:
> >Hi David and Martijn,
> >
> >I was talking with some LCG guys about the actual deployment
> >steps around VOMS and the related components. One point was
> >the configuration and usage of LCAS and LCMAPS.
> >
> >They understood the configuration and the mapping process,
> >but there is a small problem: a job running on the worker
> >node wants to change the group of a file to a mapped VO group.
> >For example a CMS job wants to make the output file readable
> >by the /CMS/Production group.
> >
> >How can they figure out the UNIX groupname on the WN?
> >(the LCMAPS configuration may be different on every site)
> >Is there a tool for this?
> >
> >I can imagine a simple program, which uses the LCMAPS
> >library and the LCMAPS configuration file to return the
> >UNIX groupname as it happened at the job entering the site.
> >But I don't know if such a program exists, or if it is feasible.
> >(e.g. is the LCMAPS lib installed on WNs and is the LCMAPS
> >config readable for jobs?)
> >
> >
> >For the background:
> >
> >After evaluating the possibilities we decided to set a simple
> >goal: only two or three mapped VO groups per VO. LCG cannot
> >deploy that dynamic mapping solution via LDAP nameservices
> >to all the farms, so they have to prepare them with some
> >statically configured pools, with all the possible
> >combinations of all the possible VO groups mapped into UNIX
> >groups. Supporting more than 3 groups would lead to too many
> >groups quickly.
> >
> >Cheers,
> > Ákos
> >--
> >FROHNER Ákos/CSO/IT/CERN -- http://cern.ch/hep-project-grid-scg
>
> --
> David Groep
>
> ** National Institute for Nuclear and High Energy Physics, Grid/VL group
> **
> ** Room: H1.57 Phone: +31 20 592 2179, PObox 41882, NL-1009 DB Amsterdam NL
> **

On Sun, 2003-11-09 18:28:35 +0100, FROHNER Akos wrote:
> Hi David,
>
> On Sun, 2003-11-09 14:18:18 +0100, David Groep wrote:
> > Wouldn't "groups (1)" do the trick for you? The first groupname
> > returned is your primary gid, the rest are the supplementary gids
> > for this process.
>
> No, it is not enough. It is exactly one of the secondary groups
> we are interested in. For example the job arrives with
> /CMS
> /CMS/User
> /CMS/Role=Production
>
> You map them at one site into 'cms', 'cmsuser' and 'cmsprod' groups.
> The primary group will be 'cms', but it is not sufficient if the
> job wants to make the output files writeable by /CMS/Role=Production.
> (assuming that the order of VO and UNIX groups is not predictable)
> I expect something like this (running on the WN):
>
> prodgroup=`edg-lcmaps-vo-to-unix '/CMS/Role=Production'`
> echo "Hi David!" >output.file
> chmod g+w output.file
> chgrp $prodgroup output.file
>
> For the implementation we were also thinking of LCMAPS putting
> these mappings in environment variables, which would be sent with
> the job by the jobwrapper. We can also imagine a small mapping file,
> like the brokerinfo was, which also travels with the job to the WN.
>
> > Also, in a few weeks, the JobRepository will be available. This
> > database will record everything you ever wanted to know about
> > your job but were afraid to ask. Like: for this batch job, what
> > is the current list of VO group names (as seen from the VOMS
> > cert extension); what is the cert chain back to the CA; etc. etc.
> > We are experimenting with the scalability of the Job Repository
> > right now (how many jobs per second can a CE enter into the JobRep
> > database, database size vs. time, etc).
> >
> > Oscar can give you the preliminary database schema we have in mind.
> > The job can retrieve this information via a JobRep handle that is
> > passed to the job via the environment (like the GASS-URL and
> > jobmanager ID).
>
> So in the example above that theoretical edg-lcmaps-vo-to-unix command
> could ask the JobRepository for the UNIX groupname for a given VO group?
> That seems to be fine.
>
> Does this mean another service on the CE? If yes, then who could contact
> that service and access the information for a given job?
>
> Cheers,
> Ákos
>
> PS: I am afraid Oscar's email address was cut off.

On Mon, 2003-11-10 09:21:58 +0100, David Groep wrote:
> Hi Akos,
>
> At 18:28 09-11-03, FROHNER Akos wrote:
> >[... lots of interesting text ...]
> >
> >So in the example above that theoretical edg-lcmaps-vo-to-unix command
> >could ask the JobRepository for the UNIX groupname for a given VO group?
> >That seems to be fine.
>
> You can do that, as long as you are "inside the job", i.e. have access
> to the JobRepository ID as issued to you via the job environment.
> The generic table "(uid,pgid,sgid*)" -> VOMS-triplet is not indexed in
> the Job Repository and thus harder to extract.
> But you need this mapping only whilst executing your job, and there you
> have the JRID available.
> So indeed, this will do the job.
>
> >Does this mean another service on the CE? If yes, then who could contact
> >that service and access the information for a given job?
>
> The "service" is an ODBC entrypoint to the database, and you can only
> retrieve job information based on your own unique JRID (passed to you
> via the environment of the job). There are no provisions for access control
> to the JR (apart from you having to guess the valid and proper JRID).
> That will be for a next release :-) ....
> EGEE time, I think.
>
> Cheers,
> DavidG.
>
>
> >PS: I am afraid Oscar's email address was cut off.
>
> I bounced your mail to Oscar, and he is now properly CCed at
> "Oscar Koeroo"
>
>
> --
> David Groep
>
> ** National Institute for Nuclear and High Energy Physics, Grid/VL group
> **
> ** Room: H1.57 Phone: +31 20 592 2179, PObox 41882, NL-1009 DB Amsterdam NL
> **

--
FROHNER Ákos/CSO/IT/CERN -- http://cern.ch/hep-project-grid-scg
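As an added example, not code from the thread or from the LCMAPS project, here is what the "small mapping file that travels with the job" variant sketched in the 9 Nov reply could look like on the WN: a constructed per-job map (file name, format and the LCMAPS_VO_MAP variable are assumptions), a lookup standing in for the hypothetical edg-lcmaps-vo-to-unix command, and a membership check so the job fails closed instead of leaving the output file in an unintended group when the site did not map that FQAN to one of the job's groups.

```shell
#!/bin/sh
# Constructed stand-in for the per-job mapping file the jobwrapper would ship
# to the WN. Assumed format: "<VOMS FQAN> <UNIX group>", one pair per line.
LCMAPS_VO_MAP="${LCMAPS_VO_MAP:-$(mktemp)}"
cat >"$LCMAPS_VO_MAP" <<'EOF'
/CMS                 cms
/CMS/User            cmsuser
/CMS/Role=Production cmsprod
EOF

# vo_to_unix FQAN: print the UNIX group this site mapped FQAN to; exit 1 if
# there is no mapping. Plays the role of the hypothetical edg-lcmaps-vo-to-unix.
vo_to_unix() {
    awk -v fqan="$1" '
        $1 == fqan { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }' "$LCMAPS_VO_MAP"
}

# group_is_member GROUP [GROUPLIST]: succeed only if GROUP is one of the
# process's groups (default: output of id -Gn), i.e. a group LCMAPS actually
# gave this job, so we never try to hand a file to a group we do not hold.
group_is_member() {
    _grp=$1; _list=${2:-$(id -Gn)}
    for _g in $_list; do
        [ "$_g" = "$_grp" ] && return 0
    done
    return 1
}

# share_with_vo_group FILE FQAN [GROUPLIST]: make FILE group-writable for the
# UNIX group mapped from FQAN. Returns 2 (and leaves FILE untouched) when the
# mapping is missing or the job is not a member of the mapped group.
share_with_vo_group() {
    _grp=$(vo_to_unix "$2") || { echo "no mapping for $2" >&2; return 2; }
    group_is_member "$_grp" "${3:-}" \
        || { echo "not a member of $_grp (mapped from $2)" >&2; return 2; }
    chgrp "$_grp" "$1" && chmod g+w "$1"
}
```

chgrp itself refuses a group the process does not hold, but checking first gives the job a clear diagnostic that names the FQAN, which is what a site admin needs when the static pool mapping and the job's expectation disagree.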