From: Zdeněk Šustr Date: Wed, 15 Jun 2011 14:43:20 +0000 (+0000) Subject: New FAQ on WMS and LB_SUPER_USERS X-Git-Tag: glite-lb-doc_R_1_2_9_1~7 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=ed8b1f42b35b5f4130b15b8b52f583570e75fcf3;p=jra1mw.git New FAQ on WMS and LB_SUPER_USERS --- diff --git a/org.glite.lb.doc/src/LBAG-Installation.tex b/org.glite.lb.doc/src/LBAG-Installation.tex index c3bc5a4..76bb361 100644 --- a/org.glite.lb.doc/src/LBAG-Installation.tex +++ b/org.glite.lb.doc/src/LBAG-Installation.tex @@ -224,11 +224,11 @@ According to local retention policy you may want to use different purge timeouts Authorization: \begin{itemize} -\item \texttt{GLITE\_LB\_SUPER\_USERS} -- additional super-users (default: empty) -\item \texttt{GLITE\_LB\_WMS\_DN} -- DNs of WMS servers (default: empty) +\item \texttt{GLITE\_LB\_SUPER\_USERS} -- additional super-users (default: empty)\footnote{The use of this parameter is a FAQ. See section \ref{FAQ:WMS_superusers}.} +\item \texttt{GLITE\_LB\_WMS\_DN} -- DNs of WMS servers (default: empty)\footnotemark[\thefootnote] \item \texttt{GLITE\_LB\_RTM\_DN} -- DNs using to get notifications from \LB server\\ (default: \texttt{heppc24.hep.ph.ic.ac.uk} machine certificate) -\item \texttt{GLITE\_LB\_AUTHZ\_} -- more detailed tuning of access grants, see Section~\ref{inst:authz} (default: empty, '.*' for logging and job registrations) +\item \texttt{GLITE\_LB\_AUTHZ\_} -- more detailed tuning of access grants, see Section~\ref{inst:authz} (default: empty, '\texttt{.*}' for logging and job registrations) \end{itemize} Additional helper or legacy parameters: diff --git a/org.glite.lb.doc/src/faq.tex b/org.glite.lb.doc/src/faq.tex index 9fb76d0..64e8c52 100644 --- a/org.glite.lb.doc/src/faq.tex +++ b/org.glite.lb.doc/src/faq.tex 
@@ -22,3 +22,56 @@ Jobs stay in state \emph{Running} until a \emph{Done} event is received from the workload management system. \emph{Done} events from local resource managers are not enough since the job in question may have been resubmitted in the meantime. +\subsection{WMS Cannot Purge Jobs or Perform Other Privileged Tasks} +\label{FAQ:WMS_superusers} + +In short, WMS has not been given adequate permissions when configuring the \LB server. You need to modify your configuration and restart the server: + +\subsubsection{For \LBver {3.0.11 or higher}, using YAIM} +\label{FAQ:WMS_superusers_3_0_11} +Modify your \texttt{siteinfo.def}, specifying the DN of your WMS server in YAIM parameter \texttt{GLITE\_LB\_WMS\_DN}; for instance: + +\begin{center} +\texttt{GLITE\_LB\_WMS\_DN=/DC=cz/DC=cesnet-ca/O=CESNET/CN=wms01.cesnet.cz} +\end{center} + +Then rerun YAIM: +\texttt{/opt/glite/yaim/bin/yaim -c -s site-info.def -n glite-LB} + + This will give your WMS exactly the right permissions to carry out all required operations. + +\subsubsection{For all versions of \LB, using YAIM} + +Modify your \texttt{siteinfo.def}, specifying the DN of your WMS server in YAIM parameter \texttt{GLITE\_LB\_SUPER\_USERS}; for instance: + +\begin{center} +\texttt{GLITE\_LB\_SUPER\_USERS=/DC=cz/DC=cesnet-ca/O=CESNET/CN=wms01.cesnet.cz} +\end{center} + +Then rerun YAIM: +\texttt{/opt/glite/yaim/bin/yaim -c -s site-info.def -n glite-LB} + +This will give your WMS adequate rights to perform its operations and requests (running purge, querying for statistics, etc.) but it will also grant it additional administrator rights (such as granting job ownership). On newer installations, the method explained in section \ref{FAQ:WMS_superusers_3_0_11} is preferrable. 
+ +\subsubsection{For \LBver {2.1 or higher}, without YAIM} + +\LB{}'s authorization settings can be found in file \texttt{[/opt/glite]/etc/glite-lb/glite-lb-authz.conf} + +Permit actions \texttt{PURGE} and \texttt{READ\_ALL} for your WMS and restart the \LB server. +This will lead to results equivalent to \ref{FAQ:WMS_superusers_3_0_11}. +For instance, change the adequate sections in \texttt{glite-lb-authz.conf} to: + +\begin{verbatim} +action "READ_ALL" { + rule permit { + subject = "/DC=cz/DC=cesnet-ca/O=CESNET/CN=wms01.cesnet.cz" + } +} + +action "PURGE" { + rule permit { + subject = "/DC=cz/DC=cesnet-ca/O=CESNET/CN=wms01.cesnet.cz" + } +} +\end{verbatim} +
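Review bot: In the LBAG-Installation.tex hunk, the footnote added to GLITE_LB_SUPER_USERS (and reused for GLITE_LB_WMS_DN through \footnotemark[\thefootnote]) only says that the parameter "is a FAQ", so a reader of the installation guide still cannot tell that the two parameters grant different privilege levels. Since the FAQ text added in this same commit says that GLITE_LB_SUPER_USERS also grants administrator rights, consider stating in the footnote that WMS DNs belong in GLITE_LB_WMS_DN and that GLITE_LB_SUPER_USERS is meant for administrators. Style: the footnote uses "section \ref{FAQ:WMS_superusers}" while the GLITE_LB_AUTHZ_ item two lines below uses "Section~\ref{inst:authz}"; use the same capitalization and the non-breaking tie in both.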
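Review bot: In the faq.tex hunk, the subsection "For all versions of \LB, using YAIM" instructs the admin to put the WMS DN into GLITE_LB_SUPER_USERS and mentions only in its last paragraph that this also grants administrator rights (such as granting job ownership). Move that statement ahead of the instruction and say explicitly that on \LB 3.0.11 or higher GLITE_LB_WMS_DN should be used instead, so that newer installations do not grant the WMS more than it needs. Both YAIM subsections say "Modify your \texttt{siteinfo.def}" while the command they give passes "-s site-info.def"; use one file name throughout. In the "without YAIM" subsection, "change the adequate sections in \texttt{glite-lb-authz.conf} to:" followed by sections that each hold a single rule reads as an instruction to replace the whole section; wording such as "add a permit rule for your WMS DN to the READ_ALL and PURGE sections" would make it clear that existing rules are to be kept. Minor: "preferrable" should be "preferable", and the bare "\ref{FAQ:WMS_superusers_3_0_11}" in "equivalent to \ref{...}" would read better as "section~\ref{...}".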