Whole site: How to create local users.conf and configure users
Preamble
Since ''glite-yaim-3.0.1-22'' (gLite 3.0 Update 27), ''sgm''/''prd'' accounts can be configured per VO and per account type either as pool accounts (e.g. ''sgmatlas001'') or as static accounts (e.g. ''sgmatlas'').
IMPORTANT!
If a VO at your site should use pool accounts for ''sgm'', ''prd'' or both, please beware that the ''sgm'' and ''prd'' prefixes must
NOT be an extension of the generic prefix for the VO! This means that you cannot use, e.g., ''atlassgm'', but must use ''sgmatlas''. *Otherwise the ''sgm''/''prd'' accounts can also be taken by ordinary users!*
In order to avoid problems with the existing pool accounts, we suggest that sites follow these steps.
Instruction
Formal steps
1) contact CMT (grid-manager@infn.it), communicating the update period.
2) create a downtime in the GOCDB.
Batch system steps
3) close all queues.
4) wait until all jobs queued at your site are finished.
Users steps
5) on all your nodes (except BDII, LB, HLR, VOMS, UI) remove all the users you want to update/modify; you may decide to proceed A) manually or B) using a script:
A) Removing the users by hand
* Remove the selected users from the following files:
* ''/etc/passwd''
* ''/etc/shadow''
* ''/etc/gshadow''
* ''/etc/group''
* Delete the related home directory
B) Using a script
Prepare a file that contains the list of VOs you want to delete (one VO name per row).
After that you can use the script "''ig-delete-users.sh''" from the "Users Management tools" section to delete all the users of the selected VOs:
# ./ig-delete-users.sh
6) on CE, SE, RB and WMS remove all related entries in ''/etc/grid-security/gridmapdir''.
7) generate your new *local* ''users.conf'' as explained in the "Local users.conf generation" section; this file must be used *site-wide*;
8) on all your nodes (except BDII, LB, HLR, VOMS, UI) create the users based on your new local ''users.conf'' by running the following function (first of all check that the ''USERS_CONF'' variable in ''<your-site-info.def>'' is correctly set):
/opt/glite/yaim/bin/yaim -r -s -f config_users
9) on all your nodes (except BDII, LB, HLR, VOMS, UI, WN) generate the new gridmapfile configuration by running the following function:
/opt/glite/yaim/bin/yaim -r -s -f config_mkgridmap
10) on your software server (usually the CE or SE) check and, if necessary, fix the ownership of the software directories; they should look like the following:
drwxrwxr-x 7 sgmalice001 sgmalice 4096 Nov 16 05:36 alice
drwxrwxr-x 10 sgmatlas001 sgmatlas 4096 Dec 15 2006 atlas
drwxrwxr-x 51 sgmcms sgmcms 4096 Jun 27 2007 cms
...
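After steps 6 and 10 it is worth verifying the result rather than trusting it. The script below is an added example written for this page, not part of ''ig-yaim'': ''gridmapdir_entries_for'' lists, for the accounts removed in step 5, the gridmapdir files that step 6 refers to (the account file plus the hard-linked, URL-encoded DN entries that currently lease it), and ''sw_dir_owner_problems'' compares the numeric owner of each VO software directory with the UID of that VO's ''sgm'' accounts in your local ''users.conf''. The gridmapdir layout (one file per pool account, a hard link named after the URL-encoded DN per active lease), the YAIM 4 row format and the convention that each software directory is named after the VO column are assumptions of the example; the test data is constructed.

```shell
#!/bin/bash
# Added example (not part of ig-yaim) for steps 6 and 10 above.
# Assumed gridmapdir layout: one empty file per pool account and, for every
# active lease, a hard link to that file named after the URL-encoded user DN
# (such names start with "%2f"). users.conf rows are assumed in the YAIM 4
# format UID:LOGIN:GID1,...:GROUP1,...:VO:FLAG: and every software directory
# is assumed to be named after the VO column of users.conf.

# gridmapdir_entries_for GRIDMAPDIR ACCOUNT...
# Prints the account file and every lease hard-linked to it, i.e. the entries
# that step 6 asks you to remove for the given accounts. Nothing is deleted.
gridmapdir_entries_for() {
    dir=$1; shift
    for acct in "$@"; do
        [ -f "$dir/$acct" ] || continue
        printf '%s\n' "$dir/$acct"
        for lease in "$dir"/%2f*; do
            # -ef is true when both names refer to the same inode
            if [ -f "$lease" ] && [ "$lease" -ef "$dir/$acct" ]; then
                printf '%s\n' "$lease"
            fi
        done
    done
}

# sw_dir_owner_problems SW_ROOT USERS_CONF_TEXT
# For each VO directory under SW_ROOT (step 10) prints "<vo> <owner-uid>" when
# the numeric owner is not the UID of an sgm account of that VO in users.conf;
# prints nothing when every directory is owned correctly.
sw_dir_owner_problems() {
    root=$1; conf=$2
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        vo=${d%/}; vo=${vo##*/}
        owner=$(ls -ldn "$d" | awk '{print $3}')   # numeric UID, no name lookup
        if printf '%s\n' "$conf" | awk -F: -v vo="$vo" -v uid="$owner" \
               '$1 == uid && $5 == vo && $6 == "sgm" { found = 1 } END { exit !found }'; then
            continue
        fi
        printf '%s %s\n' "$vo" "$owner"
    done
}

# Usage on a real node (as root), after reviewing the printed list:
#   gridmapdir_entries_for /etc/grid-security/gridmapdir atlas001 atlas002 | xargs rm -f
#   sw_dir_owner_problems /path/to/software/area "$(cat /path/to/local-users.conf)"
```

The listing function only reads the directory, so it can be run before the deletion to see which DNs currently hold the accounts you are about to remove; the ownership check is cheap enough to run on every ''config_users'' pass.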
Local users.conf generation
The file ''users.conf'' is a sequence of rows that lists the user settings for your site profiles.
Each row provides all the information needed for the user that will be created; detailed information on the row format can be found in the "YAIM 4 guide for sysadmins".
To help with the creation of the user rows (both for normal and ''sgm''/''prd'' users), the following are available:
A) "comprehensive" generation script (suggested way)
The script "''ig-generate-users-conf.sh''" creates a complete "''local-users.conf''" for all VOs you support.
* Download the "per-vo" ''ig-generate-vo-users-conf.sh'' script from the Users Management tools section;
* Download the "comprehensive" ''ig-generate-users-conf.sh'' script from the Users Management tools section;
* Create your ''<vo-file>'' containing one row per VO you support, each in the following format:
<vo>:<grp1>,<grp2>,...:<nrm_grp1>,<nrm_grp2>,...:<pil_grp1>,<pil_grp2>,...:<prd_grp1>,<prd_grp2>,...:<sgm_grp1>,<sgm_grp2>,...:[<vo.dom>]
Please carefully use the following parameters (you may find an example in the ''ig-vo-list.template'' file):
* ''<vo>'' is the VO name *without* the domain, if any (e.g. ''enmr'' for the ''enmr.eu'' VO);
* ''<grp#>'' is a group defined for the VO (for example ''cirmmp'' for the ''/enmr.eu/cirmmp/Role=NULL/Capability=NULL'' FQAN); for the "standard" group set ''<grp#>'' to ''<vo>'' or ''NULL'';
* ''<nrm_grp#>'' is the number of normal pool accounts for the VO, one value for each group defined;
* ''<pil_grp#>'' is the number of special "''pil''" (pilot) pool accounts for the VO (write ''1'' if you want a single account), one value for each group defined;
* ''<prd_grp#>'' is the number of special "''prd''" (production) pool accounts for the VO (write ''1'' if you want a single account), one value for each group defined;
* ''<sgm_grp#>'' is the number of special "''sgm''" (software manager) pool accounts for the VO (write ''1'' if you want a single account), one value for each group defined;
* ''<vo.dom>'' is the complete VO name *with* the domain, if any (e.g. ''enmr.eu''); leave it empty if the VO has no domain.
* Run the following command:
./ig-generate-users-conf.sh <vo-file>
Finally you will have your brand new "''local-users.conf''" file!
B) A "per-vo" generation script
The script "''ig-generate-vo-users-conf.sh''" creates the section of your "''local-users.conf''" for one VO.
* Download the "per-vo" ''ig-generate-vo-users-conf.sh'' script from the Users Management tools section.
* Run the following command:
./ig-generate-vo-users-conf.sh <vo> <grp1>,<grp2>,... <base_uid> <base_gid> <nrm_grp1>,<nrm_grp2>,... <pil_grp1>,<pil_grp2>,... <prd_grp1>,<prd_grp2>,... <sgm_grp1>,<sgm_grp2>,... [<vo.dom>] >> local-users.conf
Please carefully use the following parameters
* ''<vo>'' is the VO name *without* the domain, if any (e.g. ''enmr'' for the ''enmr.eu'' VO);
* ''<grp#>'' is a group defined for the VO (for example ''cirmmp'' for the ''/enmr.eu/cirmmp/Role=NULL/Capability=NULL'' FQAN); for the "standard" group set ''<grp#>'' to ''<vo>'' or ''NULL'';
* ''<base_uid>'' is the first UID used for the accounts that will be created;
* ''<base_gid>'' is the first GID used for the accounts that will be created;
* ''<nrm_grp#>'' is the number of normal pool accounts for the VO, one value for each group defined;
* ''<pil_grp#>'' is the number of special "''pil''" (pilot) pool accounts for the VO (write ''1'' if you want a single account), one value for each group defined;
* ''<prd_grp#>'' is the number of special "''prd''" (production) pool accounts for the VO (write ''1'' if you want a single account), one value for each group defined;
* ''<sgm_grp#>'' is the number of special "''sgm''" (software manager) pool accounts for the VO (write ''1'' if you want a single account), one value for each group defined;
* ''<vo.dom>'' is the complete VO name *with* the domain, if any (e.g. ''enmr.eu''); leave it empty if the VO has no domain.
* Repeat for each VO you support.
Finally you will have your brand new "''local-users.conf''" file!
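Both the comprehensive script of section A and the per-VO script of section B expand the same parameters into ''users.conf'' rows. The script below is an added example of that expansion written for this page; it is not the code of ''ig-generate-users-conf.sh'' or ''ig-generate-vo-users-conf.sh''. It reads rows in the ''<vo-file>'' format of section A, takes the ''<base_uid>''/''<base_gid>'' of section B once for the whole file, and assumes the YAIM 4 row format ''UID:LOGIN:GID1,...:GROUP1,...:VO:FLAG:'' together with the login, group and flag conventions stated in its header comment (the real scripts may name accounts and groups differently). The sample ''<vo-file>'' is constructed.

```shell
#!/bin/bash
# Added example (not ig-generate-users-conf.sh): expand a <vo-file> into users.conf rows.
# Input row format (from this page):
#   <vo>:<grp1>,<grp2>,...:<nrm_grp1>,...:<pil_grp1>,...:<prd_grp1>,...:<sgm_grp1>,...:[<vo.dom>]
# Output row format assumed from the YAIM 4 guide:
#   UID:LOGIN:GID1,GID2,...:GROUP1,GROUP2,...:VO:FLAG:
# Naming conventions are assumptions of this example, not those of the ig-* scripts:
#   normal accounts : <vo><grp>NNN, where <grp> is omitted for the standard group (<vo> or NULL)
#   special accounts: <pre><vo><grp>NNN as pool accounts, or the static <pre><vo><grp> when the
#                     count is 1; <pre> is pil, prd or sgm and the FLAG column pilot, prd or sgm;
#                     their primary group is <pre><vo><grp> (never an extension of the generic
#                     prefix, as the preamble requires), the VO group is secondary
#   VO column       : <vo.dom> when given, otherwise <vo>

# Constructed sample <vo-file>
SAMPLE_VO_FILE='# <vo>:<grps>:<nrm>:<pil>:<prd>:<sgm>:[<vo.dom>]
atlas:NULL:3:0:2:2:
cms:cms:2:1:1:1:
enmr:NULL,cirmmp:2,1:0,0:1,0:1,0:enmr.eu'

# generate_users_conf VO_FILE_TEXT BASE_UID BASE_GID
# UIDs and GIDs are allocated sequentially from the bases across all VOs.
generate_users_conf() {
    printf '%s\n' "$1" | awk -F: -v uid="$2" -v gid="$3" '
        # emit one special-account family (pilot/prd/sgm) for the current group
        function special(count, flag, pre,    i, sname, sgid, login) {
            count += 0
            if (count < 1) return
            sname = pre vo suffix
            sgid = gid++
            for (i = 1; i <= count; i++) {
                login = (count == 1) ? sname : sprintf("%s%03d", sname, i)
                printf "%d:%s:%d,%d:%s,%s:%s:%s:\n", uid++, login, sgid, ggid, sname, gname, vodom, flag
            }
        }
        /^[ \t]*(#|$)/ { next }                       # skip comments and blank rows
        {
            vo = $1
            ng = split($2, grp, ",")
            split($3, nrm, ","); split($4, pil, ","); split($5, prd, ","); split($6, sgm, ",")
            vodom = ($7 != "") ? $7 : vo
            for (k = 1; k <= ng; k++) {
                suffix = (grp[k] == vo || grp[k] == "NULL" || grp[k] == "") ? "" : grp[k]
                gname = vo suffix                     # primary group of the normal accounts
                ggid = gid++
                for (i = 1; i <= nrm[k] + 0; i++)
                    printf "%d:%s%03d:%d:%s:%s::\n", uid++, gname, i, ggid, gname, vodom
                special(pil[k], "pilot", "pil")
                special(prd[k], "prd", "prd")
                special(sgm[k], "sgm", "sgm")
            }
        }'
}

# Usage: generate_users_conf "$(cat vo-file)" 20000 2000 > local-users.conf
```

On the constructed sample with base UID 20000 and base GID 2000 the function prints 17 rows, the first being ''20000:atlas001:2000:atlas:atlas::''. Because ''atlas'' asks for two ''sgm'' accounts it gets the pool accounts ''sgmatlas001'' and ''sgmatlas002'', while ''cms'' with ''1'' gets the single static ''sgmcms'': the two forms the preamble allows, with the special prefix in front of the VO name.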
C) A template file
An example file (''/opt/glite/yaim/examples/ig-users.conf'') is deployed with ''ig-yaim''.
Please consider that this file is just a template: each site manager has to adapt it to their own site policy!
Copy that file in your local configuration directory, edit it and properly set the ''USERS_CONF'' variable in your ''site-info.def''.