CreateLocalUserAndGroup < IGIRelease

Tags: , view all tags
%TOC%

---++ Whole site: How to create local users.conf and configure users

---+++ Preamble

Since ''glite-yaim-3.0.1-22'' (gLite 3.0 Update 27) the use of ''sgm''/''prd'' pool (e.g. ''sgmatlas001'') or static (e.g. ''sgmatlas'') accounts is allowed to be configured per VO and per account type.

*IMPORTANT!*

If some VO should use pool accounts for ''sgm'', ''prd'' or both at your site, please beware that the ''sgm'' and ''prd'' prefixes must *NOT* be an extension of the generic prefix for the VO!. This means that you can't use, e.g. ''atlassgm'' but ''sgmatlas''.\\
*Otherwise the ''sgm''/''prd'' accounts can also be taken by ordinary users!*

In order to avoid problems with the existing pool accounts, we suggest that sites follow these steps.

---+++ Instruction

---++++ Formal steps

*1)* contact CMT ([[grid-manager@infn.it]]) communicating the updating period.

*2)* create a downtime in the [[https://goc.egi.eu][GOCDB]].

---++++ Batch system steps

*3)* close all queues.

*4)* wait until all jobs queued at your site are finished.

---++++ Users steps

*5)* on all your nodes (except BDII, LB, HLR, VOMS, UI) remove all the users you want to update/modify; you may decide to proceed A) manually or B) using a script:

*Removing by hand the users.*
<pre>
  * Remove from the following files the selected users:
    * ''/etc/passwd''
    * ''/etc/shadow''
    * ''/etc/gshadow''
    * ''/etc/group''
  * Delete the related home directory
</pre>

*Using a Script*
Prepare a file that contains the list of VOs you want to delete (a VO name per rows)

After that you can use the script "''ig-delete-users.sh''" from "//[[https://forge.cnaf.infn.it/frs/?group_id=30 | Users Management tools]]//" section to delete all the users of the selected VOs:

<pre>
# ./ig-delete-users.sh <vo-file>
</pre>

*6)* on CE, SE, RB and WMS remove all related entries in ''/etc/grid-security/gridmapdir''.

*7)* generate your new **local** ''users.conf'' as explained in the "[[#Local users.conf generation]]" section; this file must be used **site-wide**;

*8)* on all your nodes (except BDII, LB, HLR, VOMS, UI) create the users on the base of your new local ''users.conf'' running the following function (first of all check that ''USERS_CONF'' variable on ''<your-site-info.def>'' is correctly set):

<pre>
/opt/glite/yaim/bin/yaim -r -s <your-site-info.def> -f config_users
</pre>

*9)* on all your nodes (except BDII, LB, HLR, VOMS, UI, WN) generate the new configuration for gridmapfile running the following function:

<pre>
/opt/glite/yaim/bin/yaim -r -s <your-site-info.def> -f config_mkgridmap
</pre>

*10)* on your software server (usually on CE or SE) check and eventually fix the ownership of software directories; they should be like the following:

<pre>
drwxrwxr-x    7 sgmalice001 sgmalice     4096 Nov 16 05:36 alice
drwxrwxr-x   10 sgmatlas001 sgmatlas     4096 Dec 15  2006 atlas
drwxrwxr-x   51 sgmcms      sgmcms       4096 Jun 27  2007 cms
...
</pre>

----+++ Local users.conf generation

The file ''users.conf'' is a sequence of rows that lists the users settings for your site profiles.

Each row provides all the needed information on the user that will be created; detailed information on the row format can be found on "[[https://twiki.cern.ch/twiki/bin/view/LCG/YaimGuide400#users_conf][YAIM 4 guide for sysadmins]]".

In order to help on the creation of the users rows (both for normal and ''sgm''/''prd'' users) are available:

----++++A) "comprehensive" generation script (suggested way)

The script "''ig-generate-users-conf.sh''" create the a complete "''local-users.conf''" *for all VOs you support*.

  * Download the "per-vo" ''ig-generate-vo-users-conf.sh'' script from [[https://forge.cnaf.infn.it/frs/?group_id=30][Users Management tools]] section;
  * Download the "comprehensive" ''ig-generate-users-conf.sh'' script from [[https://forge.cnaf.infn.it/frs/?group_id=30][Users Management tools]] section;
  * Create your ''<vo-file>'' that has a list of rows (one per VO you support) each of the following format:

<verbatim>
<vo>:<grp1>,<grp2>,...:<nrm_grp1>,<nrm_grp2>,...:<pil_grp1>,<pil_grp2>,...:<prd_grp1>,<prd_grp2>,...:<sgm_grp1>,<sgm_grp2>,...:[<vo.dom>]
</verbatim>

Please carefully use the following parameters (you may find an example [[https://forge.cnaf.infn.it/frs/?group_id=30][here]]; take the *ig-vo-list.template* file

  * ''&lt;vo&gt;'' is VO name *without* the eventual domain (e.g. ''enmr'' for ''enmr.eu'' VO);<BR/>
  * ''<grp#>'' is the group defined for the VO (for example ''cirmmp'' for ''/enmr.eu/cirmmp/Role=NULL/Capability=NULL'' FQAN); *for "standard" group set ''<grp#>'' as ''&lt;vo&gt;'' or ''NULL''*;<BR/>
  * ''<nrm_grp#>'' is the number of normal pool account for the VO, one for each group defined;<BR/>
  * ''<pil_grp#>'' is the number of special "''pil''" (pilot) pool account for the VO (write ''1'' if you want a single account), one for each group defined;<BR/>
  * ''<prd_grp#>'' is the number of special "''prd''" (production) pool account for the VO (write ''1'' if you want a single account), one for each group defined;<BR/>
  * ''<sgm_grp#>'' is the number of special "''sgm''" (software manager) pool account for the VO (write ''1'' if you want a single account), one for each group defined;<BR/>
  * ''<vo.dom>'' is the complete VO name **with** the eventual domain (e.g. ''enmr.eu''); leave empty if the VO has no domain.<BR/>


  * Run the following command:

<verbatim>
./ig-generate-users-conf.sh <vo-file>
</verbatim>

Finally you will have your brand new "''local-users.conf''" file!


----++++ B) A "per-vo" generation script

The script "''ig-generate-vo-users-conf.sh''" create a section of your "''local-users.conf''" *for one VO*.

  * Download the "per-vo" ''ig-generate-vo-users-conf.sh'' script from [[https://forge.cnaf.infn.it/frs/?group_id=30][Users Management tools]] section.

  * Run the following command:

<verbatim>
./ig-generate-vo-users-conf.sh <vo> <grp1>,<grp2>,... <base_uid> <base_guid> <nrm_grp1>,<nrm_grp2>,... <pil_grp1>,<pil_grp2>,... <prd_grp1>,<prd_grp2>,... <sgm_grp1>,<sgm_grp2>,... [<vo.dom>] >> local-users.conf
</verbatim>

*Please carefully use the following parameters*

  *  ''&lt;vo&gt;'' is VO name **without** the eventual domain (e.g. ''enmr'' for ''enmr.eu'' VO);<BR/>
  * ''<grp#>'' is the group defined for the VO (for example ''cirmmp'' for ''/enmr.eu/cirmmp/Role=NULL/Capability=NULL'' FQAN); *for "standard" group set ''<grp#>'' as ''&lt;vo&gt;'' or ''NULL''*;<BR/>
  * ''&lt;base_uid&gt;'' is the first UID used for accounts that will be created;<BR/>
  * ''&lt;base_gid&gt;'' is the firs GID used for accounts that will be created;<BR/>
  * ''<nrm_grp#>'' is the number of normal pool account for the VO, one for each group defined;<BR/>
  * ''<pil_grp#>'' is the number of special "''pil''" (pilot) pool account for the VO (write ''1'' if you want a single account), one for each group defined;<BR/>
  * ''<prd_grp#>'' is the number of special "''prd''" (production) pool account for the VO (write ''1'' if you want a single account), one for each group defined;<BR/>
  * ''<sgm_grp#>'' is the number of special "''sgm''" (software manager) pool account for the VO (write ''1'' if you want a single account), one for each group defined;<BR/>
  * ''<vo.dom>'' is the complete VO name **with** the eventual domain (e.g. ''enmr.eu''); leave empty if the VO has no domain.<BR/>

  * Repeat for each VO you support.

Finally you will have your brand new "''local-users.conf''" file!


----++++ C) A template file

An example file (''/opt/glite/yaim/examples/ig-users.conf'') is deployed with ''ig-yaim''.
Please consider that *this file is just a template*: each site manager has to fit it with his site policy!

Copy that file in your local configuration directory, edit it and properly set the ''USERS_CONF'' variable in your ''site-info.def''.
Topic revision: r2 - 2012-01-05 - CristinaAiftimiei
Account
- Log In
Edit
Attach