WLCG Workshop : VOM(R)S Groups/Roles - Jan, 23rd 2007

Andrea Sciaba (CERN) - Experiments
Jeff Templon (NIKHEF) - Sites
Chris Brew (RAL) - Tier2
Maarten Litmaath (CERN) - Deployment
& Convenor David Kelsey (RAL)

Andrea Sciaba : Usages of VOMS for the experiments
==================================================

To implement fine-grained management of permissions and privileges :

. job priorities
  - number of cpus for different activities
  - prioritization mechanisms
  - match making depending on VOMS-specific info

. Data Management
  - VOMS aware storage and catalogues
    + quota, acl, ...
  - VOMS aware transfer tools
    + prioritization depending on groups/roles
  - Now
    + VOMS ACLs in LFC & DPM
    + only primary group is taken into account
  - Future
    + all user groups should be taken into account
    + VOMS support in all SRM systems

. Software installation
  - special groups/roles to install VO software at sites

. VO-specific services
  - roles for service admins to change service configuration

. Accounting related to VOMS FQAN (not only VO)

. VOMS group tree
  - regional groups
  - activity related groups

Jeff Templon : site perspective
===============================

. Where we are :
  - VOMS works for SW installation
  - Elementary separation of storage
  - Web sites access via cert

. Where we are almost :
  - Basic job priorities
    + separation of shares via groups/roles
    + publishing of ERTs per groups/roles
    + match making using groups/roles

. Where we ain't :
  - Accounting via groups/roles
  - Information management : explosion of group/role combinations ?
  - More flexible DM VOMSification (better than all or nothing !)

. Lots of decisions to make
  - how to choose most appropriate group/role in case of multiple matches ?
  - how to make sure all subsystems make the same choice ?
  - how to limit damage if they don't ?

. Make sure mapping VOMS to unix doesn't create 'hidden' limitations

Chris Brew : A Tier2's concerns
===============================

. proposal for VOMS based scheduling
  - voms groups => unix groups => MAUI

. on CE
  - proliferation of pool accounts & groups
  - frequency of updates for maui.cfg
  - maintainability

. on SE
  - separate pools/endpoints for each group ?

Maarten Litmaath : VOMS & Deployment
====================================

. schedules must be driven by EMT & TCG
  - experiments have to ensure the right issues are on agenda

. new yaim on CTB allows for special cases other than sgm and prd
  - allow new groups and roles to be mapped differently
  - none has been added so far

. job priorities WG batch system recipe
  - documentation
  - needs new torque+maui, in certification
  - needs new lcg-info-dynamic-scheduler rpms, in certification
  - needs changes in YAIM

. accounting for groups and roles almost ready
  - lcg-ce awaiting YAIM update
  - APEL patch expected in a few days

. Data Management :
  - supported by lfc & dpm
  - supported by dCache to some extent, via gPlazma callout
  - not yet supported by castor, still using grid-mapfile
  - not seen as a priority for this year
  - FTS 2.0 supports voms, to be released in a few weeks

Questions
=========

> To Maarten : what in case of multi group VOMS proxy ?
=> in lfc/dpm only the primary group is taken into account
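
The multi-group answer above and the site-perspective question "how to make sure all subsystems make the same choice ?" can be checked mechanically. The following is an added example, not code from the workshop or from any middleware component: the VO name, the mapping table, the unix group names and the two selection policies are constructed assumptions, used to show how a primary-FQAN-only subsystem and an any-FQAN subsystem can map the same proxy to different unix groups.

```python
"""Added illustration: two FQAN selection policies applied to the same proxies."""
import fnmatch

# Constructed, ordered mapping table (hypothetical): FQAN pattern -> unix group.
MAPPING = [
    ("/examplevo/Role=production", "exprd"),
    ("/examplevo/higgs*", "exhiggs"),
    ("/examplevo*", "example"),
]

def normalize(fqan):
    """Strip the empty Role=NULL / Capability=NULL parts of a FQAN."""
    skip = ("Role=NULL", "Capability=NULL")
    return "/" + "/".join(p for p in fqan.split("/") if p and p not in skip)

def match(fqan):
    """Unix group of the first mapping line that matches a single FQAN."""
    f = normalize(fqan)
    for pattern, group in MAPPING:
        if fnmatch.fnmatchcase(f, pattern):
            return group
    return None

def primary_only(fqans):
    """Policy A: only the first (primary) FQAN in the proxy is considered."""
    return match(fqans[0]) if fqans else None

def first_rule_any_fqan(fqans):
    """Policy B: take the first mapping line hit by any FQAN in the proxy."""
    normalized = [normalize(f) for f in fqans]
    for pattern, group in MAPPING:
        if any(fnmatch.fnmatchcase(f, pattern) for f in normalized):
            return group
    return None

def disagreements(proxies):
    """Proxies for which the two policies choose different unix groups."""
    rows = []
    for name, fqans in proxies.items():
        a, b = primary_only(fqans), first_rule_any_fqan(fqans)
        if a != b:
            rows.append((name, a, b))
    return rows

# Constructed proxies: FQANs in the order the proxy carries them.
PROXIES = {
    "user1": ["/examplevo/higgs/Role=NULL/Capability=NULL",
              "/examplevo/Role=production/Capability=NULL"],
    "user2": ["/examplevo/Role=production/Capability=NULL",
              "/examplevo/higgs/Role=NULL/Capability=NULL"],
    "user3": ["/examplevo/Role=NULL/Capability=NULL"],
}

if __name__ == "__main__":
    for row in disagreements(PROXIES):
        print(row)
```

Only user1 is reported: with the group as primary FQAN, policy A maps to exhiggs while policy B still grants the production mapping. Running such a comparison over a site's real mapping files before deployment shows where a secondary role would be honoured by one subsystem and ignored by another.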