arc-vomsac-check(8)            NorduGrid Toolkit           arc-vomsac-check(8)

NAME

       arc-vomsac-check - ARC VOMS AC-based queue policy enforcing plugin

DESCRIPTION

       ARC VOMS AC-based queue policy enforcing plugin performs per-queue
       authorization based on information stored in VOMS AC.

SYNOPSIS

       arc-vomsac-check [-N] -P <user proxy> -L <A-REX local> [-c <configfile>]
       [-d <loglevel>]

OPTIONS

       -N     treat absence of VOMS AC as allowed access (deny by default)

       -P user proxy
              path to user proxy certificate file to get VOMS AC from

       -L A-REX local
              A-REX jobstatus .local file (used to determine submission queue)

       -c configfile
              plugin configuration file (/etc/arc.conf will be used by
              default)

       -d loglevel
              logging level from 0 (ERROR) to 5 (DEBUG)

GETTING A-REX TO WORK WITH PLUGIN

       You must attach the plugin as a handler for the ACCEPTED state:

       authplugin="ACCEPTED 60 /opt/arc/libexec/arc/arc-vomsac-check -L %C/job.%I.local -P %C/job.%I.proxy"

CONFIGURATION

       Queue policies need to be written into a plain text configuration file
       in the same format as arc.conf. The plugin expects a configuration
       block for every queue, identified by a [queue] or [queue/name] section.

       The attribute-value pairs identified by the 'ac_policy' keyword within a
       queue configuration block represent rules for allowing or denying users
       access to the queue. These rules are processed in the order in which
       they are specified.

       The first rule that matches the VOMS AC presented by a user stops
       further processing of the remaining rules in the block. If no rule
       matches the VOMS AC, access is denied. If no 'ac_policy' rules are
       supplied in the queue block, access is granted.

       Matching rules have the following format:

        ac_policy="[+/-]VOMS: <matching FQAN>"

       A '+' prefix indicates a positive match (users with a matching FQAN are
       allowed). A '-' or '!' prefix indicates a negative match (users with a
       matching FQAN are prohibited). Without any prefix character, the rule
       is treated as a positive match.

       The FQAN can be specified either in ARC format or in general VOMS
       format: '/VO=students/Group=physics/Role=production' is the same as
       '/students/physics/Role=production' or
       '/students/Group=physics/Role=production/Capability=NULL' or any other
       combination. Regular expression syntax can be used in the FQAN
       specification.

EXAMPLE CONFIGURATION

        [queue/general]
        ac_policy="-VOMS: /students/Role=production"
        ac_policy="-VOMS: /students/Group=nosubmission"
        ac_policy="VOMS: /VO=students"

        [queue]
        name="production"
        ac_policy="VOMS: /students/Role=production"
        ac_policy="-VOMS: /badvo"
        ac_policy="VOMS: /.*/Role=production"

       In the example configuration, queue "general" can NOT be used by VO
       "students" users with Role "production" or by members of the VO
       "students" "nosubmission" Group. It CAN be used by any other members
       of VO "students".

       Queue "production" allows access to VO "students" users with Role
       "production", prohibits VO "badvo" and allows users of any VO with
       Role "production". The first rule may be omitted, since the regex in
       the last rule also covers it.
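
       The rule evaluation described in CONFIGURATION, applied to the two
       example queues, as an added Python example (not the plugin's own
       code). The function names, the component-boundary anchoring of
       patterns, matching a rule against any FQAN in the AC, and granting
       access on an empty rule list before checking for a missing AC are
       assumptions.

```python
import re

RULE_RE = re.compile(r"^([+\-!]?)VOMS:\s*(\S+)$")

def normalize_fqan(fqan):
    """Reduce ARC-style and general VOMS-style FQANs to one canonical form."""
    parts = []
    for part in fqan.strip("/").split("/"):
        key, _, value = part.partition("=")
        if not value:                  # bare VO or group name (or regex piece)
            parts.append(key)
        elif key in ("VO", "Group"):   # ARC format: drop the key
            parts.append(value)
        elif value != "NULL":          # Role=NULL / Capability=NULL add nothing
            parts.append(f"{key}={value}")
    return "/" + "/".join(parts)

def parse_rules(values):
    """Turn ac_policy values into ordered (allow, compiled pattern) pairs."""
    rules = []
    for value in values:
        m = RULE_RE.match(value.strip())
        if m is None:
            raise ValueError(f"malformed ac_policy value: {value!r}")
        allow = m.group(1) not in ("-", "!")   # no prefix means positive match
        # Assumption: end on a component boundary so "/students" != "/students2".
        pattern = re.compile(normalize_fqan(m.group(2)) + r"(?:/|$)")
        rules.append((allow, pattern))
    return rules

def authorize(rules, fqans, allow_no_ac=False):
    """First matching rule decides; no match denies; no rules grants."""
    if not rules:
        return True                    # assumption: checked before missing AC
    if not fqans:
        return allow_no_ac             # mirrors the -N switch
    normalized = [normalize_fqan(f) for f in fqans]
    for allow, pattern in rules:
        if any(pattern.match(f) for f in normalized):
            return allow
    return False

# Rule values copied from the EXAMPLE CONFIGURATION section.
GENERAL = parse_rules(["-VOMS: /students/Role=production",
                       "-VOMS: /students/Group=nosubmission",
                       "VOMS: /VO=students"])
PRODUCTION = parse_rules(["VOMS: /students/Role=production",
                          "-VOMS: /badvo",
                          "VOMS: /.*/Role=production"])
```

       For instance, authorize(GENERAL, ["/students/physics"]) grants access,
       while authorize(PRODUCTION, ["/badvo/Role=production"]) denies it
       because the negative rule is reached before the general regex.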

AUTHOR

       Andrii Salnikov <manf at grid dot org dot ua>

NorduGrid 5.4.4                   2011-11-17               arc-vomsac-check(8)