Full registration in LFC

Introduction

Currently the names are recorded in LFC with the short URL. In US-ATLAS

Permission Tests

Testing the ability of writing in a directory created by another user or with other permissions. Production jobs are migrating from /atlas/usatlas/Role=production to /atlas/Role=production.

Proxies can have more extended attributes:

• some are added by default
• if more than 1 are requested on the command line, the first one is the first on the list, the others come after the default attributes
• Behavior of VOMS server differs:
  • v2 server at CERN keeps all the attributes
  • v1.X at BNL keeps only the first one and cuts the rest

Most of the servers in OSG consider only the first extended attribute:

• Gatekeeper (Globus, GUMS, ...)
• dCache (Prima, Authz, ...)

A different system in LGC can map to multiple users

LFC recognizes all the extended attributes. They can be used as groups in the ACL of an entry and define permissions.

Crosswrite Test1

Somehow on the production disk of AGLT2 both atlas_only and usatlas were able to write

Crosswrite Test2

In the USERDISK area, used by Pathena, it was necessary to set the ACL correctly (add write access for both /atlas/usatlas/Role=production and /atlas/Role=production) to allow both to write. Before tests were failing (only /atlas/usatlas/Role=production, group of the owner could write), after were successful. Proxies with multiple attributes carry all the identities and the order of the attributes is not important. In the default configuration voms-proxy-init can contact any of the servers. When it ends up contacting the BNL one only the first extension on the command line is added.

Solution

URL Preservation test

dq2-put has a command line option

-- MarcoMambelli - 22 Oct 2008