Difference: FacilitiesServicesSiteAuthorization (1 vs. 8)

Revision 82019-09-06 - StephanLammel

Line: 1 to 1
 
META TOPICPARENT name="FacilitiesServicesDocumentation"
Line: 72 to 72
 

Special/Secondary Facilities

The idea of facilities is to reduce/simplify the administration in case of multiple CMS sites at an institute. If one or more of the sites at an institute should have the same executive/site admin list BUT different PhEDEx/data managers, then a special arrangement with space character in the facility name supports this, i.e. "CH_CERN" and "CH_CERN Tier-2" facilities both using/sharing the above two e-groups, cms-CH_CERN-exec and cms-CH_CERN-admin. \ No newline at end of file
Added:
>
>

CRIC facility/site setup

After setting up the two facility e-groups, the next step is to setup the facility in CRIC:
  • Go to the CMS CRIC instance and select the "Auth Admin panel" from the "Admin" panel in the top menu bar.
  • Select "+ Add" in the "E-Groups" line.
  • Fill cms-<facility-name>-exec into the "E-group name" field and click "Save and add another"
  • Fill cms-<facility-name>-admin into the "E-group name" field and click "Save and add another"
  • (this makes the two facility e-groups known to CRIC)
  • Go back to the CMS CRIC instance home page and select "Create CMS Facility" from the "CMS" panel in the top menu bar.
  • Fill in the "Facility Name", i.e. CC_Name, "Full Facility Name", "Location", leave "Web Page" empty, select the proper "Timezone" (which can be tricky as CRIC uses weird names for Asian timezones), set "RC site" to NULL, "Object state" to ACTIVE, and leave "State comment" blank. Click on "Check input data" and the "Save & continue".
  • Click on the edit square button in the "Executive(s) e-groups" list
    • select cms-<facility-name>-exec in the left "E-groups" selector, move to the "Chosen E-groups" selector and click "SAVE" at the bottom of the page.
  • Click on the edit square button in the "Site Admin(s) e-groups" list
    • select cms-<facility-name>-admin in the left "E-groups" selector, move to the "Chosen E-groups" selector and click "SAVE" at the bottom of the page.
After this setup the site in CRIC:
  • Go back to the CMS CRIC instance home page and select "Create CMS Site" from the "CMS" panel in the top menu bar.
  • Fill in the "Site Name", i.e. Tn_CC_Name, "Tier level", set "RC site" to NULL, select the "Facility", i.e. CC_Name, leave the "VO name" as cms, set a random string for "SiteDB Title", leave "Status" as is, skip over the "Source Config" section", set "Object state" to ACTIVE, and leave the "State comment" as is. Click on "Check input data" and the "Save & continue".
 \ No newline at end of file

Revision 72019-09-05 - StephanLammel

Line: 1 to 1
 
META TOPICPARENT name="FacilitiesServicesDocumentation"
Line: 34 to 34
 then click on the "Insert" button.
After this switch to the "Owner, Admin & Privileges" tab and add read-only access for all of CMS and admin access for the facility executive team:
Deleted:
<
<
Change E-group owner Person Id "407390" click "Change"
 
Change e-group Administrator "cms-comp-ops-site-support-team" click "Change"
Added:
>
>
Change E-group owner Person Id "407390" click "Change"
 
Add e-group with privilege Privilege "Admin"   "cms-<facility-name>-exec" click "Add"
  Privilege "Can see members"   "cms-authorized-users" click "Add"

Revision 62019-08-30 - StephanLammel

Line: 1 to 1
 
META TOPICPARENT name="FacilitiesServicesDocumentation"
Line: 68 to 68
 

Site Admin/Exec E-groups Removal

The e-groups need to be deleted/removed from CRIC before removing them from the listserver!
Added:
>
>

Special/Secondary Facilities

The idea of facilities is to reduce/simplify the administration in case of multiple CMS sites at an institute. If one or more of the sites at an institute should have the same executive/site admin list BUT different PhEDEx/data managers, then a special arrangement with space character in the facility name supports this, i.e. "CH_CERN" and "CH_CERN Tier-2" facilities both using/sharing the above two e-groups, cms-CH_CERN-exec and cms-CH_CERN-admin.
  \ No newline at end of file

Revision 52019-08-28 - StephanLammel

Line: 1 to 1
 
META TOPICPARENT name="FacilitiesServicesDocumentation"
Line: 65 to 65
 
(Warning: The type resets, in case more than one facility is added.)
To delete an e-group, select the check box at the beginning of the line containing the facility e-group and click on "Delete Members" above the table.
Added:
>
>

Site Admin/Exec E-groups Removal

The e-groups need to be deleted/removed from CRIC before removing them from the listserver!
  \ No newline at end of file

Revision 42019-08-08 - StephanLammel

Line: 1 to 1
 
META TOPICPARENT name="FacilitiesServicesDocumentation"
Line: 16 to 16
 To delete a member, you need, in the "Members" tab, to select the box in the first column in the line of the user, and then click on the "Delete Members" button above the table.

Information for Site Support Members:

Added:
>
>

Facility E-groups setup

 As part of setting up a new facility/site, two e-groups need to be setup (and removed when a facility/site is decommissioned):
  • cms-<facility-name>-exec and
  • cms-<facility-name>-admin
Line: 54 to 55
 Inside CRIC go to "Admin" -> "Auth Admin panel" and click on the "+ Add" in the E-Groups row. Type in the newly created e-group, i.e. cms-<facility-name>-exec and click on "Save and add another". Type in the other e-group, i.e. cms-<facility-name>-admin and click on "Save".
On the CMS Facility page in CRIC for the facility under the "Authorization Groups" section, click on the paper+pen icon in the "Executive(s)" "e-groups::" line. Go to the bottom of the page and select the cms-<facility-name>-exec entry in the left "Available E-groups" list and click the -> error to move it to the "Chosen E-groups" list, then click on "Save" at the very bottom of the page.
Similarly for the admins, on the CMS Facility page for the facility under the "Authorization Groups" section, click on the paper+pen icon in the "Site Admin(s)" "e-groups::" line. Go to the bottom of the page and select the cms-<facility-name>-admin entry in the left "Available E-groups" list and click the -> error to move it to the "Chosen E-groups" list, then click on "Save" at the very bottom of the page.
Added:
>
>

Site Admin/Exec E-groups

We have to e-groups, cms-SITE-exec and cms-SITE-admin, that include all the individual facility exec and admin e-groups. The two e-groups are static and need to be updated whenever a facility is added or removed. Go to https://e-groups.cern.ch/ and search for "cms-SITE-" and select one then the other. Click on the "Members" tab. In the selection box on the right side:
Type: e-group
Name: enter facility name, click on the magnifying glass, and select the right e-group in the pop-up window
click on "Add new member"
(Warning: The type resets, in case more than one facility is added.)
To delete an e-group, select the check box at the beginning of the line containing the facility e-group and click on "Delete Members" above the table.
 

Revision 32019-06-06 - StephanLammel

Line: 1 to 1
 
META TOPICPARENT name="FacilitiesServicesDocumentation"

Facility/Site E-groups

Changed:
<
<
Modifying facility and site information in either GitLab (SITECONF), siteStatus (life-, prod-, CRAB-Status), or CRIC (grid resource information) is normally restricted to administrators of the facility. We are using CERN e-groups for the authorization of this, with two e-groups per facility. One e-group for the facility/site executives (unlimited modification authorization) and one for facility/site/service administrators. The two e-groups have slightly different privileges in CRIC and facility/site executives can add and delete members of the facility/site/service administrator e-group. In CMS terms a facility is normally an institute, e.g. CH_CERN with sites T0_CH_CERN and T2_CH_CERN. (For most institutes with one site there is a one-to-one correspondence and the facility name is the site name without the Tn_ prefix.) The facility is effectively the administrative unit of sites, processing, and/or storage services the experiment uses.
>
>
Modifying facility and site information in either GitLab (SITECONF), siteStatus (life-, prod-, CRAB-Status), or CRIC (grid resource information) is normally restricted to administrators of the facility. We are using CERN e-groups for the authorization of this, with two e-groups per facility. One e-group for the facility/site executives (unlimited modification authorization) and one for facility/site/service administrators. The two e-groups have slightly different privileges in CRIC and facility/site executives can add and delete members of the facility/site/service administrator e-group. In CMS terms a facility is normally an institute, e.g. CH_CERN with sites T0_CH_CERN and T2_CH_CERN. (For most institutes with one site there is a one-to-one correspondence and the facility name is the site name without the "Tn_" prefix.) The facility is effectively the administrative unit of sites, processing, and/or storage services the experiment uses.
 

Information for Facility/Site Executive:

The two e-groups for each facility are called
Line: 16 to 16
 To delete a member, you need, in the "Members" tab, to select the box in the first column in the line of the user, and then click on the "Delete Members" button above the table.

Information for Site Support Members:

Changed:
<
<
>
>
As part of setting up a new facility/site, two e-groups need to be setup (and removed when a facility/site is decommissioned):
  • cms-<facility-name>-exec and
  • cms-<facility-name>-admin
with the facility name being the approved site name without the "Tn_" prefix, i.e. a format of two letter country code, underscore, plus name of the institute/university/laboratory. To setup the two e-groups, go to https://e-groups.cern.ch/ and click on "Create new static group":
Name: cms-<facility-name>-exec
Topic: CMS Facilities and Services
Usage: Security/Mailing
Description: <facility-name> facility executives
Expiration date: match expiration date of existing facility e-groups, so we prolong all together
Comments:  
Self-Subscription Policy: Closed
Privacy Policy: e-group Owner/Admins
then click on the "Insert" button.
After this switch to the "Owner, Admin & Privileges" tab and add read-only access for all of CMS and admin access for the facility executive team:
Change E-group owner Person Id "407390" click "Change"
Change e-group Administrator "cms-comp-ops-site-support-team" click "Change"
Add e-group with privilege Privilege "Admin"   "cms-<facility-name>-exec" click "Add"
  Privilege "Can see members"   "cms-authorized-users" click "Add"

After this switch to the "Members" tab and add the initial facility executive(s):
Type: Person
Name: enter name, click on the magnifying glass, and select the right person (not account!) in the pop-up window
click on "Add new member"
repeat above in case of more than one initial facility executive.
Set up the cms-<facility-name>-admin e-group similarly, but with
Description: <facility-name> facility admins
(In the "Owner, Admin & Privileges" tab, the entries should be the same as for the cms-<facility-name>-exec e-group, i.e. with the cms-<facility-name>-exec having admin privilege of cms-<facility-name>-admin !)

Inside CRIC go to "Admin" -> "Auth Admin panel" and click on the "+ Add" in the E-Groups row. Type in the newly created e-group, i.e. cms-<facility-name>-exec and click on "Save and add another". Type in the other e-group, i.e. cms-<facility-name>-admin and click on "Save".
On the CMS Facility page in CRIC for the facility under the "Authorization Groups" section, click on the paper+pen icon in the "Executive(s)" "e-groups::" line. Go to the bottom of the page and select the cms-<facility-name>-exec entry in the left "Available E-groups" list and click the -> error to move it to the "Chosen E-groups" list, then click on "Save" at the very bottom of the page.
Similarly for the admins, on the CMS Facility page for the facility under the "Authorization Groups" section, click on the paper+pen icon in the "Site Admin(s)" "e-groups::" line. Go to the bottom of the page and select the cms-<facility-name>-admin entry in the left "Available E-groups" list and click the -> error to move it to the "Chosen E-groups" list, then click on "Save" at the very bottom of the page.

 

Revision 22019-06-05 - StephanLammel

Line: 1 to 1
 
META TOPICPARENT name="FacilitiesServicesDocumentation"
Changed:
<
<
Modifying facility and site information in either GitLab (SITECONF), siteStatus (life-, prod-, CRAB-Status) or CRIC (grid resource information) is normally restricted to administrators of the facility. We are using e-groups for this, with two e-groups per facility. One e-group for the site/facility executives (unlimited modification authorization) and one for facility/site/service administrators.
>
>

Facility/Site E-groups

Modifying facility and site information in either GitLab (SITECONF), siteStatus (life-, prod-, CRAB-Status), or CRIC (grid resource information) is normally restricted to administrators of the facility. We are using CERN e-groups for the authorization of this, with two e-groups per facility. One e-group for the facility/site executives (unlimited modification authorization) and one for facility/site/service administrators. The two e-groups have slightly different privileges in CRIC and facility/site executives can add and delete members of the facility/site/service administrator e-group. In CMS terms a facility is normally an institute, e.g. CH_CERN with sites T0_CH_CERN and T2_CH_CERN. (For most institutes with one site there is a one-to-one correspondence and the facility name is the site name without the Tn_ prefix.) The facility is effectively the administrative unit of sites, processing, and/or storage services the experiment uses.
 
Changed:
<
<

SITECONF Repository

>
>

Information for Facility/Site Executive:

The two e-groups for each facility are called
  • cms-<facility-name>-exec and
  • cms-<facility-name>-admin
with the facility name being a two letter country code, underscore, plus name of the institute/university/laboratory. Both e-groups can be administered, i.e. members added/deleted, by members of the cms-<facility-name>-exec group. (The e-groups are owned by CMS Site Support to allow assistance and recovery in case a sole executive leaves.) Members of the e-groups can be viewed by any member of the cms-authorized-users e-group.
 
Changed:
<
<
SITECONF
>
>
To add a new member, go to the CERN e-groups web site, type in the e-group name name (note: default in the search field is "begins with" not "contains") , click on the e-egroup in the "Name" column, select the "Members" tab, type in the name of the person to add in the selection box on the right, use the magnifying glass to search for the user, select the user in the pop-up window and then click on the "Add new member button".
To delete a member, you need, in the "Members" tab, to select the box in the first column in the line of the user, and then click on the "Delete Members" button above the table.

Information for Site Support Members:

 

Revision 12019-06-05 - StephanLammel

Line: 1 to 1
Added:
>
>
META TOPICPARENT name="FacilitiesServicesDocumentation"

Modifying facility and site information in either GitLab (SITECONF), siteStatus (life-, prod-, CRAB-Status) or CRIC (grid resource information) is normally restricted to administrators of the facility. We are using e-groups for this, with two e-groups per facility. One e-group for the site/facility executives (unlimited modification authorization) and one for facility/site/service administrators.

SITECONF Repository

SITECONF

 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback