DPM 1.5.4

DPM versions >= 1.5.4 support :

  • virtual uids and gids
  • VOMS

It means that whenever and wherever you access the DPM Name Server, you will always be mapped to the same virtual uid. A given group or VOMS role will always be mapped to the same virtual gid.

Thus, these versions of the DPM make ACLs fully operational when using pool accounts.

Everything below is handled automatically by YAIM.


Installation from scratch

Here is how to install the DPM version 1.5.4.

Follow the DPM Admin Guide

See the https://uimon.cern.ch/twiki/bin/view/LCG/DpmAdminGuide

Add the supported VOs/groups

The step dpns-chown root:VO /grid/VO will not work unless you explicitly add the VO group id to the DPM Name Server :

$ dpns-entergrpmap --group <VO_name>

For instance :

$ dpns-entergrpmap --group atlas

This command will automatically assign a gid to the given VO. There is no need to specify "--gid" (in particular, there is absolutely no relation between the Unix gid and the DPNS gid).


Upgrade from DPM version < 1.5.4

Here is the procedure to upgrade the DPM to version 1.5.4.

Important

The DPNS server has to be upgraded before the DPM clients.

An old client (version < 1.5.4) will work with a new server (>= 1.5.4). But a new client (>= 1.5.4) will not work with an old server (< 1.5.4).

Install the new RPMs

First, upgrade the RPMs :

$ rpm -Uvh DPM-client-1.5.4-1sec.i386.rpm
$ rpm -Uvh DPM-gridftp-server-1.5.4-1sec_sl3.i386.rpm
$ rpm -Uvh DPM-name-server-mysql-1.5.4-1sec.i386.rpm
$ rpm -Uvh DPM-rfio-server-1.5.4-1sec.i386.rpm
$ rpm -Uvh DPM-server-mysql-1.5.4-1sec.i386.rpm
$ rpm -Uvh DPM-srm-server-mysql-1.5.4-1sec.i386.rpm

But don't restart the DPNS daemon

Migrate to version 1.5.4

The script you have to run will :

  • create a file containing the (group id <-> group name) mappings. Check this file to see if the information is correct
  • migrate the database schema (two new tables will be created)
  • create the DN <-> existing groups mappings in the database

A specific grid-mapfile also has to be created. This is taken care of automatically by YAIM.

Note : The mappings for the users and future groups will be automatically created by the script.

The script comes with the DPM-name-server RPM and is located in /opt/lcg/share/DPM/DPM-migration/virtualIds.

Mysql

Run the script as follows :

./create-uid-gid-mappings.sh --mysql --user <dpns_user> --password-file "/path/to/password/file" --database <mysql_dpns_database> --verbose

For instance :

./create-uid-gid-mappings.sh --mysql --user dpm --password-file "/file/to/delete/password" --database cns_db --verbose

Note : The file containing the DPNS user password should be protected, and deleted afterwards.

Oracle

Run the script as follows :

./create-uid-gid-mappings.sh --oracle --user <dpns_user> --password-file "/path/to/password/file" --database <oracle_sid> --verbose

For instance :

./create-uid-gid-mappings.sh --oracle --user dpm --password-file "/file/to/delete/password" --database DPM --verbose

Note : The file containing the DPNS user password should be protected, and deleted afterwards.
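One way to follow the two notes above (MySQL and Oracle) about protecting and deleting the password file. This is an added example, not part of the DPM distribution; the function names are hypothetical, and the file is assumed to contain only the password.

```shell
#!/bin/sh
# Added example. SCRIPT_DIR is the location given on this page; the password
# file is assumed to hold only the password (assumption, not stated on the page).
SCRIPT_DIR=${SCRIPT_DIR:-/opt/lcg/share/DPM/DPM-migration/virtualIds}

# Create an empty password file with mode 0600 and print its path.
make_password_file() {
    ( umask 077 && mktemp "${TMPDIR:-/tmp}/dpns-pw.XXXXXX" )
}

# Succeed only for a regular file (no symlink) that we own and that has
# no group or other permission bits set.
password_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ldn "$1" | awk '{print $3}')" = "$(id -u)" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# run_migration <--mysql|--oracle> <dpns_user> <database_or_sid>
# Reads the password from stdin, so it never appears in argv or shell history,
# and removes the file whether the migration succeeds, fails or is interrupted.
run_migration() {
    pwfile=$(make_password_file) || return 1
    trap 'rm -f "$pwfile"; exit 130' INT TERM HUP
    cat > "$pwfile"
    rc=0
    if password_file_is_private "$pwfile"; then
        "$SCRIPT_DIR/create-uid-gid-mappings.sh" "$1" --user "$2" \
            --password-file "$pwfile" --database "$3" --verbose || rc=$?
    else
        rc=1
    fi
    rm -f "$pwfile"
    trap - INT TERM HUP
    return "$rc"
}

# Usage with this page's MySQL sample values (type the password, then Ctrl-D;
# wrap the call in `stty -echo` / `stty echo` to hide the typing):
#   run_migration --mysql dpm cns_db
```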

Create the specific grid-mapfile

The specific lcgdm-mapfile is automatically created/updated by a cron job using the lcgdm-mkgridmap.conf file.

It is used when authenticating with grid-proxy-init (instead of voms-proxy-init).

But you can create it by hand before testing, as follows :

/opt/edg/libexec/edg-mkgridmap/edg-mkgridmap.pl \
      --conf=/opt/lcg/etc/lcgdm-mkgridmap.conf \
      --output=/opt/lcg/etc/lcgdm-mapfile --safe

lcgdm-mapfile contains DNs to VO names mappings.

This file is used if grid-proxy-init or voms-proxy-init is used to create the user proxy. It is not used if voms-proxy-init -voms is used instead.

Migrate the existing ACLs

Not supported (yet?).


Test

The DPM version 1.5.4 works with both grid-proxy-init and voms-proxy-init.

From a UI where DPM-client-1.5.4 has been installed, test :

grid-proxy-init

$ grid-proxy-init
Your identity: /C=CH/O=CERN/OU=GRID/CN=Sophie Lemaitre 2268
Enter GRID pass phrase for this identity:
Creating proxy ........................................................................... Done
Your proxy is valid until: Sat Oct 29 05:53:15 2005

$ dpns-mkdir /dpm/cern.ch/home/dteam/tests_sophie/dpns_voms_test

$ dpns-ls -ld /dpm/cern.ch/home/dteam/tests_sophie/dpns_voms_test
drwxrwxr-x   0 101      2688      0 Oct 28 17:51 /dpm/cern.ch/home/dteam/tests_sophie/dpns_voms_test

Important : you are now always mapped to the same user and group ids (here 101 and 2688).

voms-proxy-init

$ voms-proxy-init -voms dteam
Your identity: /C=CH/O=CERN/OU=GRID/CN=Sophie Lemaitre 2268
Enter GRID pass phrase:
Creating proxy ................................. Done
Your proxy is valid until Sat Oct 29 06:03:40 2005

$ dpns-mkdir /dpm/cern.ch/home/dteam/tests_sophie/dpns_voms_test2

$ dpns-ls -ld /dpm/cern.ch/home/dteam/tests_sophie/dpns_voms_test2
drwxrwxr-x   0 101      2688      0 Oct 28 18:51 /dpm/cern.ch/home/dteam/tests_sophie/dpns_voms_test2

Important : you are now always mapped to the same user and group ids (here 101 and 2688).
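The check made by eye in the two tests above can be scripted. This is an added example, not part of the DPM client tools; the function names are hypothetical, and it assumes the `dpns-ls -ld` column layout shown on this page.

```shell
#!/bin/sh
# Added example, not part of the DPM client tools.
# Input: `dpns-ls -ld` lines on stdin (column 3 = virtual uid, 4 = virtual gid).
# Exit 0: all entries share one uid/gid pair; 1: a pair differs (offending
# entries are printed); 2: no dpns-ls line could be parsed.
mapping_is_stable() {
    awk '
        NF >= 9 && $1 ~ /^[-dl]/ {
            pair = $3 ":" $4
            if (n++ == 0) { first = pair; next }
            if (pair != first) { print "MISMATCH", pair, $9; bad = 1 }
        }
        END { if (n == 0) exit 2; exit (bad ? 1 : 0) }'
}

# The two listings shown on this page, one per proxy type.
page_sample() {
    cat <<'EOF'
drwxrwxr-x   0 101      2688      0 Oct 28 17:51 /dpm/cern.ch/home/dteam/tests_sophie/dpns_voms_test
drwxrwxr-x   0 101      2688      0 Oct 28 18:51 /dpm/cern.ch/home/dteam/tests_sophie/dpns_voms_test2
EOF
}

# Live use, after creating one directory per proxy type as in the tests above:
#   { dpns-ls -ld "$dir1"; dpns-ls -ld "$dir2"; } | mapping_is_stable
```

A non-zero exit after an upgrade means the same DN was given different virtual ids by the two authentication paths, so ACLs set under one proxy type would not apply under the other.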


Help !

In case of any problem or if you have questions, do not hesitate to contact hep-service-dpm@cernNOSPAMPLEASE.ch (remove the NOSPAM !).

-- SophieLemaitre - 24 Feb 2006

Topic revision: r4 - 2006-02-24 - unknown
 