Restrict a pool to one or several VOs/groups

By default, a pool is generic: users from all VOs/groups will be able to write in it.

But it is possible to restrict a pool to one or several VOs/groups. See the dpm-addpool and dpm-modifypool man pages.

For instance:

• Possibility to dedicate a pool to several groups

       $ dpm-addpool --poolname poolA --group alice,cms,lhcb
       $ dpm-addpool --poolname poolB --group atlas

• Add groups to existing list

       $ dpm-modifypool --poolname poolB --group +dteam

• Remove groups from existing list

       $ dpm-modifypool --poolname poolA --group -cms

• Reset list to new set of groups (= sign optional for backward compatibility)

       $ dpm-modifypool --poolname poolA --group =dteam

• Add group and remove another one

       $ dpm-modifypool --poolname poolA --group +dteam,-lhcb

IMPORTANT:

Secondary groups are not supported at the pool level, so that the VOs / groups who actually use the space "get the bill at the end of the month". This is the same behaviour as in UNIX.

In other words, only the primary virtual gid of the user matters when writing. Thus, to dedicate a pool to an entire VO, you should add the VO subgroups and roles to the pool.

For instance:

$ dpm-addpool --poolname Pool-Ops --group ops,ops/Role=lcgadmin

When a pool explicitely dedicated to a virtual gid is full, the generic pool is then used (provided there is one).

-- SophieLemaitre - 17 Aug 2007