Provided by: nordugrid-arc-arex_4.0.0-1_amd64 bug

NAME

       arc-vomsac-check - ARC VOMS AC-based queue policy enforcing plugin

DESCRIPTION

       ARC  VOMS  AC-based queue policy enforcing plugin perfors per-queue authorization based on
       information stored in VOMS AC.

SYNOPSIS

       arc-vomsac-check [-N] -P <user proxy> -L <A-REX local> [-c <configfile>] [-d <loglevel>]

OPTIONS

       -N     treat absence of VOMS AC as allowed access (deny by default)

       -P user proxy
              path to user proxy certificate file to get VOMS AC from

       -L A-REX local
              A-REX jobstatus .local file (used to determine submission queue)

       -c configfile
              plugin configuration file (/etc/arc.conf will be used by default)

       -d loglevel
              logging level from 0(ERROR) to 5(DEBUG)

GETTING A-REX TO WORK WITH PLUGIN

       You must attach plugin as handler for ACCEPTED state:

       authplugin="ACCEPTED  60  /opt/arc/libexec/arc/arc-vomsac-check  -L   %C/job.%I.local   -P
       %C/job.%I.proxy"

CONFIGURATION

       Queue policies need to be written into plain text configuration file of the same format as
       arc.conf.  The plugin expects several configuration blocks for every queue  identified  by
       [queue] or [queue/name] section.

       The  attribute  value pairs identified by 'ac_policy' keyword within a queue configuration
       block represent rules for allowing or denying users to  utilize  queue.  These  rules  are
       processed in order of specification.

       The  first  rule  that matches the VOMS AC presented by a user stops further processing of
       remaining rules in the block. If no one rule mathes VOMS AC,  access  is  denied.   If  no
       'ac_policy' rules supplied in the queue block, access is granted.

       Matching rules has the following format:

        ac_policy="[+/-]VOMS: <mathing FQAN>"

       Prepending  '+'  indicate  positive match (users with FQAN match are allowed).  Prepending
       '-' or '!' indicate negative match (users with FQAN match are  prohibited).   Without  any
       prefix character, rule is treated as positive match.

       FQAN   format   can   be   specified   either  in  ARC  format  or  general  VOMS  format:
       '/VO=students/Group=physics/Role=production'        is         the         same         as
       '/students/physics/Role=production'                                                     or
       '/students/Group=physics/Role=production/Capability=NULL'  or  any   other   combinations.
       Regalar expressions syntax can be used in FQAN specification.

EXAMPLE CONFIGURATION

        [queue/general]
        ac_policy="-VOMS: /students/Role=production"
        ac_policy="-VOMS: /students/Group=nosubmission"
        ac_policy="VOMS: /VO=students"

        [queue]
        name="production"
        ac_policy="VOMS: /students/Role=production"
        ac_policy="-VOMS: /badvo"
        ac_policy="VOMS: /.*/Role=production"

       In  the example configuration, queue "general" can NOT be used by VO "students" users with
       Role "production" and VO "students" "nosubmission" Group. It CAN  be  used  by  any  other
       members of VO "students".

       Queue  "production"  allow  access to VO "students" users with Role "production", prohibit
       some VO "badvo" and allow any VO users with Role "production".  First rule may be  omitted
       due to common regex.

AUTHOR

       Andrii Salnikov <manf at grid dot org dot ua>