Provided by: nordugrid-arc-arex_5.0.5-1ubuntu1_amd64
arc-vomsac-check - ARC VOMS AC-based queue policy enforcing plugin
ARC VOMS AC-based queue policy enforcing plugin perfors per-queue authorization based on information stored in VOMS AC.
arc-vomsac-check [-N] -P <user proxy> -L <A-REX local> [-c <configfile>] [-d <loglevel>]
-N treat absence of VOMS AC as allowed access (deny by default) -P user proxy path to user proxy certificate file to get VOMS AC from -L A-REX local A-REX jobstatus .local file (used to determine submission queue) -c configfile plugin configuration file (/etc/arc.conf will be used by default) -d loglevel logging level from 0(ERROR) to 5(DEBUG)
GETTING A-REX TO WORK WITH PLUGIN
You must attach plugin as handler for ACCEPTED state: authplugin="ACCEPTED 60 /opt/arc/libexec/arc/arc-vomsac-check -L %C/job.%I.local -P %C/job.%I.proxy"
Queue policies need to be written into plain text configuration file of the same format as arc.conf. The plugin expects several configuration blocks for every queue identified by [queue] or [queue/name] section. The attribute value pairs identified by 'ac_policy' keyword within a queue configuration block represent rules for allowing or denying users to utilize queue. These rules are processed in order of specification. The first rule that matches the VOMS AC presented by a user stops further processing of remaining rules in the block. If no one rule mathes VOMS AC, access is denied. If no 'ac_policy' rules supplied in the queue block, access is granted. Matching rules has the following format: ac_policy="[+/-]VOMS: <mathing FQAN>" Prepending '+' indicate positive match (users with FQAN match are allowed). Prepending '-' or '!' indicate negative match (users with FQAN match are prohibited). Without any prefix character, rule is treated as positive match. FQAN format can be specified either in ARC format or general VOMS format: '/VO=students/Group=physics/Role=production' is the same as '/students/physics/Role=production' or '/students/Group=physics/Role=production/Capability=NULL' or any other combinations. Regalar expressions syntax can be used in FQAN specification.
[queue/general] ac_policy="-VOMS: /students/Role=production" ac_policy="-VOMS: /students/Group=nosubmission" ac_policy="VOMS: /VO=students" [queue] name="production" ac_policy="VOMS: /students/Role=production" ac_policy="-VOMS: /badvo" ac_policy="VOMS: /.*/Role=production" In the example configuration, queue "general" can NOT be used by VO "students" users with Role "production" and VO "students" "nosubmission" Group. It CAN be used by any other members of VO "students". Queue "production" allow access to VO "students" users with Role "production", prohibit some VO "badvo" and allow any VO users with Role "production". First rule may be omitted due to common regex.
Andrii Salnikov <manf at grid dot org dot ua>