Provided by: nordugrid-arc-arex_5.0.5-1ubuntu1_i386


       arc-vomsac-check - ARC VOMS AC-based queue policy enforcing plugin


       The ARC VOMS AC-based queue policy enforcing plugin performs per-queue
       authorization based on information stored in the VOMS AC.


       arc-vomsac-check  [-N]  -P  <user   proxy>   -L   <A-REX   local>   [-c
       <configfile>] [-d <loglevel>]


       -N     treat absence of VOMS AC as allowed access (deny by default)

       -P user proxy
              path to user proxy certificate file to get VOMS AC from

       -L A-REX local
              A-REX jobstatus .local file (used to determine submission queue)

       -c configfile
              plugin   configuration  file  (/etc/arc.conf  will  be  used  by

       -d loglevel
              logging level from 0(ERROR) to 5(DEBUG)


       You must attach the plugin as a handler for the ACCEPTED state:

       authplugin="ACCEPTED   60   /opt/arc/libexec/arc/arc-vomsac-check    -L
       %C/job.%I.local -P %C/job.%I.proxy"


       Queue policies need to be written into a plain text configuration file
       of the same format as arc.conf.  The plugin expects a configuration
       block for every queue, identified by a [queue] or [queue/name] section.

       The attribute-value pairs identified by the 'ac_policy' keyword within
       a queue configuration block represent rules for allowing or denying
       users access to the queue. These rules are processed in order of
       specification.

       The first rule that matches the VOMS AC presented by a user stops
       further processing of the remaining rules in the block.  If no rule
       matches the VOMS AC, access is denied.  If no 'ac_policy' rules are
       supplied in the queue block, access is granted.

       Matching rules have the following format:

        ac_policy="[+/-]VOMS: <matching FQAN>"

       Prepending '+' indicates a positive match (users with a matching FQAN
       are allowed).  Prepending '-' or '!' indicates a negative match (users
       with a matching FQAN are prohibited).  Without any prefix character,
       the rule is treated as a positive match.

       The FQAN can be specified either in ARC format or in general VOMS
       format: '/VO=students/Group=physics/Role=production' is the same as
       '/students/physics/Role=production' or
       '/students/Group=physics/Role=production/Capability=NULL' or any other
       combination.  Regular expression syntax can be used in FQAN


        ac_policy="-VOMS: /students/Role=production"
        ac_policy="-VOMS: /students/Group=nosubmission"
        ac_policy="VOMS: /VO=students"

        ac_policy="VOMS: /students/Role=production"
        ac_policy="-VOMS: /badvo"
        ac_policy="VOMS: /.*/Role=production"

       In the example configuration, queue "general" can NOT be used by VO
       "students" users with Role "production" or by members of the VO
       "students" Group "nosubmission". It CAN be used by any other members of VO

       Queue "production" allows access to VO "students" users with Role
       "production", prohibits the VO "badvo", and allows users of any VO
       with Role "production".  The first rule may be omitted because the
       regex in the last rule already covers it.

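       The rule processing described above (first match decides, deny when
       nothing matches, grant when the block has no rules), applied to the
       two rule lists from the example configuration. This is an added
       sketch, not the plugin's own code. The function names, the
       parent-group matching, ignoring Capability, matching any FQAN in the
       AC, and checking for a missing AC before looking at the rules are all
       assumptions.

```python
import re

def split_fqan(fqan):
    """Normalise an ARC-style or general VOMS FQAN to (group_path, role)."""
    groups, role = [], None
    for part in fqan.strip("/").split("/"):
        key, sep, val = part.partition("=")
        if not sep:
            groups.append(part)          # bare segment: /students/physics
        elif key in ("VO", "Group"):
            groups.append(val)           # ARC style: /VO=students/Group=physics
        elif key == "Role" and val != "NULL":
            role = val
        # Capability=... is ignored (assumption: it never affects matching)
    return "/" + "/".join(groups), role

def rule_matches(rule_fqan, user_fqan):
    """Assumed semantics: the rule's group regex must match the user's group
    path or one of its parents; a Role in the rule must match the user's Role."""
    rgroup, rrole = split_fqan(rule_fqan)
    ugroup, urole = split_fqan(user_fqan)
    if not re.match(rgroup + r"(/|$)", ugroup):
        return False
    return rrole is None or (urole is not None and bool(re.fullmatch(rrole, urole)))

def check_access(rules, user_fqans, allow_no_ac=False):
    """rules: the ac_policy values of one queue block, in order of specification."""
    if not user_fqans:                   # proxy carries no VOMS AC
        return allow_no_ac               # -N allows, default denies (assumed checked first)
    if not rules:
        return True                      # no ac_policy rules: access is granted
    for rule in rules:
        m = re.fullmatch(r"\s*([+\-!]?)\s*VOMS:\s*(\S+)\s*", rule)
        if m is None:
            raise ValueError("malformed ac_policy: %r" % rule)
        sign, fqan = m.groups()
        if any(rule_matches(fqan, u) for u in user_fqans):
            return sign in ("", "+")     # first matching rule decides
    return False                         # no rule matched: access is denied

# ac_policy values copied from the example configuration on this page
GENERAL = ["-VOMS: /students/Role=production",
           "-VOMS: /students/Group=nosubmission",
           "VOMS: /VO=students"]
PRODUCTION = ["VOMS: /students/Role=production",
              "-VOMS: /badvo",
              "VOMS: /.*/Role=production"]
```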

       Andrii Salnikov <manf at grid dot org dot ua>