Provided by: nordugrid-arc-arex_5.4.2-1build1_amd64

NAME

       arc-vomsac-check - ARC VOMS AC-based queue policy enforcing plugin

DESCRIPTION

       The ARC VOMS AC-based queue policy enforcing plugin performs per-queue authorization based on
       information stored in the VOMS AC.

SYNOPSIS

       arc-vomsac-check [-N] -P <user proxy> -L <A-REX local> [-c <configfile>] [-d <loglevel>]

OPTIONS

       -N     treat absence of VOMS AC as allowed access (deny by default)

       -P user proxy
              path to user proxy certificate file to get VOMS AC from

       -L A-REX local
              A-REX jobstatus .local file (used to determine submission queue)

       -c configfile
              plugin configuration file (/etc/arc.conf will be used by default)

       -d loglevel
              logging level from 0 (ERROR) to 5 (DEBUG)

GETTING A-REX TO WORK WITH PLUGIN

       You must attach the plugin as a handler for the ACCEPTED state:

       authplugin="ACCEPTED 60 /opt/arc/libexec/arc/arc-vomsac-check -L %C/job.%I.local -P %C/job.%I.proxy"

CONFIGURATION

       Queue policies must be written in a plain text configuration file of the same format as arc.conf.
       The plugin expects configuration blocks for every queue, identified by [queue] or [queue/name]
       sections.

       The attribute-value pairs identified by the 'ac_policy' keyword within a queue configuration block
       are the rules for allowing or denying users access to the queue. These rules are processed in the
       order in which they are specified.

       The first rule that matches the VOMS AC presented by a user stops further processing of the
       remaining rules in the block. If no rule matches the VOMS AC, access is denied. If no 'ac_policy'
       rules are supplied in the queue block, access is granted.

       Matching rules have the following format:

        ac_policy="[+/-]VOMS: <matching FQAN>"

       A '+' prefix indicates a positive match (users whose FQAN matches are allowed). A '-' or '!' prefix
       indicates a negative match (users whose FQAN matches are prohibited). Without any prefix character,
       the rule is treated as a positive match.

       The FQAN can be specified either in ARC format or in general VOMS format:
       '/VO=students/Group=physics/Role=production' is the same as '/students/physics/Role=production' or
       '/students/Group=physics/Role=production/Capability=NULL', or any other combination. Regular
       expression syntax can be used in the FQAN specification.

EXAMPLE CONFIGURATION

        [queue/general]
        ac_policy="-VOMS: /students/Role=production"
        ac_policy="-VOMS: /students/Group=nosubmission"
        ac_policy="VOMS: /VO=students"

        [queue]
        name="production"
        ac_policy="VOMS: /students/Role=production"
        ac_policy="-VOMS: /badvo"
        ac_policy="VOMS: /.*/Role=production"

       In the example configuration, queue "general" can NOT be used by VO "students" users with Role
       "production" or by the VO "students" "nosubmission" Group. It CAN be used by any other members of
       VO "students".

       Queue "production" allows access to VO "students" users with Role "production", prohibits VO
       "badvo", and allows users of any VO with Role "production". The first rule may be omitted because
       the more general regex rule also covers it.
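
       The first-match and default-deny behaviour described above can be dry-run against a policy before
       it is deployed. The Python sketch below is an added example, not the plugin's own code: the helper
       names (normalize, parse_policies, authorize), the prefix match at an FQAN component boundary, the
       dropping of NULL Role/Capability parts, and the order of the no-AC and no-rules checks are
       assumptions.

```python
import re

# Constructed input: the EXAMPLE CONFIGURATION block from this page.
SAMPLE_CONF = '''
[queue/general]
ac_policy="-VOMS: /students/Role=production"
ac_policy="-VOMS: /students/Group=nosubmission"
ac_policy="VOMS: /VO=students"
[queue]
name="production"
ac_policy="VOMS: /students/Role=production"
ac_policy="-VOMS: /badvo"
ac_policy="VOMS: /.*/Role=production"
'''

def normalize(fqan):
    """Rewrite an FQAN or rule as /VO=x/Group=y/Role=z; NULL parts dropped (assumed)."""
    out = []
    for i, part in enumerate(p for p in fqan.strip().split("/") if p):
        if part not in ("Role=NULL", "Capability=NULL"):
            out.append(part if "=" in part else ("VO=" if i == 0 else "Group=") + part)
    return "/" + "/".join(out)

def parse_policies(text):
    """Return {queue name: [(allow, normalized pattern), ...]} in file order."""
    queues, rules = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(.*)\]", line):
            head, _, name = m.group(1).partition("/")
            rules = queues.setdefault(name, []) if head == "queue" else None
        elif rules is not None and (m := re.fullmatch(r'(\w+)="(.*)"', line)):
            key, val = m.groups()
            if key == "name":          # [queue] block named by a name="..." line
                queues[val] = queues.pop("", rules)
            elif key == "ac_policy" and (r := re.fullmatch(r"([+\-!]?)VOMS:\s*(.*)", val)):
                rules.append((r.group(1) in ("", "+"), normalize(r.group(2))))
    return queues

def authorize(rules, fqans, allow_no_ac=False):
    """First matching rule decides; a rule matches on a component-boundary prefix (assumed)."""
    if not fqans:      # no VOMS AC in the proxy: denied unless -N (check order assumed)
        return allow_no_ac
    if not rules:      # queue block without ac_policy rules: access granted
        return True
    for allow, pattern in rules:
        if any(re.match(pattern + r"(?:/|$)", normalize(f)) for f in fqans):
            return allow
    return False       # rules exist but none matched: access denied
```

       Because the first match wins, moving the "/.*/Role=production" rule above "-VOMS: /badvo" would
       admit "badvo" users with Role "production"; deny rules belong before any broader allow rule.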

AUTHOR

       Andrii Salnikov <manf at grid dot org dot ua>