Yes. But if Silviu or others had use cases for us to chew on, maybe
there would be reasons to modify the managed-job-security-config.xml
too.
-Stu
On Apr 21, 2008, at Apr 21, 3:23 PM, Tom Scavo wrote:
Is this why, when configuring GridShib in GRAM, we modify the config
of ManagedJobFactoryService (managed-job-factory-security-config.xml)
but not the GRAM job resources config
(managed-job-security-config.xml)?
Tom
On Mon, Apr 21, 2008 at 3:50 PM, Stuart Martin <[EMAIL PROTECTED]>
wrote:
I should have explained this a bit better. There are 2 levels of
authorization here. 1) access to the services in a container 2)
access to
the WSRF job resources being processed by the
managedExecutionJobService in
the container. For #1, I want to allow many users to use the
services.
That makes sense, this is the typical setup/use of the gridmap
file. But
for #2, (typically) users do not want other users to be able to
affect their
jobs. To handle #2, a new temp gridmap file is created per job that
contains only the DN of the user that submitted the job. GRAM does
not
provide anything more sophisticated than that at the moment.
-Stu
On Apr 21, 2008, at Apr 21, 2:15 PM, Silviu Popescu wrote:
Hi Stuart,
Thanks for the quick response.
I'm not sure yet if I'll need this functionality, I was just
curious if it
is possible. Actually, in gridmap file I have more DNs mapped to
same local
user and I thought job access is possible to all DNs .
Regards,
Silviu
Stuart Martin <[EMAIL PROTECTED]> wrote: Hi Silviu,
Currently only the DN of the user that submitted the job request is
allowed to access that job "resource". GRAM creates a one entry
gridmapfile for each job submitted and that temp gridmapfile is used
to authorize users, thus limiting access the job to just the
submitter.
Can you describe the functionality you would like to have? Would you
like to pass in a list of DNs on the createManagedJob operation that
you would want to have access to a specific job? Or does this fall
into the VO management methods like VOMS and GridShib that are
designed to provide to group affiliation and authorization?
Thanks,
-Stu
On Apr 21, 2008, at Apr 21, 3:51 AM, Silviu Popescu wrote:
Hi,
What do I have to do to allow all users to query the status of a
submitted job ?
I submitted a job with user [EMAIL PROTECTED]
[EMAIL PROTECTED] globusrun-ws -submit -b -o job.epr -c /bin/sleep 200
Submitting job...Done.
Job ID: uuid:3b41a688-0f7f-11dd-9f38-000f2034b443
Termination time: 04/22/2008 08:45 GMT
[EMAIL PROTECTED] globusrun-ws -status -j job.epr
Current job state: Active
[EMAIL PROTECTED] scp job.epr silviup-laptop:/home/user/job.epr
[EMAIL PROTECTED] globusrun-ws -status -j job.epr -F c14
globusrun-ws: Error querying job state
globus_soap_message_module: SOAP Fault
Fault code: soapenv:Server.userException
Fault string:
org
.globus
.wsrf
.impl.security.authorization.exceptions.AuthorizationException:
"/O=Grid/OU=GlobusTest/OU=simpleCA-portal.tech.pub.ro/CN=User" is
not authorized to use operation:
{http://www.globus.org/namespaces/2004/10/gram/job/exec
}getMultipleResourceProperties on this service
When I submit from silviup-laptop the query works fine.
[EMAIL PROTECTED] globusrun-ws -submit -o job.epr -F c14 -b -
c /bin/sleep 200
Submitting job...Done.
Job ID: uuid:13a06b6e-0f7f-11dd-ab7b-0018f39fc34f
Termination time: 04/22/2008 08:43 GMT
[EMAIL PROTECTED] globusrun-ws -status -j job.epr -F c14
Current job state: Active
Thanks,
Silviu
