On Mar 21, 2010, at 5:50 AM, Marco Lackovic wrote:

> On Fri, Mar 19, 2010 at 4:32 PM, Lukasz Lacinski <lu...@cct.lsu.edu> wrote:
>> In that case the GRIDMAP environment variable is used to point out its
>> location different from a default one. It's necessary in that case. Please
>> look here for more information
>> http://www.globus.org/toolkit/docs/4.0/security/prewsaa/Pre_WS_AA_Public_Interfaces.html#prewsaa-env-gridmapfile
> In the section you pointed out it is stated "If the user is root (uid
> 0), then the gridmap file is /etc/grid-security/grid-mapfile". Which
> user does it refer to? The one who starts the container? Isn't that
> supposed to be the "globus" user?

Hi Marco,

In the typical situation both the GridFTP process (started by the inetd or
xinetd daemon or started as a standalone server by a script in /etc/init.d/)
and the PreWS GRAM process run with the root UID. When a user sends a request
to them, they look for the user in grid-mapfile (by default in
/etc/grid-security/grid-mapfile, unless the GRIDMAP environment variable is
set). Then a new GridFTP server process or a process of a PreWS GRAM job
manager is created. These new processes run with the UID of the user who sent
a request.
In the typical configuration only WS GRAM runs in the container with the globus
UID. That's why appropriate changes have to be introduced to the /etc/sudoers
file to allow the globus user to switch to another user UID and execute
processes/jobs that users request.

We can also consider a situation when a user who doesn't have root privileges
wants to install PreWS GRAM or GridFTP with a different configuration for test
purposes. In this case both servers run with the user UID. Then they look for
grid-mapfile in $HOME/.gridmap, unless the GRIDMAP environment variable is set.

Regards,
Lukasz
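
The lookup order described in the message above, as an added example that is not part of the original email and is not Globus code. The function names are hypothetical, the entry format ("quoted DN" followed by the local account) is an assumption not shown in the thread, the DN and accounts are constructed, and the group/other-writable check is an extra check added here.

```sh
#!/bin/sh
# Added example (not Globus code); function names are hypothetical.

# resolve_gridmap UID HOME [GRIDMAP]: file a server running as UID consults.
resolve_gridmap() {
    if [ -n "${3:-}" ]; then
        printf '%s\n' "$3"                             # GRIDMAP set: overrides both defaults
    elif [ "$1" -eq 0 ]; then
        printf '%s\n' /etc/grid-security/grid-mapfile  # server started as root
    else
        printf '%s\n' "$2/.gridmap"                    # unprivileged test install
    fi
}

# lookup_dn FILE DN: print the account(s) mapped to DN; status 1 if absent.
# Assumed entry format: "quoted certificate DN" account[,account...]
lookup_dn() {
    awk -v dn="$2" '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        match($0, /^[ \t]*"[^"]*"/) {
            q = substr($0, RSTART, RLENGTH)
            sub(/^[ \t]*"/, "", q); sub(/"$/, "", q)
            acct = substr($0, RSTART + RLENGTH)
            gsub(/[ \t]/, "", acct)
            if (q == dn) { print acct; found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# loosely_writable FILE: true if group or others can edit the mapping.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Constructed sample: one DN, two mapfiles, two different local accounts.
d=$(mktemp -d) && mkdir -p "$d/home/tester"
dn='/O=Grid/OU=Example/CN=Jane Doe'
printf '# constructed\n"%s" jdoe\n' "$dn" > "$d/site-mapfile"
printf '"%s" tester\n' "$dn" > "$d/home/tester/.gridmap"
for f in "$(resolve_gridmap 0 /root "$d/site-mapfile")" \
         "$(resolve_gridmap 1000 "$d/home/tester")"; do
    printf '%s -> %s\n' "$f" "$(lookup_dn "$f" "$dn")"
    if loosely_writable "$f"; then echo "WARNING: $f is group/other writable"; fi
done
rm -rf "$d"
```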
