User management Guides

This section provides the information you need for user management.

The components involved are:

  • Configuration system

  • Registry

  • VOMS2CSAgent

What is a user in the DIRAC context?

DIRAC users are entities that can be authenticated. A user is a record in the /Registry section of the Configuration System, identified by a unique username. Usernames can be created manually by an administrator or automatically by scripts. User attributes are described in the /Registry/Users section. To be authenticated a user must have the DN attribute, the distinguished name taken from the user's certificate; see the authentication documentation for details. A user also has permissions, but these are not set on the user record itself: they are expressed through the groups the user belongs to.

What are DIRAC groups?

DIRAC groups collect DIRAC users and are described in the /Registry/Groups section. Each subsection describes one group: the permissions and rights of its members for the various Grid operations, and the DIRAC Virtual Organization the group is associated with. The name of a DIRAC group usually consists of the DIRAC VO name and a word describing the permissions of its members, for example “dteam_user”, “dteam_pilot”, “dteam_admin”.

What is a DIRAC Virtual Organization (VO)?

The VO is a term coming from grid infrastructures, where VO parameters are handled by the VOMS services. A DIRAC VO does not necessarily correspond to a VO described in VOMS; however, the DIRAC VO description can include VOMS-specific information. It is not mandatory for the DIRAC VO to have the same name as the corresponding VOMS VO, but using the same name avoids confusion, at the expense of names that may be longer than necessary. A DIRAC VO must be described in the /Registry/VO section.

The registration process

User management is handled within the Registry section of the Configuration System. To manage it you can use the Configuration Manager application of the web portal, or the dirac-admin-* command line tools (for example dirac-admin-add-user and dirac-admin-add-group, described below).

In a nutshell, to edit the configuration from the portal you must already be a registered user belonging to a group that has the CSAdministrator property, which grants permission to edit the configuration. Log in with that user and group, open the Configuration Manager application and enable the “Manage” mode; only then can changes be made. Since CSAdministrator allows rewriting the whole Registry, including which users and groups exist and which properties they hold, keep the membership of such groups to a minimum.
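The model the paragraphs above describe (a DN identifies the user, the user asks to act under one group, that group's Properties decide what is allowed) can be made concrete. The following is an added example written for this page; it is not DIRAC's own code or API. The Registry excerpt, the user "lhcbadmin" and its DN are constructed for the example.

```python
# Added example, not DIRAC's own code or API: how a certificate DN, the group
# a client asks for, and the Registry combine into an allow/deny decision for
# a privileged operation such as editing the configuration (CSAdministrator).

# Constructed /Registry excerpt as nested dicts; list-valued options are kept
# as Python lists. "lhcbadmin" and its DN are made up for this example.
REGISTRY = {
    "Users": {
        "lhcbuser1": {"DN": ["/O=My organisation/C=FR/OU=Unit/CN=My Name"]},
        "lhcbadmin": {"DN": ["/O=My organisation/C=FR/OU=Unit/CN=Admin Name"]},
    },
    "Groups": {
        "lhcb_user": {"Users": ["lhcbuser1", "lhcbadmin"],
                      "Properties": ["NormalUser"]},
        "lhcb_admin": {"Users": ["lhcbadmin"],
                       "Properties": ["CSAdministrator", "FullDelegation",
                                      "ProxyManagement"]},
    },
}


def username_for_dn(registry, dn):
    """Authentication step: map a certificate DN to the registered username.
    Exactly one user must own the DN; none or several means 'unknown'."""
    owners = [name for name, attrs in registry["Users"].items()
              if dn in attrs.get("DN", [])]
    return owners[0] if len(owners) == 1 else None


def authorize(registry, dn, group, required):
    """Authorization step: return (allowed, reason).

    The client presents a DN and asks to act as `group`. Only that group's
    Properties count, not the union of all groups the user belongs to, and
    the request is refused unless the user is listed in the group's Users.
    """
    user = username_for_dn(registry, dn)
    if user is None:
        return False, "DN is not registered (or is registered more than once)"
    grp = registry["Groups"].get(group)
    if grp is None:
        return False, f"group {group} does not exist"
    if user not in grp.get("Users", []):
        return False, f"user {user} is not a member of {group}"
    missing = set(required) - set(grp.get("Properties", []))
    if missing:
        return False, f"group {group} lacks {sorted(missing)}"
    return True, f"{user} acting as {group} has {sorted(required)}"
```

Note that "lhcbadmin" is a member of both groups, but is only allowed to edit the configuration when acting as lhcb_admin; the same DN presented with lhcb_user is refused. A DN that is registered under two usernames is treated as unknown, because the mapping from certificate to username would be ambiguous.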

First of all, define, if necessary, the options at the root of the Registry section that apply to the whole configuration:

Registry options
# Default user group to be used:
DefaultGroup = lhcb_user

# Quarantine group: usually used when you want to move users into a
# lower-priority group by hand, as a "punishment" for a certain period of time:
QuarantineGroup = lowPriority_user

# Default proxy time expressed in seconds:
DefaultProxyTime = 4000

To begin, add the new VO, with all its necessary attributes, to the Registry/VO section. One mandatory attribute of a VO is VOAdmin, the administrator of the VO, who must be registered as a DIRAC user (see the example below). If the VO is a VOMS VO, the VO administrator must also hold an administrative role in the VOMS VO, because this identity is used to obtain information about the VO users from the VOMS servers. The example below describes a VOMS VO and therefore contains VOMS-specific attributes.

Registry section
# DIRAC VOs section, subsections represent the name of the DIRAC VO or an alias name of the real VOMS VO
VO
{

  # It is not mandatory for the DIRAC VO to have the same name as the corresponding VOMS VO
  lhcb
  {

    # VO administrator user name, that also MUST be registered(/Registry/Users section)
    VOAdmin = lhcbadmin

    # VO administrator group used for querying VOMS server.
    # If not specified, the VO "DefaultGroup" will be used
    VOAdminGroup = lhcb_admin

    # Real VOMS VO name, if this VO is associated with VOMS VO
    VOMSName = lhcb

    # Registered identity provider associated with VO
    IdProvider = CheckIn

    # Section to describe all the VOMS servers that can be used with the given VOMS VO
    VOMSServers
    {

      # The host name of the VOMS server
      cclcgvomsli01.in2p3.fr
      {

        # DN of the VOMS server certificate
        DN = /O=GRID-FR/C=FR/O=CNRS/OU=CC-IN2P3/CN=cclcgvomsli01.in2p3.fr

        # The VOMS server port
        Port = 15003

        # CA that issued the VOMS server certificate
        CA = /C=FR/O=CNRS/CN=GRID2-FR
      }
    }
  }
}

The next step is to create groups in the Registry/Groups section with the appropriate permissions. It is usually necessary to have at least three groups:

  • for regular users running tasks (e.g. “dteam_user”)

  • for running pilot tasks (e.g. “dteam_pilot”)

  • an administrative group (e.g. “dteam_admin”)

Permissions of the group members are determined by the “Properties” option; the full list of supported Properties is documented separately. Properties such as CSAdministrator, FullDelegation and ProxyManagement give control over the configuration and over other users' proxies, so grant them only to the administrative group, and keep the pilot group restricted to LimitedDelegation.

Registry section
# DIRAC groups section, subsections represent the name of the group
Groups
{

  # Group for the common user
  lhcb_user
  {

    # DIRAC user logins that belong to the group
    Users = lhcbuser1

    # Group properties (set the permissions of the group members)
    Properties = NormalUser # Normal user operations

    # Permission to download a proxy with this group, by default: True
    DownloadableProxy = False

    # Role of the users in the VO
    VOMSRole = /lhcb

    # Scope associated with a role of the user in the VO
    IdPRole = some_special_scope

    # Virtual organization associated with the group
    VOMSVO = lhcb

    # Just for normal users:
    JobShare = 200

    # Controls automatic Proxy upload:
    AutoUploadProxy = True

    # Controls automatic Proxy upload for Pilot groups:
    AutoUploadPilotProxy = True

    # Controls automatic addition of VOMS extension:
    AutoAddVOMS = True
  }

  # Group to submit pilot jobs
  lhcb_pilot
  {
    Properties = GenericPilot # Generic pilot
    Properties += LimitedDelegation # Allow getting only limited proxies (ie. pilots)
    Properties += Pilot # Private pilot
  }

  # Admin group
  lhcb_admin
  {
    Properties = AlarmsManagement # Allow to set notifications and manage alarms
    Properties += ServiceAdministrator # DIRAC Service Administrator
    Properties += CSAdministrator # possibility to edit the Configuration Service
    Properties += JobAdministrator # Job Administrator can manipulate everybody's jobs
    Properties += FullDelegation # Allow getting full delegated proxies
    Properties += ProxyManagement # Allow managing proxies
    Properties += Operator # Operator
  }
}

To add a new group you can use the dedicated DIRAC command dirac-admin-add-group, which simplifies this action.

Finally, create the user in the Registry/Users section. Remember that the VOAdmin named in the VO description (lhcbadmin above) must also have an entry here, and that the DN must match the subject of the certificate the user will present:

Registry section
# DIRAC users section, subsections represent the name of the user
Users
{

  lhcbuser1
  {
    # Distinguished name obtained from the user certificate (Mandatory)
    DN = /O=My organisation/C=FR/OU=Unit/CN=My Name

    # User e-mail (Mandatory)
    Email = my@email.com

    # Cellular phone number
    mobile = +030621555555

    # Quota assigned to the user. Expressed in MBs.
    Quota = 300

    # This subsection describes the properties associated with each DN attribute (optional)
    DNProperties
    {

      # Arbitrary section name
      DNSubsection
      {

        # Distinguished name obtained from the user certificate (Mandatory)
        DN = /O=My organisation/C=FR/OU=Unit/CN=My Name

        # Proxy provider that can generate the proxy certificate with DN in DN attribute.
        ProxyProviders = MY_DIRACCA
      }
    }
  }
}

To add a new user you can use the dedicated DIRAC command dirac-admin-add-user, which simplifies this action.
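The three steps above (VO, groups, users) only work together if they are mutually consistent: the VOAdmin must exist as a user, every group member must exist, DN and Email are mandatory, and the groups holding strong properties should be known. The following is an added example written for this page, not DIRAC's own code: it parses the CFG syntax used in the fragments above and reports violations of those rules. The sample configuration is constructed by assembling the page's own fragments, trimmed, with lhcbadmin deliberately left out of /Registry/Users so that the checks have something to report.

```python
# Added example, not DIRAC's own code: parse the CFG fragments shown on this
# page and check the /Registry rules the text states (VOAdmin must be a
# registered user, DN and Email are mandatory, group members must exist, ...).
import re

# Constructed sample assembled from the fragments above, trimmed; lhcbadmin is
# deliberately absent from /Registry/Users so that a finding is reported.
SAMPLE_CFG = """Registry
{
  VO
  {
    lhcb
    {
      VOAdmin = lhcbadmin
      VOAdminGroup = lhcb_admin
    }
  }
  Groups
  {
    lhcb_user
    {
      Users = lhcbuser1
      VOMSVO = lhcb
    }
    lhcb_admin
    {
      Properties = CSAdministrator
      Properties += FullDelegation
      Properties += ProxyManagement
    }
  }
  Users
  {
    lhcbuser1
    {
      DN = /O=My organisation/C=FR/OU=Unit/CN=My Name
      Email = my@email.com
    }
  }
}"""

_KV = re.compile(r"^(\w+)\s*(\+?=)\s*(.*)$")
# Properties that control the configuration itself or other people's proxies.
HIGH_PRIVILEGE = {"CSAdministrator", "FullDelegation", "ProxyManagement"}


def parse_cfg(text):
    """Parse CFG text into nested dicts: a bare name followed by '{'...'}' opens
    a section, 'key = value' sets, 'key += value' appends to a comma list."""
    stack, pending = [{}], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "{":
            stack.append(stack[-1].setdefault(pending, {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("'}' without a matching '{'")
            stack.pop()
        elif (m := _KV.match(line)):
            key, op, val = m.groups()
            old = stack[-1].get(key)
            stack[-1][key] = f"{old}, {val}" if op == "+=" and old else val
        else:
            pending = line  # bare name: the section opened by the next '{'
    if len(stack) != 1:
        raise ValueError("unclosed section in CFG text")
    return stack[0]


def _items(value):
    """Split a DIRAC comma-separated value into a list (None or '' -> [])."""
    return [v.strip() for v in value.split(",") if v.strip()] if value else []


def lint_registry(cfg):
    """Return human-readable findings about /Registry consistency and privilege."""
    reg = cfg.get("Registry", {})
    users, groups, vos = (reg.get(k, {}) for k in ("Users", "Groups", "VO"))
    out = []
    for name, vo in vos.items():
        admin, agroup = vo.get("VOAdmin"), vo.get("VOAdminGroup")
        if admin not in users:
            out.append(f"VO '{name}': VOAdmin '{admin}' is not in /Registry/Users")
        if agroup and agroup not in groups:
            out.append(f"VO '{name}': VOAdminGroup '{agroup}' does not exist")
        elif agroup and admin not in _items(groups[agroup].get("Users")):
            out.append(f"VO '{name}': VOAdmin '{admin}' is not a member of '{agroup}'")
    for name, grp in groups.items():
        members = _items(grp.get("Users"))
        for u in members:
            if u not in users:
                out.append(f"group '{name}': user '{u}' is not in /Registry/Users")
        if grp.get("VOMSVO") and grp["VOMSVO"] not in vos:
            out.append(f"group '{name}': VOMSVO '{grp['VOMSVO']}' is not in /Registry/VO")
        strong = HIGH_PRIVILEGE & set(_items(grp.get("Properties")))
        if strong:
            out.append(f"group '{name}' grants {sorted(strong)} to {members or 'nobody'}")
    for name, usr in users.items():
        for attr in ("DN", "Email"):
            if not usr.get(attr):
                out.append(f"user '{name}': mandatory attribute '{attr}' is missing")
    return out
```

Run against the sample, the checks report that lhcbadmin is not a registered user, that it is therefore not a member of its own VOAdminGroup, and that lhcb_admin grants CSAdministrator, FullDelegation and ProxyManagement to nobody. Adding the lhcbadmin user entry and listing it in lhcb_admin clears the first two and turns the last into a plain inventory line, which is the list an administrator should review before handing out the configuration.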