From dimou@mail.cern.ch Thu May 12 16:20:39 2005
Date: Thu, 12 May 2005 16:18:13 +0200 (CEST)
From: Maria Dimou-Zacharova
Reply-To: Maria.Dimou@cern.ch
To: project-lcg-vo-atlas-admin@cern.ch, project-lcg-vo-alice-admin@cern.ch,
    project-lcg-vo-cms-admin@cern.ch, project-lcg-vo-lhcb-admin@cern.ch,
    usatlas-vo@bnl.gov
Cc: support-eis@cern.ch, karoly.lorentey@cern.ch, ian.neilson@cern.ch,
    tlevshin@hppc.fnal.gov, d.p.kelsey@rl.ac.uk, joni.hahkala@cern.ch,
    Vincenzo Ciaschini, John Weigand, Valerio Venturi, Chris Onions,
    'Claire Massip', Judy Richards, Markus Schulz, Ian Bird
Subject: Q&A on LHC experiment VOs' integration to CERN HR db

Dear LHC Experiment VO managers,

Gabriele (USAtlas VO mgr) listed some very valid questions, which,
I believe, are of interest to all. Please read the answers I attempt
below.

The LHC experiments' Registration Task Force members, the Head of the
Users' Office (Chris), one of the Atlas Group Administrators (Claire)
and the CERN Security Team liaison (Judy) are in copy, in order to react
in case anyone disagrees with what I am saying.

Thanks again for your collaboration
- maria

> * How can I be sure that people are indeed in the HR (ORGDB) database?
> How do I query it?

When the complete chain of packages
VOMRS-->ORGDB-->voms-admin-->glite-voms (in particular the Oracle port)
is fully tested and working, the VO Registration procedure will
immediately return the candidate member's status in ORGDB and will give
the user appropriate instructions for ORGDB registration, when
necessary. We are trying to get there, see
https://lcg-voms.cern.ch:8443/vo-LCG_Test/vomrs
(no Oracle component in this installation) but we haven't yet tested.

However, it is useful, from now on, to make sure that when you accept a
user in your VO already today (LDAP era) the person is registered in
ORGDB AND associated with Your experiment. In this way, when the users
are asked to register using VOMRS, there will be no failures due to
this ORGDB mismatch.

So a tool for the present day, an -indirect- CERN HR view available to
"simple mortals", is http://userreg.cern.ch, access to which is reserved
to Group Administrators. However, as VO managers, it is easy for you to
obtain permission to be added to the list of Group Administrators.
To do that:

1. Send a request to User.Registration@cern.ch asking to be added to the
   Group Administrators' list of your computing group (e.g. ZP for
   Alessandro and Gabriele (ATLAS)). If they need a justification,
   explain that this is simply for viewing the status of your VO
   candidates in the CERN HR db, not for computer accounts or quotas.
   You may certainly ask them to contact me, if need be. Send a copy to
   your own Group Administrators, to inform them. To find who they are,
   open http://consult.cern.ch/xwho, search for your name and click on
   group-code for the various administrators of the group, e.g.
   http://consult.cern.ch/xwho/people/ZP/admins for Alessandro and
   Gabriele (ATLAS).

2. You will receive a login and passwd for opening the
   http://userreg.cern.ch page. Once you select your computing group and
   the name of your present or future VO member, you'll see a sub-set of
   his/her HR db record, including the experiment.

> I have quite some people that do have an account at CERN, but that weren't
> matched by the system: how do I know for sure that they are in the correct
> place?

Via http://userreg.cern.ch, once you are authorised.
Meanwhile, via your experiment secretariat.

> * How can I enter/modify information in the database?

You cannot. Only the experiment secretariat and the Users' Office can.

> Which are the persons to contact? Are they clear that I will, and others
> in this role, act on behalf of the users to fix their problems?

Please, all of you, write to your experiment secretariats (Cc: Users'
Office), mentioning your role as experiment VO managers and the
exchanges they had with us in the Task Force:

Index:         http://cern.ch/dimou/lcg/registrar/TF/
Users' Office: http://cern.ch/dimou/lcg/registrar/TF/PIE-notes.html
Experiments:
  Questionnaire_ALICE_answers.txt       10-Jun-2004
  Questionnaire_ATLAS_answers.txt       16-Jun-2004 12:15   3k
  Questionnaire_CMS_answers.doc         25-Jun-2004 09:20  54k
  Questionnaire_LHCb_answers.txt        24-Jun-2004 14:38   8k
  Questionnaire_to_LHC_Experiments.txt  09-Jun-2004 17:32   3k

If you need any assistance, please let me know.

> * How can I know if someone is being matched correctly? Can I have a
> system/page with which I can test the mapping?
> Once I know that someone is in the correct place, what can I do to
> understand why it is not matching?

I think this is mostly answered with the above. To summarise:

We'll release https://lcg-voms.cern.ch:8443/vo-LCG_Test/vomrs or similar
URL of a VOMRS/VOMS installation for testing a.s.a.p. according to the
plan:
http://cern.ch/dimou/lcg/registrar/TF/lhc-vos-transition.html

Meanwhile, use http://userreg.cern.ch

Most of the valid users who *appear* as non-matching don't have the
right affiliation. Remember: they have to exist in ORGDB AND *still*
belong to your experiment!

> * How can I fix the matches?
> If I have identified a problem, what do I do to fix it?

You cannot. Only the experiment secretariat and the Users' Office can.

> * How much of these tools will require people at CERN to be at work? With
> the time difference, this is a real problem. I will do support for people
> that are in California, which has a 9 hour time difference with CERN. If
> they cannot use BNL grid resources because they are not properly matched in
> the CERN HR DB, needing both the user and CERN means a day for each mail
> iteration.

The migration from today's LDAP-based VOs to the complete
VOMRS-ORGDB-VOMS solution will take several months as the plan shows.
During this period, no valid user entry will stop working, as the
grid-map file will have mixed contents, originating from LDAP and VOMS
(see the plan again).

New VO candidates from California, who are not in ORGDB, will require
ORGDB people to be at CERN and the VO managers to be at work and the
grid-map/LCMAPS update procedures to run, so, yes, they will need no
less than 2 days to be processed. But today, when the VO managers have
to obtain auditable written proof from the Institute Representatives
(no longer needed with ORGDB), we certainly take some time as well.

> I am sure the main reason of the ignorance of doing any of these steps is
> mine, but to date the only way to do any of this is ask either of you. What
> can I start doing by myself?

Step 1 at the beginning of this mail.
Accept new users IF in ORGDB AND still working for ATLAS.

Thank you all very much for being so collaborative.
- maria

>
> Gabriele
>
> ------------------------------------
> Brookhaven National Lab (Bldg.510A)
> Upton, New York 11973
> Tel. : +1 (631) 344 4434
> Fax. : +1 (631) 344 7616
>

--
Maria Dimou-Zacharova http://cern.ch/dimou
CERN, CH-1211 Geneva 23, Switzerland
Maria.Dimou@cern.ch, Tel: +41-22-7673356, Fax: +41-22-7674900