Sun N1 Grid Engine 6.1 User's Guide

User Access Permissions

The administrator can restrict access to queues and other facilities, such as parallel environment interfaces. Access can be restricted to certain users or user groups.


Note –

The grid engine software automatically takes into account the access restrictions configured by the cluster administration. The following sections are important only if you want to query your personal access permission.


For the purpose of restricting access permissions, the administrator creates and maintains access lists (ACLs). The ACLs contain user names and UNIX group names. The ACLs are then added to access-allowed or access-denied lists in the queue or in the parallel environment interface configurations. For more information, see the queue_conf(5) or sge_pe(5) man pages.

Users who belong to ACLs that are listed in access-allowed-lists have permission to access the queue or the parallel environment interface. Users who are members of ACLs in access-denied-lists cannot access the resource in question.

ACLs are also used to define projects to which the corresponding users have access, that is, projects to which those users can subordinate their jobs. The administrator can also restrict access to cluster resources on a per-project basis.

The User Configuration dialog box opens when you click the User Configuration button in the QMON Main Control window. This dialog box enables you to query for the ACLs to which you have access. For details, see Chapter 4, Managing User Access, in Sun N1 Grid Engine 6.1 Administration Guide.

You can display project access by clicking the Project Configuration icon in the QMON Main Control window. Details are described in Defining Projects in Sun N1 Grid Engine 6.1 Administration Guide.

From the command line, you can get a list of the currently configured ACLs with the following command:


% qconf -sul

You can list the entries in one or more access lists with the following command:


% qconf -su acl-name[,...]

The ACLs consist of user account names and UNIX group names, with the UNIX group names identified by a prefixed @ sign. In this way, you can determine which ACLs your account belongs to.


Note –

If you have permission to switch your primary UNIX group with the newgrp command, your access permissions might change.


You can check for those queues or parallel environment interfaces to which you have access or to which your access is denied. Query the queue or parallel environment interface configuration, as described in Displaying Queues and Queue Properties and Configuring Parallel Environments With QMON in Sun N1 Grid Engine 6.1 Administration Guide.

The access-allowed-lists are named user_lists. The access-denied-lists are named xuser_lists. If your user account or primary UNIX group is associated with an access-allowed-list, you are allowed to access the resource in question. If you are associated with an access-denied-list, you cannot access the queue or parallel environment interface. If both lists are empty, every user with a valid account can access the resource in question.
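The following sh script is an added example, not part of the Sun documentation. It evaluates the user_lists and xuser_lists rules above for one account and primary group, and shows why the newgrp note matters. The function names and the sample ACL text (written in the layout that qconf -su prints, with entries on a single line) are constructed for illustration, and the script assumes that a match in xuser_lists overrides a match in user_lists, as queue_conf(5) describes.

```shell
#!/bin/sh
# Constructed sample in the layout `qconf -su devusers,contractors` prints.
# On a cluster, replace the body of acl_text with: qconf -su "$1"
acl_text() {
cat <<'EOF'
name    devusers
type    ACL
fshare  0
oticket 0
entries alice,@staff
name    contractors
type    ACL
fshare  0
oticket 0
entries bob,@temps
EOF
}

# acl_member ACL USER GROUP: succeed if USER or @GROUP is an entry of ACL.
acl_member() {
    acl_text "$1" | awk -v acl="$1" -v user="$2" -v grp="@$3" '
        $1 == "name" { cur = $2 }
        $1 == "entries" && cur == acl {
            n = split($2, e, ",")
            for (i = 1; i <= n; i++)
                if (e[i] == user || e[i] == grp) found = 1
        }
        END { exit !found }'
}

# in_any_list "acl1,acl2" USER GROUP: succeed if any named ACL matches.
in_any_list() {
    for acl in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$acl" = "NONE" ] && continue
        acl_member "$acl" "$2" "$3" && return 0
    done
    return 1
}

# queue_access USER PRIMARY_GROUP USER_LISTS XUSER_LISTS: print allowed/denied.
queue_access() {
    # Assumption: deny wins when an account matches both lists.
    if in_any_list "$4" "$1" "$2"; then echo denied; return 0; fi
    # Empty access-allowed-list: nothing restricts access beyond xuser_lists.
    if [ -z "$3" ] || [ "$3" = "NONE" ]; then echo allowed; return 0; fi
    if in_any_list "$3" "$1" "$2"; then echo allowed; else echo denied; fi
}
# Same account, different primary group (the newgrp case): access changes.
echo "carol/staff: $(queue_access carol staff devusers NONE)"
echo "carol/eng:   $(queue_access carol eng devusers NONE)"
```

The user_lists and xuser_lists arguments are the values shown in the queue or parallel environment configuration, passed as comma-separated ACL names or NONE.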

You can display project configurations from the command line using the following commands:


% qconf -sprjl
% qconf -sprj project-name

These commands display the list of defined projects and the configuration of a particular project, respectively. Projects are defined through ACLs, so you must query the ACL configurations as described earlier in this section.

If you have access to a project, you are allowed to submit jobs that are subordinated to the project. You can submit such jobs from the command line using the following command:


% qsub -P project-name options

The cluster configurations, host configurations, and queue configurations define project access in the same way as for ACLs. These configurations use the project_lists and xproject_lists parameters for this purpose.