Any user with a valid login ID on at least one submit host and one execution host can use the grid engine system. However, grid engine system managers can prohibit access for certain users to certain queues or to all queues. Furthermore, managers can restrict the use of facilities such as specific parallel environments. See Configuring Parallel Environments for more information.
In order to define access permissions, you must define user access lists, which are made up of named sets of users. You use user names and UNIX group names to define user access lists. The user access lists are then used either to deny or to allow access to a specific resource in any of the following configurations:
Cluster configuration – see Basic Cluster Configuration
Queue configuration – see Configuring Subordinate Queues
Parallel environment interface configuration – see Configuring Parallel Environments With QMON.
On the QMON Main Control window, click the User Configuration button, and then click the Userset tab. The Userset tab appears.
In the grid engine system, a userset can be either an Access List or a Department, or both. The two check boxes below the Usersets list indicate the type of the selected userset. This section describes access lists. Departments are explained in Defining Usersets As Projects and Departments.
The Usersets list displays all available access lists. To display the contents of an access list, select it. The contents are displayed in the Users/Groups list.
The names of groups are prefixed with an @ sign.
To add a new userset, click Add.
To modify an existing userset, select it, and then click Modify.
To delete a userset, select it, and then click Delete.
When you click Add or Modify, an Access List Definition dialog box appears.
To add a new access list definition, type the name of the access list in the Userset Name field. If you are modifying an existing access list, its name is displayed in the Userset Name field.
To add a new user or group to the access list, type a user or group name in the User/Group field. Be sure to prefix group names with an @ sign.
The Users/Groups list displays all currently defined users and groups.
To delete a user or group from the Users/Groups list, select it, and then click the trash icon.
To save your changes and close the dialog box, click OK. Click Cancel to close the dialog box without saving changes.
To configure user access lists from the command line, type the following command with appropriate options.
# qconf options
The following options are available:
qconf -au user-name[,...] access-list-name[,...]
The -au option (add user) adds one or more users to the specified access lists.
The -Au option (add user access list from file) uses a configuration file, filename, to add an access list.
qconf -du user-name[,...] access-list-name[,...]
The -du option (delete user) deletes one or more users from the specified access lists.
qconf -dul access-list-name[,...]
The -dul option (delete user list) completely removes userset lists.
The -mu option (modify user access list) modifies the specified access lists.
The -Mu option (modify user access list from file) uses a configuration file, filename, to modify the specified access lists.
qconf -su access-list-name[,...]
The -su option (show user access list) displays the specified access lists.
The -sul option (show user access lists) displays all access lists currently defined.
Usersets are also used to define grid engine system projects and departments. For details about projects, see Defining Projects.
Departments are used for the configuration of the functional policy and the override policy. Departments differ from access lists in that a user can be a member of only one department, whereas one user can be included in multiple access lists. For more details, see Configuring the Functional Policy and Configuring the Override Policy.
A Userset is identified as a department by the Department flag, which is shown in Figure 4–1 and Figure 4–2. A Userset can be defined as both a department and an access list at the same time. However, the restriction of only a single appearance by any user in any department applies.
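The following audit script is an added example, not part of the original guide. It parses userset definitions saved from qconf -su and reports any user or group listed in more than one department, the restriction described above. The name/type/entries field layout, the ACL and DEPT type values, and the NONE placeholder are assumed from the access_list(5) file format; the sample usersets are constructed.

```python
from collections import defaultdict
# Constructed sample in the assumed `qconf -su` layout (access_list(5) format).
# Userset names and members are made up for illustration.
SAMPLE = """\
name    deadlineusers
type    ACL
fshare  0
oticket 0
entries alice,bob,@staff

name    chemistry
type    ACL DEPT
fshare  100
oticket 0
entries alice,carol, \\
        dave

name    physics
type    DEPT
fshare  100
oticket 0
entries erin,alice
"""

def parse_usersets(text):
    """Return {name: {"types": set, "entries": list}} from userset text."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    usersets, current = {}, None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue  # blank line or a key with no value
        key, value = parts[0], parts[1].strip()
        if key == "name":  # each name line starts a new userset
            current = usersets.setdefault(value, {"types": set(), "entries": []})
        elif current is not None and key == "type":
            current["types"] = set(value.split())
        elif current is not None and key == "entries" and value.upper() != "NONE":
            current["entries"] = [e.strip() for e in value.split(",") if e.strip()]
    return usersets

def department_conflicts(usersets):
    """Map each entry listed in more than one department to those departments."""
    seen = defaultdict(list)
    for name, us in usersets.items():
        if "DEPT" in us["types"]:  # plain access lists may overlap freely
            for entry in us["entries"]:
                seen[entry].append(name)
    return {e: sorted(d) for e, d in seen.items() if len(d) > 1}
```

Entries prefixed with an @ sign are compared by name only; the script does not expand UNIX group membership, so a user who reaches two departments through different groups is not detected.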