Configuring User Access Lists (Sun N1 Grid Engine 6.1 Administration Guide)

Sun N1 Grid Engine 6.1 Administration Guide

Configuring User Access Lists

Any user with a valid login ID on at least one submit host and one execution host can use the grid engine system. However, grid engine system managers can prohibit access for certain users to certain queues or to all queues. Furthermore, managers can restrict the use of facilities such as specific parallel environments. See Configuring Parallel Environments for more information.

In order to define access permissions, you must define user access lists, which are made up of named sets of users. You use user names and UNIX group names to define user access lists. The user access lists are then used either to deny or to allow access to a specific resource in any of the following configurations:

Cluster configuration – see Basic Cluster Configuration
Queue configuration – see Configuring Subordinate Queues
Configuring of parallel environment interfaces – see Configuring Parallel Environments With QMON.

Configuring User Access Lists With `QMON`

On the QMON Main Control window, click the User Configuration button, and then click the Userset tab. The Userset tab appears.

Figure 4–1 Userset Tab

Dialog box titled User Configuration. Shows Userset tab with
list of usersets. Shows Add, Modify, Delete, Tickets, Done, and Help buttons.

In the grid engine system, a userset can be either an Access List or a Department, or both. The two check boxes below the Usersets list indicate the type of the selected userset. This section describes access lists. Departments are explained in Defining Usersets As Projects and Departments.

The Usersets lists displays all available access lists. To display the contents of an access list, select it. The contents are displayed in the Users/Groups list.

Note –

The names of groups are prefixed with an @ sign.

To add a new userset, click Add.

To modify an existing userset, select it, and then click Modify.

To delete a userset, select it, and then click Delete.

When you click Add or Modify, an Access List Definition dialog box appears.

Figure 4–2 Access List Definition Dialog Box

Dialog box titled QMON. Shows Userset Name and User/Group fields,
and list of Users/Groups included in the userset. Shows Ok and Cancel buttons.

To add a new access list definition, type the name of the access list in the Userset Name field. If you are modifying an existing access list, its name is displayed in the Userset Name field.

To add a new user or group to the access list, type a user or group name in the User/Group field. Be sure to prefix group names with an @ sign.

The Users/Groups list displays all currently defined users and groups.

To delete a user or group from the Users/Groups list, select it, and then click the trash icon.

To save your changes and close the dialog box, click OK. Click Cancel to close the dialog box without saving changes.

Configuring User Access Lists From the Command Line

To configure user access lists from the command line, type the following command with appropriate options.

# qconf options

The following options are available:

qconf -au user-name[,...]access-list-name[,...]

The -au option (add user) adds one or more users to the specified access lists.
qconf -Au filename

The -Au option (add user access list from file) uses a configuration file, filename, to add an access list.
qconf -du user-name[,...] access-list-name [,...]

The -du option (delete user) deletes one or more users from the specified access lists.
qconf -dul access-list-name[,...]

The -dul option (delete user list) completely removes userset lists.
qconf -mu access-list-name

The -mu option (modify user access list) modifies the specified access lists.
qconf -Mu filename

The -Mu option (modify user access list from file) uses a configuration file, filename, to modify the specified access lists.
qconf -su access-list-name[,...]

The -su option (show user access list) displays the specified access lists.
qconf -sul

The -sul option (show user access lists) displays all access lists currently defined.

Defining Usersets As Projects and Departments

Usersets are also used to define grid engine system projects and departments. For details about projects, see Defining Projects.

Departments are used for the configuration of the functional policy and the override policy. Departments differ from access lists in that a user can be a member of only one department, whereas one user can be included in multiple access lists. For more details, see Configuring the Functional Policy and Configuring the Override Policy.

A Userset is identified as a department by the Department flag, which is shown in Figure 4–1 and Figure 4–2. A Userset can be defined as both a department and an access list at the same time. However, the restriction of only a single appearance by any user in any department applies.