Configuring User Access

The grid engine system has the following four categories of users:

• Managers. Managers have full capabilities to manipulate the grid engine system. By default, the superusers of the master host and of any machine that hosts a queue instance have manager privileges.

• Operators. Operators can perform many of the same commands as managers, except that operators cannot add, delete, or modify queues.

• Owners. Queue owners are restricted to suspending and resuming, or disabling and enabling, the queues that they own. These privileges are necessary for successful use of qidle. Users are commonly declared to be owners of the queue instances that reside on their desktop workstations.

• Users. Users have certain access permissions, as described in Configuring Users, but users have no cluster or queue management capabilities.

The following sections describe each category in more detail.

Configuring Manager Accounts

You can configure Manager accounts with QMON or from the command line.

Configuring Manager Accounts With QMON

On the QMON Main Control window, click the User Configuration button. The Manager tab appears, which enables you to declare which accounts are allowed to run any administrative command.

This tab lists all accounts that are already declared to have administrative permission.

To add a new manager account, type its name in the field above the manager account list, and then click Add or press the Return key.

To delete a manager account, select it, and then click Delete.

Configuring Manager Accounts From the Command Line

To configure a manager account from the command line, type the following command with appropriate options:

# qconf options

The following options are available:

• qconf -am user-name [,...]

  The -am option (add manager) adds one or more users to the list of grid engine system managers. By default, the root accounts of all trusted hosts are grid engine system managers. See About Hosts and Daemons for more information.

• qconf -dm user-name [,...]

  The -dm option (delete manager) deletes the specified users from the list of grid engine system managers.

• qconf -sm

  The -sm option (show managers) displays a list of all grid engine system managers.

Configuring Operator Accounts

You can configure operator accounts with QMON or from the command line.

Configuring Operator Accounts With QMON

On the QMON Main Control window, click the User Configuration button, and then click the Operator tab.

The Operator tab enables you to declare which accounts are allowed to have restricted administrative permission, unless the accounts are also declared to be manager accounts. See Configuring Manager Accounts With QMON.

This tab lists all accounts that are already declared to have operator permission.

To add a new operator account, type its name in the field above the operator account list, and then click Add or press the Return key.

To delete an operator account, select it, and then click Delete.

Configuring Operator Accounts From the Command Line

To configure an operator account from the command line, type the following command with appropriate options:

# qconf options

The following options are available:

• qconf -ao user-name[,...]

  The -ao option (add operator) adds one or more users to the list of grid engine system operators.

• qconf -do user-name[,...]

  The -do option (delete operator) deletes the specified users from the list of grid engine system operators.

• qconf -so

  The -so option (show operators) displays a list of all grid engine system operators.

Configuring User Access Lists

Any user with a valid login ID on at least one submit host and one execution host can use the grid engine system. However, grid engine system managers can prohibit access for certain users to certain queues or to all queues. Furthermore, managers can restrict the use of facilities such as specific parallel environments. See Configuring Parallel Environments for more information.

In order to define access permissions, you must define user access lists, which are made up of named sets of users. You use user names and UNIX group names to define user access lists. The user access lists are then used either to deny or to allow access to a specific resource in any of the following configurations:

• Cluster configuration – see Basic Cluster Configuration

• Queue configuration – see Configuring Subordinate Queues

• Configuring of parallel environment interfaces – see Configuring Parallel Environments With QMON.

Configuring User Access Lists With QMON

On the QMON Main Control window, click the User Configuration button, and then click the Userset tab. The Userset tab appears.

Figure 4–1 Userset Tab

In the grid engine system, a userset can be either an Access List or a Department, or both. The two check boxes below the Usersets list indicate the type of the selected userset. This section describes access lists. Departments are explained in Defining Usersets As Projects and Departments.

The Usersets lists displays all available access lists. To display the contents of an access list, select it. The contents are displayed in the Users/Groups list.

The names of groups are prefixed with an @ sign.

To add a new userset, click Add.

To modify an existing userset, select it, and then click Modify.

To delete a userset, select it, and then click Delete.

When you click Add or Modify, an Access List Definition dialog box appears.

Figure 4–2 Access List Definition Dialog Box

To add a new access list definition, type the name of the access list in the Userset Name field. If you are modifying an existing access list, its name is displayed in the Userset Name field.

To add a new user or group to the access list, type a user or group name in the User/Group field. Be sure to prefix group names with an @ sign.

The Users/Groups list displays all currently defined users and groups.

To delete a user or group from the Users/Groups list, select it, and then click the trash icon.

To save your changes and close the dialog box, click OK. Click Cancel to close the dialog box without saving changes.

Configuring User Access Lists From the Command Line

To configure user access lists from the command line, type the following command with appropriate options.

# qconf options

The following options are available:

• qconf -au user-name[,...]access-list-name[,...]

  The -au option (add user) adds one or more users to the specified access lists.

• qconf -Au filename

  The -Au option (add user access list from file) uses a configuration file, filename, to add an access list.

• qconf -du user-name[,...] access-list-name [,...]

  The -du option (delete user) deletes one or more users from the specified access lists.

• qconf -dul access-list-name[,...]

  The -dul option (delete user list) completely removes userset lists.

• qconf -mu access-list-name

  The -mu option (modify user access list) modifies the specified access lists.

• qconf -Mu filename

  The -Mu option (modify user access list from file) uses a configuration file, filename, to modify the specified access lists.

• qconf -su access-list-name[,...]

  The -su option (show user access list) displays the specified access lists.

• qconf -sul

  The -sul option (show user access lists) displays all access lists currently defined.

Defining Usersets As Projects and Departments

Usersets are also used to define grid engine system projects and departments. For details about projects, see Defining Projects.

Departments are used for the configuration of the functional policy and the override policy. Departments differ from access lists in that a user can be a member of only one department, whereas one user can be included in multiple access lists. For more details, see Configuring the Functional Policy and Configuring the Override Policy.

A Userset is identified as a department by the Department flag, which is shown in Figure 4–1 and Figure 4–2. A Userset can be defined as both a department and an access list at the same time. However, the restriction of only a single appearance by any user in any department applies.

Configuring Users

You must declare user names before you define the share-based, functional, or override policies for users. See Configuring Policy-Based Resource Management With QMON.

If you do not want to explicitly declare user names before you define policies, the grid engine system can automatically create users for you, based on predefined default values. The automatic creation of users can significantly reduce the administrative burden for sites with many users.

To have the system create users automatically, set the Enforce User parameter on the Cluster Settings dialog box to Auto. To set default values for automatically created users, specify values for the following Automatic User Defaults on the Cluster Settings dialog box:

• Override Tickets

• Functional Shares

• Default Project

• Delete Time

For more information about the cluster configuration, see Basic Cluster Configuration.

Configuring User Objects With QMON

On the QMON Main Control window, click the User Configuration button, and then click the User tab. The User tab looks like the following figure:

To add a new user, type a user name in the field above the User list, and then click Add or press the Return key.

To delete a user, select the user name in the User list, and then click Delete.

The Delete Time column is read-only. The column indicates the time at which automatically created users are to be deleted from the grid engine system. Zero indicates that the user will never be deleted.

You can assign a default project to each user. The default project is attached to each job that users submit, unless those users request another project to which they have access. For details about projects, see Defining Projects.

To assign a default project, select a user, and then click the Default Project column heading. A Project Selection dialog box appears.

Select a project for the highlighted user entry.

Click OK to assign the default project and close the dialog box. Click Cancel to close the dialog box without assigning the default project.

Configuring User Objects From the Command Line

To configure user objects from the command line, type the following command with appropriate options:

# qconf options

The following options are available:

• qconf -auser

  The -auser option (add user) opens a template user configuration in an editor. See the user(5) man page. The editor is either the default vi editor or the editor specified by the EDITOR environment variable. After you save your changes and exit the editor, the changes are registered with sge_qmaster.

• qconf -Auser filename

  The -Auser option (add user from file) parses the specified file and adds the user configuration.

  The file must have the format of the user configuration template.

• qconf -duser user-name[,...]

  The -duser option (delete user) deletes one or more user objects.

• qconf -muser user-name

  The -muser option (modify user) enables you to modify an existing user entry. The option loads the user configuration in an editor. The editor is either the default vi editor or the editor specified by the EDITOR environment variable. After you save your changes and exit the editor, the changes are registered with sge_qmaster.

• qconf -Muser filename

  The -Muser option (modify user from file) parses the specified file and modifies the user configuration.

  The file must have the format of the user configuration template.

• qconf -suser user-name

  The -suser option (show user) displays the configuration of the specified user.

• qconf -suserl

  The -suserl option (show user list) displays a list of all currently defined users.