Users of the grid engine system fall into four categories. Users in each category have access to their own set of grid engine system commands.
Managers – Managers have full capabilities to manipulate the grid engine system. By default, the superusers of all administration hosts have manager privileges.
Operators – Operators can perform many of the same commands as managers, with the exception of making configuration changes, for example, adding, deleting, or modifying queues.
Owners – Queue owners can suspend or enable the queues that they own. Queue owners can also suspend or enable the jobs within the queues they own. Queue owners have no other management permissions.
Users – Users have certain access permissions, as described in User Access Permissions. Users have no cluster management or queue management capabilities.
Table 2–1 shows the command capabilities that are available to the different user categories.
Table 2–1 User Categories and Associated Command Capabilities
Command |
Manager |
Operator |
Owner |
User |
---|---|---|---|---|
qacct |
Full |
Full |
Own jobs only |
Own jobs only |
qalter |
Full |
Full |
Own jobs only |
Own jobs only |
qconf |
Full |
No system setup modifications |
Show only configurations and access permissions |
Show only configurations and access permissions |
qdel |
Full |
Full |
Own jobs only |
Own jobs only |
qhold |
Full |
Full |
Own jobs only |
Own jobs only |
qhost |
Full |
Full |
Full |
Full |
qlogin |
Full |
Full |
Full |
Full |
qmod |
Full |
Full |
Own jobs and owned queues only |
Own jobs only |
qmon |
Full |
No system setup modifications |
No configuration changes |
No configuration changes |
qrexec |
Full |
Full |
Full |
Full |
qselect |
Full |
Full |
Full |
Full |
qsh |
Full |
Full |
Full |
Full |
qstat |
Full |
Full |
Full |
Full |
qsub |
Full |
Full |
Full |
Full |
The administrator can restrict access to queues and other facilities, such as parallel environment interfaces. Access can be restricted to certain users or user groups.
The grid engine software automatically takes into account the access restrictions configured by the cluster administration. The following sections are important only if you want to query your personal access permission.
For the purpose of restricting access permissions, the administrator creates and maintains access lists (ACLs). The ACLs contain user names and UNIX group names. The ACLs are then added to access-allowed or access-denied lists in the queue or in the parallel environment interface configurations. For more information, see the queue_conf(5) or sge_pe(5) man pages.
Users who belong to ACLs that are listed in access-allowed-lists have permission to access the queue or the parallel environment interface. Users who are members of ACLs in access-denied-lists cannot access the resource in question.
ACLs are also used to define projects, to which the corresponding users have access, that is, to which users can subordinate their jobs. The administrator can also restrict access to cluster resources on a per project basis.
The User Configuration dialog box opens when you click the User Configuration button in the QMON Main Control window. This dialog box enables you to query for the ACLs to which you have access. For details, see Chapter 4, Managing User Access, in Sun N1 Grid Engine 6.1 Administration Guide.
You can display project access by clicking the Project Configuration icon in the QMON Main Control window. Details are described in Defining Projects in Sun N1 Grid Engine 6.1 Administration Guide.
From the command line, you can get a list of the currently configured ACLs with the following command:
% qconf -sul |
You can list the entries in one or more access lists with the following command:
% qconf -su acl-name[,...] |
The ACLs consist of user account names and UNIX group names, with the UNIX group names identified by a prefixed @ sign. In this way, you can determine which ACLs your account belongs to.
If you have permission to switch your primary UNIX group with the newgrp command, your access permissions might change.
You can check for those queues or parallel environment interfaces to which you have access or to which your access is denied. Query the queue or parallel environment interface configuration, as described in Displaying Queues and Queue Properties and Configuring Parallel Environments With QMON in Sun N1 Grid Engine 6.1 Administration Guide.
The access-allowed-lists are named user_lists. The access-denied-lists are named xuser_lists. If your user account or primary UNIX group is associated with an access-allowed-list, you are allowed to access the resource in question. If you are associated with an access-denied-list, you cannot access the queue or parallel environment interface. If both lists are empty, every user with a valid account can access the resource in question.
You can control project configurations from the command line using the following commands:
% qconf -sprjl % qconf -sprj project-name |
These commands display a list of defined projects and a list of particular project configurations, respectively. The projects are defined through ACLs. You must query the ACL configurations, as described in the previous paragraph.
If you have access to a project, you are allowed to submit jobs that are subordinated to the project. You can submit such jobs from the command line using the following command:
% qsub -P project-name options |
The cluster configurations, host configurations, and queue configurations define project access in the same way as for ACLs. These configurations use the project_lists and xproject_lists parameters for this purpose.
Use the following command to display a list of grid engine system managers:
% qconf -sm |
Use the following command to display a list of operators:
% qconf -so |
The superuser of an administration host is considered to be a manager by default.
Users who are owners of a certain queue are contained in the queue configuration, as described in Displaying Queues and Queue Properties. You can display the queue configuration by typing the following command:
% qconf -sq {cluster-queue | queue-instance | queue-domain} |
The queue configuration entry in question is called owner_list.