SAM Administration

Users are regularly cloned from the VOMS/GUMS database.
They can be viewed, added and modified by users in the admin_role group.

LIST USERS

samweb list-users | sort
aback
agao
amandajw
anniepro
...

samweb describe-user kreymer
     Username: kreymer
      User Id: 8
       Status: active
       Groups: annie
             : admin_role
Grid Subjects:

samweb add-user --first-name=Mayly --last-name=Sanchez --email=msanchez@fnal.gov --groups="annie,admin_role" msanchez

Administrators

Users in the group admin_role can modify other users and add dimension values.

Typical addition:

$ USE=moflaher
$ samweb modify-user --groups=annie,admin_role ${USE}
User 'moflaher' has been updated

As of 2017/02/21 admins are:
etiras
kreymer
moflaher
msanchez

Shared accounts

Authentication issues

SAM authentication is via SSL, with proxies available from a couple of sources:
  • OSG service certificate, renewed annually.
  • kx509 from a Kerberos ticket
    • service certificates are not supported by kx509

To avoid expiration of OSG certificates, we will start by using a person's kcron keytab.

annieraw

2017/02/22

Added the user

samweb add-user --first-name=Annie \
--last-name=Daq \
--email=brichard@fnal.gov \
--groups="annie" \
annieraw

Pushed a keytab to /opt/annieraw and noted the corresponding subject

    kreymer@anniegpvm01

KEYTAB=/var/adm/krb5/`kcron -f`

scp ${KEYTAB} annieraw@annie01:/opt/annieraw/kreymer-anniegpvm01.keytab
scp ${KEYTAB} annieraw@annie02:/opt/annieraw/kreymer-anniegpvm01.keytab

export KRB5CCNAME="FILE:/tmp/krb5cc_sam_`whoami`_${$}" 
KEYTAB=/opt/annieraw/kreymer-anniegpvm01.keytab
PRINC=`klist -k ${KEYTAB} | grep FNAL.GOV | cut -c 5- | head -1`
kinit -5 -A  -kt ${KEYTAB} ${PRINC}
/usr/bin/kx509
Authorizing ...... authorized
Fetching certificate ..... fetched
Storing certificate in /tmp/x509up_u51481
Your certificate is valid until: Wed Mar  1 09:51:42 2017

openssl x509 -in /tmp/x509up_u51481 -noout -subject

subject= /DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=Robots/CN=anniegpvm01.fnal.gov/CN=cron/CN=Arthur Kreymer/CN=UID:kreymer

Added the subject to the SAM annieraw account

SUBJ='/DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=Robots/CN=minos27.fnal.gov/CN=cron/CN=Arthur Kreymer/CN=UID:kreymer'

samweb modify-user --addgridsubject="${SUBJ}" mindata
User 'mindata' has been updated
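
The keytab, proxy and subject steps above can be checked before a cron job relies on them. The script below is an added example, not part of the original page or of samweb: the function names and MIN_LEFT are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/bash
# Added example: pre-flight checks for a shared-account keytab and kx509 proxy.
# Function names and MIN_LEFT are hypothetical; stat -c assumes GNU coreutils.

# Succeed only for a regular, non-symlink file with no group/other permission
# bits (modes such as 600 or 400).
keytab_is_private() {
    local f="$1" mode
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read `openssl x509 -noout -subject` output on stdin and print the bare
# /DC=.../CN=... string. Any other layout (some OpenSSL versions print a
# comma-separated form) yields nothing rather than a guessed conversion.
subject_dn() {
    sed -n 's/^subject= *\(\/.*\)$/\1/p' | head -1
}

# Succeed only if the subject on stdin equals the subject registered in SAM.
subject_matches() {
    local expected="$1" actual
    actual=$(subject_dn)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Combined check; distinct return codes say which condition failed.
# Usage: preflight KEYTAB PROXY_FILE "REGISTERED_SUBJECT"
preflight() {
    local keytab="$1" proxy="$2" expected="$3"
    keytab_is_private "$keytab" ||
        { echo "keytab missing or not private: $keytab" >&2; return 2; }
    openssl x509 -in "$proxy" -noout -checkend "${MIN_LEFT:-3600}" >/dev/null ||
        { echo "proxy missing or expiring soon: $proxy" >&2; return 3; }
    openssl x509 -in "$proxy" -noout -subject | subject_matches "$expected" ||
        { echo "proxy subject unrecognised or not the registered one" >&2; return 4; }
}
```

A non-zero return from `preflight` identifies which of the three conditions failed, so the calling job can stop before contacting SAM with a credential that is exposed, about to expire, or not the registered one.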