Project

General

Profile

Production Group Account

The production efforts maintain a number of group accounts. If you are part of the production efforts you may or may not be included in the login list for these special accounts.

Currently the primary account used for production is the minospro account. This account is able to perform submission of special production jobs as well as being the home for a number of production related programs, scripts and items.

minospro Credentials

Normally, users submit jobs using authentication credentials based upon their kerberos login. The minospro account is different.

The minospro account uses a special "service certificate" to allow it to more generally submit jobs.

The service certificate was issued through the Open Science Grid (OSG) and has the following information:

"/CN=minospro/minos27.fnal.gov" 

Distinguished Name:
Subject: DC=com, DC=DigiCert-Grid, O=Open Science Grid, OU=Services, CN=minospro/minos27.fnal.gov

The public certificate and private key are held in a local area (non-nfs, non-afs) of the machines where they are installed. On the minos51 machine this is: /minos/app/home/minospro/grid/scratch/certs/

They are named:

minospro_minos27.pem
minospro_minos27-decrypted_key.pem

They can be used to generate an appropriate grid proxy using voms-proxy-init:


voms-proxy-init -cert=${CERT} -key=${KEY} --rfc --voms=fermilab:/fermilab/minos/Role=Production -out ${PROXY}<${INPUT

voms-proxy-init 
 -cert=/minos/app/home/minospro/grid/scratch/certs/minospro_minos27.pem 
 -key=/minos/app/home/minospro/grid/scratch/certs/minospro_minos27-decrypted_key.pem 
 --rfc 
 --voms=fermilab:/fermilab/minos/Role=Production

This identity is registered with the /Fermilab/nova VO and has Production role.

Summitting Jobs as minospro

The minospro certificates have been installed in the minospro account on minos51.

A cron entry renews the proxy every two hours. The entry reads:

0 */2 * * * source /minos/app/home/minospro/grid/scratch/minosproProxyRenewal.sh 

Before submitting a job, the user must define the appropriate static value for the variable X509_USER_PROXY. This can be done by using the following commands:

export X509_USER_PROXY=/minos/app/home/minospro/grid/scratch/minospro.Production.proxy

With this in place, the normal user can setup the jobsub client tool (from within the minospro account in minos51 machine) and submit a job transparently.

All the jobs will show up as being owned by minospro and have accounting that is linked to the minospro account.