Tier3 for Users
For information on using ATLAS software please see this section of our index page:
WebHome#AGLT2_User_Information
Information here includes how to use CVMFS releases to compile against ATLAS software releases, how to setup SSH keys, how to get a grid certificate, and more.
Connecting
Users can ssh to these machines using a password:
umt3int01.physics.lsa.umich.edu
umt3int02.physics.lsa.umich.edu
umt3int03.physics.lsa.umich.edu
Kerberos and AFS
- When you log into one of the above interactive machines your home directory is: /afs/atlas.umich.edu/home/your_login_name
- You probably have a home directory at CERN accessible from here: /afs/cern.ch/user/first_letter_of_login/your_login_name
Example: /afs/cern.ch/user/b/bmeekhof
- You definitely have a home directory at UM: /afs/umich.edu/user/first_letter_of_login/second_letter_of_login/your_login_name
Example: /afs/umich.edu/user/b/m/bmeekhof
- If you seem unable to write to your AFS directory, get new tickets:
bmeekhof@umt3int03 ~ > kinit
Password for bmeekhof@ATLAS.UMICH.EDU:
bmeekhof@umt3int03 ~ > aklog
- You can also get Kerberos tickets for CERN or UM to write to your directories in those locations from the UM interactive machines:
bmeekhof@umt3int03 ~ > kinit bmeekhof@CERN.CH
Password for bmeekhof@CERN.CH:
bmeekhof@umt3int03 ~ > aklog cern.ch
- If you have Kerberos tickets for CERN you should be able to log in to lxplus.cern.ch with no password. The same may apply to other CERN machines providing services. However, you will still have to manually kinit and aklog to write to your directory. This is not the case if you use a password login. Explaining why is beyond the scope of this document.
If you see the following error from aklog, you don't have a valid Kerberos ticket. Try running "kinit" again or contact an administrator for help.
umt3int3 ~ > /afs/atlas.umich.edu/home/rockwell > aklog
aklog: Couldn't get atlas.umich.edu AFS tickets:
aklog: unknown RPC error (-1765328189) while getting AFS tickets
AFS ACLs
- Every directory in AFS has an Access Control List (ACL). We pronounce this "akel" and use your reaction to determine if you are a normal human being or if you know what an ACL is.
- To see the ACLs on a directory:
bmeekhof@umt3int03 ~ > fs listacl public
Access list for public is
Normal rights:
system:administrators rlidwka
system:anyuser rl
bmeekhof rlidwka
- Notice in the example above that anybody (system:anyuser) can Read and Lookup (rl). Apart from system:administrators, only bmeekhof can Read, Lookup, Insert, Delete, Write, locK, or Admin (rlidwka). Admin means change the ACL.
- This link explains better what the permissions mean: http://docs.openafs.org/UserGuide/ch04s02.html. Suffice it to say that you'll mostly use "rl" if you want people to read, "rlidwk" if you want to let people write. Use "a" in addition if you want them to be able to change the ACL.
- Here are some examples of setting ACLs:
Setting an ACL on a directory named "public" to allow some other authenticated user besides yourself to write.
fs setacl public other_user_name rlidwk
Setting an ACL on a directory named "public" allowing any authenticated user to read it. "system:authuser" is authenticated users with tickets for this AFS cell only, i.e., those users who did "kinit" and "aklog" and have tickets for the AFS cell. "system:anyuser" is all users, anywhere, anyplace.
fs setacl public system:authuser rl
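To check a directory for grants that are broader than intended, the following added example (not part of the original page) reads "fs listacl" output in the format shown above and flags entries for system:anyuser and system:authuser. The function name audit_acl, the finding labels and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag broad grants in `fs listacl` output read from stdin.
# Prints one "principal rights finding" line per problem entry.
# Real use (assumes the OpenAFS `fs` client):  fs listacl public | audit_acl
audit_acl() {
    awk '
        /^Access list for/  { next }                 # header line
        /^Normal rights:/   { negative = 0; next }   # grants follow
        /^Negative rights:/ { negative = 1; next }   # denials follow, not grants
        negative || NF != 2 { next }
        {
            who = $1; rights = $2
            # Only the two catch-all groups described above are of interest.
            if (who != "system:anyuser" && who != "system:authuser") next
            if (rights ~ /a/)
                print who, rights, "can-change-acl"
            else if (rights ~ /[idw]/)
                print who, rights, "can-write"
            else if (who == "system:anyuser" && rights ~ /r/)
                print who, rights, "world-readable"
        }
    '
}

# Constructed sample listing (not captured from a real cell).
SAMPLE_ACL='Access list for public is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  system:authuser rlidwk
  bmeekhof rlidwka'

printf '%s\n' "$SAMPLE_ACL" | audit_acl
```

A "world-readable" finding on a directory you meant to publish is expected; "can-write" or "can-change-acl" for either group usually means the ACL should be tightened with fs setacl.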
--
BenMeekhof - 23 Jun 2009