Tier3 for Users

For information on using ATLAS software please see this section of our index page: WebHome#AGLT2_User_Information

Information here includes how to use CVMFS releases to compile against ATLAS software releases, how to setup SSH keys, how to get a grid certificate, and more.

Connecting

The interactive machine is where you can directly login with your afs account with a ssh terminal such as putty, And login to all other machines need to go through the interactive machine.

ssh [username]@umt3int0x.aglt2.org

x ∈ {1, 2, 3, 4, 5 }

The list of interactive machines:

umt3int01.aglt2.org

umt3int02.aglt2.org

umt3int03.aglt2.org

umt3int04.aglt2.org

umt3int05.aglt2.org

gc-9-36.aglt2.org

gc-7-31.aglt2.org

Kerberos and AFS

• When you log into one of the above interactive machines your home directory is: /afs/atlas.umich.edu/home/your_login_name

• You probably have a home directory at CERN accessible from here: /afs/cern.ch/user/first_letter_of_login/your_login_name

Example: /afs/cern.ch/user/b/bmeekhof

• You definitely have a home directory at UM : /afs/umich.edu/user/first_letter_of_login/second_letter_of_login/your_login_name

Example: /afs/umich.edu/user/b/m/bmeekhof

• If you seem unable to write to your AFS directory, get new tickets:

  bmeekhof@umt3int03 ~ > kinit Password for bmeekhof@ATLAS.UMICH.EDU: bmeekhof@umt3int03 ~ > aklog 

• You can also get Kerberos tickets for CERN or UM to write to your directories in those locations from the UM interactive machines:

  bmeekhof@umt3int03 ~ > kinit bmeekhof@CERN.CH Password for bmeekhof@CERN.CH: bmeekhof@umt3int03 ~ > aklog cern.ch

• If you have kerberos tickets for CERN you should be able to login to lxplus.cern.ch with no password. The same will possibly apply to other CERN machines providing services. However you will still have to manually kinit and aklog to write to your directory. This is not the case if you use a password login. Explaining why is beyond the scope of this document.

If you see the following error from aklog, you don't have a valid Kerberos ticket. Try running "kinit" again or contact an administrator for help.

umt3int3 ~ > /afs/atlas.umich.edu/home/rockwell > aklog
aklog: Couldn't get atlas.umich.edu AFS tickets:
aklog: unknown RPC error (-1765328189) while getting AFS tickets

AFS ACLs

• • Every directory in AFS has an Access Control List (ACL). We pronounce this "akel" and use your reaction to determine if you are a normal human being or if you know what an ACL is.

• • To see the ACLs on a directory:

bmeekhof@umt3int03 ~ > fs listacl public Access list for public is Normal rights: system:administrators rlidwka system:anyuser rl bmeekhof rlidwka 

• • Notice how in the example above that anybody (system:anyuser) can Read and List (rl). Only bmeekhof can Read, Lookup, Insert, Delete, Write, locK, or Admin (rlidwka). Admin means change the ACL.

• • This link explains better what the permissions mean: http://docs.openafs.org/UserGuide/ch04s02.html. Suffice it to say that you'll mostly use "rl" if you want people to read, "rlidwk" if you want to let people write. Use "a" in addition if you want them to be able to change the ACL

• • Here are some examples of setting ACLs:
    

Setting an ACL on a directory named "public" to allow some other authenticated user besides yourself to write.

fs setacl public other_user_name rlidwk 

Setting an ACL on a directory named "public" allowing any user to read it. "system:authuser" is authenticated users with tickets for this AFS cell only. Ie, those users who did "kinit" and "aklog" and have tickets for the AFS cell. "system:anyuser" is all users, anywhere, anyplace.

fs setacl public system:authuser rl 

-- BenMeekhof - 23 Jun 2009