A site admin needs to analyze the jobs that fail against his sites, one of the tool to analyze them is glite-wms-job-logging-info but because he is not the owner
of the failed jobs, the command fails like in this example:
glite.lb.Exception: edg_wll_JobLog: Operation not permitted: matching
jobs found but authorization failed
at glite::lb::Job::log[../src/Job.cpp:123]
It is required a way to see those logs with the site admin role.
A proposed way is:
the LB or maybe the WMS automatically set the ACL of a job by retrieving from the GOCDB the list of X509s related to the site where the job is going to run implementing the READ permission by default.
This request is a "wish". All details on the ticket.
Sara Bertocco
How about authorising the DN of the CE the job is sent to? Presumably the site admin has access to the host cert ...
Stephen Burke
Hello
just to disambiguate my phrase "list of X509s";
there I mean the list of X509s of site admins associated to that CE or site, not the X509 of the CE where the job will run.
This is a copy of original issue https://savannah.cern.ch/bugs/?89371 by Sara Bertocco
A site admin needs to analyze the jobs that fail against his sites, one of the tool to analyze them is glite-wms-job-logging-info but because he is not the owner of the failed jobs, the command fails like in this example:
glite.lb.Exception: edg_wll_JobLog: Operation not permitted: matching jobs found but authorization failed at glite::lb::Job::log[../src/Job.cpp:123]
It is required a way to see those logs with the site admin role. A proposed way is: the LB or maybe the WMS automatically set the ACL of a job by retrieving from the GOCDB the list of X509s related to the site where the job is going to run implementing the READ permission by default.
This request is a "wish". All details on the ticket.
Sara Bertocco
How about authorising the DN of the CE the job is sent to? Presumably the site admin has access to the host cert ...
Stephen Burke
Hello
just to disambiguate my phrase "list of X509s";
there I mean the list of X509s of site admins associated to that CE or site, not the X509 of the CE where the job will run.
many thanks, cheers Fabio