...
- Get user (entity) info and groups from Unity
- If the user doesn't belong to any of the locally accepted B2ACCESS groups, remove the user from the local (iRODS) groups that are maps of B2ACCESS groups (e.g. from the PRACE group) and exit.
- If the user doesn't have a local iRODS account, create it and add a DN mapping to that account. The local username may be a concatenation of some string and the B2ACCESS id or persistent id (configurable).
- Add the user to local groups according to group map configuration.
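The login-time steps above, as an added example written for this page rather than code from the PRACE/EUDAT integration itself. It models the iRODS user, group and DN-mapping catalog as an in-memory stand-in (an assumption; the real tool talks to iRODS), takes the group map configuration as a dict of B2ACCESS group to local group, and uses a constructed username prefix.

```python
from dataclasses import dataclass, field


@dataclass
class LocalCatalog:
    """Constructed stand-in for the iRODS catalog (assumption, not the real API)."""
    users: set = field(default_factory=set)          # local usernames
    dn_map: dict = field(default_factory=dict)       # DN -> local username
    groups: dict = field(default_factory=dict)       # local group -> set of users


def provision_on_login(cat, dn, entity_id, b2access_groups, group_map,
                       prefix="b2a_"):
    """Apply the login workflow for one user.

    group_map maps B2ACCESS group names to local iRODS group names; the
    B2ACCESS groups it lists are the 'locally accepted' ones.  Returns the
    local username, or None when the user belongs to no accepted group (then
    the user is only dropped from the mapped local groups and nothing is
    created).  The prefix/ID naming scheme is a configurable assumption.
    """
    accepted = [g for g in b2access_groups if g in group_map]
    mapped_local = set(group_map.values())
    user = cat.dn_map.get(dn)

    if not accepted:
        # Not in any accepted group: remove from mapped local groups and exit.
        # The local account itself (if any) is left in place.
        if user is not None:
            for lg in mapped_local:
                cat.groups.get(lg, set()).discard(user)
        return None

    if user is None:
        # No local account yet: create it and record the DN mapping.
        user = prefix + entity_id
        cat.users.add(user)
        cat.dn_map[dn] = user

    # Add the user to the local groups the accepted B2ACCESS groups map to.
    for g in accepted:
        cat.groups.setdefault(group_map[g], set()).add(user)
    return user


if __name__ == "__main__":
    cat = LocalCatalog()
    gmap = {"PRACE": "prace"}                        # constructed group map
    print(provision_on_login(cat, "/CN=xxx", "xxx", ["PRACE"], gmap), cat)
    print(provision_on_login(cat, "/CN=xxx", "xxx", [], gmap), cat)
```

The second call in the demo shows the case from the workflow's last step: the account and DN mapping survive, only the group membership is withdrawn.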
...
Demonstrator
The demo is available to users added to the test LDAP; to try it, please contact: jankowsk@man.poznan.pl
- Test B2ACCESS user console: https://b2access.eudat.psnc.pl:2443/home/home
- Test B2STAGE/iRODS site: eptest.eudat.psnc.pl
Demonstrator workflow
1. Group "PRACE" is empty on B2ACCESS and there is no user XXX in B2ACCESS.
2. User XXX cannot access the EUDAT resource at gsiftp://eptest.eudat.psnc.pl
3. There is no local user account.
4. Users with the attribute deisaUserProfile set to "EUDAT" are selected from the PRACE LDAP. The same selection is done by the prace_eudat_users_sync.py script, which synchronizes the PRACE LDAP and B2ACCESS. Normally the script is called periodically (e.g. hourly), but for the demo it may be run manually by the admin.
5. After the script run, user XXX appears in B2ACCESS and group "PRACE" contains the PRACE users.
6. User XXX can access the EUDAT resource at gsiftp://eptest.eudat.psnc.pl
7. Local user account provisioning and grid mapping are done automatically on user login.
8. The attribute deisaUserProfile with value "EUDAT" is removed from user XXX in the PRACE LDAP.
9. As a result of the prace_eudat_users_sync.py script run, the user is removed from the PRACE group in B2ACCESS (but not completely from the service).
10. User XXX cannot access the EUDAT resource at gsiftp://eptest.eudat.psnc.pl
11. The local account still exists, but the user is removed from the grid mapping.
Resources
...