Configuring User Access
Types of Users
The Grid Engine system has the following four categories of users:
- Managers – Managers have full capabilities to manipulate the Grid Engine system. By default, the superusers of the master host and of any machine that hosts a queue instance have manager privileges.
- Operators – Operators can perform many of the same commands as managers, except that operators cannot add, delete, or modify queues.
- Users – Users have certain access permissions, as described in Configuring Users, but users have no cluster or queue management capabilities.
Queue owners can be managers, operators, or users. Queue owners are restricted to suspending and resuming, or disabling and enabling, the queues that they own. These privileges are necessary for successful use of qidle. Users are commonly declared to be owners of the queue instances that reside on their desktop workstations. See How to Configure Owners Parameters for more information.
Configuring Manager Accounts
How to Configure Manager Accounts With QMON
- On the QMON Main Control window, click the User Configuration button.
The Manager tab appears, shown in the following figure, and lists all accounts that have administrative permission.
- To enable another user to manage the Grid Engine system, type the user name in the field above the manager account list.
Click Add or press the Return key.
- To delete a manager account, select it, and then click Delete.
Configuring Manager Accounts From the Command Line
To configure a manager account from the command line, type the following command with appropriate options:
The following options are available:
- qconf -am username – The -am option (add manager) adds one or more users to the list of Grid Engine system managers. By default, the root accounts of all trusted hosts are Grid Engine system managers. See About Hosts and Daemons for more information.
- qconf -dm username – The -dm option (delete manager) deletes the specified users from the list of Grid Engine system managers.
- qconf -sm – The -sm option (show managers) displays a list of all Grid Engine system managers.
Configuring Operator Accounts
How to Configure Operator Accounts With QMON
- On the QMON Main Control window, click the User Configuration button, and then click the Operator tab.
The Operator tab, similar to the Manager tab shown in the figure above, appears and lists all accounts that currently have restricted administrative permission. If an account also has manager access, manager access overrides operator access. See Configuring Manager Accounts With QMON.
- To add a new operator account, type its name in the field above the operator account list.
Click Add or press the Return key.
- To delete an operator account, select it, and then click Delete.
Configuring Operator Accounts From the Command Line
To configure an operator account from the command line, type the following command with appropriate options:
The following options are available:
- qconf -ao username – The -ao option (add operator) adds one or more users to the list of Grid Engine system operators.
- qconf -do username – The -do option (delete operator) deletes the specified users from the list of Grid Engine system operators.
- qconf -so – The -so option (show operators) displays a list of all Grid Engine system operators.
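Because manager and operator accounts can change the cluster itself, it is worth comparing the live lists with an approved baseline at regular intervals. The following script is an added example, not part of the original documentation: the account names are constructed, and it assumes that `qconf -sm` and `qconf -so` print one account name per line.

```shell
#!/bin/sh
# Added example: account names are constructed. On a live cluster, capture the
# lists with `qconf -sm` and `qconf -so` (assumed: one account name per line).

# Strip whitespace and blank lines, then sort for comm(1).
normalize() { printf '%s\n' "$1" | tr -d ' \t\r' | sed '/^$/d' | LC_ALL=C sort -u; }

# set_op MODE A B: MODE -23 prints names only in A, -12 prints names in both.
set_op() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize "$2" > "$a"
    normalize "$3" > "$b"
    LC_ALL=C comm "$1" "$a" "$b" | paste -s -d ' ' -
    rm -f "$a" "$b"
}

# Accounts holding a privilege that the approved baseline does not list.
unapproved() { set_op -23 "$1" "$2"; }

# Operators that are also managers: manager access overrides operator access,
# so the operator entry is redundant and worth cleaning up.
redundant_operators() { set_op -12 "$1" "$2"; }

# Constructed sample data standing in for `qconf -sm` / `qconf -so` output.
managers_now='root
sgeadmin
jdoe'
managers_approved='root
sgeadmin'
operators_now='ops1
sgeadmin'

echo "unapproved managers: $(unapproved "$managers_now" "$managers_approved")"
echo "redundant operators: $(redundant_operators "$operators_now" "$managers_now")"
```

On a real cluster, replace the sample variables with `"$(qconf -sm)"` and `"$(qconf -so)"`, and remove any unapproved account with `qconf -dm` or `qconf -do`.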
Configuring User Access Lists
Any user with a valid login ID on at least one submit host and one execution host can use the Grid Engine system. However, Grid Engine system managers can prohibit access for certain users to certain queues or to all queues. Furthermore, managers can restrict the use of facilities such as specific parallel environments. See Configuring Parallel Environments for more information.
To define access permissions, you must define user access lists, which are made up of named sets of users. In the Grid Engine system, these are referred to as usersets. You use user names and UNIX group names to define user access lists. The user access lists are then used either to deny or to allow access to a specific resource in any of the following configurations:
Usersets are also used to define Grid Engine system projects and departments. For details about projects, see Defining Projects.
How to Configure User Access Lists With QMON
- On the QMON Main Control window, click the User Configuration button, and then click the Userset tab.
The Userset tab appears as shown in the following figure.
In the Grid Engine system, a userset can be either an access list, a Department, or both. The check boxes below the Usersets list indicate the type of the selected userset. This section describes access lists. Departments are explained in Defining Usersets As Projects and Departments.
The Usersets list displays all available access lists. To display currently defined users and groups, select the userset.
Note: The names of groups are prefixed with an @ sign.
- To add, modify, or delete a userset, do the following:
- To add a new userset, click Add.
An Access List Definition dialog box appears, as shown in the figure below. The Users/Groups list displays all currently defined users and groups.
- To add a new access list definition, type the name of the access list in the Userset Name field and click Ok.
- To add a new user or group to the access list, type a user or group name in the User/Group field and then click Ok. Be sure to prefix group names with an @ sign.
- To delete a user or group from the Users/Groups list, select it and then click the trash icon.
- To modify an existing userset, select it, and then click Modify.
An Access List Definition dialog box appears with the name of the current userset in the Userset Name field.
- To delete a userset, select it, and then click Delete.
- To save your changes and close the dialog box, click OK.
Click Cancel to close the dialog box without saving changes.
- To close the User Configuration dialog box, click Done.
Configuring User Access Lists From the Command Line
To configure user access lists from the command line, type the following command with appropriate options:
The following options are available:
- qconf -au username [,...] access-list-name [,...] – The -au option (add user) adds one or more users to the specified access lists.
- qconf -Au filename – The -Au option (add user access list from file) uses a configuration file, filename, to add an access list.
- qconf -du username [,...] access-list-name [,...] – The -du option (delete user) deletes one or more users from the specified access lists.
- qconf -dul access-list-name [,...] – The -dul option (delete user list) completely removes userset lists.
- qconf -mu access-list-name – The -mu option (modify user access list) modifies the specified access lists.
- qconf -Mu filename – The -Mu option (modify user access list from file) uses a configuration file, filename, to modify the specified access lists.
- qconf -su access-list-name [,...] – The -su option (show user access list) displays the specified access lists.
- qconf -sul – The -sul option (show user access lists) displays all access lists currently defined.
Configuring Users
You must declare user names before you define the share-based, functional, or override policies for users. See Configuring Policy-Based Resource Management With QMON.
If you do not want to explicitly declare user names before you define policies, the Grid Engine system can automatically create users for you, based on predefined default values. The automatic creation of users can significantly reduce the administrative burden for sites with many users.
To have the system create users automatically, set the Enforce User parameter on the Cluster Settings dialog box to Auto. To set default values for automatically created users, specify values for the following Automatic User Defaults on the Cluster Settings dialog box:
- Override Tickets
- Functional Shares
- Default Project
- Delete Time
For more information about the cluster configuration, see Basic Cluster Configuration.
How to Configure User Objects With QMON
- On the QMON Main Control window, click the User Configuration button.
- Click the User tab.
The User tab appears as shown in the following figure:
- To add a new user, type a user name in the field above the User list, and then click Add or press the Return key.
To delete a user, select the user name in the User list, and then click Delete.
The Delete Time column is read-only. The column indicates the time at which automatically created users are to be deleted from the Grid Engine system. Zero indicates that the user will never be deleted.
- To assign a default project, select a user, and then click the Default Project column heading.
A Project Selection dialog box appears, as shown below. You can assign a default project to each user. The default project is attached to each job that users submit, unless those users request another project to which they have access.
Departments are used for the configuration of the functional policy and the override policy. Departments differ from access lists in that a user can be a member of only one department, whereas one user can be included in multiple access lists. For more details, see Configuring the Functional Policy and Configuring the Override Policy.
A Userset is identified as a department by the Department flag. A Userset can be defined as both a department and an access list at the same time. However, the restriction of only a single appearance by any user in any department applies.
- Select a project for the highlighted user entry.
- Click OK to assign the default project and close the dialog box.
Click Cancel to close the dialog box without assigning the default project.
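The rule that a user can belong to only one department, while appearing in any number of access lists, can be checked against userset definitions before they are loaded or after they are dumped with `qconf -su`. The following script is an added example, not part of the original documentation: the userset names and members are constructed, and the field layout (name, type, fshare, oticket, entries) is assumed to match `qconf -su` output.

```shell
#!/bin/sh
# Added example: userset names and members are constructed. The field layout
# (name, type, fshare, oticket, entries) is assumed to match `qconf -su` output.

# dept_conflicts TEXT: TEXT is one or more userset definitions concatenated.
# Prints "member:first_dept,second_dept" for every member found in more than
# one userset whose type includes DEPT. Plain access lists (ACL) are ignored,
# because a user may appear in any number of them.
dept_conflicts() {
    printf '%s\n' "$1" | awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continued lines
        { line = buf $0; buf = ""; n = split(line, f, /[ \t,]+/) }
        f[1] == "name"  { set = f[2]; dept = 0 }
        f[1] == "type"  { dept = (line ~ /DEPT/) }
        f[1] == "entries" && dept {
            for (i = 2; i <= n; i++) {
                if (f[i] == "" || f[i] == "NONE") continue
                if ((f[i] in seen) && seen[f[i]] != set)
                    print f[i] ":" seen[f[i]] "," set
                else
                    seen[f[i]] = set
            }
        }'
}

# Constructed sample: two departments and one plain access list.
usersets='name    dept_physics
type    ACL DEPT
fshare  0
oticket 0
entries alice,bob, \
        @physgrp
name    dept_chem
type    DEPT
fshare  0
oticket 0
entries carol,bob
name    night_queue_acl
type    ACL
fshare  0
oticket 0
entries bob,alice'

echo "department conflicts: $(dept_conflicts "$usersets")"
```

Group entries such as `@physgrp` are compared by name only; the script does not expand UNIX group membership.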
Configuring User Objects From the Command Line
To configure user objects from the command line, type the following command with appropriate options:
The following options are available:
- qconf -auser – The -auser option (add user) opens a template user configuration in an editor. See the user(5) man page. The editor is either the default vi editor or the editor specified by the EDITOR environment variable. After you save your changes and exit the editor, the changes are registered with sge_qmaster.
- qconf -Auser filename – The -Auser option (add user from file) parses the specified file and adds the user configuration. The file must have the format of the user configuration template.
- qconf -duser username [,...] – The -duser option (delete user) deletes one or more user objects.
- qconf -muser username – The -muser option (modify user) enables you to modify an existing user entry. The option loads the user configuration in an editor. The editor is either the default vi editor or the editor specified by the EDITOR environment variable. After you save your changes and exit the editor, the changes are registered with sge_qmaster.
- qconf -Muser filename – The -Muser option (modify user from file) parses the specified file and modifies the user configuration. The file must have the format of the user configuration template.
- qconf -suser username – The -suser option (show user) displays the configuration of the specified user.
- qconf -suserl – The -suserl option (show user list) displays a list of all currently defined users.