Difference between revisions of "Managing ETH groups"

From ScientificComputing
(Managing groups)
Line 39: Line 39:
 
Please contact us if you have any questions regarding using [[NETHZ]] and/or LDAPS groups with our HPC clusters.
 
Please contact us if you have any questions regarding using [[NETHZ]] and/or LDAPS groups with our HPC clusters.
  
== Shares ==
+
===Defining share membership===
 
 
=== Defining share membership ===
 
 
 
 
By default only members of your LZ (''Leitzahl'') group are members of your share. You can manage membership in your shareholder group using LDAPS groups exported from NETHZ. Any number of LDAPS groups can be associated with your share. In addition, individual users can be added to the share or blocked from the share.
 
By default only members of your LZ (''Leitzahl'') group are members of your share. You can manage membership in your shareholder group using LDAPS groups exported from NETHZ. Any number of LDAPS groups can be associated with your share. In addition, individual users can be added to the share or blocked from the share.
  
=== New and parting users ===
+
===New and parting users===
 
 
 
New members of the specified LDAPS group(s) will be automatically associated with your share while members who lose membership in the specified LDAPS groups are removed from your shareholder group. By default users are removed after 1 month, though can be changed upon request. These individual changes to the shareholder groups are ''only'' for share management and not file permission management.
 
New members of the specified LDAPS group(s) will be automatically associated with your share while members who lose membership in the specified LDAPS groups are removed from your shareholder group. By default users are removed after 1 month, though can be changed upon request. These individual changes to the shareholder groups are ''only'' for share management and not file permission management.
  
=== Delegating management ===
+
===Delegating management===
 
 
 
You can also name one or more people to be the share manager. This person is then generally our contact person regarding the share and, more importantly, has authority to request or confirm changes to the share. In addition a manager also gets the monthly accounting report for the share. You can also request that a user receives the monthly accounting report but no anagement authority.
 
You can also name one or more people to be the share manager. This person is then generally our contact person regarding the share and, more importantly, has authority to request or confirm changes to the share. In addition a manager also gets the monthly accounting report for the share. You can also request that a user receives the monthly accounting report but no anagement authority.
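
Review bot: the "Delegating management" paragraph is carried over unchanged on both sides with the typo "no anagement authority"; since this revision already edits that section's heading, correct it to "no management authority" in the same change. The "New and parting users" paragraph likewise keeps "though can be changed upon request", which is missing its subject ("though this can be changed upon request").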

Revision as of 06:29, 31 August 2016

Managing groups

Using NETHZ groups for user management is the recommended practice on our HPC clusters. A NETHZ group exported to LDAPS can be used to manage file permissions as well as user membership in a shareholder group. A common scenario is a group DEPT-ISG-GROUP that includes all members in the group's Leitzahl as well as semester students and visiting guests.

Managing NETHZ groups for use on our HPC clusters

Our cluster can make use of NETHZ groups. As an ISG you can define a group in the NETHZ admin tool (main screen→Admin Tasks→Gruppen verwalten) and export it to LDAPS. Don't forget to click on the aktualisieren link after updating the group!

Keep the following points in mind:

LDAPS and AD groups: For consistency it is recommended to export the group to AD (Active Directory) as well.
Syncing changes: Don't forget to click on the aktualisieren link after making changes.
Changing group names: Avoid changing the name of any NETHZ group.
LDAPS hierarchy: An ISG-defined group will be in the ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch subtree of LDAPS.

We can only use groups from the

ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch

subtree in LDAPS. That is the only way that we can provide service to and use services from the whole of ETH yet guarantee there are no collisions among group names or ids. From these, we only use the lz and custom NETHZ subtrees:

ou=lz,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch

and

ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch

Please contact us if you have any questions regarding using NETHZ and/or LDAPS groups with our HPC clusters.
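
Added example (not part of the original wiki page or of the cluster's own tooling): a Python check that a group DN lies strictly below one of the two subtrees named above, comparing RDN by RDN instead of by string suffix so that case, spacing and escaped commas cannot produce a false match. The `cn=` naming attribute, the `ou=realm` subtree and all sample DNs are constructed for illustration.

```python
# Subtrees the page names as the only ones the cluster uses.
ALLOWED_BASES = (
    "ou=lz,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch",
    "ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch",
)

def split_rdns(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    parts, current, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(current)
            current = ""
            continue
        current += ch
        escaped = (ch == "\\") and not escaped
    parts.append(current)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        # Assumption: these attributes compare case-insensitively.
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def usable_subtree(group_dn):
    """Return the allowed base a group DN sits strictly below, else None."""
    try:
        rdns = split_rdns(group_dn)
    except ValueError:
        return None
    for base in ALLOWED_BASES:
        base_rdns = split_rdns(base)
        if len(rdns) > len(base_rdns) and rdns[-len(base_rdns):] == base_rdns:
            return base
    return None

# Constructed sample DNs; the cn= naming attribute is an assumption.
SAMPLES = [
    "cn=DEPT-ISG-GROUP,ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch",
    "CN=dept-isg-group, OU=Custom, OU=Groups, OU=NETHZ, OU=id, OU=auth, O=ethz, C=ch",
    "cn=example,ou=realm,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch",
    "cn=a\\,ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch",
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(f"{dn!r:85} -> {usable_subtree(dn)}")
```

The last sample ends with the text of the custom base but has only seven RDNs, the first containing an escaped comma, so a plain suffix comparison would accept it while the RDN comparison rejects it.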

Defining share membership

By default only members of your LZ (Leitzahl) group are members of your share. You can manage membership in your shareholder group using LDAPS groups exported from NETHZ. Any number of LDAPS groups can be associated with your share. In addition, individual users can be added to the share or blocked from the share.

New and parting users

New members of the specified LDAPS group(s) will be automatically associated with your share, while members who lose membership in the specified LDAPS groups are removed from your shareholder group. By default users are removed after 1 month, though this can be changed upon request. These individual changes to the shareholder groups are only for share management and not file permission management.

Delegating management

You can also name one or more people to be the share manager. This person is then generally our contact person regarding the share and, more importantly, has authority to request or confirm changes to the share. In addition, a manager also gets the monthly accounting report for the share. You can also request that a user receives the monthly accounting report but no management authority.