Thursday, 13 May 2010

A rough guide to the User Account Service

The original plan when writing this post was to describe the research and development work being done around the NGS's User Account System - one of the less exciting, but rather important - services that we provide.

As it was being written, it became clear that, before any of the R+D work was mentioned, we first needed to explain what the User Account System is and how it ties in with the other services we provide.

To use the NGS you need both a certificate and an NGS account tied to that certificate.

We are only too aware that this distinction is confusing to new users.

The certificate identifies you to the grid world. Your account ensures that - at the very least - the NGS's part of the grid world will welcome you when you arrive.

The certificate says who you are, the account says what you can do and what you have done in the past. Your account links the distinguished name from your certificate to - among other things - the amount of CPU time you have requested and the amount of CPU time you have used.

The accounts are held in a database - held at STFC and replicated at Manchester for safety - but NGS partner sites should seldom need to access the database directly. Instead, the information from the database is used to maintain a virtual organisation (VO) called ''.

All active accounts are automatically associated with this virtual organisation using the NGS virtual organisation membership server at Manchester.

NGS partner sites typically pull the list of distinguished names from this server at regular intervals and use it to populate the local grid-mapfile file - the list of recognised users.

You can also use the voms-proxy-init tool to contact the VOMS service and get a 'VOMS assertion' that certifies you are a bona-fide, 100% genuine NGS account holder to anyone who needs to know.

At regular intervals, partner sites send the information about how much CPU time was used by each account holder back to us, where it is used to update the CPU usage recorded in your account.

If you overrun your CPU quota, your account will be locked and your details removed from the VO - but not from the database - until you reapply for more resources.
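The following added example, which is not NGS code, shows the kind of refresh a partner site performs when it rebuilds its grid-mapfile from the VO member list, including what happens to a DN that has been removed from the VO. It assumes pool accounts named `ngsNNNN` and uses constructed DNs; how the DN list is fetched from the membership server is left out.

```python
import shlex

# Constructed sample data: every DN and account name here is hypothetical.
OLD_GRIDMAP = '''# grid-mapfile before the refresh
"/C=UK/O=eScience/OU=Example/CN=alice example" ngs0001
"/C=UK/O=eScience/OU=Example/CN=bob example" ngs0002
"/C=UK/O=eScience/OU=Example/CN=site admin" localadm
'''
VO_MEMBERS = ["/C=UK/O=eScience/OU=Example/CN=alice example",
              "/C=UK/O=eScience/OU=Example/CN=carol example"]

def parse_gridmap(text):
    """Parse '"<DN>" <local account>' lines into {dn: account}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = shlex.split(line)  # the DN is quoted because it contains spaces
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        entries[parts[0]] = parts[1]
    return entries

def refresh(old, members, prefix="ngs"):
    """Return (new_map, removed_dns) after syncing VO-managed entries."""
    members = [dn.strip() for dn in members if dn.strip()]
    if not members:
        # An empty pull is far more likely a failed fetch than an empty VO.
        raise RuntimeError("empty member list, keeping the existing file")
    for dn in members:
        if not dn.startswith("/") or '"' in dn or "\n" in dn:
            raise ValueError(f"refusing DN that could forge a mapping: {dn!r}")
    managed = lambda acct: acct.startswith(prefix) and acct[len(prefix):].isdigit()
    # Locally managed entries are kept; VO-managed ones survive only if still members.
    new = {dn: a for dn, a in old.items() if not managed(a) or dn in members}
    removed = sorted(dn for dn in old if dn not in new)
    # Never hand a departed user's account (and its files) to someone else:
    # allocate above the highest number seen, including removed entries.
    top = max([int(a[len(prefix):]) for a in old.values() if managed(a)] or [0])
    for dn in members:
        if dn not in new:
            top += 1
            new[dn] = f"{prefix}{top:04d}"
    return new, removed

def render(entries):
    """Serialise back to grid-mapfile text, one quoted DN per line."""
    return "".join(f'"{dn}" {acct}\n' for dn, acct in sorted(entries.items()))
```

A DN dropped from the VO loses its mapping on the next refresh, while an empty or malformed member list leaves the existing file untouched instead of locking everyone out or admitting a forged entry.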

Among the R+D projects running at the moment are ones to:

  • Manage access rights to applications such as CASTEP and AMBER from within the account service. The idea is to map such access rights onto VO groups within a virtual organisation.
  • Investigate how to incorporate usage data from other accounting systems such as EGEE APEL or sites using GridSAFE.

Both these projects will - hopefully - be described in future postings. In the meantime, you can view the current state of your account by visiting

from a web browser with a copy of your certificate installed.
