GridSite Admin Guide

GridSite is a set of website management tools developed by GridPP and used for www.gridpp.ac.uk. This page explains how to use GridSite to manage other people's access to parts of the site, especially people's write access to areas devoted to specific subprojects. For the GridPP-specific details of how to add a new member to the site, see the Adding a new GridPP member page.

Before tackling this Guide, please read the User Guide, which explains how to authenticate to the website and how files and pages can be modified by people with the right permissions.

Groups and DN Lists

GridSite defines groups of people using plain text DN Lists, that is, lists of people's certificate DNs (one DN per line). Each DN List has a URL which uniquely identifies the list (and may also allow other sites to obtain the list and use it themselves.) For example, the list of all GridPP members is https://www.gridpp.ac.uk/dn-lists/gridpp (note that it's https:// rather than http://: a site that downloads the list can check the certificate presented by www.gridpp.ac.uk, so it knows it is talking to the authoritative source of the list and that the list has not been altered in transit.)

The gridpp list is unusual in that a program outside of the GridSite system constructs it by adding together the member lists for all of the GridPP institutes every hour. These lists are shown separately on the GridPP Contacts page.

If you are or should be the contact person for your institute (for example, if you're the systems manager or local Grid expert) you can get write access to your institute's list. This means you can add new people, remove people as they leave and change certificate names if necessary. (Please contact webmaster@gridpp.ac.uk to get yourself added. You need to specify your certificate name in your email.)

The GridPP Contacts page also shows lists for major experiments. The administration of these lists can also be delegated. (Again, please contact webmaster@gridpp.ac.uk to get yourself added. You need to specify your certificate name in your email.)

The system also has a number of other DN Lists which are associated with specific areas of the website. There is a full list at https://www.gridpp.ac.uk/dn-lists/

If you have permission to modify a DN List, you can start changing it by going to https://www.gridpp.ac.uk/dn-lists/, using the "Manage directory" button and finding the URL of your DN List in the listings. You will probably need to go down into your subdirectory to find your list. For example, https://www.gridpp.ac.uk/dn-lists/atlas is in the atlas subdirectory of /dn-lists/ (You may wish to bookmark the listing of your directory.)

DN List directories are managed by the ACLs described in the next section. If you have write permission in a directory, you can edit the lists already there and add new lists under the same URL prefix (this means you can readily create your own subgroups.)

Access Control Lists

DN Lists appear in the Grid Access Control Lists (GACL) used by GridSite. These are stored as .gacl files in directories: if the .gacl file is present, it governs access to the directory; if it is absent, then the parent directories are searched upwards until a .gacl is found. The nearest .gacl wins: a subdirectory's own file replaces its parent's rather than adding to it, so permissions granted higher up do not carry down once a subdirectory has its own .gacl.

The GridSite GACL Reference explains the XML format of these files, but they can be edited using the ACL editor built into the GridSite system by people who have the Admin permission within the ACL.

If you have this permission in a given directory, when you view directory listings or files in that directory you will see the option "Manage Directory" in the page footer. This allows you to get a listing of the directory and the .gacl file will appear at the top if it's present. If not, then there will be a button to create a new .gacl file with the same permissions as have been inherited by that directory from its parent.

GACL allows quite complex conditions to be imposed on access, but normally you can think of an ACL as being composed of a number of entries, each of which contains one condition (the required credential) and a set of allowed and denied permissions.

Credentials can be an individual user's certificate name or a whole group of certificate names if a DN List is given. (You can also specify hostname patterns using Unix shell wildcards (e.g. *.ac.uk) or EDG VOMS attribute certificates.)

Permissions can be Admin (edit the ACL), Write (create, modify or delete files), List (browse the directory) or Read (read files.) Permissions can be allowed or denied, and a denial takes precedence: if any entry matching the user denies a permission, that permission is withheld even if another entry allows it. Whether a Deny affects one user or a whole group depends on the credential type associated with it (a person's certificate name or a DN List.)
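The following is an added example, not GridSite's own code, showing how the rules in the two sections above combine: a DN List is parsed one DN per line, the .gacl governing a directory is found by searching upwards, and an entry's credential grants its allowed permissions while a permission denied by any matching entry is withheld. The element names follow the GACL XML format (gacl, entry, person/dn, dn-list/url, dns/hostname, any-user, allow, deny, read/list/write/admin); the DNs, list URLs, directory paths and .gacl contents are all constructed for the example, and VOMS credentials are not modelled.

```python
"""Simplified model of GridSite GACL evaluation (added example, not GridSite code)."""
import fnmatch
import posixpath
import xml.etree.ElementTree as ET

PERMISSIONS = ("read", "list", "write", "admin")

# Constructed DN Lists, keyed by the URL that identifies each list. GridSite
# fetches these over https:// so that the server certificate can be checked.
DN_LISTS = {
    "https://www.gridpp.ac.uk/dn-lists/gridpp": (
        "/C=UK/O=eScience/OU=Example/CN=alice example\n"
        "/C=UK/O=eScience/OU=Example/CN=bob example\n"
    ),
    "https://www.gridpp.ac.uk/dn-lists/atlas": (
        "/C=UK/O=eScience/OU=Example/CN=bob example\n"
        "/C=UK/O=eScience/OU=Example/CN=carol example\n"
    ),
}

# Constructed .gacl files, keyed by the directory each one sits in.
GACL_FILES = {
    "/": """<gacl version="0.0.1">
  <entry><any-user/><allow><read/></allow></entry>
  <entry>
    <dn-list><url>https://www.gridpp.ac.uk/dn-lists/gridpp</url></dn-list>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Example/CN=alice example</dn></person>
    <allow><read/><list/><write/><admin/></allow>
  </entry>
</gacl>""",
    "/atlas/": """<gacl version="0.0.1">
  <entry><any-user/><allow><read/></allow></entry>
  <entry>
    <dn-list><url>https://www.gridpp.ac.uk/dn-lists/atlas</url></dn-list>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <dns><hostname>*.ac.uk</hostname></dns>
    <allow><list/></allow>
  </entry>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Example/CN=carol example</dn></person>
    <deny><write/></deny>
  </entry>
</gacl>""",
}


def load_dn_list(url):
    """Parse a plain-text DN List: one DN per line, blank lines ignored."""
    text = DN_LISTS.get(url, "")
    return {line.strip() for line in text.splitlines() if line.strip()}


def find_gacl(directory):
    """Return (directory, xml) for the nearest .gacl at or above `directory`."""
    directory = directory if directory.endswith("/") else directory + "/"
    while True:
        if directory in GACL_FILES:
            return directory, GACL_FILES[directory]
        if directory == "/":
            return None, None          # nothing found all the way up
        parent = posixpath.dirname(directory.rstrip("/"))
        directory = parent if parent.endswith("/") else parent + "/"


def credential_matches(cred, user_dn, client_host):
    """Does one credential element match the requesting user/host?"""
    if cred.tag == "any-user":
        return True
    if cred.tag == "person":
        return user_dn is not None and cred.findtext("dn", "").strip() == user_dn
    if cred.tag == "dn-list":
        url = cred.findtext("url", "").strip()
        return user_dn is not None and user_dn in load_dn_list(url)
    if cred.tag == "dns":
        pattern = cred.findtext("hostname", "").strip()
        return client_host is not None and fnmatch.fnmatchcase(client_host, pattern)
    return False                        # e.g. <voms>: not modelled here


def permissions(gacl_xml, user_dn=None, client_host=None):
    """Union of allows from matching entries, minus anything any entry denies."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(gacl_xml).findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not creds or not all(credential_matches(c, user_dn, client_host) for c in creds):
            continue
        for block in entry.findall("allow"):
            allowed.update(p.tag for p in block if p.tag in PERMISSIONS)
        for block in entry.findall("deny"):
            denied.update(p.tag for p in block if p.tag in PERMISSIONS)
    return frozenset(allowed - denied)


def permissions_for(directory, user_dn=None, client_host=None):
    """Permissions a user has in `directory`, honouring .gacl inheritance."""
    _, gacl_xml = find_gacl(directory)
    return permissions(gacl_xml, user_dn, client_host) if gacl_xml else frozenset()


if __name__ == "__main__":
    carol = "/C=UK/O=eScience/OU=Example/CN=carol example"
    print(sorted(permissions_for("/atlas/", carol)))   # deny removes write
```

Two things worth noticing when running it: Alice has Admin at the top level but only Read under /atlas/, because that directory's own .gacl replaces the parent's; and Carol is on the atlas DN List, which allows Write, yet the Deny entry naming her certificate still removes it.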


Last modified Wed 2 June 2004. Built with GridSite 1.4.3
For more about GridPP please contact Neasan O'Neill