out of the hpssGECOS field, it does not exist in UNIX. It only exists in LDAP.

The metadata for each file and directory in an HPSS system contains an Account field, which determines how the storage will be charged. Each user has at least one default account index, which is put into the Account field of all new files and directories.

When using UNIX-style accounting, the account index is the user's UID. When the user's UID is combined with the user's Realm Id, a unique Account is created.

When using Site-style accounting, each user may have more than one account index, and may switch among them at runtime.

Each site must decide whether it wishes to validate Accounts. However, when using UNIX-style accounting no authorization checking need be done since the account is always the user's UID.

If Account Validation is enabled, additional authorization checks are performed when the following events occur: when files and directories are created, when their ownership is changed, when their account index is changed, or when a user attempts to use an account index other than their default. If the authorization check fails, the operation fails with a permission error.

Using Account Validation is highly recommended for sites that will be accessing remote HPSS systems. The use of Account Validation will help keep account indexes consistent. If remote sites are not being accessed, Account Validation is still recommended as a mechanism to keep consistent accounting information.

If UNIX-style accounting is used, at least one Gatekeeper must be configured.

For Site-style accounting, an Account Validation metadata file must be created, populated and maintained with valid user account indexes. See the Account Validation Editor (hpss_avaledit) manual page for details on the use of the Account Validation Editor.

If the Require Default Account field is enabled when using Site-style accounting and Account Validation, users are required to have valid default account indexes before performing almost any client API action. If the Require Default Account field is disabled (which is the default behavior) users will only be required to have a valid account set when performing an operation which requires an account to be validated such as a create, an account change operation, or an ownership change operation.

When using Site-style accounting with Account Validation, if the Account Inheritance field is enabled, newly created files and directories will automatically inherit their account index from their parent directory. The account indexes can then be changed explicitly by users. This is useful when individual users have not had default accounts set up for them or if entire directory trees need to be charged to the same account. When Account Inheritance is disabled (which is the default) newly created files and directories will obtain their account from the user's current session account, which is initially set to the user's default account index. This default account index may be changed by the user during the session.
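The decision rules in the preceding paragraphs, modelled as an added Python example (not HPSS code and not taken from the guide). The class, field and function names are hypothetical, `valid_accts` stands in for the Account Validation metadata, and the model assumes an inherited index is taken from the parent directory without a per-user check, which the guide does not state either way.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Policy:  # hypothetical names for the settings named in the text
    site_style: bool
    account_validation: bool = False       # disabled (bypassed) by default
    require_default_account: bool = False  # disabled by default
    account_inheritance: bool = False      # disabled by default

@dataclass
class User:
    uid: int
    default_acct: Optional[int] = None
    valid_accts: Set[int] = field(default_factory=set)  # stand-in for validation metadata
    session_acct: Optional[int] = None

    def current(self) -> Optional[int]:
        # The session account is initially the user's default account index.
        return self.session_acct if self.session_acct is not None else self.default_acct

def _check(user: User, acct: Optional[int]) -> int:
    # A failed authorization check fails the operation with a permission error.
    if acct is None or acct not in user.valid_accts:
        raise PermissionError(f"uid {user.uid}: account index {acct!r} not authorized")
    return acct

def switch_account(policy: Policy, user: User, acct: int) -> None:
    """Using an account index other than the default is a validated event."""
    if policy.account_validation:
        _check(user, acct)
    user.session_acct = acct

def account_for_create(policy: Policy, user: User, parent_acct: int) -> int:
    """Return the account index a newly created file or directory is charged to."""
    if not policy.site_style:
        return user.uid  # UNIX-style: always the UID, nothing to authorize
    if not policy.account_validation:
        raise NotImplementedError("Site-style without validation is outside this model")
    if policy.require_default_account:
        _check(user, user.default_acct)  # needed before almost any client API action
    if policy.account_inheritance:
        return parent_acct  # assumption: inherited index is not re-checked per user
    return _check(user, user.current())
```
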

A site may decide to customize the way they do accounting. In most cases these sites should enable Account Validation with Site-style accounting and then implement their own site policy module which will be linked with the Gatekeeper. See Section 3.7.3: Gatekeeper on page 84 as well as the appropriate sections of the HPSS Programmers Reference for more information.

By default Account Validation is disabled (bypassed). If it is disabled, the style of accounting is determined by looking up each user's hpssGECOS account information in the authorization registry. The following instructions describe how to set up users in this case.

If users have their default account index encoded in a string of the form AA=<default-acct-idx> in

HPSS Installation Guide

July 2008

Release 6.2 (Revision 2.0)
