Difference between revisions of "Access control for CASTOR storage elements"
(11 intermediate revisions by the same user not shown) | |||
Line 10: | Line 10: | ||
VO: | VO: | ||
12983000000 1003000000 n.a srm-dteam.gridpp.rl.ac.uk | 12983000000 1003000000 n.a srm-dteam.gridpp.rl.ac.uk | ||
+ | |||
+ | '''Note #1''' before using the <tt>srm*</tt> commands make sure that the SRM client is at least '''2.1.0''' as otherwise most, if not all, <tt>srm*</tt> commands will fail: | ||
+ | $ srmping -version | ||
+ | Storage Resource Manager (SRM) Client version 2.1.0 | ||
+ | Copyright (c) 2002-2008 Fermi National Accelerator Laborator | ||
+ | '''Note #2''' The glite 3.2 UI up to version 3.2.4 contains an '''older''' (actually, '''too old''' !) version of the srm-client than the glite 3.1 UI ! | ||
You can use the <tt>srmping</tt> command to get some basic information about a storage system | You can use the <tt>srmping</tt> command to get some basic information about a storage system | ||
Line 110: | Line 116: | ||
In this section we explain how to modify the SRM-level permissions. The LFC-level permissions are explained | In this section we explain how to modify the SRM-level permissions. The LFC-level permissions are explained | ||
in [[Access control for the LFC]]. | in [[Access control for the LFC]]. | ||
− | |||
− | |||
$ srm-get-permissions $SRM/myfile | $ srm-get-permissions $SRM/myfile | ||
− | + | # file : srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/dteam/disk0tape0/janjust/myfile | |
− | + | # owner : dteam001 | |
− | + | owner:dteam001:RWX | |
− | + | user:dteam001:RWX | |
− | + | group:dteam:RWX | |
− | + | other:RW | |
− | |||
− | |||
− | # | ||
− | |||
− | |||
− | user:: | ||
− | |||
− | |||
− | group: | ||
− | |||
− | other: | ||
− | |||
− | |||
− | |||
− | |||
− | |||
Just for the fun of it, let's list a file which we did not create ourselves: | Just for the fun of it, let's list a file which we did not create ourselves: | ||
− | $ | + | $ srm-get-permissions srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/atlas/atlasTest/nopolicy2 |
− | # file: / | + | # file : srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/atlas/atlasTest/nopolicy2 |
− | + | # owner : gtf | |
− | # | + | owner:gtf:RW |
− | + | user:gtf:RW | |
− | + | group:sysgroup:R | |
− | + | other:R | |
− | group: | ||
− | |||
− | other: | ||
− | |||
When you compare it to dCache (see [[Access control for dCache storage elements]]) this looks more like "regular" | When you compare it to dCache (see [[Access control for dCache storage elements]]) this looks more like "regular" | ||
UNIX permissions: | UNIX permissions: | ||
* the file is owned by a single user | * the file is owned by a single user | ||
* there are 'group' and 'other' permissions | * there are 'group' and 'other' permissions | ||
− | but | + | but there are subtle differences! |
− | |||
We will have to keep this in mind when we want to limit access to our files. | We will have to keep this in mind when we want to limit access to our files. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
= Modifying the permissions = | = Modifying the permissions = | ||
− | + | Use | |
+ | srm-set-permissions -h | ||
+ | to get a list of options for this command. | ||
+ | $ srm-set-permissions -type=CHANGE -group=NONE -other=NONE $SRM/myfile | ||
+ | Return code: SRM_INVALID_REQUEST | ||
+ | Explanation: Group 500 does not exist | ||
+ | Don't you just love these kind of error messages? | ||
+ | Some experimentation shows that the <tt>-group=NONE</tt> part is wreaking havoc: | ||
+ | $ srm-set-permissions -type=CHANGE -other=NONE $SRM/myfile | ||
+ | returns no errors, but ... | ||
+ | $ srm-get-permissions $SRM/myfile | ||
+ | # file : srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/dteam/disk0tape0/janjust/myfile | ||
+ | # owner : dteam001 | ||
+ | owner:dteam001:RWX | ||
+ | user:dteam001:RWX | ||
+ | group:dteam:RW | ||
+ | other:R # <------------- !!!!! | ||
+ | it also did not do what we expected: the <tt>other</tt> permissions are still '''R''' but we requested 'NONE'. | ||
− | + | There are other ways of using <tt>srm-set-permissions</tt>. Let's see what that gives: | |
− | $ | + | $ srm-set-permissions -type=REMOVE -group=RWX $SRM/myfile |
− | + | Return code: SRM_INVALID_REQUEST | |
− | + | Explanation: Group 500 does not exist | |
− | + | No change. Next: | |
− | + | $ srm-set-permissions -type=REMOVE -other=RWX $SRM/myfile | |
− | + | Ah, that command did work: the intention of this command was to remove the permissions <tt>RWX</tt> for the <tt>other</tt> group. Let's see what the permissions are now: | |
− | + | $ srm-get-permissions $SRM/myfile | |
− | + | # file : srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/dteam/disk0tape0/janjust/myfile | |
− | + | # owner : dteam001 | |
− | + | owner:dteam001:NONE | |
− | + | user:dteam001:NONE | |
+ | group:dteam:NONE | ||
+ | other:NONE | ||
+ | Now '''ALL''' permissions are gone ?!?!?!? | ||
+ | This just keeps getting better and better, doesn't it ;-) ? | ||
= Verifying access control = | = Verifying access control = | ||
As the original user: | As the original user: | ||
− | $ | + | $ srm-get-permissions $SRM/myfile |
− | # file: / | + | # file : srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/dteam/disk0tape0/janjust/myfile |
− | # owner: | + | # owner : dteam001 |
− | + | owner:dteam001:NONE | |
− | user:: | + | user:dteam001:NONE |
− | group:: | + | group:dteam:NONE |
− | + | other:NONE | |
− | + | Let's try to read it: | |
− | + | $ lcg-cp $SRM/myfile file://$PWD/blah | |
− | + | globus_ftp_client: the server responded with an error | |
+ | 500 Command failed. : open error: Permission denied | ||
+ | |||
+ | lcg_cp: Permission denied | ||
+ | Well, at least the permissions are consistent with the <tt>lcg-cp</tt> command. | ||
− | + | Let's give access back to the owner: | |
+ | $ srm-set-permissions -type=ADD -owner=RWX $SRM/myfile | ||
+ | And try again: | ||
+ | $ srm-get-permissions $SRM/myfile | ||
+ | # file : srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/dteam/disk0tape0/janjust/myfile | ||
+ | # owner : dteam001 | ||
+ | owner:dteam001:RWX | ||
+ | user:dteam001:RWX | ||
+ | group:dteam:NONE | ||
+ | other:NONE | ||
+ | |||
+ | $ lcg-cp $SRM/myfile file://$PWD/blah | ||
+ | $ ls -al blah | ||
+ | -rw-r--r-- 1 janjust datagrid 8508 Aug 20 16:49 blah | ||
+ | so at least we can copy the file again. | ||
Now if we switch to another VO: | Now if we switch to another VO: | ||
− | $ voms-proxy-init --voms | + | $ voms-proxy-init --voms pvier |
Enter GRID pass phrase: | Enter GRID pass phrase: | ||
Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser | Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser | ||
− | Creating temporary proxy .......................................... Done | + | Creating temporary proxy ........................................................ Done |
− | Contacting voms.grid.sara.nl: | + | Contacting voms.grid.sara.nl:30000 [/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl] "pvier" Done |
− | Creating proxy ............................. Done | + | Creating proxy ........................................................... Done |
− | Your proxy is valid until | + | Your proxy is valid until Fri Aug 21 05:18:15 2009 |
and then try to copy the file | and then try to copy the file | ||
− | $ | + | $ lcg-cp $SRM/myfile file://$PWD/blah |
− | we get '''NO''' error message | + | we get '''NO''' error message. |
− | |||
− | |||
− | ' | + | Let's create a VO-less proxy and try again: |
− | + | $ grid-proxy-init -old | |
+ | Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser | ||
+ | Enter GRID pass phrase for this identity: | ||
+ | Creating proxy ....................................................... Done | ||
+ | Your proxy is valid until: Fri Aug 21 05:22:13 2009 | ||
+ | |||
+ | $ voms-proxy-info -all | ||
+ | WARNING: Unable to verify signature! Server certificate possibly not installed. | ||
+ | Error: VOMS extension not found! | ||
+ | subject : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=proxy | ||
+ | issuer : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser | ||
+ | identity : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser | ||
+ | type : proxy | ||
+ | strength : 512 bits | ||
+ | path : /tmp/x509up_u7651 | ||
+ | timeleft : 11:59:59 | ||
+ | |||
+ | $ lcg-cp $SRM/myfile file://$PWD/blah | ||
+ | And again, we get '''NO''' error message. | ||
− | + | Next we ask a colleague to try it as well and he also gets '''NO''' error message !! | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | Some investigation shows that the gridmap-file on the CASTOR nodes maps all users for a particular VO to a single userid | |
+ | <tt>dteam001</tt>. So even though the group permissions are now gone anybody who is mapped to this userid can read/write/delete | ||
+ | my files. | ||
− | + | = Conclusion = | |
− | + | Access control in CASTOR is not very well implemented: | |
− | + | * The <tt>srm-{get,set}-permissions</tt> commands do work but not in a comprehensible manner. | |
− | + | * The fact that multiple users, regardless of the VOMS-extensions in their proxies, are mapped to a single userid makes access control useless. | |
− | |||
− | |||
− | |||
− | |||
− |
Latest revision as of 16:01, 9 December 2009
This page is part of an investigation on How to control access rights for LFC/SRM files .
Note: CASTOR is currently not being used in the Netherlands. It is included in this investigation for the sake of completeness. Also, as there are no Dutch CASTOR systems we cannot use proxies for the Dutch VOs that were used for the other storage elements. For CASTOR we will use a dteam proxy.
Finding out which storage systems are available
There are only a few CASTOR storage systems in use within EGEE. A Google search came up with one that is accessible for the dteam VO:
12983000000 1003000000 n.a srm-dteam.gridpp.rl.ac.uk
Note #1 before using the srm* commands make sure that the SRM client is at least 2.1.0 as otherwise most, if not all, srm* commands will fail:
$ srmping -version Storage Resource Manager (SRM) Client version 2.1.0 Copyright (c) 2002-2008 Fermi National Accelerator Laborator
Note #2 The glite 3.2 UI up to version 3.2.4 contains an older (actually, too old !) version of the srm-client than the glite 3.1 UI !
You can use the srmping command to get some basic information about a storage system
$ srmping -2 srm://srm-dteam.gridpp.rl.ac.uk/ VersionInfo : v2.2 SRM version:v2_7_15 backend_type:CASTOR backend_version:2.1.7 Nb of active CASTOR threads:0
So host srm-dteam.gridpp.rl.ac.uk is a SRMv2.2 compliant storage system based on CASTOR.
Finding out how storage is organized
You can use the srmls command to figure out how the storage is organized:
$ srmls -l srm://srm-dteam.gridpp.rl.ac.uk/ srm client error: java.lang.Exception: Return status: - Status code: SRM_FAILURE - Explanation: Failed for all paths
It seems that CASTOR does not allow the listing of arbitary remote directories. By looking at a file that was previously stored on this host (using lcg-lr) we guess that the directory structure starts with the prefix:
/castor/ads.rl.ac.uk/test/dteam/disk0tape0
However, an srmls on this directory returns:
srm client error: java.lang.Exception: Return status: - Status code: SRM_TOO_MANY_RESULTS - Explanation:
but we can list the generated directory:
$ srmls srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-01-23/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-01-26/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-03-06/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-03-16/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-03-18/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-04-30/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-05-01/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-05-07/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-05-14/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-05-29/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-06-11/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-06-12/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-06-19/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-06-23/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-06-24/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-13/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-15/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-16/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-20/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-21/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-22/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-23/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-24/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-25/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-26/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-27/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-28/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-29/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-07-31/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-08-04/ /castor/ads.rl.ac.uk/test/dteam/disk0tape0/generated/2009-08-20/
Creating your own directory in SRM-space
Before we copy a file to the CASTOR SRM we first create our own directory. If we do not do this then SRM will store the files in generated directories, over which we have little or no control.
srmmkdir srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/dteam/disk0tape0/janjust
The URL for this directory will be used throughout the rest of this page, hence we abbreviate it to
SRM=srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/dteam/disk0tape0/janjust
Copying and registering your file
Next we will copy a file to our SRM directory and register it in the LFC in one go:
$ lcg-cr -d $SRM/myfile -l lfn:/grid/pvier/janjust/my-castor-file file://$PWD/myfile guid:0e56765a-5e1c-495e-a997-4495a4f06f18
which returns the LFC GUID for the file upon success.
Note: the LFC location is /grid/pvier/janjust which was actually a mistake. However, the LFC allows me to write to this directory even though I used a dteam proxy !!
(For details on how to find out how the LFC directory space is organized see Access control for the LFC)
We could also have copied the file to the SRM only, bypassing the LFC registration, using the command
lcg-cp file://$PWD/myfile $SRM/myfile
or even
srmcp -globus_tcp_port_range=20000,25000 file://$PWD/myfile $SRM/myfile
but as we needed the LFC entry as well we used the (preferred) lcg-cr command. Please also note that the srmcp command is not very well supported.
Looking at the permissions
For a file that is copied to SRM and that is registered in the LFC there are 2 sets of permissions:
- SRM-level
- LFC-level
These permissions are not directly related to each other and need to be modified separately. In this section we explain how to modify the SRM-level permissions. The LFC-level permissions are explained in Access control for the LFC.
$ srm-get-permissions $SRM/myfile # file : srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/dteam/disk0tape0/janjust/myfile # owner : dteam001 owner:dteam001:RWX user:dteam001:RWX group:dteam:RWX other:RW
Just for the fun of it, let's list a file which we did not create ourselves:
$ srm-get-permissions srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/atlas/atlasTest/nopolicy2 # file : srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/atlas/atlasTest/nopolicy2 # owner : gtf owner:gtf:RW user:gtf:RW group:sysgroup:R other:R
When you compare it to dCache (see Access control for dCache storage elements) this looks more like "regular" UNIX permissions:
- the file is owned by a single user
- there are 'group' and 'other' permissions
but there are subtle differences!
We will have to keep this in mind when we want to limit access to our files.
Modifying the permissions
Use
srm-set-permissions -h
to get a list of options for this command.
$ srm-set-permissions -type=CHANGE -group=NONE -other=NONE $SRM/myfile Return code: SRM_INVALID_REQUEST Explanation: Group 500 does not exist
Don't you just love these kind of error messages? Some experimentation shows that the -group=NONE part is wreaking havoc:
$ srm-set-permissions -type=CHANGE -other=NONE $SRM/myfile
returns no errors, but ...
$ srm-get-permissions $SRM/myfile # file : srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/dteam/disk0tape0/janjust/myfile # owner : dteam001 owner:dteam001:RWX user:dteam001:RWX group:dteam:RW other:R # <------------- !!!!!
it also did not do what we expected: the other permissions are still R but we requested 'NONE'.
There are other ways of using srm-set-permissions. Let's see what that gives:
$ srm-set-permissions -type=REMOVE -group=RWX $SRM/myfile Return code: SRM_INVALID_REQUEST Explanation: Group 500 does not exist
No change. Next:
$ srm-set-permissions -type=REMOVE -other=RWX $SRM/myfile
Ah, that command did work: the intention of this command was to remove the permissions RWX for the other group. Let's see what the permissions are now:
$ srm-get-permissions $SRM/myfile # file : srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/dteam/disk0tape0/janjust/myfile # owner : dteam001 owner:dteam001:NONE user:dteam001:NONE group:dteam:NONE other:NONE
Now ALL permissions are gone ?!?!?!? This just keeps getting better and better, doesn't it ;-) ?
Verifying access control
As the original user:
$ srm-get-permissions $SRM/myfile # file : srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/dteam/disk0tape0/janjust/myfile # owner : dteam001 owner:dteam001:NONE user:dteam001:NONE group:dteam:NONE other:NONE
Let's try to read it:
$ lcg-cp $SRM/myfile file://$PWD/blah globus_ftp_client: the server responded with an error 500 Command failed. : open error: Permission denied lcg_cp: Permission denied
Well, at least the permissions are consistent with the lcg-cp command.
Let's give access back to the owner:
$ srm-set-permissions -type=ADD -owner=RWX $SRM/myfile
And try again:
$ srm-get-permissions $SRM/myfile # file : srm://srm-dteam.gridpp.rl.ac.uk/castor/ads.rl.ac.uk/test/dteam/disk0tape0/janjust/myfile # owner : dteam001 owner:dteam001:RWX user:dteam001:RWX group:dteam:NONE other:NONE $ lcg-cp $SRM/myfile file://$PWD/blah $ ls -al blah -rw-r--r-- 1 janjust datagrid 8508 Aug 20 16:49 blah
so at least we can copy the file again.
Now if we switch to another VO:
$ voms-proxy-init --voms pvier Enter GRID pass phrase: Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser Creating temporary proxy ........................................................ Done Contacting voms.grid.sara.nl:30000 [/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl] "pvier" Done Creating proxy ........................................................... Done Your proxy is valid until Fri Aug 21 05:18:15 2009
and then try to copy the file
$ lcg-cp $SRM/myfile file://$PWD/blah
we get NO error message.
Let's create a VO-less proxy and try again:
$ grid-proxy-init -old Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser Enter GRID pass phrase for this identity: Creating proxy ....................................................... Done Your proxy is valid until: Fri Aug 21 05:22:13 2009 $ voms-proxy-info -all WARNING: Unable to verify signature! Server certificate possibly not installed. Error: VOMS extension not found! subject : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser/CN=proxy issuer : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser identity : /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser type : proxy strength : 512 bits path : /tmp/x509up_u7651 timeleft : 11:59:59 $ lcg-cp $SRM/myfile file://$PWD/blah
And again, we get NO error message.
Next we ask a colleague to try it as well and he also gets NO error message !!
Some investigation shows that the gridmap-file on the CASTOR nodes maps all users for a particular VO to a single userid dteam001. So even though the group permissions are now gone anybody who is mapped to this userid can read/write/delete my files.
Conclusion
Access control in CASTOR is not very well implemented:
- The srm-{get,set}-permissions commands do work but not in a comprehensible manner.
- The fact that multiple users, regardless of the VOMS-extensions in their proxies, are mapped to a single userid makes access control useless.