Difference between revisions of "Access control for the LFC"
Line 82: | Line 82: | ||
= Verifying access control = | = Verifying access control = | ||
− | + | As the original user: | |
− | + | $ lfc-getacl /grid/pvier/janjust/my-dpm-file | |
− | + | # file: /grid/pvier/janjust/my-dpm-file | |
− | + | # owner: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser | |
− | + | # group: pvier | |
− | + | user::rw- | |
+ | group::--- #effective:--- | ||
+ | other::--- | ||
+ | |||
+ | so this file should now be accessible only to the user '''at the LFC-level'''. | ||
+ | |||
+ | Now if we switch to another VO: | ||
+ | $ voms-proxy-init --voms vlemed | ||
+ | Enter GRID pass phrase: | ||
+ | Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser | ||
+ | Creating temporary proxy .......................................... Done | ||
+ | Contacting voms.grid.sara.nl:30003 [/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl] "vlemed" Done | ||
+ | Creating proxy ............................. Done | ||
+ | Your proxy is valid until Thu Aug 6 23:45:56 2009 | ||
+ | and then try to access the LFC entry, e.g. to get the SRM endpoint we get | ||
+ | $ lcg-lr lfn:/grid/pvier/janjust/my-dpm-file | ||
+ | srm://tbn18.nikhef.nl/dpm/nikhef.nl/home/pvier/janjust/myfile | ||
+ | we get '''NO''' error message: the LFC behaves pretty much like regular UNIX. The LFC entry is still owned by the original | ||
+ | user (/CN=Jan Just Keijser) and thus that user is still allowed to manipulate that entry, even though the voms proxy | ||
+ | belongs to another VO. |
Revision as of 15:02, 6 August 2009
This page is part of an investigation on How to control access rights for LFC/SRM files .
Finding out how the Local File Catalog is organized
To list the Local File Catalog for a particular VO use
lcg-infosites --vo <YOUR-VO> lfc
which results in
lfc.grid.sara.nl
Note the current version of the lcg-infosites command does not use your grid proxy at all !
Set the environment variable LFC_HOST to point this host
export LFC_HOST=lfc.grid.sara.nl
You can then use the lfc-ls command to figure out how the LFC is organized:
$ lfc-ls -l / drwxr-xr-x 31 root root 0 Feb 15 2007 grid $ lfc-ls -l /grid [SNIP] drwxrwxr-x 37 root 2025 0 Aug 04 13:31 pvier drwxrwxr-x 28 root 2031 0 Aug 06 10:34 vlemed [SNIP]
Hey, we are at the VO level now. Here I've listed the two VOs which will be used throughout this page.
Creating your own directory in LFC-space
Before we register a file in the LFC we first create our own directory.
lfc-mkdir /grid/pvier/janjust
Copying and registering your file
In another part of this investigation we created an SRM directory on a DPM server. The URL for this directory will be used throughout the rest of this page, hence we abbreviate it to
SRM=srm://tbn18.nikhef.nl:8446/dpm/nikhef.nl/home/pvier/janjust
For more details, see Access control for DPM storage elements.
Next we will copy a file to an SRM directory we created earlier and register it in the LFC in one go:
$ lcg-cr -d $SRM/myfile -l lfn:/grid/pvier/janjust/my-dpm-file file://$PWD/myfile guid:bbdad839-b2d1-46f6-95ab-5b6561f7e72f
which returns the LFC GUID for the file upon success.
And we also copy a file to SRM and register it in the LFC without specifying a directory:
$ lcg-cr -d tbn18.nikhef.nl -l lfn:/grid/pvier/janjust/myfile2 file://$PWD/myfile guid:fa4a182b-49f9-4989-a549-f01ab6e252f9
In this case a directory is generated automatically by the lcg-cr command.
Looking at the permissions
Use the lfc-getacl command to list the current permissions (ACLs) for an LFC entry:
$ lfc-getacl /grid/pvier/janjust/my-dpm-file # file: /grid/pvier/janjust/my-dpm-file # owner: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser # group: pvier user::rw- group::rw- #effective:rw- other::r--
And there is a whole list of lcg-l? commands as well:
$ lcg-la lfn:/grid/pvier/janjust/my-dpm-file lfn:/grid/pvier/janjust/my-dpm-file $ lcg-lg lfn:/grid/pvier/janjust/my-dpm-file guid:bbdad839-b2d1-46f6-95ab-5b6561f7e72f $ lcg-lr lfn:/grid/pvier/janjust/my-dpm-file srm://tbn18.nikhef.nl/dpm/nikhef.nl/home/pvier/janjust/myfile
We can use the output of the last command to get a TURL for this file:
$ lcg-gt srm://tbn18.nikhef.nl/dpm/nikhef.nl/home/pvier/janjust/myfile gsiftp gsiftp://hooivork.nikhef.nl/hooivork.nikhef.nl:/export/data/ncf/pvier/2009-08-06/myfile.15536824.0
which we can then plug into globus-url-copy to retrieve it:
$ globus-url-copy gsiftp://hooivork.nikhef.nl/hooivork.nikhef.nl:/export/data/ncf/pvier/2009-08-06/myfile.15536824.0 \ file:///$PWD/blah5
Modifying the permissions
lfc-setacl -m g::0,o::0 /grid/pvier/janjust/my-dpm-file
Note that the syntax of this command is very similar to that of the dpns-setacl command.
Verifying access control
As the original user:
$ lfc-getacl /grid/pvier/janjust/my-dpm-file # file: /grid/pvier/janjust/my-dpm-file # owner: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser # group: pvier user::rw- group::--- #effective:--- other::---
so this file should now be accessible only to the user at the LFC-level.
Now if we switch to another VO:
$ voms-proxy-init --voms vlemed Enter GRID pass phrase: Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser Creating temporary proxy .......................................... Done Contacting voms.grid.sara.nl:30003 [/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl] "vlemed" Done Creating proxy ............................. Done Your proxy is valid until Thu Aug 6 23:45:56 2009
and then try to access the LFC entry, e.g. to get the SRM endpoint we get
$ lcg-lr lfn:/grid/pvier/janjust/my-dpm-file srm://tbn18.nikhef.nl/dpm/nikhef.nl/home/pvier/janjust/myfile
we get NO error message: the LFC behaves pretty much like regular UNIX. The LFC entry is still owned by the original user (/CN=Jan Just Keijser) and thus that user is still allowed to manipulate that entry, even though the voms proxy belongs to another VO.