How to control access rights for LFC/SRM files

From PDP/Grid Wiki
Jump to navigationJump to search

Storing files on the grid is one thing. Controlling access to these files is a different matter. This page is the result of an ongoing investigation on how to control access rights for different storage systems (currently: dCache and DPM), as well as the way files are stored and accessed on the Local File Catalog (LFC).

dCache

Before we start: it is assumed that you already have generated a valid VOMS proxy prior to attempting any of these commands. It is also assumed that you have access rights to the storage systems used below.

Finding out how storage is organized

To list the storage systems to which you have access use 

 lcg-infosites --vo <YOUR-VO> se

which for my proxies currently results in 

Avail Space(Kb) Used Space(Kb)  Type   SEs
----------------------------------------------------------
12078           108             n.a    srm.grid.rug.nl
12078           108             n.a    srm.grid.rug.nl
730582644       681194097       n.a    gb-se-amc.amc.nl
8226695519985   23304480014     n.a    srm.grid.sara.nl
605355546       806421195       n.a    gb-se-nki.els.sara.nl
6575746866      20920246        n.a    carme.htc.biggrid.nl
152913518       115521938       n.a    se.grid.rug.nl
248345185       1166074827      n.a    gb-se-ams.els.sara.nl
355230761       1056545980      n.a    gb-se-uu.science.uu.nl
1266740857      145035883       n.a    gb-se-wur.els.sara.nl
337812899       1076607113      n.a    gb-se-kun.els.sara.nl
2195706454      3048365         n.a    tbn18.nikhef.nl
771834491       620488567       n.a    gb-se-lumc.lumc.nl

Note the current version of the lcg-infosites command does not use your grid proxy at all!

Creating your own directory in SRM-space

srmmkdir ....

Copying and registering your file

lcg-cr ....

Looking at the permissions

  • SRM : srm-get-permissions

Modifying the permissions

  • SRM : srm-set-permissions

Verifying access control

  • SRM : srm-get-permissions
  • Try to access the file as another user

DPM

Creating your own directory in DPM-space

srmmkdir .... ??
dpns-mkdir

Copying and registering your file

lcg-cr ....

Looking at the permissions

  • SRM : srm-get-permissions is broken
    • dpns-getacl

Modifying the permissions

  • SRM : dpns-setacl

Verifying access control

  • SRM
  • Try to access the file as another user

LFC

Copying and registering your file

  • lcg-cr .... with full path
  • lcg-cr .... with generated path

Looking at the permissions

  • lfc-getacl
  • lfc-la
  • lfc-lg
  • lfc-lr
  • lfc-ls
  • lcg-gt

Modifying the permissions

  • lfc-setacl

Verifying access control

  • lfc-getacl
  • lfc-la
  • lfc-lg
  • lfc-lr
  • lfc-ls
  • Try to access the file as another user
Retrieved from "https://wiki.nikhef.nl/grid/index.php?title=How_to_control_access_rights_for_LFC/SRM_files&oldid=3080"