How to control access rights for LFC/SRM files
Storing files on the grid is one thing. Controlling access to these files is a different matter. This page is the result of an ongoing investigation on how to control access rights for different storage systems (currently: dCache and DPM), as well as the way files are stored and accessed on the Local File Catalog (LFC).
dCache
Before we start: it is assumed that you already have generated a valid VOMS proxy prior to attempting any of these commands. It is also assumed that you have access rights to the storage systems used below.
All of the sample output below was generated using a pvier proxy, unless noted otherwise.
Finding out how storage is organized
To list the storage systems to which you have access use
lcg-infosites --vo <YOUR-VO> se
which for my proxies currently results in
Avail Space(Kb) Used Space(Kb) Type SEs ---------------------------------------------------------- 12078 108 n.a srm.grid.rug.nl 12078 108 n.a srm.grid.rug.nl 730582644 681194097 n.a gb-se-amc.amc.nl 8226695519985 23304480014 n.a srm.grid.sara.nl 605355546 806421195 n.a gb-se-nki.els.sara.nl 6575746866 20920246 n.a carme.htc.biggrid.nl 152913518 115521938 n.a se.grid.rug.nl 248345185 1166074827 n.a gb-se-ams.els.sara.nl 355230761 1056545980 n.a gb-se-uu.science.uu.nl 1266740857 145035883 n.a gb-se-wur.els.sara.nl 337812899 1076607113 n.a gb-se-kun.els.sara.nl 2195706454 3048365 n.a tbn18.nikhef.nl 771834491 620488567 n.a gb-se-lumc.lumc.nl
Note the current version of the lcg-infosites command does not use your grid proxy at all !
You can then use the srmls command to figure out how the storage is organized:
$ srmls srm://srm.grid.sara.nl
512 //
[SNIP]
4096 //pnfs/
[SNIP]
This listing tells us that this storage system uses a PNFS file system, which means that we're talking to a dCache SRM. Subsequent srmls commands then give us:
$ srmls srm://srm.grid.sara.nl/pnfs/
512 /pnfs//
512 /pnfs//grid.sara.nl/
[SNIP]
$ srmls srm://srm.grid.sara.nl/pnfs/grid.sara.nl
512 /pnfs/grid.sara.nl/
512 /pnfs/grid.sara.nl/disk/
512 /pnfs/grid.sara.nl/tapetests/
512 /pnfs/grid.sara.nl/data/
512 /pnfs/grid.sara.nl/disktests/
$ srmls srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data
0 /pnfs/grid.sara.nl/data/
[SNIP}
512 /pnfs/grid.sara.nl/data/pvier/
512 /pnfs/grid.sara.nl/data/vlemed/
Hey, we are at the VO level now. Here I've listed the two VOs which will be used throughout this page.
Creating your own directory in SRM-space
Before we copy a file to the dCache SRM we first create our own directory. If we do not do this then SRM will store the files in generated directories, over which we have little or no control.
srmmkdir srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust/
The URL for this directory will be used throughout the rest of this page, hence we abbreviate it to
SRM=srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust
Copying and registering your file
Next we will copy a file to our SRM directory and register it in the LFC in one go:
lcg-cr -d $SRM/myfile -l lfn:/grid/pvier/janjust/myfile file://$PWD/myfile
which, if successful, returns the LFC GUID for the file
guid:6b4c060f-cd95-4360-9e1b-a29d023d49b8
(For details on how to find out how the LFC directory space is organized see below)
Looking at the permissions
- SRM : srm-get-permissions
Modifying the permissions
- SRM : srm-set-permissions
Verifying access control
- SRM : srm-get-permissions
- Try to access the file as another user
DPM
Creating your own directory in DPM-space
srmmkdir .... ?? dpns-mkdir
Copying and registering your file
lcg-cr ....
Looking at the permissions
- SRM : srm-get-permissions is broken
- dpns-getacl
Modifying the permissions
- SRM : dpns-setacl
Verifying access control
- SRM
- Try to access the file as another user
LFC
Copying and registering your file
- lcg-cr .... with full path
- lcg-cr .... with generated path
Looking at the permissions
- lfc-getacl
- lfc-la
- lfc-lg
- lfc-lr
- lfc-ls
- lcg-gt
Modifying the permissions
- lfc-setacl
Verifying access control
- lfc-getacl
- lfc-la
- lfc-lg
- lfc-lr
- lfc-ls
- Try to access the file as another user
