How to control access rights for LFC/SRM files
Storing files on the grid is one thing. Controlling access to these files is a different matter. This page is the result of an ongoing investigation on how to control access rights for different storage systems (currently: dCache and DPM), as well as the way files are stored and accessed on the Local File Catalog (LFC).
dCache
Before we start: it is assumed that you already have generated a valid VOMS proxy prior to attempting any of these commands. It is also assumed that you have access rights to the storage systems used below.
All of the sample output below was generated using a pvier proxy, unless noted otherwise.
Finding out how storage is organized
To list the storage systems to which you have access use
lcg-infosites --vo <YOUR-VO> se
which for my proxies currently results in
Avail Space(Kb)   Used Space(Kb)   Type   SEs
----------------------------------------------------------
12078             108              n.a    srm.grid.rug.nl
12078             108              n.a    srm.grid.rug.nl
730582644         681194097        n.a    gb-se-amc.amc.nl
8226695519985     23304480014      n.a    srm.grid.sara.nl
605355546         806421195        n.a    gb-se-nki.els.sara.nl
6575746866        20920246         n.a    carme.htc.biggrid.nl
152913518         115521938        n.a    se.grid.rug.nl
248345185         1166074827       n.a    gb-se-ams.els.sara.nl
355230761         1056545980       n.a    gb-se-uu.science.uu.nl
1266740857        145035883        n.a    gb-se-wur.els.sara.nl
337812899         1076607113       n.a    gb-se-kun.els.sara.nl
2195706454        3048365          n.a    tbn18.nikhef.nl
771834491         620488567        n.a    gb-se-lumc.lumc.nl
Note that the current version of the lcg-infosites command does not use your grid proxy at all!
You can then use the srmls command to figure out how the storage is organized:
$ srmls srm://srm.grid.sara.nl
  512 //
  [SNIP]
  4096 //pnfs/
  [SNIP]
This listing tells us that this storage system uses a PNFS file system, which means that we're talking to a dCache SRM. Subsequent srmls commands then give us:
$ srmls srm://srm.grid.sara.nl/pnfs/
  512 /pnfs//
  512 /pnfs//grid.sara.nl/
  [SNIP]
$ srmls srm://srm.grid.sara.nl/pnfs/grid.sara.nl
  512 /pnfs/grid.sara.nl/
  512 /pnfs/grid.sara.nl/disk/
  512 /pnfs/grid.sara.nl/tapetests/
  512 /pnfs/grid.sara.nl/data/
  512 /pnfs/grid.sara.nl/disktests/
$ srmls srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data
  0 /pnfs/grid.sara.nl/data/
  [SNIP]
  512 /pnfs/grid.sara.nl/data/pvier/
  512 /pnfs/grid.sara.nl/data/vlemed/
Hey, we are at the VO level now. Here I've listed the two VOs which will be used throughout this page.
Creating your own directory in SRM-space
Before we copy a file to the dCache SRM we first create our own directory. If we do not do this then SRM will store the files in generated directories, over which we have little or no control.
srmmkdir srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust/
The URL for this directory will be used throughout the rest of this page, hence we abbreviate it to
SRM=srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust
Copying and registering your file
Next we will copy a file to our SRM directory and register it in the LFC in one go:
lcg-cr -d $SRM/myfile -l lfn:/grid/pvier/janjust/myfile file://$PWD/myfile
which, if successful, returns the LFC GUID for the file
guid:6b4c060f-cd95-4360-9e1b-a29d023d49b8
(For details on how the LFC directory space is organized, see the LFC section below.)
Looking at the permissions
For a file that is copied to SRM and registered in the LFC there are two sets of permissions:
- SRM-level
- LFC-level
These permissions are not directly related to each other and need to be modified separately. In this section we explain how to modify the SRM-level permissions. The LFC-level permissions are explained below.
$ srm-get-permissions $SRM/myfile
# file : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust/myfile
# owner : 18010
owner:18010:RW
user:18010:RW
group:1276:R
other:R
Just for the fun of it, let's list a file which we did not create ourselves:
$ srm-get-permissions srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/ronstestdir3
# file : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/ronstestdir3
# owner : 18010
owner:18010:RWX
user:18010:RWX
group:1276:NONE
other:NONE
Wait a second... that file has exactly the same user (18010) and group (1276)!
Now let's check a directory that we created using a different VOMS proxy, this time one for VO vlemed:
$ srm-get-permissions srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/vlemed/janjust
# file : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/vlemed/janjust
# owner : 18002
owner:18002:RWX
user:18002:RWX
group:1276:NONE
other:NONE
This time the user is different (18002) but the group is still 1276! We will have to keep this in mind when we want to limit access to our files: a group permission on this dCache SRM does not distinguish between the pvier and vlemed proxies.
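The three listings above share one lesson: the group id 1276 is the same for both VO proxies, so any group bit on a dCache file is visible beyond your own VO, and only owner-only entries (group and other NONE) actually restrict access. The following shell script is an added example, not code from the original page or from the dCache/SRM tools: it reads srm-get-permissions output in exactly the format shown above, prints a verdict per file (OK when only the owner has access, EXPOSED with the offending entries otherwise), and lists the distinct group ids so a shared group is easy to spot. The sample output is constructed to mirror the three listings, and the function names srm_perm_audit and srm_group_ids are this example's own, not commands that exist in any grid toolkit.

```shell
#!/bin/sh
# Added example (not from the original page): audit srm-get-permissions output.
# The audit treats anything other than NONE for group or other as exposure,
# because on this dCache instance the group id does not separate VOs.

# sample_output: constructed srm-get-permissions output in the page's format;
# the values mirror the three listings shown above.
sample_output() {
    cat <<'EOF'
# file : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust/myfile
# owner : 18010
owner:18010:RW
user:18010:RW
group:1276:R
other:R
# file : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/ronstestdir3
# owner : 18010
owner:18010:RWX
user:18010:RWX
group:1276:NONE
other:NONE
# file : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/vlemed/janjust
# owner : 18002
owner:18002:RWX
user:18002:RWX
group:1276:NONE
other:NONE
EOF
}

# srm_perm_audit: read srm-get-permissions output on stdin and print one line
# per entry: "<url> OK" when only the owner has access, otherwise
# "<url> EXPOSED:<who>=<perm>[,...]" for each group/other entry that is not NONE.
srm_perm_audit() {
    awk -F: '
        function add(list, item) { return (list == "") ? item : list "," item }
        /^# file :/ { url = $0; sub(/^# file : */, "", url) }
        /^group:/   { if ($3 != "NONE") exposed = add(exposed, "group=" $3) }
        /^other:/   {
            if ($2 != "NONE") exposed = add(exposed, "other=" $2)
            # "other:" is the last line of an entry, so the verdict is emitted here
            if (exposed == "") print url, "OK"; else print url, "EXPOSED:" exposed
            exposed = ""
        }
    '
}

# srm_group_ids: distinct group ids seen in the listing. One id covering
# files from several VOs means group bits cannot keep other VOs out.
srm_group_ids() {
    awk -F: '/^group:/ { print $2 }' | sort -u
}

# Usage: pipe real output into the functions, e.g.
#   srm-get-permissions $SRM/myfile | srm_perm_audit
# Here the constructed sample is used instead.
sample_output | srm_perm_audit
echo "group ids seen: $(sample_output | srm_group_ids | tr '\n' ' ')"
```

Run against a batch of real listings, the audit gives a quick list of files whose group or other bits need tightening with srm-set-permissions, and the group id summary tells you whether a group bit is a meaningful restriction at all on the SRM you are using.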
Modifying the permissions
- SRM : srm-set-permissions
Verifying access control
- SRM : srm-get-permissions
- Try to access the file as another user
DPM
Creating your own directory in DPM-space
srmmkdir .... ?? dpns-mkdir
Copying and registering your file
lcg-cr ....
Looking at the permissions
- SRM : srm-get-permissions is broken
- dpns-getacl
Modifying the permissions
- SRM : dpns-setacl
Verifying access control
- SRM
- Try to access the file as another user
LFC
Copying and registering your file
- lcg-cr .... with full path
- lcg-cr .... with generated path
Looking at the permissions
- lfc-getacl
- lfc-la
- lfc-lg
- lfc-lr
- lfc-ls
- lcg-gt
Modifying the permissions
- lfc-setacl
Verifying access control
- lfc-getacl
- lfc-la
- lfc-lg
- lfc-lr
- lfc-ls
- Try to access the file as another user