How to control access rights for LFC/SRM files

From PDP/Grid Wiki
Jump to navigationJump to search

Storing files on the grid is one thing. Controlling access to these files is a different matter. This page is the result of an ongoing investigation on how to control access rights for different storage systems (currently: dCache and DPM), as well as the way files are stored and accessed on the Local File Catalog (LFC).

dCache

Before we start: it is assumed that you already have generated a valid VOMS proxy prior to attempting any of these commands. It is also assumed that you have access rights to the storage systems used below.

All of the sample output below was generated using a pvier proxy, unless noted otherwise.

Finding out how storage is organized

To list the storage systems to which you have access use

 lcg-infosites --vo <YOUR-VO> se

which for my proxies currently results in

Avail Space(Kb) Used Space(Kb)  Type   SEs
----------------------------------------------------------
12078           108             n.a    srm.grid.rug.nl
12078           108             n.a    srm.grid.rug.nl
730582644       681194097       n.a    gb-se-amc.amc.nl
8226695519985   23304480014     n.a    srm.grid.sara.nl
605355546       806421195       n.a    gb-se-nki.els.sara.nl
6575746866      20920246        n.a    carme.htc.biggrid.nl
152913518       115521938       n.a    se.grid.rug.nl
248345185       1166074827      n.a    gb-se-ams.els.sara.nl
355230761       1056545980      n.a    gb-se-uu.science.uu.nl
1266740857      145035883       n.a    gb-se-wur.els.sara.nl
337812899       1076607113      n.a    gb-se-kun.els.sara.nl
2195706454      3048365         n.a    tbn18.nikhef.nl
771834491       620488567       n.a    gb-se-lumc.lumc.nl

Note the current version of the lcg-infosites command does not use your grid proxy at all !

You can then use the srmls command to figure out how the storage is organized:

$ srmls srm://srm.grid.sara.nl
 512 //
     [SNIP]
     4096 //pnfs/
     [SNIP]

This listing tells us that this storage system uses a PNFS file system, which means that we're talking to a dCache SRM. Subsequent srmls commands then give us:

$ srmls srm://srm.grid.sara.nl/pnfs/
 512 /pnfs//
     512 /pnfs//grid.sara.nl/
     [SNIP]

$ srmls srm://srm.grid.sara.nl/pnfs/grid.sara.nl
 512 /pnfs/grid.sara.nl/
     512 /pnfs/grid.sara.nl/disk/
     512 /pnfs/grid.sara.nl/tapetests/
     512 /pnfs/grid.sara.nl/data/
     512 /pnfs/grid.sara.nl/disktests/

$ srmls srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data
 0 /pnfs/grid.sara.nl/data/
     [SNIP}
     512 /pnfs/grid.sara.nl/data/pvier/
     512 /pnfs/grid.sara.nl/data/vlemed/

Hey, we are at the VO level now. Here I've listed the two VOs which will be used throughout this page.

Creating your own directory in SRM-space

Before we copy a file to the dCache SRM we first create our own directory. If we do not do this then SRM will store the files in generated directories, over which we have little or no control.

srmmkdir srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust/

The URL for this directory will be used throughout the rest of this page, hence we abbreviate it to

SRM=srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust

Copying and registering your file

Next we will copy a file to our SRM directory and register it in the LFC in one go:

lcg-cr -d $SRM/myfile -l lfn:/grid/pvier/janjust/myfile file://$PWD/myfile

which, if successful, returns the LFC GUID for the file

guid:6b4c060f-cd95-4360-9e1b-a29d023d49b8

(For details on how to find out how the LFC directory space is organized see below)

Looking at the permissions

For a file that is copied to SRM and that is registered in the LFC there are 2 sets of permissions:

  1. SRM-level
  2. LFC-level

These permissions are not directly related to each other and need to be modified separately. In this section we explain how to modify the SRM-level permissions. The LFC-level permissions are explained below.

$ srm-get-permissions $SRM/myfile
# file  : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust/myfile
# owner : 18010
owner:18010:RW
user:18010:RW
group:1276:R
other:R

Just for the fun of it, let's list a file which we did not create ourselves:

$ srm-get-permissions srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/ronstestdir3
# file  : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/ronstestdir3
# owner : 18010
owner:18010:RWX
user:18010:RWX
group:1276:NONE
other:NONE

Wait a second... that file has exactly the same user (18010) and group (1276) !

Now let's check a directory that we created using a different VOMS proxy, this time one for VO vlemed:

$ srm-get-permissions srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/vlemed/janjust
# file  : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/vlemed/janjust
# owner : 18002
owner:18002:RWX
user:18002:RWX
group:1276:NONE
other:NONE

This time the user is different (18002) but the group is still 1276 ! We will have to keep this in mind when we want to limit access to our files.

Modifying the permissions

  • SRM : srm-set-permissions

Verifying access control

  • SRM : srm-get-permissions
  • Try to access the file as another user

DPM

Creating your own directory in DPM-space

srmmkdir .... ??
dpns-mkdir

Copying and registering your file

lcg-cr ....

Looking at the permissions

  • SRM : srm-get-permissions is broken
    • dpns-getacl

Modifying the permissions

  • SRM : dpns-setacl

Verifying access control

  • SRM
  • Try to access the file as another user

LFC

Copying and registering your file

  • lcg-cr .... with full path
  • lcg-cr .... with generated path

Looking at the permissions

  • lfc-getacl
  • lfc-la
  • lfc-lg
  • lfc-lr
  • lfc-ls
  • lcg-gt

Modifying the permissions

  • lfc-setacl

Verifying access control

  • lfc-getacl
  • lfc-la
  • lfc-lg
  • lfc-lr
  • lfc-ls
  • Try to access the file as another user