Access control for dCache storage elements

From PDP/Grid Wiki
Jump to navigationJump to search

This page is part of an investigation on How to control access rights for LFC/SRM files .

Finding out how storage is organized

To list the storage systems to which you have access use 

 lcg-infosites --vo <YOUR-VO> se

which results in 

Avail Space(Kb) Used Space(Kb)  Type   SEs
----------------------------------------------------------
12078           108             n.a    srm.grid.rug.nl
12078           108             n.a    srm.grid.rug.nl
730582644       681194097       n.a    gb-se-amc.amc.nl
8226695519985   23304480014     n.a    srm.grid.sara.nl
605355546       806421195       n.a    gb-se-nki.els.sara.nl
6575746866      20920246        n.a    carme.htc.biggrid.nl
152913518       115521938       n.a    se.grid.rug.nl
248345185       1166074827      n.a    gb-se-ams.els.sara.nl
355230761       1056545980      n.a    gb-se-uu.science.uu.nl
1266740857      145035883       n.a    gb-se-wur.els.sara.nl
337812899       1076607113      n.a    gb-se-kun.els.sara.nl
2195706454      3048365         n.a    tbn18.nikhef.nl
771834491       620488567       n.a    gb-se-lumc.lumc.nl

Note the current version of the lcg-infosites command does not use your grid proxy at all !

You can then use the srmls command to figure out how the storage is organized: 

$ srmls srm://srm.grid.sara.nl
 512 //
     [SNIP]
     4096 //pnfs/
     [SNIP]

This listing tells us that this storage system uses a PNFS file system, which means that we're talking to a dCache SRM. Subsequent srmls commands then give us: 

$ srmls srm://srm.grid.sara.nl/pnfs/
 512 /pnfs//
     512 /pnfs//grid.sara.nl/
     [SNIP]

$ srmls srm://srm.grid.sara.nl/pnfs/grid.sara.nl
 512 /pnfs/grid.sara.nl/
     512 /pnfs/grid.sara.nl/disk/
     512 /pnfs/grid.sara.nl/tapetests/
     512 /pnfs/grid.sara.nl/data/
     512 /pnfs/grid.sara.nl/disktests/

$ srmls srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data
 0 /pnfs/grid.sara.nl/data/
     [SNIP}
     512 /pnfs/grid.sara.nl/data/pvier/
     512 /pnfs/grid.sara.nl/data/vlemed/

Hey, we are at the VO level now. Here I've listed the two VOs which will be used throughout this page.

Creating your own directory in SRM-space

Before we copy a file to the dCache SRM we first create our own directory. If we do not do this then SRM will store the files in generated directories, over which we have little or no control. 

srmmkdir srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust/

The URL for this directory will be used throughout the rest of this page, hence we abbreviate it to 

SRM=srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust

Copying and registering your file

Next we will copy a file to our SRM directory and register it in the LFC in one go: 

lcg-cr -d $SRM/myfile -l lfn:/grid/pvier/janjust/myfile file://$PWD/myfile

which, if successful, returns the LFC GUID for the file 

guid:6b4c060f-cd95-4360-9e1b-a29d023d49b8

(For details on how to find out how the LFC directory space is organized see below)

Looking at the permissions

For a file that is copied to SRM and that is registered in the LFC there are 2 sets of permissions:

  1. SRM-level
  2. LFC-level

These permissions are not directly related to each other and need to be modified separately. In this section we explain how to modify the SRM-level permissions. The LFC-level permissions are explained in Access control for the LFC. 

$ srm-get-permissions $SRM/myfile
# file  : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust/myfile
# owner : 18010
owner:18010:RW
user:18010:RW
group:1276:R
other:R

Just for the fun of it, let's list a file which we did not create ourselves: 

$ srm-get-permissions srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/ronstestdir3
# file  : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/ronstestdir3
# owner : 18010
owner:18010:RWX
user:18010:RWX
group:1276:NONE
other:NONE

Wait a second... that file has exactly the same user (18010) and group (1276) !

Now let's check a directory that was created using a different VOMS proxy, this time one for VO vlemed: 

$ srm-get-permissions srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/vlemed/generated/2007-11-07
# file  : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/vlemed/generated/2007-11-07
# owner : 18002
owner:18002:RWX
user:18002:RWX
group:1276:RX
other:RX

This time the user is different (18002) but the group is still 1276 ! We will have to keep this in mind when we want to limit access to our files.

Note: this limitation is due to the setup of dCache , where pnfs is used as the underlying file system. pnfs does not support user-level access control. An alternative is to use chimera as the underlying file system, which does support user-level ACLs, but this would require a migration of all data currently in dCache, as well as a (manual) re-synchronization between dCache and all LFCs that have entries pointing to dCache.

Modifying the permissions

  • SRM : srm-set-permissions

Verifying access control

  • SRM : srm-get-permissions
  • Try to access the file as another user
Retrieved from "https://wiki.nikhef.nl/grid/index.php?title=Access_control_for_dCache_storage_elements&oldid=3094"