Difference between revisions of "How to control access rights for LFC/SRM files"

Storing files on the grid is one thing. Controlling access to these files is a different matter. These pages are the result of an ongoing investigation on how to control access rights for different storage systems (currently: dCache and DPM), as well as the way files are stored and accessed on the Local File Catalog (LFC).
 
 
= dCache =
 
  
 
Before we start: it is assumed that you already have generated a valid VOMS proxy prior to attempting any of these commands. It is also assumed that you have access rights to the storage systems used below.  
 
All of the sample output below was generated using a <tt>pvier</tt> proxy, unless noted otherwise.
  
* [[Access control for dCache storage elements]]
* [[Access control for DPM storage elements]]
* [[Access control for the LFC]]

== Finding out how storage is organized ==

To list the storage systems to which you have access use

  lcg-infosites --vo <YOUR-VO> se
 
which for my proxies currently results in
 
 Avail Space(Kb) Used Space(Kb)  Type  SEs
 ----------------------------------------------------------
 12078          108            n.a    srm.grid.rug.nl
 12078          108            n.a    srm.grid.rug.nl
 730582644      681194097      n.a    gb-se-amc.amc.nl
 8226695519985  23304480014    n.a    srm.grid.sara.nl
 605355546      806421195      n.a    gb-se-nki.els.sara.nl
 6575746866     20920246       n.a    carme.htc.biggrid.nl
 152913518      115521938      n.a    se.grid.rug.nl
 248345185      1166074827     n.a    gb-se-ams.els.sara.nl
 355230761      1056545980     n.a    gb-se-uu.science.uu.nl
 1266740857     145035883      n.a    gb-se-wur.els.sara.nl
 337812899      1076607113     n.a    gb-se-kun.els.sara.nl
 2195706454     3048365        n.a    tbn18.nikhef.nl
 771834491      620488567      n.a    gb-se-lumc.lumc.nl
 
 
 
'''Note:''' the current version of the <tt>lcg-infosites</tt> command does not use your grid proxy at all!
 
 
 
You can then use the <tt>srmls</tt> command to figure out how the storage is organized:
 
 $ srmls srm://srm.grid.sara.nl
   512 //
       [SNIP]
       4096 //pnfs/
       [SNIP]
 
This listing tells us that this storage system uses a PNFS file system, which means that we're talking to a dCache SRM. Subsequent <tt>srmls</tt> commands then give us:
 
 $ srmls srm://srm.grid.sara.nl/pnfs/
   512 /pnfs//
       512 /pnfs//grid.sara.nl/
       [SNIP]

 $ srmls srm://srm.grid.sara.nl/pnfs/grid.sara.nl
   512 /pnfs/grid.sara.nl/
       512 /pnfs/grid.sara.nl/disk/
       512 /pnfs/grid.sara.nl/tapetests/
       512 /pnfs/grid.sara.nl/data/
       512 /pnfs/grid.sara.nl/disktests/

 $ srmls srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data
   0 /pnfs/grid.sara.nl/data/
       [SNIP]
       512 /pnfs/grid.sara.nl/data/pvier/
       512 /pnfs/grid.sara.nl/data/vlemed/
 
 
 
Hey, we are at the VO level now. Here I've listed the two VOs which will be used throughout this page.
 
 
 
== Creating your own directory in SRM-space ==
 
 
 
Before we copy a file to the dCache SRM we first create our own directory. If we do not do this then SRM will store the files in <tt>generated</tt> directories, over which we have little or no control.

  srmmkdir srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust/

The URL for this directory will be used throughout the rest of this page, hence we abbreviate it to

  SRM=srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust
 
 
 
== Copying and registering your file ==
 
 
 
Next we will copy a file to our SRM directory and register it in the LFC in one go:

  lcg-cr -d $SRM/myfile -l lfn:/grid/pvier/janjust/myfile file://$PWD/myfile

which, if successful, returns the LFC GUID for the file:

  guid:6b4c060f-cd95-4360-9e1b-a29d023d49b8
 
 
 
(For details on how to find out how the LFC directory space is organized see below)
 
 
 
== Looking at the permissions ==
 
 
 
For a file that is copied to SRM and that is registered in the LFC there are two sets of permissions:
# SRM-level
# LFC-level
These permissions are '''not''' directly related to each other and need to be modified separately.

In this section we explain how to modify the SRM-level permissions. The LFC-level permissions are explained below.
 
 $ srm-get-permissions $SRM/myfile
 # file  : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust/myfile
 # owner : 18010
 owner:18010:RW
 user:18010:RW
 group:1276:R
 other:R
 
 
 
Just for the fun of it, let's list a file which we did not create ourselves:
 
 $ srm-get-permissions srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/ronstestdir3
 # file  : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/ronstestdir3
 # owner : 18010
 owner:18010:RWX
 user:18010:RWX
 group:1276:NONE
 other:NONE
 
 
 
Wait a second... that file has '''exactly''' the same user (18010) and group (1276)!
 
 
 
Now let's check a directory that we created using a different VOMS proxy, this time one for VO <tt>vlemed</tt>:
 
 
 
 $ srm-get-permissions srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/vlemed/janjust
 # file  : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/vlemed/janjust
 # owner : 18002
 owner:18002:RWX
 user:18002:RWX
 group:1276:NONE
 other:NONE
 
 
 
This time the user is different (18002) but the group is still 1276!
 
We will have to keep this in mind when we want to limit access to our files.
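As an added example (not part of the original page), a small POSIX shell/awk helper that reads <tt>srm-get-permissions</tt> output in the format shown above and reports every principal other than the owner that still has access; the function name and the sample variables are my own, while the uid/gid values are the ones from the listings on this page.

```shell
#!/bin/sh
# Added example: audit srm-get-permissions output for access beyond the owner.
# Input format (one entry per line) follows the listings on this page:
#   # file  : <srm url>      <- comment header, skipped
#   # owner : <uid>          <- comment header, skipped
#   owner:<uid>:<perm>  user:<uid>:<perm>  group:<gid>:<perm>  other:<perm>

# Reads srm-get-permissions output on stdin and prints the non-owner principals
# that have a permission other than NONE, or "owner-only" if there are none.
# Group grants matter most here: the gid (1276 above) is the same for the pvier
# and vlemed proxies, so a group grant reaches members of both VOs.
who_else_can_access() {
  awk -F: '
    /^#/ { next }                                   # skip comment headers
    $1 == "owner" { own = $2; next }                # remember the owner uid
    $1 == "user"  && $2 != own && $3 != "NONE" { s = s sep "user " $2 ":" $3; sep = " " }
    $1 == "group" && $3 != "NONE"              { s = s sep "group " $2 ":" $3; sep = " " }
    $1 == "other" && $2 != "NONE"              { s = s sep "other:" $2; sep = " " }
    END { print (s == "" ? "owner-only" : s) }'
}

# Constructed samples, copied from two of the listings on this page.
SAMPLE_MYFILE='# file  : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust/myfile
# owner : 18010
owner:18010:RW
user:18010:RW
group:1276:R
other:R'

SAMPLE_VLEMED_DIR='# file  : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/vlemed/janjust
# owner : 18002
owner:18002:RWX
user:18002:RWX
group:1276:NONE
other:NONE'

# Real usage would be:  srm-get-permissions "$SRM/myfile" | who_else_can_access
printf '%s\n' "$SAMPLE_MYFILE" | who_else_can_access        # group 1276:R other:R
printf '%s\n' "$SAMPLE_VLEMED_DIR" | who_else_can_access    # owner-only
```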
 
 
 
== Modifying the permissions ==
 
 
 
* SRM : srm-set-permissions
 
 
 
== Verifying access control ==
 
 
 
* SRM : srm-get-permissions
 
* Try to access the file as another user
 
 
 
= DPM =
 
 
 
== Creating your own directory in DPM-space ==
 
 
 
srmmkdir .... ??
 
dpns-mkdir
 
 
 
== Copying and registering your file ==
 
 
 
lcg-cr ....
 
 
 
== Looking at the permissions ==
 
 
 
* SRM : srm-get-permissions is broken
 
** dpns-getacl
 
 
 
== Modifying the permissions ==
 
 
 
* SRM : dpns-setacl
 
 
 
== Verifying access control ==
 
 
 
* SRM
 
* Try to access the file as another user
 
 
 
= LFC =
 
 
 
== Copying and registering your file ==
 
 
 
* lcg-cr .... with full path
 
* lcg-cr .... with generated path
 
 
 
== Looking at the permissions ==
 
 
 
* lfc-getacl
 
* lfc-la
 
* lfc-lg
 
* lfc-lr
 
* lfc-ls
 
* lcg-gt
 
 
 
== Modifying the permissions ==
 
 
 
* lfc-setacl
 
 
 
== Verifying access control ==
 
 
 
* lfc-getacl
 
* lfc-la
 
* lfc-lg
 
* lfc-lr
 
* lfc-ls
 
* Try to access the file as another user
 

Revision as of 17:23, 5 August 2009
