Line 1: |
Line 1: |
− | Storing files on the grid is one thing. Controlling access to these files is a different matter. This page is the result of an ongoing investigation on how to control access rights for different storage systems (currently: dCache and DPM), as well as the way files are stored and accessed on the Local File Catalog (LFC). | + | Storing files on the grid is one thing. Controlling access to these files is a different matter. These pages are the result of an ongoing investigation on how to control access rights for different storage systems (currently: dCache and DPM), as well as the way files are stored and accessed on the Local File Catalog (LFC). |
− | | |
− | = dCache =
| |
| | | |
| Before we start: it is assumed that you already have generated a valid VOMS proxy prior to attempting any of these commands. It is also assumed that you have access rights to the storage systems used below. | | Before we start: it is assumed that you already have generated a valid VOMS proxy prior to attempting any of these commands. It is also assumed that you have access rights to the storage systems used below. |
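Review bot: the prerequisites on the unchanged context line (a valid VOMS proxy must already have been generated, and the reader must hold access rights on the storage systems used) now live only on what the rest of this change turns into an index page; since the body is being replaced by links to three subpages, each subpage should restate or link back to those prerequisites, or a reader arriving at a subpage directly will run the commands without them. The wording change from "This page" to "These pages" is consistent with that split.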
Line 7: |
Line 5: |
| All of the sample output below was generated using a <tt>pvier</tt> proxy, unless noted otherwise. | | All of the sample output below was generated using a <tt>pvier</tt> proxy, unless noted otherwise. |
| | | |
− | == Finding out how storage is organized ==
| + | * [[Access control for dCache storage elements]] |
− | | + | * [[Access control for DPM storage elements]] |
− | To list the storage systems to which you have access use
| + | * [[Access control for the LFC]] |
− | lcg-infosites --vo <YOUR-VO> se
| |
− | which for my proxies currently results in
| |
− | Avail Space(Kb) Used Space(Kb) Type SEs
| |
− | ----------------------------------------------------------
| |
− | 12078 108 n.a srm.grid.rug.nl
| |
− | 12078 108 n.a srm.grid.rug.nl
| |
− | 730582644 681194097 n.a gb-se-amc.amc.nl
| |
− | 8226695519985 23304480014 n.a srm.grid.sara.nl
| |
− | 605355546 806421195 n.a gb-se-nki.els.sara.nl
| |
− | 6575746866 20920246 n.a carme.htc.biggrid.nl
| |
− | 152913518 115521938 n.a se.grid.rug.nl
| |
− | 248345185 1166074827 n.a gb-se-ams.els.sara.nl
| |
− | 355230761 1056545980 n.a gb-se-uu.science.uu.nl
| |
− | 1266740857 145035883 n.a gb-se-wur.els.sara.nl
| |
− | 337812899 1076607113 n.a gb-se-kun.els.sara.nl
| |
− | 2195706454 3048365 n.a tbn18.nikhef.nl
| |
− | 771834491 620488567 n.a gb-se-lumc.lumc.nl
| |
− | | |
− | '''Note''' the current version of the <tt>lcg-infosites</tt> command does not use your grid proxy at all !
| |
− | | |
− | You can then use the <tt>srmls</tt> command to figure out how the storage is organized:
| |
− | $ srmls srm://srm.grid.sara.nl
| |
− | 512 //
| |
− | [SNIP]
| |
− | 4096 //pnfs/
| |
− | [SNIP]
| |
− | This listing tells us that this storage system uses a PNFS file system, which means that we're talking to a dCache SRM. Subsequent <tt>srmls</tt> commands then give us:
| |
− | $ srmls srm://srm.grid.sara.nl/pnfs/
| |
− | 512 /pnfs//
| |
− | 512 /pnfs//grid.sara.nl/
| |
− | [SNIP]
| |
− |
| |
− | $ srmls srm://srm.grid.sara.nl/pnfs/grid.sara.nl
| |
− | 512 /pnfs/grid.sara.nl/
| |
− | 512 /pnfs/grid.sara.nl/disk/
| |
− | 512 /pnfs/grid.sara.nl/tapetests/
| |
− | 512 /pnfs/grid.sara.nl/data/
| |
− | 512 /pnfs/grid.sara.nl/disktests/
| |
− |
| |
− | $ srmls srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data
| |
− | 0 /pnfs/grid.sara.nl/data/
| |
− | [SNIP}
| |
− | 512 /pnfs/grid.sara.nl/data/pvier/
| |
− | 512 /pnfs/grid.sara.nl/data/vlemed/
| |
− | | |
− | Hey, we are at the VO level now. Here I've listed the two VOs which will be used throughout this page.
| |
− | | |
− | == Creating your own directory in SRM-space ==
| |
− | | |
− | Before we copy a file to the dCache SRM we first create our own directory. If we do not do this then SRM will
| |
− | store the files in <tt>generated</tt> directories, over which we have little or no control.
| |
− | srmmkdir srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust/
| |
− | The URL for this directory will be used throughout the rest of this page, hence we abbreviate it to
| |
− | SRM=srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust
| |
− | | |
− | == Copying and registering your file ==
| |
− | | |
− | Next we will copy a file to our SRM directory and register it in the LFC in one go:
| |
− | lcg-cr -d $SRM/myfile -l lfn:/grid/pvier/janjust/myfile file://$PWD/myfile
| |
− | which, if successful, returns the LFC GUID for the file
| |
− | guid:6b4c060f-cd95-4360-9e1b-a29d023d49b8
| |
− | | |
− | (For details on how to find out how the LFC directory space is organized see below)
| |
− | | |
− | == Looking at the permissions ==
| |
− | | |
− | For a file that is copied to SRM and that is registered in the LFC there are 2 sets of permissions:
| |
− | # SRM-level
| |
− | # LFC-level
| |
− | These permissions are '''not''' directly related to each other and need to be modified separately.
| |
− | In this section we explain how to modify the SRM-level permissions. The LFC-level permissions are explained below.
| |
− | $ srm-get-permissions $SRM/myfile
| |
− | # file : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/janjust/myfile
| |
− | # owner : 18010
| |
− | owner:18010:RW
| |
− | user:18010:RW
| |
− | group:1276:R
| |
− | other:R
| |
− | | |
− | Just for the fun of it, let's list a file which we did not create ourselves:
| |
− | $ srm-get-permissions srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/ronstestdir3
| |
− | # file : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/pvier/ronstestdir3
| |
− | # owner : 18010
| |
− | owner:18010:RWX
| |
− | user:18010:RWX
| |
− | group:1276:NONE
| |
− | other:NONE
| |
− | | |
− | Wait a second... that file has '''exactly''' the same user (18010) and group (1276) !
| |
− | | |
− | Now let's check a directory that we created using a different VOMS proxy, this time one for VO <tt>vlemed</tt>:
| |
− | | |
− | $ srm-get-permissions srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/vlemed/janjust
| |
− | # file : srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/vlemed/janjust
| |
− | # owner : 18002
| |
− | owner:18002:RWX
| |
− | user:18002:RWX
| |
− | group:1276:NONE
| |
− | other:NONE
| |
− | | |
− | This time the user is different (18002) but the group is still 1276 !
| |
− | We will have to keep this in mind when we want to limit access to our files.
| |
− | | |
− | == Modifying the permissions ==
| |
− | | |
− | * SRM : srm-set-permissions
| |
− | | |
− | == Verifying access control ==
| |
− | | |
− | * SRM : srm-get-permissions
| |
− | * Try to access the file as another user
| |
− | | |
− | = DPM =
| |
− | | |
− | == Creating your own directory in DPM-space ==
| |
− | | |
− | srmmkdir .... ??
| |
− | dpns-mkdir
| |
− | | |
− | == Copying and registering your file ==
| |
− | | |
− | lcg-cr ....
| |
− | | |
− | == Looking at the permissions ==
| |
− | | |
− | * SRM : srm-get-permissions is broken | |
− | ** dpns-getacl
| |
− | | |
− | == Modifying the permissions ==
| |
− | | |
− | * SRM : dpns-setacl
| |
− | | |
− | == Verifying access control ==
| |
− | | |
− | * SRM
| |
− | * Try to access the file as another user
| |
− | | |
− | = LFC =
| |
− | | |
− | == Copying and registering your file ==
| |
− | | |
− | * lcg-cr .... with full path
| |
− | * lcg-cr .... with generated path
| |
− | | |
− | == Looking at the permissions ==
| |
− | | |
− | * lfc-getacl
| |
− | * lfc-la
| |
− | * lfc-lg
| |
− | * lfc-lr
| |
− | * lfc-ls
| |
− | * lcg-gt
| |
− | | |
− | == Modifying the permissions ==
| |
− | | |
− | * lfc-setacl
| |
− | | |
− | == Verifying access control ==
| |
− | | |
− | * lfc-getacl
| |
− | * lfc-la
| |
− | * lfc-lg
| |
− | * lfc-lr
| |
− | * lfc-ls
| |
− | * Try to access the file as another user
| |
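Review bot: the removed dCache walkthrough carries the one substantive access-control finding on this page, and it needs to survive the move to the linked subpages: the srm-get-permissions listings show the same group id 1276 on an object created by another user in the same VO (ronstestdir3, owner 18010) and on a directory created under a different VO (vlemed/janjust, owner 18002), so the default ACL on myfile (group:1276:R, other:R) grants read access well beyond the creating user, and the text's own caveat ("We will have to keep this in mind when we want to limit access to our files") together with the srm-set-permissions pointer should sit next to that observation on the dCache subpage. Two smaller points on the removed text: the note that lcg-infosites does not consult the grid proxy at all is worth keeping, because it means the SE listing is not an authorization check, and the "[SNIP}" with the mismatched brace should not be carried over. The DPM and LFC sections being removed are still placeholders ("srmmkdir .... ??", "srm-get-permissions is broken", "lcg-cr ...."), so the new "Access control for DPM storage elements" and "Access control for the LFC" links should point at pages with actual content rather than at these stubs.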