Last modified 12 years ago Last modified on 08/12/09 11:57:03

ACLs with PNFS in dCache

ACLs with PNFS in dCache

1. Requirements

  1. dCache version >= 1.9.3
  2. JDK >= 1.5.0
  3. JDBC interface to RDBMS (tested with Postgres 8.x, Oracle 10g and DB2 v9.1)
  4. ant (optional)

2. Configuration

First, create the 'aclpnfs' database as follows:

$ createdb aclpnfs
$ psql aclpnfs < /opt/d-cache/libexec/chimera/sql/create-dCacheACL.sql

Second, the ACL-variable aclConnUrl have to be correspondingly configured in the "ACL Configuration" section in /opt/d-cache/config/dCacheSetup :


Substitute the database name chimera with the current name of the ACL-database aclpnfs and leave this line uncommented. This has to be done in dCacheSetup on all doors, not just the node containing the database.
Also, when updating dCacheSetup on all doors, you have to substitute localhost with the name of the node hosting the database aclpnfs.

Third, choose one of the following ACLs configuration cases.
By default (without any additional ACLs configuration) dCache uses the UNIX permissions check. To enable ACLs, the permissionHandler variable in the "ACL Configuration" section in /opt/d-cache/config/dCacheSetup has to be configured (see Cases 2 and 3 below). The default case is to use UNIX permissions (see Case 1 below).

Configuration cases:

  1. Only UNIX permissions are used:
  2. Only ACL permissions are used:
  3. ACL permissions are used first. If ACLs do not state whether an operation is allowed or denied then UNIX permissions are used:,

3. ACL table

The database 'aclpnfs' contains only one table: t_acl. Below we provide an example and explain the meaning of the fields:

# select * from t_acl where rs_id='000100000000000000824D78';

rs_id rs_typetypeflagsaccess_mskwhowho_id ace_order
000100000000000000824D78 1 1 0 131072 0 1000 0
000100000000000000824D78 1 0 0 128 0 1000 1
000100000000000000824D78 1 0 0 35 0 1000 2

Table t_acl:

  1. rs_id: Resource ID.
  1. rs_type: Resource type. 0 - DIR, 1 - FILE.
  1. type: Type of ACE. 0 - ALLOW, 1 - DENY.
  1. Attention! When using ACLs with PNFS, the ACE flags are not supported, that is,

there is no inheritance of ACEs on the newly created objects (files or directories). The newly created object will have no ACL set to it. A dCache system administrator has to manually set ACLs on the newly created objects.

  1. access_msk: Supported access permissions, see access_msk.
  1. who: The subject, see who.
  1. who_id: Virtual user or group ID.
  1. ace_order: Defines position of ACE within ACL.

Information on how to set and get ACLs can be found in the 'ACL Administration' section.

Information on how to configure ACL and UNIX permissions can be found in the 'How does it work together: ACL and UNIX permissions' section.

Go to ACLs with Chimera in dCache
Back to dCache Home
Back to dCache Components

Last Modified by Irina @ Sun Mar 7 00:30:46 2021