Last modified on 10/20/09 12:30:53

Tape System Protection

1. Description

Starting with release 1.9.4, dCache supports Tape Protection, that is, restricting who may read from tape (Tape Read Access).
Before release 1.9.4, read access to tape was allowed for all users, so every user was able to retrieve large amounts of data from tape to disk pools.
As the number of users increases, the frequency of staging requests is likely to increase as well, which may overload the tape storage system. To prevent such overloading, the Tape Protection mechanism restricts which users may read from tape.

2. Administrator manual

The Tape Protection mechanism can be activated only by the administrator. The administrator has to decide which users are allowed to stage files (that is, to read a file from dCache when the file is currently not on disk but only on tape).
There are two steps to activate Tape Protection:

  1. Create a file named StageConfiguration.conf in the /opt/d-cache/config directory and list in it all DNs and FQANs that identify the users who are allowed to stage files.
  2. In the setup file /opt/d-cache/config/dCacheSetup, uncomment the following line:

stageConfigurationFilePath=${ourHomeDir}/config/StageConfiguration.conf

The file StageConfiguration.conf contains a list of users' Distinguished Names (DNs) and Fully Qualified Attribute Names (FQANs), written in this form:
"<DN>" ["<FQAN>"]
that is, each line contains one DN and may optionally contain one FQAN (space separated).
A comment line begins with the symbol '#'.
Patterns are used when writing DNs and FQANs. Example:
/atlas/Role=.*

Example of StageConfiguration.conf:

#List of DNs/FQANs whose owners are allowed to stage files
#"<DN>" ["<FQAN>"]
"/C=DE/O=DESY/CN=Kermit the frog" "/desy"
"/O=GermanGrid/.*" "/desy/Role=production"
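
A whitelist like this is worth linting before Tape Protection is switched on, because a malformed line silently changes who may stage. The Python sketch below is an added example, not dCache code: the function names are hypothetical, and it assumes whole-string regular-expression matching, that a DN-only line accepts any FQAN, and that typographic quotes (common after copy and paste) must be rejected.

```python
import re

# One rule per line: "<DN>" ["<FQAN>"], plain double quotes only.
LINE_RE = re.compile(r'^"([^"]*)"(?:\s+"([^"]*)")?$')
CURLY = "\u201c\u201d\u201e"  # typographic quotes that look like "

def parse_stage_config(text):
    """Return (rules, problems); a rule is (dn_regex, fqan_regex or None)."""
    rules, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if any(c in line for c in CURLY):
            problems.append((n, "typographic quote; use plain double quotes"))
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((n, 'expected "<DN>" ["<FQAN>"]'))
            continue
        try:
            dn = re.compile(m.group(1))
            fqan = re.compile(m.group(2)) if m.group(2) is not None else None
        except re.error as exc:
            problems.append((n, f"invalid pattern: {exc}"))
            continue
        rules.append((dn, fqan))
    return rules, problems

def may_stage(rules, dn, fqan=None):
    """Assumed semantics: full match; a DN-only rule accepts any FQAN."""
    for dn_re, fqan_re in rules:
        fqan_ok = fqan_re is None or (fqan is not None and fqan_re.fullmatch(fqan))
        if dn_re.fullmatch(dn) and fqan_ok:
            return True
    return False

# Constructed sample: line 3 ends with a typographic closing quote.
SAMPLE = '''#"<DN>" ["<FQAN>"]
"/C=DE/O=DESY/CN=Kermit the frog" "/desy"
"/O=GermanGrid/.*" "/desy/Role=production\u201d
"/O=GermanGrid/.*" "/atlas/Role=.*"
'''

if __name__ == "__main__":
    rules, problems = parse_stage_config(SAMPLE)
    for n, msg in problems:
        print(f"line {n}: {msg}")
    print(may_stage(rules, "/O=GermanGrid/OU=DESY/CN=Alice", "/atlas/Role=production"))
```

The DN "/O=GermanGrid/OU=DESY/CN=Alice" is a constructed test identity; run the check with the DNs and FQANs of users who must and must not be able to stage.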

Tape Protection is activated if the file dCacheSetup contains the line:
stageConfigurationFilePath=${ourHomeDir}/config/StageConfiguration.conf
providing the path to the StageConfiguration.conf file.

If Tape Protection is activated, only those users whose DNs/FQANs are listed in the file StageConfiguration.conf will be able to stage files.

By default, Tape Protection is not activated (the line stageConfigurationFilePath in dCacheSetup.template is commented out).

3. List of possible error messages

1) If Tape Protection is activated, but the user's DN/FQAN does not match any line in StageConfiguration.conf, then the user has no permission to stage files and will get the following error (when trying to read a file from tape):

$ globus-url-copy gsiftp://hal9000/pnfs/sample.org/data/TestFile file://///home/user/TestFile
error: globus_ftp_client: the server responded with an error
451 Operation failed: File not online. Staging not allowed.

2) If Tape Protection is activated, but the file StageConfiguration.conf does not exist at the specified path, then the following error occurs:

$ globus-url-copy gsiftp://hal9000/pnfs/sample.org/data/TestFile  file://///home/user/TestFile
error: globus_ftp_client: the server responded with an error
451 Operation failed: Tape Protection is activated, but configuration file does not exist : 
/opt/d-cache/config/StageConfiguration.conf

3) The same case as in 1) for the lcg-bringonline command:

[ui_user@hal9000 ~]$ lcg-bringonline -b -v -T srmv2 srm://hal9000.dcache.org:8443//srm/managerv2?SFN=pnfs/dcache.org/data/dirTest/fileTest
SE type: SRMv2
SRM Request Token: -2147446642
srm://hal9000.dcache.org:8443//srm/managerv2?SFN=pnfs/dcache.org/data/dirTest/fileTest: [SE][StatusOfBringOnlineRequest][SRM_FAILURE] FAILED:  at Mon Oct 19 12:12:24 CEST 2009 state Failed : Failed to pin file [rc=1,msg=Pinning failed: finding read pool failed]
[ui_user@hal9000 ~]$ 

Last Modified by Irina @ Sun Feb 25 18:15:33 2018