Last modified on 07/02/10 12:16:40

Tape System Protection with extended functionality

1. Description

Starting from release 1.9.5-20, dCache provides extended functionality for Tape Protection (the previous version can be found here).
As the number of users grows, the frequency of staging requests is likely to increase, which may overload the tape storage system. To prevent such overloading, the Tape Protection mechanism restricts which users may read from tape. In addition, it is possible to specify exactly which storage unit files may be staged from.

2. Administrator manual

The Tape Protection mechanism can be activated only by the administrator. The administrator has to decide which users are allowed to stage files (that is, to read a file from dCache when the file is currently not on disk but only on tape).
There are two steps to activate Tape Protection:

  1. Create a file named StageConfiguration.conf in the /opt/d-cache/config directory and list in it all DNs and FQANs that identify the users who are allowed to stage files.

Extended functionality allows the administrator to specify the Storage Group of the object to be staged, that is, to specify exactly the storage from which files are allowed to be staged.

  2. In the setup file /opt/d-cache/config/dCacheSetup, uncomment the following line:

stageConfigurationFilePath=${ourHomeDir}/config/StageConfiguration.conf

The file StageConfiguration.conf contains a list of entries, each consisting of the user's

  • Distinguished Name (DN),
  • Fully Qualified Attribute Name (FQAN) (optional), and
  • Storage Group of the file to be staged (StorageGroup) (optional),

written in the following way:

"<DN>" ["<FQAN>" ["<StorageGroup>"]]

All parameters are space separated.

A comment line begins with the symbol '#'.

Patterns may be used when writing the DN, FQAN and StorageGroup.

The following is an example of a StageConfiguration.conf configuration file:

#List of DNs,FQANs whose owners are allowed to stage files
#stored in StorageGroup
#"<DN>" ["<FQAN>" ["<StorageGroup>"]]
"/C=DE/O=DESY/CN=Kermit the frog" "/sample"
"/O=GermanGrid/.*" "/sample/Role=production"
".*" "/atlas/Role=.*"
"/DC=org/DC=anotherExample/CN=test" "/sample/Role=production" "sql:chimera@osm"

Some special cases:

  1. If only two parameters are specified, they are expected to be in the order "<DN>" "<FQAN>". If you want to specify only the DN and StorageGroup, use a wildcard for the FQAN:

"/DC=org/DC=anotherExample/CN=test" ".*" "sql:chimera@osm"

2a. Release 1.9.5-x.
To allow DCAP users to stage files, write "Unknown" in place of "<DN>" and "nobody" in place of "<FQAN>".
The following line in StageConfiguration.conf will allow all DCAP users to stage files:

"Unknown" "nobody"

This line in StageConfiguration.conf will allow all DCAP users to stage files located in the Storage Group h1:raw@osm :

"Unknown" "nobody" "h1:raw@osm"

If the file StageConfiguration.conf does not contain such lines, then DCAP users will not be allowed to stage files.

2b. Release 1.9.9-x.
To allow DCAP users to stage files, write "" in place of both "<DN>" and "<FQAN>".
The following line in StageConfiguration.conf will allow all DCAP users to stage files:

"" ""

The following line in StageConfiguration.conf will allow all DCAP users to stage files located in the Storage Group h1:raw@osm :

"" "" "h1:raw@osm"

If the file StageConfiguration.conf does not contain such lines, then DCAP users will not be allowed to stage files.

Please remember:

  • Tape Protection is activated if the file dCacheSetup contains the line
    stageConfigurationFilePath=${ourHomeDir}/config/StageConfiguration.conf

    which provides the path to the StageConfiguration.conf file.
  • Once Tape Protection is activated, staging files is allowed ONLY for the DNs/FQANs/StorageGroups specified in the configuration file StageConfiguration.conf.
  • By default, Tape Protection is not activated (the parameter stageConfigurationFilePath in dCacheSetup.template is commented out).
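
An added example (not part of the original wiki page and not dCache code): a small Python checker that parses StageConfiguration.conf in the format described above and reports whether a given DN/FQAN/StorageGroup combination would be permitted to stage, plus an audit helper for entries that admit every user. It assumes that patterns are regular expressions matched against the whole value and that an omitted optional field matches anything; the function names and the probe value are hypothetical, and the sample file is constructed from entries shown on this page.

```python
import re
import shlex

# Constructed sample assembled from entries shown on this page.
SAMPLE_CONF = '''\
#"<DN>" ["<FQAN>" ["<StorageGroup>"]]
"/C=DE/O=DESY/CN=Kermit the frog" "/sample"
"/O=GermanGrid/.*" "/sample/Role=production"
"/DC=org/DC=anotherExample/CN=test" ".*" "sql:chimera@osm"
"" "" "h1:raw@osm"
'''

def parse_stage_conf(text):
    """Return a list of (dn, fqan, storage_group) pattern tuples."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = shlex.split(line)  # quoted, space-separated parameters
        if not 1 <= len(fields) <= 3:
            raise ValueError(f"line {lineno}: expected 1 to 3 fields, got {len(fields)}")
        # Assumption: an omitted optional field places no restriction.
        fields += [".*"] * (3 - len(fields))
        rules.append(tuple(fields))
    return rules

def staging_allowed(rules, dn, fqan, storage_group):
    """True if at least one rule matches all three values in full.

    Assumption: whole-value regex matching. DCAP users are modelled with
    empty DN and FQAN, following the 1.9.9-x convention on this page.
    """
    return any(
        re.fullmatch(p_dn, dn) and re.fullmatch(p_fqan, fqan)
        and re.fullmatch(p_sg, storage_group)
        for p_dn, p_fqan, p_sg in rules
    )

def overly_broad(rules):
    """Audit helper: rules whose DN and FQAN patterns accept an arbitrary value."""
    probe = "/constructed/probe-value"  # hypothetical value no real entry names
    return [r for r in rules if re.fullmatch(r[0], probe) and re.fullmatch(r[1], probe)]

if __name__ == "__main__":
    rules = parse_stage_conf(SAMPLE_CONF)
    print(staging_allowed(rules, "", "", "h1:raw@osm"))
    print(overly_broad(rules))
```

Running overly_broad over a production file before activating Tape Protection is a quick way to spot entries that defeat the restriction.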

3. List of possible error messages

1) If Tape Protection is activated but the user's DN/FQAN does not match any line in StageConfiguration.conf, the user has no permission to stage files and gets the following error when trying to read a file from tape:

$ globus-url-copy gsiftp://hal9000/pnfs/sample.org/data/TestFile file://///home/user/TestFile
error: globus_ftp_client: the server responded with an error
451 Operation failed: File not online. Staging not allowed.

2) If Tape Protection is activated but the file StageConfiguration.conf does not exist at the specified path, the following error occurs:

$ globus-url-copy gsiftp://hal9000/pnfs/sample.org/data/TestFile  file://///home/user/TestFile
error: globus_ftp_client: the server responded with an error
451 Operation failed: Tape Protection is activated, but configuration file does not exist : 
/opt/d-cache/config/StageConfiguration.conf

3) The same case as in 1), for the lcg-bringonline command:

[ui_user@hal9000 ~]$ lcg-bringonline -b -v -T srmv2 srm://hal9000.dcache.org:8443//srm/managerv2?SFN=pnfs/dcache.org/data/dirTest/fileTest
SE type: SRMv2
SRM Request Token: -2147446642
srm://hal9000.dcache.org:8443//srm/managerv2?SFN=pnfs/dcache.org/data/dirTest/fileTest: [SE][StatusOfBringOnlineRequest][SRM_FAILURE] FAILED:  at Mon Oct 19 12:12:24 CEST 2009 state Failed : Failed to pin file [rc=1,msg=Pinning failed: finding read pool failed]
[ui_user@hal9000 ~]$ 


Last Modified by Irina @ Wed Sep 19 17:08:46 2018