wiki:developers-meeting-20080829
Last modified on 09/02/08 11:38:36

dCache Deployment Phone Meeting, Aug 29, 2008

Participants:

  • CERN : Flavia, Simone, Stephano
  • In2P3 : Lionel, Jonathan
  • Spain : PIC : Paco, Madrid : Pablo
  • gridKa : Artem
  • Sara : Mark
  • NDGF : Gerd
  • Munich : Christoph
  • DESY : Yves
  • dCache : Paul, Timur, Gerd and Patrick

Preliminary information

Space Token ACLs

Currently dCache doesn't support any kind of real access control on space tokens. Roles/Groups, which can be assigned to tokens in the current releases, are not checked except in the following case:

  • If NO 'Space Token Description' is specified in an srm-get-space-tokens command, only those token ids are returned where the Role/Group proxy extensions match the Role/Group assigned to the token.

Moreover:

  • If a 'Space Token Description' is specified in the srm-get-space-tokens command, all space tokens belonging to this 'Space Token Description' are returned and NO VO/Role/Group check is performed.
  • No access control checks on 'Space Tokens' are performed for a write operation. Whoever knows the space token id may use the token for writing, provided the file system permissions allow such access.
  • However: permissions are always checked at the file system level.

File System Permission

Currently, dCache provides the gPlazma service to map proxy information (DN/FQAN) to uids and gids. Please find details in the gPlazma chapter of The Book. Those uid/gid pairs are checked against the file's uid/gid and unix permissions to gain access to dCache. uid/gid and permissions are treated in the regular 'unix' way, except that dCache doesn't support secondary groups: only the single primary gid produced by the mapping takes part in the check.
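The following is an added illustration, not dCache or gPlazma code: a small model of the unix-style check described above, assuming gPlazma has already mapped a proxy to one uid/gid pair. The FQAN-to-uid mapping, the directory ownership and the group ids are all constructed for the example. The `honour_secondary` switch is only there to show the practical consequence of the missing secondary-group support: an identity that would have group rights on an ordinary Unix host through a secondary group gets the 'other' bits in dCache.

```python
# Added example (not dCache's own implementation) of the uid/gid + mode
# check described in the meeting notes. gPlazma is assumed to have mapped
# the proxy (DN/FQAN) to exactly one uid and one primary gid.
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits

@dataclass(frozen=True)
class Entry:
    """A file or directory as seen by the name space (constructed)."""
    owner_uid: int
    owner_gid: int
    mode: int  # e.g. 0o775

@dataclass(frozen=True)
class Identity:
    """Result of the gPlazma mapping plus, for comparison, secondary gids
    that a regular Unix host would know about but dCache ignores."""
    uid: int
    gid: int
    secondary_gids: frozenset = frozenset()

def unix_access(entry, ident, want, honour_secondary=False):
    """True if ident holds every bit in `want` on `entry`.
    honour_secondary=False models dCache 1.8.x (primary gid only);
    honour_secondary=True models a regular Unix permission check."""
    if ident.uid == entry.owner_uid:
        bits = (entry.mode >> 6) & 7
    elif ident.gid == entry.owner_gid or (
        honour_secondary and entry.owner_gid in ident.secondary_gids
    ):
        bits = (entry.mode >> 3) & 7
    else:
        bits = entry.mode & 7
    return bits & want == want

# Constructed gPlazma-style mapping: FQAN -> (uid, primary gid).
GPLAZMA_MAP = {
    "/atlas/Role=production": (1000, 1000),
    "/atlas/Role=NULL": (1001, 1001),
}

def identity_for(fqan, secondary=()):
    uid, gid = GPLAZMA_MAP[fqan]
    return Identity(uid, gid, frozenset(secondary))

if __name__ == "__main__":
    # Directory owned by the production account/group, group-writable.
    proddir = Entry(owner_uid=1000, owner_gid=1000, mode=0o775)
    prod = identity_for("/atlas/Role=production")
    user = identity_for("/atlas/Role=NULL", secondary={1000})
    print("production can write:", unix_access(proddir, prod, W))
    print("plain user, dCache rules:", unix_access(proddir, user, W))
    print("plain user, with secondary groups:",
          unix_access(proddir, user, W, honour_secondary=True))
```

The practical reading for site admins: a write that relies on group membership only works in dCache when the gid gPlazma assigns as the primary gid matches the directory's gid, so the mapping configuration, not the VO's group list, decides who can write where.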

Future of File System Permissions in dCache

With dCache 1.8.0-16, POSIX-like Access Control is available for file system accesses. This feature is independent of the file system engine (Pnfs or Chimera). The feature moves from the development phase to the testing phase on Sep 1. dCache.org is preparing a real-time video tutorial on 'ACLs in dCache'. Assuming that operations are running smoothly and the manpower situation within the dCache collaboration is stable, we expect the ACL system to be production-ready in Dec (2008).

Token access mapped to file system access permissions

Although in dCache the space token space is orthogonal to the file system name space, Space Tokens may be mapped to one or more file system sub-trees. (This feature shouldn't be mixed up with the fact that a Space Token ID can be assigned to a directory for implicit space reservation, used where the particular protocol doesn't support space tokens.) Mapping Space Tokens to sub-directories is done by creating a token within a dCache LinkGroup which contains Links that are themselves limited to a particular directory tree. The disadvantage of this approach is that not all tokens can be created in a single LinkGroup. This may produce unwanted fragmentation of the available storage space. This is especially an issue for small sites using a lot of space tokens with different directory sub-trees, and for NDGF, based on their special country-spanning approach. Sites should contact dCache.org if the space token to directory assignment is not clear or leads to problems.

dCache permission system and Atlas

The main reason for this phone meeting has been that the Atlas requirements for sites running an Atlas Storage Service had not been adapted to the access control limitations described above. This has been attributed to a communication problem between (W)LCG and Atlas. In order to be prepared for the upcoming challenges, LCG, Atlas and dCache agreed to find workarounds for problems arising from dCache limitations; e.g. Token Access Control may be achieved (to a certain degree) by mapping tokens to file system permissions as described above. All parties will follow up on this topic as soon as dCache file system ACLs reach production level. Help in field testing is highly appreciated by dCache.org.

Checking the Atlas dCache file system tree for Token Access Violations

In order to detect violations in the usage of particular reserved tokens, Atlas needs to get the entire dCache file system dumped regularly. This can either be done by using the well-known unix find command or, in a less intrusive way, by a tool dCache.org is providing in the short term. Please check for the tool and the documentation here.
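As an added example of what such a check can look like once a dump exists (this is not the dCache.org tool referred to above, and the dump format is an assumption made here): the script below takes a text listing with one `path<TAB>space-token-description` line per file, plus the token-to-subtree assignment that the site's LinkGroups and Links express, and reports files whose recorded token does not match the tree they live in. Paths, token names and the dump lines are all constructed for the example.

```python
# Added example, not dCache's own tool: scan a constructed file-system dump
# for files written with a space token outside the directory tree that the
# token's LinkGroup is restricted to. Assumed dump format: one line per file,
# "<absolute path>\t<space token description>" (empty description allowed).
import posixpath

# Constructed site configuration: each token description may only hold
# files below these sub-trees (mirrors the LinkGroup/Link restriction).
TOKEN_TREES = {
    "ATLASDATADISK": ("/pnfs/example.org/data/atlas/atlasdatadisk",),
    "ATLASMCDISK":   ("/pnfs/example.org/data/atlas/atlasmcdisk",),
    "ATLASPRODDISK": ("/pnfs/example.org/data/atlas/atlasproddisk",),
}

# Constructed dump (path <TAB> token description); lines 3-5 are the odd ones.
SAMPLE_DUMP = """\
/pnfs/example.org/data/atlas/atlasdatadisk/data08/f1.root\tATLASDATADISK
/pnfs/example.org/data/atlas/atlasmcdisk/mc08/f2.root\tATLASMCDISK
/pnfs/example.org/data/atlas/atlasmcdisk/mc08/f3.root\tATLASDATADISK
/pnfs/example.org/data/atlas/atlasproddisk/f4.root\tUNKNOWNTOKEN
/pnfs/example.org/data/atlas/atlasdatadisk/f5.root\t
"""

def parse_dump(text):
    """Yield (line number, normalised path, token description) per file."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        path, _, token = line.partition("\t")
        yield lineno, posixpath.normpath(path.strip()), token.strip()

def under_tree(path, tree):
    """True if path equals tree or lies below it (no prefix false positives:
    /a/bc is not under /a/b)."""
    tree = posixpath.normpath(tree)
    return path == tree or path.startswith(tree + "/")

def find_violations(text, token_trees=TOKEN_TREES):
    """Return a list of (lineno, path, token, reason) findings."""
    findings = []
    for lineno, path, token in parse_dump(text):
        if not token:
            findings.append((lineno, path, token, "no space token recorded"))
        elif token not in token_trees:
            findings.append((lineno, path, token, "unknown space token"))
        elif not any(under_tree(path, t) for t in token_trees[token]):
            findings.append((lineno, path, token,
                             "file outside the tree reserved for this token"))
    return findings

if __name__ == "__main__":
    for lineno, path, token, reason in find_violations(SAMPLE_DUMP):
        print(f"line {lineno}: {path} [{token or '-'}]: {reason}")
```

Files without a recorded token are reported separately rather than ignored, because files written via a protocol that does not carry a space token (the implicit per-directory reservation mentioned earlier) are exactly the ones an operator wants to see listed next to the real mismatches before deciding whether they are a problem.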


Last modified by Patrick @ Sat Feb 27 15:51:25 2021