ACLs in Light Weight Disk Pool Manager
Jean-Philippe Baud
MiddleWare Security Group Meeting, 8 March 2006
Architecture (diagram; the boxes of the original figure):
• Grid Client: SRM Client, Gridftp Client, RFIO Client
• Disk Pool Manager (SRM Server): SRM Daemon, DPM Daemon, Request Daemon, DPM Database
• Name Server: NS Daemon, NS Database
• Data Server: Gridftp Server, RFIO Daemon, Disk System
DPM File Catalog Schema
• LFN acts as main key in the database. Has:
  • Unique Identifier (GUID)
  • Information on physical replicas
  • Symbolic links to it
  • A small amount (one field) of user attached metadata
Schema diagram: File Metadata holds the Logical File Name (LFN), the GUID, System Metadata (Ownership, Size, Checksum, ACL) and User Metadata (User Defined Metadata); File Replica holds StorageFileName and StorageHost; Symlinks hold LinkName.
Relationships in the Catalog (diagram):
• LFN /dpm/cern.ch/home/dteam/dir1/dir2/file1.root, with GUID Xxxxxx-xxxx-xxx-xxx-
• Symlinks to it: /dpm/cern.ch/home/dteam/mydir/mylink, /grid/dteam/mydir/mylink
• Replicas: gsiftp://host.example.com/foo/bar and srm://host.example.com/foo/bar, on host.example.com
• System Metadata: "size" => 10234, "cksum_type" => "MD5", "cksum" => "yy-yy-yy"
DPNS System metadata

```sql
CREATE TABLE Cns_file_metadata (
  fileid        NUMBER,
  parent_fileid NUMBER,
  guid          CHAR(36),
  name          VARCHAR2(231),
  filemode      NUMBER(6),
  nlink         NUMBER(6),
  owner_uid     NUMBER(6),
  gid           NUMBER(6),
  filesize      NUMBER,
  atime         NUMBER(10),
  mtime         NUMBER(10),
  ctime         NUMBER(10),
  fileclass     NUMBER(5),
  status        CHAR(1),
  csumtype      VARCHAR2(2),
  csumvalue     VARCHAR2(32),
  acl           VARCHAR2(3900));
```
DPNS replica metadata

```sql
CREATE TABLE Cns_file_replica (
  fileid     NUMBER,
  nbaccesses NUMBER,
  atime      NUMBER(10),
  ptime      NUMBER(10),
  status     CHAR(1),
  f_type     CHAR(1),
  poolname   VARCHAR2(15),
  host       VARCHAR2(63),
  fs         VARCHAR2(79),
  sfn        VARCHAR2(1103));
```
DPNS mapping tables

```sql
CREATE TABLE Cns_groupinfo (
  gid       NUMBER(10),
  groupname VARCHAR2(255));

CREATE TABLE Cns_userinfo (
  userid   NUMBER(10),
  username VARCHAR2(255));
```
Virtual IDs and VOMS integration
• DNs are mapped to virtual UIDs: the virtual uid is created on the fly the first time the system receives a request for this DN (no pool account)
• VOMS roles are mapped to virtual GIDs
• A given user may have one DN and several roles, so a given user may be mapped to one UID and several GIDs
• Currently only the primary role is used in LFC/DPM
• Support for normal proxies and VOMS proxies
• Administrative tools are available to update the DB mapping table:
  • To create VO groups in advance
  • To keep the same uid when a DN changes
  • To get the same uid for a DN and a Kerberos principal
Access Control Lists
• LFC and DPM support POSIX ACLs based on virtual IDs
• Access Control Lists on files and directories
• Default Access Control Lists on directories: they are inherited by the sub-directories and files created under the directory
• Example

```
dpns-mkdir /dpm/cern.ch/home/dteam/jpb
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/cern.ch/home/dteam/jpb
dpns-getacl /dpm/cern.ch/home/dteam/jpb
# file: /dpm/cern.ch/home/dteam/jpb
# owner: /C=CH/O=CERN/OU=GRID/CN=Jean-Philippe Baud 7183
# group: dteam
user::rwx
group::r-x          #effective:r-x
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x
```
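To make the two preceding slides concrete, here is an added example (not DPM or LFC code, and not the author's): a small Python model of the virtual-ID mapping and of the POSIX.1e access check with default-ACL inheritance. It replays the dpns-mkdir / dpns-setacl commands above, then adds a sub-directory created by the owner and a named-user entry limited by a mask. The dictionary names mirror Cns_userinfo and Cns_groupinfo from the schema slides; the second and third DNs, the "atlas" group, the creation modes (0755 and 0775) and the ID ranges are assumptions made for the demonstration.

```python
# Added example, not DPM/LFC code: a toy model of DPNS virtual IDs and POSIX.1e ACLs.
# Cns_userinfo/Cns_groupinfo follow the page's schema; the extra DNs, the creation
# modes and the ID ranges are assumptions made for the demonstration.
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits of one octal mode digit

class VirtualIdMap:
    """In-memory stand-in for the Cns_userinfo / Cns_groupinfo mapping tables."""
    def __init__(self, first_uid=100, first_gid=100):
        self.userinfo, self.groupinfo = {}, {}  # DN -> uid, VO/VOMS role -> gid
        self._next_uid, self._next_gid = first_uid, first_gid
    def uid_for(self, dn):
        """Virtual uid for a DN, minted when the DN is first seen (no pool account)."""
        if dn not in self.userinfo:
            self.userinfo[dn], self._next_uid = self._next_uid, self._next_uid + 1
        return self.userinfo[dn]
    def gid_for(self, role):
        """Virtual gid for a VO or VOMS role, minted the same way."""
        if role not in self.groupinfo:
            self.groupinfo[role], self._next_gid = self._next_gid, self._next_gid + 1
        return self.groupinfo[role]

def parse_acl(spec):
    """dpns-setacl text with octal perms ('u::7,g::5,u:101:6,m::5,d:u::7,d:o:5') ->
    (access, default) lists of (tag u/g/o/m, qualifier uid/gid or None, perms)."""
    access, default = [], []
    for item in spec.split(","):
        fields, target = item.split(":"), access
        if fields[0] == "d":                          # 'd:' prefix selects the default ACL
            target, fields = default, fields[1:]
        qual = fields[1] if len(fields) == 3 else ""  # 'o:5' carries no qualifier slot
        target.append((fields[0], int(qual) if qual else None, int(fields[-1]) & 7))
    return access, default

def allowed(acl, owner_uid, owner_gid, uid, gids, want):
    """POSIX.1e check: owner, then named user, then owning/named groups, then other;
    named-user and group entries are cut down by the mask (m::) when one exists."""
    mask = next((p for t, _, p in acl if t == "m"), 7)
    lookup = {(t, q): p for t, q, p in acl}
    if uid == owner_uid:
        return lookup[("u", None)] & want == want
    if ("u", uid) in lookup:
        return lookup[("u", uid)] & mask & want == want
    groups = [p for t, q, p in acl if t == "g" and ((q is None and owner_gid in gids) or q in gids)]
    if groups:  # a group matched: grant only if one of them grants, never fall back to 'other'
        return any(p & mask & want == want for p in groups)
    return lookup[("o", None)] & want == want

@dataclass
class Node:
    owner_uid: int
    gid: int
    access: list
    default: list = field(default_factory=list)  # only directories carry one

def create_child(parent, owner_uid, gid, mode, is_dir):
    """New entry under `parent`: the parent's default ACL becomes the child's access ACL
    (u::, g::/m::, o:: ANDed with the creation mode, as POSIX.1e specifies) and a
    sub-directory also keeps it as its own default ACL."""
    u, g, o = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    if not parent.default:
        return Node(owner_uid, gid, [("u", None, u), ("g", None, g), ("o", None, o)])
    has_mask = any(t == "m" for t, _, _ in parent.default)
    access = []
    for tag, qual, perms in parent.default:
        if tag == "u" and qual is None:
            perms &= u
        elif tag == "m" or (tag == "g" and qual is None and not has_mask):
            perms &= g
        elif tag == "o":
            perms &= o
        access.append((tag, qual, perms))
    return Node(owner_uid, gid, access, list(parent.default) if is_dir else [])

def slide_scenario():
    """Replay the slide's commands, add a sub-directory and a masked entry, return the decisions."""
    ids = VirtualIdMap()
    jpb = ids.uid_for("/C=CH/O=CERN/OU=GRID/CN=Jean-Philippe Baud 7183")
    dteam = ids.gid_for("dteam")
    colleague = ids.uid_for("/C=CH/O=CERN/OU=GRID/CN=Example Colleague 4242")  # constructed DN
    outsider = ids.uid_for("/C=CH/O=CERN/OU=GRID/CN=Example Outsider 1")        # constructed DN
    atlas = ids.gid_for("atlas")
    # dpns-mkdir /dpm/cern.ch/home/dteam/jpb (mode 0755 assumed), then
    # dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/cern.ch/home/dteam/jpb
    jpb_dir = Node(jpb, dteam, parse_acl("u::7,g::5,o:5")[0], parse_acl("d:u::7,d:g::7,d:o:5")[1])
    sub = create_child(jpb_dir, jpb, dteam, 0o775, is_dir=True)  # owner's mkdir, mode 0775 assumed
    masked = Node(jpb, dteam, parse_acl(f"u::7,u:{colleague}:7,g::5,m::5,o:5")[0])  # #effective:r-x
    return {
        "same_dn_same_uid": ids.uid_for("/C=CH/O=CERN/OU=GRID/CN=Jean-Philippe Baud 7183") == jpb,
        "colleague_writes_jpb": allowed(jpb_dir.access, jpb, dteam, colleague, {dteam}, W),
        "colleague_writes_sub": allowed(sub.access, jpb, dteam, colleague, {dteam}, W),
        "sub_keeps_default": sub.default == jpb_dir.default,
        "outsider_lists_sub": allowed(sub.access, jpb, dteam, outsider, {atlas}, R | X),
        "masked_user_writes": allowed(masked.access, jpb, dteam, colleague, {dteam}, W),
        "masked_user_reads": allowed(masked.access, jpb, dteam, colleague, {dteam}, R),
    }
```

The scenario shows why the default ACL matters on the slide: the dteam group has only r-x on /dpm/cern.ch/home/dteam/jpb itself, so another dteam member cannot create entries there, but anything the owner creates underneath inherits default:group::rwx and becomes group-writable. The masked case reproduces the "#effective" annotation of dpns-getacl: a named user granted rwx is still cut to r-x by a mask of 5. Real DPM also consults the Cns_file_metadata filemode and acl columns through the DPNS daemon; this model only reproduces the decision logic.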
Support
• First level support
  • support@ggus.org
• Second level support
  • hep-service-dpm@cern.ch
  • hep-service-lfc@cern.ch
• https://twiki.cern.ch/twiki/bin/view/LCG/DataManagementDocumentation
  • Admin guides
  • Troubleshooting