
ACLs in Light Weight Disk Pool Manager

ACLs in Light Weight Disk Pool Manager. Jean-Philippe Baud, MiddleWare Security Group Meeting, 8 March 2006.


Presentation Transcript


  1. ACLs in Light Weight Disk Pool Manager. Jean-Philippe Baud, MiddleWare Security Group Meeting, 8 March 2006.

  2. SRM Server Architecture (diagram). Components shown: Grid Client (SRM Client, RFIO Client, Gridftp Client); Name Server (NS Daemon, NS Database); Disk Pool Manager (DPM Daemon, SRM Daemon, Request Daemon, DPM Database); Data Server (RFIO Daemon, Gridftp Server, Disk System). Footer: ACLs in DPM.

  3. DPM File Catalog Schema (diagram). Labels: File Metadata; User Metadata; Logical File Name (LFN); GUID; System Metadata (Ownership, Size, Checksum, ACL); User Defined Metadata; File Replica (StorageFileName, StorageHost); Symlinks (LinkName).
  • LFN acts as main key in Database. Has:
  • Unique Identifier (GUID)
  • Information on Physical Replicas
  • Symbolic Links to it
  • A small amount (one field) of user attached metadata

  4. Relationships in the Catalog (diagram).
  LFN: /dpm/cern.ch/home/dteam/dir1/dir2/file1.root
  GUID: Xxxxxx-xxxx-xxx-xxx-
  System Metadata: “size” => 10234, “cksum_type” => “MD5”, “cksum” => “yy-yy-yy”
  Symlinks: /dpm/cern.ch/home/dteam/mydir/mylink, /grid/dteam/mydir/mylink, /grid/dteam/mydir/mylink
  Replicas (SFN on host): gsiftp://host.example.com/foo/bar on host.example.com; srm://host.example.com/foo/bar on host.example.com (three replica boxes)

  5. DPNS System metadata
     CREATE TABLE Cns_file_metadata (
         fileid        NUMBER,
         parent_fileid NUMBER,
         guid          CHAR(36),
         name          VARCHAR2(231),
         filemode      NUMBER(6),
         nlink         NUMBER(6),
         owner_uid     NUMBER(6),
         gid           NUMBER(6),
         filesize      NUMBER,
         atime         NUMBER(10),
         mtime         NUMBER(10),
         ctime         NUMBER(10),
         fileclass     NUMBER(5),
         status        CHAR(1),
         csumtype      VARCHAR2(2),
         csumvalue     VARCHAR2(32),
         acl           VARCHAR2(3900));

  6. DPNS replica metadata
     CREATE TABLE Cns_file_replica (
         fileid     NUMBER,
         nbaccesses NUMBER,
         atime      NUMBER(10),
         ptime      NUMBER(10),
         status     CHAR(1),
         f_type     CHAR(1),
         poolname   VARCHAR2(15),
         host       VARCHAR2(63),
         fs         VARCHAR2(79),
         sfn        VARCHAR2(1103));

  7. DPNS mapping tables
     CREATE TABLE Cns_groupinfo (
         gid       NUMBER(10),
         groupname VARCHAR2(255));
     CREATE TABLE Cns_userinfo (
         userid   NUMBER(10),
         username VARCHAR2(255));

  8. Virtual Ids and VOMS integration
  • DNs are mapped to virtual UIDs: the virtual uid is created on the fly the first time the system receives a request for this DN (no pool account)
  • VOMS roles are mapped to virtual GIDs
  • A given user may have one DN and several roles, so a given user may be mapped to one UID and several GIDs
  • Currently only the primary role is used in LFC/DPM
  • Support for normal proxies and VOMS proxies
  • Administrative tools available to update the DB mapping table:
    • To create VO groups in advance
    • To keep same uid when DN changes
    • To get same uid for a DN and a Kerberos principal

  9. Access Control Lists
  • LFC and DPM support POSIX ACLs based on Virtual Ids
  • Access Control Lists on files and directories
  • Default Access Control Lists on directories: they are inherited by the sub-directories and files under the directory
  • Example:
      dpns-mkdir /dpm/cern.ch/home/dteam/jpb
      dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/cern.ch/home/dteam/jpb
      dpns-getacl /dpm/cern.ch/home/dteam/jpb
      # file: /dpm/cern.ch/home/dteam/jpb
      # owner: /C=CH/O=CERN/OU=GRID/CN=Jean-Philippe Baud 7183
      # group: dteam
      user::rwx
      group::r-x          #effective:r-x
      other::r-x
      default:user::rwx
      default:group::rwx
      default:other::r-x
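As an added example (not DPM or LFC code), the following Python models what slides 8 and 9 describe: virtual uid/gid assignment on the first request for a DN or VOMS role, the dpns-setacl entry syntax, inheritance of a directory's default ACL into new sub-directories and files, and the POSIX check that applies the mask to group entries. The id numbering, the 0755 mode for entries created under a directory without a default ACL, and the DNs and roles used are constructed assumptions.

```python
# Added example, not DPM/LFC code: a model of the ACL semantics on these slides.
# The virtual id numbering, the 0755 fallback mode and the DNs/roles are constructed.
UIDS, GIDS = {}, {}

def virtual_id(table, key, base):
    """Slide 8: a DN (uid) or VOMS role (gid) gets a virtual id on first use; no pool account."""
    return table.setdefault(key, base + len(table))

TAG = {"u": "user", "g": "group", "o": "other", "m": "mask"}

def parse_setacl(spec):
    """dpns-setacl syntax, e.g. 'd:u::7,d:g::7,d:o:5' -> [(is_default, tag, qualifier, bits)]."""
    out = []
    for item in spec.split(","):
        parts = item.split(":")
        is_default = parts[0] == "d"
        parts = parts[1:] if is_default else parts
        tag = TAG[parts[0]]
        qual, bits = ("", parts[1]) if tag in ("other", "mask") else (parts[1], parts[2])
        out.append((is_default, tag, qual, int(bits)))
    return out

class Entry:
    """A catalog entry: owner uid, gid, access ACL and (for directories) a default ACL."""
    def __init__(self, owner_uid, gid, mode=0o755):
        self.owner_uid, self.gid, self.default = owner_uid, gid, {}
        self.access = {("user", ""): mode >> 6 & 7, ("group", ""): mode >> 3 & 7, ("other", ""): mode & 7}

def setacl(entry, spec):
    """Like dpns-setacl -m: add or replace the listed access (or 'd:' default) entries."""
    for is_default, tag, qual, bits in parse_setacl(spec):
        (entry.default if is_default else entry.access)[(tag, qual)] = bits

def create_under(parent, owner_uid, gid, is_dir):
    """Slide 9: a new entry inherits the parent's default ACL as its access ACL; sub-directories also as default."""
    child = Entry(owner_uid, gid)
    if parent.default:
        child.access = dict(parent.default)
        child.default = dict(parent.default) if is_dir else {}
    return child

def allowed(entry, uid, gids, want):
    """POSIX ACL check: owner entry, then matching group entries (through the mask), then other."""
    acl, mask = entry.access, entry.access.get(("mask", ""), 7)
    if uid == entry.owner_uid:
        return acl[("user", "")] & want == want
    groups = [b for (t, q), b in acl.items() if t == "group" and (entry.gid in gids if q == "" else int(q) in gids)]
    if groups:
        return any(b & mask & want == want for b in groups)
    return acl[("other", "")] & want == want
```

Permission bits follow the slide's numeric form (7 = rwx, 5 = r-x); `gids` is a set because a user may map to several GIDs, although the slides note that only the primary role is currently used.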

  10. Support
  • First level support: support@ggus.org
  • Second level support: hep-service-dpm@cern.ch, hep-service-lfc@cern.ch
  • https://twiki.cern.ch/twiki/bin/view/LCG/DataManagementDocumentation
    • Admin guides
    • Troubleshooting
