dCache provides support for ACLs by introducing the concept of a permission handler. A permission handler may be queried to determine if an end user is authorised for some file-based operation (namespace or data transfer). A permission handler will supply one of three decisions: allow, deny and defer.
dCache operates with a chain (or ordered list) of permission handlers. When determining if an end user is authorised for some operation the first permission handler in the chain is checked. If that permission handler decides that the operation should be allowed or denied for that end user then dCache will authorise or deny that user respectively. If the first permission handler defers then the next permission handler in the chain is queried.
If this second permission handler returns allow or deny then dCache will authorise or deny that user respectively. If the second permission handler also defers then dCache will continue down the chain and query the next permission handler. If the chain is exhausted then an “always deny” policy is used (TODO: is this true?).
The UnixPermissionHandler is an example permission handler. It provides the standard Unix permission model and decides whether an end user is authorised based on file and directory ownership and group-ownership and the set of permissions. This permission handler will always come to a decision whether an end user is authorised or not, so will never return a defer decision. Therefore any permission handler placed in the chain after a UnixPermissionHandler is superfluous.
The ACLPermissionHandler is a permission handler that implements the NFS v4 ACL model. Users and groups of users may be authorised for different operations. This is independent of file and directory ownership. With these ACLs, the way new files and directories inherit permissions is described explicitly. These aspects will be described in detail later on in this chapter.
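The chain evaluation described above can be modelled in a few lines. This is an added example, not dCache code: the function names, the simplified first-match ACL check, the sample file and the handler ordering are all assumptions made for illustration, and the deny-on-exhaustion default follows the unconfirmed statement in the text.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    DEFER = "defer"

@dataclass(frozen=True)
class FileMeta:
    owner: str
    group: str
    mode: int          # Unix mode bits, e.g. 0o640
    aces: tuple = ()   # ordered (Decision, principal, operation) entries

BITS = {"read": 4, "write": 2, "execute": 1}

def unix_handler(user, groups, f, op):
    """Owner/group/other check: always reaches a decision, never defers."""
    shift = 6 if user == f.owner else 3 if f.group in groups else 0
    return Decision.ALLOW if (f.mode >> shift) & BITS[op] else Decision.DENY

def acl_handler(user, groups, f, op):
    """Simplified ACL check: first matching entry decides, otherwise defer."""
    for decision, principal, ace_op in f.aces:
        if ace_op == op and (principal == user or principal in groups):
            return decision
    return Decision.DEFER

def authorise(chain, user, groups, f, op):
    """Query handlers in order; return (decision, names of handlers consulted)."""
    consulted = []
    for handler in chain:
        consulted.append(handler.__name__)
        decision = handler(user, groups, f, op)
        if decision is not Decision.DEFER:
            return decision, consulted
    # Chain exhausted: deny (assumed default, per the text's unconfirmed note).
    return Decision.DENY, consulted

# Constructed sample: alice's file, with an ACL entry letting bob write to it.
REPORT = FileMeta("alice", "physics", 0o640, ((Decision.ALLOW, "bob", "write"),))
BOB = ("bob", {"guests"})

if __name__ == "__main__":
    for chain in ([acl_handler, unix_handler], [unix_handler, acl_handler]):
        for op in ("write", "read"):
            print([h.__name__ for h in chain], op, authorise(chain, *BOB, REPORT, op))
```

With the ACL model first, bob's write is allowed by the ACL entry and his read falls through to the Unix model; with the Unix model first, the ACL entry is never consulted and the write is denied.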
By default dCache uses the UnixPermissionHandler. This provides backwards compatibility with older versions of dCache. To enable support for ACLs, the ACL configuration section in the dCacheSetup file must be configured as described in the section called “permissionHandler”.