
ACLs and permission handlers

dCache provides support for ACLs by introducing the concept of a permission handler. A permission handler may be queried to determine if an end user is authorised for some file-based operation (namespace or data transfer). A permission handler will supply one of three decisions: allow, deny and defer.

dCache operates with a chain (or ordered list) of permission handlers. When determining if an end user is authorised for some operation the first permission handler in the chain is checked. If that permission handler decides that the operation should be allowed or denied for that end user then dCache will authorise or deny that user respectively. If the first permission handler defers then the next permission handler in the chain is queried.

If this second permission handler returns allow or deny then dCache will authorise or deny that user respectively. If the second permission handler also defers then dCache will continue down the chain and query the next permission handler. If the chain is exhausted then an always-deny policy is used (TODO: is this true?).

The UnixPermissionHandler is an example permission handler. It provides the standard Unix permission model and decides whether an end user is authorised based on file and directory ownership and group-ownership and the set of permissions. This permission handler will always come to a decision whether an end user is authorised or not, so will never return a defer decision. Therefore any permission handler placed in the chain after a UnixPermissionHandler is superfluous.

The ACLPermissionHandler is a permission handler that implements the NFS v4 ACL model. Users and groups of users may be authorised for different operations, independently of file and directory ownership. With these ACLs, how new files and directories inherit permissions is described explicitly. These aspects will be described in detail later on in this chapter.

By default dCache uses the UnixPermissionHandler. This provides backwards compatibility with older versions of dCache. To enable support for ACLs, the ACL configuration section in the dCacheSetup file must be configured as described in the section called “permissionHandler”.