
storage-authzdb

In gPlazma, except for the dcache.kpwd plugin, authorization mapping is a two-step process. First, a username is obtained from a mapping of the user’s DN or DN and role, then a mapping of username to uid, gid, rootpath is performed. The storage-authzdb file is used for the second mapping.


Preparing storage-authzdb

The location of storage-authzdb is /etc/grid-security/storage-authzdb. The file must contain a line specifying the version of the storage-authzdb format.

version 2.1

The other lines in the file each contain eight fields: the string "authorize", followed by the username, read-write permission, uid, gid, and three paths.

authorize uscms01 read-write 60076 5063 / /pnfs/fnal.gov/resilient/uscms01 /

In the storage-authzdb file, there must be a line for each username to be authorized. The existence of three paths is for legacy purposes. The second path is the most important one; it is the path under which the user is allowed to access files. It is permissible to simply use a / for the second path.

authorize uscms01 read-write 60076 5063 / / /

in which case the user will be authorized for any path (the filesystem permissions in pnfs must also allow the transfer).

The first path is nearly always left as /, but it may be used as a home directory in interactive session, as a subdirectory of the second path. Upon login, the second path is used as the user’s root, and a cd is performed to the first path. The first path is always defined as being relative to the second path.

Starting with dCache 1.9, multiple gids can be assigned by using comma-separated values in the GID field, as in

authorize uscms01 read-write 60076 5063,5071,6843 / / /

The lines of the storage-authzdb file are similar to the login lines of the dcache.kpwd file. If you already have a dcache.kpwd file, create storage-authzdb by taking the lines from your dcache.kpwd file that start with the word "login", for example,

login uscms01 read-write 60076 5063 / /pnfs/fnal.gov/resilient/uscms01 /

and replacing the word login with authorize.


Support for the Priority Field in storage-authzdb

In the future, dCache services may support the use of priorities, to be assigned in storage-authzdb. To assign priorities in storage-authzdb, replace the stated version number with "2.2":

version 2.2

In the remainder of the file, the fourth field of each line is the priority, which is an integer. Otherwise the fields have the same definitions as in version 2.1.

authorize uscms01     read-write    2       60076 5063   / /pnfs/fnal.gov/resilient/uscms01 /
authorize cmssoft     read-write    0       60501 5502   / /pnfs/fnal.gov/reduction/cmssoft /

Under version 2.1 the default priority is 0; use this value in a version 2.2 file if the same behavior is desired. Interpretation of the priority value depends on the implementation of whichever dCache service uses it; however, the convention is that higher numerical values of the field result in higher priority. See the documentation of the specific service in question for details.

There are currently no dCache services which make use of the priority field.
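The following is an added example, not code from dCache or from this book: a small parser and validator for the storage-authzdb layout described above, covering both the version 2.1 format (eight fields) and the version 2.2 format with the priority as the fourth field, plus the comma-separated GID list, the root/home path relationship, and the dcache.kpwd "login" line conversion. All function and class names are hypothetical. It assumes blank lines are ignored, that usernames should not repeat, and that uid, gid and priority are decimal integers; the sample file contents are constructed from the lines shown on this page.

```python
"""Parser and sanity checks for dCache storage-authzdb files (added example)."""
import posixpath
from dataclasses import dataclass
from typing import List

ACCESS_VALUES = ("read-write", "read-only")


@dataclass
class AuthzEntry:
    username: str
    access: str        # "read-write" or "read-only"
    priority: int      # fourth field in version 2.2; 0 under version 2.1 (the documented default)
    uid: int
    gids: List[int]    # one or more gids, comma-separated in the file
    home: str          # first path: interactive home directory, relative to root
    root: str          # second path: the path under which the user may access files
    legacy: str        # third path: kept for legacy reasons


class AuthzDbError(ValueError):
    """Raised for a malformed storage-authzdb file."""


def parse_storage_authzdb(text: str) -> List[AuthzEntry]:
    # Keep original line numbers for error messages; blank lines are skipped (assumption).
    numbered = [(n, ln.strip()) for n, ln in enumerate(text.splitlines(), start=1) if ln.strip()]
    if not numbered:
        raise AuthzDbError("empty file")
    first_no, first = numbered[0]
    head = first.split()
    if len(head) != 2 or head[0] != "version" or head[1] not in ("2.1", "2.2"):
        raise AuthzDbError(f"line {first_no}: expected 'version 2.1' or 'version 2.2'")
    with_priority = head[1] == "2.2"
    nfields = 9 if with_priority else 8          # "authorize" + 7 (+1 priority) fields
    entries, seen = [], set()
    for lineno, ln in numbered[1:]:
        f = ln.split()
        if f[0] != "authorize":
            raise AuthzDbError(f"line {lineno}: must start with 'authorize'")
        if len(f) != nfields:
            raise AuthzDbError(f"line {lineno}: expected {nfields} fields, got {len(f)}")
        username, access = f[1], f[2]
        if access not in ACCESS_VALUES:
            raise AuthzDbError(f"line {lineno}: bad permission {access!r}")
        if username in seen:                      # duplicate check is an assumption
            raise AuthzDbError(f"line {lineno}: duplicate username {username!r}")
        seen.add(username)
        rest = f[4:] if with_priority else f[3:]  # uid gid(s) path1 path2 path3
        try:
            priority = int(f[3]) if with_priority else 0
            uid = int(rest[0])
            gids = [int(g) for g in rest[1].split(",")]
        except ValueError as exc:
            raise AuthzDbError(f"line {lineno}: uid, gid and priority must be integers") from exc
        home, root, legacy = rest[2], rest[3], rest[4]
        for p in (home, root, legacy):
            if not p.startswith("/"):
                raise AuthzDbError(f"line {lineno}: path {p!r} must start with '/'")
        entries.append(AuthzEntry(username, access, priority, uid, gids, home, root, legacy))
    return entries


def is_valid_authzdb(text: str) -> bool:
    """Convenience wrapper: True if the file parses, False otherwise."""
    try:
        parse_storage_authzdb(text)
        return True
    except AuthzDbError:
        return False


def path_allowed(entry: AuthzEntry, path: str) -> bool:
    """True if an absolute path lies at or under the entry's root (second) path.
    Both sides are normalised first so '..' components cannot escape the root."""
    root = posixpath.normpath(entry.root)
    target = posixpath.normpath(path)
    if root == "/":
        return target.startswith("/")
    return target == root or target.startswith(root + "/")


def login_directory(entry: AuthzEntry) -> str:
    """Directory an interactive session lands in: the root path, then a cd to the
    first path, which is interpreted relative to that root."""
    rel = entry.home.strip("/")
    return (entry.root.rstrip("/") + "/" + rel).rstrip("/") or "/"


def kpwd_login_lines_to_authzdb(kpwd_text: str) -> str:
    """Build a version 2.1 storage-authzdb from the 'login' lines of a dcache.kpwd
    file by replacing the leading word 'login' with 'authorize'."""
    out = ["version 2.1"]
    for ln in kpwd_text.splitlines():
        f = ln.split()
        if f and f[0] == "login":
            out.append(" ".join(["authorize"] + f[1:]))
    return "\n".join(out) + "\n"


# Constructed sample files, assembled from the lines shown on this page.
SAMPLE_V21 = """version 2.1
authorize uscms01 read-write 60076 5063,5071,6843 / /pnfs/fnal.gov/resilient/uscms01 /
"""
SAMPLE_V22 = """version 2.2
authorize uscms01     read-write    2       60076 5063   / /pnfs/fnal.gov/resilient/uscms01 /
authorize cmssoft     read-write    0       60501 5502   / /pnfs/fnal.gov/reduction/cmssoft /
"""

if __name__ == "__main__":
    for e in parse_storage_authzdb(SAMPLE_V22):
        print(e.username, "priority", e.priority, "gids", e.gids, "home", login_directory(e))
```

A version 2.1 file fed to the parser with a priority column, or a version 2.2 file without one, is rejected by the field-count check, which is the mistake most likely to slip in when the version line is changed by hand; the path check in path_allowed is the kind of normalisation an administrator should expect any consumer of the second path to perform before deciding whether a request falls under the user's root.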