Table of Contents
- Configuring the gPlazma Policy File
- Configuring the kpwd Plugin
- Configuring the grid-mapfile Plugin
- Configuring the gplazmalite-vorole-mapping Plugin
- Configuring the saml-vo-mapping Plugin
- Configuring the xacml-vo-mapping Plugin
- An example policy file
- The Setup Files
- Using Direct Calls of gPlazma Methods
gPlazma is a cell in dCache that authorizes users. Cells make requests to gPlazma by submitting user credential information to it, receiving the authorization decision and site-specific user information such as uid, gid, and rootpath in
The acronym stands for Grid-aware PLuggable AuthoriZation Management; gPlazma supports plugins which implement various selectable authorization methods. The four currently-available methods are:
kpwd : This is the “legacy” method. The dcache.kpwd file is used to map a user’s DN to a local username, and the same file is used in a second mapping of the username to the uid, gid, and rootpath. As in all methods, if the mappings succeed, file system access is done using the obtained uid and gid, and a check is done that the local path of the transfer starts with the designated rootpath.
grid-mapfile : This method employs a grid mapfile. From the mapfile, the user’s DN is mapped to a username. A second file, storage-authzdb, is used for the mapping of the username to the uid, gid, and rootpath.
gplazmalite-vorole-mapping : In this method the mapping to the username is done from the concatenation of the user’s DN with the user’s Role (or, more precisely, with the user’s Fully Qualified Attribute Name). The mapping of username to uid, gid, and rootpath is through the storage-authzdb file.
saml-vo-mapping : The DN and Role are mapped to a username via a callout to a GUMS server. The GUMS service may run an extension which returns the uid, gid, and rootpath as well. Otherwise, the mapping of username to uid, gid, and rootpath is through the storage-authzdb file.
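The two-stage mapping shared by the grid-mapfile and vorole methods (DN to username, then username to uid, gid, and rootpath) and the rootpath check are illustrated below in an added Python example; it is not dCache code. The grid-mapfile lines and the `authorize <user> <mode> <uid> <gid> <home> <root> <fsroot>` storage-authzdb layout are assumptions, and the DNs, usernames and paths are constructed sample data.

```python
import posixpath
import shlex

# Constructed sample grid-mapfile: quoted DN followed by the local username.
GRID_MAPFILE = '''
"/C=DE/O=GermanGrid/OU=DESY/CN=Alice Example" alice
"/C=DE/O=GermanGrid/OU=DESY/CN=Bob Example" bob
'''

# Constructed sample storage-authzdb; field layout assumed to be
# authorize <user> <mode> <uid> <gid> <home> <root> <fsroot>.
STORAGE_AUTHZDB = '''
version 2.1
authorize alice read-write 1001 1001 / /pnfs/site.example/data/alice /
authorize bob   read-only  1002 1002 / /pnfs/site.example/data/bob   /
'''

def parse_grid_mapfile(text):
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)          # handles the quoted DN
        if len(parts) >= 2 and parts[0] not in mapping:
            mapping[parts[0]] = parts[1]   # first entry for a DN wins
    return mapping

def parse_storage_authzdb(text):
    records = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == 'authorize':
            records[f[1]] = {'mode': f[2], 'uid': int(f[3]),
                             'gid': int(f[4]), 'home': f[5], 'root': f[6]}
    return records

def path_within_root(path, root):
    # Normalise first so '..' segments cannot escape the root, then compare on
    # a component boundary: '/data/alice2' must not count as inside '/data/alice'.
    p = posixpath.normpath(path)
    r = posixpath.normpath(root)
    return p == r or p.startswith(r.rstrip('/') + '/')

def authorize(dn, path, gridmap, authzdb):
    """Return the site-specific identity for a DN and transfer path, or None."""
    user = gridmap.get(dn)
    rec = authzdb.get(user) if user is not None else None
    if rec is None or not path_within_root(path, rec['root']):
        return None
    return {'user': user, 'uid': rec['uid'], 'gid': rec['gid'], 'mode': rec['mode']}
```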
The following describes how to use gPlazma in dCache.