To take advantage of the Virtual Organization (VO) infrastructure, VO based authorization and VO based access control to space in dCache, certain things need to be in place:
The user needs to be registered with the VO.
The user needs to use voms-proxy-init to create a VO proxy.
dCache needs to use
dcache.kpwdplugin, but other modules that know how to extract VO attributes from the proxy. (see Chapter 12, gPlazma authorization in dCache, have a look at
The VO based authorization of the Space Manager can work only if these 3 conditions are satisfied.
If a client uses a regular grid proxy, created with
grid-proxy-init, and not a Virtual
Organization (VO) proxy, which is created with
voms-proxy-init, when it is communicating with the
SRM server in dCache, then the VO attributes cannot
be extracted from its
credential. voms-proxy-init adds one or more Fully
Qualified Attribute Name (FQAN) sections to the grid proxy,
which contain information about the user's VO membership; in
particular they contain the VO Group name and VO Role that the
client intends to play at this time. In the regular grid proxy
case the name of the user is extracted on the basis of the direct
Distinguished Name (DN) to user name mapping. For the purposes of
space reservation the name of the user is used as its VO Group name,
and the VO Role is left empty.
Access control for the dCache space reservation functionality is
currently performed at the level of the LinkGroups. Access
to making reservations in each LinkGroup is controlled by the
The file described by
has the following syntax:
LinkGroup Name followed by the list of the Fully Qualified
Attribute Names (FQANs), each FQAN on a separate line,
followed by an empty line, which is used as a record
separator, or by the end of file. An FQAN is usually a string
of the form <VO>/Role=<VORole>. Both <VO>
and <VORole> could be set to
this case all VOs or VO Roles will be allowed to make
reservations in this LinkGroup. Any line that starts with #
is a comment and may appear anywhere.
File location is specified by defining
in the dCacheSetup
# this is comment and is ignored

LinkGroup LFSOnly-LinkGroup
/atlas/Role=/atlas/role1

LinkGroup CMS-LinkGroup
/cms/Role=*
#/dteam/Role=/tester

LinkGroup default-LinkGroup
#allow anyone :-)
*/Role=*
#/dteam/Role=/tester
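The file format and the access decision it drives, as an added Python example that is not dCache code: parse_link_group_auth and may_reserve are hypothetical names, and the matching rule (exact match or `*`, with `*` also matching an empty role) is an assumption. It also shows the regular grid proxy case, where the user name stands in for the VO Group and the VO Role is empty, so only wildcard entries admit such a client.

```python
# Added illustration of the LinkGroup authorization file format described
# above. Not dCache code; function names and matching rule are assumptions.

SAMPLE = """\
# this is comment and is ignored

LinkGroup LFSOnly-LinkGroup
/atlas/Role=/atlas/role1

LinkGroup CMS-LinkGroup
/cms/Role=*
#/dteam/Role=/tester

LinkGroup default-LinkGroup
#allow anyone :-)
*/Role=*
#/dteam/Role=/tester
"""


def parse_link_group_auth(text):
    """Return {link_group_name: [(vo_pattern, role_pattern), ...]}."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):      # comments may appear anywhere
            continue
        if not line:                  # empty line ends the current record
            current = None
        elif line.startswith("LinkGroup "):
            current = records.setdefault(line.split(None, 1)[1], [])
        elif current is None:
            raise ValueError(f"FQAN outside a LinkGroup record: {line!r}")
        else:
            vo, sep, role = line.partition("/Role=")
            if not sep:
                raise ValueError(f"not <VO>/Role=<VORole>: {line!r}")
            current.append((vo, role))
    return records


def may_reserve(records, link_group, vo_group, vo_role=""):
    """Assumed semantics: each part matches exactly or via the '*' wildcard.
    Unknown LinkGroups and records without FQANs deny by default."""
    return any(vo in ("*", vo_group) and role in ("*", vo_role)
               for vo, role in records.get(link_group, []))
```

Reviewing a real file this way makes it easy to see which LinkGroups a plain grid-proxy-init user can reach: under these assumptions, only those with a `*` in the VO position.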
Successful VO and Experiment specific examples of dCache
SRM Space Manager configurations are or will be published
on the dCache WIKI documentation pages.