release notes | Book: 1.9.5, 1.9.12 (opt, FHS), 2.11 (FHS), 2.12 (FHS), 2.13 (FHS), 2.14 (FHS), | Wiki | Q&A black_bg
Web: Multi-page, Single page | PDF: A4-size, Letter-size | eBook: epub black_bg
Definition of the White List
Prev Chapter 18.  Stage Protection  Next
The dCache Book > Configuration of dCache > Stage Protection > Definition of the White List

Definition of the White List

The Stage Configuration File will contain a white list. Each line of the white list may contain one or two regular expressions enclosed in double quotes. The first regular expression matches the DN, and the second matches the FQAN :

"<DN>" ["<FQAN>"]

Lines starting with a hash symbol # are discarded as comments.

The regular expression syntax follows the syntax defined for the Java Pattern class .

Here are some examples of the White List Records for the 1.9.5 series: 

".*" "/atlas/Role=production"
"/C=DE/O=DESY/CN=Kermit the frog"
"/C=DE/O=DESY/CN=Beaker" "/desy"
"/O=GermanGrid/.*" "/desy/Role=.*"

This example authorizes a number of different groups of users:

  • Any user with the FQAN /atlas/Role=production.
  • The user with the DN /C=DE/O=DESY/CN=Kermit the frog, irrespective of which VOMS groups he belongs to.
  • The user with the DN /C=DE/O=DESY/CN=Beaker but only if he is also identified as a member of VO desy (FQAN /desy)
  • Any user with DN and FQAN that match /O=GermanGrid/.* and /atlas/Role=.* respectively.

With the plain dCap protocol the DN and FQAN are not known for any users. Therefore, there is a special case for dCap users in 1.9.5. In order to allow all dCap users to stage files the white list should contain the following record: 

"Unknown" "nobody"

If this line is commented or not present in the white list, all dCap users will be disallowed to stage files.

[return to top]

Authorizing Only Certain Storage Groups

In 1.9.5-20 release, an optional storage group parameter can be specified. Each line of the white list may contain up to three regular expressions enclosed in double quotes. The regular expressions match the DN, FQAN, and Storage Group written in the following format:

"<DN>" ["<FQAN>" ["<StorageGroup>"] ]

If a storage group is specified all three parameters must be provided. The regular expression ".*" may be used to authorize any DN or any FQAN. Consider the following example: 

".*" "/atlas/Role=production" "h1:raw@osm"
"/C=DE/O=DESY/CN=Scooter" ".*" "sql:chimera@osm"

In the example above:

  • Any user with FQAN /atlas/Role=production is allowed to stage files located in the storage group h1:raw@osm.
  • The user /C=DE/O=DESY/CN=Scooter, irrespective of which VOMS groups he belongs to, is allowed to stage files located in the storage group sql:chimera@osm.

In the following example, all dCap users are allowed to stage files located in the storage group h1:raw@osm: 

"Unknown" "nobody" "h1:raw@osm"
Prev Up Next
Configuration of Stage Protection Home Part III. Cookbook