
hello Gregory,

         in Lyon, I've set up things in the following way for the 
multi-experiment server:
in order to have less administration burden, I've decided to host all 
the experiments (3 at the moment, but only 2 really active) on the same 
xrootd port. And also, it is less complicated for users belonging to 
several experiments, as Andy mentioned.
xrootd is used for these experiments in the same way as BaBar, i.e. access 
to ROOT files stored in HPSS.
the daemon is running at the moment on a generic account belonging to 
the BaBar group, which is not a big deal: even though the files 
belong to this generic account, they are only accessed in read mode.
The only problem with a setting like this is that if a file from D0 (for 
example) does not have the read right for other groups, then the 
daemon running under a username belonging to the BaBar group will not be 
able to access the file. It has never happened yet, but I am pretty sure 
it will.
In order to correct that, here is what I am going to do in the near 
future. Suppose that D0 has a file foo.root with the following rights in 
HPSS: rw-r-----
1) run xrootd under an account (e.g. xrootmgr) belonging to a "neutral" 
group (ccin2p3 in my case). However, this account will belong to several 
groups in HPSS (D0, INDRA etc.), allowing it to access files like 
foo.root even though xrootmgr does not belong to the D0 group.
2) but it is not enough, because now foo.root can be accessed by a user 
from another group via xrootd, which is not possible when trying to 
stage it directly from HPSS outside the xrootd framework. This is why 
security must be implemented at the same time. And that solves the 
problem completely.
3) there is still a problem: what to do in the case that foo.root has the 
following permission in HPSS: rw-------
xrootmgr will not be able to access this file. I talked with Andy about 
this issue, and he came up with a solution. There is also the possibility 
of giving xrootmgr special rights in HPSS in order to overcome 
this problem: the HPSS admin told me it was possible, though he does not 
enjoy it that much.
There are also some problems related to a multi-experiment server for 
writing: all the files will belong to xrootmgr when first written on the 
server, but they can be migrated to HPSS with the right user id and group 
id by running a migration daemon under root and doing 'su 
userid' each time it needs to migrate a file to HPSS: this is what Andy 
suggested to me when I talked to him about this.
hope this helps,
JY

Andrew Hanushevsky wrote:

>Hi Gregory,
>
>>On Wed, Dec 01, 2004 at 06:35:40PM +0100, Gregory Schott wrote:
>>
>>>  During our GridKa meeting today, one has raised the question about
>>>xrootd file access when other experiments are also using xrootd.
>>>
>>>  The question concerns the case when xrootd is also used by another
>>>experiment; how the permissions may be set up that babar data is only
>>>accessible by babar users? Via the xrootd configuration files? How is it
>>>done at IN2P3?
>
>You have two options on how to accomplish this. One is to run multiple
>xrootd servers (one for each experiment). The drawback is that different
>port numbers would be used for each xrootd and would simply confuse people
>who work on multiple experiments.
>
>The other alternative is to enable authentication and provide an access
>control file that specifies what can be accessed by whom. This is documented
>in the Security reference manual. Currently, only Kerberos 4 and Kerberos 5
>authentication is supported.
>
>Andy
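As an added illustration of the second alternative Andy describes, and of JY's point 2 (once xrootmgr can read every experiment's HPSS files, the xrootd authorization layer is the only thing keeping D0 data away from BaBar users), here is a sketch of what the configuration looks like. It is an editor's example, not from the original thread or from the IN2P3 setup: the path prefixes, group names, account names, keytab path and Kerberos realm are assumptions, and the directive names follow the xrootd security reference manual as it was at the time, so check them against the manual for the xrootd version you actually run.

```conf
# --- xrootd.cf (excerpt) ---
# Weak setting: the daemon runs as xrootmgr, which HPSS lets read every
# experiment's files, and no authorization is configured, so any client
# that can reach the port can read any exported file. (Do not deploy this.)
#   xrootd.export /hpss

# Corrected setting: require Kerberos 5 authentication and consult an
# access control database before serving a file.
xrootd.seclib libXrdSec.so
# Service principal and keytab path are assumed names.
sec.protocol krb5 -keytab:/etc/xrootd/krb5.keytab xrootd/xrootd.example.org@EXAMPLE.ORG
ofs.authorize
acc.authdb /etc/xrootd/authdb
xrootd.export /hpss

# --- /etc/xrootd/authdb ---
# Format: <idtype> <id> <path> <privs> [<path> <privs> ...]
#   idtype: u = user, g = group
#   privs : r = read, l = lookup, w = write, a = all, a leading - denies
# Each experiment group may read (and list) only its own prefix; the
# prefixes /hpss/babar, /hpss/d0 and /hpss/indra are assumed.
g babar /hpss/babar rl
g d0    /hpss/d0    rl
g indra /hpss/indra rl
# A request that matches no entry above is denied, so a BaBar user asking
# for /hpss/d0/foo.root is refused even though xrootmgr could read it.
```

The `g` entries depend on xrootd resolving the authenticated Kerberos user name to Unix groups on the server host, so the group database there has to mirror the experiment membership that HPSS enforces; if it does not, the authdb will grant or deny the wrong people regardless of what HPSS permissions say. This read-only database covers JY's read server; a write server, together with the root migration daemon JY mentions, would additionally need write-type privileges on per-experiment areas, which are not shown here.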