DPM Filesystem Access Control Lists
From GridPPwiki
DPM Access Control Lists
DPM supports (and, indeed, requires) access control lists on its namespace. These are POSIX-style ACLs (http://www.suse.de/~agruen/acl/linux-acls/online/) and can be read and set with the commands
dpns-getacl /dpm/domain.name/path/to/directory
and
dpns-setacl some-acl[,some-more-acl] /dpm/domain.name/path/to/directory
For example, YAIM autoconfigures the ACLs for supported VOs with the following commands:
dpns-chmod 775 /dpm
dpns-chmod 775 /dpm/domain.name
dpns-chmod 775 /dpm/domain.name/home
dpns-chmod 775 /dpm/domain.name/home/VO
dpns-entergrpmap --group VO
dpns-chown root:VO /dpm/domain.name/home/VO
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/domain.name
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/domain.name/home
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/domain.name/home/VO
which sets both the access mode of each directory (with dpns-chmod) to rwxrwxr-x, and also the default access control list, which new entries created in those directories inherit, to rwxrwxr-x (with dpns-setacl).
Of course, ACLs are more flexible than chmod-based access control, so, for example, we could allow only users jbloggs and ppecker to have full permissions on a branch of the filesystem with
dpns-setacl -m d:u::5,u:jbloggs:7,u:ppecker:7 /dpm/domain.name/home/VO/stuff/jbloggs-special-area/
where the "d:" prefix marks a default ACL entry, so d:u::5 sets the owner (u::) permission that new entries in that directory inherit, while the u:jbloggs:7 and u:ppecker:7 entries are named-user entries on the directory itself.
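To check what an ACL spec actually grants before applying it, here is an added Python example (not from the GridPP page or the DPM tools) that parses the dpns-setacl entry syntax used above, mirrors the `-m` merge, and evaluates effective access with POSIX.1e rules. The YAIM starting ACL, the user and group names, and the treatment of a missing m: (mask) entry as "no restriction" are assumptions.

```python
from functools import reduce
from operator import or_

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_perm(text):
    """Accept the octal digit used on the page (7) or the rwx form (r-x)."""
    if len(text) == 1 and text in "01234567":
        return int(text)
    return sum(bit for ch, bit in PERM_BITS.items() if ch in text)

def parse_acl(spec):
    """Turn 'd:u::7,u:jbloggs:7,o:5' into (default, tag, qualifier, perm) tuples."""
    entries = []
    for item in spec.split(","):
        parts = item.split(":")
        default = parts[0] == "d"          # "d:" marks a default (inherited) entry
        if default:
            parts = parts[1:]
        if len(parts) == 2:                # short form "o:5" / "m:5" as on the page
            parts.insert(1, "")
        if len(parts) != 3 or parts[0] not in ("u", "g", "o", "m"):
            raise ValueError(f"bad ACL entry: {item!r}")
        entries.append((default, parts[0], parts[1], parse_perm(parts[2])))
    return entries

def modify_acl(base, spec):
    """Mirror `dpns-setacl -m`: replace entries with the same key, add the rest."""
    merged = {(d, t, q): p for d, t, q, p in base}
    for d, t, q, p in parse_acl(spec):
        merged[(d, t, q)] = p
    return [(d, t, q, p) for (d, t, q), p in merged.items()]

def effective_perm(acl, user, groups, owner, owning_group, default=False):
    """POSIX.1e order: owner, then named user, then matching group entries, then other."""
    ents = {(t, q): p for d, t, q, p in acl if d == default}
    mask = ents.get(("m", ""), 7)          # assumption: no mask entry means no restriction
    if user == owner:
        return ents.get(("u", ""), 0)      # the owner entry is never masked
    if ("u", user) in ents:
        return ents[("u", user)] & mask
    matched = [p & mask for (t, q), p in ents.items()
               if t == "g" and (q in groups or (q == "" and owning_group in groups))]
    if matched:                            # access is the union of matching group entries
        return reduce(or_, matched)
    return ents.get(("o", ""), 0)

# Constructed scenario: YAIM's VO directory ACL, then the page's jbloggs/ppecker entries.
YAIM_ACL = parse_acl("u::7,g::7,o:5,d:u::7,d:g::7,d:o:5")
SPECIAL = modify_acl(YAIM_ACL, "d:u::5,u:jbloggs:7,u:ppecker:7")
```

Evaluating SPECIAL shows that other members of the VO group still get rwx through the g::7 entry; adding a mask entry such as m:5 with modify_acl is what caps named-user and group access.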
The dpns-setacl manpage (http://grid-deployment.web.cern.ch/grid-deployment/documentation/LFC_DPM/dpm/man1/dpns-setacl.1.html) can be useful.
