Configuring gPlazma in dCache

From GridPP Wiki

gPlazma is the Grid-aware PLuggable AuthoriZation MAnagement system for dCache (jeez, what an acronym; it should be gPlasma, I think). It runs as a dCache cell that authorises users to perform certain actions (such as reading and writing files) in the dCache namespace. Other cells make requests to gPlazma by submitting the user's credentials (the certificate DN and, with a VOMS proxy, the VOMS groups and roles) and receive back site-specific user information: uid, gid and root path. It is pluggable in that it supports different authorisation methods. Full documentation is in the dCache Book.

Configuration of gPlazma Cell

gPlazma comes installed by default in dCache 1.7 and above. By default it is configured to use the standard authorisation mechanism of dCache, the dcache.kpwd file. To perform VO role mapping (i.e. where different VOMS groups and roles are mapped to different local users) you need to switch on a more advanced plugin. In the case of LCG this is the grid-vorolemap plugin (OSG sites may use the saml one, which queries GUMS servers).

You need to edit or create three gPlazma files (the two mapping files and the policy file), then enable the cell in two dCache setup files:

/etc/grid-security/grid-vorolemap

This maps VOMS groups and roles to local accounts. Each line is a quoted DN (or "*" for any DN), a quoted FQAN and the local account to map to. A simple file looks like:

"/C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=greig cowan" "/dteam/Role=NULL/Capability=NULL" dteam001
"*" "/lhcb/Role=NULL/Capability=NULL" lhcb001

This means that my DN is mapped to dteam001 if I come in with a dteam VOMS proxy (i.e. voms-proxy-init -voms dteam) and any DN with an lhcb VOMS proxy gets mapped to lhcb001. The VO group ("/lhcb") has to be included, but the Role and Capability are optional. If these are present and set to NULL, they are ignored. Since a "*" entry accepts any DN, everything then hangs on the VOMS attributes in the proxy being verified; an unverified FQAN would be mapped exactly like a genuine one.

/etc/grid-security/storage-authzdb

This is similar to the login lines in the kpwd file and is used to restrict each account to a particular part of the filesystem. Each authorize line gives the account, its access mode (read-write or read-only), uid, gid, home directory, root path and filesystem root. The file must contain a version line:

version 2.1
authorize dteam001 read-write 18118 2688 / /pnfs/epcc.ed.ac.uk/data/dteam /pnfs/epcc.ed.ac.uk/data/dteam
authorize alice001 read-write 10417 1395 / /pnfs/epcc.ed.ac.uk/data/alice /pnfs/epcc.ed.ac.uk/data/alice
authorize atlas001 read-write 10761 1307 / /pnfs/epcc.ed.ac.uk/data/atlas /pnfs/epcc.ed.ac.uk/data/atlas
authorize bio001 read-write 44001 44000 / /pnfs/epcc.ed.ac.uk/data/biomed /pnfs/epcc.ed.ac.uk/data/biomed
authorize cms001 read-write 11410 1399 / /pnfs/epcc.ed.ac.uk/data/cms /pnfs/epcc.ed.ac.uk/data/cms
authorize lhcb001 read-write 12238 1470 / /pnfs/epcc.ed.ac.uk/data/lhcb /pnfs/epcc.ed.ac.uk/data/lhcb

The accounts still need UNIX file permissions on the pnfs file system. Just lift the uid and gid values from the dcache.kpwd file. Note that by restricting the user to a particular pnfs path, the TURLs that dCache returns to clients during copying will all be relative to that path, e.g. gsiftp://hostname:2811//test-dir/testfile for a dteam transfer into /pnfs/epcc.ed.ac.uk/data/dteam/test-dir/testfile.
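As a worked illustration of the two mapping files above, here is a small Python script, added for this page and not part of dCache or gPlazma, that resolves a DN and FQAN the way the page describes: the first matching grid-vorolemap line wins, "*" matches any DN, Role=NULL and Capability=NULL are ignored, the local account is then looked up in storage-authzdb for its uid, gid and root path, and any account that grid-vorolemap can hand out but storage-authzdb never authorises is reported. The two file contents are constructed for the example (they mirror the entries on this page, plus an atlasprd account that is deliberately left without an authorize line), and the rule that FQANs compare exactly after the NULL components are stripped is an assumption drawn from the text, not a statement of how every dCache version matches FQANs.

```python
import shlex

# Constructed sample files for this example (not copied from a live host).
# DNs, uids and paths mirror the page's own examples; atlasprd is added to
# show an account that is mapped but never authorised.
GRID_VOROLEMAP = """\
# "DN or *"  "FQAN"  local-account
"/C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=greig cowan" "/dteam/Role=NULL/Capability=NULL" dteam001
"*" "/lhcb/Role=NULL/Capability=NULL" lhcb001
"*" "/atlas/Role=production" atlasprd
"""

STORAGE_AUTHZDB = """\
version 2.1
authorize dteam001 read-write 18118 2688 / /pnfs/epcc.ed.ac.uk/data/dteam /pnfs/epcc.ed.ac.uk/data/dteam
authorize lhcb001 read-write 12238 1470 / /pnfs/epcc.ed.ac.uk/data/lhcb /pnfs/epcc.ed.ac.uk/data/lhcb
"""


def normalise_fqan(fqan):
    """Drop Role=NULL and Capability=NULL, which the page says are ignored,
    so "/dteam/Role=NULL/Capability=NULL" and "/dteam" compare equal."""
    keep = [p for p in fqan.split("/") if p and p not in ("Role=NULL", "Capability=NULL")]
    return "/" + "/".join(keep)


def parse_vorolemap(text):
    """grid-vorolemap: quoted DN (or "*"), quoted FQAN, local account."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the quotes around DNs with spaces
        if len(fields) != 3:
            raise ValueError(f"bad grid-vorolemap line: {line!r}")
        dn, fqan, user = fields
        entries.append((dn, normalise_fqan(fqan), user))
    return entries


def parse_authzdb(text):
    """storage-authzdb: authorize <user> <access> <uid> <gid> <home> <root> <fsroot>."""
    accounts, version = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "version":
            version = fields[1]
            continue
        if fields[0] != "authorize" or len(fields) != 8:
            raise ValueError(f"bad storage-authzdb line: {line!r}")
        _, user, access, uid, gid, home, root, fsroot = fields
        accounts[user] = {"access": access, "uid": int(uid), "gid": int(gid),
                          "home": home, "root": root, "fsroot": fsroot}
    if version is None:
        raise ValueError("storage-authzdb is missing its version line")
    return accounts


def map_user(entries, dn, fqan):
    """First matching line wins; "*" matches any DN. None if nothing matches.
    Assumption for this example: FQANs compare exactly after normalisation."""
    wanted = normalise_fqan(fqan)
    for entry_dn, entry_fqan, user in entries:
        if entry_dn in ("*", dn) and entry_fqan == wanted:
            return user
    return None


def authorise(entries, accounts, dn, fqan):
    """Full gPlazma-style answer: account plus uid/gid/root, or None."""
    user = map_user(entries, dn, fqan)
    if user is None:
        return None
    if user not in accounts:
        raise LookupError(f"{user} is in grid-vorolemap but has no authorize line")
    return {"user": user, **accounts[user]}


def unmapped_accounts(entries, accounts):
    """Accounts grid-vorolemap can hand out that storage-authzdb never authorises."""
    return sorted({user for _, _, user in entries} - set(accounts))


def turl_path(root, pnfs_path):
    """Path part of the TURL a client sees: pnfs_path relative to the account's root."""
    base = root.rstrip("/")
    if not pnfs_path.startswith(base + "/"):
        raise ValueError(f"{pnfs_path} lies outside {root}")
    return pnfs_path[len(base):]


if __name__ == "__main__":
    entries = parse_vorolemap(GRID_VOROLEMAP)
    accounts = parse_authzdb(STORAGE_AUTHZDB)
    me = "/C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=greig cowan"
    print(authorise(entries, accounts, me, "/dteam/Role=NULL/Capability=NULL"))
    print(authorise(entries, accounts, "/DC=ch/DC=cern/CN=someone", "/lhcb"))
    print(map_user(entries, "/DC=ch/DC=cern/CN=someone", "/dteam"))  # None: DN not listed
    print("mapped but not authorised:", unmapped_accounts(entries, accounts))
    print(turl_path(accounts["dteam001"]["root"], "/pnfs/epcc.ed.ac.uk/data/dteam/test-dir/testfile"))
```

To check a real site, read /etc/grid-security/grid-vorolemap and /etc/grid-security/storage-authzdb into the two parse functions; a non-empty result from unmapped_accounts is the misconfiguration in which a VOMS proxy maps to an account that can never be authorised, and a ValueError from either parser points at a line the real plugins would also choke on.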

/opt/d-cache/etc/dcachesrm-gplazma.policy

Change:

gplazmalite-vorole-mapping="OFF"

to

gplazmalite-vorole-mapping="ON"

kpwd can be left ON so that the traditional mechanism does not break. You then need to set the priorities for each plugin. Make sure that gplazmalite-vorole-mapping has a higher number than kpwd so that the full VOMS mapping is tried first (check the comments in the policy file for the ordering convention your dCache version uses).

/opt/d-cache/config/dCacheSetup

Make sure that these lines are set and uncommented.

useGPlazmaAuthorizationModule=false
useGPlazmaAuthorizationCell=true

If the Module line is set to true, dCache cells call the gPlazma methods directly instead of going through the gPlazma cell.

/opt/d-cache/etc/node_config

gPlazmaService=yes

After all of this you will need to start the gPlazma cell.

Configuring dCache to use the gPlazma module

Rather than using a dedicated gPlazma cell, other dCache cells can call the gPlazma methods directly. The advantage is that there should not be any timeouts during authorisation calls, which can happen with the dedicated cell when inter-cell communication has problems. Instructions for setting up the module are in the book. Essentially, each node that should be able to call the gPlazma methods must have the gPlazma configuration files referred to above on it, and those copies must be kept identical, otherwise different doors will authorise the same credentials differently.

Make sure that these lines are set and uncommented.

useGPlazmaAuthorizationModule=true
useGPlazmaAuthorizationCell=false

It is actually possible to set both to true, in which case there is a fallback mechanism between the two.