Configuring gPlazma in dCache
gPlazma is the Grid-aware PLuggable AuthoriZation MAnagement (jeez, what an acronym, it should be gPlasma I think) system for dCache. It runs as a dCache cell that authorizes users to perform certain actions (like reading and writing files) in the dCache namespace. Cells make requests to gPlazma by submitting the user credentials (DN) and receive back site-specific user information such as gid, uid and rootpath. It is pluggable in that it supports different authorization methods. Full documentation is in the dCache Book.
Configuration of gPlazma Cell
gPlazma comes installed by default in dCache 1.7 and above. By default it is configured to use the standard authorisation mechanism of dCache, the dcache.kpwd file. To perform VO role mapping (i.e. where different VOMS groups and roles are mapped to different local users) you need to switch on a more advanced plugin. In the case of LCG this will be the grid-vorolemap plugin (OSG people may use the saml one, which uses GUMS servers).
You need to edit/create three files:
/etc/grid-security/grid-vorolemap
This maps the roles to local accounts. A simple file looks like:
"/C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=greig cowan" "/dteam/Role=NULL/Capability=NULL" dteam001
"*" "/lhcb/Role=NULL/Capability=NULL" lhcb001
This means that my DN is mapped to dteam001 if I come in with a dteam voms proxy (i.e. voms-proxy-init -voms dteam) and any DN with an lhcb voms proxy gets mapped to lhcb001. The VO group ("/lhcb") has to be included, but the Role and Capability are optional. If these are present and set to NULL, then they are ignored.
/etc/grid-security/storage-authzdb
This is similar to the login lines in the kpwd file and is used to authorize accounts to only access certain parts of the filesystem. You need the version line somewhere in the file:
version 2.1
authorize dteam001 read-write 18118 2688 / /pnfs/epcc.ed.ac.uk/data/dteam /pnfs/epcc.ed.ac.uk/data/dteam
authorize alice001 read-write 10417 1395 / /pnfs/epcc.ed.ac.uk/data/alice /pnfs/epcc.ed.ac.uk/data/alice
authorize atlas001 read-write 10761 1307 / /pnfs/epcc.ed.ac.uk/data/atlas /pnfs/epcc.ed.ac.uk/data/atlas
authorize bio001 read-write 44001 44000 / /pnfs/epcc.ed.ac.uk/data/biomed /pnfs/epcc.ed.ac.uk/data/biomed
authorize cms001 read-write 11410 1399 / /pnfs/epcc.ed.ac.uk/data/cms /pnfs/epcc.ed.ac.uk/data/cms
authorize lhcb001 read-write 12238 1470 / /pnfs/epcc.ed.ac.uk/data/lhcb /pnfs/epcc.ed.ac.uk/data/lhcb
The accounts still need UNIX file permissions on the pnfs file system. Just lift these from the dcache.kpwd file. Note that by restricting the user to a particular pnfs path, the TURLs that dCache returns to clients during copying will all be relative to these paths, e.g. gsiftp://hostname:2811//test-dir/testfile, for a dteam transfer into /pnfs/epcc.ed.ac.uk/data/dteam/test-dir/testfile .
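As an added example (not code from the page or from dCache itself), here is a small Python checker that parses the two files above, applies the mapping rules described (a "*" DN matches any DN; Role=NULL and Capability=NULL are ignored) and then confirms that a requested pnfs path actually lies under the mapped account's root. It assumes first-matching-line semantics for grid-vorolemap and that the storage-authzdb fields are user, access, uid, gid, home, root and fsroot in that order; the sample file contents are constructed from the page.

```python
import posixpath
import shlex
# Constructed sample contents, modelled on the two files shown on the page.
VOROLEMAP = '''
"/C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=greig cowan" "/dteam/Role=NULL/Capability=NULL" dteam001
"*" "/lhcb/Role=NULL/Capability=NULL" lhcb001
'''
AUTHZDB = '''
version 2.1
authorize dteam001 read-write 18118 2688 / /pnfs/epcc.ed.ac.uk/data/dteam /pnfs/epcc.ed.ac.uk/data/dteam
authorize lhcb001 read-write 12238 1470 / /pnfs/epcc.ed.ac.uk/data/lhcb /pnfs/epcc.ed.ac.uk/data/lhcb
'''

def parse_vorolemap(text):
    """Each line is: "DN" "FQAN" localuser; shlex keeps the quoted DN (with spaces) as one token."""
    rules = [tuple(shlex.split(line, comments=True)) for line in text.splitlines()]
    if any(r and len(r) != 3 for r in rules):
        raise ValueError('grid-vorolemap lines must be: "DN" "FQAN" localuser')
    return [r for r in rules if r]

def map_user(rules, dn, fqan):
    """Local account for (dn, fqan); a DN of "*" matches anyone. First match wins (assumption)."""
    norm = lambda f: [p for p in f.split("/") if p and p not in ("Role=NULL", "Capability=NULL")]
    for rule_dn, rule_fqan, user in rules:
        if rule_dn in ("*", dn) and norm(rule_fqan) == norm(fqan):
            return user
    return None

def parse_authzdb(text):
    """Lines are: authorize user read-write|read-only uid gid home root fsroot (assumed field order)."""
    lines = [line.split() for line in text.splitlines() if line.split()]
    if not any(parts[:1] == ["version"] for parts in lines):
        raise ValueError("storage-authzdb has no version line")   # the page says it is required
    accounts = {}
    for parts in lines:
        if parts[0] == "authorize" and len(parts) == 8:
            accounts[parts[1]] = dict(zip(("access", "uid", "gid", "home", "root", "fsroot"), parts[2:]))
        elif parts[0] != "version":
            raise ValueError(f"bad storage-authzdb line: {' '.join(parts)!r}")
    return accounts

def authorize(rules, accounts, dn, fqan, path, write=False):
    """Resolve DN+FQAN to uid/gid/root; refuse paths outside the root and writes by read-only accounts."""
    user = map_user(rules, dn, fqan)
    acct = accounts.get(user)
    if acct is None or (write and acct["access"] != "read-write"):
        return None
    if not (posixpath.normpath(path) + "/").startswith(acct["root"].rstrip("/") + "/"):  # collapse ../ first
        return None
    return {"user": user, "uid": int(acct["uid"]), "gid": int(acct["gid"]), "root": acct["root"]}
```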
/opt/d-cache/etc/dcachesrm-gplazma.policy
Change:
gplazmalite-vorole-mapping="OFF"
to
gplazmalite-vorole-mapping="ON"
kpwd can be left on so that the traditional mechanism does not break. You then need to set the priorities for each plugin. Make sure that gplazmalite-vorole-mapping has a higher number than kpwd so that the full VOMS mapping is tried first.
/opt/d-cache/config/dCacheSetup
Make sure that these lines are set and uncommented.
useGPlazmaAuthorizationModule=false
useGPlazmaAuthorizationCell=true
If the Module line is true, then dCache cells can directly call the gPlazma methods without going to the gPlazma cell first of all.
/opt/d-cache/etc/node_config
gPlazmaService=yes
After all of this you will need to start up the gPlazma cell.
Configuring dCache to use the gPlazma module
Rather than using a dedicated gPlazma cell, it is possible for other dCache cells to directly call the gPlazma methods. This has the advantage that there should not be any timeouts during authorisation calls, which can happen when using the dedicated cell due to problems in inter-cell communication. Instructions for setting up the module can be found in the book. Essentially, each node that you want to be able to call the gPlazma methods should have the gPlazma config files referred to above on it.
Make sure that these lines are set and uncommented.
useGPlazmaAuthorizationModule=true
useGPlazmaAuthorizationCell=false
It is actually possible to set both to true, and then there is a fallback mechanism.