Versions Compared

Comment: Migrated to Confluence 4.0

...

The xrootd redirectors are configured to forward a client's file remove request to all of their data servers. Therefore the redirectors have to be configured so that only certain clients are allowed to
remove files: clients have to authenticate themselves, and only one production account is authorized to remove files.

Testing

The Fermi xrootd test setup was configured to use authentication/authorization for the redirectors and data servers:
1) only glastxrw was allowed to remove files (either through the redirector or the data server)
2) all clients were allowed to read/write files if connected to the redirector
3) only Fermi users are allowed to read files from the data servers
4) only Fermi production accounts are allowed to write files

Authorization was set up for the Fermi test xrootd redirectors, and these rules were tested using four accounts: a Fermi user (read-only access), a production account, the account that has privileges to remove files, and a non-Fermi
user account. It was confirmed that clients are still able to read and write files, but only glastxrw is able to remove files.

Rollback

The configuration can be rolled back by using the previous xrootd configuration and authorization files. A restart of the xrootd redirectors is needed.

CCB Request

https://jira.slac.stanford.edu/browse/SSC-185199

Details

Authentication and authorization is required for all of the xrootd data servers in order to restrict access to the Fermi data to Fermi members only. Write and remove privileges are granted only to production accounts. No restrictions were needed for the redirectors, as all they did was redirect clients to the data servers.

The redirectors were reconfigured so that they are able to remove files, and therefore authentication and authorization has to be enabled on them as well.
The same authentication scheme as used for the data servers will be used, and the authorization will be very simple:
1. All users are allowed to read and write files (this is further restricted by the data servers)
2. Only glastxrw is allowed to remove files
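The following is an added example, not part of the original page or of the xrootd project: a small Python evaluator for authorization rules in an authdb-like format (id type, identity, path prefix, privilege letters r/w/d/a), used to check that the redirector rules above and the data-server rules from the Testing section grant exactly what is intended for the four kinds of accounts. The account names glastprod, fermiuser and outsider, the group name fermi and the path /glast are assumptions; only glastxrw comes from the page. The matching semantics are deliberately simplified (user, group and default entries are unioned, longest path prefix wins per entry); the real authdb files must follow the xrootd authorization documentation and be tested against the running servers.

```python
"""Simplified evaluator for xrootd-style authdb rules (added example, not xrootd code)."""

# Constructed rule texts modelling the policy described on the page.
# Privilege letters: r read, w write, d delete/remove, a all.
DATA_SERVER_AUTHDB = """\
# idtype  identity   path    privileges
g   fermi      /glast  r      # Fermi members: read only (group name assumed)
u   glastprod  /glast  rw     # production account: read and write (name assumed)
u   glastxrw   /glast  a      # the one account allowed to remove files
"""

REDIRECTOR_AUTHDB = """\
=   /glast  rw                # every authenticated client: read and write
u   glastxrw  /glast  a       # only glastxrw may remove
"""

OP_PRIV = {"read": "r", "write": "w", "remove": "d"}


def parse_authdb(text):
    """Parse rule lines into (idtype, identity, path, privilege-set) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "=":                        # default entry has no identity
            idtype, ident, path, privs = "=", "*", parts[1], parts[2]
        else:
            idtype, ident, path, privs = parts[:4]
        rules.append((idtype, ident, path.rstrip("/") or "/", set(privs)))
    return rules


def _matches(idtype, ident, user, groups):
    return (idtype == "=" or (idtype == "u" and ident == user)
            or (idtype == "g" and ident in groups))


def privileges(rules, user, groups, path):
    """Union of privileges from every matching entry, longest prefix per entry."""
    best = {}  # (idtype, identity) -> (prefix length, privilege set)
    for idtype, ident, rpath, privs in rules:
        if not _matches(idtype, ident, user, groups):
            continue
        if path == rpath or path.startswith(rpath.rstrip("/") + "/"):
            key = (idtype, ident)
            if key not in best or len(rpath) > best[key][0]:
                best[key] = (len(rpath), privs)
    granted = set()
    for _, privs in best.values():
        granted |= privs
    return granted


def is_allowed(rules, user, groups, path, op):
    granted = privileges(rules, user, groups, path)
    return "a" in granted or OP_PRIV[op] in granted


# Constructed identities standing in for the four accounts used in the test.
ACCOUNTS = {
    "fermiuser": ["fermi"],   # Fermi member, read-only
    "glastprod": ["fermi"],   # production account
    "glastxrw": ["fermi"],    # production account with remove privilege
    "outsider": [],           # non-Fermi user
}


def check_policy(path="/glast/data/file.root"):
    """Evaluate every account/operation on both rule sets; returns {(server, user, op): bool}."""
    ds = parse_authdb(DATA_SERVER_AUTHDB)
    rd = parse_authdb(REDIRECTOR_AUTHDB)
    results = {}
    for user, groups in ACCOUNTS.items():
        for op in OP_PRIV:
            results[("data", user, op)] = is_allowed(ds, user, groups, path, op)
            results[("redirector", user, op)] = is_allowed(rd, user, groups, path, op)
    return results


if __name__ == "__main__":
    for (server, user, op), ok in sorted(check_policy().items()):
        print(f"{server:10} {user:10} {op:7} {'ALLOW' if ok else 'DENY'}")
```

Running the script prints an allow/deny table; the rows to look at are the four "remove" rows per server (only glastxrw should be ALLOW) and the data-server "write" rows (only the production accounts). Because the redirector forwards removes to every data server, the check is worth repeating whenever either authdb file changes.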

...

After changing the authorization files and the xrootd config file, the xrootd on the redirectors has to be restarted in order to activate the changes.
The data servers do not need to be restarted as they reread the authorization file periodically.