
Reason for change

The xrootd redirectors are configured to forward a client's file remove request to all of their data servers. Access therefore has to be configured so that only certain clients are allowed to remove files. Only one production user should be allowed to remove files, either through the redirector or a data server.

Testing

Authorization was set up for the Fermi test xrootd redirectors. It was confirmed that clients are still able to read and write files, but only glastxrw is able to remove files.

Rollback

The configuration can be rolled back by using the old xrootd configuration and authorization. A restart of the xrootd servers is needed.

CCB Request

https://jira.slac.stanford.edu/browse/SSC-185

Details

Authentication and authorization were turned on for all of the xrootd data servers in order to restrict access to the Fermi data to Fermi members only, and write and remove privileges are granted only to production accounts. No restrictions were needed for the redirectors, as all they did was redirect clients to the data servers.

The redirectors were reconfigured so that they are able to remove files, and therefore authentication and authorization have to be turned on.
The same authentication scheme as used for the data servers will be used, and the authorization will be very simple:
1. All users are allowed to read and write files (this is later restricted by the data servers)
2. Only glastxrw is allowed to remove files

For the data servers we would like to change the authorization so that only the glastxrw user is able to remove files (so far other production accounts are also allowed).

After changing the authorization files and xrootd config file the redirectors have to be restarted in order to activate these changes.
The data servers do not need to be restarted, as they reread the authorization file periodically.
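
The rule "only glastxrw is allowed to remove files" can be checked against an authorization file before it is deployed. The script below is an added example, not part of the original change request or of xrootd itself. It assumes a simplified authdb record layout (idtype, id, then path/privilege pairs, with letters after '-' revoked); the path /glast and the account otherprod are constructed sample values.

```python
# Added example: audit an XRootD-style authorization file for delete privileges.
# Assumed record layout: <idtype> <id> <path> <privs> [<path> <privs> ...]
# Assumed privilege letters: a=all, d=delete, i=insert, l=lookup, r=read, w=write;
# letters following '-' are treated as revoked.

ALLOWED_DELETERS = {"glastxrw"}  # from the page: only glastxrw may remove files

# Constructed sample rules; /glast and otherprod are placeholders, not from the page.
SAMPLE_AUTHDB = """\
u * /glast rwil
u glastxrw /glast a
u otherprod /glast rwild
u someuser /glast a-d
"""

def grants_delete(privs):
    """True if the privilege string grants delete ('d' or 'a') and does not revoke it."""
    positive, _, negative = privs.partition("-")
    granted = "d" in positive or "a" in positive
    return granted and "d" not in negative and "a" not in negative

def delete_holders(authdb_text):
    """Return sorted (idtype, id, path) tuples for every rule that grants delete."""
    holders = set()
    for raw in authdb_text.splitlines():
        fields = raw.split()
        if not fields:
            continue  # skip blank lines
        if len(fields) < 4 or len(fields) % 2 != 0:
            raise ValueError(f"malformed rule: {raw!r}")
        idtype, ident, pairs = fields[0], fields[1], fields[2:]
        for path, privs in zip(pairs[0::2], pairs[1::2]):
            if grants_delete(privs):
                holders.add((idtype, ident, path))
    return sorted(holders)

def policy_violations(authdb_text, allowed=ALLOWED_DELETERS):
    """Return delete grants held by anything other than an allowed user id."""
    return [h for h in delete_holders(authdb_text)
            if not (h[0] == "u" and h[1] in allowed)]

if __name__ == "__main__":
    for idtype, ident, path in policy_violations(SAMPLE_AUTHDB):
        print(f"unexpected delete privilege: {idtype} {ident} on {path}")
```

An empty result from policy_violations means the file matches the intended policy; any wildcard, group or host rule that grants delete is reported as well, since it would extend removal rights beyond the single production user.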
