The xrootd redirectors are configured to forward a client's file remove request to all of their data servers. Therefore they have to be configured so that only certain clients are allowed to
remove files. Only one production user should be allowed to remove files, either through the redirector or a data server.
Authorization was set up for the Fermi test xrootd redirectors. It was confirmed that clients are still able to read and write files, but only glastxrw is able to remove files.
The configuration can be rolled back by using the old xrootd configuration and authorization. A restart of the xrootd servers is needed.
https://jira.slac.stanford.edu/browse/SSC-199
Authentication and authorization were turned on for all of the xrootd data servers in order to restrict access to the Fermi data to Fermi members only; write and remove privileges are granted only to production accounts. No restrictions were needed for the redirectors, as all they did was redirect clients to the data servers.
The redirectors got reconfigured so that they are able to remove files, and therefore authentication and authorization have to be turned on.
The same authentication scheme as used for the data servers will be used and the authorization will be very simple:
1. All users are allowed to read and write files (this is later restricted by the data servers)
2. Only glastxrw is allowed to remove files
For the data servers we would like to change the authorization so that only the glastxrw user is able to remove files (so far other production accounts are also allowed).
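An added example (not part of the original page or the xrootd project): a small audit that reads an authorization file and reports every record granting the remove privilege to anyone other than glastxrw. It assumes a simplified reading of the authdb record format (`idtype id path privs ...`, with `d` = delete, `a` = all, letters after `-` denied); the path `/example/fermi` and the account `otherprod` are constructed placeholders.

```python
# Added example. Simplified authdb reading (assumption): each record is
#   <idtype> <id> <path> <privs> [<path> <privs> ...]
# and in <privs> 'd' = delete, 'a' = all, letters after '-' are denied.
ALLOWED_REMOVER = ("u", "glastxrw")  # the only identity the page allows to remove

def grants_delete(privs):
    """True if a privilege string grants delete and does not also deny it."""
    granted, _, denied = privs.partition("-")
    return bool(set(granted) & {"a", "d"}) and not set(denied) & {"a", "d"}

def delete_grants(authdb_text):
    """Return (idtype, id, path) for every record that grants delete."""
    findings = []
    text = authdb_text.replace("\\\n", " ")  # join backslash-continued records
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank line, comment, or no path/privs pair to inspect
        idtype, ident, rest = fields[0], fields[1], fields[2:]
        for path, privs in zip(rest[0::2], rest[1::2]):
            if grants_delete(privs):
                findings.append((idtype, ident, path))
    return findings

def violations(authdb_text):
    """Delete grants held by anyone other than the allowed remover."""
    return [f for f in delete_grants(authdb_text) if f[:2] != ALLOWED_REMOVER]

# Constructed sample: everyone may look up, read, write and create;
# only glastxrw holds all privileges (including delete).
SAMPLE_OK = """\
# constructed sample, path is a placeholder
u * /example/fermi lrwi
u glastxrw /example/fermi a
"""
# Same file with a second (constructed) production account still allowed to delete.
SAMPLE_BAD = SAMPLE_OK + "u otherprod /example/fermi rwd\n"

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, violations(sample))
```

Running it against the authorization file before the restart gives a quick confirmation that no other production account retains the remove privilege.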
After changing the authorization files and xrootd config file the redirectors have to be restarted in order to activate these changes.
The data servers do not need to be restarted as they reread the authorization file periodically.