The storage-authzdb file

The file /etc/grid-security/storage-authzdb maps abstract users to uids and gids to allow authorisation to

The first non-comment line specifies the file format version number. This allows future versions of gPlazma to safely parse older, existing files.

The following lists an example storage-authzdb file that was auto-generated by the dcacheVoms2Gplasma.py command.

# storage-authzdb created by dcacheVoms2Gplasma
version 2.1

# authzdb for dteam001 added by dcacheVoms2Gplasma
authorize dteam001 read-write 18118 2688 / / /

# authzdb for prddtm01 added by dcacheVoms2Gplasma
authorize prddtm01 read-write 50501 2689 / / /

# authzdb for sgmdtm01 added by dcacheVoms2Gplasma
authorize sgmdtm01 read-write 60501 2690 / / /

# authzdb for ops001 added by dcacheVoms2Gplasma
authorize ops001 read-write 45001 45000 / / /

# authzdb for sgmops01 added by dcacheVoms2Gplasma
authorize sgmops01 read-write 60701 46001 / / /

Each abstract user mapping is described by a single line. The line starts with the keyword authorize (as in the example above), followed by the name of the abstract user. The attributes that follow describe how that user is mapped.

The next item after the abstract user name states whether the user is allowed to write (read-write) or not (read-only). After that come the user's uid and gid values.

The final three items are absolute paths. Of these, the second is the most pertinent, as it specifies the directory under which the user is authorised.

Not Carte Blanche

Please note that an operation acting on some portion of the namespace within a user's authorisation base directory is not guaranteed to succeed. A user attempting to write into a subdirectory of their authorisation base directory may still fail.

Whether an operation succeeds also depends on the abstract user's uid and gid and on the directory permissions within the namespace. For example, if a user that is mapped to an abstract user with an authorisation base directory of /pnfs/fzk.de/data/gks tries to write into the directory /pnfs/fzk.de/data/gks/test-1, then this operation may still fail if directory test-1 is not owned by the user's uid and has group- and world-write permissions switched off.

The simplest configuration is to specify all three paths as the root path (/). This is the configuration adopted by default.
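The following is an added example, not dCache or gPlazma code, that ties together the record layout described above and the "not carte blanche" caveat: it parses a storage-authzdb file (checking the version line, the authorize keyword, the access mode and that all three paths are absolute), decides whether a requested path falls under the abstract user's authorisation base directory, and then applies an ordinary POSIX owner/group/other write check against the target directory's uid, gid and mode, so that the test-1 case from the text is visible as "authorised, but the write still fails". The field names home and fsroot for the first and third paths, the user gksuser and its uid/gid, and the POSIX check standing in for dCache's own permission handler are assumptions; the sample file is constructed from the page's example plus one extra entry.

```python
"""Parse storage-authzdb and evaluate a write request against one entry.

Added example, not dCache code. Record layout taken from the page:
  authorize <user> <read-write|read-only> <uid> <gid> <home> <root> <fsroot>
The names 'home' and 'fsroot' are assumptions; the page only states that the
second path is the authorisation base directory.
"""
import posixpath
import stat
from dataclasses import dataclass

# Constructed sample: the page's dteam001 entry plus one entry (gksuser, an
# assumed name/uid/gid) whose base directory matches the text's example.
SAMPLE_AUTHZDB = """\
# storage-authzdb created by dcacheVoms2Gplasma
version 2.1

# authzdb for dteam001 added by dcacheVoms2Gplasma
authorize dteam001 read-write 18118 2688 / / /

# constructed entry with a restricted authorisation base directory
authorize gksuser read-write 50501 2689 /pnfs/fzk.de/data/gks /pnfs/fzk.de/data/gks /
"""

SUPPORTED_VERSIONS = {"2.1"}


@dataclass(frozen=True)
class AuthzEntry:
    user: str
    read_write: bool
    uid: int
    gid: int
    home: str    # first path (name assumed)
    root: str    # second path: authorisation base directory
    fsroot: str  # third path (name assumed)


def parse_authzdb(text):
    """Return {user: AuthzEntry}; raise ValueError on any malformed line."""
    entries = {}
    version_seen = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if not version_seen:
            # The first non-comment line must be the file format version.
            if len(fields) != 2 or fields[0] != "version":
                raise ValueError(f"line {lineno}: expected 'version <n>' first")
            if fields[1] not in SUPPORTED_VERSIONS:
                raise ValueError(f"line {lineno}: unsupported version {fields[1]}")
            version_seen = True
            continue
        if fields[0] != "authorize" or len(fields) != 8:
            raise ValueError(f"line {lineno}: malformed authorize record")
        _, user, mode, uid, gid, home, root, fsroot = fields
        if mode not in ("read-write", "read-only"):
            raise ValueError(f"line {lineno}: bad access mode {mode!r}")
        for p in (home, root, fsroot):
            if not p.startswith("/"):
                raise ValueError(f"line {lineno}: path {p!r} is not absolute")
        if user in entries:
            raise ValueError(f"line {lineno}: duplicate user {user!r}")
        entries[user] = AuthzEntry(
            user, mode == "read-write", int(uid), int(gid),
            posixpath.normpath(home), posixpath.normpath(root),
            posixpath.normpath(fsroot))
    if not version_seen:
        raise ValueError("no version line found")
    return entries


def under_base(path, base):
    """True if the normalised path equals base or lies inside it."""
    path = posixpath.normpath(path)   # collapses '..' so it cannot escape base
    base = posixpath.normpath(base)
    if base == "/":
        return path.startswith("/")
    return path == base or path.startswith(base + "/")


def authorised_for_write(entry, path):
    """First gate: the authzdb record alone (read-write flag, base directory)."""
    return entry.read_write and under_base(path, entry.root)


def posix_write_allowed(entry, dir_uid, dir_gid, dir_mode):
    """Second gate: owner/group/other write bits of the target directory.
    Plain POSIX semantics, assumed here as a stand-in for dCache's handler."""
    if entry.uid == dir_uid:
        return bool(dir_mode & stat.S_IWUSR)
    if entry.gid == dir_gid:
        return bool(dir_mode & stat.S_IWGRP)
    return bool(dir_mode & stat.S_IWOTH)


def can_write(entry, path, dir_uid, dir_gid, dir_mode):
    """Both gates must pass: authzdb authorisation and namespace permissions."""
    return (authorised_for_write(entry, path)
            and posix_write_allowed(entry, dir_uid, dir_gid, dir_mode))
```

With the sample file, gksuser is authorised for /pnfs/fzk.de/data/gks/test-1, yet can_write returns False when test-1 is owned by some other uid and gid with mode 0755, which is exactly the failure the text describes; the same call with the directory owned by uid 50501 succeeds. The parser rejects a file whose first non-comment line is not the version marker, so an operator editing the file by hand gets an error rather than a silently ignored entry.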