J Jensen
CCLRC RAL
Data Management AUZN (mostly about SRM though)
GGF 16, Athens
J Jensen <[email protected]>
GIN!
“Gimme Interoperability Now!!”
[Diagram: two separate islands, labelled “SRB ISLAND” and “SRM ISLAND”]
SRB – IANASRBE
• SRB is not SRM
– Different aims, different users
– SRB provides its own Data Grid
• AUTHN:
– Username/password
– GSI for S commands (if compiled in)
– Define id mapping…
• Access control replicated with data
– Group permissions
SRM Overview
• SRM is a file control protocol
– GGF standard – GSM-WG
– SOAP/HTTP over GSI sockets
• Something else does the transfer
– WAN: Usually GridFTP
– LAN: “local” protocol (RFIO, DCAP,…)
Implementations
• “Special” ones – for specific tape MSS
– JLAB, LBNL, CERN/RAL
• General purpose (usually to disk)
– DPM from CERN/LCG,
– dCache from DESY/FNAL,
– StoRM from INFN
SRM Versions
• Designers:
– “ACL not a major priority”
• Implementers:
– Listen to users (often)
• Users:
– “ACL not a major priority” (HEP)
• Version 1.1
– Secure (GSI), but…
– No functions for ACL
• Version 2.1
– Unixy +rwxrwxrwx
– …POSIX
Implementations (which implementation provides which SRM version)

| Implementation | SRM 1.1 | SRM 2.1 |
|---|---|---|
| dCache | YES | Not seen yet |
| DPM | YES | YES |
| CASTOR1 | YES | NO |
| CASTOR2 | NO | YES |
File Transfer (transfer protocol by implementation and area)

| Implementation | LAN | WAN |
|---|---|---|
| dCache | DCAP | GridFTP |
| DPM | RFIO | GridFTP |
| CASTOR | RFIO | GridFTP |
“Local” Protocols
• Traditional insecure versions…
– Use Unix UID for authentication
– No data confidentiality (encryption)
• Both RFIO and DCAP have GSI versions
– Not always used by default
– Need hostcerts for pool nodes
– Don’t necessarily encrypt
– GSI/SSL negotiations slow
GridFTP Implementations
• Use GSI authentication
• Authorise by DN, using gridmap files
• Don’t encrypt data by default
– Or large transfers would be slow
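Because GridFTP authorisation rests on the gridmap file, the file itself is worth auditing. The following is an added example, not code from the slides or from any GridFTP implementation; the sample file, the DNs and the set of accounts treated as privileged are all constructed for the illustration, and the entry format assumed is the usual quoted-DN-then-accounts layout.

```python
import re
from collections import Counter

# Constructed sample grid-mapfile (assumed format: quoted DN, whitespace,
# comma-separated local accounts, '#' comments). Not from the slides.
SAMPLE_GRIDMAP = '''
# grid-mapfile on a pool node (constructed example)
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=alice example" alice
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=bob example" bob,hepgrp
"/DC=org/DC=example/CN=srm-service" srm
"/DC=org/DC=example/CN=dodgy admin" root
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=alice example" hepgrp
'''

ENTRY_RE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')
# Local accounts that should never be reachable via a DN mapping (assumed).
PRIVILEGED = {'root', 'srm'}

def parse_gridmap(text):
    """Return (dn, [accounts]) entries in file order; malformed lines raise."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            # Do not skip silently: an ignored line hides an intended mapping.
            raise ValueError(f'line {lineno}: malformed grid-mapfile entry')
        dn, accounts = m.groups()
        entries.append((dn, accounts.split(',')))
    return entries

def audit_gridmap(text):
    """Flag DNs mapped to privileged accounts and DNs listed more than once."""
    entries = parse_gridmap(text)
    findings = []
    for dn, accounts in entries:
        priv = sorted(set(accounts) & PRIVILEGED)
        if priv:
            findings.append(('privileged-mapping', dn, priv))
    # A duplicated DN is ambiguous: which entry wins depends on the server.
    for dn, n in Counter(dn for dn, _ in entries).items():
        if n > 1:
            findings.append(('duplicate-dn', dn, n))
    return findings

if __name__ == '__main__':
    for finding in audit_gridmap(SAMPLE_GRIDMAP):
        print(*finding)
```

Run against the sample it reports two privileged mappings and one duplicated DN; pointing it at a real pool node's gridmap file is the same call with the file contents.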
DPM 1.5 Improved Security
• Integrated access control in nameserver
– GridFTP, SRM, RFIO: consistent ACL
• RFIO
– GSI only – No Encryption
• Performance vs confidentiality
• POSIX ACLs
• VOMS
StoRM Security
• Requires ACL capable filesystem
– GPFS (ext3, ReiserFS, …)
• Being tested by INFN CNAF
CASTOR 2 SRM
• Access control not implemented yet
• Will rely on CASTOR for ACL
SRM Data Movers: Gaps
• Data movers must update ACLs when moving data
– Support SRM 2.1
– Some copy as user (delegated)
– Some as a service
• Not quite trivial
– Data movers don’t have special privileges
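A toy model of the gap on this slide, added here and not code from any SRM data mover: a copy made under the mover's own identity is owned by the mover, and without special privileges it cannot hand the file back to the original owner. The names Entry, move_with_delegation and move_as_service are invented for the illustration.

```python
from dataclasses import dataclass, replace

# Constructed model (not from any SRM implementation) of ACL propagation by
# a data mover. Ownership plus Unixy rwxrwxrwx bits stand in for the ACL.

@dataclass(frozen=True)
class Entry:
    owner: str
    group: str
    mode: int   # Unixy rwxrwxrwx bits, as in SRM 2.1

def chown(entry, caller, new_owner, privileged=False):
    """Model of POSIX chown: only a privileged caller may give a file away."""
    if new_owner != caller and not privileged:
        raise PermissionError('chown to another user needs special privileges')
    return replace(entry, owner=new_owner)

def copy_as(src, caller):
    """The new copy is owned by whoever performed the copy; bits are kept."""
    return Entry(owner=caller, group=src.group, mode=src.mode)

def move_with_delegation(src, user):
    """Mover acts with the user's delegated credential: ownership is kept."""
    return copy_as(src, user)

def move_as_service(src, service, privileged=False):
    """Mover copies as itself, then has to restore the original owner."""
    dst = copy_as(src, service)
    return chown(dst, service, src.owner, privileged)

def acl_preserved(src, dst):
    """True when owner, group and mode survived the move."""
    return (src.owner, src.group, src.mode) == (dst.owner, dst.group, dst.mode)
```

The delegated path preserves the ACL with no extra step; the service path only succeeds if the mover is granted the privilege the slide says it does not have.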
Back Doors?
• File written via Grid can sometimes be read with local protocol
– Or via SRM 1.1?
• Privileged (root/admin) access
– Storage Filename is often “random”
– Rarely a concern
Conclusions
• GIN: Two Islands – SRM and SRB
• WAN protocols secure (sort of)
– But no data encryption by default
• Increasingly, LAN protocols are secured
• Implementations are available (sort of)
– SRM 1.1 is still widely used