simonsobs-uk / data-centre

This tracks the issues in the baseline design of the SO:UK Data Centre at Blackett
https://souk-data-centre.readthedocs.io
BSD 3-Clause "New" or "Revised" License

how to "chgrp" in grid storage system? #33

Open ickc opened 7 months ago

ickc commented 7 months ago

In a traditional POSIX-compliant FS, we can just chgrp and set the group permission bits to share with other collaborators in the same group. In a grid storage system, how do we achieve that?

In particular, under the SO:UK VO, @earosenberg is trying to share a sub-directory erosenberg/toast_sims with others, but to me it is empty.

ickc commented 7 months ago

More info:

@earosenberg tried to gfal-chmod it to be world-readable, and apparently it is, but we still can't read it.

```
$ gfal-ls root://bohr3226.tier2.hep.manchester.ac.uk:1094//dpm/tier2.hep.manchester.ac.uk/home/souk.ac.uk/erosenberg -l 
dr-xr-xr-x   0 0     0     3220151681 Nov 20 11:10 conda_tarballs
----------   0 0     0            11 Nov 20 12:18 hello-davs.txt
----------   0 0     0            11 Nov 20 12:18 hello-root.txt
dr-xr-xr-x   0 0     0     202252714 Dec 13 15:15 toast_sims
$ gfal-ls root://bohr3226.tier2.hep.manchester.ac.uk:1094//dpm/tier2.hep.manchester.ac.uk/home/souk.ac.uk/erosenberg/toast_sims
gfal-ls error: 84 (Invalid or incomplete multibyte or wide character) - Failed reading directory: [ERROR] Error response: invalid argument (Unknown error 400)
$ xrdfs bohr3226.tier2.hep.manchester.ac.uk
[bohr3226.tier2.hep.manchester.ac.uk:1094] / > cd souk.ac.uk/erosenberg
[bohr3226.tier2.hep.manchester.ac.uk:1094] /souk.ac.uk/erosenberg > ls
/souk.ac.uk/erosenberg/conda_tarballs
/souk.ac.uk/erosenberg/hello-davs.txt
/souk.ac.uk/erosenberg/hello-root.txt
/souk.ac.uk/erosenberg/toast_sims
[bohr3226.tier2.hep.manchester.ac.uk:1094] /souk.ac.uk/erosenberg > ls toast_sims
[ERROR] Server responded with an error: [3000] Unable to open directory /souk.ac.uk/erosenberg/toast_sims; invalid argument
```

@afortiorama, what should we be doing to make sure others can read it? For now we are OK with it being world-readable, but we'd also want to know how group permissions work in the grid storage system. For example, if we make it not world-readable but group-readable, what are the "groups" here? Is it anyone within the same VO?

afortiorama commented 7 months ago

It seems gfal-chmod doesn't work. The ACLs reported by root in xrdfs are not the real ones. The ACLs in DPM are stored in a MySQL database, so the only way to really change them is as DPM administrator. The default is rwx for group; I've added a mask which hopefully will allow directories to be created with wider permissions. gfal-mkdir uses 750 by default now, I think, and if you use `gfal-mkdir -m 770` it should create it with 770.

I've changed erosenberg/toast_sims to 750; now it should be accessible. Can you try? Can you also test creating new directories?

xrdfs also creates with 750 by default, and you can try `mkdir -mrwxrwx--- test10` to create it with 770. This worked for me, but you cannot change it anymore once it is created.
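
An added example, not part of the original thread: because the comment above says the permission bits reported over xrootd are not the real DPM ACLs, this script has a collaborator test each subdirectory by actually listing it rather than trusting the `gfal-ls -l` mode column. `probe_dirs` and the `GFAL_LS` override are hypothetical names; it assumes gfal2-util is installed, a valid VO proxy exists, and entry names contain no spaces.

```shell
#!/bin/sh
# Added example, not from the thread. GFAL_LS can be overridden (assumption
# made here so the logic can be exercised without grid access).
GFAL_LS=${GFAL_LS:-gfal-ls}

# probe_dirs BASE_URL
#   Lists BASE_URL with -l, then tries to list every entry whose mode string
#   starts with 'd'. Prints "<advertised mode> <OK|UNREADABLE> <name>".
#   Returns 0 if every directory could be listed, 1 if any could not,
#   2 if BASE_URL itself could not be listed.
#   UNREADABLE means the listing failed for any reason (ACL, network, proxy).
probe_dirs() (
    base=${1%/}
    rc=0
    listing=$("$GFAL_LS" -l "$base") || return 2
    while read -r mode rest; do
        case "$mode" in
            d*) ;;            # directory: probe it
            *)  continue ;;   # file or blank line: skip
        esac
        name=${rest##* }      # last whitespace-separated field
        if "$GFAL_LS" "$base/$name" </dev/null >/dev/null 2>&1; then
            status=OK
        else
            status=UNREADABLE
            rc=1
        fi
        printf '%s %s %s\n' "$mode" "$status" "$name"
    done <<EOF
$listing
EOF
    return "$rc"
)

# Usage (URL taken from the thread):
#   probe_dirs root://bohr3226.tier2.hep.manchester.ac.uk:1094//dpm/tier2.hep.manchester.ac.uk/home/souk.ac.uk/erosenberg
```

A directory reported as `dr-xr-xr-x UNREADABLE` is one whose advertised bits disagree with what the storage actually allows, which per the thread needs the DPM administrator to fix.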

afortiorama commented 7 months ago

PS: the grid storage was not really created to behave like a live file system. This has always been a cause of frustration to single users. But it works well for the large experiments with a framework and data management. I set the ATLAS ACLs in 2010 and never had to change them again; this is just to explain why things are like this.

ickc commented 7 months ago

Thanks, @afortiorama. I now have access to that directory. I think I remember you asking about this in a mailing list. Now I see how they are connected.

I am still not completely sure what happened, because rwx for group should be fine. Does group here mean people from the same VO? More strangely, there are other directories by @earosenberg where I can read and ls (x), just not the one above.

Also, you mentioned a mask was added; what exactly does that mean? Would it be world-readable by default?

Is there anything we should add to the documentation to inform the users? E.g. should we tell the users to always use `gfal-mkdir -m 750 ...`? Or, as you said, is it the new default so we do not need to inform users to do so? How about when gfal-copy is used? The man page of gfal-copy doesn't seem to have a similar flag.

ickc commented 7 months ago

We'll assume no documentation is needed and things will happen automatically. We'll leave this open for a bit, with the next release as the deadline.

ickc commented 5 months ago

@afortiorama, we are seeing a similar problem at root://bohr3226.tier2.hep.manchester.ac.uk:1094//dpm/tier2.hep.manchester.ac.uk/home/souk.ac.uk/chervias/BBMASTER/schedules

Could you help change the permission there? Thanks.

@chervias, I assume you're OK with this, as you share your job script with me, which needs to read from here?

chervias commented 5 months ago

Yes, go ahead. Let me know if you have any trouble accessing a file.

ickc commented 5 months ago

@afortiorama, is there any update on this? We have trouble accessing root://bohr3226.tier2.hep.manchester.ac.uk:1094//dpm/tier2.hep.manchester.ac.uk/home/souk.ac.uk/chervias/BBMASTER/schedules with a similar problem. Could you help fix the permission? Thanks.