08 February 2007

So I had suggested to the DPM team that what I needed to do to overcome the error reported in the blog was to add a new ACL, which would allow the ordinary (i.e., non-VOMS role) ATLAS users to write into the generated directories, regardless of who had first created them.

The magic command to do this is:

# dpns-setacl -m d:g:atlas:rwx /dpm/gla.scotgrid.ac.uk/home/atlas/generated

(Your domain may vary...)

The intital "d" means "default" and ensures that this ACL is inherited by all newly created sub-directories (and the "g" means a "group" ACL).

I set this two days ago and found a friendly Melbourne ATLAS user (thanks Glen!) to help me test this - and it worked. In the 2007-02-07 directory, which had been created with the atlas/Role=lcgadmin group Glen was able to write a file as a normal ATLAS user.

So, the current situation for fixing up your DPM for ATLAS involves:

  1. Running the new script, which doesn't mess up the ACL owning user and group of the "root" directory - you can get than from http://www.physics.gla.ac.uk/~graeme/misc/update_acl_formysql.tar.gz.
  2. Then adding the additional ACL above to the generated directory.

Of course, you might just want to wait for some more complete fix to emerge from WLCG.

In addition, I have also raised the issue of the dq2 directory with ATLAS, but have yet to receive any response - so at the moment I haven't added any ACLs here.

1 comment:

Graeme Stewart said...

If you ran the original UpdateACLForMySQL, then you also need to fix the broken ACL uid/gid on the "root" directory. To do this:

1. Use "dpns-ls -d /dpm/DOMAIN/home/atlas/{generated,dq2}" to get the correct uid/gid pair for these directories.

2. Do a "dpns-chown uid:gid" on these directories - this will reset the ACL uid:gid correctly.

3. Check it looks right with "dpns-getacl".