Changing the ACL on a tree of directories

What you need

You need three things from the user:

• <DIR> The top directory to change the permissions on
• <ROLE> The Role to be added. For instance atlas/Role=production or lhcb/lhcbprod
• <LFCHOST> The host which runs the lfc daemon for the VO

Finding the names of the directories

Before performing the changes one has to find the names of the directories affected. This should be done using the binary lfc-find tool. For performance reasons it is better to run this command on the LFC host itself. You have to be careful as this entails running the command as root.

• Log on the host
• export the environmental variable $LFC_HOST

 #export LFC_HOST=`hostname` 

• source the grid environment

#source /afs/cern.ch/project/gd/LCG-share/sl3/etc/profile.d/grid_env.sh 

• Run the lfc-find tool

#afs/cern.ch/project/gd/SC3/lfc-find/lfc-find <DIR> -type d | tee -a ./directories.out   

Changing the ACL

For each directory you need to run the set-acl command. It is recommended to have a log file, as it is an easy way to determine the time of the last entry made in the catalogue.

 
#export LFC_LIST_FILE=directories.out
#export LFC_LOG_FILE=`echo ${LFC_LIST_FILE} | cut -f 1 -d.`.log
#for dir in `cat  ${LFC_LIST_FILE}` ; do /opt/lcg/bin/lfc-setacl -m
g:<ROLE>:rwx,m:rwx,d:g:<ROLE>:rwx,d:m:rwx ${dir} >> ${LFC_LOG_FILE} 2>&1 ; echo $dir >> ${LFC_LOG_FILE} ; done

Checking that everything went fine

Check that last entry in the log file of the LFC corresponds to the last entry you were supposed to change, i.e. the last entry in the ${LFC_DIR_FILE} . For instance, try to determine the time of the last entry (e.g. timestamp of the log file from the setacl for loop in the step above) and check in the log file (look for last "setacl") which directories it corresponds to.

Changing the ACL on all files within a directory

What you need

You need three things from the user:

• <DIR> The top directory to change the permissions on
• <ROLE> The Role to be added. For instance atlas/Role=production or lhcb/lhcbprod
• <LFCHOST> The host which runs the lfc daemon for the VO

Finding the names of the files

Before performing the changes one has to find the names of all the files inside the directory affected. This should be done using the binary lfc-find tool. For performance reasons it is better to run this command on the LFC host itself. You have to be careful as this entails running the command as root.

• Log on the host
• export the environmental variable $LFC_HOST

 #export LFC_HOST=`hostname` 

• source the grid environment

#source /afs/cern.ch/project/gd/LCG-share/sl3/etc/profile.d/grid_env.sh 

• Run the lfc-find tool

#afs/cern.ch/project/gd/SC3/lfc-find/lfc-find <DIR> -type f | tee -a ./file_names.out   

Changing the ACL

#export LFC_LIST_FILE=file_names.out #export LFC_LOG_FILE=`echo ${LFC_DIR_FILE} | cut -f 1 -d.`.log For each file you need to run the set-acl command

 #for file in `cat $LFC_LIST_FILE`; do /opt/lcg/bin/lfc-setacl -m
g:<ROLE>:rw,m:rwx ${file} >> ${LFC_LOG_FILE} 2>&1 ; echo $file >> ${LFC_LOG_FILE} ; done

Checking that everything went fine

• Check that the number of lines in the log file is the same as the number of lines in the file listing the entries to change

wc -l $LFC_LIST_FILE
wc -l $LFC_LOG_FILE

• Check the LFC log file. For instance you can check that the last entry in the log file of the LFC corresponds to the last entry you were supposed to change, i.e. the last entry in the ${LFC_DIR_FILE} . For instance, try to determine the time of the last entry (e.g. timestamp of the log file from the setacl for loop in the step above) and check in the log file (look for last "setacl") which files it corresponds to.

-- Main.diana - 26 Oct 2006