Present: Matt, Stephen, John B, Brian, Sam, Wahid, John H, Gareth, Duncan, Robert, Alessandra, Chris, Elena, Jens, Govind, Ewan, Pete. DPM can't do group and user (composite) ACLs at the same time, might be able to do it directly in the database but that seems a bit fiddly. Default ACLs should be inherited by subdirectories, but only new ones. Need to change recursively. CMS might have told the storage group rather than hearing it indirectly. It wasn't clear how urgent the original request was, and that the UK was expected to implement it... Stuart raised the question but it seemed like a technical question rather than a request for an implementation. Also, four days to implement a change is not sufficient for the whole UK, particularly something as complex as this (the problem is more complex than otherwise expectced). How are ACLs supposed to work? The tools that allow setting ACLs are documented but only by example. Do we know what it's using internally - doesn't use LCAS; it validates the certificate and extracts the DN, which is the _user_, and extracts VOMS attr which maps to the role. GridFTP gets transient mappings which map to pool account. Which site s need to implement this: Brunel Imperial QMUL RHUL ECDF Glasgow ... so we need to do it for dCache and StoRM as well. For StoRM, anybody can write into the space... hacking stuff for CMS (eg a new role) might affect other VOs in some form (eg if they want the same), so will need to be thought out a bit first. StoRM has both SRM and filesystem permissions; originally the feature was documented but didn't work, but things are changing. Stuart has production role and Daniela needs this but only to move data??? Do we need a new role, a "data production"? Do other VOs want this? The really serious role is deletion of data. Of course one could also use a robot certificate... which would make lots of things simpler. We should have a think about this... Currently sites should implement group ACL. Stuart has left CMS, so we need to ensure that they are represented in the group - and that they know where to go... DMLite - is it easier to support than DPM? Tests have not fully progressed. Wahid has a test DMLite, and was considering a production DMLite. Test system was fine - is supposed to be production ready. WebDAV would be the main benefit of DMLite. Also newer If this is the future of "DPM" then we need to move sites onto DMLite, but need to move to EMI first. DPM 1.8.4 is sort of DMLite, and running a DPM 1.8.4 with DMLIte=yes would be good - need to consider the migration path - Wahid will give it a go. Database will still be the same. Also future versions may take over more stuff into DMlite, so future versions (1.8.5) may support both DMLite=no and DMLite=yes but may become increasingly DMLiteified. DMLite modules are written to handle new functionality; are they also building new modules or will they be developed by the new "collaborative" support... there might not be an RFIO DMliet module...? Information systems coming up at GDB in November; storage security. Chris spoke to Jon Perkins - would like a way to assess their usage. RAL still needs to roll out the accounting bugfix which affected T2K (and LHCb). Resources are being shared, so not clear for the individual VO how much they are using. ... related, do they need space tokens? Yes, they do... ECDF upgrades (see chat) - on upgrading to EMI, see chat log. Ewan is supposed to be T2 rep, Stephen Burke is going Slow transfers seen on some links, is there a DPM/dCache interop issue affecting ECDF. Local copies are fast but 3rd party copying slow. Send info to list... there was a mail on dpm user forum. [10:01:36] Matt Doidge joined [10:01:40] Duncan Rand joined [10:02:17] Robert Frank joined [10:02:18] Alessandra Forti joined [10:02:26] PPRC QMUL joined [10:05:27] Elena Korolkova joined [10:06:03] Govind Songara joined [10:09:22] Ewan Mac Mahon joined [10:13:55] Ewan Mac Mahon e.g. Oxford runs as a CMS T3, but they've not asked us to do anything. [10:14:09] Ewan Mac Mahon Don't know if we don't need to do it, or they haven't asked. [10:15:10] Ewan Mac Mahon left [10:15:13] Ewan Mac Mahon joined [10:15:51] Robert Frank left [10:16:01] Robert Frank joined [10:16:31] Duncan Rand oxford uses ralppd's phedex [10:17:41] Alessandra Forti cms should separate the roles [10:17:58] Duncan Rand the new role is cmsphedex [10:18:25] Ewan Mac Mahon Well, the ATLAS systems do have separate data movers too; they just don't seem to have a problem giving them the production role. [10:18:38] Alessandra Forti indeed [10:19:10] Ewan Mac Mahon I'm not sure it makes sense to have someone trusted to move (and delete) all your data, but not to burn some CPU time. [10:19:17] Ewan Mac Mahon It's the wrong way round. [10:19:42] Ewan Mac Mahon I can see limiting the data access to fewer people than production job submission, but this way makes no sense. [10:20:07] Pete Gronbech joined [10:23:40] Ewan Mac Mahon You still have to trust whoever controls the robot not to use it to submit production jobs. [10:24:04] Robert Frank left [10:24:05] Ewan Mac Mahon If you trusted her, you'd trust her not to submit production jobs. [10:24:14] Robert Frank joined [10:28:11] Ewan Mac Mahon Should his grid cert be being revoked too? [10:28:23] Jens Jensen Depends on where he is going [10:28:35] Pete Gronbech The city for cash!! [10:28:42] Ewan Mac Mahon Well, presumably it's an Imperial cert, and he's not going to be at Imperial/ [10:29:00] Ewan Mac Mahon Of course, if we can get the City folks to use the grid...... [10:29:47] Jens Jensen In that case we should revoke his cert... [10:33:52] Duncan Rand where is it going into production? [10:34:01] Duncan Rand ecdf? [10:34:03] Jens Jensen Edinburgh [10:34:33] Ewan Mac Mahon We really do need someone to install a non-DMlite DPM, then change to DMLITE=yes on their config and re-YAIM (or whatever the upgrade path is) [10:34:47] Ewan Mac Mahon rather than just installing a new DMlite system from scratch [10:35:17] Duncan Rand it is meant to be the evolution of dom isn;t it? [10:35:20] Duncan Rand dpm [10:35:32] Duncan Rand i mean there will be no DPM anymore [10:35:37] Duncan Rand as I understand it [10:36:44] Wahid Bhimji they are the same thing [10:37:32] Ewan Mac Mahon But there's this how to configure it question [10:37:52] Ewan Mac Mahon You can configure it in a 'traditional' style, or 'net hotness' style. [10:37:58] Ewan Mac Mahon Er - new. [10:38:04] Ewan Mac Mahon AIUI [10:38:17] Ewan Mac Mahon Which is this DMLITE=yes site-info.def option. [10:38:28] Ewan Mac Mahon Be useful to know exactly what that switch controls though. [10:40:05] Wahid Bhimji ps - you have to set DMLITE=no for disk servers [10:40:34] Ewan Mac Mahon Wah, really? That sucks. [10:40:43] Ewan Mac Mahon I like my common configs for everything. [10:40:47] John Bland oh great, incompatible siteinfos [10:41:11] Wahid Bhimji ah what happens if you set a yaim variable that isn't used [10:41:21] Ewan Mac Mahon Nothing happens. [10:41:30] Wahid Bhimji I mean can't you just put DMLITE=no in evertyhting then so whats the problem [10:41:34] Ewan Mac Mahon The scripts only read the ones they care about. [10:41:59] John Bland wahid: on the headnode it would eventuially be YES [10:41:59] Ewan Mac Mahon Well yes, but at some point I want to be able to set DMLITE=yes without breaking my disk servers. [10:42:25] Wahid Bhimji well at that point you can have yes on the disk servers too - no ? [10:42:39] Ewan Mac Mahon I don't know; you said it. [10:42:54] Ewan Mac Mahon Are we saying it needs to be set consistently across a DPM? [10:43:26] Wahid Bhimji All I was saying is that for now - you will also have to set it to no - unless you want to also set a bunch of webdav variables which may or may not work [10:43:57] Wahid Bhimji when you are using it then I think you will want it consistantly yet - though I don't know that is actually essential ont he disk servers [10:44:16] Wahid Bhimji but the variable is needed one way or the other on the 1.8.4 dpm disk [10:44:42] John Bland in that case it's fine, apologies [10:44:57] Wahid Bhimji oh no [10:44:58] Ewan Mac Mahon Right. So, immediate plan - set DMLITE=no on everything, then upgrade to 1.8.4, then see how you're getting on with the testing. [10:45:25] Jens Jensen http://indico.cern.ch/conferenceDisplay.py?confId=155074 [10:45:25] Wahid Bhimji Info system is not interesting to me [10:46:23] Wahid Bhimji https://www.gridpp.ac.uk/wiki/DPMUpgradeTips [10:50:00] Ewan Mac Mahon Yes, they do. [10:50:04] Ewan Mac Mahon Next. [10:50:13] John Bland t2k *have* space tokens, at least at our site [10:53:12] Ewan Mac Mahon Yes? [10:53:17] Ewan Mac Mahon Ah, you did.