File access modes

The implementation and testing of SciTokens for access creates a need to revisit the file access modes and restrictions in XrdCeph. This document provides a basic reference of the open flags that are currently sent for certain types of operations (using XRootD 5.5.0).

Writes

operation                              davs (certificate)            root (certificate)
gfal-copy                              O_RDWR | O_CREAT | O_EXCL     O_RDWR | O_CREAT | O_EXCL
gfal-copy -f                           O_RDWR | O_CREAT | O_TRUNC    O_RDWR | O_CREAT | O_TRUNC
xrdcp                                  X                             O_RDWR | O_CREAT | O_EXCL
xrdcp -f                               X                             O_RDWR | O_CREAT | O_TRUNC
curlproxy --upload-file                O_RDWR | O_CREAT | O_TRUNC    X
WLCG scitokens upload                  O_RDWR | O_CREAT | O_TRUNC    X
WLCG scitokens upload (no overwrite)   O_RDWR | O_CREAT | O_EXCL     X

Read operations are opened with a flags value of 0, i.e. O_RDONLY.

Required changes for WLCG token support

If an attempt is made to overwrite an existing file without the AOP_Create privilege, the result must be 'permission denied' rather than 'exists'
(https://github.com/xrootd/xrootd/blob/f2ce196355d956fac0785b07eb6a00308f88f8ba/src/XrdOfs/XrdOfs.cc#L630).

Changes:

Currently in the CephPosix open we have:

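    if (fileExists) {
      if (flags & O_TRUNC) {
        // Overwrite requested: remove the existing object first
        int rc = ceph_posix_unlink(env, pathname);
        if (rc < 0 && rc != -ENOENT) {
          return rc;
        }
      } else {
        // File exists and no truncation was requested
        return -EEXIST;
      }
    }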

The return -EEXIST will need to be changed to return -EACCES instead when O_EXCL is set.
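
The following is an added example, not XrdCeph code: it runs the flag combinations from the table above through the existing-file check as quoted and through one reading of the proposed change. The function names and stub_unlink() are hypothetical, and it assumes the check is reached only for write opens.

```cpp
#include <cerrno>
#include <cstdio>
#include <fcntl.h>

// Hypothetical stand-in for ceph_posix_unlink(env, pathname); always succeeds here.
static int stub_unlink() { return 0; }

// Existing-file check as quoted on the page; 0 means "carry on with the open".
int check_current(int flags, bool fileExists) {
  if (fileExists) {
    if (flags & O_TRUNC) {
      int rc = stub_unlink();
      if (rc < 0 && rc != -ENOENT) return rc;
    } else {
      return -EEXIST;
    }
  }
  return 0;
}

// Same check with the proposed change (assumed reading): an existing file
// opened with O_EXCL and without O_TRUNC yields -EACCES instead of -EEXIST.
int check_proposed(int flags, bool fileExists) {
  if (fileExists) {
    if (flags & O_TRUNC) {
      int rc = stub_unlink();
      if (rc < 0 && rc != -ENOENT) return rc;
    } else if (flags & O_EXCL) {
      return -EACCES;
    } else {
      return -EEXIST;
    }
  }
  return 0;
}

int main() {
  struct Row { const char *op; int flags; };
  const Row rows[] = {
    {"gfal-copy / xrdcp / token upload (no overwrite)", O_RDWR | O_CREAT | O_EXCL},
    {"gfal-copy -f / xrdcp -f / curl / token upload", O_RDWR | O_CREAT | O_TRUNC},
    {"write open with neither flag (constructed)", O_RDWR | O_CREAT},
  };
  for (const Row &r : rows)  // every row is evaluated against an existing file
    std::printf("%-50s current=%d proposed=%d\n", r.op,
                check_current(r.flags, true), check_proposed(r.flags, true));
  return 0;
}
```

Only the O_EXCL rows change result; overwrite (O_TRUNC) opens and opens of files that do not yet exist behave as before.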