The implementation and testing of Scitokens for access creates a need to revisit the file access modes and restrictions in XrdCeph. This document provides a basic reference of the current permissions that are sent for certain types of operations. (using 5.5.0 of XrootD)
Writes
operation | davs (certificate) | root (certificate) |
|---|---|---|
gfal-copy | O_RDWR | O_CREAT | O_EXCL | O_RDWR | O_CREAT | O_EXCL |
gfal-copy -f | O_RDWR | O_CREAT | O_TRUNC | O_RDWR | O_CREAT | O_TRUNC |
xrdcp | X | O_RDWR | O_CREAT | O_EXCL |
xrdcp -f | X | O_RDWR | O_CREAT | O_TRUNC |
curlproxy --upload-file | O_RDWR | O_CREAT | O_TRUNC | X |
WLCG scitokens upload | O_RDWR | O_CREAT | O_TRUNC | X |
WLCG scitokens upload (no overwrite) | O_RDWR | O_CREAT | O_EXCL | X |
Read operations produce a flag 0, for O_RDONLY.
Required changes for WLCG token support
If we tried to overwrite an existing file but do not have the AOP_Create privilege, then ensure we generate a 'permission denied' instead of 'exists'
Changes:
Currently in the CephPosix open we have:
if (fileExists) {
if (flags & O_TRUNC) {
int rc = ceph_posix_unlink(env, pathname);
if (rc < 0 && rc != -ENOENT) {
return rc;
}
} else {
return -EEXIST;
}
The return -EEXIST will need to be modified to return instead -EACCES if O_EXCL is set instead of O_TRUNC