Introducing Advanced Fine-grained Security in dCache-SRM for PetaByte-scale Storage Systems on Global Data Grids: gPLAZMA `grid-aware PLuggable AuthoriZation MAnagement System'

We introduce gPLAZMA (grid-aware PLuggable Authorization MAnagement) for dCache/SRM in this publication. Our work is motivated by a need for fine-grained security (Role Based Access Control or RBAC) in storage systems on global data grids, and utilizes VOMS extended X.509 certificate specification for defining extra attributes (FQANs), based on RFC3281. Our implementation, gPLAZMA in dCache, introduces storage authorization callouts for SRM and GridFTP. It allows using different authorization mechanisms simultaneously, fine-tuned with switches and priorities of mechanisms. Of the four mechanisms currently supported, one is an integration with RBAC services in the open science grid (OSG) USCMS/USATLAS Privilege Project, others are built-in as a lightweight suite of services (gPLAZMA lite authorization services suite) including the legacy dcache.kpwd file, as well as the popular grid-mapfile, augmented with a gPLAZMALite specific RBAC mechanism. Based on our current work, we also outline a list of future tasks. This work was undertaken as collaboration between PPDG Common project, OSG Privilege project, and the dCache/SRM groups at DESY, FNAL and UCSD.