3.2.2.1. ADA interface¶
Our ADA (Advanced dCache API) interface is based on the dCache API and the webdav protocol to access and process your data on dCache from any platform and with various authentication methods.
rclone is a webdav client that supports by default 4 parallel streams of data, and is installed on the spider platform.
macaroons are a token based authentication method supported by dCache. Macaroons can be used to give access to dCache data in a very granular way. This enables data managers autonomously share their data in dCache without having to reach out to SURFsara to request access.
A quick start up guide for ADA is captured in the video below:
3.2.2.1.1. Browser view¶
dCache storage can be viewed both through the Ada tools or through your browser using the web client, this is just one additional way you can explore the storage space.
As a Data manager you have direct credentials on dCache and it is possible to access the browser view using you Spider credentials [project-username] in the following link:
https://webdav-secure.grid.surfsara.nl/pnfs/grid.sara.nl/data/[PROJECT]/
Note
You may be asked for a browser certificate, just select cancel and you will be asked for your credentials
3.2.2.1.2. Using ADA¶
ADA is a wrapper of tools created by SURFsara to simplify your interactions with dCache. Rclone can support uploading and downloading data but other operations such as listing or deleting files and directories can be performed directly on the dCache API. ADA wraps all of this functionality into one clean package saving you the hassle of having to download and troubleshoot multiple packages and dependencies. ADA is installed on Spider.
This section provides examples and the steps to start using ADA to interact with your dCache storage.
3.2.2.1.2.1. Create a macaroon¶
- Requirements: credential to dCache
- username/pwd or
- x509 proxy
- Spider role: Data manager
- Action: Create a macaroon
- Output: rclone tokenfile [PROJECT_tokenfile].conf. You can share this file with any member in the project in next step.
- Description: the DM creates a macaroon for a shared directory (including the sub-directories & files). In the next step he will share the macaroon with the project team in a non-public space, either user’s home directories, or the ‘shared’ or ‘data’ project space directories.
- Example:
get-macaroon \
--url https://webdav.grid.surfsara.nl:2880/pnfs/grid.sara.nl/data/[PROJECT] \
--duration P7D \
--chroot \
--user [PROJECT]-[USER] \
--permissions DOWNLOAD,UPLOAD,DELETE,MANAGE,LIST,READ_METADATA,UPDATE_METADATA \
--ip [IP RANGE] \
--output rclone [PROJECT_tokenfile]
These permissions can be given comma separated upon creation of the macaroon:
| Permission | Function |
|---|---|
| DOWNLOAD | Read a file |
| UPLOAD | Write a file |
| DELETE | Delete a file or directory |
| MANAGE | Rename or move a file or directory |
| LIST | List objects in a directory |
| READ_METADATA | Read file status |
| UPDATE_METADATA | Stage/unstage a file, change QoS |
3.2.2.1.2.3. Inspect the macaroon¶
- Requirements: the rclone tokenfile [PROJECT_tokenfile].conf
- Spider role: Normal user
- Actions: View macaroon
- Output: the list activities and directories that you can use on dCache
- Example:
# Your macaroon is the value of 'bearer_token'
$ cat [PROJECT_tokenfile].conf
[tokenfile]
type = webdav
bearer_token = MDAxY2xvY2F0aWXXXXXXXXXXXXXXXX
url = https://webdav.grid.surfsara.nl:2880/
vendor = other
user =
password =
#View the macaroon details
$ view-macaroon [PROJECT_tokenfile].conf
location Optional.empty
identifier NDFXzXXX
cid iid:03FXXX//
cid id:39147;35932,30013;[Data Manager Name]
cid before:2020-02-05T11:01:11.577Z
cid home:/[Project folder]
cid root:/[Project folder]
cid activity:DOWNLOAD,UPLOAD,MANAGE,LIST
signature fefef25a4973e59b10ad464054dXXXXXXX
3.2.2.1.2.4. Use the macaroon¶
This section describes how to work with your files.
- Requirements: the rclone tokenfile [PROJECT_tokenfile].conf
- Spider role: Normal user
Tip
If you want to use an environment variable to set the token file, rather than having to pass it on the command line every time then you can do: $export ada_tokenfile=/path-to-mytoken/[PROJECT_tokenfile].conf and then you can omit the option ‘–tokenfile’ from all of the ada commands
Tip
You can get extra information about the submitted command and the rest call details by using the –debug option in your ada command.
3.2.2.1.2.4.1. Check your access to the system¶
–whoami
- Action: request authentication details
- Output: information about the token owner and permissions
- Example:
ada --tokenfile [PROJECT_tokenfile].conf --whoami
{
"status": "AUTHENTICATED",
"uid": 515XX,
"gids": [
511XX
],
"username": "[Data Manager name]",
"rootDirectory": "/pnfs/grid.sara.nl/data/[Project]/disk",
"homeDirectory": "/"
}
3.2.2.1.2.4.2. Listing files¶
–list <directory>
–longlist <file|directory>
–longlist –from-file <file-list>
- Action: List files or directories
- Output: List or long list of the files from the directory that the macaroon allows permission
- Example:
ada --tokenfile [PROJECT_tokenfile].conf --longlist /[DIRECTORY]
3.2.2.1.2.4.3. Get file or directory details¶
–stat <file|directory>
- Action: Show all details of a file or directory
- Output: metadata information
- Example:
ada --tokenfile [PROJECT_tokenfile].conf --stat /[FILE or DIRECTORY]
3.2.2.1.2.4.4. Create a directory on dCache¶
–mkdir <directory>
- Action: Create directories
- Output: New directory created
- Example:
ada --tokenfile [PROJECT_tokenfile].conf --mkdir /[DIRECTORY]
3.2.2.1.2.4.5. Moving or renaming files¶
–mv <file|directory> <destination>
- Action: Move file or directory. This can be used as an option also to rename a directory if the move is done in the same directory. Specify the full path and name to the source and target directory
- Output: File or Directory moved to a different dCache location or renamed
- Example:
ada --tokenfile [PROJECT_tokenfile].conf --mv /[SOURCE] /[DESTINATION]
3.2.2.1.2.4.6. Recursively remove folders¶
–delete <file|directory> [–recursive [–force]]
- Action: Delete files or directories
- Output: File or Directory is deleted
- Recursive deletion: To recursively delete a directory and ALL of its contents, add –recursive. You will need to confirm deletion of each subdir, unless you add –force.
- Alternative: rclone purge
- Example:
ada --tokenfile [PROJECT_tokenfile].conf --delete /[FILE or DIRECTORY]
ada --tokenfile [PROJECT_tokenfile].conf --delete /[FILE or DIRECTORY] --recursive
ada --tokenfile [PROJECT_tokenfile].conf --delete /[DIRECTORY] --recursive --force
# alternative
$ rclone --config=[PROJECT_tokenfile].conf purge PROJECT_tokenfile]:/disk/rec-delete/
3.2.2.1.2.4.7. Checksum¶
–checksum <file>
–checksum <directory>
–checksum –from-file <file-list>
- Action: Get the checksum of a files or files inside a directory or list of files
- Output: Show MD5/Adler32 checksums for files
- Example:
ada --tokenfile [PROJECT_tokenfile].conf --checksum /[FILE or DIRECTORY]
# create a filelist and get checksums for files in it
ada --tokenfile [PROJECT_tokenfile].conf --list /disk/mydir > files-to-checksum
sed -i -e 's/^/\/disk\/mydir\//' files-to-checksum
ada --tokenfile [PROJECT_tokenfile].conf --checksum --from-file files-to-checksum
#/disk/file1 ADLER32=80690001
#/disk/file2 ADLER32=80690001
#/disk/file3 ADLER32=80690001
3.2.2.1.2.4.8. View your usage¶
- Action: get your storage usage with Rclone
- Example:
rclone --config=[PROJECT_tokenfile].conf size [PROJECT_tokenfile]:/
3.2.2.1.2.4.9. Staging¶
The dCache storage at SURFsara consists of magnetic tape storage and hard disk storage. If your quota allocation includes tape storage, then the data stored on magnetic tape has to be copied to a hard drive before it can be used. This action is called Staging files or ‘bringing a file online’.
Your macaroon needs to be created with UPDATE_METADATA permissions to allow for staging operations.
–stage <file>
–stage <directory>
–stage –from-file <file-list>
- Action: Stage a file from tape or files in directory or a list of files (restore, bring it online)
- Output: the file or list of files comes online on disk
- Example:
#list files to get the status
ada --tokenfile [PROJECT_tokenfile].conf --longlist /[PROJECT_tape_dir]
#file1 1186443 2020-02-13 16:27 UTC tape NEARLINE
#file2 1635 2018-10-24 15:34 UTC tape NEARLINE
#stage a single file
ada --tokenfile [PROJECT_tokenfile].conf --stage /[PROJECT_tape_dir]/file1
#stage a list of files
ada --tokenfile [PROJECT_tokenfile].conf --stage --from-file files-to-unstage
3.2.2.1.2.4.10. Unstaging¶
Your macaroon needs to be created with UPDATE_METADATA permissions to allow for unstaging operations.
–unstage <file>
–unstage <directory>
–unstage –from-file <file-list>
- Action: Unstage/Release a file from tape or files in directory or a list of files
- Output: the file or list of files is unstaged and may be removed for the disk any time so dCache may purge its online replica.
#unstage a single file
ada --tokenfile [PROJECT_tokenfile].conf --unstage /[PROJECT_tape_dir]/file1
#unstage a list of files
ada --tokenfile [PROJECT_tokenfile].conf --list /tape > files-to-unstage
sed -i -e 's/^/\/tape\//' files-to-unstage
ada --tokenfile [PROJECT_tokenfile].conf --unstage --from-file files-to-unstage
3.2.2.1.2.5. Transfer Data¶
In order to transfer files from/to dCache we use the same [PROJECT_tokenfile].conf and the rclone client to trigger webdav transfers as shown below.
3.2.2.1.2.5.1. Copy data from dCache¶
rclone --config=[PROJECT_tokenfile].conf copy [PROJECT_tokenfile]:/[SOURCE] ./[DESTINATION] -P
Example, copy an existing test folder to Spider:
rclone --config=[PROJECT_tokenfile].conf copy [PROJECT_tokenfile]:/tests/ ./tests/ -P
3.2.2.1.2.5.2. Write data to dCache¶
rclone --config=[PROJECT_tokenfile].conf copy ./[SOURCE]/ [PROJECT_tokenfile]:[DESTINATION] -P
Notes on data transfers:
- The rclone ‘copy’ mode will just copy new/changed files. The rclone ‘sync’ (one way) mode will create a directory identical to the source so be careful because this can cause data loss and test first with the –dry-run flag to see exactly what would be copied and deleted
- You can increase the number of parallel transfers with the ‘–transfers [Number]’ option
- For very large files it is important to set the –timeout’ option high enough. As a rule of thumb, set it to 10 minutes for every GB of the biggest file in a collection. This may look ridiculously large, but it provides a safe margin to avoid problems with timeout issues
- Using –multi-thread-streams 1 increases the performance for large files
#example command to upload a big file
rclone --timeout=240m --multi-thread-streams 1 --config=[PROJECT_tokenfile].conf copy ./[SOURCE]/ [PROJECT_tokenfile]:[DESTINATION] -P
3.2.2.1.3. Event-driven processing¶
Events are useful when you want to know something you’re interested in happened in your dCache project space, such as when new data is available or when files are staged from tape, etc.
- Subscribe to changes in a given directory:
ada --tokenfile [PROJECT_tokenfile].conf --events changes-in-dir /[PROJECT_directory] --recursive
- Check the available channels listening to events:
ada --tokenfile [PROJECT_tokenfile].conf --channels
- Report staging events
When you start this channel, all files in the scope will be listed, including their locality and QoS. This allows your event handler to take actions, like starting jobs to process the files that are online. When all files have been listed, the command will keep listening and reporting all locality and QoS changes.
ada --tokenfile [PROJECT_tokenfile].conf --report-staged staging-in-tape-dir /[PROJECT_directory] --recursive
3.2.2.1.4. Authentication¶
In this page we gave an extended example on using ada with macaroons authentication. Ada can be used with multiple authentication options.
| Authentication | ADA commands | When to use |
|---|---|---|
| Macaroon | ada --tokenfile <filename> |
You don’t have direct access on dCache but you have a token from the project data manager that allows you certain permissions on the data |
| Username/password | ada --netrc [filename] |
You have direct usr/pwd access credentials on dCache |
| X509 Certificate | ada --proxy [filename] |
You have direct VO membership access on dCache |
Here is an example of a .netrc file that you can create in your home to use username/password authentication:
$ cat ~/.netrc:
machine webdav.grid.surfsara.nl
login [your-ui-username]
password [your-ui-password]
machine dcacheview.grid.surfsara.nl
login [your-ui-username]
password [your-ui-password]
3.2.2.1.5. Run ADA anywhere¶
In this page we gave an extended example on using ada on the Spider platform. Ada is portable and can be used on any platform. On the SURFsara UIs ADA is already on board. If you want to interact with the dCache API and transfer files from your own machine then you need to install the following prerequisites:
jq: the only dependency for executing ada commandsrclone: the client to perform transfers (MacOS: brew install rclone)
As a Data manager if you wish to create macaroons from any platform, e.g. your local machine, then you need to install the following get-macaroon and view-macaroon scripts:
wget https://raw.githubusercontent.com/sara-nl/GridScripts/master/get-macaroonwget https://raw.githubusercontent.com/sara-nl/GridScripts/master/view-macaroon- And their dependencies:
pymacaroons, python3-html2text
3.2.2.1.6. Ada configuration files¶
The user specific configuration files are written in ~/.ada/
- The URL to query the API is stored in /etc/ada.conf (system default) or ~/.ada/ada.conf (user specific, optional)
- The bearer tokens information based on a tokenfile is stored in ~/.ada/headers/. The authorization_header is created for security to prevent from reading the token as argument and be displayed in ‘ps’ info. This way the token is read from a hidden file in the user home dir
- The Events information such as the last eventID is stored in ~/.ada/channels/