Meant for:
- iRODS admins
Requirements:
- access to change iRODS rulesets and configuration files on server
In order to make optimal use of different iRODS storage resources, it is necessary to either make adjustments in the configuration of iRODS (e.g., '.irods/irods_environment.json' of the iRODS service account or '/etc/irods/service_config.json' on iRODS servers) or to modify the iRODS rulebase as defined in '/etc/irods/server_config.json'.
Usually, you do not want users to be able to choose from or interact with storage resources. For example, users should not directly interact with the SURF Data Archive resource (surfArchive) as it requires certain policies to be upheld (e.g., no small files). Here we show how to enforce these user restrictions.
In order to accomplish this you have to alter the iRODS rule base. Here follows the documentation from iRODS (https://docs.irods.org/4.2.10/system_overview/configuration/#Default%20Resource%20Configuration):
acSetRescSchemeForCreate {msiSetDefaultResc("irodsResc","null");
'acSetRescSchemeForCreate' is a preprocessing rule for creating a data object. It can be used for setting the resource selection scheme when creating a data object which is used by the put, copy and replicate operations. It takes into consideration the conditional input from the client request and the default resource as defined on the server (usually in core.re) and, along with the configuration of msiSetDefaultResc(), selects an appropriate target resource.
When the client is an administrator (rodsadmin), the following results can be expected:
| Client | Server | Result |
|---|---|---|
| iput foo | msiSetDefaultResc('surfResc1', 'preferred') | 'surfResc1' |
| iput -R 'surfArchive' foo | msiSetDefaultResc('surfResc1', 'preferred') | 'surfArchive' |
| iput foo | msiSetDefaultResc('surfResc1', 'forced') | 'surfResc1' |
| iput -R 'surfArchive' foo | msiSetDefaultResc('surfResc1', 'forced') | 'surfArchive' |
| iput foo | msiSetDefaultResc('surfResc1', 'null') | 'surfResc1' |
| iput -R 'surfArchive' foo | msiSetDefaultResc('surfResc1', 'null') | 'surfArchive' |
When the client is a regular user (rodsuser), the following results can be expected:
| Client | Server | Result |
|---|---|---|
| iput foo | msiSetDefaultResc('surfResc1', 'preferred') | 'surfResc1' |
| iput -R 'surfArchive' foo | msiSetDefaultResc('surfResc1', 'preferred') | 'surfArchive' |
| iput foo | msiSetDefaultResc('surfResc1', 'forced') | 'surfResc1' |
| iput -R 'surfArchive' foo | msiSetDefaultResc('surfResc1', 'forced') | 'surfResc1' |
| iput foo | msiSetDefaultResc('surfResc1', 'null') | 'surfResc1' |
| iput -R 'surfArchive' foo | msiSetDefaultResc('surfResc1', 'null') | 'surfArchive' |
In the line with "msiSetDefaultResc('surfResc1', 'forced')", 'surfResc1' is the resource we wish to enforce on the user. Even if the user signifies that they will use 'surfArchive', they will still be forced to use 'surfResc1'. This does not hold for the rodsadmin.
Note that in such a way, you can enforce the user to choose the correct storage resource and to only allow data objects to put in 'surfArchive' through curated data workflows.