Macaroons in dCache: sharing data made easy

Mar 15, 2016, 5:00 PM
For over a decade, dCache.ORG has provided robust software that is used at more than 80 universities and research institutes around the world, allowing these sites to provide reliable storage services for the WLCG experiments and many other scientific communities. The flexible architecture of dCache allows its component services to be deployed in a wide variety of configurations and platforms, from a single Raspberry Pi up to hundreds of nodes in multi-petabyte infrastructures. One problem that storage services like dCache share with other computer-related services is how to allow a user to share data with people the system does not know, without making that data public: delegated access. In dCache, a user can share data with other users by specifying POSIX group ownership and ACLs; however, this does not allow a user to share data with people who are not known to dCache. While some services support delegated access by first requiring unknown recipients to register themselves, users often find this awkward and unnecessary. A further benefit of providing true delegated access is that it facilitates building aggregate services: services that depend on dCache for storage. A web portal that provides an enriched view of the data stored in dCache (by including additional metadata) is an example of such an aggregate service. Without a means of delegating access, either the users of the aggregate service must be known to the dCache instance or the portal must proxy all data transfers. We present macaroons as a mechanism to support sharing data with people dCache does not know. Macaroons are a new cryptographic authorisation token that allows safe delegation. We describe various scenarios in which delegated access is useful, how macaroons are going to be supported in dCache, and the timeline for including this support in future versions of dCache.

Dr Gerd Behrmann (NeIC), Dr Patrick Fuhrmann (DESY/dCache.org), Dr Paul Millar (DESY), Mr Tigran Mkrtchyan (DESY)
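The delegation mechanism the abstract describes, shown as an added example that is not part of the original abstract and not dCache's own code: a minimal macaroon built from HMAC-SHA256. The server mints a token from a secret root key that never leaves it; a holder attenuates the token by appending caveats, where each caveat re-keys the signature so that restrictions can be added by anyone but never removed; and the server verifies by recomputing the HMAC chain from the root key and then checking every caveat against the request. The caveat vocabulary (path:, activity:, before:), the key value and the paths below are constructed for this example and are assumptions, not dCache's syntax.

```python
"""Minimal macaroon construction (mint / attenuate / verify) built from HMAC-SHA256.

An illustration of the macaroon scheme, not dCache's implementation. The caveat
kinds used here (path:, activity:, before:) are chosen for the example.
"""
import hmac
import hashlib
from dataclasses import dataclass
from typing import List, Dict


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    location: str        # hint about where the macaroon is meant to be used
    identifier: str      # names the root key on the server; carries no secret
    caveats: List[str]   # first-party caveats: predicates the server must check
    signature: bytes     # HMAC chain over identifier and caveats


def mint(root_key: bytes, location: str, identifier: str) -> Macaroon:
    """Server-side: create an unrestricted macaroon from the secret root key."""
    return Macaroon(location, identifier, [], _hmac(root_key, identifier.encode()))


def add_caveat(m: Macaroon, caveat: str) -> Macaroon:
    """Holder-side attenuation: anyone holding a macaroon can add a restriction.

    The new signature is HMAC(old_signature, caveat); the old signature is not
    kept, so the holder cannot later present a macaroon with fewer caveats.
    """
    return Macaroon(m.location, m.identifier, m.caveats + [caveat],
                    _hmac(m.signature, caveat.encode()))


def _caveat_holds(caveat: str, ctx: Dict[str, object]) -> bool:
    """Evaluate one first-party caveat against the request context (example vocabulary)."""
    kind, _, arg = caveat.partition(":")
    if kind == "path":
        # the requested path must be the caveat path itself or lie beneath it
        requested = str(ctx["path"]).rstrip("/") + "/"
        return requested.startswith(arg.rstrip("/") + "/")
    if kind == "activity":
        return ctx["activity"] in arg.split(",")
    if kind == "before":
        return int(ctx["now"]) < int(arg)
    return False  # an unknown caveat kind is treated as unsatisfied


def verify(root_key: bytes, m: Macaroon, ctx: Dict[str, object]) -> bool:
    """Server-side: recompute the HMAC chain from the root key, then check all caveats."""
    sig = _hmac(root_key, m.identifier.encode())
    for caveat in m.caveats:
        sig = _hmac(sig, caveat.encode())
    if not hmac.compare_digest(sig, m.signature):
        return False  # forged, tampered with, or a caveat was stripped
    return all(_caveat_holds(c, ctx) for c in m.caveats)


# Constructed scenario: Alice shares part of her area with Bob, who has no account.
ROOT_KEY = b"constructed-server-root-key-for-the-example"


def alice_shares() -> Macaroon:
    """dCache-like server mints for Alice; she attenuates before handing it to Bob."""
    m = mint(ROOT_KEY, "https://storage.example.org", "root-key-1")
    m = add_caveat(m, "path:/data/alice/public")
    m = add_caveat(m, "activity:READ,LIST")
    m = add_caveat(m, "before:1700000000")
    return m


def bob_requests(m: Macaroon, path: str, activity: str, now: int) -> bool:
    """The server's decision for a request presented with the macaroon."""
    return verify(ROOT_KEY, m, {"path": path, "activity": activity, "now": now})


def strip_last_caveat(m: Macaroon) -> Macaroon:
    """Tampering check: drop the last caveat but keep the signature; verify must reject."""
    return Macaroon(m.location, m.identifier, m.caveats[:-1], m.signature)


if __name__ == "__main__":
    token = alice_shares()
    print("read inside share:", bob_requests(token, "/data/alice/public/run42.root", "READ", 1690000000))
    print("write inside share:", bob_requests(token, "/data/alice/public/run42.root", "WRITE", 1690000000))
    print("stripped expiry:", bob_requests(strip_last_caveat(token), "/data/alice/public/x", "READ", 1700000001))
```

Bob, who is unknown to the storage system, is authorised purely by presenting the token; the server needs only its root key and the request context. Because attenuation is also available to Bob, he can pass a further-restricted copy (for example read-only, no listing) to a third party without involving Alice or the server.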

