What's new in dCache 12.0
Release notes
Highlights
Incompatibilities
- Removed SRM and SRM server functionality.
- Removed NIS support.
- Removed the gridmap-file gPlazma plugin. Sites must migrate to the multimap plugin.
Acknowledgments
We want to thank Shawn McKee and Niklas Edmundsson for their contributions.
Release 12.0.0
Billing
Cells
The cell command route find, in addition to the regular cell routing output, also displays TOPIC routes.
Frontend
Updated the REST API to allow space reservations:
curl -X POST \
'https://dcache-frontent-endpoint:3881/api/v1/space/tokens?accessLatency=online&retentionPolicy=replica&minSize=8192&description=foobar' \
-d ''
{"sizeInBytes":8192,"description":"foobar","id":8}
Respond with the Retry-After HTTP header when the client hits the rate limit.
gPlazma
Removed the NIS plugin as sites are (hopefully) not using it anymore.
The gridmap-file plugin has been removed. It was redundant with the multimap plugin, which covers all the same use cases. A conversion script to migrate existing gridmap files to multimap format is provided in the documentation.
NFS
Pool
If the pool identifies that the underlying repository operates in READ-ONLY mode, then all running checksum scrubbing processes will be stopped.
Scripts
Added the dcache pool benchmark command, which executes a predefined fio benchmark for all pools on the host.
Pool Manager
dCache now supports zone-aware pool selection. Zones are useful in multi-site deployments to direct traffic to pools that are geographically or topologically closest to the client.
All protocol doors (WebDAV, NFS, FTP, xrootd, etc.) propagate their zone tag through transfer messages to the pool manager. The pool manager then applies best-effort (“soft”) filtering — preferring pools in the same zone as the requesting door, with automatic fallback to the full pool list if no eligible pool in the correct zone is found.
Zone-aware routing applies to:
- Read and write selection
- Pool-to-pool (p2p) transfers — destination pools are filtered by zone in all partition types
- Staging — files recalled from tape land in a pool in the client’s zone where possible; if the selected stage pool is not a read pool, a p2p copy to the client’s zone is triggered automatically
To enable zones, assign a zone tag to pools and doors in the pool manager configuration:
psu set pool <poolname> -zone=<zonename>
And in the layout file for doors:
<door>.zone=<zonename>
SRM / SRM Client
The SRM server and SRM client are excluded from the project build and test process.
WebDAV
The browser now handles downloads natively via a temporary anchor element, showing its own progress indicator immediately upon initiation. Users can select multiple files and download them all at once from the context menu. Short-lived Macaroon tokens are generated automatically for authenticated downloads where HTTP Basic credentials cannot be passed to the browser. Certificate-based sessions are unaffected. The shared-files view, including subdirectories, now uses the same download logic as the main namespace view.
Respond with the Retry-After HTTP header when the client hits the rate limit.
dCache now supports RFC 9530 for HTTP content digest negotiation. RFC 9530 supersedes RFC 3230 and introduces Want-Repr-Digest / Repr-Digest headers. WLCG transfer tools such as FTS are adopting RFC 9530, so this change is required for compatibility.
- Clients sending Want-Repr-Digest receive a Repr-Digest response header from both the WebDAV door and pool HTTP movers.
- TPC Pull: outgoing GET and HEAD requests include both Want-Repr-Digest and Want-Digest.
- TPC Push: the Repr-Digest (or Digest as fallback) from incoming COPY requests is forwarded to the destination PUT.
- TPC Passive: Repr-Digest values on incoming PUT requests are verified against the pool checksum.
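The Want-Repr-Digest / Repr-Digest exchange and the TPC Passive style check listed above, sketched in Python as an added example (this is not dCache code). The function names are illustrative, only sha-256 and sha-512 are handled, and Structured Field parameters are rejected as malformed.

```python
import base64
import hashlib
import hmac
import re

# Assumption: only algorithms that Python's hashlib provides directly are handled.
SUPPORTED = {"sha-256": hashlib.sha256, "sha-512": hashlib.sha512}
# One dictionary member: key, then a byte sequence written as :base64:
_ENTRY = re.compile(r"^([a-z*][a-z0-9_.*-]*)=:([A-Za-z0-9+/=]*):$")

def parse_repr_digest(header):
    """Parse a Repr-Digest field value into {algorithm: raw digest bytes}."""
    digests = {}
    for item in header.split(","):
        m = _ENTRY.match(item.strip())
        if not m:
            raise ValueError(f"malformed digest entry: {item.strip()!r}")
        digests[m.group(1)] = base64.b64decode(m.group(2), validate=True)
    return digests

def parse_want_repr_digest(header):
    """Return acceptable algorithms, most preferred first (0 = not acceptable)."""
    prefs = {}
    for item in header.split(","):
        name, _, weight = item.strip().partition("=")
        pref = int(weight)
        if not 0 <= pref <= 10:
            raise ValueError(f"preference out of range: {item.strip()!r}")
        if pref > 0:
            prefs[name] = pref
    return sorted(prefs, key=lambda n: -prefs[n])

def make_repr_digest(data, want_header):
    """Sender side: answer with the most preferred algorithm we support."""
    for name in parse_want_repr_digest(want_header):
        if name in SUPPORTED:
            value = base64.b64encode(SUPPORTED[name](data).digest()).decode()
            return f"{name}=:{value}:"
    return None

def verify_repr_digest(data, header):
    """Receiver side: every digest we can compute must match the data."""
    checked = 0
    for name, expected in parse_repr_digest(header).items():
        if name in SUPPORTED:
            if not hmac.compare_digest(SUPPORTED[name](data).digest(), expected):
                return False
            checked += 1
    return checked > 0  # fail closed when no listed algorithm could be verified
```

A receiver that accepts a transfer when no listed algorithm is verifiable gives up the integrity check silently, which is why `verify_repr_digest` returns `False` in that case.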
dCache-view
This release adds OIDC Authorization Code Flow support to the dcache-view web interface.
Users can now log in to dcache-view using their institutional identity via, for example, Keycloak (Helmholtz AAI).
Configuration Changes
1. etc/dcache.conf — Frontend OIDC Settings
Add or verify the following properties:
# OIDC client credentials
frontend.authn.oidc.client-id=1234
frontend.authn.oidc.client-secret=OSwvvbbF26vioqGkeKVXy4IV7QHFbmUv
frontend.authn.oidc.token-url=https://keycloak.desy.de/auth/realms/dcache-dev/protocol/openid-connect/token
# dcache-view UI settings
frontend.static!dcache-view.endpoints.webdav=https://localhost:2881/
frontend.static!dcache-view.oidc-authz-endpoint-list=https://keycloak.desy.de/auth/realms/dcache-dev/protocol/openid-connect/auth
frontend.static!dcache-view.oidc-client-id-list=1234
frontend.static!dcache-view.oidc-provider-name-list=Helmholtz%20AAI(Keycloak)
frontend.static!dcache-view.oidc-authz-redirect-url=https://localhost:3881/api/v1/auth/callback
frontend.static!dcache-view.oidc-authz-endpoint-extra=-
2. etc/gplazma.conf — gPlazma Authentication Stack
Ensure the following plugins are configured in the correct stages:
# Auth stage — verify OIDC token
auth optional oidc
# Map stage — resolve identity to local user
map optional multimap gplazma.multimap.file=/pathtodcache/dcache/packages/system-test/target/dcache/etc/multimap-id-to-username.conf
3. etc/multimap-id-to-username.conf — Identity Mappings
Map OIDC subject identifiers to local usernames and Unix attributes:
# Keycloak identity
oidc:47055fee-1@keycloak username:usernameoidc uid:1000 gid:1000,true
4. etc/grid-security/storage-authzdb — Authorization
Verify the file starts with `version 2.1` and contains the following entries:
version 2.1
authorize username:usernameoidc read-write 1000 1000 / /
Xrootd
Zookeeper
Updated the apache-curator library, which is used to implement ZooKeeper-related functionality, such as leader election.
TLS encryption is now supported for connections between dCache and ZooKeeper. The feature uses the standard dCache PEM certificate files (`hostcert.pem`, `hostkey.pem`, `ca-certificates.pem`) already used by other services, rather than separate JKS or PKCS12 keystores. The CRL and OCSP modes are shared with the rest of dCache via the existing `dcache.authn.crl-mode` and `dcache.authn.ocsp-mode` properties.
To enable TLS for ZooKeeper, add the following to your layout or `dcache.conf`:
dcache.zookeeper.tls.enabled = true
The connection will use the host certificate and trust store already configured for the domain. See the dCache Book (config-zookeeper) for full details.