[LU-8011] Add HSM_EXEC action
| Created: | 12/Apr/16 | Updated: | 12/Apr/16 |
| Status: | Open |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Minor |
| Reporter: | Robert Read (Inactive) | Assignee: | WC Triage |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Rank (Obsolete): | 9223372036854775807 |
Description

While chatting at LUG last week, hdoreau mentioned an interesting idea of having an HSM action that a policy engine could use to send a command (via the data field) directly to a data mover. We agreed that "HSMA_EXEC" seemed like a good name for this. Could it be that this is the use case that HSMA_NONE was intended for? If so, then perhaps we could rename it to appear less vestigial.
Comments

Comment by Andreas Dilger [ 12/Apr/16 ]
There is a potential security risk from this, especially since we don't have any way to authenticate connections to the copytools. Currently, there is relatively low risk of some rogue process copying files to the archive, but if we allow arbitrary commands from a remote system this could be a problem. The question is whether there is a limited set of operations that are needed and could be plumbed in? What are the proposed use cases for this? Rather than repurpose HSMA_NONE, why not just add a new operation type? |
Comment by Robert Read (Inactive) [ 12/Apr/16 ]

I believe hdoreau had some use cases in mind, but we didn't go into details. I can imagine it would be useful for users to manage the archive storage pools and archive rules together in one tool. I suppose it could also be used by the policy engine to tell the archive to pre-fetch a data set it needs to restore, or to flush the disk cache to make room for the large amount of data it's about to send. Another possible use case I've been thinking about is creating a test mover that used parameters to do failure injection, such as pausing the request for XX seconds, dropping the request, failing with an error, etc. When I heard about the exec idea, I thought it might also be useful for this as well. Submitting HSM actions requires root privilege, so a service that accepts HSM actions from the network should certainly be reasonably secured, agreed. The mover would be responsible for ensuring that only the commands it exposed could be executed, and not arbitrary commands. It seems whatever purpose HSMA_NONE has now could be achieved with HSMA_EXEC("").
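The comment above leaves the safety of an exec-style action entirely to the mover. The following is an added, self-contained sketch (not Lustre code, and not attached to this ticket) of how a copytool could treat the action's opaque data field: parse it as `<verb> <argument>`, match the verb against a fixed table of operations the mover chooses to expose, and refuse everything else without ever invoking a shell. The function name `hsm_exec_dispatch`, the verbs, and the `data`/`len` parameters (standing in for `hai_data`/`hai_len`) are assumptions made for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: an allowlisted dispatcher for a hypothetical
 * HSMA_EXEC action. Handlers receive the argument as plain data; no
 * part of the data field is ever handed to a shell or exec'd. */
typedef int (*exec_handler)(const char *arg);

static int op_prefetch(const char *arg)     /* warm a named data set */
{ return (arg && *arg) ? 0 : -EINVAL; }

static int op_flush_cache(const char *arg)  /* make room on disk cache */
{ (void)arg; return 0; }

static int op_inject_pause(const char *arg) /* test mover: pause N seconds */
{
	char *end;
	long secs = strtol(arg, &end, 10);
	if (end == arg || *end != '\0' || secs < 0 || secs > 3600)
		return -EINVAL;
	return 0;
}

/* The complete set of operations this mover exposes. */
static const struct { const char *verb; exec_handler fn; } exec_table[] = {
	{ "prefetch",     op_prefetch },
	{ "flush_cache",  op_flush_cache },
	{ "inject_pause", op_inject_pause },
};

/* 0 on success, -EINVAL for malformed input, -EPERM for an unknown verb. */
int hsm_exec_dispatch(const char *data, size_t len)
{
	char buf[256];
	char *arg;
	size_t i;

	if (data == NULL || len == 0 || len >= sizeof(buf))
		return -EINVAL;
	memcpy(buf, data, len);
	buf[len] = '\0';
	if (strlen(buf) != len)          /* embedded NUL: reject outright */
		return -EINVAL;
	arg = strchr(buf, ' ');
	if (arg)
		*arg++ = '\0';
	for (i = 0; i < sizeof(exec_table) / sizeof(exec_table[0]); i++)
		if (strcmp(buf, exec_table[i].verb) == 0)
			return exec_table[i].fn(arg ? arg : "");
	return -EPERM;                    /* not exposed: never executed */
}
```

Authenticating who may submit the action in the first place is a separate concern that this table does not address.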