rucio-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@rucio-mcpFind datasets matching 'data16_13TeV*'"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
rucio-mcp v0.6.0
An MCP server that exposes Rucio distributed data management operations as tools for LLMs. Designed for ATLAS physicists working with grid data on analysis facilities, but usable with any Rucio instance.
What it does
rucio-mcp lets Claude (or any MCP-compatible LLM) query and manage your Rucio
data directly:
Find data: search for datasets/containers by pattern, list files, browse DID hierarchies
Check replicas: see where data is physically stored, which sites have a dataset, generate access URLs
Manage rules: list, create, update, move, approve, and delete replication rules
Monitor: check RSE storage usage, account quotas, proxy certificate validity
All tool descriptions include ATLAS dataset naming conventions so the LLM understands scope formats, AMI tags, and DID structure without extra prompting.
Related MCP server: CERN GitLab MCP Server
Installation
pip install rucio-mcpOr with pixi (recommended for ATLAS facilities):
pixi add rucio-mcpRequirements
Python 3.10+
A configured Rucio environment (
rucio.cfgand valid authentication)For x509 proxy auth: a valid VOMS proxy (
voms-proxy-init -voms <VO>)
Quick start
1. Set up authentication
x509 proxy (ATLAS sites):
voms-proxy-init -voms atlas
export RUCIO_ACCOUNT=<your_atlas_account>When installed via pixi (recommended):
ca-policy-lcg is included as a dependency and sets X509_CERT_DIR
automatically to the certificates bundled in the conda environment. No manual
configuration needed.
If you run into an error about expired CRLs
Error: Certificate verification failed.
sslutils.c:1911:error:40000405:lib(128)::outdated CRL found, revoking all certs till you get new CRL
sslutils.c:2106:error:40000411:lib(128)::certificate validation error: CRL has expiredthen you need to run the following to refresh the CRLs:
pixi run sh -c '$X509_CERT_DIR/refresh_crls.sh'or
bash
pixi exec --with rucio-mcp sh -c '$X509_CERT_DIR/refresh_crls.sh'On CVMFS-based facilities without pixi (e.g. UChicago Analysis Facility):
voms-proxy-init -voms atlas
export RUCIO_ACCOUNT=<your_atlas_account>
export X509_CERT_DIR=/cvmfs/atlas.cern.ch/repo/ATLASLocalRootBase/etc/grid-security-emi/certificates
export RUCIO_CONFIG=/cvmfs/atlas.cern.ch/repo/ATLASLocalRootBase/x86_64/rucio-clients/35.6.0/etc/rucio.cfg
rucio-mcp serve --site atlas --auth-type x509x509 proxy (CMS sites):
voms-proxy-init -voms cms
export RUCIO_ACCOUNT=<your_cms_account>
rucio-mcp serve --site cms --auth-type x5092. Test the server
rucio-mcp serveThe server speaks MCP over stdio. Configure your MCP client to launch it.
3. Configure Claude Code
Add to your .mcp.json (project) or ~/.claude.json (global).
The key name (rucio-atlas below) lets you tell Claude which Rucio server to
use — useful when you have multiple Rucio instances configured. Choose any name
you like.
With pixi (X509_CERT_DIR set automatically by ca-policy-lcg):
{
"mcpServers": {
"rucio-atlas": {
"type": "stdio",
"command": "pixi",
"args": [
"run",
"--manifest-path",
"/path/to/rucio-mcp",
"rucio-mcp",
"serve",
"--site",
"atlas",
"--auth-type",
"x509"
],
"env": {
"RUCIO_ACCOUNT": "youraccount"
}
}
}
}Without pixi (if you have CVMFS + ATLAS, use the path below; otherwise point
X509_CERT_DIR at your local CA bundle):
{
"mcpServers": {
"rucio-atlas": {
"type": "stdio",
"command": "rucio-mcp",
"args": ["serve", "--site", "atlas", "--auth-type", "x509"],
"env": {
"RUCIO_ACCOUNT": "youraccount",
"X509_CERT_DIR": "/cvmfs/atlas.cern.ch/repo/ATLASLocalRootBase/etc/grid-security-emi/certificates",
"RUCIO_CONFIG": "/cvmfs/atlas.cern.ch/repo/ATLASLocalRootBase/x86_64/rucio-clients/35.6.0/etc/rucio.cfg"
}
}
}
}4. Configure Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS)
or %APPDATA%\Claude\claude_desktop_config.json (Windows).
With pixi:
{
"mcpServers": {
"rucio-atlas": {
"type": "stdio",
"command": "pixi",
"args": [
"run",
"--manifest-path",
"/path/to/rucio-mcp",
"rucio-mcp",
"serve",
"--site",
"atlas",
"--auth-type",
"x509"
],
"env": {
"RUCIO_ACCOUNT": "youraccount"
}
}
}
}Without pixi (if you have CVMFS + ATLAS, use the path below; otherwise point
X509_CERT_DIR at your local CA bundle):
{
"mcpServers": {
"rucio-atlas": {
"type": "stdio",
"command": "rucio-mcp",
"args": ["serve", "--site", "atlas", "--auth-type", "x509"],
"env": {
"RUCIO_ACCOUNT": "youraccount",
"X509_CERT_DIR": "/cvmfs/atlas.cern.ch/repo/ATLASLocalRootBase/etc/grid-security-emi/certificates",
"RUCIO_CONFIG": "/path/to/rucio-clients/etc/rucio.cfg"
}
}
}
}HTTP mode (multi-user, OIDC)
For sites that support OIDC (e.g. the ESCAPE Virtual Research Environment), rucio-mcp can run as a hosted OAuth 2.1 Authorization Server proxy — one server for many users with no IAM registration required:
rucio-mcp serve \
--transport http \
--site escape \
--resource-url https://rucio-mcp.example.com \
--host 0.0.0.0 \
--port 8000Each site is mounted under {resource-url}/site/{name}/. Configure your MCP
client with the site URL:
{
"mcpServers": {
"rucio-escape": {
"type": "http",
"url": "https://rucio-mcp.example.com/site/escape/"
}
}
}See docs/oauth-setup.md for the full setup guide.
Shared-secret HTTP mode (single pre-authenticated client)
To expose a single pre-authenticated instance (e.g. an x509/VOMS-proxy
identity on a service host) over HTTP without the per-user OIDC bridge, start
the server with --shared-secret (or RUCIO_MCP_SHARED_SECRET). It serves one
env-built client (like stdio, honoring --auth-type) gated by a server-wide
static bearer:
export RUCIO_ACCOUNT=<your_account>
voms-proxy-init -voms atlas
rucio-mcp serve \
--transport http \
--site atlas \
--auth-type x509 \
--shared-secret "$(openssl rand -hex 32)" \
--host 0.0.0.0 \
--port 9000Clients send the secret as a bearer token (any other value → 401):
{
"mcpServers": {
"rucio-atlas": {
"type": "http",
"url": "http://host:9000/site/atlas/",
"headers": { "Authorization": "Bearer <secret>" }
}
}
}This mode serves a single --site and bypasses the OAuth bridge entirely (no
/authorize, /token, or /register). See
docs/configuration.md
for details.
Read-only mode
Start the server with --read-only to block all write operations. Tools that
create, modify, or delete replication rules will return an error instead of
executing.
rucio-mcp serve --read-onlyOr in your MCP config:
{
"mcpServers": {
"rucio-escape": {
"command": "rucio-mcp",
"args": ["serve", "--read-only"],
"env": { "...": "..." }
}
}
}Useful when you want the LLM to help explore data without the ability to accidentally create rules or modify existing ones.
Available tools
Connectivity
Tool | Description |
| Check server connectivity and version |
| Show authenticated account info |
| Show VOMS proxy certificate status and expiry |
DID discovery
Tool | Description |
| Search for datasets/containers by wildcard pattern |
| Get type, size, and timestamps for a DID |
| List immediate contents of a container or dataset |
| List all files within a DID |
| Retrieve metadata key-value pairs for a DID |
| Find containers that hold a given DID |
Replicas
Tool | Description |
| Physical replica locations (PFNs) for files |
| Dataset availability summary across RSEs |
| Dataset replica summary aggregated across a container |
Replication rules
Tool | Write? | Description |
| — | List all rules for a specific DID |
| — | List rules globally, filtered by scope/account |
| — | Detailed info for a specific rule |
| — | Full state history of rules for a DID |
| ✓ | Create a new replication rule |
| ✓ | Delete a rule (optionally purge replicas) |
| ✓ | Update lifetime, locked flag, comment, activity |
| ✓ | Reduce the number of copies in a rule |
| ✓ | Move a rule to a different RSE expression |
| ✓ | Approve a rule awaiting approval |
| ✓ | Deny a rule awaiting approval |
RSEs and storage
Tool | Description |
| List RSEs matching an expression |
| Detailed configuration info for an RSE |
| Key-value attributes for an RSE |
| Total, used, and free storage at an RSE |
| Configured space limits for an RSE |
| Transfer protocols supported by an RSE |
| Network distance (ranking) between two RSEs |
| Global transfer limit policies by activity/RSE |
Requests and transfers
Tool | Description |
| Current transfer requests between two RSEs |
| Historical transfer requests between two RSEs |
Accounts and quotas
Tool | Description |
| List accounts, optionally filtered |
| Detailed info for a specific account |
| Storage used per RSE for an account |
| Storage quota limits for an account |
| All replication rules owned by account |
Subscriptions
Tool | Description |
| List subscriptions, optionally filtered |
| Rules generated by a specific subscription |
Locks
Tool | Description |
| Locks on a specific dataset DID |
| All dataset locks at a specific RSE |
Scopes
Tool | Description |
| List all available scopes |
| Scopes owned by a specific account |
Example prompts
Once configured, you can ask Claude things like:
"Find all DAOD_PHYS containers for mc20_13TeV DSID 700320"
"Which sites have dataset X available and how complete is each replica?"
"Create a rule to replicate this dataset to a US Tier-1 disk site for 30 days"
"Is my proxy still valid? How long do I have left?"
"Show me the replication rules for this container and their current states"
"What's my storage quota at CERN-PROD_DATADISK?"
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/kratsg/rucio-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server