
Authorisation within AFS

Access control in AFS is done via ACLs (Access Control Lists). You can give different rights to multiple AFS-users and AFS-groups.
In this respect the access control is more fine-grained than normal Unix-rights.
However, access rights in AFS are set per directory, not per file. That means if you have access to one file in a directory, you have the same access to all files in it.
The rights one can give/have are explained in the AFS-Glossary.

 

Using access rights

 

You can list the access rights for a directory in unix with the command "fs listacl <path>".

e.g.

# fs listacl /afs/ipp-garching.mpg.de/
Access list for /afs/ipp-garching.mpg.de/ is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  afsbackup rl

! You can get more detailed information on the man-page on the login-node rzgate: "man fs_listacl". Just make sure the path "/afs/ipp-garching.mpg.de/common/man" is in your MANPATH-environment variable.
Similarly, you can set the access rights for a directory in unix with the command "fs setacl <path> (user|group) <rights>".
The details are again given on the man-page: "man fs_setacl".

Unfortunately, there is no recursive version of the fs setacl command.
However, you can set ACLs recursively by using the (GNU!) "find"  command :

find <path> -noleaf -type d -exec fs setacl {} (user|group) <rights> \;

! It should be noted that a new directory inherits the access rights of its parent directory at the time it is created.

 

! Best Practices :

When setting up a shared directory for a project, you should really create a group. With groups it is much easier to give rights to new members of the project.

Usually, 2 groups are better: <Project>-readers and <Project>-writers.


AFS-groups

 

Each AFS-user can create up to 20 groups for her personal use, which is encouraged when sharing directories with more than 2 persons.

The relevant commands are :

  • pts creategroup : create a new group (man pts_creategroup)
  • pts delete : delete a group (use with care!) (man pts_delete)
  • pts listowned : show your groups (man pts_listowned)
  • pts membership : show the members of a group -- or -- the groups a user is member of. (man pts_membership)
  • pts removeuser : remove a user from a group (man pts_removeuser)

 

In case you wonder, there are some global groups:

  • system:administrators : admins of this cell
  • system:authuser : people with a valid token for this AFS-cell.
  • system:anyuser : Anyone in the world with an AFS-client

 

You should be careful when giving rights to any of those groups.
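As an added example (not part of the original page), the following Python script parses the "fs listacl" output format shown above and reports any entry that grants the global groups system:anyuser or system:authuser more than read/lookup rights. The listing embedded in it is constructed for the example; the cell name and group names are placeholders.

```python
import re
import subprocess

# AFS rights are single letters: r(ead) l(ookup) i(nsert) d(elete) w(rite) k (lock) a(dminister).
# Anything beyond "rl" lets the holder change the directory's contents or its ACL.
WRITE_LIKE = set("idwka")

# The global groups that should normally get no more than "rl".
PUBLIC_GROUPS = {"system:anyuser", "system:authuser"}

# Constructed sample in the "fs listacl" format (not a real listing).
SAMPLE_LISTACL = """\
Access list for /afs/example.cell/project/shared is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlw
  alice:project-readers rl
  alice:project-writers rlidwk
Negative rights:
  bob rl
"""


def parse_listacl(text):
    """Return (path, normal, negative); normal/negative map entity -> rights string."""
    path, section = None, None
    normal, negative = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Access list for (.+) is$", line)
        if m:
            path = m.group(1)
        elif line == "Normal rights:":
            section = normal
        elif line == "Negative rights:":
            section = negative
        elif section is not None and len(line.split()) == 2:
            entity, rights = line.split()
            section[entity] = rights
    return path, normal, negative


def risky_entries(normal):
    """Public groups holding write-like rights, as a sorted list of (entity, rights)."""
    return sorted((ent, rights) for ent, rights in normal.items()
                  if ent in PUBLIC_GROUPS and WRITE_LIKE & set(rights))


def audit_directory(path):
    """Run 'fs listacl' on a real directory (needs an AFS client) and audit the result."""
    out = subprocess.run(["fs", "listacl", path], capture_output=True,
                         text=True, check=True).stdout
    return risky_entries(parse_listacl(out)[1])
```

Negative rights are parsed but not subtracted from the normal rights, so an entry flagged here may in practice be narrowed by a matching negative entry.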

 

NOTE :

When adding a user to a group or removing one from it, it may take up to 2 hours until the change takes effect.
The user who was added or removed can speed up this process by discarding the old token
and obtaining a new one.

 
