UGCS uses the OpenAFS implementation of AFS, the Andrew File System, for most of its network filesystems. It provides a number of advantages over normal NFS, including:
- Kerberos authentication
- Versatile Access Control Lists (ACL's)
- Unified namespace
- Automatic failover
- Easier management
However, AFS has some differences from normal UNIX filesystems. Most importantly, normal Unix permissions do not work- you must use ACLs instead.
If you want to learn more about AFS, we suggest you read the OpenAFS User's Guide
Our cell name is ugcs.caltech.edu
We have daily snapshots that are made around 6:45am each morning. If you accidentally delete a file, or you can (hopefully) find it in these backups. They are located in /afs/.ugcs/backups/user/username for home directories in /afs/.ugcs/backups/mail/username for mail backups.
If you need a file from earlier than "this morning", please contact us. We try to run regular backups, but due to sysadmin time constraints, they are occasionally not run.
Access Control Lists
Access Control Lists (ACL's) control who has access to files. They can be viewed, set, and cleared with the 'fs' tool. AFS sets ACLs by directory, not file- so every file in a directory has the same ACL. Although this may seem like a huge limitation at first, it has not caused any real problems- just a new way of thinking. Users do not have any access on your files unless they are granted them in an ACL- so if the acl for a directory was empty, no one could view the files in it.
ACLs can be viewed by running
fs listacl [-dir directory] If -dir is omitted, the current directory is used.
ACLs are set with
fs setacl -dir dir -acl aclspec [aclspec2] [-clear] If -clear is specified, the directory ACL is cleared before the new one is set (this is useful for removing old ACLs). ACL specifications are of the form 'user rights [-negative]', where user may be a username or 'system:anyuser' for any user (including unauthenticated users). If -negative is specified, the specified rights are taken away instead of granted (they will show up as their own entry in 'fs listacl') Rights may be any combination of the follow letters:
- a Administrative rights (can change ACLs)
- d User may delete files from the directory
- i User may add files to the directory
- k User may set locks in the directory
- l User may view the list of files in the directory
- r User may read files in the directory
- w User may write to files in the directory (this is separate from insert)
- read- the same as rl
- write- everything except 'a'
- none- none
- all- everything
By default, your home directory is 'username all system:anyuser l', so anyone can list the files in your directory (but not read them). Do not remove this permission- it is necessary for things like web hosting to work. Your public directory is 'username all system:anyuser read'.
fs setacl -dir /afs/ugcs/user/username -acl system:anyuser read # Lets anyone read the files in a directory
- Let everyone except bob read the 'notbob' folder
fs setacl -dir /afs/ugcs/user/username/notbob -acl system:anyuser read fs setacl -dir /afs/ugcs/user/username/notbob -acl bob read -negative
- Make a public drop folder
fs setacl -dir /afs/ugcs/user/username/drop -acl system:anyuser liw # Let anyone create new files, but nothing else
Accessing AFS from home
Because AFS relies on Kerberos authentication instead of trusting its clients, we allow access to AFS from outside of UGCS. To use this, you must first set up kerberos on your computer, install AFS, and then point your AFS client at our servers. Our database servers are:
>ugcs.caltech.edu 188.8.131.52 # afs-a.ugcs.caltech.edu 184.108.40.206 # afs-b.ugcs.caltech.edu 220.127.116.11 # afs-c.ugcs.caltech.edu
Recent versions of the public CellServDB have our servers in them.
To use AFS in Debian or Ubuntu, you need to install the following packages:
You must also install the OpenAFS kernel module. Install "openafs-module-source" and build it using module-assistant. The default CellServDB already contains our database servers, so you don't have to add them yourself- just make sure "ugcs.caltech.edu" is the default cell.
Once you've installed everything, get kerberos and afs tokens with
kinit && aklog You should then see afs tokens in "klist" output. If they do, you're ready to go exploring afs in /afs/.ugcs/