Documentation:AFS
AFS
UGCS uses the OpenAFS implementation of AFS, the Andrew File System, for most of its network filesystems. It provides a number of advantages over normal NFS, including:
- Kerberos authentication
- Versatile Access Control Lists (ACLs)
- Unified namespace
- Automatic failover
- Easier management
However, AFS has some differences from normal UNIX filesystems. Most importantly, normal Unix permissions do not work: you must use ACLs instead.
If you want to learn more about AFS, we suggest you read the OpenAFS User's Guide.
Our cell name is ugcs.caltech.edu.
Backups
We take daily snapshots at around 6:45am each morning. If you accidentally delete a file, you can (hopefully) find it in these backups. They are located in /afs/.ugcs/backups/user/username for home directories and in /afs/.ugcs/backups/mail/username for mail backups.
If you need a file from earlier than "this morning", please contact us. We try to run regular backups, but due to sysadmin time constraints, they are occasionally not run.
Access Control Lists
Access Control Lists (ACLs) control who has access to files. They can be viewed, set, and cleared with the 'fs' tool. AFS sets ACLs per directory, not per file, so every file in a directory has the same ACL. Although this may seem like a huge limitation at first, it has not caused any real problems, just a new way of thinking. Users have no access to your files unless an ACL grants it, so if the ACL for a directory were empty, no one could view the files in it.
ACLs can be viewed by running 'fs listacl [-dir directory]'. If -dir is omitted, the current directory is used.
ACLs are set with 'fs setacl -dir dir -acl aclspec [aclspec2] [-clear]'. If -clear is specified, the directory ACL is cleared before the new one is set (this is useful for removing old entries). ACL specifications are of the form 'user rights [-negative]', where user may be a username or 'system:anyuser' for any user (including unauthenticated users). If -negative is specified, the listed rights are taken away instead of granted (negative entries show up in their own section of 'fs listacl' output). Rights may be any combination of the following letters, or one of the shorthand names listed after them:
- a Administrative rights (can change ACLs)
- d User may delete files from the directory
- i User may add files to the directory
- k User may set locks in the directory
- l User may view the list of files in the directory
- r User may read files in the directory
- w User may write to files in the directory (this is separate from insert)
- read: the same as rl
- write: everything except 'a'
- none: no rights
- all: everything
By default, your home directory's ACL is 'username all system:anyuser l', so anyone can list the files in your directory (but not read them). Do not remove this entry: it is necessary for things like web hosting to work. Your public directory is 'username all system:anyuser read'.
ACL Examples
- Let anyone read the files in a directory
fs setacl -dir /afs/ugcs/user/username -acl system:anyuser read
- Let everyone except bob read the 'notbob' folder
fs setacl -dir /afs/ugcs/user/username/notbob -acl system:anyuser read
fs setacl -dir /afs/ugcs/user/username/notbob -acl bob read -negative
- Make a public drop folder (let anyone create new files, but nothing else)
fs setacl -dir /afs/ugcs/user/username/drop -acl system:anyuser liw
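To make the rules above concrete, here is an added Python example (not part of the UGCS page and not OpenAFS code) that parses the output format of 'fs listacl', expands the shorthand names, and works out which rights a given user ends up with once -negative entries are subtracted. It also checks a home directory's ACL against the advice above about keeping 'system:anyuser l'. The model covers individual users and system:anyuser only; pts group membership is not handled, and the 'fs listacl' output below is constructed for the 'notbob' example.

```python
"""Toy model of how AFS evaluates a directory ACL.

Added example, not code from the UGCS page or from OpenAFS.  It covers individual
users and system:anyuser only; pts group membership is not modelled.
"""

RIGHTS = "rlidwka"            # the seven AFS rights letters, in fs listacl order
SHORTHANDS = {                # names accepted by fs setacl, as listed on the page
    "read": "rl",
    "write": "rlidwk",        # everything except 'a'
    "all": "rlidwka",
    "none": "",
}


def expand_rights(spec):
    """Turn a shorthand name or a letter string into a set of rights letters."""
    letters = SHORTHANDS.get(spec, spec)
    unknown = set(letters) - set(RIGHTS)
    if unknown:
        raise ValueError("unknown rights letters: " + "".join(sorted(unknown)))
    return set(letters)


def parse_listacl(output):
    """Parse 'fs listacl' output into (normal, negative) dicts of principal -> rights set."""
    normal, negative, section = {}, {}, None
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Access list for"):
            continue
        if line == "Normal rights:":
            section = normal
        elif line == "Negative rights:":
            section = negative
        elif section is not None:
            principal, rights = line.split()
            section[principal] = expand_rights(rights)
        else:
            raise ValueError("unexpected line before a rights section: " + line)
    return normal, negative


def effective_rights(normal, negative, principal):
    """Rights that 'principal' actually has on the directory.

    Positive entries for the user and for system:anyuser are unioned, then negative
    entries for either are subtracted, so a negative entry always beats a positive
    one.  An empty ACL yields no rights at all, as the page describes.
    """
    def applies(entry):
        return entry == principal or entry == "system:anyuser"

    granted = set()
    for entry, rights in normal.items():
        if applies(entry):
            granted |= rights
    for entry, rights in negative.items():
        if applies(entry):
            granted -= rights
    return "".join(c for c in RIGHTS if c in granted)


def home_dir_lint(normal):
    """Check a home directory's positive entries against the page's advice."""
    problems = []
    anyuser = normal.get("system:anyuser", set())
    if "l" not in anyuser:
        problems.append("system:anyuser is missing 'l': web hosting will stop working")
    extra = anyuser - {"l"}
    if extra:
        problems.append("system:anyuser has more than 'l' on a home directory: "
                        + "".join(sorted(extra)))
    return problems


# Constructed sample of fs listacl output for the 'notbob' example on the page.
SAMPLE_LISTACL = """\
Access list for /afs/ugcs/user/username/notbob is
Normal rights:
  username rlidwka
  system:anyuser rl
Negative rights:
  bob rl
"""

if __name__ == "__main__":
    normal, negative = parse_listacl(SAMPLE_LISTACL)
    for who in ("username", "alice", "bob"):
        print(who, "->", effective_rights(normal, negative, who) or "(nothing)")
    print(home_dir_lint({"system:anyuser": expand_rights("read")}))
```

Run it as a script to see that 'alice' gets rl from system:anyuser while 'bob' ends up with nothing, which is exactly what the two setacl commands for 'notbob' are meant to achieve. Pipe real 'fs listacl' output into parse_listacl to check your own directories.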
Accessing AFS from home
Because AFS relies on Kerberos authentication instead of trusting its clients, we allow access to AFS from outside of UGCS. To use this, you must first set up Kerberos on your computer, install AFS, and then point your AFS client at our servers. Our database servers, in CellServDB format, are:
>ugcs.caltech.edu
131.215.176.67          #afs-a.ugcs.caltech.edu
131.215.176.68          #afs-b.ugcs.caltech.edu
131.215.176.81          #afs-c.ugcs.caltech.edu
Recent versions of the public CellServDB have our servers in them.
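Since the client will only talk to the database servers named in its CellServDB, it is worth confirming that file after installing a client. The following is an added Python example (not from the UGCS page and not OpenAFS code) that parses the CellServDB format shown above and compares a cell's database servers with the addresses you expect. The file contents in the example are constructed: the example.org stanza is made up and uses a documentation address, while the ugcs.caltech.edu entries are the three servers listed on this page.

```python
"""Parse a CellServDB file and verify a cell's database servers.

Added example, not code from the UGCS page or from OpenAFS.
"""
import ipaddress

# Constructed CellServDB excerpt.  A line starting with '>' opens a cell stanza;
# each line below it is "address #hostname".  The example.org stanza is made up
# (documentation address); the ugcs.caltech.edu entries are the ones the page lists.
SAMPLE_CELLSERVDB = """\
>example.org            #made-up cell for illustration
192.0.2.10              #afsdb.example.org
>ugcs.caltech.edu       #cell name as given on the page
131.215.176.67          #afs-a.ugcs.caltech.edu
131.215.176.68          #afs-b.ugcs.caltech.edu
131.215.176.81          #afs-c.ugcs.caltech.edu
"""


def parse_cellservdb(text):
    """Return {cell: [(address, hostname), ...]}; raise ValueError on malformed input."""
    cells, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            current = line[1:].split("#", 1)[0].strip()
            if not current:
                raise ValueError("line %d: cell line has no cell name" % lineno)
            cells[current] = []
            continue
        if current is None:
            raise ValueError("line %d: server entry before any '>' cell line" % lineno)
        addr, _, comment = line.partition("#")
        # ip_address() rejects anything that is not a literal address, which catches
        # a stray hostname or a garbled line instead of silently keeping it.
        address = ipaddress.ip_address(addr.strip())
        cells[current].append((str(address), comment.strip()))
    return cells


def dbservers(text, cell):
    """Database server addresses listed for 'cell', in file order."""
    return [addr for addr, _ in parse_cellservdb(text).get(cell, [])]


def check_cell(text, cell, expected):
    """Compare the servers listed for 'cell' with the addresses you expect."""
    found = set(dbservers(text, cell))
    expected = set(expected)
    return {"missing": sorted(expected - found), "unexpected": sorted(found - expected)}


if __name__ == "__main__":
    ugcs = ["131.215.176.67", "131.215.176.68", "131.215.176.81"]
    print(dbservers(SAMPLE_CELLSERVDB, "ugcs.caltech.edu"))
    print(check_cell(SAMPLE_CELLSERVDB, "ugcs.caltech.edu", ugcs))
```

To check a real installation, read your client's CellServDB file into a string and pass it to check_cell together with the three addresses above; an empty "missing" and "unexpected" list means the client is pointed at the servers this page names.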
Debian/Ubuntu
To use AFS in Debian or Ubuntu, you need to install the following packages:
- openafs-client
- openafs-krb5
You must also install the OpenAFS kernel module: install "openafs-modules-source" and build it with module-assistant. The default CellServDB already contains our database servers, so you don't have to add them yourself; just make sure "ugcs.caltech.edu" is the default cell.
Once you've installed everything, get Kerberos and AFS tokens with 'kinit && aklog'. You should then see AFS tokens in the "klist" output (the OpenAFS 'tokens' command also lists them). If you do, you're ready to go exploring AFS in /afs/.ugcs/.