Website:AFS
AFS
UGCS uses the OpenAFS implementation of AFS, the Andrew File System, for most of its network filesystems. It has a number of advantages over plain NFS, including:
- Kerberos authentication
- ACLs (access control lists)
- Automatic failover
- Easier management
However, it requires some changes to the way you may be used to working. Most importantly, normal Unix permissions do not control access: the group and other mode bits are ignored entirely, and the owner bits can only further restrict what the ACL already allows. You must use ACLs instead.
ACLs
ACLs can be viewed, set, and cleared with the 'fs' tool. AFS sets ACLs per directory, not per file, so every file in a directory has the same ACL. Although this may seem like a huge limitation at first, it has not caused any real problems; it is just a new way of thinking. A new subdirectory starts with a copy of its parent's ACL, but later changes to the parent do not propagate, so each subdirectory must be changed separately ('fs setacl' accepts more than one directory). Nobody has any access to your files unless an ACL entry grants it, so if the ACL for a directory were empty, no one could view the files in it.
ACLs can be viewed by running 'fs listacl directory'. If no directory is given, the current directory is used. The output lists the positive entries under 'Normal rights:' and any negative entries under 'Negative rights:'.
ACLs are set with 'fs setacl -dir dir -acl aclspec [aclspec2 ...] [-clear] [-negative]'. If -clear is specified, the directory's ACL is emptied before the new entries are added (useful for removing old entries). Each ACL specification is a pair 'user rights', where user may be a username, an AFS group, or one of the built-in groups 'system:anyuser' (everyone, including people with no Kerberos token) and 'system:authuser' (anyone authenticated to the cell). If -negative is specified, every entry given on that command is added to the negative list instead: AFS first takes the union of all positive entries that match a user (their own name, their groups, system:authuser and system:anyuser), then subtracts the union of all matching negative entries. Negative entries show up as their own section in 'fs listacl'. Rights may be any combination of the following letters:
- a Administrative rights (can change ACLs)
- d User may delete files from the directory
- i User may add files to the directory
- k User may set locks in the directory
- l User may view the list of files in the directory
- r User may read files in the directory
- w User may write to files in the directory (this is separate from insert)
The following shorthand names may be used in place of a letter string:
- read: the same as rl
- write: rlidwk, everything except 'a'
- none: no rights (removes the entry from the ACL)
- all: rlidwka, everything
By default, your home directory is 'username all system:anyuser l', so anyone can list the files in your directory but not read them. Do not remove this entry; things like web hosting need it to traverse your home directory. Your public directory is 'username all system:anyuser read'.
Examples
# Let anyone read the files in a directory (only that directory; subdirectories keep their own ACLs)
fs setacl -dir /afs/ugcs/user/username -acl system:anyuser read
# Let everyone except bob read the 'notbob' folder: the negative entry is subtracted from what system:anyuser grants bob
fs setacl -dir /afs/ugcs/user/username/notbob -acl system:anyuser read
fs setacl -dir /afs/ugcs/user/username/notbob -acl bob read -negative
# Make a public drop folder: anyone can list it and create new files in it
fs setacl -dir /afs/ugcs/user/username/drop -acl system:anyuser liw
Note that 'w' applies to every file in the directory, so with 'liw' anyone can also modify files that other people have dropped (they cannot delete them, since 'd' is not granted). If that matters, grant only 'li': the AFS fileserver lets a user with 'i' but not 'w' write to a file they created themselves, which is exactly the drop-box case.
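To make the positive/negative rule above concrete, here is an added example (not code from the UGCS page or from OpenAFS) that parses the text 'fs listacl' prints, computes the rights a given user actually ends up with, and flags directories that hand write-type rights to system:anyuser. It assumes the standard 'fs listacl' output layout shown in the samples, that group membership is supplied by the caller (nothing queries 'pts'), and that authenticated users match system:authuser while unauthenticated access matches only system:anyuser. The sample ACLs are constructed to match the notbob and drop examples.

```python
"""Reason about AFS directory ACLs offline, from `fs listacl` output.

Added example, not part of the UGCS page or of OpenAFS. Applies the AFS
rule that a user's rights are the union of every matching positive entry
minus the union of every matching negative entry. Group membership is
passed in by the caller (assumption: nothing here queries `pts`).
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

RIGHTS = "rlidwka"  # the seven AFS rights, in the order fs prints them

# Shorthand names fs setacl accepts instead of a letter string.
SHORTHAND = {"read": "rl", "write": "rlidwk", "all": "rlidwka", "none": ""}

# Rights that let a principal change the directory, its files or its ACL.
RISKY = set("idwka")

Acl = Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]


def expand_rights(spec: str) -> Set[str]:
    """'read' -> {'r','l'}; 'liw' -> {'l','i','w'}; rejects unknown letters."""
    letters = SHORTHAND.get(spec, spec)
    unknown = set(letters) - set(RIGHTS)
    if unknown:
        raise ValueError("unknown AFS right(s): " + "".join(sorted(unknown)))
    return set(letters)


def parse_listacl(output: str) -> Acl:
    """Split `fs listacl` output into (normal, negative) principal -> rights maps."""
    normal: Dict[str, Set[str]] = {}
    negative: Dict[str, Set[str]] = {}
    current: Optional[Dict[str, Set[str]]] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Access list for"):
            continue
        if line == "Normal rights:":
            current = normal
        elif line == "Negative rights:":
            current = negative
        elif current is not None:
            principal, letters = line.split()
            current[principal] = expand_rights(letters)
        else:
            raise ValueError("unexpected line before any rights section: " + line)
    return normal, negative


def effective_rights(acl: Acl, principal: str, groups: Iterable[str] = (),
                     authenticated: bool = True) -> Set[str]:
    """Rights `principal` actually gets: matching positives minus matching negatives."""
    normal, negative = acl
    if authenticated:
        matches = {principal, "system:anyuser", "system:authuser", *groups}
    else:
        matches = {"system:anyuser"}  # no token: only the anyuser entry applies
    granted = set().union(*(normal.get(p, set()) for p in matches))
    denied = set().union(*(negative.get(p, set()) for p in matches))
    return granted - denied


def world_grants(acl: Acl) -> Set[str]:
    """Rights beyond read/list that the ACL gives to absolutely everyone."""
    return acl[0].get("system:anyuser", set()) & RISKY


def setacl_argv(directory: str, entries: List[Tuple[str, str]],
                clear: bool = False, negative: bool = False) -> List[str]:
    """Build the fs setacl command line; -negative applies to every entry given."""
    argv = ["fs", "setacl", "-dir", directory, "-acl"]
    for principal, rights in entries:
        expand_rights(rights)  # validate the spec before anything is run
        argv += [principal, rights]
    if clear:
        argv.append("-clear")
    if negative:
        argv.append("-negative")
    return argv


# Constructed sample output, laid out the way fs listacl prints it.
SAMPLE_NOTBOB = """\
Access list for /afs/ugcs/user/username/notbob is
Normal rights:
  username rlidwka
  system:anyuser rl
Negative rights:
  bob rl
"""

SAMPLE_DROP = """\
Access list for /afs/ugcs/user/username/drop is
Normal rights:
  username rlidwka
  system:anyuser liw
"""

if __name__ == "__main__":
    for sample in (SAMPLE_NOTBOB, SAMPLE_DROP):
        acl = parse_listacl(sample)
        print(sample.splitlines()[0])
        for who, auth in (("bob", True), ("alice", True), ("anonymous", False)):
            got = effective_rights(acl, who, authenticated=auth)
            print(f"  {who:<10}", "".join(sorted(got, key=RIGHTS.index)) or "(none)")
        risky = world_grants(acl)
        if risky:
            print("  WARNING: system:anyuser has", "".join(sorted(risky, key=RIGHTS.index)))
```

Running it shows bob ending up with no rights on 'notbob' even though system:anyuser grants rl, and flags the drop folder because system:anyuser holds 'i' and 'w' there. To audit a real tree, feed the script the output of 'fs listacl' for each directory you care about.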