Chapter 7: The AFS File System
An AFS protection group is a list of usernames grouped to share a set of permissions on one or more directories. Any user can include any existing protection group in any ACL within your AFS cell. A protection group is designated in the format:[35]
{group_owner}:{group_name}
AFS provides three predefined protection groups:
system:anyuser This is similar to world permissions in UNIX. Any AFS user (anywhere in the world, and not necessarily authenticated) can access files or directories, according to the permissions granted (e.g., read, write).
system:authuser This is a more restrictive version of system:anyuser. Only users who have authenticated within the local cell (/afs/fnal at Fermilab) may access files, according to the permissions granted (e.g., read, write).
system:administrators This group includes only the few people in the /afs/fnal cell authorized to administer AFS.
As determined by your project's /afs area manager(s), you may need to manage, and possibly create, protection groups.
Groups can be owned by other groups or by individual userids. Group members often are not allowed to add or remove other members of the group. If a group is owned by a group, then all the members of the owner group can by default add or remove other members from the owned group. This can avoid problems when key individuals are unavailable. Having one group consisting of a few key individuals, and using this group as the owner for all your other groups is a nice, neat way to organize your groups. Find out from your /afs area manager how group ownership and permissions are assigned within your project or on your system.
AFS provides the pts command (protection server) for group-related tasks. Like the fs command, pts has several main options. Also like the fs command, you need to use an underscore between pts and the main option to access the man page. Issue the command pts help to list the main options (this list has been abbreviated to contain only the options we discuss in this section):
pts: Commands are:
adduser         add a user to a group
chown           change ownership of a group
creategroup     create a new group
delete          delete a user or group from database
examine         examine an entry
listowned       list groups owned by an entry or zero id gets orphaned groups
membership      list membership of a user or group
removeuser      remove a user from a group
setfields       set fields for an entry
Group characteristics (e.g., membership, ownership) can only be seen and/or modified according to the permissions set on the group. We refer you to the man page for pts_setfields (notice the underscore) for the full story, and present only a brief explanation here.
Every group has a set of five access flags, which represent permissions for performing sensitive tasks regarding (1) status, (2) ownership, (3) membership, (4) adding members, and (5) removing members. There is a pts main option associated with each of these tasks:
pts examine
pts listowned
pts membership
pts adduser
pts removeuser
Each flag has one of three possible values: its first letter in lowercase, its first letter in uppercase, or a hyphen. The value determines which users can issue the corresponding command option for the group as follows:
lowercase (s, o, etc.): all members of the group
uppercase (S, O, etc.): all users (i.e., system:anyuser)
hyphen (-): group owner and members of system:administrators only
As an example, we'll issue a pts examine command and examine its output:
% pts examine lisa:uss-group
Name: lisa:uss-group, id: -316, owner: lisa, creator: hanson, membership: 14, flags: S-M--, group quota: 0.
The permissions information is contained in the flags entry. The flags S-M-- are the default flags when a group is created: all users can check status and membership information, while only the group owner and administrators can verify ownership and add or remove group members.
If you can't successfully issue one of the pts command options, check the access flags! Of course, if you can't issue pts examine to check the flags, then you don't have status permissions for the group.
To list the members in a group, use the command:
% pts membership group
For example:
% pts membership lauram:www_cd_webwg_tools
returns the output:
Members of lauram:www_cd_webwg_tools (id: -454) are:
nicholls
hathaway
stolz
george
lauram
dwalsh
nelly
To list the groups to which an individual belongs, again use pts membership, but with the user's id as the argument:
% pts membership username
For example:
% pts membership aheavey
Groups aheavey (id: 6302) is a member of:
nicholls:www_reports
To show what groups a particular group or user owns, issue the command:
% pts listowned group
where group is actually either a group or an individual username. If you try to list groups owned by someone other than yourself, you may find that you do not have permission to do so.
Here are a couple of examples. To check groups owned by the group nicholls:wwwdocs, issue the command:
% pts listowned nicholls:wwwdocs
Output is returned in the format:
Groups owned by nicholls:wwwdocs (id: -306) are:
nicholls:www_cd_support
nicholls:www_cd_mgmt
nicholls:www_faw_events
nicholls:www_orgs_folkclub
nicholls:www_directorate
nicholls:www_cd_ups
nicholls:www_cd_webwg
To check groups owned by the individual user lauram, issue the command:
% pts listowned lauram
Output is returned in the format:
Groups owned by lauram (id: 1866) are:
lauram:wwwmachine
lauram:expwwwmachine
lauram:expwwwadm
To find a group's owner, use the command:
% pts examine -name group
This is helpful to determine if a group is owned by an individual or a group. For example, to find the owner of the group nicholls:www_reports, run the command:
% pts examine nicholls:www_reports
Name: nicholls:www_reports, id: -378, owner: nicholls:wwwdocs, creator: hanson, membership: 5, flags: S-M--, group quota: 0.
Its output in the entry owner indicates that it is owned by a group (nicholls:wwwdocs), not by the individual nicholls.
Note: It is best to change the owner of the group before you run fs setacl to add directory permissions for the owned group.
You can change ownership of a group using the command:
% pts chown -name owned_group -owner owner_group
Let's take for example the group owner1:groupname1, where owner1 is an individual. We want to change its ownership to a group. The group we want to own it is designated owner2:groupname2. We issue the command:
% pts chown -name owner1:groupname1 -owner owner2:groupname2
The owned group is now designated owner2:groupname1. Notice that it takes its owner designation from the owner group, and maintains its former group name. Here's a more real-life example for clarity:
% pts chown -name lauram:www_cd_webwg_tools -owner \
    nicholls:wwwdocs
The old lauram:www_cd_webwg_tools is now designated nicholls:www_cd_webwg_tools.
You can change a group's ownership to itself (and set the group's access flags appropriately if needed) to allow all members of the group to add/remove other members and perform other administrative tasks. To change the group's ownership to itself, issue the pts chown command with the same group as both arguments:
% pts chown -name nicholls:wwwdocs -owner nicholls:wwwdocs
The group designation {group_owner}:{group_name} does not change. If you need to reset the group's access flags, see man pts_setfields.
Note that there is a potentially confusing consequence of the way the group names change. All groups look like they're owned by individuals. You can always issue the command:
% pts examine -name group
to determine if the owner is an individual or a group, as shown under Show Group Ownership in section 7.7.2.
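The following shell script is an added example, not part of the Fermilab guide: it decodes the five access flags in the flags field of pts examine output (the S-M-- default discussed above), warns when a group's flags let any user add or remove members, and computes the designation a group takes after pts chown using the naming rule just described. The examine line it parses is constructed to match the format quoted in the text; no pts command is run.

```shell
#!/bin/sh
# Added example (not from the Fermilab guide). Decodes pts group access
# flags, checks for membership open to all users, and predicts the group
# designation after "pts chown". The sample examine line is constructed.

# audience CHAR: who may perform the task governed by one flag
audience() {
    case "$1" in
        [somar]) echo "group members" ;;
        [SOMAR]) echo "all users (system:anyuser)" ;;
        -)       echo "group owner and system:administrators only" ;;
        *)       echo "unknown flag '$1'" >&2; return 1 ;;
    esac
}

# decode_flags FLAGS: one line per task, in the order status, ownership,
# membership, adduser, removeuser (the SOMAR positions)
decode_flags() {
    [ ${#1} -eq 5 ] || { echo "expected 5 flags, got '$1'" >&2; return 1; }
    i=1
    for task in status ownership membership adduser removeuser; do
        printf '%-11s%s\n' "$task" "$(audience "$(printf %s "$1" | cut -c $i)")"
        i=$((i + 1))
    done
}

# flags_from_examine: read a "pts examine" line on stdin, print its flags
flags_from_examine() { sed -n 's/.*flags: \([^,]*\),.*/\1/p'; }

# open_membership FLAGS: true when the A or R flag is uppercase, i.e.
# any user at all (system:anyuser) can add or remove members
open_membership() {
    case "$1" in ???[AR]?|????[AR]) return 0 ;; *) return 1 ;; esac
}

# name_after_chown OWNED NEW_OWNER: the owner prefix is replaced by the
# new owner's own prefix (its part before ':' when the owner is a group)
# while the group name part is kept
name_after_chown() { printf '%s:%s\n' "${2%%:*}" "${1#*:}"; }

# Constructed sample, shaped like the examine output quoted in the text
SAMPLE='Name: lisa:uss-group, id: -316, owner: lisa, creator: hanson, membership: 14, flags: S-M--, group quota: 0.'
f=$(printf '%s\n' "$SAMPLE" | flags_from_examine)
decode_flags "$f"
open_membership "$f" && echo "WARNING: any user can change membership"
name_after_chown lauram:www_cd_webwg_tools nicholls:wwwdocs
```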
To add a member, use the command:
% pts adduser -user username -group group
For example:
% pts adduser -user nelly -group lauram:www_cd_webwg_tools
The new member (nelly) must have an account on the system/cluster that mounts the AFS files he or she needs to access.
To remove a member from a group, use the command:
% pts removeuser -user username -group group
Check with your /afs area manager before creating new groups. As groups proliferate, system management can become more difficult.
To create a new AFS protection group, use the command:
% pts creategroup -name group
or, leaving off the -name option flag for simplicity:
% pts creategroup group
Always enter a group in the format {group_owner}:{group_name}; don't enter only the {group_owner} portion. By default, the group owner is yourself.[36]
As an example, user lauram could run the command:
% pts creategroup lauram:www_cd_webwg
To remove a group, use the command:
% pts delete -nameorid group
For example:
% pts delete -nameorid lauram:www_cd_webwg_tools