AFS (on Beskow and Tegner)¶
Location
You can find AFS at /afs/pdc.kth.se
Key features¶
- Storage size: small volume of storage (5 GB in user home directory)
- File access speed: relatively slow access to files (not good for files being accessed by parallel computation)
- Backup: files in user AFS home directory are backed up
- Access from Beskow: files on AFS are not accessible from Beskow’s compute nodes (so any data or program files that you need for running programs on Beskow must be stored on Lustre)
- Access from Tegner: files on AFS can be accessed from Tegner’s compute nodes - so small amounts of data for Tegner computations can be stored on AFS (any large amount of data should be stored on Lustre for reasons of speed of access)
- good for storing small files that need to be backed up
- home directories are on AFS (so you will be in AFS when you first log in to PDC’s systems)
- File access: AFS has its own implementation of Access Control Lists (ACLs), where users can define new groups (Note: In AFS access is set per directory and not on individual files)
- Secure access: uses Kerberos for authentication and is designed for security and robustness. We assume that you have forwarded a valid ticket from your workstation when you logged in, see Kerberos for details.
Home folder structure¶
Your home folder at PDC contains various folders from the start. These folders have different functions.
Name | Function |
---|---|
Home | Home folder. Only you can read, but everybody can list your files/folders |
Public | Public folder where other users can read your files. It also contains your .forward e-mail file. This is a folder for sharing your files with others |
Private | Your private folder which only you can access |
.OldFiles | A backup of yesterday's files, in case a file is broken or you accidentally deleted a file |
Viewing and modifying access (Access Control List)¶
Every directory in AFS is controlled by the Access Control List (ACL) describing different user rights in that directory. To see this list, use the command fs listacl or fs la. This command, entered by the user svensson, might result in something like this:
fs la
Access list for . is
Normal rights:
svensson rlidwka
system:administrators rlidwka
system:anyuser rl
andersson rlidwk
Before going into the details of this list, we should take a look at what permissions you can set. Each action you can perform in a directory has its own letter:
Notation | File action | Description |
---|---|---|
r | read | read the files in the directory |
l | list | list the files in the directory |
i | insert | create new files |
d | delete | delete files |
w | write | modify files |
k | lock | lock files in the directory |
a | administer | change the ACL for the directory |
In the example earlier, we see that the user svensson has all the rights to his directory, as does the group system:administrators. The group system:anyuser, which contains all the users of AFS in the whole world, may read and list the files in this directory. Finally, svensson’s friend andersson has all the rights except the right to change the ACL. To alter the ACL you use fs setacl or fs sa like this:
fs sa <directory> <user> <rights>
Assuming that you are in your home directory and that you want to give the user mysister some rights in this directory, you could write:
fs sa . mysister rliw
This would make it possible for mysister to read, list, create new files, and modify existing files. By default fs sa adds to or alters the contents of the ACL instead of replacing it.
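Because fs sa adds to an ACL rather than replacing it, entries accumulate over time and the world-wide group system:anyuser can end up with more than the read and list rights shown above. The following shell function is an added example (not part of the PDC documentation) that reads fs la output on standard input and reports entries worth a second look: system:anyuser with anything beyond rl, any grant to system:authuser (all local users), and any non-system principal holding the a (administer) right, since that principal can change the ACL again. The sample ACL at the end is constructed for demonstration; on a real system you would run fs la ~/Public | audit_acl.

```shell
#!/bin/sh
# Added example, not PDC code: audit `fs la` output for over-broad grants.
# Usage: fs la <directory> | audit_acl
audit_acl() {
    awk '
        # Skip the header lines and stop at the (optional) negative rights,
        # which list denials rather than grants.
        /^Access list for/  { next }
        /^Normal rights:/   { next }
        /^Negative rights:/ { exit }
        NF == 2 {
            who = $1; rights = $2
            # The world group should hold at most read and list.
            if (who == "system:anyuser" && rights ~ /[^rl]/)
                printf "WARN %s has %s (expected at most rl)\n", who, rights
            # Any grant to all local users is a deliberate choice; surface it.
            else if (who == "system:authuser")
                printf "WARN %s has %s (all local users)\n", who, rights
            # A non-system principal with "a" can re-grant rights at will.
            else if (rights ~ /a/ && who !~ /^system:/)
                printf "NOTE %s can administer the ACL (%s)\n", who, rights
        }
    '
}

# Constructed sample of `fs la` output (not captured from a real system).
SAMPLE_ACL='Access list for . is
Normal rights:
  svensson rlidwka
  system:administrators rlidwka
  system:anyuser rlidwk
  system:authuser rl
  andersson rlidwk'

# Stand-alone run on the constructed sample:
printf '%s\n' "$SAMPLE_ACL" | audit_acl
```

The owner of a directory will always appear in the NOTE line because the owner holds the administer right; the WARN lines are the ones that usually need fixing with fs sa <directory> <group> none or a narrower set of letters.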
For a file to be accessible, you must have the list privilege in all parent directories. So if you want mysister to access the file ./parent/child/file you must run both the following commands:
fs sa ./parent/child mysister rl
fs sa ./parent mysister l
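The parent-directory rule above is easy to forget when the target is several levels deep. The shell function below is an added example (not from the PDC documentation) that, for a directory path relative to where you stand, prints the fs sa command for the target with the requested rights and one fs sa command granting only l on every directory between the current directory and the target. It prints rather than runs the commands so that you can review them first; piping the output to sh would apply them.

```shell
#!/bin/sh
# Added example, not PDC code: generate the `fs sa` commands needed for
# USER to reach TARGET with RIGHTS, including the list right on every
# intermediate directory. Intended for paths relative to your home directory;
# the walk stops at "." (or "/" for an absolute path).
# Usage: grant_path_rights <target-dir> <user-or-group> <rights>
grant_path_rights() {
    target=$1; user=$2; rights=$3
    # The target directory itself gets the rights you asked for.
    printf 'fs sa %s %s %s\n' "$target" "$user" "$rights"
    # Every ancestor only needs "l" so that the path can be traversed.
    parent=$(dirname "$target")
    while [ "$parent" != "." ] && [ "$parent" != "/" ]; do
        printf 'fs sa %s %s l\n' "$parent" "$user"
        parent=$(dirname "$parent")
    done
}

# Stand-alone run reproducing the example from the text:
grant_path_rights ./parent/child mysister rl
```

Granting only l on the ancestors is the least privilege that still makes the deeper directory reachable; the user cannot read files in ./parent itself, only see their names.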
To revoke the rights given to a user, use the following command:
fs sa [directory] <user> none
Finally, to see all the available commands with fs, use fs help.
Protecting Your init files¶
Note
This has already been set up if you got a standard PDC account; check with ls -la ~
Since the file protection is on the directory rather than the file level, you cannot have different levels of rights on the files in a directory. Normally this is not a problem: you just put the files you want to keep secret in one directory (often called Private) and public files in another directory (called Public). However, this may pose a problem in your home directory, which contains files that should be publicly readable, such as .login, .forward, .tcshrc, and others. If these files are not publicly readable, programs like rlogin will not function properly. You also have files that you don’t want others to read, like the file mbox where your email is stored.
The trick to solve this is to make a publicly readable subdirectory containing the files. In your home directory you then create symbolic links to these files. The links will allow you to read the files, which now appear as publicly readable. You should not make your home directory publicly readable. One example to clarify the method:
Change to your home directory and move the files:
cd
mv .bashrc .forward Public
Create the links:
ln -s Public/.bashrc .
ln -s Public/.forward .
and so on…
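The mv and ln -s steps above are safe to do by hand once, but repeating them on a file that has already been moved turns the link into a dangling one or overwrites the copy in Public. The shell function below is an added example (not from the PDC documentation) that performs the same two steps for one file and refuses to act when the name is already a link or when a file of that name already exists in Public. It takes the home directory as an explicit argument so it can be tried out on a temporary directory first.

```shell
#!/bin/sh
# Added example, not PDC code: move one dotfile into HOME/Public and leave a
# relative symbolic link in its place, exactly as the manual steps do, but
# without clobbering anything on a second run.
# Usage: publish_dotfile <home-directory> <file-name>
# Exit status: 0 done, 1 already a link, 2 source missing, 3 target exists.
publish_dotfile() {
    home=$1; name=$2
    src="$home/$name"; pub="$home/Public"
    if [ -L "$src" ]; then
        echo "$name is already a link, nothing to do" >&2
        return 1
    fi
    if [ ! -f "$src" ]; then
        echo "$src does not exist" >&2
        return 2
    fi
    mkdir -p "$pub"
    if [ -e "$pub/$name" ]; then
        echo "$pub/$name already exists, refusing to overwrite" >&2
        return 3
    fi
    # Same as "mv .bashrc Public" followed by "ln -s Public/.bashrc ." in HOME.
    mv "$src" "$pub/$name" && ln -s "Public/$name" "$src"
}

# Stand-alone demonstration on a constructed temporary home directory.
demo_home=$(mktemp -d)
printf 'export EDITOR=vi\n' > "$demo_home/.bashrc"
publish_dotfile "$demo_home" .bashrc && ls -l "$demo_home"
rm -rf "$demo_home"
```

Run it as publish_dotfile "$HOME" .bashrc for each file that must stay readable by others; the link is relative (Public/.bashrc), so it keeps working if the home directory is reached through a different AFS path.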
Creating and managing groups¶
Every user in the AFS system can create groups of users. All the members can then be given the same access rights by adding the group to an ACL. This is a very convenient way of giving the same rights to a group.
In the ACL, you recognise groups by their format owner:groupname; in the example earlier in this document we see the group system:anyuser. This is one of the system groups, of which the most important are:
- system:anyuser: all the users of AFS all over the world.
- system:authuser: all the local users of AFS.
- system:administrators: the group of system administrators; they have all the rights to all your directories, regardless of what you define in your ACL.
To create your own groups, use the command pts as follows:
- Create a new group with creategroup or cg; the owner should be your username:
pts creategroup <owner>:<groupname>
- Add a user to a group with adduser or ad:
pts adduser user <owner>:<groupname>
- Delete a group with delete or del:
pts delete <owner>:<groupname>
- Remove one user from the group with removeuser or rem:
pts removeuser user <owner>:<groupname>
- List the members of a group with membership or m:
pts membership <owner>:<groupname>
- List all commands to pts with help:
pts help
Example
Here is an example. Assume that you have two friends, svensson and andersson. You want to give them certain rights in a directory called my_secrets. Your own username is me. First, in your home directory, you create the group friends:
cd
pts creategroup me:friends
Then you should add the users to the group:
pts adduser svensson me:friends
pts adduser andersson me:friends
All we have to do now is to add this group to the ACL for the directory my_secrets. Assuming that my_secrets is a subdirectory under your home directory, you would type:
fs setacl my_secrets me:friends rlidw
which would let members of the group friends read, list, insert, delete and write files in your directory. You use fs setacl in the same way for users and groups; just remember that a group is written as owner:groupname.
Accessing other cells¶
If you want to access files that are located somewhere else, e.g. your home directory at another institution that uses AFS, you need to acquire tokens for that cell (unless the files you want are readable by anyone, in which case you don’t have to do anything special). This is done by first getting Kerberos tickets for the corresponding realm and then getting tokens from those tickets using the command afslog.
As an example, assume that you have an account <user>@PHYSTO.SE with the home directory /afs/physto.se/home/u/user. First you need to get Kerberos tickets:
kauth <user>@PHYSTO.SE
Then you need to acquire tokens:
afslog -c physto.se
You should now be able to read and write the files in /afs/physto.se/home/<1st letter username>/<username>.
Disk usage and quota¶
How much space do you have in your home directory? And how much space is already used? You can find out in the following ways:
To see the size of single files (NOT directories in AFS):
ls -lh
Check your current overall usage:
du -hs ~/*
and WAIT! It will take some time to get the total size of each folder in your home directory.
To list the quota for a given directory, use fs lq <directory_name>. For example:
fs lq ~
In AFS there are two aspects of your storage that are limited - KB of disk space and the number of files you can create in a certain folder.
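Checking fs lq by eye works for one directory, but a small wrapper makes it easy to warn before a volume fills up and jobs start failing on writes. The shell function below is an added example (not from the PDC documentation) that reads fs lq output on standard input and flags volumes above a percentage threshold. It assumes the usual OpenAFS layout of fs lq output: a header line followed by one line per volume with the columns Volume Name, Quota, Used, %Used and Partition, with space given in KB; the sample below is constructed in that layout, so check fs lq ~ on the system before relying on the column positions.

```shell
#!/bin/sh
# Added example, not PDC code: warn when a volume listed by `fs lq` is
# above a usage threshold (default 90 percent).
# Usage: fs lq <directory> | quota_check [threshold-percent]
quota_check() {
    threshold=${1:-90}
    awk -v limit="$threshold" '
        NR == 1 { next }                 # skip the header line
        NF >= 4 {
            vol = $1; quota = $2; used = $3
            pct = $4; sub(/%.*/, "", pct)  # "95%" or "95%<<" -> 95
            if (pct + 0 >= limit)
                printf "WARN %s: %d of %d KB used (%d%%)\n", vol, used, quota, pct
            else
                printf "ok   %s: %d%% used\n", vol, pct
        }
    '
}

# Constructed sample in the assumed `fs lq` layout (not real system output).
SAMPLE_LQ='Volume Name                    Quota       Used %Used   Partition
user.svensson                5000000    4750000   95%         60%'

# Stand-alone run on the constructed sample with the default threshold:
printf '%s\n' "$SAMPLE_LQ" | quota_check
```

The percentage is taken from the %Used column rather than recomputed, so the function reports what AFS itself reports; the KB figures are included only to make the warning actionable. Note that it does not cover the second limit mentioned above, the number of files a volume may hold.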
See also