- Generalities
- Authentication
- Access Control Lists (ACL)
- Access rights
- Quotas
- Protection groups
- Access to other cells
- PHENIX AFS organisation (TBD)
Generalities
AFS (Andrew File System) is a distributed file system. The top directory of the AFS hierarchy is unique all over the world, and is /afs.
Every institution that holds an AFS licence is assigned a sub-directory under /afs. In AFS terminology these directories are called cells. RHIC has its own cell, named /afs/rhic.
Within a cell, files are located on data servers and are grouped into entities named volumes. Volumes are partitions of the data servers' physical disks, and quotas are applied per volume.
Every PHENIX user has a personal "home" directory under AFS, located at /afs/rhic/phenix/users/username. Initial quota is 20MB.
Authentication
To have full access to AFS, you need to get a token, using your identifier (username) and your AFS password (which might be different from your Unix one). You get a token with the klog command:
% klog
Password:
Your token has a limited lifetime, which is 1 day at RHIC. To check your token's expiration date, use the tokens command:
% tokens
Tokens held by the Cache Manager:
User's (AFS ID 3692) tokens for afs@rhic [Expires Feb 17 20:19]
--End of list--
Your AFS password may be changed with the kpasswd command.
You can destroy your token with the unlog command.
Access Control Lists (ACL)
An Access Control List (ACL) is the AFS mechanism that controls
access to directories and files. This mechanism is quite
different from the Unix one:
- base permissions apply to directories (not files)
- sub-directories inherit their permissions from the parent directory
- files have no individual protection: they take their protection from the directory they sit in.
ACLs are manipulated with the AFS fs command (try fs help). A typical ACL looks like this:
% fs listacl /afs/rhic/phenix/users/aphecetc/
Access list for /afs/rhic/phenix/users/aphecetc/ is
Normal rights:
  system:administrators rlidwka
  system:authuser rl
  aphecetc rlidwka
ACLs are composed of pairs [ protection group or user, access rights ]. In the above example, the system:authuser group has the rights rl, while the user aphecetc has the rights rlidwka.
Access rights
Access rights are different from Unix ones. There are 7 access
rights; 4 of them deal with the directory itself:
- a (administer) : right to change the ACL of this directory
- l (lookup) : right to list the content of the directory
- d (delete) : right to delete files or sub-directories
- i (insert) : right to create new files or directories
The other 3 deal with the files within the directory:
- r (read) : right to read a file
- w (write) : right to write to a file
- k (lock) : right to lock a file
The fs setacl command lets you change the ACL of
directories, and accepts some aliases for the above rights:
- read = rl
- write = rlidwk
- all = rlidwka
- none = no right at all
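As an added example (not part of the original page), here is a small Python audit that parses output in the layout fs listacl prints, expands the fs setacl aliases listed above, and flags directories where system:anyuser or system:authuser hold more than the read alias. The listing it runs on is a constructed sample, not a real PHENIX directory.

```python
# Added example (not from the original page): audit "fs listacl" output
# for entries that give system:anyuser or system:authuser more than
# read access, expanding the fs setacl aliases described above.

# Aliases accepted by fs setacl, as listed above.
ALIASES = {"read": "rl", "write": "rlidwk", "all": "rlidwka", "none": ""}
VALID_RIGHTS = set("rlidwka")

# Constructed sample in the layout fs listacl prints (one entry per line).
SAMPLE_LISTACL = """Access list for /afs/rhic/phenix/users/aphecetc/public is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk
  phenix rl
  aphecetc rlidwka
"""

def expand_rights(spec):
    """Map an alias (read/write/all/none) or a literal string such as 'rl'
    to the set of individual rights it grants; reject unknown letters."""
    rights = set(ALIASES.get(spec, spec))
    unknown = rights - VALID_RIGHTS
    if unknown:
        raise ValueError("unknown AFS right(s): " + "".join(sorted(unknown)))
    return rights

def parse_listacl(text):
    """Return {entry: set_of_rights} from the 'Normal rights:' section of
    fs listacl output; a 'Negative rights:' section, if any, is skipped."""
    acl = {}
    in_normal = False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("rights:"):
            in_normal = line.startswith("Normal")
            continue
        if in_normal and line:
            who, spec = line.split()
            acl[who] = expand_rights(spec)
    return acl

def overexposed(acl):
    """Built-in groups that hold anything beyond the 'read' alias (rl),
    i.e. the directory is writable by the world or by every cell user."""
    broad = ("system:anyuser", "system:authuser")
    return sorted(who for who in broad
                  if who in acl and acl[who] - expand_rights("read"))
```

Feed it the real output of fs listacl on your directories to spot a public directory that was given write or all instead of read.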
Quotas
The AFS quotas (in kB) are shown by the command 'fs listquota':
% fs listquota /afs/rhic/phenix/users/aphecetc/
Volume Name            Quota    Used  %Used  Partition
phenix.usr.aphecetc   250000       2     0%        11%
Users who need more space should send in their requests via the CTS ticket system.
Protection groups
Protection groups in AFS are similar to Unix groups, except that
in AFS users manage their own groups. There are 3 pre-existing
groups that you cannot modify:
- system:administrators : the AFS administrators of the current cell
- system:authuser : the users defined in the current cell
- system:anyuser : every user, whether or not authenticated in this cell or any other cell.
Apart from those 3 groups, you can create your own groups and add users to them. Once a group exists, you can grant it rights in the ACL of any directory.
A phenix group has already been defined, and you should be a member of it.
Protection groups are handled by the pts command (try pts help). With pts you can create or delete groups, add or remove members, and so on. For example, you can examine a group:
% pts examine phenix
Name: phenix, id: -207, owner: admin, creator: admin, membership: 491, flags: S-M--, group quota: 0.
which tells you that the phenix group has 491 members. You can list them with 'pts membership phenix'.
If you want your PHENIX colleagues to be able to read some of your files, it is a good idea to add the phenix group to your ACLs:
% cd /afs/rhic/phenix/users/username/
% mkdir public
% fs setacl public phenix rl
Access to other cells
The very nice thing about AFS is that you can hold more than one token at the same time (but only one token per cell). For example, to access your CERN files under AFS, do:
% klog username
Password:
% klog username -cell cern.ch
Password:
% tokens
Tokens held by the Cache Manager:
User's (AFS ID 1530) tokens for afs@cern.ch [Expires Feb 19 21:01]
User's (AFS ID 3692) tokens for afs@rhic [Expires Feb 17 20:19]
--End of list--
You can then simply copy files from CERN to RCF with the cp command!