Niagara Quickstart: Difference between revisions

no edit summary
No edit summary
No edit summary
Line 167: Line 167:


Details of how to use the datamover nodes can be found on the [[Data_Management#Moving_data | Data Management ]] page.
Details of how to use the datamover nodes can be found on the [[Data_Management#Moving_data | Data Management ]] page.
==File/Ownership Management (ACL)== <!--T:124-->
* By default, at SciNet, users within the same group already have read permission to each other's files (not write)
* You may use access control list ('''ACL''') to allow your supervisor (or another user within your group) to manage files for you (i.e., create, move, rename, delete), while still retaining your access and permission as the original owner of the files/directories. You may also let users in other groups or whole other groups access (read, execute) your files using this same mechanism.
<!--
===Using  setfacl/getfacl=== <!--T:125-->
* To allow [supervisor] to manage files in /project/g/group/[owner] using '''setfacl''' and '''getfacl''' commands, follow the 3-steps below as the [owner] account from a shell:
<pre>
1) $ /scinet/gpc/bin/setfacl -d -m user:[supervisor]:rwx /project/g/group/[owner]
  (every *new* file/directory inside [owner] will inherit [supervisor] ownership by default from now on)
<!--T:126-->
2) $ /scinet/gpc/bin/setfacl -d -m user:[owner]:rwx /project/g/group/[owner]
  (but will also inherit [owner] ownership, ie, ownership of both by default, for files/directories created by [supervisor])
<!--T:127-->
3) $ /scinet/gpc/bin/setfacl -Rm user:[supervisor]:rwx /project/g/group/[owner]
  (recursively modify all *existing* files/directories inside [owner] to also be rwx by [supervisor])
  <!--T:128-->
$ /scinet/gpc/bin/getfacl /project/g/group/[owner]
  (to determine the current ACL attributes)
  <!--T:129-->
$ /scinet/gpc/bin/setfacl -b /project/g/group/[owner]
  (to remove any previously set ACL)
<!--T:130-->
PS: on the datamovers getfacl, setfacl and chacl will be on your path
</pre>
For more information on using [http://linux.die.net/man/1/setfacl <tt>setfacl</tt>] or [http://linux.die.net/man/1/getfacl <tt>getfacl</tt>] see their man pages.
-->
===Using mmputacl/mmgetacl=== <!--T:131-->
* You may use gpfs' native '''mmputacl''' and '''mmgetacl''' commands. The advantages are that you can set "control" permission and that [http://publib.boulder.ibm.com/infocenter/clresctr/vxrx/index.jsp?topic=%2Fcom.ibm.cluster.gpfs.doc%2Fgpfs31%2Fbl1adm1160.html POSIX or NFS v4 style ACL] are supported. You will need first to create a /tmp/supervisor.acl file with the following contents:
<pre>
user::rwxc
group::----
other::----
mask::rwxc
user:[owner]:rwxc
user:[supervisor]:rwxc
group:[othegroup]:r-xc
</pre>
<!--T:132-->
Then issue the following 2 commands:
<pre>
1) $ mmputacl -i /tmp/supervisor.acl /project/g/group/[owner]
2) $ mmputacl -d -i /tmp/supervisor.acl /project/g/group/[owner]
  (every *new* file/directory inside [owner] will inherit [supervisor] ownership by default as well as
  [owner] ownership, ie, ownership of both by default, for files/directories created by [supervisor])
  <!--T:133-->
$ mmgetacl /project/g/group/[owner]
  (to determine the current ACL attributes)
  <!--T:134-->
$ mmdelacl -d /project/g/group/[owner]
  (to remove any previously set ACL)
  <!--T:135-->
$ mmeditacl /project/g/group/[owner]
  (to create or change a GPFS access control list)
  (for this command to work set the EDITOR environment variable: export EDITOR=/usr/bin/vi)
</pre>
<!--T:136-->
NOTES:
* There is no option to recursively add or remove ACL attributes using a gpfs built-in command to existing files. You'll need to use the -i option as above for each file or directory individually. [https://docs.scinet.utoronto.ca/index.php/Recursive_ACL_script Here is a sample bash script you may use for that purpose]]
<!--T:137-->
* mmputacl will not overwrite the original linux group permissions for a directory when copied to another directory already with ACLs, hence the "#effective:r-x" note you may see from time to time with mmgetacf. If you want to give rwx permissions to everyone in your group you should simply rely on the plain unix 'chmod g+rwx' command. You may do that before or after copying the original material to another folder with the ACLs.
<!--T:138-->
* In the case of PROJECT, your group's supervisor will need to set proper ACL to the /project/G/GROUP level in order to let users from other groups access your files.
<!--T:139-->
* ACL's won't let you give away permissions to files or directories that do not belong to you.
<!--T:140-->
* We highly recommend that you never give write permission to other users on the top level of your home directory (/home/G/GROUP/[owner]), since that would seriously compromise your privacy, in addition to disable ssh key authentication, among other things. If necessary, make specific sub-directories under your home directory so that other users can manipulate/access files from those.
<!--T:141-->
For more information on using [https://www.ibm.com/support/knowledgecenter/SSFKCN_4.1.0/com.ibm.cluster.gpfs.v4r1.gpfs100.doc/bl1adm_mmputacl.htm <tt>mmputacl</tt>] or [https://www.ibm.com/support/knowledgecenter/SSFKCN_4.1.0/com.ibm.cluster.gpfs.v4r1.gpfs100.doc/bl1adm_mmgetacl.htm <tt>mmgetacl</tt>] see their man pages.
===Recursive ACL script === <!--T:142-->
You may use/adapt '''[https://docs.scinet.utoronto.ca/index.php/Recursive_ACL_script this sample bash script]''' to recursively add or remove ACL attributes using gpfs built-in commands
<!--T:143-->
Courtesy of Agata Disks (http://csngwinfo.in2p3.fr/mediawiki/index.php/GPFS_ACL)


==Scratch Disk Purging Policy== <!--T:144-->
==Scratch Disk Purging Policy== <!--T:144-->
cc_staff
290

edits