cc_staff
37
edits
Sharing data: Difference between revisions
rewritten pursuant to discussion in #general-support to disentangle the notion of using ACLs from Data Sharing Groups
m (the file's group is not really "your" group (singular - though to chgrp yourself, it must be among your groups)) |
(rewritten pursuant to discussion in #general-support to disentangle the notion of using ACLs from Data Sharing Groups) |
||
| Line 116: | Line 116: | ||
== Access control lists (ACLs) == <!--T:10--> | == Access control lists (ACLs) == <!--T:10--> | ||
=== Sharing Access with an Individual === | |||
<!--T:8--> | <!--T:8--> | ||
| Line 122: | Line 124: | ||
* <tt>setfacl</tt> to alter them. | * <tt>setfacl</tt> to alter them. | ||
==== Sharing a single file ==== | |||
<!--T:19--> | <!--T:19--> | ||
To allow a single person with username <tt>smithj</tt> to have read and execute permission on the file <tt>my_script.py</tt>, use: | To allow a single person with username <tt>smithj</tt> to have read and execute permission on the file <tt>my_script.py</tt>, use: | ||
<source lang="console"> | <source lang="console"> | ||
$ setfacl -m u:smithj:rx my_script.py | |||
</source> | </source> | ||
==== Sharing a subdirectory ==== | |||
<!--T:20--> | <!--T:20--> | ||
To allow read and write access to | To allow read and write access to a single user in a whole subdirectory, including new files created in it, you can run the following commands: | ||
<source lang="console"> | <source lang="console"> | ||
$ setfacl -d -m u:smithj:rwx /home/<user>/projects/def-<PI>/shared_data | |||
$ setfacl -R -m u:smithj:rwx /home/<user>/projects/def-<PI>/shared_data | |||
</source> | </source> | ||
The first command sets default access rules to directory <code>/home/<user>/projects/def-<PI>/shared_data</code>, so any file or directory created within it will inherit the same ACL rule. It is required for '''new''' data. The second command sets ACL rules to directory <code>/home/<user>/projects/def-<PI>/shared_data</code> and all its content currently in it. So it is applicable only to '''existing''' data. | |||
In order for this method to work the following things need to be in place: | In order for this method to work the following things need to be in place: | ||
* The directory, <code>/home/smithj/projects/def-smithj/shared_data</code> in our example, must be owned by you. | * The directory, <code>/home/smithj/projects/def-smithj/shared_data</code> in our example, must be owned by you. | ||
* | * All parent directories of the one you are trying to share should allow public entry (i.e. o+x permissions), or at the least execute ACLs for the person you are trying to share with (i.e. <code>u:smithj:r</code> in this example). They do not need to have public read permission, unless the owner decides to allow it. In practical terms, this means that the project directory (/projects/def-<PI>) must give permission for either everyone, or at least the people you are trying to share your data with, execute permission on the project directory. | ||
=== Data Sharing Groups === | |||
For more complicated data sharing scenarios (those involving multiple people on multiple clusters), it is also possible to create a '''data sharing group'''. A data sharing group is a special group to which all people with whom certain data is to be shared are added. This group is then given access permissions through ACLs. | |||
You do not need a data sharing group except in specialized sharing circumstances. | |||
<!--T:21--> | <!--T:21--> | ||
==== Creating a data sharing group ==== | |||
The steps below describe how to create a data sharing group. In this example it is called <code>wg-datasharing</code> | |||
<br />1. Send email to [mailto:support@computecanada.ca support@computecanada.ca] requesting creation of data sharing group, indicate name of the group you would like to have and that you should be the owner. | <br />1. Send email to [mailto:support@computecanada.ca support@computecanada.ca] requesting creation of data sharing group, indicate name of the group you would like to have and that you should be the owner. | ||
<br />2. When you receive confirmation from Compute Canada Support that the group has been created, go to [https://ccdb.computecanada.ca/services/ ccdb.computecanada.ca/services/] and access it:<br /> | <br />2. When you receive confirmation from Compute Canada Support that the group has been created, go to [https://ccdb.computecanada.ca/services/ ccdb.computecanada.ca/services/] and access it:<br /> | ||
| Line 155: | Line 170: | ||
<!--T:23--> | <!--T:23--> | ||
==== Using a data sharing group ==== | |||
<source | |||
Just as with individual user sharing, the parent directories of the data you are trying to share must have execute permissions either for everyone or for the data sharing group. In your project directory, this implies that your PI must give consent as follows (unless you have permission to do this yourself): | |||
<source> | |||
$ chmod o+X /project/def-<PI>/ | |||
</source> | |||
or | |||
<source> | |||
$ setfacl g:wg_datasharing:X /project/def-<PI>/ | |||
</source> | </source> | ||
Finally, you can add your group to the ACL for the directory you are trying to share. The command parallel those needed to share with an individual: | |||
<source lang="console"> | <source lang="console"> | ||
$ setfacl -d -m g:wg-datasharing:rwx /home/<user>/projects/def-<PI>/shared_data | |||
$ setfacl -R -m g:wg-datasharing:rwx /home/<user>/projects/def-<PI>/shared_data | |||
</source> | </source> | ||
</translate> | </translate> | ||