Bureaucrats, cc_docs_admin, cc_staff
2,915
edits
m (added group ACL) |
No edit summary |
||
Line 116: | Line 116: | ||
<!--T:8--> | <!--T:8--> | ||
The file permissions discussed above have been available in Unix-like operating systems for decades now but they are very coarse-grained. The whole set of users is divided into just three categories: the owner, the group, and everyone else. What if | The file permissions discussed above have been available in Unix-like operating systems for decades now but they are very coarse-grained. The whole set of users is divided into just three categories: the owner, the group, and everyone else. What if you want to allow someone who isn't in your group to read a file - do you really need to make the file readable by everyone in that case? The answer, happily, is no. Compute Canada's national systems offer "access control lists" (ACLs) to enable permissions to be set on a user-by-user basis if desired. The two commands needed to manipulate these extended permissions are | ||
* <tt>getfacl</tt> to see the ACL permissions, and | * <tt>getfacl</tt> to see the ACL permissions, and | ||
* <tt>setfacl</tt> to alter them. | * <tt>setfacl</tt> to alter them. | ||
To allow a single person with username <tt>smithj</tt> to have read and execute permission on the file <tt>my_script.py</tt>, use: | |||
{{Command|setfacl -m u:smithj:rx my_script.py}} | {{Command|setfacl -m u:smithj:rx my_script.py}} | ||
To allow access to everything within a certain directory (for example ''/home/smithj/projects/def-smithj/shared_data'') for particular group (for example ''wg-datasharing''), use the following command: | |||
{{Command|setfacl -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data}} | {{Command|setfacl -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data}} | ||
In order for this method to work following | In order for this method to work the following things need to be in place: | ||
# Group wg-datasharing (or any other name | # Group wg-datasharing (or any other name you prefer), used for sharing data, must be created in CCDB and you must be assigned ownership of this group. This allows you to add or remove members of the group in [[https://ccdb.computecanada.ca CCDB]]. | ||
# | # The directory, <code>/home/smithj/projects/def-smithj/shared_data</code> in our example, must be owned by you. | ||
# Since data sharing group | # Since the data sharing group (<code>wg-datasharing</code> in this example) is not necessarily the owner of the directory you would like to share (<code>shared_data</code> in this example), all parent directories in its path should allow public entry. They do not need to have public read permission, unless you decide to allow it. | ||
How | |||
* | How does you achieve these three requirements? | ||
* | * Send email to [mailto:support@computecanada.ca support@computecanada.ca] requesting creation of data sharing group, indicate name of the group you would like to have and that you should be the owner. | ||
[[File:Cc services screen.png|1036px|Services screen | * When you receive confirmation from ComputeCanada Support regarding creation of the group, go to [https://ccdb.computecanada.ca/services/ ccdb.computecanada.ca/services/] and access it: | ||
[[File:Cc services screen.png|1036px|Services screen displaying groups you can manage]] | |||
* Clicking on group's name | * Clicking on the group's name, enter the group management screen: | ||
[[File:Cc service management screen.png|1036px|Services screen | [[File:Cc service management screen.png|1036px|Services screen showing group's owner]] | ||
* | * Add member (Victor Van Doom with CCI vdv-888, for example) to the group as a member: | ||
[[File:Cc service add member success screen.png|1036px|Services screen | [[File:Cc service add member success screen.png|1036px|Services screen showing members of the group]] | ||
* | * Make sure that path <code>/home/smithj/projects/def-smithj</code> is open for public access: | ||
{{Command|chmod -R o+X /home/smithj/projects/def-smithj}} | {{Command|chmod -R o+X /home/smithj/projects/def-smithj}} | ||
* | * Set up ACL for the path you have in mind and new group: | ||
{{Command|setfacl -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data}} | {{Command|setfacl -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data}} | ||