Sharing data: Difference between revisions

<!--T:8-->
The file permissions discussed above have been available in Unix-like operating systems for decades, but they are very coarse-grained: the whole set of users is divided into just three categories, the owner, the group, and everyone else. What if you want to allow someone who isn't in your group to read a file? Do you really need to make the file readable by everyone in that case? The answer, happily, is no. Compute Canada's national systems offer "access control lists" (ACLs), which allow permissions to be set on a user-by-user basis if desired. The two commands needed to manipulate these extended permissions are
* <tt>getfacl</tt> to see the ACL permissions, and
* <tt>setfacl</tt> to alter them.
To allow a single person with username <tt>smithj</tt> to have read and execute permission on the file <tt>my_script.py</tt>, use:
{{Command|setfacl -m u:smithj:rx my_script.py}}
To allow a particular group (for example ''wg-datasharing'') access to a directory (for example ''/home/smithj/projects/def-smithj/shared_data''), use the following command:
{{Command|setfacl -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data}}
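A check worth making before relying on either <tt>setfacl</tt> command above: the <tt>mask</tt> entry of an ACL caps what named user and named group entries actually grant, and a later <tt>chmod</tt> on the group bits of a file or directory that carries an ACL rewrites that mask rather than the owning group's entry, so an entry set as <tt>rwx</tt> can end up effective <tt>r-x</tt> (<tt>getfacl</tt> marks this with <tt>#effective:</tt>). Note also that <tt>setfacl -m</tt> without <tt>-R</tt> or a default ACL sets permissions on the named directory only, not on the files inside it. The following Python is an added example, not code from the original page or from Compute Canada: it parses a constructed sample of <tt>getfacl</tt> output for the <tt>shared_data</tt> example and recomputes the effective permissions of each entry. The user and group names are the page's example names; the sample output and its permission values are constructed.

```python
# Constructed sample of `getfacl` output for the page's shared_data example,
# after someone ran `chmod g-w` on the directory. On an object carrying an
# ACL, chmod's group bits rewrite the mask, so the wg-datasharing entry still
# reads rwx but is effectively r-x. getfacl itself prints the '#effective:'
# annotation; the code below ignores it and recomputes the result.
SAMPLE_GETFACL = """\
# file: shared_data
# owner: smithj
# group: def-smithj
user::rwx
group::r-x
group:wg-datasharing:rwx        #effective:r-x
mask::r-x
other::--x
"""


def _perm_set(perm_str):
    """Turn an rwx triple such as 'r-x' into the set {'r', 'x'}."""
    return {c for c in perm_str if c in "rwx"}


def parse_acl(text):
    """Parse getfacl output into a dict keyed by (tag, qualifier).

    tag is 'user', 'group', 'mask' or 'other'; qualifier is '' for the
    owner, owning-group, mask and other entries, and the name for named
    entries. 'default:' entries (inherited by new files) are skipped since
    they do not describe access to the object itself.
    """
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop header comments and #effective
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries[(tag, qualifier)] = _perm_set(perms[:3])
    return entries


def effective_perms(entries, tag, qualifier):
    """Permissions an entry actually grants once the mask is applied.

    Named user entries, named group entries and the owning-group entry are
    limited by the mask; the owner and 'other' entries are not.
    """
    perms = entries.get((tag, qualifier), set())
    masked = tag == "group" or (tag == "user" and qualifier != "")
    if masked and ("mask", "") in entries:
        perms = perms & entries[("mask", "")]
    return perms


def grants(text, tag, qualifier, wanted):
    """True if every permission letter in `wanted` (e.g. 'rx') is effective."""
    return set(wanted) <= effective_perms(parse_acl(text), tag, qualifier)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_GETFACL)
    for (tag, qualifier) in acl:
        eff = "".join(c for c in "rwx" if c in effective_perms(acl, tag, qualifier))
        print(f"{tag}:{qualifier}: effective {eff or '---'}")
```

Run against real output with `getfacl shared_data | python3 check_acl.py`-style plumbing or by pasting the text; the thing to look for is a named entry whose effective set is smaller than the set written on the line, which is the signature of a mask lowered by <tt>chmod</tt>.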
In order for this method to work, the following things need to be in place:
# The group wg-datasharing (or any other name you prefer), used for sharing data, must be created in CCDB and you must be assigned ownership of this group. This allows you to add or remove members of the group in [https://ccdb.computecanada.ca CCDB].
# The directory, <code>/home/smithj/projects/def-smithj/shared_data</code> in our example, must be owned by you.
# Since the data sharing group (<code>wg-datasharing</code> in this example) is not necessarily the owning group of the directory you would like to share (<code>shared_data</code> in this example), all parent directories in its path should allow public entry. They do not need to have public read permission, unless you decide to allow it.
How do you achieve these three requirements?

* Send an email to [mailto:support@computecanada.ca support@computecanada.ca] requesting the creation of a data sharing group; indicate the name you would like the group to have and that you should be its owner.
* When you receive confirmation from Compute Canada Support that the group has been created, go to [https://ccdb.computecanada.ca/services/ ccdb.computecanada.ca/services/] and access it:
[[File:Cc services screen.png|1036px|Services screen displaying groups you can manage]]


* Click on the group's name to enter the group management screen:
[[File:Cc service management screen.png|1036px|Services screen showing the group's owner]]
   
   
* Add a member (Victor Van Doom with CCI vdv-888, for example) to the group:
[[File:Cc service add member success screen.png|1036px|Services screen showing members of the group]]


* Make sure that the path <code>/home/smithj/projects/def-smithj</code> is open for public entry (search permission):
{{Command|chmod -R o+X /home/smithj/projects/def-smithj}}
* Set up the ACL for the path in question and the new group:
{{Command|setfacl -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data}}
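To verify the third requirement (every parent directory allows public entry) rather than reading <tt>ls -l</tt> output by eye, here is an added Python example that is not part of the original page or of Compute Canada's tooling. It lists the ancestors of a path that lack the other-execute bit, applies the same change as the page's <tt>chmod -R o+X</tt>, and runs both on a constructed copy of the example layout under a temporary directory. The mode values given to the directories and files are assumptions for the demo. Note that <tt>-R</tt> also descends into <tt>shared_data</tt> itself, which is why the capital <tt>X</tt> matters: directories gain the search bit, but a regular file gains <tt>o+x</tt> only if it already had some execute bit.

```python
import os
import shutil
import stat
import tempfile


def parents_lacking_public_entry(path, top="/"):
    """List the ancestors of `path` (strictly below `top`) whose mode lacks
    the other-execute (search) bit.

    A user who is neither the owner nor a member of the owning group of such
    a directory cannot traverse it, so an ACL on `path` alone will not let
    the data-sharing group in.
    """
    path, top = os.path.abspath(path), os.path.abspath(top)
    blockers = []
    parent = os.path.dirname(path)
    while parent != top and parent != os.path.dirname(parent):
        if not os.stat(parent).st_mode & stat.S_IXOTH:
            blockers.append(parent)
        parent = os.path.dirname(parent)
    return blockers


def add_public_search(root):
    """Python rendering of `chmod -R o+X root`.

    Capital X gives others the execute bit on every directory, but on a
    regular file only if some execute bit is already set, so plain data
    files are not made executable along the way.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        os.chmod(dirpath, mode | stat.S_IXOTH)
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                os.chmod(full, mode | stat.S_IXOTH)


def demo():
    """Build a constructed copy of the page's layout under a temporary
    directory, check it before and after the page's chmod step, and return
    the findings. All mode values are demo assumptions, not values from any
    real system."""
    base = tempfile.mkdtemp()
    try:
        project = os.path.join(base, "home", "smithj", "projects", "def-smithj")
        shared = os.path.join(project, "shared_data")
        os.makedirs(shared)
        script = os.path.join(shared, "my_script.py")
        notes = os.path.join(shared, "notes.txt")
        open(script, "w").close()
        open(notes, "w").close()
        os.chmod(os.path.join(base, "home"), 0o755)
        os.chmod(os.path.join(base, "home", "smithj"), 0o711)  # entry, no listing
        os.chmod(os.path.join(base, "home", "smithj", "projects"), 0o755)
        os.chmod(project, 0o750)  # no public entry: this blocks the ACL
        os.chmod(shared, 0o770)
        os.chmod(script, 0o750)   # has an execute bit, so X will add o+x
        os.chmod(notes, 0o640)    # no execute bit, so X leaves it alone

        before = [os.path.relpath(p, base)
                  for p in parents_lacking_public_entry(shared, top=base)]
        add_public_search(project)  # the page's `chmod -R o+X .../def-smithj`
        after = [os.path.relpath(p, base)
                 for p in parents_lacking_public_entry(shared, top=base)]
        return {
            "before": before,
            "after": after,
            "script_other_exec": bool(os.stat(script).st_mode & stat.S_IXOTH),
            "notes_other_exec": bool(os.stat(notes).st_mode & stat.S_IXOTH),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

On a real system you would call <tt>parents_lacking_public_entry("/home/smithj/projects/def-smithj/shared_data")</tt> with the default <tt>top</tt> of <tt>/</tt>; an empty result means the path satisfies requirement three, and any directory it does list is one the group members will be stopped at regardless of the ACL on <tt>shared_data</tt>.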

