Sharing data: Difference between revisions

Jump to navigation Jump to search
no edit summary
No edit summary
No edit summary
Line 116: Line 116:


<!--T:8-->
<!--T:8-->
The file permissions discussed above have been available in Unix-like operating systems for decades now but they are very coarse-grained. The whole set of users is divided into just three categories: the owner, the group, and everyone else. What if you want to allow someone who isn't in your group to read a file - do you really need to make the file readable by everyone in that case? The answer, happily, is no. Compute Canada's national systems offer "access control lists" (ACLs) to enable permissions to be set on a user-by-user basis if desired. The two commands needed to manipulate these extended permissions are  
The file permissions discussed above have been available in Unix-like operating systems for decades now but they are very coarse-grained. The whole set of users is divided into just three categories: the owner, the group, and everyone else. What if you want to allow someone who isn't in your group to read a file - do you really need to make the file readable by everyone in that case? The answer, happily, is no. Compute Canada's national systems offer ''access control lists'' (ACLs) to enable permissions to be set on a user-by-user basis if desired. The two commands needed to manipulate these extended permissions are  
* <tt>getfacl</tt> to see the ACL permissions, and  
* <tt>getfacl</tt> to see the ACL permissions, and  
* <tt>setfacl</tt> to alter them.  
* <tt>setfacl</tt> to alter them.  
Line 123: Line 123:
{{Command|setfacl -m u:smithj:rx my_script.py}}
{{Command|setfacl -m u:smithj:rx my_script.py}}


To allow access to everything within a certain directory (for example ''/home/smithj/projects/def-smithj/shared_data'') for particular group (for example ''wg-datasharing''), use the following command:
To allow read and write access to everything within a certain directory (for example ''/home/smithj/projects/def-smithj/shared_data'') for particular group (for example ''wg-datasharing''), use the following command:
{{Command|setfacl -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data}}
{{Command|setfacl -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data}}
In order for this method to work the following things need to be in place:
In order for this method to work the following things need to be in place:
# Group wg-datasharing (or any other name you prefer), used for sharing data, must be created in CCDB and you must be assigned ownership of this group. This allows you to add or remove members of the group in [[https://ccdb.computecanada.ca CCDB]].
# Group <code>wg-datasharing</code> (or any other name you prefer) must be created in CCDB and you must be assigned ownership of this group. This allows you to add or remove members of the group in [[https://ccdb.computecanada.ca CCDB]].
# The directory, <code>/home/smithj/projects/def-smithj/shared_data</code> in our example, must be owned by you.  
# The directory, <code>/home/smithj/projects/def-smithj/shared_data</code> in our example, must be owned by you.  
# Since the data sharing group (<code>wg-datasharing</code> in this example) is not necessarily the owner of the directory you would like to share (<code>shared_data</code> in this example), all parent directories in its path should allow public entry. They do not need to have public read permission, unless you decide to allow it.
# Since the data sharing group (<code>wg-datasharing</code> in this example) is not necessarily the owner of the directory you would like to share (<code>shared_data</code> in this example), all parent directories in its path should allow public entry, that is, execute permission. They do not need to have public read permission, unless you decide to allow it.


How does you achieve these three requirements?  
How does you achieve these three requirements?  
* Send email to [mailto:support@computecanada.ca support@computecanada.ca] requesting creation of data sharing group, indicate name of the group you would like to have and that you should be the owner.
* Send email to [mailto:support@computecanada.ca support@computecanada.ca] requesting creation of data sharing group, indicate name of the group you would like to have and that you should be the owner.
* When you receive confirmation from ComputeCanada Support regarding creation of the group, go to [https://ccdb.computecanada.ca/services/ ccdb.computecanada.ca/services/] and access it:
* When you receive confirmation from Compute Canada Support that the group has been created, go to [https://ccdb.computecanada.ca/services/ ccdb.computecanada.ca/services/] and access it:
[[File:Cc services screen.png|1036px|Services screen displaying groups you can manage]]
[[File:Cc services screen.png|1036px|Services screen displaying groups you can manage]]


Line 141: Line 141:
[[File:Cc service add member success screen.png|1036px|Services screen showing members of the group]]
[[File:Cc service add member success screen.png|1036px|Services screen showing members of the group]]


* Make sure that path <code>/home/smithj/projects/def-smithj</code> is open for public access:
* Make sure that <code>/home/smithj/projects/def-smithj</code> can be traversed by anyone, that is, ensure it has execute permission turned on:
{{Command|chmod -R o+X /home/smithj/projects/def-smithj}}
{{Command|chmod -R o+X /home/smithj/projects/def-smithj}}
* Set up ACL for the path you have in mind and new group:
* Add the new group to the access control list (ACL) for the directory:
{{Command|setfacl -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data}}
{{Command|setfacl -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data}}


Bureaucrats, cc_docs_admin, cc_staff
2,915

edits

Navigation menu