Sharing data: Difference between revisions

Jump to navigation Jump to search

Sharing data (view source)

Revision as of 14:48, 26 August 2019

489 bytes added ,  5 years ago
rewritten pursuant to discussion in #general-support to disentangle the notion of using ACLs from Data Sharing Groups
m (the file's group is not really "your" group (singular - though to chgrp yourself, it must be among your groups))
(rewritten pursuant to discussion in #general-support to disentangle the notion of using ACLs from Data Sharing Groups)
Line 116: Line 116:


== Access control lists (ACLs) == <!--T:10-->
== Access control lists (ACLs) == <!--T:10-->
=== Sharing Access with an Individual ===


<!--T:8-->
<!--T:8-->
Line 122: Line 124:
* <tt>setfacl</tt> to alter them.  
* <tt>setfacl</tt> to alter them.  


==== Sharing a single file ====
<!--T:19-->
<!--T:19-->
To allow a single person with username <tt>smithj</tt> to have read and execute permission on the file <tt>my_script.py</tt>, use:
To allow a single person with username <tt>smithj</tt> to have read and execute permission on the file <tt>my_script.py</tt>, use:
<source lang="console">
<source lang="console">
[ someuser@server ]$ setfacl -m u:smithj:rx my_script.py
$ setfacl -m u:smithj:rx my_script.py
</source>
</source>
==== Sharing a subdirectory ====


<!--T:20-->
<!--T:20-->
To allow read and write access to everything within a certain directory (for example ''/home/smithj/projects/def-smithj/shared_data'') for particular group (for example ''wg-datasharing''), use the following commands:
To allow read and write access to a single user in a whole subdirectory, including new files created in it, you can run the following commands:
 
<source lang="console">
<source lang="console">
[ someuser@server ]$ setfacl -d -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data
$ setfacl -d -m u:smithj:rwx /home/<user>/projects/def-<PI>/shared_data
[ someuser@server ]$ setfacl -R -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data
$ setfacl -R -m u:smithj:rwx /home/<user>/projects/def-<PI>/shared_data
</source>
</source>
First command sets default access rules to directory <code>/home/smithj/projects/def-smithj/shared_data</code>, so any file or directory created within it will inherit the same ACL rule. It is required for '''new''' data.
 
Second command sets ACL rules to directory <code>/home/smithj/projects/def-smithj/shared_data</code> and all its content currently in it. So it is applicable only to '''existing''' data.
The first command sets default access rules to directory <code>/home/<user>/projects/def-<PI>/shared_data</code>, so any file or directory created within it will inherit the same ACL rule. It is required for '''new''' data. The second command sets ACL rules to directory <code>/home/<user>/projects/def-<PI>/shared_data</code> and all its content currently in it. So it is applicable only to '''existing''' data.
 
In order for this method to work the following things need to be in place:
In order for this method to work the following things need to be in place:
* Group <code>wg-datasharing</code> (or any other name you prefer) must be created in CCDB and you must be assigned ownership of this group. This allows you to add or remove members of the group in [[https://ccdb.computecanada.ca CCDB]].
* The directory, <code>/home/smithj/projects/def-smithj/shared_data</code> in our example, must be owned by you.  
* The directory, <code>/home/smithj/projects/def-smithj/shared_data</code> in our example, must be owned by you.  
* Since the data sharing group (<code>wg-datasharing</code> in this example) is not necessarily the owner of the directory you would like to share (<code>shared_data</code> in this example), all parent directories in its path should allow public entry, that is, execute permission. They do not need to have public read permission, unless you decide to allow it.
* All parent directories of the one you are trying to share should allow public entry (i.e. o+x permissions), or at the least execute ACLs for the person you are trying to share with (i.e. <code>u:smithj:r</code> in this example). They do not need to have public read permission, unless the owner decides to allow it. In practical terms, this means that the project directory (/projects/def-<PI>) must give permission for either everyone, or at least the people you are trying to share your data with, execute permission on the project directory.
 
=== Data Sharing Groups ===
 
For more complicated data sharing scenarios (those involving multiple people on multiple clusters), it is also possible to create a '''data sharing group'''. A data sharing group is a special group to which all people with whom certain data is to be shared are added. This group is then given access permissions through ACLs.
 
You do not need a data sharing group except in specialized sharing circumstances.


<!--T:21-->
<!--T:21-->
How do you achieve these three requirements?
==== Creating a data sharing group ====
 
The steps below describe how to create a data sharing group. In this example it is called <code>wg-datasharing</code>
 
<br />1. Send email to [mailto:support@computecanada.ca support@computecanada.ca] requesting creation of data sharing group, indicate name of the group you would like to have and that you should be the owner.
<br />1. Send email to [mailto:support@computecanada.ca support@computecanada.ca] requesting creation of data sharing group, indicate name of the group you would like to have and that you should be the owner.
<br />2. When you receive confirmation from Compute Canada Support that the group has been created, go to [https://ccdb.computecanada.ca/services/ ccdb.computecanada.ca/services/] and access it:<br />
<br />2. When you receive confirmation from Compute Canada Support that the group has been created, go to [https://ccdb.computecanada.ca/services/ ccdb.computecanada.ca/services/] and access it:<br />
Line 155: Line 170:


<!--T:23-->
<!--T:23-->
<br />5. Make sure that <code>/home/smithj/projects/def-smithj</code> can be traversed by anyone, that is, ensure it has execute permission turned on:
==== Using a data sharing group ====
<source lang="console">
 
[ someuser@server ]$ chmod  o+X /home/smithj/projects/def-smithj
Just as with individual user sharing, the parent directories of the data you are trying to share must have execute permissions either for everyone or for the data sharing group. In your project directory, this implies that your PI must give consent as follows (unless you have permission to do this yourself):
 
<source>
$ chmod  o+X /project/def-<PI>/
</source>
or
<source>
$ setfacl g:wg_datasharing:X /project/def-<PI>/
</source>
</source>
If you cannot execute this command due to lack of permissions, you should either contact owner of <code>def-smithj</code> directory (usually it is your PI) or contact [mailto:support@computecanada.ca support@computecanada.ca]
 
<br />6. Add the new group to the access control list (ACL) for the directory:
Finally, you can add your group to the ACL for the directory you are trying to share. The command parallel those needed to share with an individual:
 
<source lang="console">
<source lang="console">
[ someuser@server ]$ setfacl -d -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data
$ setfacl -d -m g:wg-datasharing:rwx /home/<user>/projects/def-<PI>/shared_data
[ someuser@server ]$ setfacl -R -m g:wg-datasharing:rwx /home/smithj/projects/def-smithj/shared_data
$ setfacl -R -m g:wg-datasharing:rwx /home/<user>/projects/def-<PI>/shared_data
</source>
</source>


</translate>
</translate>
Enaumov
cc_staff
37

edits

Retrieved from "https://docs.alliancecan.ca/wiki/Special:MobileDiff/75698"

Navigation menu