(rewritten pursuant to discussion in #general-support to disentangle the notion of using ACLs from Data Sharing Groups)
(Marked this version for translation)
== Access control lists (ACLs) == <!--T:10-->
=== Sharing Access with an Individual === <!--T:25-->
<!--T:8-->
* <tt>setfacl</tt> to alter them.
==== Sharing a single file ==== <!--T:19-->
To allow a single person with username <tt>smithj</tt> to have read and execute permission on the file <tt>my_script.py</tt>, use:
<source lang="console">
</source>
==== Sharing a subdirectory ==== <!--T:26-->
<!--T:20-->
To give a single user read and write access to a whole subdirectory, including files and directories created in it later, run the following two commands:
<!--T:27-->
<source lang="console">
$ setfacl -d -m u:smithj:rwx /home/<user>/projects/def-<PI>/shared_data
</source>
<!--T:28-->
The first command sets a ''default'' ACL on the directory <code>/home/<user>/projects/def-<PI>/shared_data</code>, so any file or directory created inside it afterwards inherits the same entry; it is what covers '''new''' data. The second command sets the access ACL on that directory and on everything currently in it, so it covers only '''existing''' data. Note that <code>setfacl -d</code> without <code>-R</code> sets the default entry on the named directory only: subdirectories that already exist do not receive it, so files created later inside them will not inherit the ACL unless you also apply the default entry recursively (<code>setfacl -R -d -m ...</code>).
<!--T:29-->
In order for this method to work, the following need to be in place:
* The directory, <code>/home/<user>/projects/def-<PI>/shared_data</code> in our example, must be owned by you; only the owner of a file or directory (or root) can change its ACL.
* Every parent directory of the one you are sharing must allow entry, either for everyone (<code>o+x</code> permission) or at least through an execute ACL for the person you are sharing with (<code>u:smithj:x</code> in this example). Parent directories do not need to be publicly readable unless their owner chooses to allow it. In practical terms, the project directory (<code>/projects/def-<PI></code>) must grant execute permission either to everyone or at least to the people you are sharing with; without it they cannot reach <code>shared_data</code>, whatever its own ACL says.
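The commands above, and the two preconditions, wrapped in a small POSIX shell script. This is an added example and not code from the wiki page or from Compute Canada; it assumes the GNU acl tools (<code>setfacl</code>/<code>getfacl</code>) on an ACL-enabled filesystem, and it takes the principal as <code>u:<user></code> or <code>g:<group></code>, so the same functions cover the data sharing group form described later on this page. The user <code>smithj</code>, the group <code>wg-datasharing</code>, the <code>def-pi</code> directory and the file name <code>share_acl.sh</code> are placeholders.

```sh
#!/bin/sh
# Added example, not part of the wiki page or of Compute Canada tooling.
# Assumes GNU acl tools (setfacl/getfacl) and an ACL-enabled filesystem.
# Principal is "u:<user>" or "g:<group>"; smithj, wg-datasharing and def-pi
# are placeholders taken from the page.

# Share a single file: read + execute for one principal.
share_file() {            # share_file u:smithj my_script.py
    setfacl -m "$1:rx" "$2"
}

# Share a directory tree: default ACL for data created later, plus a
# recursive access ACL for data already there. -R on the default entry
# matters: without it only the top directory gets a default ACL, and files
# created later inside existing subdirectories do not inherit anything.
share_dir() {             # share_dir g:wg-datasharing /home/<user>/projects/def-<PI>/shared_data
    setfacl -R -d -m "$1:rwx" "$2"   # new data
    setfacl -R -m "$1:rwx" "$2"      # existing data
}

# True if "others" have execute (search) permission on directory $1.
# Reads the 10th character of ls -ld output, so it needs no GNU stat.
world_exec() {
    case $(ls -ld "$1" | cut -c10) in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# True if the access ACL of $1 gives execute to principal $2, judged on the
# effective permission (the mask entry can silently strip rights, which
# getfacl reports as "#effective:...").
acl_grants_exec() {
    case $2 in
        u:*) kind=user ;;
        g:*) kind=group ;;
        *)   return 1 ;;
    esac
    command -v getfacl >/dev/null 2>&1 || return 1
    getfacl --omit-header "$1" 2>/dev/null |
        awk -v e="$kind:${2#*:}:" '
            index($0, e) == 1 { p = $NF; sub(/.*:/, "", p); if (p ~ /x/) ok = 1 }
            END { exit (ok ? 0 : 1) }'
}

# The page's precondition: every parent of $1 must be enterable by $2,
# via o+x or via an execute ACL. Walks up to (not including) $3, which
# defaults to "/". Prints each blocking directory; returns 1 if any.
check_parent_traversal() {
    principal=$2; stop=${3:-/}; rc=0
    dir=$(dirname "$1")
    while [ "$dir" != "$stop" ] && [ "$dir" != / ] && [ "$dir" != . ]; do
        if ! world_exec "$dir" && ! acl_grants_exec "$dir" "$principal"; then
            echo "not traversable by $principal: $dir"
            rc=1
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# End-to-end demonstration on a throwaway tree (run with --demo).
demo() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed"; return 0; }
    top=$(mktemp -d)
    mkdir -p "$top/def-pi/shared_data/old_subdir"
    touch "$top/def-pi/shared_data/old_subdir/existing.txt"
    chmod 750 "$top/def-pi"                               # project dir closed to others
    share_dir u:smithj "$top/def-pi/shared_data"
    touch "$top/def-pi/shared_data/old_subdir/new.txt"    # inherits via the default ACL
    getfacl --omit-header "$top/def-pi/shared_data/old_subdir/new.txt"
    check_parent_traversal "$top/def-pi/shared_data" u:smithj "$top" ||
        echo "PI must run: chmod o+X $top/def-pi"
    chmod o+X "$top/def-pi"
    check_parent_traversal "$top/def-pi/shared_data" u:smithj "$top" &&
        echo "smithj can now reach shared_data"
    rm -rf "$top"
}

case ${1:-} in --demo) demo ;; esac
```

Saved as <code>share_acl.sh</code> and run with <code>sh share_acl.sh --demo</code>, the script shows the ACL of a file created after the default entry was set: <code>smithj</code> appears with <code>rwx</code> but <code>#effective:rw-</code>, because the mask of an ordinary file is derived from the mode the creating process asked for. The same mask is what a later <code>chmod g-w</code> on a directory lowers, silently reducing the effective rights of every named user and group in the ACL, which is why the traversal check reads the effective permission rather than the entry itself.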
=== Data Sharing Groups === <!--T:30-->
<!--T:31-->
For more complicated data sharing scenarios (those involving multiple people on multiple clusters), it is also possible to create a '''data sharing group'''. A data sharing group is a special group to which all people with whom certain data is to be shared are added. This group is then given access permissions through ACLs.
<!--T:32-->
You do not need a data sharing group except in specialized sharing circumstances.
==== Creating a data sharing group ==== <!--T:21-->
<!--T:33-->
The steps below describe how to create a data sharing group. In this example it is called <code>wg-datasharing</code>.
<!--T:34-->
<br />1. Send an email to [mailto:support@computecanada.ca support@computecanada.ca] requesting the creation of a data sharing group; give the name you would like the group to have and state that you should be its owner.
<br />2. When you receive confirmation from Compute Canada Support that the group has been created, go to [https://ccdb.computecanada.ca/services/ ccdb.computecanada.ca/services/] and access it:<br />
[[File:Cc service add member success screen.png|1036px|Services screen showing members of the group]]
==== Using a data sharing group ==== <!--T:23-->
<!--T:35-->
Just as when sharing with an individual user, every parent directory of the data you are sharing must grant execute permission either to everyone or to the data sharing group. For your project directory this means your PI must open it as follows (unless you have permission to do this yourself):
<!--T:36-->
<source>
$ chmod o+X /project/def-<PI>/
</source>
<!--T:37-->
Finally, add your group to the ACL of the directory you want to share. The commands parallel those used to share with an individual, with <code>g:</code> and the group name in place of <code>u:</code> and the username:
<!--T:38-->
<source lang="console">
$ setfacl -d -m g:wg-datasharing:rwx /home/<user>/projects/def-<PI>/shared_data