Intro to BABAR AFS Usage
========================
T.Glanzman
30 September 1996
Contents:
I. AFS directory protection concepts
II. BABAR AFS Disk Space
III. ACL Scheme for BABAR
IV. Useful references
V. Summary of useful AFS commands
AFS is a hierarchical file system from the user's perspective. Access
is controlled on a per directory basis through the use of access
control lists (ACLs). Three concepts are relevant to a discussion on
directory protection and these are summarized below. The specific
implementation for the AFS-based BABAR group disk scheme is then
presented.
I. AFS directory protection concepts
------------------------------------
Each directory within AFS has one ACL. New subdirectories (mkdir)
inherit access controls from the parent directory, although they may
be subsequently changed. Each item within the ACL contains two
fields: a user/group designator; and a protection string. For
example, a directory might have the following ACL:
dragon rwlidka
g-babar rl
AFS User. "dragon" is my AFS userid (obtained at SLAC by executing
the "afsacct" command). It is, by convention, the same as the Unix
userid -- but this is not required in general. In any case, it is
absolutely distinct from the Unix userid; a person may have one
without the other.
AFS Group. "g-babar" is an AFS group, which is essentially just a
list of AFS userids or other AFS groups. Any AFS user may create any
number (up to a per account limit [20]) of groups. AFS groups
themselves have "owners" and permissions which determine who may
change the membership of a group.
AFS Permissions. Each AFS directory may be protected in up to seven
ways (unlike the native Unix file system which recognizes only
Read/Write/Execute for User/Group/Other). These seven protections are
listed below.
r READ the contents of files in the directory
w WRITE (modify) the contents of existing files in the directory
l LOOKUP status information about the files in the directory
d DELETE files from the directory
i INSERT (create) new files into the directory
k LOCK; set read or write locks on the files in the directory
a ADMINISTER; change the rights on the access control list
The most important combinations of these permissions include:
rl allows reading both files and directory
rwldik allows full R/W access to files and directory
rwldika allows full R/W access AND ability to modify the ACL
II. BABAR AFS Disk Space
------------------------
AFS disk space is allocated according to the following scheme.
"Partition" - a large chunk of disk space (generally a physical disk)
"Volume" - an area on a disk partition with a space quota; a volume
must be smaller than the partition upon which it resides; many
volumes may reside on the same partition; the total space allocated
to volumes (via their space quotas) may oversubscribe a partition
The new BFROOT = /afs/slac.stanford.edu/g/babar
Space has been allocated as follows (in the first column, replace "." with
"/" to see directory path):
AFS Group directories...
Volume Name Quota
g.babar 500000
g.babar.doc 500000
g.babar.src 500000
g.babar.package 500000
g.babar.repo 500000
g.babar.data.01 500000
g.babar.data.02 500000
g.babar.bbsim 500000
g.babar.dist.packages 500000
g.babar.dist.rel.01 500000
g.babar.dist.rel.02 500000
g.babar.dist.rel.03 500000
g.babar.dist.rel.04 500000
g.babar.dist.rel.05 500000
III. ACL Scheme for BABAR
-------------------------
To effectively manage the BABAR group directory space, the following
scheme is in use:
1. The following AFS groups have been created, indention reflects group
ownership:
owner-g-babar Owner group
g-babar Master key group
g-babar:admin Environment administrators
g-babar:member All BABAR collaborators (BBR_MEMBER)
g-babar:community All BABAR community (BBR_CMMNTY)
g-babar:www (currently unused)
g-www:host-www1 WWW server access group
g-babar:cx Computing mgmt
g-babar:rc Release coordinator(s)
g-babar:<pkg> Package coordinator(s) for software package "pkg"
g-babar:pkg-<pkg> [proposed new scheme for g-babar:<pkg>]
g-babar:bbsim bbsim production coordinator(s)
Note: the two groups, g-babar:member and g-babar:community, are
special in that they are automatically updated every 24 hours to
reflect our Oracle personnel database. These lists are believed to be
accurate as the Oracle lists are maintained by BABAR headquarters.
Groups will be protected in either of two ways: anyone in the group
may change the group membership ("A"); or, only someone in the owning
group may change the group membership ("O") as indicated in the
following table.
AFS Group Name Membership Change Owner
-------------- ----------------- ------------
g-babar A owner-g-babar
g-babar:rc A g-babar
g-babar:<pkg> A g-babar:rc
g-babar:<pkg>-d O g-babar:<pkg>
g-babar-admin A g-babar
g-babar:member O g-babar:admin
g-babar:community O g-babar:admin
Note that only three groups restrict the changing of their membership.
The g-babar:<pkg>-d developer's group (if it is used at all) is
controlled exclusively by the package coordinator(s); g-babar:member
and g-babar:community are ultimately controlled by D.Hitlin/T.Boysen
in the Oracle database and reflected by these groups.
2. Protect the BABAR directory tree with ACLs. The following examples
provide general guidelines which attempt to address our various
policies of openness, release/package coordination, maintainability,
and privacy.
$BFROOT, and $BFROOT/... (except as noted below)
g-babar rwldika Admins
g-www:host-www1 rl WWW server
g-babar:community rl Entire BABAR community
g-babar:member rl Entire BABAR membership
system:administrators rlidwka (SCS administrators)
system:authuser rl (klog-ed AFS user)
system:slac rl (any SLAC AFS user)
system:anyuser rl (any AFS user)
(last four permissions are the default at SLAC)
$BFROOT/dist, $BFROOT/dist/releases
g-babar rwldika Admins
g-www:host-www1 rl WWW server
g-babar:community rl Entire BABAR community
g-babar:member rl Entire BABAR membership
g-babar:rc rwldik Release Coordinator
[plus SLAC defaults]
$BFROOT/dist/packages, $BFROOT/dist/packages/<pkg>/...
g-babar rwldika Admins
g-www:host-www1 rl WWW server
g-babar:community rl Entire BABAR community
g-babar:member rl Entire BABAR membership
g-babar:rc rwldika Release Coordinator
g-babar:<pkg> rwldik
[plus SLAC defaults]
[repo is not currently in AFS, scheme below is rough draft]
$BFROOT/repo
g-babar rwldika Admins
g-babar:community rl Entire BABAR community
g-babar:member rl Entire BABAR membership
g-babar:rc rwldik Release Coordinator
g-babar:member rli (any collab may create new module)
[plus SLAC defaults]
$BFROOT/repo/<pkg> (or <module>)
g-babar rwldika Admins
g-babar:community rl Entire BABAR community
g-babar:member rl Entire BABAR membership
g-babar:rc rwldika
g-babar:<pkg> rwlidka
[either
g-babar:member rwlidk
or
g-babar:<pkg>-d rwlidk
g-babar:member rl
depending upon package coordinator's need]
[plus SLAC defaults]
$BFROOT/doc
g-babar rwldika Admins
g-www:host-www1 rl WWW server
g-babar:community rwlidk Entire BABAR community
g-babar:member rwlidk Entire BABAR membership
[plus SLAC defaults]
$BFROOT/data, /src, /bin*, /man*, /lib*, /include, /package
g-babar rwldika Admins
g-www:host-www1 rl WWW server
g-babar:community rwlidk Entire BABAR community
g-babar:member rwlidk Entire BABAR membership
[plus SLAC defaults]
$BFROOT/etc
g-babar rwldika Admins
g-babar:community rl Entire BABAR community
g-babar:member rl Entire BABAR membership
g-babar:admin rwldik
[plus SLAC defaults]
$BFROOT/secrets (imaginary directory for illustrative purposes)
g-babar rwldika Admins
g-babar:member rwlidk (only collaborators have
R/W permission...)
system:administrators rlidwka (SCS administrators)
Note that other non-BABAR SLAC users and the rest of the world are
prevented from reading this directory
3. Create scripts to automate these tasks
1. Pull all BBR_MEMBER names from Oracle DB and build "g-babar"
group ("makebbrc")
2. automate execution of above script ("cron")
3. Create/initialize new <pkg> directory and ACLs ("dirman")
4. Create new CVS module (some of which are packages) and ACLs
IV. Useful references
---------------------
1. Online compendium of AFS information:
http://www.slac.stanford.edu/comp/unix/afs/afs.html, or
directly via /afs/slac.stanford.edu/www/comp/unix/afs/afs.html
2. More detailed information is available from the AFS pseudo-man
pages (e.g. man afs, or man fs)
3. At SCS both Bob Cook and Renata Dart are the experts on AFS and support
its use at SLAC. An old, but still useful document on AFS is available as:
/usr/local/doc/afs/new-acount
4. A presentation at the January 1996 Collaboration meeting in Palaiseau
France is available and discusses sources of AFS client software
V. Summary of useful AFS commands
---------------------------------
The following commands are useful for users. Another set is useful to
system administrators. The bare minimum commands any user should know
are: "klog" and "tokens". AFS commands are stored in /usr/afsws/bin, and
man pages in /usr/afsws/man.
fs - (FileSystem) commands to manage files and ACLs
klog - obtain authentication token
knfs - obtain authentication from non-AFS system (NFS) via translator
kpasswd - change authentication password
pts - (ProTection Server) commands to manage ACL groups
rcp - afs replacement for normal rcp
rsh - afs replacement for normal rsh
tokens - display all tokens
unlog - discard all tokens
(note: "rlogin" and "rdist" are not AFS aware)
The "pts" commands has a number of subcommands:
ad adduser add a user to a group
ap apropos search by help text
ch chown change ownership of a group
cg creategroup create a new group
cu createuser create a new user
del delete delete a user or group from database
e examine examine an entry
h help get help on commands
listm listmax list max id
listo listowned list owned groups
mem membership list membership of a user or group
rem removeuser remove a user from a group
ren rename rename user or group
setf setfields set fields for an entry
setm setmax set max id
The "fs" command has a number of subcommands:
ap apropos search by help text
checks checkservers check local cell's servers
checkv checkvolumes check volumeID/name mappings
cl cleanacl clean up access control list
co copyacl copy access control list
de debug set debugging info
df diskfree show server disk space usage
exa/lv examine display volume status
exp exportafs enable/disable translators to AFS
flush flush file from cache
flushv flushvolume flush all data in volume
getca getcacheparms get cache usage info
getce getcellstatus get cell status
gets/gp getserverprefs get file server ranks
h help get help on commands
la listacl list access control list
listc listcells list configured cells
lq listquota list volume quota
ls lsmount list mount point
me messages control Cache Manager messages
mkmount make mount point
monitor set cache monitor host address
newcell configure new cell
q quota show volume quota usage
rm rmmount remove mount point
sa setacl set access control list
setca setcachesize set cache size
setce setcell set cell status
sq setquota set volume quota
sets/sp setserverprefs set file server ranks
sv setvol set volume status
sy sysname get/set sysname (i.e. @sys) value
whe whereis list file's location
whi whichcell list file's cell
ws wscell list workstation's cell