Introduction to AFS Duties and Powers of WWW Space Owners

18 Jul 1998





Overview

This document is an introduction for new owners of production WWW subdirectories on their AFS duties and powers. It assumes you are already familiar with How to Install Pages in the Production SLAC Web.

The page uses Damping Ring group space as an example. Please substitute your AFS WWW subdirectory for /afs/slac/www/grp/ad/addr, your "all" AFS group for g-www:g-addr, and your "owner" AFS group for g-www:owner-g-addr. Your subdirectory and the AFS groups are in the email you receive announcing their creation.

For the purposes of this example, the damping ring production Web space has been set up. You are one of its owners. As an "owner" of /afs/slac/www/grp/ad/addr space, you have certain duties and powers regarding access and space usage.

By default you may write and perform "all" AFS actions in this subdirectory and any sub-subdirs under it because you are a member of the AFS group g-www:g-addr. To see who's in this group, issue the command:

pts member g-www:g-addr

For more information, read Introduction to AFS Commands for WWW Authors.

You are also the "owner" of this "write" group by virtue of being in the associated AFS group g-www:owner-g-addr. This means you control who's in group g-www:g-addr.

Changing Membership in the AFS Authoring Group

To add a user to g-www:g-addr so that that person may add, modify, and delete files in the .../grp/ad/addr subdir, the potential member must first have obtained AFS privileges for his or her UNIX account. Only then may you issue the necessary AFS commands to add the user to or delete the person from the group.

Checking the Account Privileges

To see if the account has AFS privileges, issue the command:

pts examine username

where username is thought to be a valid UNIX user name.

If the output is something like:

Name: username, id: 2222, owner: system:administrators, creator: sysctl,
  membership: 11, flags: S----, group quota: 19.

the account is a UNIX account that has been authorized for AFS. You may proceed to Modifying the AFS Group.

If the output is something like:

pts: User or group doesn't exist so couldn't look up id for username

the username is not authorized for AFS.

Next check to see if the username is a valid UNIX account by issuing the command:

ypmatch username passwd

If the output is something like:

username:J3iuQsf0Mx..o:2222:1000:Firstname Lastname:/u/sf/username:/bin/tcsh

the username is a valid UNIX account.

If the output is something like:

ypmatch: 1831-150 Cannot match key username in map passwd.byname.
    Reason: no such key in map.

the user needs to get a UNIX account.

Obtaining Account Privileges

To obtain a UNIX account, get a "SLAC Computer Account Form" from the Help Desk in the Computer Building (50) Lobby and have the user fill it out. Or you may print off the online copy. See "UNIX at SLAC: Getting Started" for specifics.

After the UNIX account has been established, the user may obtain AFS privileges for it by issuing the command:

afsacct

and following the prompts.

There are actually two UNIX passwords now, the regular UNIX one and an AFS one. It is generally easier to set both to the same value. (We're moving in the direction of having only one, encrypted password, but we won't be there for a while yet.)

Modifying the AFS Group

When the user's account is set up for UNIX with AFS privileges, you may actually add the person, username, to the AFS "write" group, g-www:g-addr.

The next instructions assume you are already familiar with basic AFS commands like tokens and klog. If not, please take a few minutes to review the SLAC AFS Users' Guide or obtain a printed copy at the Help Desk.

As a member of group g-www:owner-g-addr, you issue the AFS command:

pts adduser -user username -group g-www:g-addr

where username is the AFS-privileged user name of the person being added.

To see the syntax of the pts adduser command, issue:

pts adduser -help

To make sure he or she has gotten in OK, issue:

pts member g-www:g-addr

If you need to remove a member of the group, issue:

pts removeuser -user username -group g-www:g-addr

where username is an AFS user name in the group.
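Because owners control who can write to the production space, it is worth comparing the output of pts member against an approved roster from time to time. The following is an added example, not part of the original SLAC page; the user names, the group id, and the roster are constructed, and the function reads pts member output on standard input.

```shell
#!/bin/sh
# Added example (not SLAC's own code): report drift between the members of
# the AFS "write" group and the roster the owners have approved.

# Constructed sample of `pts member g-www:g-addr` output; names and id invented.
SAMPLE_MEMBERS='Members of g-www:g-addr (id: -2222) are:
  alice
  bob
  mallory'

# Approved roster, space-separated (assumption: maintained by the owners).
APPROVED='alice bob carol'

# audit_members ROSTER
#   stdin : output of `pts member <group>`
#   stdout: "EXTRA name"   for each member that is not on the roster
#           "MISSING name" for each roster entry that is not in the group
#   status: 0 when group and roster agree, 1 otherwise
audit_members() {
    awk -v roster="$1" '
        BEGIN { n = split(roster, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        /^Members of / { next }            # header line printed by pts
        NF == 1 {                          # one indented member name per line
            seen[$1] = 1
            if (!($1 in want)) { print "EXTRA " $1; bad = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(r[i] in seen)) { print "MISSING " r[i]; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Demo on the constructed sample. Live use:
#   pts member g-www:g-addr | audit_members "$APPROVED"
printf '%s\n' "$SAMPLE_MEMBERS" | audit_members "$APPROVED" || true
```

An EXTRA line is a candidate for pts removeuser; a MISSING line means the person has not been added yet or has already been removed.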

Reviewing the Subdirectory's Access Control List

To see what AFS group(s) have write or other "rights" on the subdirectory /afs/slac/www/grp/ad/addr, issue the command:

fs listacl /afs/slac/www/grp/ad/addr

This displays the subdir's Access Control List (ACL).

In addition to the group g-www:g-addr, you will see g-www:g-admin, which gives authorized people on the WWW-Tech Committee emergency access, and three "system" groups described in the subsection "A Typical SLAC Directory" in the AFS Users' Guide.

To see the syntax of the fs listacl command, issue:

fs listacl -help
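The ACL review described above can be checked mechanically. The following is an added example, not part of the original SLAC page: it reads fs listacl output on standard input and flags any principal outside an expected list that holds insert, delete, write, or administer rights. The sample listing, the user jdoe, and the inclusion of system:administrators in the expected list are assumptions; the page does not name the three "system" groups.

```shell
#!/bin/sh
# Added example (not SLAC's own code): flag unexpected principals that can
# modify the production WWW subdirectory.

# Principals expected to hold modify rights (assumption: adjust to your ACL).
ALLOWED_WRITERS='g-www:g-addr g-www:g-admin system:administrators'

# Constructed sample of `fs listacl /afs/slac/www/grp/ad/addr` output.
SAMPLE_ACL='Access list for /afs/slac/www/grp/ad/addr is
Normal rights:
  g-www:g-addr rlidwka
  g-www:g-admin rlidwka
  system:administrators rlidwka
  system:anyuser rl
  jdoe rlidwk'

# audit_acl
#   stdin : output of `fs listacl <dir>`
#   stdout: "UNEXPECTED principal rights" for each entry under "Normal rights"
#           that holds i (insert), d (delete), w (write) or a (administer)
#           and is not listed in ALLOWED_WRITERS
#   status: 0 when nothing is flagged, 1 otherwise
audit_acl() {
    awk -v allowed="$ALLOWED_WRITERS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Access list for/  { section = "";         next }
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && NF == 2 {
            if ($2 ~ /[idwa]/ && !($1 in ok)) {
                print "UNEXPECTED " $1 " " $2
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Demo on the constructed sample. Live use:
#   fs listacl /afs/slac/www/grp/ad/addr | audit_acl
printf '%s\n' "$SAMPLE_ACL" | audit_acl || true
```

Read-only entries such as "rl" are not flagged, and entries under "Negative rights" are ignored because they only take rights away.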

Space Monitoring

Your group has been allocated production WWW space on its own AFS volume, www.grp.ad.addr, mounted at /afs/slac/www/grp/ad/addr.

This means you are not affected by being on a shared volume used by many groups when someone else suddenly takes up a lot of space. It also means you are responsible for monitoring the fullness of your own AFS volume. To query the percentage used, issue the command:

fs listquota /afs/slac/www/grp/ad/addr

To see all volumes associated with any subdirectories in the addr subdirectory (one level down only) and their usage, issue the command:

fs listquota /afs/slac/www/grp/ad/addr/*

To see the syntax of the fs listquota command, issue:

fs listquota -help

If you find your volume getting full, send email to unix-admin@slac.stanford.edu requesting more. If you know you will be needing a large amount more, please give unix-admin advance notice.

Again, you may find more information about AFS at SLAC in the AFS Users' Guide. If you have any suggestions for how to make this document more useful, please send feedback here.


Winters