X-Git-Url: https://sipb.mit.edu/gitweb.cgi/wiki.git/blobdiff_plain/7af3d62e99ad383b40dae7e5d33f1d5b81bf0050..04ffeb2bb0b6b6bf48060f2f20c508d2b01aa16f:/doc/afs-and-you.html diff --git a/doc/afs-and-you.html b/doc/afs-and-you.html index 0ebf903..f2c85c8 100644 --- a/doc/afs-and-you.html +++ b/doc/afs-and-you.html @@ -19,7 +19,7 @@
  • Troubleshooting
      -
    1. I'm trying to access my files, fs la says I should have permissions …
    2. +
    3. I'm trying to access my files, fs listacl says I should have permissions …
    4. I'd really prefer that not everyone could list my files, how should I stop …
    5. It was around 6am on a Sunday morning and suddenly I couldn't access my …
    6. It isn't Sunday and I can't get to my files
    7. @@ -43,7 +43,7 @@ Credit goes to them, blame goes to him.

      What is AFS?

      -AFS (previously the Andrew File System or ) is a distributed network file system invented at Carnegie Mellon University as part of Project Andrew (approximately their equivalent of MIT's Project Athena). More importantly, it is the file system used to store most files on Athena today. This includes your personal home directory, the data and websites of many living groups and student groups on campus, and probably some of the software you run (if you ever use Athena clusters). (Though most user directories were migrated from NFS in the summer of 1992, some files still remain on NFS and, of course, various file systems are used on personal computers and servers.) +AFS (previously the Andrew File System or ) is a distributed network file system invented at Carnegie Mellon University as part of Project Andrew (approximately their equivalent of MIT's Project Athena). More importantly, it is the file system used to store most files on Athena today. This includes your personal home directory, the data and websites of many living groups and student groups on campus, and probably some of the software you run (if you ever use Athena clusters). (Though most user directories were migrated from NFS in the summer of 1992, some files still remain on NFS and, of course, various file systems are used on personal computers and servers.)

      @@ -80,7 +80,7 @@ By default, this directory can only be read and can only be listed by you This folder is a link to a read-only copy of a backup of your files (created nightly around 3 a.m.). This copy cannot be edited and does not count against the locker's quota. From a technical standpoint, this is a separate volume with .backup appended (e.g. user.<username>.backup ) and is stored only as changes against the current copy.

      www
      -Where you should put a website, if you want one. There is very little special about this directory from an AFS standpoint, but it is world-readable (like Public) and is linked directly to http://www.mit.edu/~<lockername> as well as http://web.mit.edu/<lockername>/www/. +Where you should put a website, if you want one. There is very little special about this directory from an AFS standpoint, but it is world-readable (like Public) and is linked directly to https://www.mit.edu/~<lockername> as well as https://web.mit.edu/<lockername>/www/.

      Accessing Lockers

      From Athena

      @@ -89,7 +89,7 @@ Where you should put a website, if you want one. There is very little special ab On Athena, you can access a locker either as its full AFS path, if you know it (e.g. /afs/athena.mit.edu/course/6/6.01), or under /mit if it is "attached." Though you can always use the full path, you often want to attach lockers because it is easier to refer to them and software is set up to run with a path under /mit. There are a few ways to attach a locker:

      -

      From the Web

      -Generally any locker that you would access on Athena as /mit/<locker> is accessible on the web as http://web.mit.edu/<locker>. For example, the barnowl locker is at http://web.mit.edu/barnowl. As you can see, if there is no index.html (see below), the files in the directory are listed. By default, however, none of the contents are readable except in the www and Public folders. +Generally any locker that you would access on Athena as /mit/<locker> is accessible on the web as https://web.mit.edu/<locker>. For example, the barnowl locker is at https://web.mit.edu/barnowl. As you can see, if there is no index.html (see below), the files in the directory are listed. By default, however, none of the contents are readable except in the www and Public folders.

      -Also, you may access something in one of the MIT AFS cells by typing its full AFS path after web.mit.edu (http://web.mit.edu/afs/athena.mit.edu/activity/c/chess-club). (That link also shows that if you have a text file named README readable, as a link to Public/README for example, its contents will be displayed below the directory listing). +Also, you may access something in one of the MIT AFS cells by typing its full AFS path after web.mit.edu (https://web.mit.edu/afs/athena.mit.edu/activity/c/chess-club). (That link also shows that if you have a text file named README readable, as a link to Public/README for example, its contents will be displayed below the directory listing). -Note that when accessed from web.mit.edu (or www.mit.edu), only static files may be shown. If you are interested in serving dynamic content (such as a blog or wiki using PHP, Perl, Python, Ruby, etc.), you should check out SIPB's Scripts dynamic web service. See http://scripts.mit.edu for more information. +Note that when accessed from web.mit.edu (or www.mit.edu), only static files may be shown. If you are interested in serving dynamic content (such as a blog or wiki using PHP, Perl, Python, Ruby, etc.), you should check out SIPB's Scripts dynamic web service. See https://scripts.mit.edu for more information.

      Checking Quota

      @@ -122,10 +122,10 @@ If this information is good enough for you, then you are done. If not, read on. You may be familiar with Unix permissions. Sad to say, but that knowledge is more or less useless here. While Unix permissions are per-file, AFS permissions are controlled by Access Control Lists (ACLs) on a per-directory basis. (AFS does however, attend to the execute Unix permission on a file. )

      -To view the ACL for a given directory (where you have permission to do so), run fs listacl or fs la, for short. For a typical user locker, the ACL in the top level will look like this +To view the ACL for a given directory (where you have permission to do so), run fs listacl, or fs la for short. For a typical user locker, the ACL in the top level will look like this

      -
      user@host:~$ fs la
      +
      user@host:~$ fs listacl
       Access list for . is
       Normal rights:
         system:expunge ld
      @@ -152,7 +152,7 @@ This is a list of users or AFS groups and thei
       To add a user or group to the ACL for a given directory simply run fs setacl or fs sa as follows:
       
       

      -
      fs sa <directory> <user or group> <permissions> [<user or group> <permissions>]*
      +
      fs setacl -dir <directory> [<directory>]* -acl <user or group> <permissions> [<user or group> <permissions>]*
       
      <directory>
      can be an absolute or relative path, usually you will want .
      <user or group>
      @@ -166,11 +166,11 @@ can be a string of the above letters (in any order) or any of the words read For example, if user wants his friends sipbtest and jarandom to be able to read and write files and anyone to be able to read files in his awesome_project directory, he might have a session that looks like this

      user@host:~$ cd awesome_project/
      -user@host:~/awesome_project$ fs sa . system:anyuser read
      -user@host:~/awesome_project$ fs sa . jarandom write
      -user@host:~/awesome_project$ fs sa . sipbtest write
      -user@host:~/awesome_project$ #alternatively: fs sa . system:anyuser read jarandom write sipbtest write
      -user@host:~/awesome_project$ fs la
      +user@host:~/awesome_project$ fs setacl -dir . -acl system:anyuser read
      +user@host:~/awesome_project$ fs setacl -dir . -acl jarandom write
      +user@host:~/awesome_project$ fs setacl -dir . -acl sipbtest write
      +user@host:~/awesome_project$ #alternatively: fs setacl -dir . -acl system:anyuser read jarandom write sipbtest write
      +user@host:~/awesome_project$ fs listacl
       Access list for . is
       Normal rights:
         system:expunge ld
      @@ -183,13 +183,13 @@ user@host:~/awesome_project$
       

      See also: man 1 fs, fs help <command>, man fs_listacl. -There is also such thing as negative permissions to deny rights to certain members of a larger group to which positive permissions are granted. In the words of the fs_setacl manpage, however,

      Setting negative permissions is generally unnecessary and not recommended. Simply omitting a user or group from the "Normal rights" section of the ACL is normally adequate to prevent access. In particular, note that it is futile to deny permissions that are granted to members of the system:anyuser group on the same ACL; the user needs only to issue the unlog command to receive the denied permissions.
      For an example of negative permissions used on Athena run fs la /afs/athena.mit.edu/contrib/games/. +There is also such thing as negative permissions to deny rights to certain members of a larger group to which positive permissions are granted. In the words of the fs_setacl manpage, however,
      Setting negative permissions is generally unnecessary and not recommended. Simply omitting a user or group from the "Normal rights" section of the ACL is normally adequate to prevent access. In particular, note that it is futile to deny permissions that are granted to members of the system:anyuser group on the same ACL; the user needs only to issue the unlog command to receive the denied permissions.
      For an example of negative permissions used on Athena run fs listacl /afs/athena.mit.edu/contrib/games/.

      Creating an AFS Group

      -The "normal" way to make an AFS group would be with a command similar to pts creategroup <your user name>:<group name> and then add people with pts adduser <user> <full group name>(e.g. If Donald Guy wanted to created a group for people to edit his www directory (including sipbtest and jflorey, he might use the following chain of commands pts creategroup fawkes:www ; pts adduser sipbtest fawkes:www; pts adduser jflorey fawkes:www; fs sa /mit/fawkes/www fawkes:www write +The "normal" way to make an AFS group would be with a command similar to pts creategroup <your user name>:<group name> and then add people with pts adduser <user> <full group name>(e.g. If Donald Guy wanted to created a group for people to edit his www directory (including sipbtest and jflorey, he might use the following chain of commands pts creategroup fawkes:www; pts adduser sipbtest fawkes:www; pts adduser jflorey fawkes:www; fs setacl -dir /mit/fawkes/www -acl fawkes:www write

      You can see general information about a group by running pts examine <group> and see the membership of a group by running pts membership <group>. In the above example: @@ -197,7 +197,7 @@ You can see general information about a group by running pts examine <gro fawkes@dr-wily:~$ pts examine fawkes:www Name: fawkes:www, id: -33555072, owner: fawkes, creator: fawkes, membership: 2, flags: S-M--, group quota: 0. -fawkes@dr-wily:~$ pts mem fawkes:www +fawkes@dr-wily:~$ pts membership fawkes:www Members of fawkes:www (id: -33555072) are: jflorey sipbtest @@ -226,31 +226,24 @@ Unfortunately, adding specific users to an AFS ACL does not mean they can see th

      • You can require that the user have valid certificates: -
          <limit GET>
        -  require valid-user
        -  </limit>
        +
        require valid-user
         
      • You can require the reader be (a) specific user(s), for example: -
          <limit GET>
        -  require user fawkes jflorey sipbtest jarandom
        -  </limit>
        -
        +
        require user fawkes jflorey sipbtest jarandom
         
      • You can require that the reader be a member of one of certain moira groups (notice these are moira groups, there is no "system:". For example: -
         <limit GET>
        -  require group sipb-staff sipb-prospectives
        - </limit>
        +
        require group sipb-staff sipb-prospectives
         

      -

      Note that you cannot mix users and groups in the same directory

      . +

      Note that you cannot mix users and groups in the same directory.

      -

      Finally fs sa <dir> system:htaccess.mit read .

      +

      Finally fs setacl -dir <dir> -acl system:htaccess.mit read.

      Thereafter, the users should be able to get to the folders at https://web.mit.edu/<locker>/<path to folder> if they have certificates and no one should be able to reach it via http. Make sure to add yourself if you are going to be accessing it.

      -see also: http://ist.mit.edu/services/web/reference/web-resources/https +see also: https://ist.mit.edu/services/web/reference/web-resources/https

      Troubleshooting

      -

      I'm trying to access my files, fs la says I should have permissions here, but it still says : Permission denied

      +

      I'm trying to access my files, fs litacl says I should have permissions here, but it still says : Permission denied

      There are two likely possibilities. First, its likely that your tokens may have expired. You can check this by running tokens. If they are, in fact, expired (or missing) get new tokens as follows: first, make sure you have valid kerberos tickets and then run aklog. Another possibility is that you have tokens but not for the correct cell. tokens will tell you what tokens you already have. In all likelihood, if you are reading this, you probably want aklog athena sipb. Finally, a third possibility is that your group membership has changed since you acquired tokens. Try running aklog -force @@ -262,10 +255,10 @@ What you don't want to do is take away the l permission from

      <html>
       <head>
      -  <meta http-equiv="Refresh" content="0; url=http://web.mit.edu/<lockername>/www">
      +  <meta http-equiv="Refresh" content="0; url=https://web.mit.edu/<lockername>/www">
       </head>
       <body>
      -  <p>Please go to my <a href="http://web.mit.edu/<lockername>/www">www/a>!</p>
      +  <p>Please go to my <a href="https://web.mit.edu/<lockername>/www">www</a>!</p>
       
       </body>
       </html>
      @@ -279,7 +272,7 @@ Most AFS servers restart weekly at 6 AM on Sunday.
       

      It isn't Sunday and I can't get to my files

      -There may be a non-scheduled AFS outage. Check 3down, hopefully it will be back up soon :-(. You can check up on the AFS servers by running fs checkservers (or fs checks). If there is no reported outage and you can't access the AFS servers (but can access the rest of the net), contact OLC. +There may be a non-scheduled AFS outage. Check 3down, hopefully it will be back up soon :-(. You can check up on the AFS servers by running fs checkservers (or fs checks). If there is no reported outage and you can't access the AFS servers (but can access the rest of the net), contact OLC.

      Advanced Tasks

      Putting Software in a Locker

      @@ -326,7 +319,7 @@ While it is easily possible to make an AFS group for yourself, it is harder to g

      Find out technical information about my locker

      -

      Figure out the volume name of the locker. One way to do this is to run fs lq . in the directory and look in the left column. Once you have the volume name, run vos examine <volume name>. This will tell you information such as what server it is located on, its ID numbers, when it was last accessed, when it was last backed up, etc. For example: +

      Figure out the volume name of the locker. One way to do this is to run fs listquota . in the directory and look in the left column. Once you have the volume name, run vos examine <volume name>. This will tell you information such as what server it is located on, its ID numbers, when it was last accessed, when it was last backed up, etc. For example:

       $ vos examine user.sipbtest
       user.sipbtest                     537058147 RW      69785 K  On-line
      @@ -348,6 +341,6 @@ user.sipbtest                     537058147 RW      69785 K  On-line
       

      See Also

      -

      SIPB's older guide, Inessential AFS
      OpenAFS documentation at http://www.openafs.org/ +

      SIPB's older guide, Inessential AFS
      OpenAFS documentation at https://www.openafs.org/