= The Basics =
== The Layout of a Typical MIT Locker ==
-Every Athena user has a locker (their home directory) which mounts at {{{/mit/<username>}}} From a technical standpoint, its stored in the volume {{{user.<username>}}} which is located at {{{/afs/athena.mit.edu/user/<first letter>/<second letter>/<user name>}}} For example, the user {{{sipbtest}}} has a home directory that mounts at {{{/mit/sipbtest}}, is volume {{{user.sipbtest}}, and is accessible at {{{/afs/user/s/i/sipbtest}}}. Projects, Dorms, Classes, etc. are all mounted at {{{/mit/<lockername>}}} and stored at various places in AFS
+Every Athena user has a locker (their home directory) which mounts at {{{/mit/<username>}}} From a technical standpoint, its stored in the volume {{{user.<username>}}} which is located at {{{/afs/athena.mit.edu/user/<first letter>/<second letter>/<user name>}}} For example, the user {{{sipbtest}}} has a home directory that mounts at {{{/mit/sipbtest}}}, is volume {{{user.sipbtest}}}, and is accessible at {{{/afs/user/s/i/sipbtest}}}. Projects, Dorms, Classes, etc. are all mounted at {{{/mit/<lockername>}}} and stored at various places in AFS
Within this folder there are 4 special subdirectories you want to care about
user rlidwka
}}}
-This is a list of users or [#MakinganAFSGroup AFS groups] and their permissions in this directory (and subdirectories that don't have their own ACL modifications). In AFS there are seven permissions as follows
+This is a list of users or [#CreatinganAFSGroup AFS groups] and their permissions in this directory (and subdirectories that don't have their own ACL modifications). In AFS there are seven permissions as follows
||'''r'''|| read || user or members of group can read files in the directory (i.e. see the contents of files) ||
||'''l'''|| list || user or members of group can list files in the directory (i.e. see the names of files) ||
{{{<permissions>}}}::
can be a string of the above letters (in any order) or any of the words `read`, `write`, `all` and `none` which are equivalent to `rl`, `rlidwk`, `rlidwka` and the empty string, respectively
+For example, if `user` wants his friends `sipbtest` and `jarandom` to be able to read and write files and anyone to be able to read files in his `awesome_project` directory, he might have a session that looks like this
+
+{{{
+user@host:~$ cd awesome_project/
+user@host:~/awesome_project$ fs sa . system:anyuser read
+user@host:~/awesome_project$ fs sa . jarandom write
+user@host:~/awesome_project$ fs sa . sipbtest write
+user@host:~/awesome_project$ fs la
+Access list for . is
+Normal rights:
+ system:expunge ld
+ system:anyuser rl
+ sipbtest rlidwk
+ jarandom rlidwk
+ user rlidwka
+user@host:~/awesome_project$
+}}}
+
+== Creating an AFS Group ==
+The "normal" way to make an AFS group would be with a command similar to {{{pts creategroup <your user name>:<group name>}}} and then add people with {{{pts adduser <user> <full group name>}}}(e.g. If Donald Guy wanted to created a group for people to edit his www directory (including `sipbtest` and `jflorey`, he might use the following chain of commands {{{pts creategroup fawkes:www ; pts adduser sipbtest fawkes:www; pts adduser jflorey fawkes:www; fs sa ~/www fawkes:www write}}}
+
+This method will work, but at MIT, it is much more common to use moira lists as a group. To create a new list, use the web interface at https://wserv.mit.edu:444/fcgi-bin/lc? to create a moira list, NOT A MAILMAN LIST and be sure to check the box for "Should this list be an AFS Group?" (to make an already existing moira list into an AFS group simply {{{blanche -G <list>}}}). After the servers update (which may take anywhere between 1 second and 10 minutes depending on the number of similar requests), the AFS group system:<list name> will exist in the athena.mit.edu cell.
+
+This is useful because one often wants the same certain people who can operate on files in a folder to be a mailing list. Thus, for example, it is possible to send mail to gnu@mit.edu and use system:gnu as an AFS group on ACLs. (it is also possible to make moira lists that are AFS groups, but not mailing lists).
+
+== Controlling Access from the Web ==
+
+If you make a directory listable and readable by system:anyuser then it can be viewed by any user on the web via the urls mentioned [#FromtheWeb above]
+
+Unfortunately, just because you add specific users to an AFS ACL does not mean they can see the folder when the access from the web. IS&T, however, does provide a solution to this. First, make sure that the wanted directory is not readable by system:anyuser. Next {{{fs sa <dir> system:htaccess.mit read }}}. Then create a file named `.htaccess.mit` in that directory. In that file you can do three things,
+
+ * You can require that the user have valid certificates:
+ {{{
+ <limit GET>
+ require valid-user
+ </limit>
+ }}}
+
+ * You can require the reader be (a) specific user(s), for example:
+ {{{
+ <limit GET>
+ require user fawkes jflorey siptest jarandom
+ </limit>
+ }}}
+ * You can require that the reader be a member of one of certain moira groups (notice these are '''moira''' groups, there is no "system:". For example:
+ {{{
+ <limit GET>
+ require group sipb-staff sipb-prospectives
+ </limit>
+ }}}
+
= Troubleshooting =
=== I'm trying to access my files, {{{fs la}}} says I should have permissions here, but it still says {{{: Permission denied}}} ===
-There are two likely possibilities. First, its likely that your tokens may have expired. To get new tokens, make sure you have valid kerberos tickets and then run {{{aklog}}}. Another possibility is that you have tokens but not for the correct cell. {{{tokens}}} will tell you what tokens you already have. In all likelihood, if you are reading this, you want {{{aklog athena sipb}}}
+There are two likely possibilities. First, its likely that your tokens may have expired. To get new tokens, make sure you have valid kerberos tickets and then run {{{aklog}}}. Another possibility is that you have tokens but not for the correct cell. {{{tokens}}} will tell you what tokens you already have. In all likelihood, if you are reading this, you probably want {{{aklog athena sipb}}}
= Advanced Tasks =
sipb-www / wiki.git / commitdiff
