OpenAFS
File and Directory Permissions
User home directories are stored in the OpenAFS distributed filesystem. OpenAFS access control lists (ACLs) are applied at the directory level, not at the file level. This is an important concept to understand.
A new directory inherits its parent directory's ACL.
Use the fs suite of commands to manage directory ACLs.
- Run fs help for a listing of subcommands.
List a directory ACL
- Run fs listacl directoryname or fs la directoryname
    prompt> fs listacl directoryname
    Access list for directoryname is
    Normal rights:
      system:anyuser rl
      yourusername rlidwka

There are two entries in this example ACL: one for system:anyuser, which we will come to in a minute, and one for the user yourusername. The second half of each entry lists the rights granted.
| Letter | Right | Meaning |
|---|---|---|
| r | READ | read any file in the directory |
| l | LOOKUP | allows 'ls' command |
| i | INSERT | add new files and subdirectories to the directory |
| d | DELETE | remove files and subdirectories from the directory |
| w | WRITE | modify the contents of files in the directory |
| k | LOCK | run programs that need to 'flock' files in the directory |
| a | ADMINISTRATE | may change the ACL for the directory |
Changing a directory ACL
- Run fs setacl directoryname or fs sa directoryname
    prompt> fs setacl directoryname myfriend write
    prompt> fs listacl directoryname
    Access list for directoryname is
    Normal rights:
      system:anyuser rl
      myfriend rlidwk
      yourusername rlidwka

'write' is shorthand for 'rlidwk'
'read' is shorthand for 'rl'
OpenAFS groups
A directory ACL entry can also be a user group. A group entry will show the owner of the group followed by a colon and the name of the group.
There are three global ACL groups:
- system:anyuser
  - global user group
  - anyone on any OpenAFS/AFS client in the world
- system:authuser
  - users with valid token to the local cell
- system:administrators
  - OpenAFS equivalent to the UNIX root account
Use the pts suite of commands to create, list and manage groups.
- Run pts help for a list of subcommands
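The following is an added example, not part of the original page: a shell function that reads fs listacl output and reports directories whose ACL gives system:anyuser more than lookup, or gives system:authuser any right to change contents or the ACL. The reporting thresholds, the /afs/example.org paths and the sample output are assumptions constructed for this example.

```shell
#!/bin/sh
# Policy below is an assumption of this example, not a site rule:
#   system:anyuser  with r, i, d, w, k or a -> reported (anything beyond lookup)
#   system:authuser with i, d, w or a       -> reported (can change contents or ACL)

# Reads `fs listacl` output on stdin; prints "directory<TAB>group<TAB>rights".
flag_world_acls() {
    awk '
        /^Access list for / {
            dir = $0
            sub(/^Access list for /, "", dir)   # keep the path, even with spaces
            sub(/ is$/, "", dir)
            section = ""
            next
        }
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }   # denials never widen access
        section == "normal" && NF == 2 {
            if ($1 == "system:anyuser" && $2 ~ /[ridwka]/)
                print dir "\t" $1 "\t" $2
            else if ($1 == "system:authuser" && $2 ~ /[idwa]/)
                print dir "\t" $1 "\t" $2
        }
    '
}

# Constructed sample: output as printed when fs listacl is given three directories.
sample_listacl() {
    cat <<'EOF'
Access list for /afs/example.org/user/yourusername is
Normal rights:
  system:anyuser rl
  yourusername rlidwka

Access list for /afs/example.org/user/yourusername/private is
Normal rights:
  system:anyuser l
  yourusername rlidwka

Access list for /afs/example.org/user/yourusername/dropbox is
Normal rights:
  system:authuser li
  myfriend rlidwk
  yourusername rlidwka
Negative rights:
  system:anyuser rl
EOF
}

# On an AFS client: find "$HOME" -type d -exec fs listacl {} + | flag_world_acls
sample_listacl | flag_world_acls
```

Because a new directory inherits its parent's ACL, one finding near the top of a tree usually repeats in every directory created beneath it afterwards.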
OpenAFS Quotas
There are disk quotas associated with OpenAFS volumes.
To check a directory's quota
- Run fs listquota directoryname or fs lq directoryname
    prompt> fs listquota ~yourusername
    Volume Name        Quota  Used  % Used  Partition
    user.yourusername  50000  1452      2%        86%

In this example, the quota on your home directory volume is set to 50000 Kbytes (~50 MB). Only 1452 Kbytes, or 2% of the 50 MB, have been used. The disk partition on which your volume (and lots of other volumes) resides is 86% full. If you go over your quota, or if the partition on which your volume resides fills up, you will be unable to store files in your volume.
More information on OpenAFS
You can learn more on the OpenAFS web site.