welcome: please sign in

Diff for "MemberManual/GettingStarted/AfsExamples"

Differences between revisions 5 and 17 (spanning 12 versions)
Revision 5 as of 2007-11-12 01:17:37
Size: 1737
Comment: make a note about fsr
Revision 17 as of 2008-07-07 04:27:51
Size: 3030
Editor: localhost
Comment: converted to 1.6 markup
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
Line 5: Line 4:
[[TableOfContents]] <<TableOfContents>>
Line 7: Line 6:
== Making a directory private == = Introduction =
In these examples, '''<USERNAME>''' is your HCoop username.
Line 9: Line 9:
= Making a directory private =
Line 15: Line 16:
And then use ~/private/ for your personal data store.
Line 16: Line 18:
Note that the {{{-clear}}} option causes any previously set ACLs to be removed. The {{{<USERNAME> all}}} part sets full access to the directory's contents to the specified user. Therefore, if you have a directory in your home directory that you wish to make only accessible to you (such as {{{~/.ssh}}} or {{{~/documents}}}), use: Note that the {{{-clear}}} option causes any previously set ACLs to be removed. The '''<USERNAME> all''' part sets full access to the directory's contents to the specified user. Therefore, if you have a directory (indicated by '''<DIRECTORY>''') in your home directory that you wish to make only accessible to you (such as {{{~/.ssh}}} or {{{~/documents}}}), use:
Line 18: Line 20:
{{{fs setacl -clear ~/<DIRECTORY> <USERNAME> all}}}. {{{
fs setacl -clear ~/<DIRECTORY> <USERNAME> all
}}}
You may also recursively set ACLs throughout a tree by using '''fsr'''. It takes the same commands as '''fs'''.
Line 20: Line 25:
There is also a way to recursively set ACLs throughout a tree by using `fsr`. It takes the same commands as `fs`.

== Serving a website with added privacy ==

If you use domtool to set up your domain, there is a way to allow {{{system:anyuser}}} only to list the contents of public_html without breaking your website(s). By default ACLs '''R''' and '''L''' are given. Change that in this way:
= Serving a website with added privacy =
If you use domtool to set up your domain, there is a way to allow {{{system:anyuser}}} only to list the contents of public_html without breaking your website(s). By default ACLs '''R''' and '''L''' are given. Change that in this way:
Line 29: Line 31:

Now, add all permissions for the ''USER.daemon'' principle:
Now, add all permissions for the ''USERNAME.daemon'' principal:
Line 35: Line 36:
Be aware that this only works if you use your own domain -- if you use {{{http://hcoop.net/~USERNAME}}}/ to serve your files, then you '''must''' be sure that {{{system:anyuser}}} can read {{{~/public_html}}} and its subdirectories (have permission "rl" and not just "l").
Line 36: Line 38:
Be aware that this only works if you use your own domain -- if you use {{{http://deleuze.hcoop.net/~USERNAME}}} to serve your files, then you '''must''' be sure that {{{system:anyuser}}} can read {{{~/public_html}}} and its subdirectories. = Setting the rights permissions on your ~/.domtool directory =
First, check to see what the permissions are like on the {{{~/.domtool}}} directory:
Line 38: Line 41:
== Setting the rights permissions on your ~/.domtool directory == {{{
fs listacl ~/.domtool
}}}
If you see the line '''system:anyuser rl''', then you are good to go, because any user can read your DomTool settings.

Otherwise, if you see the line '''domtool rl''', then you are also OK. If you don't see these ACL lines, then you will want to run the following command to give the Domtool user read permissions on your {{{~/.domtool}}} directory.
Line 42: Line 50:
fs setacl ~/.domtool domtool.deleuze read
Line 44: Line 51:
= Checking to see whether your tokens have expired =
If you are encountering weird problems, then it is possible that your Kerberos tokens have expired. One simple way of checking this is to run:

{{{
aklog
}}}
If it returns without displaying any messages to the screen, you still have valid tokens. If it displays an error, when you will need to authenticate to both Kerberos and AFS again by doing:

{{{
kinit
aklog
}}}

= Recursive Assignment =

The `fs` command doesn't support recursive assignment. Instead, use `fsr` for that effect. For instance, `fsr sa DIR user all` grants all rights to `user` in every subdirectory (at any depth) of `DIR`.

This page contains some examples on how to solve common problems with AFS.

Introduction

In these examples, <USERNAME> is your HCoop username.

Making a directory private

If you wish to make a directory within your $HOME completely private so that only you can list, read, and write, do this:

mkdir ~/private
fs setacl -clear ~/private <USERNAME> all

And then use ~/private/ for your personal data store.

Note that the -clear option causes any previously set ACLs to be removed. The <USERNAME> all part sets full access to the directory's contents to the specified user. Therefore, if you have a directory (indicated by <DIRECTORY>) in your home directory that you wish to make only accessible to you (such as ~/.ssh or ~/documents), use:

fs setacl -clear ~/<DIRECTORY> <USERNAME> all

You may also recursively set ACLs throughout a tree by using fsr. It takes the same commands as fs.

Serving a website with added privacy

If you use domtool to set up your domain, there is a way to allow system:anyuser only to list the contents of public_html without breaking your website(s). By default ACLs R and L are given. Change that in this way:

fs setacl ~/public_html system:anyuser l

Now, add all permissions for the USERNAME.daemon principal:

fs setacl ~/public_html <USERNAME>.daemon all

Be aware that this only works if you use your own domain -- if you use http://hcoop.net/~USERNAME/ to serve your files, then you must be sure that system:anyuser can read ~/public_html and its subdirectories (have permission "rl" and not just "l").

Setting the rights permissions on your ~/.domtool directory

First, check to see what the permissions are like on the ~/.domtool directory:

fs listacl ~/.domtool

If you see the line system:anyuser rl, then you are good to go, because any user can read your DomTool settings.

Otherwise, if you see the line domtool rl, then you are also OK. If you don't see these ACL lines, then you will want to run the following command to give the Domtool user read permissions on your ~/.domtool directory.

fs setacl ~/.domtool domtool read

Checking to see whether your tokens have expired

If you are encountering weird problems, then it is possible that your Kerberos tokens have expired. One simple way of checking this is to run:

aklog

If it returns without displaying any messages to the screen, you still have valid tokens. If it displays an error, when you will need to authenticate to both Kerberos and AFS again by doing:

kinit
aklog

Recursive Assignment

The fs command doesn't support recursive assignment. Instead, use fsr for that effect. For instance, fsr sa DIR user all grants all rights to user in every subdirectory (at any depth) of DIR.

MemberManual/GettingStarted/AfsExamples (last edited 2013-01-13 17:56:00 by ClintonEbadi)