AFS: A distributed filesystem

HCoop now uses AFS, a distributed filesystem, to implement much of our infrastructure. Home directories and email are stored in AFS. AFS allows for fine-grained access control and the ability to access your files from any machine that has an AFS/Kerberos client (including your local workstation, thus avoiding the need for SSH-ing in). That said, chmod and chgrp are not used at all. Read more to learn what this means.

Permissions in AFS are a bit different from standard UNIX file permissions. Basically, the group of a file and the standard read/write/execute permissions do not matter at all. In place of these, each directory has an access control list (called an ACL), which lists roles or people together with the permissions each one has. An AFS ACL uses seven types of permissions: r (read), l (lookup), i (insert), d (delete), w (write), k (lock), and a (administer). "Read" and "write" are the same as their UNIX equivalents, and "lookup" is similar to the "execute" permission in UNIX -- it permits the files contained in the directory to be accessed. If you want to learn more about AFS permissions, see the relevant section of the AFS User Guide.

When a new directory is created inside $HOME, it receives a clone of the ACL for its parent directory. Every member's home directory starts life initialized with an ACL that allows listing by any authenticated party on HCoop, without granting any other permissions. However, you can change the ACL for your home directory or any of its subdirectories. Just remember that, if you don't take special actions to the contrary, every subdirectory of your home directory will be listable by anyone, and no file will be readable by anyone but you and the HCoop admins.

Individual files do not have ACLs; instead, files inherit the ACLs of the directories they are in. This is worth repeating: despite what you may be used to in UNIX, it's impossible to set per-file permissions in AFS. Instead, set permissions on the directories where files are found. This may require thinking about rearranging your directory structure.

If you wish to view the ACL of a specific directory, use:

fs listacl <DIRECTORY>
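
Because subdirectories clone their parent's ACL, a broad grant made once can spread through a tree unnoticed. The following added example (not HCoop's own tooling) parses `fs listacl` output and flags directories where the standard AFS groups system:anyuser or system:authuser hold more than lookup, which is the default described above. The sample output, cell name, paths and user names are constructed; the function names are hypothetical.

```python
import re

# Constructed `fs listacl` output; the cell, paths and user names are made up.
SAMPLE = """\
Access list for /afs/example.org/user/alice is
Normal rights:
  system:administrators rlidwka
  system:authuser l
  alice rlidwka
Access list for /afs/example.org/user/alice/drafts is
Normal rights:
  system:authuser rl
  alice rlidwka
Negative rights:
  bob rl
Access list for /afs/example.org/user/alice/public is
Normal rights:
  system:anyuser rlidwk
  alice rlidwka
"""

HEADER = re.compile(r"^Access list for (.+) is$")
SECTIONS = {"Normal rights:": "normal", "Negative rights:": "negative"}
# Standard AFS groups: every client, and every authenticated user of the cell.
BROAD = {"system:anyuser", "system:authuser"}

def parse_listacl(text):
    """Return {directory: {"normal": {principal: rights}, "negative": {...}}}."""
    acls, current, section = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(1), {"normal": {}, "negative": {}})
            section = None
        elif line in SECTIONS:
            section = SECTIONS[line]
        elif line and current is not None and section:
            principal, rights = line.split()
            current[section][principal] = set(rights)
    return acls

def audit(acls, allowed=frozenset("l")):
    """Flag broad groups whose rights, minus their own negative entry, exceed `allowed`."""
    findings = []
    for path, acl in acls.items():
        for principal, rights in acl["normal"].items():
            extra = rights - acl["negative"].get(principal, set()) - allowed
            if principal in BROAD and extra:
                findings.append((path, principal, "".join(sorted(extra, key="rlidwka".find))))
    return findings
```

To run it against real directories, feed the text printed by `fs listacl` for those directories to `parse_listacl` in place of `SAMPLE`.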

Please continue on to the AFS examples page for some annotated examples on how to set AFS permissions.