
Diff for "MemberManual/GettingStarted"

Differences between revisions 1 and 2
Revision 1 as of 2007-10-25 00:04:29
Size: 1328
Editor: MichaelOlson
Comment: Copy initial contents here
Revision 2 as of 2007-10-25 03:35:12
Size: 3359
Editor: MichaelOlson
Comment: Document AFS and Kerberos
Deletions are marked like this. Additions are marked like this.
Line 7: Line 7:
 * How to indicate that you would like to join HCoop.
 * We use AFS.
   * It's a bit different than standard UNIX file permissions. Allows for granular control of access, and ability to access your files from any machine that has an AFS/Kerberos client.
== AFS: A distribued filesystem ==

HCoop now uses [http://www.openafs.org/ AFS], a distributed filesystem, to implement much of our infrastucture. Home directories and email are stored in AFS. AFS allows for granular control of access, and ability to access your files from any machine that has an AFS/Kerberos client.

Permission on AFS are a bit different than standard UNIX file permissions. Basically, the group of a file, and the standard read/write/execute permissions do not matter at all. In place of these, there is an access control list (called an ACL) for each directory, which is a listing of a role or person, and the permissions that they have. An AFS ACL uses seven types of permissions: '''r''' (read), '''l''' (lookup), '''i''' (insert), '''d''' (delete), '''w''' (write), '''k''' (lock), and '''a''' (administer). "Read" and "write" are the same as their UNIX equivalents, and "lookup" is similar to the "execute" permission in UNIX -- it permits the files contained in the directory to be accessed. For further information on AFS permissions, [http://www.openafs.org/pages/doc/UserGuide/auusg007.htm#HDRWQ46 the relevant section of the AFS User Guide] may be consulted.

When a new directory is created inside $HOME, its ACL defaults to allow listing by any authenticated party on HCoop. Individual files do not have ACLs; instead, files inherit the ACL of the directory they are in.

If you wish to view the ACLs on a specific directory, such as any you have just applied an ACL, use:

{{{fs listacl <DIRECTORY>}}}

Please continue on to the [:/AfsExamples:AFS examples] page for some annotated examples on how to set AFS permissions.

== Kerberos: An authentication mechanism ==

SSH access to our system, as well as authentication to most of our webservers, is managed by Kerberos. You get a token automatically whenever you log in. Tokens can expire in less than a day. If the token expires, you may renew it by running

{{{
kinit
}}}

and typing your password.

Kerberos and AFS work together. So if your token expires, so will your access to AFS. To get AFS access back after renewing your token with {{{kinit}}}, be sure to type

{{{
aklog
}}}

== Domtool: Our own tool for managing domain-specific DNS/email/web ==
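Review bot: the added heading `== AFS: A distribued filesystem ==` misspells "distributed", the paragraph beneath it misspells "infrastructure" as "infrastucture", and "Permission on AFS are" should read "Permissions on AFS are". The new `== Domtool: Our own tool for managing domain-specific DNS/email/web ==` heading is added with nothing under it, so the section renders empty; either add the DomTool description here or hold the heading back until it has content.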

This is the chapter of the MemberManual that describes things that new and current members must know about HCoop's setup. It is considered required reading before contacting HCoop administrators or filing support requests.


AFS: A distributed filesystem

HCoop now uses [http://www.openafs.org/ AFS], a distributed filesystem, to implement much of our infrastructure. Home directories and email are stored in AFS. AFS allows for granular control of access, and the ability to access your files from any machine that has an AFS/Kerberos client.

Permissions in AFS are a bit different from standard UNIX file permissions. Basically, the group of a file and the standard read/write/execute permission bits do not matter at all. In their place, each directory has an access control list (an ACL): a list of roles or people, and the permissions each of them has. An AFS ACL uses seven types of permissions: r (read), l (lookup), i (insert), d (delete), w (write), k (lock), and a (administer). "Read" and "write" are the same as their UNIX equivalents, and "lookup" is similar to the "execute" permission on a UNIX directory -- it permits the files contained in the directory to be accessed. For further information on AFS permissions, [http://www.openafs.org/pages/doc/UserGuide/auusg007.htm#HDRWQ46 the relevant section of the AFS User Guide] may be consulted.

When a new directory is created inside $HOME, its ACL defaults to allow listing by any authenticated party on HCoop. Individual files do not have ACLs; instead, files inherit the ACL of the directory they are in.

If you wish to view the ACL on a specific directory, such as one you have just applied an ACL to, use:

fs listacl <DIRECTORY>

Please continue on to the [:/AfsExamples:AFS examples] page for some annotated examples on how to set AFS permissions.
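Because every directory carries its own ACL and files inherit it, the practical check after setting permissions is to read the `fs listacl` output back and confirm that the two built-in groups which cover everyone (`system:anyuser`) and every authenticated user (`system:authuser`) hold nothing beyond lookup and read. The following POSIX shell audit is an added example, not part of the HCoop wiki or of OpenAFS: it parses `fs listacl` output from standard input and reports any Normal-rights entry that grants one of the write-class rights (i, d, w, k, a) to either group. The sample output, the directory name and the user names in it are constructed.

```shell
#!/bin/sh
# Constructed sample of `fs listacl` output (not captured from a real cell).
# The "Negative rights:" section is deliberately included so the parser has
# to stop auditing once it leaves the "Normal rights:" section.
SAMPLE_ACL='Access list for projects is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  system:authuser rlidw
  alice rlidwka
Negative rights:
  mallory rl'

# audit_acl: read `fs listacl` output on stdin and print every Normal-rights
# entry that gives system:anyuser or system:authuser any of i, d, w, k, a.
# Exit status is 1 when at least one such entry was found, 0 otherwise.
audit_acl() {
    awk '
        BEGIN { found = 0 }
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && NF == 2 {
            principal = $1; rights = $2
            if ((principal == "system:anyuser" || principal == "system:authuser") && rights ~ /[idwka]/) {
                printf "over-broad: %s has %s\n", principal, rights
                found = 1
            }
        }
        END { exit found }
    '
}

# Usage on a live system:  fs listacl "$HOME/projects" | audit_acl
# Here the constructed sample is fed in instead.
printf '%s\n' "$SAMPLE_ACL" | audit_acl || echo "ACL needs review"
```

The audit only looks at the Normal rights section; negative rights take precedence in AFS and never widen access, so a `system:anyuser` entry there is not a finding. Directories that are meant to be world-readable, such as a web root, are expected to show `system:anyuser rl`, which the audit accepts; anything granting write, delete, lock or administer to those groups is flagged for review.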

Kerberos: An authentication mechanism

SSH access to our system, as well as authentication to most of our webservers, is managed by Kerberos. You get a token automatically whenever you log in. Tokens can expire in less than a day. If the token expires, you may renew it by running

kinit

and typing your password.

Kerberos and AFS work together, so if your token expires, so does your access to AFS. To get AFS access back after renewing your token with kinit, be sure to type

aklog
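Since an expired token silently turns into permission errors in your home directory, it helps to check the token state before blaming an ACL. The shell functions below are an added example, not part of the HCoop wiki or of OpenAFS: `needs_afs_reauth` reads the output of the OpenAFS `tokens` command and succeeds only when no unexpired AFS token is held, and `refresh_afs_access` uses it to run `kinit` followed by `aklog` only when that is actually necessary. The three `tokens` transcripts are constructed, as are the AFS ID and cell name in them.

```shell
#!/bin/sh
# Constructed samples of `tokens` output (not captured from a real machine).
TOKENS_LIVE="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.cell [Expires Oct 25 10:04]
   --End of list--"

TOKENS_EXPIRED="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.cell [>> Expired <<]
   --End of list--"

TOKENS_NONE="Tokens held by the Cache Manager:

   --End of list--"

# needs_afs_reauth: read `tokens` output on stdin. Return 0 (true) when no
# live AFS token is present, i.e. when kinit followed by aklog is required;
# return 1 when a token with an "[Expires ...]" stamp is held.
needs_afs_reauth() {
    if grep -q 'tokens for afs@.*\[Expires' ; then
        return 1
    fi
    return 0
}

# refresh_afs_access: renew the Kerberos ticket and the AFS token only when
# needed. kinit prompts for the password, so this belongs in an interactive
# shell; it is defined here but not called at top level.
refresh_afs_access() {
    if tokens | needs_afs_reauth; then
        kinit && aklog
    fi
}

# Demonstration against the constructed samples.
for sample in "$TOKENS_LIVE" "$TOKENS_EXPIRED" "$TOKENS_NONE"; do
    if printf '%s\n' "$sample" | needs_afs_reauth; then
        echo "no live token: run kinit, then aklog"
    else
        echo "token is live"
    fi
done
```

Calling `refresh_afs_access` from a shell startup file or before a long-running job avoids the common failure where `kinit` is run but `aklog` is forgotten, leaving a fresh Kerberos ticket and still no AFS access.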

Domtool: Our own tool for managing domain-specific DNS/email/web

  • We use DomTool.
    • It is a fairly unique approach to sharing access to a machine. It facilitates DNS, email, and web serving, provided that you have a domain.
  • Reporting problems.
    • Report issues with Bugzilla.
    • Request domains with the portal.
  • Logging in.
    • Explain that normal ssh will work fine.
    • Explain that access to files can expire, and how to renew access with kinit and aklog. Explain "ticket".
    • How to install AFS/Kerberos clients on your home computer, for easier access. How to make tickets last longer. How to make tickets automatically renew.
  • Security goals.
    • Control public access to your files. Your publicly readable files are accessible outside HCoop via AFS (maybe ... need to look into more)
    • Mention denyhosts.

MemberManual/GettingStarted (last edited 2013-01-13 17:55:10 by ClintonEbadi)