Shared folders
Latest revision as of 13:28, 16 September 2024
If you work in a group or team, it is sometimes useful to work within a shared space. Users can thus share inputs to their models and make their outputs also easily available to each other. This article explains how to do so within the Lustre file system and home or archive folder (NFS).
There are two main methods available to you: Access Control List (ACL) access, which you can administer yourself, and group access, either with AD rights or within Anunna, both of which are centrally administered.
Below we will split out the options for each method.
You may create a folder that can be accessed by yourself and someone else in the following manner:
cd /lustre/shared
mkdir shared_folder
chmod 700 shared_folder
setfacl -R -m u:my_id:rwx shared_folder
setfacl -R -d -m u:my_id:rwx shared_folder
Then, for each person who you want to have access to this:
setfacl -R -m u:my_friend:rwx shared_folder
setfacl -R -d -m u:my_friend:rwx shared_folder
Adding users later can be done using the same method, but it might be hard. You may have trouble updating ACLs on files that aren't yours, and you cannot change ownership of files to yourself. Each user with files in the folder will need to update their ACLs appropriately themselves, or you can contact your sysadmins to assist.
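An added example (not part of the original page) for the "adding users later" case: it reads `getfacl` output for directories and reports every named user who has an access entry but no matching default entry, meaning the second `setfacl -d` command was skipped and new files will not inherit their access. The function names and the sample output (including `late_user`) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.

# Constructed getfacl output for one directory: late_user was added with
# "setfacl -m" only, without the matching "setfacl -d -m".
sample_getfacl() {
    cat <<'EOF'
# file: shared_folder
# owner: my_id
# group: users
user::rwx
user:my_id:rwx
user:my_friend:rwx
user:late_user:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:my_id:rwx
default:user:my_friend:rwx
default:group::---
default:mask::rwx
default:other::---
EOF
}

# Read getfacl output (directories only) on stdin and print "dir: user" for
# each named user that has an access entry but no default entry.
acl_missing_default() {
    awk -F: '
        function flush(   u) {
            for (u in access) if (!(u in dflt)) print file ": " u
            split("", access); split("", dflt)   # portable way to clear arrays
        }
        /^# file: /            { flush(); file = substr($0, 9); next }
        /^user:[^:]+:/         { access[$2] = 1 }   # named user, access ACL
        /^default:user:[^:]+:/ { dflt[$3] = 1 }     # named user, default ACL
        END                    { flush() }
    '
}

# Usage on a real tree (directories only, since files carry no default ACL):
#   find shared_folder -type d -exec getfacl {} + | acl_missing_default
```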
If you want to share, for example, your home folder with another user, follow these steps:
Set access rights on folder
If you want to allow somebody (as identified by their user id) full read access to your home folder, for example, run this:
setfacl --recursive --modify u:haars001:r-x $HOME
Users access the Anunna cluster with their WUR-wide (Active Directory) or Anunna-only account. This means that all the membership information of the AD is also available on Anunna. To check which groups your user is a member of, use the following command:
groups <username>
This can result in a rather long list, reflecting permissions in the system. Within these groups you must then identify the one that most closely matches the team or group with which you wish to collaborate.
For instance, if I wish to work together with colleagues at ISRIC, I can search my groups for an appropriate match:
groups duque004 | grep isric
In my case the group des-isric-users looked appropriate. The next step is to confirm that the other users in my team are also members of the group.
If a group isn't available (cooperation with people outside WUR), please ask the administrators for help; they can then set up a group for you.
The Lustre file system is accessible in the /lustre folder and then divided into the /backup and /nobackup sections (corresponding to the different usage plans). Inside each of these folders there is a sub-folder named SHARED in which users are to create their own assets.
You start by creating a folder in this space; it is probably better if it matches the name of your group or team, e.g.:
mkdir /lustre/nobackup/SHARED/myTeamWorkspace
Or alternatively:
cd /lustre/nobackup/SHARED
mkdir myTeamWorkspace
Setting permissions
Three basic steps are involved in setting permissions correctly:
1. Pass the group ownership of the folder to the team. In the example below it is applied recursively to all sub-folders and files that may exist:
chgrp -R my-team-group myTeamWorkspace
2. Concede read/write permissions to the group. This allows other members of the group to read and write in the shared folder. If you wish other team members to only read from the folder then remove the w character from the +rw bit:
chmod -R g+rw myTeamWorkspace
3. Set default ownership within the group. This guarantees that any new files or folders created within the shared folder are owned by default by your team group:
chmod -R g+s myTeamWorkspace
If the contents of the shared folder are sensitive or private and should be accessed only by your team, you can block access from any other users with the following command:
chmod -R o-rw myTeamWorkspace
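An added example (not part of the original page) that checks the result of the steps above: `audit_shared` lists entries where the commands did not have the intended effect, and `harden_shared` is a stricter variant that uses `g+rwX`, `o-rwx` and setgid on directories only. Both function names are made up for this example; the path and group in the usage comment are the page's placeholders.

```shell
#!/bin/sh
# Added example, not from the original page.

# audit_shared DIR GROUP: print one "finding path" line per problem.
# No output means the tree matches what the steps are meant to achieve.
audit_shared() {
    dir=$1 grp=$2
    # Entries still owned by another group (chgrp skipped or failed).
    find "$dir" ! -group "$grp" | sed 's|^|wrong-group |'
    # Directories without setgid: new files get the creator's primary group.
    find "$dir" -type d ! -perm -2000 | sed 's|^|dir-no-setgid |'
    # Directories without group execute: team members cannot enter them.
    find "$dir" -type d ! -perm -0010 | sed 's|^|dir-no-group-x |'
    # Regular files carrying setgid, a side effect of "chmod -R g+s".
    find "$dir" -type f -perm -2000 | sed 's|^|file-setgid |'
    # Any bit left for "other"; note that "o-rw" does not remove execute.
    find "$dir" ! -type l \( -perm -0001 -o -perm -0002 -o -perm -0004 \) |
        sed 's|^|other-access |'
}

# harden_shared DIR GROUP: stricter variant of the page's four commands.
harden_shared() {
    dir=$1 grp=$2
    chgrp -R "$grp" "$dir"
    # X adds execute only to directories and to already-executable files.
    chmod -R g+rwX,o-rwx "$dir"
    # setgid belongs on directories only; clear it on regular files.
    find "$dir" -type d -exec chmod g+s {} +
    find "$dir" -type f -exec chmod g-s {} +
}

# Usage with the page's placeholder names:
#   audit_shared /lustre/nobackup/SHARED/myTeamWorkspace my-team-group
```

A folder created under a restrictive umask such as 077 is the case where the audit matters most: `g+rw` alone leaves its directories without group execute, so team members can list but not enter them.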
Further reading
An Introduction to Linux Permissions