[daip] Re: aipsuser group (fwd)
Eric Greisen
egreisen at cv3.cv.nrao.edu
Mon Nov 25 17:24:05 EST 2002
>
> Now that's an interesting question.
>
> Because we are installing AIPS in AFS rather than a traditional UNIX
> filesystem, UNIX groups will *not* be relevant for access control.
> Instead, we should grant write access to the required directories
> through directory ACLs. We can do this after the fact, as long as
> we know which directories are involved. Indeed we'll create a
> group for this purpose, but it will be an AFS group, not a UNIX one.
>
> Another issue is that I normally create multiple replicas of the AFS
> volumes that contain software packages. This is both for performance and
> for robustness against server failures. Whenever this is done, the
> replicas most users will be working from are read-only. If we must
> grant write access to some directories, we'll have to create separate,
> non-replicated AFS volumes for them.
>
> In any case, if we need to grant write access to only some files in a
> directory, we'll have to replace them with symlinks to a separate,
> writeable directory; this is because AFS access controls only work at
> the directory level. We could make these symlinks point into an NFS
> directory instead, in which case traditional UNIX filesystem semantics
> apply (sort of; NFS isn't without its quirks).
>
> Could you please find out:
> (1) which system files need to be writeable (and if possible why);
The area called $DA00 on each machine needs to be writable by
the users. We put these directories as link files - say for my
machine primate - as
$AIPS_ROOT/DA00/PRIMATE/
which is actually a link to a real file directory mounted on primate
called, e.g. /home/primate/AIPS/PRIMATE/ containing the files used by
the aips user.
The aips user data areas of course must be completely writable
by the individual users. I cannot think of a need to write other
areas and we block that here with no difficulty.
Note that aips ZDAOPN.C which does all disk file opens attempts
a RW open and if that fails for access reasons then does a R only
open. If the file is then written, it will fail. This will then show
what is written.
The general areas called $FITS and $RUNFIL and $OFMFIL are empty when
aips is shipped and users should have write access to their copies of
those so they may read/write files there is they so choose (that is
optional).
> (2) whether any of the AIPS scripts assume UNIX filesystem semantics
> and explicitly check file GIDs in ways that AFS would break.
The install.pl does check and chmod file privileges. After that
I do not know of any - perhaps the MNJ (code in $UPDUNIX).
Eric Greisen
> I'm copying this note to Lorant Sjouwerman (hoping he reads his
> mailbox here @astro.su.se; I don't have his other address). Maybe
> he can shed some light on this issue.
>
> As a matter of policy, I don't want users to be able to interfere
> with other users' work. Collaborate, yes; but denial-of-service
> vulnerabilities must be plugged. If we can achieve that goal, then we
> might as well grant write privilege to all our users: it will
> simplify administration. So just use group astro for now.
>
> Sergio
>
>
>
More information about the Daip
mailing list