AFS rights management with a terminal
AFS directories can be configured for shared use by multiple users. tubIT allows all users to access their data in a secured way. For this purpose we host an SSH server which grants access to the AFS homes.
This includes access to all areas for which you have rights. You will need an SSH client for this service. UNIX/Linux systems have an SSH client by default. For Windows systems PuTTY is recommended.
Address: sshgate.tu-berlin.de
Authentication: Kerberos ticket, username and password
General Notes
Groups are structured like this: <group owner>:<group name>
Groups created by tubIT are always structured: units:<area name>
The group with the owner units shows the responsible person for an AFS area. This group cannot be edited.
The groups system:backup and system:administrators also belong to tubIT and cannot be edited.
In order to grant coworkers access to subfolders with the corresponding rights, it is necessary to create new groups with these rights. The person creating a group automatically becomes the owner of that group. The owner is identified by their tubIT user name.
If you create subfolders, the rights will be inherited from the parent folder.
Commands
The following commands will help you administer the rights:
Create a group: pts creategroup <tubIT name owner>:<group name>
Add a user to a group: pts adduser <tubIT name user> <tubIT name owner>:<group name>
Show group members: pts membership <tubIT name owner>:<group name>
Remove group member: pts removeuser <tubIT name user> <tubIT name owner>:<group name>
Show rights for a certain folder: fs listacl -path <folder path>
Show rights of current folder: fs listacl
Set rights for a group for a folder including subfolders: find <folder with subfolders> -type d -exec fs sa "{}" -acl <tubIT name owner>:<group name> <rights> \;
Remove rights from a group for a folder including subfolders: find <folder with subfolders> -type d -exec fs sa "{}" -acl <tubIT name owner>:<group name> none \;
Set rights for current folder: fs setacl -dir . -acl <tubIT name owner>:<group name> <rights>
Remove rights for current folder: fs setacl -dir . -acl <tubIT name owner>:<group name> none
Set rights for a certain folder: fs setacl -dir <folder path> -acl <tubIT name owner>:<group name> <rights>
Remove rights for a certain folder: fs setacl -dir <folder path> -acl <tubIT name owner>:<group name> none
These commands can only be executed by users who hold the administrator right (a). If a group has the administrator right, all members of that group are entitled to run the commands. Group commands can always be run by the group owner.
Rights:
- r = read
- l = list folder contents
- i = insert
- d = delete
- w = write
- k = lock file
- a = administration
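Because every member of a group that holds the a right can change a folder's ACL, it is worth checking who holds it. The following is an added example, not part of the original tubIT page: it filters fs listacl output for entries with the a right and skips the tubIT-managed groups named above. The function names acl_admins and sample_acl are hypothetical, the sample ACL is constructed, and the "Normal rights:" / "Negative rights:" layout of the output is assumed to be the usual OpenAFS one.

```shell
#!/bin/sh
# Added example: report who holds the administration right (a) on a folder.

# Reads "fs listacl" output on stdin and prints one principal per line.
# Only the "Normal rights:" section counts; entries under "Negative rights:"
# take rights away, so they are ignored here.
acl_admins() {
    awk '
        /^Access list for/  { normal = 0; next }
        /^Normal rights:/   { normal = 1; next }
        /^Negative rights:/ { normal = 0; next }
        normal && NF == 2 && $2 ~ /a/ {
            # Skip the tubIT-managed groups, which cannot be edited anyway.
            if ($1 ~ /^units:/) next
            if ($1 == "system:administrators" || $1 == "system:backup") next
            print $1
        }
    '
}

# Constructed sample output (not captured from a real AFS cell).
sample_acl() {
    cat <<'EOF'
Access list for /afs/example/project is
Normal rights:
  units:project rlidwka
  system:administrators rlidwka
  alice:writers rlidwk
  bob:leads rlidwka
  carol rla
Negative rights:
  dave rlidwka
EOF
}

# With a folder path as argument, check that folder; otherwise run the sample.
if [ $# -gt 0 ]; then
    fs listacl -path "$1" | acl_admins
else
    sample_acl | acl_admins      # prints bob:leads and carol
fi
```

For each group reported, pts membership <tubIT name owner>:<group name> shows which users that covers.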