Indiana University
University Information Technology Services

At IU, how do I share my MDSS data with other users?

In the Massive Data Storage Service (MDSS) at Indiana University, you can share data with other MDSS users by setting permissions in the Access Control Lists (ACLs) stored with directories and files. The ACL specifies the users and groups with access to the directory and their usage rights.

Permissions for files

MDSS provides the following set of permissions for files:

  • read (r)
  • write (w)
  • execute (x)
  • control (c)

The read and write permissions allow users to view and modify the file, respectively. The control permission allows users to modify the permissions (ACL) for the file. The execute permission is informational; programs cannot be executed within MDSS. However, this permission is passed on to the Samba and HPSSFS interfaces, so it can be interpreted as allowing the file to be executed in some circumstances. The owner of a file is always granted control permission.

Permissions for directories

MDSS provides the following set of permissions for directories:

  • read (r)
  • write (w)
  • search (x)
  • insert (i)
  • delete (d)
  • control (c)

The search and read permissions allow users to enter and view the contents of a directory, respectively. The write permission allows users to change filenames within the directory. The insert and delete permissions allow users to add and remove files within the directory. The control permission allows users to manage the permissions (ACL) for the directory. The owner of a directory will always be granted control permission.

Directories also have default ACLs, which are applied to new files and directories as they are created within that directory. A change to these defaults will not be applied to existing files or directories. The default permissions do not affect the permissions of the directory itself.

The directory's initial object default applies to new files created in that directory. The initial container default applies to new subdirectories created in that directory. Both defaults are inherited as defaults for new subdirectories created in that directory.

How ACLs work

An ACL consists of a list of permissions granted to various users and groups. In addition, a file or directory has an owner and group associated with it. This owner and group are assigned upon creation, or using the chown and chgrp commands within HSI, FTP, and SFTP.

The permissions granted to a particular user are applied as follows (the first applicable rule is followed):

  1. The owner gets the permissions defined for the owner.

  2. If a user is explicitly mentioned in an ACL entry, that entry applies.

  3. If a user is a member of the owning group or a group explicitly mentioned in an ACL entry, the combination (union) of all permissions granted to all groups to which the user belongs is applied.

  4. Otherwise, the "other" permissions are applied.

Using ACLs on the MDSS

Note: You can share your MDSS data only with other MDSS users. While the underlying system can grant "any_other" and "foreign" permissions, these do not have any special meaning within MDSS. In particular, "any_other" means the same thing as "other".

You can edit ACLs using the MDSSWeb tool or the pftp_client tool. Note that normal Kerberos-enabled FTP clients will not work, as the FTP server uses non-standard FTP responses for the ACL commands. The web interface should be fairly self-explanatory given the general description above.

Within pftp_client, you can use the site acl command to edit ACLs. For any command, if the filename contains quotes, backslashes, or spaces, the entire filename should be quoted by enclosing it in double quotes ( " ), and any backslashes and quotes within the filename should be escaped with a backslash ( \ ). The site acl help command is especially useful. The following additional commands are also useful:

site acl show "name"
    View the ACLs on file or directory name

site acl show -io "name"
    View the default ACL to be applied to new files in directory name

site acl clear "name"
    Clear the ACLs on file or directory name, returning to basic user/group/other permissions

site acl update user:username:rx "name"
    Give or modify access to directories and files

site acl update -ic other_obj:rx .
    Set the default access for directories created under the current directory

site acl remove user:username "name"
    Remove an explicit statement of access for directory or file name

The general format of a permission string for the site acl commands is as follows:

user_obj:rwxidc
    Permissions for the owner of the file or directory

group_obj:rwxidc
    Permissions for the owning group of the file or directory

other_obj:rwxidc
    Permissions for "other" users

user:username:rwxidc
    Permissions granted explicitly to the user username

group:groupname:rwxidc
    Permissions granted explicitly to the group groupname

mask_obj:rwxidc
    A special-purpose permission that is maintained internally by the system, and is generally displayed instead of the owning group's permissions in situations where ACLs are not understood. For details, see the POSIX ACL documentation.

As shown in the example above, removing an ACL entry does not require the permission selections (:rwxidc) to be specified.
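The following is an added example, not code from this Knowledge Base document or from the MDSS/HPSS software: a small Python model that parses permission strings in the site acl format above and applies the four evaluation rules from "How ACLs work" in order, so you can check what a given ACL actually grants to a user before relying on it. The mask_obj entry is accepted but not applied, since the page describes it as internal; the owner, group, and user names in the sample ACL are constructed.

```python
VALID_PERMS = "rwxidc"
SPECIAL = ("user_obj", "group_obj", "other_obj", "mask_obj")

def parse_entry(text):
    """Parse 'user:alice:rx' or 'other_obj:r' into ((kind, name), perms)."""
    parts = text.split(":")
    if len(parts) == 3 and parts[0] in ("user", "group"):
        key, perms = (parts[0], parts[1]), parts[2]
    elif len(parts) == 2 and parts[0] in SPECIAL:
        key, perms = (parts[0], None), parts[1]
    else:
        raise ValueError(f"bad ACL entry: {text!r}")
    if not set(perms) <= set(VALID_PERMS):
        raise ValueError(f"unknown permission letter in {text!r}")
    return key, set(perms)

def build_acl(owner, group, entry_strings):
    """An ACL is the owner, the owning group, and a map of parsed entries."""
    return {"owner": owner, "group": group,
            "entries": dict(parse_entry(s) for s in entry_strings)}

def effective_perms(acl, user, user_groups):
    """Apply the four rules in order; the first applicable rule wins."""
    entries = acl["entries"]
    if user == acl["owner"]:                       # rule 1: owner entry
        perms = set(entries.get(("user_obj", None), ()))
    elif ("user", user) in entries:                # rule 2: explicit user entry
        perms = set(entries[("user", user)])
    else:                                          # rule 3: union of matching groups
        perms, matched = set(), False
        if acl["group"] in user_groups:
            perms |= entries.get(("group_obj", None), set())
            matched = True
        for g in user_groups:
            if ("group", g) in entries:
                perms |= entries[("group", g)]
                matched = True
        if not matched:                            # rule 4: "other"
            perms = set(entries.get(("other_obj", None), ()))
    if user == acl["owner"]:
        perms.add("c")                             # owner always has control
    return "".join(p for p in VALID_PERMS if p in perms)

# Constructed sample: a directory owned by alice with owning group "lab"
SAMPLE = build_acl("alice", "lab", ["user_obj:rwxid", "group_obj:rx",
                                    "other_obj:", "user:bob:rx", "group:tape:ri"])
```

Note that an explicit user entry wins outright (rule 2), so bob gets only "rx" even though he is also in the owning group, while a user matched only through groups receives the union of every matching group entry.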

This is document auxq in domain all.
Last modified on May 13, 2009.
