AFS TUTORIAL

1. Brief User's guide

Welcome to AFS. If you're a new AFS user, this guide will help you to run some important AFS commands. You should add /usr/afsws/bin and /usr/afsws/etc /afs/rhic/usr/local/bin into your PATH, also /usr/afsws/man into your MANPATH. If you source star_login.csh then these paths will be automatically included.

1.4 Fs command:

This is the most often used command for AFS user. To get help, you can run 'man fs' or 'fs help'. (Don't confuse with fs which is for AIXwindows font server.) To list a directory's (ACLs):
# fs la < directory >
To set directories' ACLs:
# fs sa -dir < directories > -acl < ACL entry >
Each < ACL entry > has two parts: a user or groups name and the access control rights, epatated by a space (for example, star rlidw). Type a combination of the seven letters representing the rights, or one of the four shorthand words.
Access Control Rights:
r: read l: lookup i: insert d: delete w: write k: lock
Shorthand Notation:
write = rlidwk read = rl all = rlidwka none = removes entry

1.5 Pts command:

List members of a group:
# pts mem < group>
List groups a user belongs to:
# pts mem < user>

1.6 Unlog command:

To destroy your token, issue unlog command:
# unlog < cell name >
If you don't unlog, your token is still alive even when you logout.

For more information:

The FAQ
RHIC AFS homepage

2. Groups

An AFS group is a defined list of individual users that you can place on the access control lists (ACLs) so that you can grant the same access rights to a number of people at once. When you create a group, you automatically become its owner. A group's owner is the only one allowed to administer the group. Administering a group includes adding members to it, removing members from it, renaming it, changing its owner, or deleting it entirely.

2.1 Group Names:

Most group names have two parts, separated by a colon, as follows: owner-name:group-name, for example, brahmlib:brahmsoft is created by brahmlib. The owner-name is the name of the owner of the group; the group-name is the actual name of the group. You may also encounter groups that do not have an owner prefix; these are special groups created by system administrators. For example, brahms, star and phenix are special groups. AFS defines three system groups that you can put on your ACLs.

system:anyuser - This group includes everybody.
system:authuser - This group includes anyone who is currently authenticated in your cell.
sytem:administrators - Only few people in this group who administer your cell.

2.2 Creating groups and adding members:

(must be done on a rhic machine from brahmlib acct)

Use the pts creategroup command to create a group:
# pts creategroup -name < group name>
Use the pts adduser command to add user(s) to a group:
# pts adduser -user < user name> -group < group name>
Example:
# pts creategroup -name brahmlib:brahmsoft
# pts adduser -user videbaek mcbreen hagel bearden -group brahmlib:brahmsoft

2.3 Removing Users from a group and deleting a group

Use the pts removeuser command to remove a user from a group
# pts removeuser -user < user name> -group <group name>
Example:
#pts removeuser -user chasman -group brahmlib:brahmsoft
Use the pts delete command to delete a group entirely:
# pts delete < group name>
Example:
#pts delete mcbreen:test_group
Note: After deleting group, you should run fs cleanacl command to remove deleted group(s) from ACLs.
Example:
After Mcbreen removed the group test_group the group still appears on directory /afs/rhic/brahms/BRAHMS_CVS. To remove the group from the ACL of this directory:
# fs cleanacl /afs/rhic/brahms/BRAHMS_CVS

2.4 Listing members of group

Use the pts mem command to display group's members.
# pts mem <group name>
Example:
# pts mem brahms
# pts mem brahmlib:brahmsoft

2.5 Changing a group's owner or name

Use the pts chown command to change the owner of a command.
# pts chown -name <group name> -owner <new owner>
Use the pts rename command to change the group's name:
# pts rename <old name> <new name>

3. Access Control Lists (ACL)

Every directory has its own access control list (ACL) that is used to define which users or groups can access the directory and its files. Defining access at the directory level has several consequences: Files inherit the access rights associated with their parent directory. If you move a file to a new directory, the file gets the access rights of its new directory. When you create a subdirectory, it inherits the current access rights of its parents directory. You can then set the subdirectory's ACL to be different from its parents. There are 7 standard access rights available on ACLs:

The LOOKUP (l) right allows the possessor to issue ls
The INSERT (i) right allows the possessor to create new files or directories.
The DELETE (d) right allows the possessor to remove files or direcotries.
The ADMIN (a) right allows the possessor to change the ACL for the directories
The READ (r) right allows the possessor to read the contents of the files.
The WRITE (w) right allows the possessor to modify the contents of the files.
The LOCK (k) right allows the possessor to run programs that need to place advisory locks on files in the directory (don't worry about this right)

3.1 Listing an ACL

The fs listacl command is used to view a directory's ACL.
# fs la < dir path >
Example:
# fs la /afs/rhic/brahms
# fs la
# fs la *

3.2 Setting/Changing an ACL

You are allowed to change any ACL for which you have the ADMIN right. Use the fs sa command to set/change the ACL.
# fs sa -dir < dir > -acl < users/groups > [rliwadk]
Example:
# fs sa -dir /afs/rhic/brahms -acl brahms all phenix rl system:anyuser none
Here, star group has all 7 rights, but phenix group only has read and lookup, and sytem:anyuser doesn't have any rights at all.

Back to Brief User's Guide