AFS TUTORIAL
Welcome to AFS. If you're a new AFS user, this guide will
help you run some important AFS commands. You should add
/usr/afsws/bin, /usr/afsws/etc and /afs/rhic/usr/local/bin to your PATH, and
/usr/afsws/man to your MANPATH. If you source star_login.csh,
these paths are included automatically.
1.1 Klog command:
cd to /afs and you will see the rhic directory. If your machine doesn't
have an /afs directory, it isn't an AFS client. If you're a
RHIC user, you will have an AFS account and an AFS password.
Right after you log in, run the klog command to get your token:
# klog
1.2 Tokens command:
To check that you got your token, issue the tokens command:
# tokens
1.3 Kpasswd command:
To change your AFS password, issue the kpasswd command:
# kpasswd
1.4 Fs command:
This is the most often used command for AFS users. To get help,
you can run 'man fs' or 'fs help'. (Don't confuse it with the fs
that is the AIXwindows font server.)
To list a directory's ACL:
# fs la < directory >
To set directories' ACLs:
# fs sa -dir < directories > -acl < ACL entry >
Each < ACL entry > has two parts: a user or group name and the
access control rights, separated by a space (for example, star rlidw).
Type a combination of the seven letters representing the rights, or
one of the four shorthand words.
Access Control Rights:
r: read   l: lookup   i: insert   d: delete   w: write   k: lock   a: admin
Shorthand Notation:
write = rlidwk   read = rl   all = rlidwka   none = removes entry
1.5 Pts command:
List members of a group:
# pts mem < group>
List groups a user belongs to:
# pts mem < user>
1.6 Unlog command:
To destroy your token, issue the unlog command:
# unlog < cell name >
If you don't unlog, your token stays valid even after you log out.
An AFS group is a defined list of individual users that you can place on the
access control lists (ACLs) so that you can grant the same access rights to a number of people at once.
When you create a group, you automatically become its owner. A group's owner
is the only one allowed to administer the group. Administering a group includes
adding members to it, removing members from it, renaming it, changing its owner,
or deleting it entirely.
2.1 Group Names:
Most group names have two parts, separated by a colon, as follows:
owner-name:group-name, for example, brahmlib:brahmsoft is created by brahmlib.
The owner-name is the name of the owner of the group; the group-name is the
actual name of the group. You may also encounter groups that do not have an
owner prefix; these are special groups created by system administrators. For
example, brahms, star and phenix are special groups.
AFS defines three system groups that you can put on your ACLs.
- system:anyuser - This group includes everybody.
- system:authuser - This group includes anyone who is currently authenticated
in your cell.
- system:administrators - Only the few people who administer your cell are in this group.
2.2 Creating groups and adding members:
(This must be done on a rhic machine from the brahmlib account.)
Use the pts creategroup command to create a group:
# pts creategroup -name < group name>
Use the pts adduser command to add user(s) to a group:
# pts adduser -user < user name> -group < group name>
Example:
# pts creategroup -name brahmlib:brahmsoft
# pts adduser -user videbaek mcbreen hagel bearden -group brahmlib:brahmsoft
2.3 Removing Users from a group and deleting a group
Use the pts removeuser command to remove a user from a group:
# pts removeuser -user < user name> -group <group name>
Example:
# pts removeuser -user chasman -group brahmlib:brahmsoft
Use the pts delete command to delete a group entirely:
# pts delete < group name>
Example:
# pts delete mcbreen:test_group
Note: After deleting a group, you should run the fs cleanacl command to remove
the deleted group(s) from ACLs.
Example:
After Mcbreen removed the group test_group, the group still appears on the ACL of
directory /afs/rhic/brahms/BRAHMS_CVS. To remove the group from the ACL of this directory:
# fs cleanacl /afs/rhic/brahms/BRAHMS_CVS
2.4 Listing members of group
Use the pts mem command to display a group's members.
# pts mem <group name>
Example:
# pts mem brahms
# pts mem brahmlib:brahmsoft
2.5 Changing a group's owner or name
Use the pts chown command to change the owner of a group.
# pts chown -name <group name> -owner <new owner>
Use the pts rename command to change the group's name:
# pts rename <old name> <new name>
Every directory has its own access control list (ACL) that is used to define
which users or groups can access the directory and its files.
Defining access at the directory level has several consequences:
Files inherit the access rights associated with their parent directory. If you
move a file to a new directory, the file gets the access rights of its new
directory.
When you create a subdirectory, it inherits the current access rights of its
parent directory. You can then set the subdirectory's ACL to be different from
its parent's.
There are 7 standard access rights available on ACLs:
- The LOOKUP (l) right allows the possessor to issue ls.
- The INSERT (i) right allows the possessor to create new files or directories.
- The DELETE (d) right allows the possessor to remove files or directories.
- The ADMIN (a) right allows the possessor to change the ACL for the directory.
- The READ (r) right allows the possessor to read the contents of the files.
- The WRITE (w) right allows the possessor to modify the contents of the files.
- The LOCK (k) right allows the possessor to run programs that need to place
advisory locks on files in the directory (don't worry about this right).
3.1 Listing an ACL
The fs listacl command is used to view a directory's ACL.
# fs la < dir path >
Example:
# fs la /afs/rhic/brahms
# fs la
# fs la *
3.2 Setting/Changing an ACL
You are allowed to change any ACL for which you have the ADMIN right.
Use the fs sa command to set/change the ACL.
# fs sa -dir < dir > -acl < users/groups > [rliwadk]
Example:
# fs sa -dir /afs/rhic/brahms -acl brahms all phenix rl system:anyuser none
Here, the brahms group has all 7 rights, but the phenix group only has read and lookup,
and system:anyuser doesn't have any rights at all.
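The ACL rules above can be checked mechanically. The following is an added example, not part of the original tutorial: a shell function that reads fs la output and flags system:anyuser or system:authuser entries holding insert, delete, write or admin rights, plus entries left behind by a deleted group. The sample listing is constructed, the function names are hypothetical, and the script assumes a leftover entry shows up as a numeric AFS ID instead of a name.

```shell
#!/bin/sh
# Added example: audit `fs la` output for over-broad or stale ACL entries.

# Constructed sample listing; on an AFS client use: fs la <dir> | audit_acl
sample_acl() {
cat <<'EOF'
Access list for /afs/rhic/brahms is
Normal rights:
  brahms rlidwka
  phenix rl
  system:anyuser rlidwk
  -1234 rlidwk
Negative rights:
  system:authuser w
EOF
}

# audit_acl: read `fs la` output on stdin and print one finding per line.
# Entries under "Negative rights:" deny rights, so they are not findings.
audit_acl() {
  awk '
    /^Access list for /  { dir = $4; neg = 0; next }
    /^Normal rights:/    { neg = 0; next }
    /^Negative rights:/  { neg = 1; next }
    NF == 2 && !neg {
      who = $1; rights = $2
      # Assumption: an entry for a deleted user or group is listed by its
      # numeric AFS ID; such entries are what fs cleanacl removes.
      if (who ~ /^-?[0-9]+$/) { print "ORPHAN " dir " " who; next }
      # Only i, d, w and a allow changing the directory, its files or its ACL.
      if (rights !~ /[idwa]/) next
      if (who == "system:anyuser")  print "WORLD-WRITABLE " dir " " rights
      if (who == "system:authuser") print "CELL-WRITABLE " dir " " rights
    }
  '
}

# Stand-alone run on the constructed sample.
sample_acl | audit_acl
```

The same function handles the multi-directory output of fs la *, because each "Access list for" line starts a new directory.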
For more information:
Flemming Videbaek (videbaek@sgs0.hirg.bnl.gov)