AFS Protection Groups
AFS Protection Group Concepts
AFS implements the concept of user-administered groups. Any user may
create a group; only system administrators may create groups at the “top
level” (i.e., without a username: prefix). User-created groups are
always owned by the user who created them; system groups may be owned by
anyone. The usual practice in CSAIL is for top-level groups to be owned
by groups, rather than users; normally, the owner of a group will either
be the group itself (meaning that everyone in the group can manage the
group membership and permissions) or it will be another group created
specifically for the purpose of managing the first. (By convention, the
group that manages FOO is called FOO-admin and is itself
self-administered.) See the pts command for more information about
examining and managing AFS protection groups.
There are a few other special groups that are defined by AFS:
system:administrators
is the group of system administrators, naturally enough. Even if this group does not appear on the access-control list for a directory, members of this group have plenary authority over all files and directories on the system.
system:anyuser
is the group of all users, whether or not they are authenticated (i.e., everyone in the universe).
system:authuser
is the group of all local authenticated users. You might use this group to restrict access to some resource that is not private but must not be made totally public for legal or administrative reasons. (An example might be software for which CSAIL has a site license.)
system:authuser@FOREIGN.CELL.NAME
is the group of all authenticated users in the cell named FOREIGN.CELL.NAME (folded to lower case). This requires cross-realm Kerberos authentication, which is currently only set up between CSAIL and Athena.
Protection Groups and pts
AFS uses protection groups, which are a bit like Unix groups, only much more powerful and flexible.
Using pts creategroup to create a new group
Use the pts creategroup command to create a new group of users, specifying your username and the name of the group you want to create. The command format is:
pts creategroup your_user_name:groupname
For instance, if I want to create a group of people who will get permissions to see a private folder in my home directory, I would type this command:
youruser@login:~$ pts creategroup youruser:your_afs_group
group youruser:your_afs_group has id -17016
When creating a group, you always put your username before the colon. You can name your group anything you want.
Adding and removing people from groups
Users are added to and removed from groups using pts adduser and pts removeuser, respectively.
youruser@login:~$ pts adduser -user user1 user2 user3 user4 -group youruser:your_afs_group
To inspect the group membership, use pts membership:
youruser@login:~$ pts membership youruser:your_afs_group
Members of youruser:your_afs_group (id: -17016) are:
user1
user4
user2
user3
If I don’t want people in my group anymore, I can remove them like this:
youruser@login:~$ pts removeuser -user user1 -group youruser:your_afs_group
youruser@login:~$ pts membership youruser:your_afs_group
Members of youruser:your_afs_group (id: -17016) are:
user4
user2
user3
Cached permissions and group membership changes
When the AFS client makes an access-control check, the result of that
check is cached on a per-session basis for some time. If the ACL of a
file is changed, AFS’s built-in cache consistency mechanism makes sure
that any cached access-control decisions for that file are discarded.
However, if the ACL references a protection group and the group
membership changes, this cache flush does not happen. This means that
group membership changes may not take effect immediately, even though
they are visible in the output of the pts command and do apply to new
login sessions. In particular, a user you remove from a group may keep
the access that group grants on a client until the cached decision
expires or is cleared.
- For CSAIL Ubuntu, you can clear this old state by logging out and back in again. You can also use the fs flushv command to clear all cached AFS client state for a particular volume.
- For Windows, destroy your credentials (using leash) and ask for new ones.
Deleting groups
If you’re done with a group, use pts delete:
youruser@login:~$ pts delete youruser:your_afs_group
Read the pts manpage for a complete list of what you can do with AFS protection groups.
Using fs setacl to set an ACL on a directory
Once you have a group, you will use it to give people in that group certain permissions on a directory.
youruser@login:~$ fs setacl secret_files youruser:your_afs_group read
youruser@login:~$ fs listacl secret_files
Access list for secret_files is
Normal rights:
youruser:your_afs_group rl
youruser:youruser rlidwka
system:anyuser l
youruser rlidwka
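The special system:* groups described above are the entries most worth checking after an fs setacl, since a careless rights string on system:anyuser exposes a directory to the whole world. The following script is an added example, not part of this page or of OpenAFS: it parses fs listacl output (a constructed sample, modelled on the listing above, is embedded) and flags positive entries that grant system:anyuser anything beyond lookup, or give a system:authuser group write-class rights (i, d, w or a).

```shell
#!/bin/sh
# Added example (not from the CSAIL page or OpenAFS): audit the output of
# `fs listacl` and flag entries that hand the special system:* groups more
# than they should have. Rights letters are the standard AFS set r l i d w k a.

# Constructed sample of `fs listacl` output, modelled on the page's listing
# with two deliberately risky entries added (system:anyuser rl and
# system:authuser@foreign.cell rliw).
SAMPLE_ACL='Access list for secret_files is
Normal rights:
  youruser:your_afs_group rl
  youruser rlidwka
  system:anyuser rl
  system:authuser@foreign.cell rliw
  system:authuser l
Negative rights:
  olduser rl'

# audit_acl: reads `fs listacl` output on stdin and prints one line per
# risky positive entry as "<entry> <rights> <reason>". Prints nothing when clean.
audit_acl() {
    awk '
        /^Normal rights:/   { negative = 0; next }
        /^Negative rights:/ { negative = 1; next }
        NF != 2             { next }   # "Access list for ... is" header
        negative            { next }   # negative entries only take rights away
        $1 == "system:anyuser" && $2 != "l" {
            print $1, $2, "readable or writable by anyone, even unauthenticated"
            next
        }
        $1 ~ /^system:authuser/ && $2 ~ /[idwa]/ {
            print $1, $2, "every authenticated user may modify data or the ACL"
        }'
}

# acl_is_clean: exit status 0 when nothing was flagged, 1 otherwise, so a
# directory-setup script can stop before handing out the path.
acl_is_clean() {
    [ -z "$(audit_acl)" ]
}

# Run against the constructed sample; on a real client you would pipe
# `fs listacl <dir>` into audit_acl instead.
printf '%s\n' "$SAMPLE_ACL" | audit_acl
```

Both flagged entries in the sample are printed; the negative-rights entry and the harmless system:authuser l entry are ignored.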
Recommended Course Directory Permissions
Information about how to set up course directories can be found [right here].