Understanding Access Control in AFS

Details

In AFS, access control is applied at the directory level: the same permissions apply to every file that the directory contains. The Access Control List (ACL) is a list of users and/or groups, each paired with the permissions that apply to it. The ACL for any directory can be displayed with the fs listacl command-line tool on any AFS client, and on Windows it can also be displayed by the Explorer shell AFS plugin (via the right-click menu).

Example fs listacl output:

Access list for . is
Normal rights:
dartmouthip l
system:administrators rlidwka
system:authuser l
ownername rlidwka

Where:

dartmouthip
special group for all computers on the Dartmouth network
system:administrators
special group for AFS administrators
system:authuser
special group for anyone with Dartmouth AFS credentials
ownername
an individual user with the credentials of the owner of the volume

Changing a directory's ACL does not propagate to its existing subdirectories; each subdirectory keeps its own ACL. A newly created subdirectory does, however, start with a copy of its parent directory's ACL at the time it is created.

Seven Access Types You Can Grant

Lookup (l)
Ability to view the directory's ACL and to list the directory's contents (the names of the files and subdirectories in it). It does not grant read access to the files themselves.
Read (r)
Read access on a directory allows reading of all the files in a directory.
Write (w)
Write access on a directory grants permission to modify existing files and subdirectories within a directory, and to change permissions on the files in that directory.
Insert (i)
Insert access on a directory implies permission to create files or subdirectories in the directory.
Delete (d)
Delete access on a directory gives the ability to remove files or empty subdirectories from the directory.
Administer (a)
With administer access on a directory, it is possible to change the ACL of the directory.
Lock (k)
A user with lock access on a directory can put advisory locks on files within the directory.

When setting access controls, read is a shortcut for rl and write is a shortcut for rlwidk (everything but administer). Normally only the owner of a volume has administer access. These permissions may be granted to individual users or to groups; collaborating researchers will usually use groups. Permissions are set with the fs setacl command.
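The following script is an added example for this article, not part of the AFS tools or of the original page. It parses the fs listacl output shown above (embedded here as a constructed sample, with the article's placeholder name ownername), expands the read and write shorthands into the seven rights, rejects misspelt rights strings before they could reach fs setacl, and flags any principal outside a trusted set that holds a modifying right (w, i, d) or administer (a). It goes slightly beyond the article in two ways: it also accepts the all and none shorthands that fs setacl understands, and it handles the Negative rights: section that fs listacl prints when a directory carries negative entries (AFS subtracts those from the normal rights).

```python
"""Parse `fs listacl` output and audit the grants it contains.

Added example for this article; not part of the AFS tools.  The ACL
text below is the sample from the article, embedded so the script runs
without an AFS client.  ownername is the article's placeholder.
"""

# The seven AFS directory rights, in the order fs prints them.
RIGHTS = "rlidwka"

# Shorthands accepted by fs setacl.  The article names read and write;
# all and none are the other two fs setacl shorthands.
SHORTHAND = {
    "read": "rl",
    "write": "rlidwk",   # everything but administer
    "all": "rlidwka",
    "none": "",
}

# Constructed sample: the fs listacl output shown in the article.
SAMPLE_LISTACL = """\
Access list for . is
Normal rights:
  dartmouthip l
  system:administrators rlidwka
  system:authuser l
  ownername rlidwka
"""


def expand_rights(spec):
    """Return the canonical rights string for a shorthand or letter string.

    Raises ValueError for any letter outside rlidwka, so a typo is
    rejected instead of being passed on to fs setacl.
    """
    if spec in SHORTHAND:
        spec = SHORTHAND[spec]
    bad = set(spec) - set(RIGHTS)
    if bad:
        raise ValueError("unknown AFS right(s): " + "".join(sorted(bad)))
    # Canonical order, duplicates removed.
    return "".join(r for r in RIGHTS if r in spec)


def parse_listacl(text):
    """Parse fs listacl output into normal and negative entries.

    Returns {"normal": {principal: rights}, "negative": {principal: rights}}.
    """
    acl = {"normal": {}, "negative": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Access list for"):
            continue
        if line == "Normal rights:":
            section = "normal"
            continue
        if line == "Negative rights:":
            section = "negative"
            continue
        if section is None:
            raise ValueError("rights line before any section: %r" % line)
        principal, rights = line.rsplit(None, 1)
        acl[section][principal] = expand_rights(rights)
    return acl


def can(acl, principal, right):
    """True if principal holds `right` after negative entries are applied."""
    granted = acl["normal"].get(principal, "")
    denied = acl["negative"].get(principal, "")
    return right in granted and right not in denied


def find_overgrants(acl, trusted=("system:administrators",)):
    """Map each principal outside `trusted` to the w/i/d/a rights it holds.

    On a shared directory these are the entries to review first: broad
    groups such as system:authuser or a network group like dartmouthip
    should normally hold only l or rl.  Pass the volume owner in
    `trusted` so that the expected owner entry is not reported.
    """
    risky = set("wida")
    found = {}
    for principal, rights in acl["normal"].items():
        if principal in trusted:
            continue
        held = "".join(r for r in rights if r in risky)
        if held:
            found[principal] = held
    return found


if __name__ == "__main__":
    acl = parse_listacl(SAMPLE_LISTACL)
    for principal, rights in acl["normal"].items():
        print("%-25s %s" % (principal, rights))
    print("system:authuser can read files:", can(acl, "system:authuser", "r"))
    print("over-grants:", find_overgrants(acl, ("system:administrators", "ownername")))
```

Run against the sample, the audit reports no over-grants once the owner is listed as trusted, and confirms that system:authuser can list the directory but not read its files. On a real client, replace SAMPLE_LISTACL with the captured output of fs listacl for the directory being reviewed.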

For more detailed information about Access Control in AFS:

Details

Article ID: 64627
Created
Tue 10/9/18 12:18 PM
Modified
Mon 3/13/23 5:44 PM
