Skip to content

(2024-01-13) Lab Notebook: Sharing directories with other HPCC users

Warning

This is as a Lab Notebook which describes how to solve a specific problem at a specific time. Please keep this in mind as you read and use the content. Please pay close attention to the date, version information and other details.

Overview

MSU HPCC's GPFS filesystem supports NFS V4 access control lists (ACLs). By modifying ACLs of your directories and files, you will be able to fine control access by other users. This tutorial provides a step-by-step instruction for setting up file sharing through modifying ACLs. We assume that you've put all your files in a single directory and are ready to share that directory with another HPCC user.

To deal with ACLs, you will use three commands: 1) mmgetacl for obtaining existing ACLs; 2) mmputacl for changing ACLs; and 3) mmdelacl for deleting ACLs. Compared with the basic chmod utility, being able to modify ACLs gives users more fine-grained control over file access.

Viewing existing ACLs

To view ACL of a directory or a file, we use the command mmgetacl:

1
2
$ mmgetacl <my dir>
$ mmgetacl <my file>

The output should be mostly self-explanatory; for a complete description of the format of ACL entries, refer to IBM NFS V4 ACL Syntax or IU's supercomputer user's guide.

Example of sharing a directory

Let's say under myuser's home directory, there is a subdirectory named acl_demo. It contains two files and two directories (each dir has one file inside), as shown below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
$ ll acl_demo/
total 17K
drwxrwx--- 2 myuser mygroup 8.0K Jan  9 12:38 dir1/
drwxrwx--- 2 myuser mygroup 8.0K Jan  9 12:38 dir2/
-rwxrwx--- 1 myuser mygroup  151 Jan  9 22:33 file1
-rwxrwx--- 1 myuser mygroup  194 Jan  9 12:37 file2

$ tree acl_demo/
acl_demo/
├── dir1
│   └── ffile1
├── dir2
│   └── ffile2
├── file1
└── file2

2 directories, 4 files

Our goal is to share the entire acl_demo directory with our collaborator collab on the HPCC. Specifically, we will grant read-only access to collab.

First, we need to get the original ACLs for the acl_demo directory and one of the files (say, file1) inside it, using mmgetacl that we've used earlier. The original ACL of a directory/file when created is determined by umask set by myuser. We will save their ACLs to two files in ~/tmp, since we want to differentiate directories from files when manipulating their ACLs. Make sure you have created a subdirectory ~/tmp in your home directory beforehand.

1
2
3
4
5
cd # go to home dir (~/) 
mmgetacl acl_demo > ~/tmp/acl-dir.txt # ACL of dirs
mmgetacl acl_demo/file1 > ~/tmp/acl-file.txt # ACL of files

more ~/tmp/acl-*.txt | cat # take a look at the two ACL files generated

Then, we will change the ACLs (for directories and files) using the mmputacl command. Its usage is simple:

1
mmputacl -i <ACL entries> <file/dir name>

The above shows that mmputacl takes an input file (-i) containing user-defined ACL entries. It's important to note that, in this example, we will need to use mmputacl to change ACLs for both directories and files. This also means that we need to prepare two different input files for mmputacl.

To give collab read and execute (execute permission is needed to navigate to the directory) permission of a directory, we only need to add an entry to that directory's existing ACL. The same applies to changing a file. Below we display two files that each contain the additional entry for granting rx (read and execute) access to user collab:

1
2
3
4
5
6
7
8
9
$ cat tmp/dir.acl
user:collab:r-xc:allow:FileInherit:DirInherit
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

$ cat tmp/file.acl
user:collab:r-xc:allow
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

Above, selected permissions are marked with an X; permissions that are not selected are marked with a -. ACLs for directories have two additional flags (FileInherit and DirInherit) as compared to those for files. These two files (i.e., dir.acl and file.acl) are saved in ~/tmp as before. In practice, you can copy the above content down to your own files and make changes as needed, such as user name and/or permission choices.

Our next step is to combine the new entry (which corresponds to the modified permission) with existing ACL. To do so, in the code below we append our newly added entry to the current ACL, for both directories and files. In other words, the two previously generated files, acl-dir.txt and acl-file.txt have been updated now (take a look at the two files to make sure everything is in order).

1
2
cat ~/tmp/dir.acl >> ~/tmp/acl-dir.txt
cat ~/tmp/file.acl >> ~/tmp/acl-file.txt

With all the preparation completed, we are now ready to call mmputacl. In order to make sure all the files and directories inside will be accessible to collab, we need to apply ACL changes at all levels, or, recursively. The following commands accomplish this.

1
2
3
4
5
cd # go to home dir (~/) 
mmputacl acl_demo -i ~/tmp/acl-dir.txt
cd acl_demo
find . -type d -exec mmputacl \{} -i ~/tmp/acl-dir.txt \;
find . -type f -exec mmputacl \{} -i ~/tmp/acl-file.txt \;

Here is a breakdown of the above code:

  1. The first line applies the change to the very top level directory acl_demo. This allows collab to traverse into this directory.
  2. The second line brings us inside the acl_demo directory.
  3. The third line recursively changes ACLs for subdirectories (dir1 and dir2), based on permissions defined in acl-dir.txt. Furthermore, if there are subdirectories within dir1 and/or dir2, their ACLs will be changed in the same manner.
  4. The fourth line recursively changes ACLs for files (file1, file2, dir1/ffile1, and dir2/ffile2), based on permissions defined in acl-file.txt.

Optional: deleting ACLs

If we want to disable access from the collaborator after file sharing is complete, we can use mmdelacl to delete extended ACLs we've added to acl_demo. Then the ACLs will be reset to their original entries. To perform deletion, we can use the following commands:

1
2
3
4
5
cd # go to home dir (~/) 
mmdelacl acl_demo
cd acl_demo
find . -type d -exec mmdelacl \{} \;
find . -type f -exec mmdelacl \{} \;

After deletion, we can run mmgetacl on those files and directories again, to confirm.