r13 - 20 Apr 2012 - 20:17:56 - JohnPerkins

AFS File System

Introduction

AFS is a distributed file system that enables sharing files across both local area and wide area networks.

AFS is based on a distributed file system originally developed at the Information Technology Center at Carnegie-Mellon University that was called the Andrew File System.

Some useful features of AFS:

  • In conjunction with Kerberos, AFS provides a global authentication system (all passwords are verified against a site-wide database).
  • Access Control Lists (ACLs) provide more flexibility in setting file access permissions than traditional Unix file systems.
  • Users can access AFS files at remote sites, if given appropriate permissions.

See Also:

AFS Commands Quick Reference

The tables below list the most common AFS commands used by users. Every command has two help functions: <command> help and <command option> -help.

| File Service Commands | Description |
| fs listquota <path>, fs lq <path> | List the AFS quota for the volume containing file or directory path. If no path is specified, the current directory is used. |
| fs listacl <path>, fs la <path> | List the Access Control List for the directory path (or the directory containing path). If no path is specified, the current directory is used. |
| fs setacl <path> <user> <acl>, fs sa <path> <user> <acl> | Set the Access Control List entry for the user user on the directory path. |
| fs copyacl <srcpath> <destpath> | Copy the Access Control List from the directory srcpath to the directory destpath. Note that this does not delete the existing Access Control List entries on destpath. |
| afs_rseta <path> <user> <acl> | Recursively set the Access Control List entry for the user user on the directory path and all subdirectories of path. |
| fs whereis <path> | Print the name of the AFS file server for the volume containing file or directory path. If no path is specified, the current directory is used. |

| AFS Group Commands | Description |
| pts creategroup <username:group> | Create a group named username:group. username must be your username. |
| pts adduser <user> <username:group> | Add user user to group username:group. Usually username is your username. |
| pts removeuser <user> <username:group> | Remove user user from group username:group. Usually username is your username. |
| pts membership <user> | List the groups user is a member of. |
| pts membership <username:group> | List the members of group username:group. |
| pts listowned <username> | List the groups owned by username. |

| Authentication Commands | Description |
| tokens | Print information about the AFS authentication token of the current process authentication group (PAG). |
| kalog | Renew or create a Kerberos ticket and AFS token. |

| Miscellaneous Commands | Description |
| up <srcdir> <destdir> | Recursively copy srcdir to destdir, preserving AFS Access Control Lists. |

File-related Commands

Quotas

The AFS file system has per-volume disk space quotas. To examine your quota and the current usage, use:

On UNIX systems

fs listquota <path>
fs lq <path>

where <path> is the pathname of a file or directory in the volume.

Disk quota and amount used are reported in 1K Byte Blocks. The percentage used of the volume quota and the file server disk partition holding that volume are also reported.

On Windows systems

  • Right-click on a directory, and use the AFS | Volume/Partition | Properties menu; or
  • In a command window, use the fs listquota command:
    fs listquota <path>
    fs lq <path>

where <path> is the pathname of a file or directory in the volume.

Disk quota and amount used are reported in 1K Byte Blocks. The percentage used of the volume quota and the file server disk partition holding that volume are also reported.
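Because fs listquota reports quota and usage in 1K-byte blocks, a script that watches several volumes has to parse that output itself. The following is an added example, not part of the original page or of AFS: it parses a constructed sample in the column layout fs listquota prints (the "<<WARNING" marker on nearly full volumes, and the rule that a quota of 0 means unlimited, are assumptions of this example) and flags volumes at or above a chosen percentage.

```python
# Constructed sample of `fs listquota` output; sizes are in 1K-byte blocks.
# The "<<WARNING" marker fs appends to nearly full volumes is assumed here.
SAMPLE_LISTQUOTA = """\
Volume Name                    Quota       Used %Used   Partition
user.bbadger                 2000000    1834000   92%         71%  <<WARNING
proj.project2                 500000      41200    8%         71%
"""


def parse_listquota(text):
    """Parse fs listquota output into one dict per volume line (header skipped)."""
    volumes = []
    for line in text.splitlines()[1:]:
        # Drop the "<<WARNING" token so every data row has exactly five fields.
        fields = [f for f in line.split() if not f.startswith("<<")]
        if len(fields) != 5:
            continue  # blank line or something we do not understand
        name, quota, used, used_pct, part_pct = fields
        volumes.append({
            "volume": name,
            "quota_kb": int(quota),
            "used_kb": int(used),
            "used_pct": int(used_pct.rstrip("%")),
            "partition_pct": int(part_pct.rstrip("%")),
        })
    return volumes


def quota_report(text, warn_pct=90):
    """Add the remaining space in KB and a warning flag for volumes at or above warn_pct.

    A quota of 0 is treated as unlimited (assumption of this example).
    """
    report = []
    for vol in parse_listquota(text):
        if vol["quota_kb"] == 0:
            remaining, pct = None, 0.0
        else:
            remaining = vol["quota_kb"] - vol["used_kb"]
            pct = 100.0 * vol["used_kb"] / vol["quota_kb"]
        report.append(dict(vol, remaining_kb=remaining, warning=pct >= warn_pct))
    return report


if __name__ == "__main__":
    for vol in quota_report(SAMPLE_LISTQUOTA):
        flag = "  ** near quota: run lff to find large files **" if vol["warning"] else ""
        print("%-16s %8d KB of %8d KB used (%d%%), %s KB free%s" % (
            vol["volume"], vol["used_kb"], vol["quota_kb"], vol["used_pct"],
            "unlimited" if vol["remaining_kb"] is None else vol["remaining_kb"], flag))
```

The warning threshold is computed from the raw block counts rather than from the rounded %Used column, so it stays accurate for small volumes where rounding hides the last few kilobytes.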

lff - Large File Finder

lff Introduction

lff is a program that finds large files and directories in a directory tree. It searches all files, including hidden files (dotfiles), and all subdirectories of the tree; directories within the tree can be omitted from the search.

It can report sizes in kilobytes or megabytes and is configurable through command line options.

| lff option | Description |
| -f, --fileminsize SOMENUMBER | Sets the minimum file size that you are searching for. It defaults to 1 megabyte. You can specify the size in bytes, kilobytes, or megabytes: to specify bytes, just use a number; to specify kilobytes, append a k or a K after the number; to specify megabytes, append an m or an M after the number. |
| -d, --dirminsize SOMENUMBER | Sets the minimum directory size that you are searching for. It defaults to 5 megabytes. You can specify kilobytes or megabytes the same way as for --fileminsize. |
| -h, -?, --help | Shows a short help message on usage and immediately exits. |
| -k[K], --kilobytes | (case insensitive in the single character form) Formats the output in kilobytes instead of bytes. |
| -m[M], --megabytes | (case insensitive in the single character form) Formats the output in megabytes instead of bytes. |
| -F, --Fileonly | (case sensitive) Limits the output to large files only, instead of large directories and files. |
| -D, --Dironly | (case sensitive) Limits the output to large directories only, instead of large files and directories. |
| -o, --omitdirs | Sets directories to omit. They should be in the directory tree that you are checking, but the program does not verify this, and naming directories that are elsewhere causes no problems beyond a minor slowdown. |
| -v, --version | Displays the current version of the program and immediately exits. |

lff Examples

The most common usage of lff will probably be to check a home directory to find large files and directories (such as the mozilla cache) when an AFS quota has been filled. The easiest way to do this is:

/s/std/bin/lff ~

In order to format output to kilobytes, the following will work:

/s/std/bin/lff ~ -k

A more complex usage would be the following:

/s/std/bin/lff ~ -k -f 2m -d 6m -o ~/public

That example would scan your home directory, output the file sizes in kilobytes, search for files 2 megabytes or larger, directories 6 megabytes or larger, and omit the public directory.

It is possible to scan and/or omit multiple directories. To scan /tmp and /usr while omitting /usr/X11R6 and /usr/bin, the following command will work:

/s/std/bin/lff /tmp /usr -o /usr/X11R6 -o /usr/bin
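To make the option semantics above concrete, here is an added example, not the lff program shipped in /s/std/bin and not code from the original page: a small Python finder that implements the same behaviour (size suffixes k/m, separate file and directory thresholds, dotfiles included, -o subtrees never entered) and a demo() that builds a constructed home directory in a temporary location and runs the "-k -f 2m -d 6m -o ~/public" example from the text against it. Directory sizes are the totals of their whole subtree, which is the assumption this example makes about what lff reports.

```python
import argparse
import os
import shutil
import sys
import tempfile

UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}


def parse_size(text):
    """lff-style size: bare number = bytes, trailing k/K = kilobytes, m/M = megabytes."""
    text = text.strip()
    suffix = text[-1].lower() if text and text[-1].isalpha() else ""
    if suffix not in UNITS:
        raise ValueError("bad size suffix in %r (use k or m)" % text)
    return int(text[:-1] if suffix else text) * UNITS[suffix]


def format_size(nbytes, unit=""):
    """Render a byte count in bytes, kilobytes (unit='k') or megabytes (unit='m')."""
    return "%d%s" % (nbytes // UNITS[unit], unit.upper())


def scan(dirpath, fmin, dmin, omit, files, dirs):
    """Total dirpath recursively (dotfiles included); collect large files and directories."""
    total = 0
    try:
        with os.scandir(dirpath) as it:
            entries = list(it)
    except OSError:
        return 0  # unreadable directory (e.g. no 'l' right on an AFS directory): skip it
    for entry in entries:
        if entry.is_dir(follow_symlinks=False):
            if os.path.abspath(entry.path) in omit:
                continue  # -o/--omitdirs: never descend into an omitted subtree
            total += scan(entry.path, fmin, dmin, omit, files, dirs)
        elif entry.is_file(follow_symlinks=False):
            size = entry.stat(follow_symlinks=False).st_size  # symlinks are not followed
            total += size
            if size >= fmin:
                files.append((entry.path, size))
    if total >= dmin:
        dirs.append((dirpath, total))
    return total


def find_large(roots, file_min="1m", dir_min="5m", omit=()):
    """Return (large_files, large_dirs), each a list of (path, bytes) sorted largest first."""
    fmin, dmin = parse_size(file_min), parse_size(dir_min)
    omit = {os.path.abspath(o) for o in omit}
    files, dirs = [], []
    for root in roots:
        scan(os.path.abspath(root), fmin, dmin, omit, files, dirs)
    key = lambda item: (-item[1], item[0])
    return sorted(files, key=key), sorted(dirs, key=key)


def demo():
    """Constructed home directory mirroring the '-f 2m -d 6m -o ~/public' example above."""
    home = tempfile.mkdtemp(prefix="lff-demo-")
    layout = {".mozilla/cache/big": 3 * UNITS["m"], ".mozilla/cache/bigger": 4 * UNITS["m"],
              "docs/notes.txt": 10 * UNITS["k"], "public/huge.iso": 6 * UNITS["m"]}
    for rel, size in layout.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.truncate(size)  # sparse file: st_size reports the full size without writing it
    try:
        files, dirs = find_large([home], "2m", "6m", omit=[os.path.join(home, "public")])
        rel = lambda items: [(os.path.relpath(p, home), s) for p, s in items]
        return {"files": rel(files), "dirs": rel(dirs)}
    finally:
        shutil.rmtree(home)


def main(argv):
    ap = argparse.ArgumentParser(description="lff-style large file finder (added example)")
    ap.add_argument("dirs", nargs="+")
    ap.add_argument("-f", "--fileminsize", default="1m")
    ap.add_argument("-d", "--dirminsize", default="5m")
    ap.add_argument("-o", "--omitdirs", action="append", default=[])
    unit = ap.add_mutually_exclusive_group()  # only the lowercase forms of -k/-m are accepted here
    unit.add_argument("-k", "--kilobytes", action="store_const", const="k", dest="unit", default="")
    unit.add_argument("-m", "--megabytes", action="store_const", const="m", dest="unit")
    only = ap.add_mutually_exclusive_group()
    only.add_argument("-F", "--Fileonly", action="store_true")
    only.add_argument("-D", "--Dironly", action="store_true")
    args = ap.parse_args(argv)
    files, dirs = find_large(args.dirs, args.fileminsize, args.dirminsize, args.omitdirs)
    if not args.Dironly:
        for path, size in files:
            print("FILE %10s %s" % (format_size(size, args.unit), path))
    if not args.Fileonly:
        for path, size in dirs:
            print("DIR  %10s %s" % (format_size(size, args.unit), path))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python lff_example.py ~ -k -f 2m -d 6m -o ~/public` to get output equivalent to the third lff example; the demo() function runs the same search over the constructed tree, where the 6 megabyte file under public is never counted because the omitted subtree is pruned before it is entered.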

Recursively Copying Files And AFS ACLs on UNIX systems

Use the up command:

up <srcdir> <destdir>

srcdir is the source directory, destdir is the destination directory.

Note: if destdir does not exist, it will be created. If destdir already exists, the copy is placed in it (it does not become a subdirectory of destdir). For example:

  • up olddir newdir: makes a copy of olddir, named newdir
  • mkdir newdir; up olddir newdir: makes a copy of olddir, named newdir, not newdir/olddir

Access Control And AFS Groups

The AFS Filesystem provides Access Control Lists (ACLs) and user-managed AFS user groups for controlling file access.

Access Control Lists (ACLs)

Each directory in AFS has an ACL (Access Control List). Although unix files have owner and group IDs associated with them and read/write/execute bits for the owner, group members and non-members, these bits are often ignored for files on AFS filesystems. (You will need to enable execute bits to execute programs, though, and some programs will explicitly test for certain unix file permission bits.)

The ACL of a directory applies to all files in that directory. For example, if the ACL allows read access to a user, then all readable files (according to the Unix owner permission bits) in the directory will be readable by that user. The same applies to write and execute permissions (note: in order to execute a file (run the program), you must also be able to read the file). It is impossible to have two files in a given directory with different ACLs.

Access can be specified for individual users or AFS groups.

Access Control Commands

On UNIX systems

Use the fs listacl command:

fs listacl <path>
fs la <path>

path is the pathname of the directory

On Windows systems

  • Right-click on a directory, and use the AFS | Access Control Lists menu; or
  • In a command window, use the fs listacl command as shown above for UNIX systems.

Setting/Modifying Access Control Lists

On UNIX systems

Use the fs setacl command:

fs setacl <path> <user> <permission>
fs sa <path> <user> <permission>

  • path is the pathname of the directory
  • user is the username of an individual user, or an AFS user group
  • permission is an AFS Access Control List permission (right) to be granted

For example:

  • Give the user bbadger read and lookup access to all the readable files in the directory project2:
fs setacl project2 bbadger read
fs setacl project2 bbadger rl

  • Give the group username:mygroup rlidwk (read, lookup, insert, delete, write, and lock) access permissions to the directory src (username is your user name).
fs setacl src <username>:mygroup write
fs setacl src <username>:mygroup rlidwk

  • Remove all access permissions for the group system:anyuser
fs setacl private system:anyuser none

On Windows systems

  • Right-click on a directory, and use the AFS | Access Control Lists menu; or
  • In a command window, use the fs setacl command as shown above for UNIX systems.

See Also:

  • Above AFS Commands Quick Reference

Access Permissions (Rights)

The following permissions (rights) can be specified in AFS ACLs:

| Permission | Attribute | Description |
| r | read | Allows a user to look at readable files in the directory. |
| l | lookup | A user with this right may list a directory, look at an ACL or access subdirectories. |
| w | write | Allows a user to modify writable files in the directory. |
| d | delete | Allows a user to remove files from a directory. |
| i | insert | Allows a user to add files to a directory. |
| k | lock | Allows a user to put advisory file locks on a file in the directory. |
| a | administer | Allows a user to change the ACLs on the directory. If a user has administer access to a directory, that user may change the ACLs of that directory and any directories within that directory. For that reason, we do not suggest granting this access to anyone for your personal directories. |

In addition, the following aggregate permissions can be used:

| Aggregate Permission | Description |
| read | read (r) and lookup (l) permissions |
| write | read (r), lookup (l), insert (i), write (w), delete (d) and lock (k) permissions |
| all | grant all permissions (rlidwka), including administer |
| none | remove all permissions for the specified user or group |
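The rules above (directory-level ACLs, individual users or groups as entries, aggregate names expanding to letters, and the warning about handing out the administer right) can be checked mechanically. The following is an added example and not code from the original page or from AFS: it parses a constructed fs listacl listing (the "Access list for ... is" / "Normal rights:" / "Negative rights:" layout fs prints), models fs setacl changes including the none aggregate, computes the rights a given user ends up with through their own entry, their groups and the system:anyuser / system:authuser entries, and flags the two risky patterns the text warns about. Unix mode bits still apply on top of what this reports.

```python
RIGHTS = "rlidwka"  # read, lookup, insert, delete, write, lock, administer
AGGREGATES = {"read": "rl", "write": "rlidwk", "all": "rlidwka", "none": ""}

# Constructed sample in the layout `fs listacl` prints (not captured from a real cell).
SAMPLE_LISTACL = """\
Access list for /afs/cs.wisc.edu/u/b/bbadger/project2 is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  bbadger rlidwka
  bbadger:workgroup rlidwka
  bucky rlidwk
Negative rights:
  bucky d
"""


def expand_rights(spec):
    """Turn an fs setacl permission argument (letters or an aggregate name) into a set of letters."""
    spec = spec.strip()
    if spec in AGGREGATES:
        return set(AGGREGATES[spec])
    unknown = set(spec) - set(RIGHTS)
    if unknown:
        raise ValueError("unknown right(s) %s in %r" % ("".join(sorted(unknown)), spec))
    return set(spec)


def fmt(rights):
    """Render a set of rights in the canonical rlidwka order."""
    return "".join(c for c in RIGHTS if c in rights) or "none"


def parse_listacl(text):
    """Parse fs listacl output into {"path": ..., "normal": {entity: rights}, "negative": {...}}."""
    acl = {"path": None, "normal": {}, "negative": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Access list for ") and line.endswith(" is"):
            acl["path"] = line[len("Access list for "):-len(" is")]
        elif line == "Normal rights:":
            section = "normal"
        elif line == "Negative rights:":
            section = "negative"
        elif section is not None:
            entity, rights = line.split()
            acl[section][entity] = expand_rights(rights)
        else:
            raise ValueError("unexpected fs listacl line: %r" % raw)
    return acl


def apply_setacl(acl, entity, spec, negative=False):
    """Model `fs setacl <path> <entity> <spec>`: 'none' removes the entry, anything else replaces it."""
    section = acl["negative" if negative else "normal"]
    rights = expand_rights(spec)
    if rights:
        section[entity] = rights
    else:
        section.pop(entity, None)
    return acl


def effective_rights(acl, user, groups=(), authenticated=True):
    """Union of the user's own entry, its groups and the system:* entries, minus negative rights."""
    principals = {user, "system:anyuser", *groups}
    if authenticated:
        principals.add("system:authuser")
    granted, denied = set(), set()
    for principal in principals:
        granted |= acl["normal"].get(principal, set())
        denied |= acl["negative"].get(principal, set())
    return granted - denied


def audit(acl, owner):
    """Flag world/authuser entries beyond read+lookup and 'a' granted to anyone but the owner."""
    findings = []
    for entity, rights in acl["normal"].items():
        if entity in ("system:anyuser", "system:authuser") and rights - set("rl"):
            findings.append("%s grants %s more than read/lookup (%s)" % (acl["path"], entity, fmt(rights)))
        if "a" in rights and entity not in (owner, "system:administrators"):
            findings.append("%s gives administer (a) to %s, who can then change this ACL and every ACL below it"
                            % (acl["path"], entity))
    return findings


if __name__ == "__main__":
    acl = parse_listacl(SAMPLE_LISTACL)
    print("bucky            :", fmt(effective_rights(acl, "bucky")))
    print("workgroup member :", fmt(effective_rights(acl, "alice", groups=["bbadger:workgroup"])))
    print("unauthenticated  :", fmt(effective_rights(acl, "nobody", authenticated=False)))
    for finding in audit(acl, "bbadger"):
        print("FINDING:", finding)
    apply_setacl(acl, "bbadger:workgroup", "write")   # fs setacl project2 bbadger:workgroup write
    apply_setacl(acl, "system:anyuser", "none")       # fs setacl project2 system:anyuser none
    print("after fix        :", audit(acl, "bbadger"), fmt(effective_rights(acl, "nobody", authenticated=False)))
```

Run over real output (`fs listacl ~/public | python acl_example.py`, after swapping the constructed sample for sys.stdin) it gives a quick answer to "who can actually write here" before an ACL change, which is easier than reasoning about group membership by hand.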

AFS Groups

User-Managed AFS Groups

AFS allows users to create and manage their own groups of users. AFS groups can be named in ACLs (Access Control Lists), which is convenient, because you do not need to change every ACL when someone joins or leaves a logical group of users.

AFS groups that are owned by users are named username:groupname

System-Defined AFS Groups

The AFS system defines the following system groups:

  • system:anyuser: any user, regardless of authentication status
  • system:authuser: any user (or process) that has authenticated to the AFS system
  • system:administrators: the system administration group

AFS Group Commands

Listing AFS Groups

Use the following pts commands (run from a command prompt window on Windows workstations):

| Command | Description |
| pts membership <user> | List the groups <user> is a member of. |
| pts membership <username:group> | List the members of group <username:group>. |
| pts listowned <username> | List the groups owned by <username>. |

For example:

  • pts membership bbadger: lists the groups that bbadger is a member of
  • pts membership bbadger:workgroup: lists the members of bbadger's group bbadger:workgroup

Creating/Modifying AFS Groups

Use the following pts commands (run from a command prompt window on Windows workstations):

| Command | Description |
| pts creategroup <username:group> | Create group <username:group>. <username> must be your username. |
| pts adduser <user> <username:group> | Add user <user> to group <username:group>. Usually <username> is your username. |
| pts removeuser <user> <username:group> | Remove user <user> from group <username:group>. Usually <username> is your username. |

For example:

  • pts creategroup bbadger:workgroup: The user bbadger creates a group named bbadger:workgroup
  • pts adduser bucky bbadger:workgroup: add user bucky to bbadger's group bbadger:workgroup
  • pts removeuser bucky bbadger:workgroup: remove user bucky from bbadger's group bbadger:workgroup

See Also:

  • Above AFS Commands Quick Reference

AFS Authentication

In order to use the AFS file system, you must be authenticated to AFS. AFS uses Kerberos for authentication.

Tokens

AFS uses authentication tokens. Tokens are issued by the login process and are only valid for a limited period of time.

On UNIX systems

Use the tokens command:

  • tokens: Prints the AFS user ID and tokens expiration time

On Windows 7 systems

  • tokens: Prints the AFS user ID and tokens expiration time (can be run in a command prompt window)

Reauthentication

To reauthenticate (renew or extend an AFS token):

On UNIX systems

Use the kalog command:

  • kalog: You will be prompted for your Kerberos password.

On Windows 7 systems

  • Click on the AFS icon (yellow padlock) or the Network Identity Manager icon (empty box or box with a silhouette inside) to open the Network Identity Manager.
  • Select your Kerberos ticket (if present), then right-click and select Renew credentials.
  • If no Kerberos ticket is displayed under Network Identity Manager, go to Credential | Obtain new credentials and reauthenticate. Use LOGIN@CS.WISC.EDU as your username, where LOGIN is your login name.

How To Be Administrator And Have Your Tokens Too (Windows XP only)

If you need to log in to a Windows Workstation as the local administrator, but also need to have AFS access in order to install software, it can be done. You'll need to use the kalog command from a command prompt to get AFS tokens and Kerberos tickets.

Once you have tokens and tickets, you'll need to map drives to the different locations in AFS. Use the subst command to accomplish this. The syntax of this command is:

subst <drive_letter> <path>

For example, to map the S: drive to /s you would use the following command at a command prompt:

subst S: T:\@cell\s

The drive letter T:\ is always mapped to the AFS root (aka /afs) when the system starts. This drive is normally hidden to avoid confusion and in case we need to change the mapping at a later time.

Before you log out, run unlog and kdestroy. This destroys your AFS tokens and Kerberos tickets and eliminates any chance that someone could steal your tickets or tokens.

AFS Project Management

The AFS Project Management page provides further information about AFS project management.

AFS on Remote Computers

AFS clients are available for various platforms including Windows, Macintosh and Linux systems.

How to install and configure AFS client for Windows computers
