AFS Group Space Update

This document should probably replace the existing AFSGroupSpace, with that one renamed to something like AFSCreatingGroupVolume, or perhaps the two docs should be merged, but for now we'll just live with it!

In the past, requests for AFS group space have been dealt with in a rather ad hoc manner. As we are now moving existing NFS group space into AFS, we needed to revisit this so ...

Where to mount?

From now on we are trying to mirror the existing /group/... structure in the /afs/inf.ed.ac.uk/group/ area. E.g. if the existing group area (or the natural place to create a new group) would be /group/project/foo/, then the location to mount their AFS volume would be /afs/inf.ed.ac.uk/group/project/foo/.

The reason for doing this is that at some point in the future we may be able to change the existing /group -> /amd/group symlink to be /group -> /afs/inf.ed.ac.uk/group and still preserve the /group/ paths.

Note: if you are moving /group/bar/foo to AFS and /afs/inf.ed.ac.uk/group/bar/ doesn't exist, then you need to create a new volume called 'gdir.bar', mount it as /afs/inf.ed.ac.uk/group/bar/, and then mount group.foo in there. Most of the existing /group/* subdirectories have already been created in the AFS space.

What about existing paths?

As we are moving people's areas that they are used to accessing as /group/project/foo/, the 'rfe amdmap/group' file has been tweaked to make the move to AFS more seamless: the second field can now be an AFS path rather than just a partition name. E.g.

[project]
foo    ptn123   foo

can now become

[project]
foo   /afs/inf.ed.ac.uk/group/project/foo

or

[project]
foo   /afs/inf.ed.ac.uk/group/project   foo

The former is the preferred version.

Web pages

If the group area moving to AFS has web space served by groups.inf.ed.ac.uk (currently stoater.inf), then provided you preserve the old NFS path by using the 'rfe amdmap/group' change above, you only need to set appropriate ACLs on the content served by the web server for it to remain working.

The gist of it is that the "user" system:afswebservers needs to have "rl" access to the files, which means giving that user rl access to all the parent directories as well as any subdirectories of the web content. For more details see http://www.inf.ed.ac.uk/systems/web/afsweb.html.
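
The ACL rule above can be turned into a reviewable plan before anything is changed. This is an added example, not part of the original page or the site's tooling: the function name plan_web_acls and the demo paths are hypothetical, and it only prints fs setacl commands rather than running them.

```shell
#!/bin/sh
# Added example: dry-run planner for the web server ACLs described above.
# The principal and rights come from the page; everything else is assumed.
WEB_PRINCIPAL="system:afswebservers"
WEB_RIGHTS="rl"

# plan_web_acls TOP WEBDIR
#   TOP    - highest directory to touch (e.g. the group volume's mount point)
#   WEBDIR - directory holding the web content, at or below TOP
# Prints one "fs setacl" command per directory and executes nothing.
plan_web_acls() {
    top=${1%/}
    web=${2%/}
    # Refuse to plan anything outside TOP, so a typo cannot widen access.
    case "$web/" in
        "$top"/*) ;;
        *) echo "plan_web_acls: $web is not under $top" >&2; return 1 ;;
    esac
    [ -d "$web" ] || { echo "plan_web_acls: $web is not a directory" >&2; return 1; }

    # Parent directories: walk upwards from WEBDIR until TOP is reached.
    dir=$web
    while [ "$dir" != "$top" ]; do
        dir=${dir%/*}
        printf 'fs setacl -dir "%s" -acl %s %s\n' "${dir:-/}" "$WEB_PRINCIPAL" "$WEB_RIGHTS"
    done

    # WEBDIR itself and every subdirectory. find does not follow symlinks by
    # default, so the plan stays inside the content tree. Sibling directories
    # of WEBDIR are deliberately left alone.
    find "$web" -type d | sort | while IFS= read -r sub; do
        printf 'fs setacl -dir "%s" -acl %s %s\n' "$sub" "$WEB_PRINCIPAL" "$WEB_RIGHTS"
    done
}

# Constructed demo tree (not real group space); prints the plan for it.
demo=$(mktemp -d)
mkdir -p "$demo/group/project/foo/html/img" "$demo/group/project/foo/scratch"
plan_web_acls "$demo/group" "$demo/group/project/foo/html"
rm -rf "$demo"
```

AFS ACLs are set per directory, so rl on a parent also lets the web server read files that sit directly in that parent; check what lives there before applying the plan.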

Group ACLs

There is now a /usr/sbin/syncgroups2afs script that syncs Unix group membership into an equivalent AFS inf:* PTS group. It has a man page and can take a list of groups if you don't want to sync the whole lot.

A cron job (currently on alexandria) will run this once a day at 10am to automatically pick up changes in the Unix group world into AFS. This will probably be revised depending on how it is working out.

This means if there is a Unix group "foo" managed via roles and caps, there will be an equivalent "inf:foo" group that group members can use on their AFS group space.

Users can still create new AFS PTS entries and manage the membership themselves. For example, we'd probably create "afs-foo:foo" for them and let them manage that themselves.

-- NeilBrown - 17 Jun 2009

Topic revision: r2 - 18 Jun 2009 - 15:52:09 - NeilBrown
 