Moving Admin Staff from AFS to DataStore (Samba)

This project's aim is to move admin staff off AFS group space. It has a notional deadline of September 2017, when admin machines are expected to be upgraded to Windows 10, for which no AFS support is expected.

Technical detail

Webmark

Webmark currently generates output into various areas of the existing AFS space, and that output will need to be redirected to the new space, first as a test (for example, /afs/inf.ed.ac.uk/group/admin/iss/ito/admin/UG4/webmark-forms/).

There are various aspects:

  • identifying all the Webmark generated content
  • separating this from the other manually maintained files, maybe restructuring output directories
  • managing remote filesystem mount on webmark server
    • includes creation of a functional account for webmark (and sharing these credentials with each webmark server).
  • changing Webmark form config to generate into the new space

The group space access details we have used for testing are below. At the moment admin staff don't have access to this space but we can add them later.

Mounts

We are planning to run an sshfs mount on the webmark server using the functional account, established on server reboot (e.g. via a cron entry).

mkdir /tmp/tc
sshfs -o intr,large_read,auto_cache,workaround=all -oPort=22222 timc@csce.datastore.ed.ac.uk:/csce /tmp/tc
cd /tmp/tc/datastore/inf/groups/inf/
ls -l
touch x
etc
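As an added example (not code from the original page or from DataStore), the following POSIX shell script is the kind of thing the cron entry would run at reboot: it re-uses the sshfs options shown above, skips the mount if it is already present, retries while the network comes up, and refuses to run unless the functional account's key is private to root. The functional account name comes from the page; the mount point, key file path and the use of an SSH key rather than a password are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: a script meant to be run
# from a cron "@reboot" entry on the webmark server so the sshfs mount of the
# DataStore space described above is re-established after every reboot.
# Assumptions (placeholders, not from the page): the functional account
# logs in with an SSH key kept on the server, and the local paths below.

REMOTE_HOST='csce.datastore.ed.ac.uk'
REMOTE_PORT=22222
REMOTE_USER='webadmin'                         # functional account named on the page
REMOTE_PATH='/csce/datastore/inf/groups/inf'   # as in the cd above
MOUNT_POINT='/mnt/datastore'                   # placeholder local mount point
KEY_FILE='/root/.ssh/webadmin_datastore'       # placeholder key for the functional account

# The page's options plus reconnect/ServerAliveInterval so a dropped SSH
# session is re-established instead of leaving a dead mount behind.
SSHFS_OPTS='intr,large_read,auto_cache,workaround=all,reconnect,ServerAliveInterval=15'

# user@host:path as sshfs wants it.
remote_spec() {
    printf '%s@%s:%s' "$REMOTE_USER" "$REMOTE_HOST" "$REMOTE_PATH"
}

# Exit 0 if a filesystem is mounted at $1, so a second run is a no-op.
mount_active() {
    [ -d "$1" ] || return 1
    if command -v mountpoint >/dev/null 2>&1; then
        mountpoint -q "$1"
    else
        # Fallback without util-linux: compare df's "Mounted on" column.
        [ "$(df -P "$1" 2>/dev/null | awk 'NR == 2 { print $6 }')" = "$1" ]
    fi
}

ensure_mount() {
    if mount_active "$MOUNT_POINT"; then
        echo "already mounted: $MOUNT_POINT"
        return 0
    fi
    # The key is the functional account's credential: refuse to use it if
    # anyone else on the server could read it (GNU stat).
    if [ "$(stat -c %a "$KEY_FILE" 2>/dev/null)" != "600" ]; then
        echo "refusing to mount: $KEY_FILE must exist with mode 0600" >&2
        return 1
    fi
    mkdir -p "$MOUNT_POINT"
    # Retry: straight after boot the network may not be up yet.
    attempt=1
    while [ "$attempt" -le 5 ]; do
        if sshfs -o "$SSHFS_OPTS" -o "IdentityFile=$KEY_FILE" -oPort="$REMOTE_PORT" \
                "$(remote_spec)" "$MOUNT_POINT"; then
            echo "mounted $(remote_spec) on $MOUNT_POINT (attempt $attempt)"
            return 0
        fi
        attempt=$((attempt + 1))
        sleep 10
    done
    echo "giving up: could not mount $MOUNT_POINT" >&2
    return 1
}

# Only act when invoked with "mount", so sourcing the file is side-effect free.
case "${1:-}" in
    mount) ensure_mount ;;
esac
```

A cron line such as `@reboot /usr/local/sbin/mount-datastore.sh mount` (placeholder path) would run it. Because there is no terminal at boot, the DataStore host key has to be in the mounting user's known_hosts beforehand; that keeps host key verification strict rather than having to relax it for the cron job.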

This also worked:

smbclient \\\\csce.datastore.ed.ac.uk\\csce -W ED -U timc

ACLs

ACLs can be managed with smbcacls, thus:

$ smbcacls -U ED/gdutton //csce.datastore.ed.ac.uk/csce /inf/groups/inf/test -a 'ACL:ED\gdutton:ALLOWED/OI|CI/FULL'
Enter ED/gdutton's password: 
$ smbcacls -U ED/gdutton //csce.datastore.ed.ac.uk/csce /inf/groups/inf/test
Enter ED/gdutton's password: 
REVISION:1
CONTROL:SR|DP
OWNER:ED\lmb
GROUP:ED\domain users
ACL:ED\gdutton:ALLOWED/OI|CI/FULL
ACL:Everyone:ALLOWED/OI|CI|I/0x00120080
ACL:ED\lmb:ALLOWED/I/0x001b01ff
ACL:Creator Owner:ALLOWED/CI|IO|I/0x001b01ff
ACL:Creator Owner:ALLOWED/OI|IO|I/0x001b01df
ACL:ED\IS-USD-ServiceDelivery:ALLOWED/OI|CI|I/FULL
ACL:ED\datastore_inf_operators:ALLOWED/OI|CI|I/FULL
ACL:ED\datastore_inf_groups_inf:ALLOWED/OI|CI|I/FULL

...so ACLs can therefore be managed automatically.

In practice we don't want to allocate ACLs to individual accounts but to groups - so the missing link is a Prometheus conduit which synchronises Informatics groups with AD security groups.
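As an added example (not from the page, and not a DataStore or Samba tool), a small POSIX shell script that reads smbcacls output of the shape shown above, lists which ACEs were set explicitly on the path rather than inherited, checks whether a given trustee holds FULL access, and prints the smbcacls call that grants an AD group (rather than a person, as the previous paragraph wants) inherited full access. The share path and output format come from the page; ADMIN_USER and the group names are placeholders, and the sample ACL is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: audit the ACL that smbcacls
# prints for a DataStore path, and build the smbcacls call that grants an
# AD security group (rather than an individual account) full access.
# Placeholders, not from the page: ADMIN_USER and the group names used below.

SHARE='//csce.datastore.ed.ac.uk/csce'
ADMIN_USER='ED/USERNAME'    # placeholder: whoever runs smbcacls

# Read smbcacls output on stdin and print the trustees holding explicit
# (non-inherited) ACEs. Inherited ACEs carry the I flag; explicit ones are
# the entries somebody set by hand on this path and are what needs keeping
# in sync when group membership changes.
explicit_trustees() {
    awk -F: '
        $1 == "ACL" {
            split($3, f, "/")            # f[1]=type f[2]=flags f[3]=mask
            n = split(f[2], fl, "|")
            inherited = 0
            for (i = 1; i <= n; i++) if (fl[i] == "I") inherited = 1
            if (!inherited) print $2
        }'
}

# Exit 0 if the named trustee holds an ALLOWED/FULL ACE (inherited or not).
# The trustee is passed via the environment rather than awk -v, because -v
# would interpret the backslash in names like ED\group.
has_full_access() {
    TRUSTEE="$1" awk -F: '
        $1 == "ACL" && $2 == ENVIRON["TRUSTEE"] {
            split($3, f, "/")
            if (f[1] == "ALLOWED" && f[3] == "FULL") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Print the smbcacls command that grants a group full access, inherited by
# new files (OI) and new sub-directories (CI), mirroring the -a call above.
grant_group_cmd() {
    path="$1"; group="$2"
    printf "smbcacls -U %s %s %s -a 'ACL:%s:ALLOWED/OI|CI/FULL'\n" \
        "$ADMIN_USER" "$SHARE" "$path" "$group"
}

# Constructed sample in the shape of the smbcacls output shown above.
SAMPLE_ACL='REVISION:1
CONTROL:SR|DP
OWNER:ED\lmb
GROUP:ED\domain users
ACL:ED\gdutton:ALLOWED/OI|CI/FULL
ACL:Everyone:ALLOWED/OI|CI|I/0x00120080
ACL:ED\lmb:ALLOWED/I/0x001b01ff
ACL:ED\datastore_inf_groups_inf:ALLOWED/OI|CI|I/FULL'

# Against a live share this would be:
#   smbcacls -U "$ADMIN_USER" "$SHARE" /inf/groups/inf/test | explicit_trustees
printf '%s\n' "$SAMPLE_ACL" | explicit_trustees
```

Run periodically over the group areas, `explicit_trustees` gives the list of hand-set entries to compare against what the group conduit is supposed to have set; `grant_group_cmd` only prints the command, so a sync job can log what it would do before it is trusted to run it.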

Functional account

We now have a functional account webadmin. It also looks as though we can create ad-hoc groups (via the Visitor and Identity Management system).

References:

-- TimColles - 10 Jan 2017

Topic revision: r8 - 30 Jun 2017 - 14:02:09 - AlisonDownie