AFS Access to/from external users

AFS is a global file system, so anyone running AFS could access paths like /afs/inf.ed.ac.uk/group/foo/bar, provided they have the necessary ACL access. Similarly, we can access a group or user area under /afs/ic.ac.uk/ if we have been granted access via ACLs.

Unfortunately we don't get to do this for free. A trust relationship needs to be set up between the two sites so that they can be confident that uun@INF.ED.AC.UK is who they say they are. Simon also said in the chat room that "system administrators need to have configured a cross-cell pts group".

However, this does seem to be fairly standard operating practice for sites running Kerberos and AFS, so they are probably geared up to handle requests for cross-realm trust relationships.

If there is no cross-realm trust link, the best you can do is set up areas as "system:anyuser rl" (or similar) to let anyone in the world read/access the shared files. Note that this grants read access to everyone, not just the intended collaborators.

If users need to collaborate with site A, contact the Infrastructure Unit about setting up the required cross-realm trust links. Once that trust has been established, you can set ACLs like "user1@IC.AC.UK rl" to explicitly allow user1@IC to access those files.

Addition

Once we have established trust with another domain, this does not affect the membership of system:authuser, which always means the local realm only. It is, however, possible to refer to all users from a trusted domain with an entry such as system:authuser@friend.inf.ed.ac.uk.
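Shell helpers illustrating the two situations above: an explicit per-user ACL that only makes sense once a trust link exists, and an audit of an existing ACL listing. This is an added example, not from the original page; the trusted-realm list is the one Simon gives in the chat log, the lower-case user@cell naming of foreign users in pts is the OpenAFS convention assumed here, and the fs commands are printed rather than run so it works without an AFS client.

```shell
# Added example: grant and audit AFS access for users from other Kerberos realms.
# Assumptions: TRUSTED_REALMS is the list from the chat log; foreign users are
# named user@cell (cell in lower case) in pts, the OpenAFS convention; the fs
# commands are printed, not executed, so no AFS client is needed to try this.
TRUSTED_REALMS="MCC.AC.GB SU.SE CMF.NRL.NAVY.MIL DEMENTIA.ORG IASTATE.EDU"

# Succeed only if there is a cross-realm link with REALM.
realm_trusted() {
  for r in $TRUSTED_REALMS; do [ "$r" = "$1" ] && return 0; done
  return 1
}

# Print the fs setacl command for user@REALM on DIR (rights default to rl).
# Refuse untrusted realms: without the trust link the entry cannot work.
build_acl_cmd() {
  principal=$1; dir=$2; rights=${3:-rl}
  user=${principal%@*}; realm=${principal#*@}
  [ "$user" = "$principal" ] && { echo "'$principal' has no realm" >&2; return 1; }
  realm_trusted "$realm" || { echo "no trust link with $realm" >&2; return 1; }
  cell=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
  echo "fs setacl -dir '$dir' -acl '$user@$cell' '$rights'"
}

# Audit fs listacl output on stdin: flag foreign entries whose cell has no
# trust link and system:anyuser entries with more than read/lookup rights.
# One line per finding; exit status is the number of findings.
audit_acl() {
  n=0
  while read -r name rights; do
    case $name in
      ''|Access|Normal|Negative) continue ;;
      system:anyuser)
        case $rights in *[!rl]*) echo "anyuser has '$rights'"; n=$((n+1)) ;; esac ;;
      *@*)
        realm=$(printf '%s' "${name#*@}" | tr 'a-z' 'A-Z')
        realm_trusted "$realm" || { echo "untrusted cell in '$name'"; n=$((n+1)); } ;;
    esac
  done
  return $n
}

# Constructed fs listacl output for the audit, not captured from a real cell.
SAMPLE_ACL='Access list for /afs/inf.ed.ac.uk/group/foo/bar is
Normal rights:
  system:anyuser rlw
  user1@su.se rl
  user2@ic.ac.uk rl'

build_acl_cmd user1@SU.SE /afs/inf.ed.ac.uk/group/foo/bar rl
printf '%s\n' "$SAMPLE_ACL" | audit_acl || echo "$? finding(s)"
```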

Chat room traffic

The above was gleaned from a conversation in the COs chat room, which is cut and pasted (reordered and trimmed a little for clarity) here for reference:

(11:09:11) neilb: sxw: sorry for being lazy, but it's just quicker to ask you. If someone running an AFS cell somewhere else in the world wants to let me access their files, can they just set an ACL like "neilbb@inf.ed.ac.uk rl", or is there some sort of trust thing that needs to be set up between us and them before that would work?
(11:11:11) Simon Wilkinson: They need a cross-realm trust link with our Kerberos realm.
(11:11:36) Simon Wilkinson: And their system administrators need to have configured a cross-cell pts group
(11:11:35) neilb: So it's not just plug and play.
(11:12:01) Simon Wilkinson: No, you need the trust relationships to have been set up first. Otherwise, they have no way of knowing that you really are 'neilb@inf.ed.ac.uk'
(11:17:06) neilb: So cross collaboration using AFS with colleagues in mit.edu and imperial.ac.uk, or whatever, doesn't just happen. Do we want to get into the habit of establishing these trust relationships, or is using ifriend and AFS the only option.
(11:17:14) Simon Wilkinson: My policy has always been that I'm happy to exchange cross-realm keys where there's a reasonable case that doing so is of benefit to the school. Most other Kerberos sites have a similar policy, so it can be relatively easy to set these things up where there's a demonstrated need.
(11:20:30) Simon Wilkinson: We currently have cross realm links with MCC.AC.GB, SU.SE, CMF.NRL.NAVY.MIL, DEMENTIA.ORG and IASTATE.EDU

(14:41:14) gordonr: sxw: re cross-realm links, does that mean that people from the domains you list, are effectively "authuser"s ?
(14:42:19) Simon Wilkinson: Nope.
(14:42:44) Simon Wilkinson: Sorry, gordonr: nope. system:authuser is only users in the 'local' realm.
(14:43:28) Simon Wilkinson: Other realms have their own authuser groups.
(14:43:57) Simon Wilkinson: For example, system:authuser@friend.inf.ed.ac.uk

-- NeilBrown - 06 Nov 2009

Topic revision: r2 - 09 Nov 2009 - 17:11:31 - NeilBrown