
Andrew File System (AFS)

The network file system in use at the ICTP

It is important to know that the network file system in use at the ICTP is the Andrew File System, AFS in short. It handles access permissions in a different, more flexible way than the standard UNIX system.

AFS versus NFS

The Andrew File System, AFS in short, is a secure and efficient network file system that will partly replace the standard UNIX Network File System (NFS).

  • In AFS all network traffic is encrypted and both sides communicating with each other have to authenticate themselves. Therefore we can safely make the file system accessible from outside.
  • There is more flexibility in giving access rights to other people. That is, access can be given to individual users.
  • The speed is increased thanks to a local Cache Manager.

AFS authentication

When you log in to an ICTP computer, you obtain a so-called token that serves as a kind of key, giving you access to whatever files you are supposed to have access to. The process of obtaining and storing the token is handled by the system. What you as a user need to know is that the token's lifetime is limited. At the ICTP it is currently set to one month. If you are in the habit of never logging out from your workstation, you might therefore face the unpleasant surprise of suddenly losing access to your home directory.

You can check the expiration time of your current token using the command tokens. The output looks something like

[user@blueroom-1 ~]$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 112) tokens for afs@ictp.trieste.it [Expires Nov 23 07:50]
   --End of list--

If your token has expired, you can get a new one using the klog command. A token obtained in this way lasts only for one day, so you should only use it to save your work, log out and log in again. Tokens obtained by logging in last for one month.
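The following shell snippet is an added example, not part of the ICTP guide: it parses the text printed by the tokens command and reports whether a token for a given cell is still listed and when it expires, so that a login script or cron job can warn before the month is up. The two sample outputs are constructed here (the "held" one mirrors the listing shown above); the cell name afs@ictp.trieste.it is taken from that listing, and the helper names are the author's own.

```shell
#!/bin/sh
# Added example (not from the ICTP guide): decide from the text printed by
# `tokens` whether a usable AFS token for a given cell is held.
# The text is passed in as a string so the parser can be exercised offline.

# Constructed sample: what `tokens` prints while a token is held.
SAMPLE_HELD='Tokens held by the Cache Manager:

User'"'"'s (AFS ID 112) tokens for afs@ictp.trieste.it [Expires Nov 23 07:50]
   --End of list--'

# Constructed sample: what `tokens` prints when no token is held
# (after expiry, or in a session that was never authenticated).
SAMPLE_NONE='Tokens held by the Cache Manager:

   --End of list--'

# token_status TEXT CELL
# Prints the expiry string and returns 0 when a token for CELL is listed;
# prints nothing and returns 1 otherwise.
token_status() {
    _text=$1
    _cell=$2
    printf '%s\n' "$_text" | awk -v cell="$_cell" '
        /tokens for / && index($0, "tokens for " cell) {
            # take the text between "[Expires " and the closing "]"
            s = index($0, "[Expires ")
            if (s) {
                rest = substr($0, s + 9)
                sub(/\].*$/, "", rest)
                print rest
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }'
}

# check_live_token [CELL]
# Wrapper for a real session on an AFS client: runs the tokens command and
# prints a warning when no token is held. Not used by the offline check.
check_live_token() {
    _cell=${1:-afs@ictp.trieste.it}
    if _exp=$(token_status "$(tokens 2>/dev/null)" "$_cell"); then
        echo "AFS token for $_cell expires $_exp"
    else
        echo "no AFS token for $_cell: save your work, then run klog or log in again" >&2
        return 1
    fi
}
```

On a workstation, calling check_live_token from a shell startup file gives a visible reminder at every new terminal; the parser deliberately keys on the "tokens for CELL" line rather than on the AFS ID, so it works for any user.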

Access permissions

In standard UNIX, there are three types of access permissions - read, write and execute - for every file and directory. If a directory is marked as executable, it means that its list of contents may be viewed. These rights are given or denied to three categories of people: the owner, members of the group, and others.

In AFS, UNIX-like access rights exist, but are meaningful only for the owner of a file. The access rights for group and others are ignored: instead, specific AFS access rights are specified through access lists (see below). These AFS access rights are defined only for directories and apply to all files therein. When you create a subdirectory, it inherits the permissions from the parent. From that moment on, they are managed independently. This means that you can modify the access rights of the parent or the subdirectory without affecting the other. It is also important to know that when you move a directory to a different place, its access rights stay the same as before, and might thus be radically different from those of the new parent directory.

The principal access permissions are:

  • lookup means that the list of files is viewable. In a standard UNIX file system, this would be represented by the executable flag of a directory.
  • read, as in standard UNIX, is the possibility to read the files.
  • write, as in standard UNIX, too.
  • insert is the possibility to create new files and subdirectories.
  • delete allows removing files and subdirectories.
  • administer allows modifying the access permissions for this directory.

Access Control Lists

The access permissions are stored in so-called access control lists (ACLs). There is one ACL for each directory, because the access rights are defined directory-wise in AFS, not on a file-by-file basis. It is also important to keep in mind that the standard UNIX access permissions for group members and other users are ignored inside the AFS tree, even though they can be modified with the chmod command and displayed with ls -l.

The basic command to check the current permissions is fs listacl or, shorter, fs la. The output could be something like the following:

Access list for /afs/ictp/home/t/terry is
Normal rights:
  system:backup rlidwka
  system:sv l
  terry rlidwka

This means that the ICTP backup system (predefined as system:backup) can read, list, insert, delete, write, and lock files and modify the access permissions, the web and the mail servers (part of the group named system:sv) have lookup permission and terry can do practically everything. No wonder, it's his home directory.

Don't remove the access permissions for the backup, mail and web servers! They are vital for the correct functioning of the system.

Other pre-defined users are:

  system:authuser   any authenticated (ICTP) user
  system:anyuser    any AFS user in the world
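The warning above about the backup, mail and web server entries, together with the pre-defined users system:authuser and system:anyuser, suggests a simple audit. The following shell function is an added example, not part of the ICTP guide: it reads fs listacl output and reports directories where system:anyuser or system:authuser hold any of the modifying rights (insert, delete, write, lock, administer), or where the system:backup or system:sv entries have been weakened. The two sample listings are constructed here; the first copies the listing shown above, the second is a hypothetical paper directory that has been opened to the world.

```shell
#!/bin/sh
# Added example (not from the ICTP guide): audit `fs listacl` output for
# entries that should not be there, and for required entries that are gone.

# Constructed sample: the home-directory listing from the guide (sane).
SAMPLE_OK='Access list for /afs/ictp/home/t/terry is
Normal rights:
  system:backup rlidwka
  system:sv l
  terry rlidwka'

# Constructed sample: a subdirectory whose ACL has been opened to everyone
# and whose backup and server entries were removed.
SAMPLE_BAD='Access list for /afs/ictp/home/t/terry/paper is
Normal rights:
  system:anyuser rlidwk
  terry:coauthors rlwi
  terry rlidwka'

# audit_acl TEXT
# Prints one finding per line; returns 1 when anything needs attention,
# 0 when the ACL looks sane.
audit_acl() {
    printf '%s\n' "$1" | awk '
        # true when every letter of need occurs in rights (order-independent)
        function has_all(rights, need,    i) {
            for (i = 1; i <= length(need); i++)
                if (!index(rights, substr(need, i, 1))) return 0
            return 1
        }
        # letters that let the holder change content or the ACL itself
        BEGIN { risky = "idwka"; nf = 0 }
        /^Negative rights:/ { section = "neg"; next }
        /^Normal rights:/   { section = "norm"; next }
        section == "norm" && NF == 2 {
            user = $1; rights = $2
            seen[user] = rights
            if (user == "system:anyuser" || user == "system:authuser")
                for (i = 1; i <= length(risky); i++)
                    if (index(rights, substr(risky, i, 1))) {
                        print "WARNING: " user " has modify rights (" rights ")"
                        nf++; break
                    }
        }
        END {
            if (!("system:backup" in seen) || !has_all(seen["system:backup"], "rlidwka")) {
                print "WARNING: system:backup lacks rlidwka (backups will fail)"; nf++
            }
            if (!("system:sv" in seen) || !index(seen["system:sv"], "l")) {
                print "WARNING: system:sv lacks lookup (web and mail servers)"; nf++
            }
            exit(nf ? 1 : 0)
        }'
}

# audit_tree DIR
# On an AFS client: run the audit over every directory below DIR.
# Not used by the offline check.
audit_tree() {
    find "$1" -type d -exec sh -c 'fs listacl "$1"' _ {} \; |
        awk '/^Access list for/ { print }   # directory header, for context
             { buf = buf $0 "\n" }
             /^  [^ ]+ [a-z]+$/ { next }' >/dev/null
    find "$1" -type d | while read -r d; do
        audit_acl "$(fs listacl "$d")" | sed "s|^|$d: |"
    done
}
```

Only the Normal rights section is inspected; a Negative rights section, which AFS also prints when present, is skipped rather than misread as a grant. The tree walk is one fs listacl call per directory, which is fine for a home directory but slow over a large volume.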

Now, if you want to modify the ACL, use the command fs setacl or fs sa for short. It is used like this:

  fs sa directory user rights

For example:

  fs sa notes pat rl

grants user pat the permissions read and lookup for the subdirectory notes.

When you want to remove the access rights later, use a command like

  fs sa notes pat none

A summary of the usage of the fs command can be obtained by entering fs help or, more specifically, fs help subcommand.

Defining user groups

If you want to set up the same access rights for several people then it is best to set them up as a group.

Every user can define up to 20 groups of individual users. These groups can then be used in the access control lists.

The group name must have the form username:name, where username is that of the creator of the group and name can be chosen arbitrarily.

For example, user terry might want to create a group consisting of the co-authors of a paper he's working on. The command to create the group would be:

  pts creategroup -name terry:coauthors

Next, he would add the users terry, pat and mike to the group (which is empty at the beginning):

  pts adduser -user terry pat mike -group terry:coauthors

Now he can create a directory and grant access rights to all group members:

  mkdir paper
  fs setacl paper terry:coauthors lrwi

This allows all the coauthors to see the contents of the directory, read and write files and create new ones.

You can also remove a user from the group via

  pts removeuser -user username -group groupname

and see the list of members:

  pts membership groupname

You can get more information about the pts command by entering pts help or, more specifically, pts help subcommand.

See also the corresponding chapter in the on-line manual.

