This page last changed on Oct 08, 2008 by dragon.
AFS Group Structure and Ownership Hierarchy
This page is a reference for how GLAST AFS spaces (directories) are protected via "groups" and how those groups are managed.
Just to confuse you...
As of this writing (7/18/2008), there are two overlapping schemes for organizing the permissions on GLAST-owned AFS directory spaces. The "new" scheme is slowly superseding the "old" scheme - and this transition can cause a bit of confusion.
The old scheme includes "g-glast:" groups, while the new scheme includes "g-glast-new:" groups. At some point the old scheme will simply disappear.
AFS protections
AFS protects its directories using ACLs (Access Control Lists). An ACL is a list of users and/or groups and/or machines, each of which is granted certain privileges. Those privileges include:
privilege bit | meaning
r | READ the contents of files in the directory
w | WRITE (modify) the contents of files in the directory
l | LOOKUP status information about the files in the directory
d | DELETE files from the directory
i | INSERT new files into the directory
k | LOCK; set read or write locks on the files in the directory
a | ADMINISTER; change the rights on the access control list
A typical ACL looks like this:
$ fs la /afs/slac.stanford.edu/g/glast/isoc/flightOps/
Access list for flightOps/ is
Normal rights:
isocops:hosts rl
g-glast-new:authprocesses rl
g-glast-new:flightops rlidwk
g-glast-new:owner-flightops rlidwka
g-glast-new rlidwka
g-glast rl
system:slac rl
system:administrators rlidwka
system:authuser rl
In this case, everything beginning with "g-glast" is an AFS "group"; members of these groups can be displayed, e.g.,
$ pts mem g-glast-new:flightops
Members of g-glast-new:flightops (id: -6881) are:
claus
panetta
philiph
blee
tether
decot
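As an added example (not part of the original page and not a GLAST or SLAC tool), the POSIX shell script below reads the text printed by "fs la", expands each privilege string into the bit meanings from the table above, and reports any entry in the "Normal rights" section that grants system:anyuser or system:authuser more than "rl". The ACL listing embedded in the script is constructed to resemble the flightOps listing; the system:anyuser entry and the "Negative rights" section are assumptions added to show what the check catches and what it must skip.

```shell
#!/bin/sh
# Added example, not code from the original page: decode AFS ACL privilege
# bits from "fs la" output and flag overly broad grants.

# Constructed sample listing (not captured from a real cell). The
# system:anyuser line is deliberately too permissive.
SAMPLE_ACL='Access list for flightOps/ is
Normal rights:
  g-glast-new:flightops rlidwk
  g-glast-new:owner-flightops rlidwka
  system:authuser rl
  system:anyuser rlw
Negative rights:
  someuser rl'

# Expand one privilege string such as "rlidwka" into its meanings,
# in the order AFS itself prints the bits.
describe_rights() {
    bits="$1"
    out=""
    for pair in r:READ l:LOOKUP i:INSERT d:DELETE w:WRITE k:LOCK a:ADMINISTER; do
        b=${pair%%:*}
        name=${pair#*:}
        case "$bits" in
            *"$b"*) out="$out $name" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Print "principal rights" pairs from the Normal rights section only.
# "fs la" lists negative rights separately; they must not be mixed in,
# since a negative "rl" denies rather than grants.
normal_entries() {
    printf '%s\n' "$1" | awk '
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && NF == 2 { print $1, $2 }'
}

# Report principals that give every authenticated or anonymous user
# anything beyond READ and LOOKUP. One output line per offending entry.
broad_grants() {
    normal_entries "$1" | awk '
        ($1 == "system:anyuser" || $1 == "system:authuser") {
            extra = $2
            gsub(/[rl]/, "", extra)
            if (extra != "") print $1, $2
        }'
}

# Usage: run against the constructed sample. For a real directory,
# replace "$SAMPLE_ACL" with "$(fs la /afs/slac/g/glast/isoc/flightOps/)".
broad_grants "$SAMPLE_ACL" | while read -r who rights; do
    echo "$who has $rights ($(describe_rights "$rights"))"
done
```

The check treats "rl" for system:authuser as acceptable, matching the listing on this page; anything that adds insert, delete, write, lock or admin for the two system-wide principals is reported.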
Objectives of the AFS organization
- Totally GLAST-managed (currently SCCS is involved with group management)
- Protection of infrastructure from unauthorized non-experts
- Improved accountability for file changes
- Hiding of sensitive result data from non-LAT collaborators
- Systematic scheme for creating autonomous AFS <domains> within GLAST
- Delegation of AFS resource management to <domain> manager(s)
- Hierarchical management structure with a single AFS group at top
- Prevention of top-level admins from accidentally fouling the system
- Management of login access to GLAST service accounts ('k5 login scheme')
Group Ownership Hierarchy
In some cases a slightly simpler version is appropriate, with no "owner-" group.
An owning group can modify the membership of the groups it owns; this is the key to the organizational scheme. The domain admins can modify the members of their own groups, which gives them a degree of autonomy.
And what are those mysterious fields?
AFS group fields (the five-character "flags" string shown by pts examine), in order:
Status     (S,s,-)  controls who can issue: pts examine
Owned      (O,o,-)  controls who can issue: pts listowner
Membership (M,m,-)  controls who can issue: pts members
Add        (A,a,-)  controls who can issue: pts adduser
Remove     (R,r,-)  controls who can issue: pts removeuser
For each field, the upper-case letter means anyone may issue the command, the lower-case letter means group members only, and "-" means the group owner only.
Note that due to the pre-existing AFS organizational scheme, "g-glast" was already in use; therefore "g-glast-new" is being used until the day when the old g-glast can be removed and g-glast-new renamed.
Group Purpose
- Group owner-g-glast will NOT appear in any directory ACLs; its sole purpose in life is to control membership of the g-glast and g-glast-new groups.
- Group g-glast will appear in the ACLs of all GLAST directories with all ("rlidwka") privs. There are two purposes for this group:
  - managing directories and new volumes (setting ACLs)
  - managing group domains (creating/populating new AFS groups)
  This group may be SOM-- or SOMar, but I recommend SOM-- for security purposes.
- Groups g-glast:owner-<domain> will appear in the ACLs of directories assigned to <domain> with all privs except "admin", i.e. "rlidwk". This group is a mechanism to delegate management of <domain> disk and AFS group resources. This group may be SOM-- or SOMar according to <domain> policy.
- Groups g-glast:<domain> will appear in the ACLs of directories assigned to <domain> at the discretion of g-glast:owner-<domain>; privs are limited to "rlidwk" but may be more restrictive at the discretion of g-glast:owner-<domain>. The purpose of this group is to utilize the disk resources of <domain>. This group may be SOM-- or SOMar according to <domain> policy.
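As an added example covering both the "AFS group fields" box above and the SOM-- recommendation in this section (not part of the original page and not a GLAST or SLAC tool), the POSIX shell script below decodes a five-character pts flags string into who may run each pts command, and scans "pts examine" output for groups whose Add or Remove flag lets members, or anyone, change membership. The "pts examine" text embedded in the script is constructed; the id of g-glast-new:flightops is the one shown on this page, the other id and the creator name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page: decode pts group flags
# and find groups that do not follow the owner-only (SOM--) recommendation.

# Constructed "pts examine" output (not captured from a real cell).
# Flags field order: Status, Owned, Membership, Add, Remove.
SAMPLE_EXAMINE='Name: g-glast-new, id: -9999, owner: owner-g-glast, creator: someadmin,
  membership: 12, flags: SOM--, group quota: 0.
Name: g-glast-new:flightops, id: -6881, owner: g-glast-new:owner-flightops, creator: someadmin,
  membership: 6, flags: SOMar, group quota: 0.'

# Who may run the pts command behind one flag position:
# upper-case = anyone, lower-case = group members, "-" = group owner only.
who_can() {
    case "$1" in
        [SOMAR]) echo anyone ;;
        [somar]) echo members ;;
        -)       echo owner ;;
        *)       echo unknown ;;
    esac
}

# Expand a five-character flags string into "field=audience" pairs.
describe_flags() {
    rest="$1"
    out=""
    for field in status owned membership add remove; do
        ch=$(printf '%.1s' "$rest")
        rest=${rest#?}
        out="$out $field=$(who_can "$ch")"
    done
    printf '%s\n' "${out# }"
}

# True (exit 0) when Add and Remove are both owner-only, i.e. the last two
# characters are "--" as in the recommended SOM-- setting.
is_owner_only_membership() {
    case "$1" in
        ???--) return 0 ;;
        *)     return 1 ;;
    esac
}

# Walk "pts examine" output and print "group flags" for every group whose
# membership can be changed by someone other than its owner.
groups_open_to_member_changes() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { name = $2; sub(/,$/, "", name) }
        /flags:/ {
            for (i = 1; i <= NF; i++) if ($i == "flags:") flags = $(i + 1)
            sub(/,$/, "", flags)
            if (substr(flags, 4, 2) != "--") print name, flags
        }'
}

# Usage: run against the constructed sample. For real groups, replace
# "$SAMPLE_EXAMINE" with "$(pts examine g-glast-new:flightops)" or similar.
groups_open_to_member_changes "$SAMPLE_EXAMINE" | while read -r group flags; do
    echo "$group: $(describe_flags "$flags")"
done
```

A group reported here is not necessarily wrong: the page allows SOMar where <domain> policy accepts that members may add and remove each other. The script only makes the choice visible so the domain's owner-group can confirm it was deliberate.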
Current GLAST AFS groups owned by g-glast-new
owning group | owned group(s) | top-level AFS directory | Note
g-glast-new:owner-flightops | g-glast-new:flightops | /afs/slac/g/glast/isoc/flightOps/ |
g-glast-new:xrootd | | /afs/slac/g/glast/ground/PipelineConfig/xrootd | xrootd software
g-glast-new:owner-online | g-glast-new:online | /afs/slac/g/glast/online |
g-glast-new:admin | g-glast-new:community | /afs/slac/g/glast | LAT members, etc.
g-glast-new:owner-releases | g-glast-new:releases | /afs/slac/g/glast/ground/releases | AFS release area (pipeline)
g-glast-new:owner-releases | g-glast-new:anafiles-diffuse | /afs/slac/g/glast/ground/releases/anaFiles/diffuse .../residual .../isotropic | Diffuse and background models
g-glast-new:owner-moot | g-glast-new:moot | /afs/slac/g/glast/moot | mooters
g-glast-new:owner-acct | g-glast-new:acct-glast, g-glast-new:acct-glastmc, g-glast-new:acct-glastraw, g-glast-new:acct-glastxrw | | service account login authorization