Share access to your home directory space or Geode-Project space with other IU research supercomputer users

Overview

If you have home directory space on the Indiana University research supercomputers or project space on a Geode-Project allocation, you can set up shared access to give other IU research supercomputer users access to specific files and subdirectories.

Note:
  • You can share access to your home directory or Geode-Project space data only with other IU research supercomputer users.
  • If you are sharing access to data that contain PHI, you must share with individual accounts only. Do not give a group account access to a space in which data containing PHI are stored.

To set up shared access to files and subdirectories in your home directory or Geode-Project space:

  1. Direct users to whom you are granting access to email the UITS Research Storage team (store-admin@iu.edu) to request network access for their IU usernames.
  2. Access your home directory space or Geode-Project space; use your preferred SSH2 client to connect to your account on one of the following IU research supercomputers:
    System        Hostname
    Big Red 200   bigred200.uits.iu.edu
    Quartz        quartz.uits.iu.edu

    Log in with your IU username and passphrase, and then confirm your identity with Two-Step Login (Duo).

  3. Use the instructions below for creating Access Control Lists (ACLs) to grant access to specific files and/or subdirectories.

Configure your environment for NFS V4 ACLs

Home directories and Geode-Project spaces are hosted on Geode, IU's disk-based online storage service. Both services support NFS V4 access control lists (ACLs), which are different from traditional GPFS ACLs based on the POSIX model.

To use NFS V4 ACLs in your home directory or Geode-Project space, you need to add the directory that contains the ACL commands (/usr/lpp/mmfs/bin) to your PATH environment variable:

  • If you're using the bash shell, on the command line, enter:
    export PATH=$PATH:/usr/lpp/mmfs/bin

    To make this change permanent, add the above command to the end of your ~/.bash_profile file. To make the change take effect during your current session, on the command line, enter:

    source ~/.bash_profile
  • If you're using the csh or tcsh shell, on the command line, enter:
    setenv PATH $PATH:/usr/lpp/mmfs/bin

    To make this change permanent, add the above command to the end of your ~/.cshrc file. To make the change take effect during your current session, on the command line, enter:

    source ~/.cshrc

View an ACL

To view the ACL for a subdirectory or file, use the command mmgetacl with the relative path to the subdirectory or file. For example:

  • To view the ACL for the subdirectory ~/my_dir, on the command line, enter:
    mmgetacl my_dir
  • To view the ACL for my_file in subdirectory ~/my_dir, on the command line, enter:
    mmgetacl my_dir/my_file

NFS V4 ACLs each consist of a list of ACL entries. For example:

#NFSv4 ACL
#owner:username
#group:groupname
user:username:rwxc:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:owner@:rwxc:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

In the example above, the first three lines are comments that indicate the NFSv4 ACL protocol, the file owner's username (username), and the file owner's group (groupname). Following the comments are two ACL entries.

The first line of each ACL entry:

  • Specifies the user or group

    Users and groups are identified by type and name (for example: user:darvader or group:dstar). Special names containing the keyword special and ending with the "at" sign (@) also are supported:

    • special:owner@: Refers to the owner of the file or directory
    • special:group@: Refers to the owning group
    • special:everyone@: Refers to all users
  • Summarizes the access level granted to that user or group (in rwxc format)
  • Indicates whether to allow or deny the permissions selected in the entry's list of available access permissions

    Selected permissions are marked with an X; permissions that are not selected are marked with a - (minus sign).

  • Indicates inheritance with the following flags:
    • DirInherit: Include the ACL entry in the initial ACL for subdirectories created in this directory (as well as the current directory).
    • FileInherit: Include the ACL entry in the initial ACL for files created in this directory.
    • Inherited: The current ACL entry is derived from inherit entries in an ACL of the parent directory.
    • InheritOnly: The current ACL entry does not apply to the directory but should be included in the initial ACL for objects created in this directory.
    • NoPropagateInherit: Include the ACL entry in the initial ACL for subdirectories created in this directory but do not propagate it to subdirectories created below that level.

Modify an ACL to grant access to another user

To grant another user access to a file or subdirectory in your home directory space or Geode-Project space, use the command mmeditacl with the relative path to the file or subdirectory.

For example, to grant user altuser1 read and write permissions to the file my_file in subdirectory ~/my_dir, on the command line, enter:

mmeditacl my_dir/my_file

The ACL will open in the text editor set by your EDITOR environment variable. In the text editor, add the following ACL entry for altuser1, and then save your changes and exit:

user:altuser1:rwxc:allow:Inherited
 (X)READ/LIST (X)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (X)WRITE_NAMED

To verify that your changes were saved, use the mmgetacl command to view the ACL; it should include the user permissions you just added for altuser1.
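A quick way to review the result, as an added example that is not part of the original page: the shell function below reads mmgetacl output and lists allow entries, other than the owner's, that name a group or everyone@ (relevant to the PHI note above) or that grant WRITE_ACL or CHOWN. The function names, the finding labels, the altuser2 account, and the sample ACL are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): review an mmgetacl listing.
# Usage on a real file: mmgetacl my_dir/my_file | audit_acl
# Output: one "principal<TAB>finding" line per finding.
audit_acl() {
    awk '
    index($0, "#owner:") == 1 { owner = substr($0, 8); next }  # header comment
    /^(user|group|special):/ {              # first line of an ACL entry
        split($0, f, ":")
        who = f[1] ":" f[2]
        # Ignore deny entries and the owner (special name or username).
        skip = (f[4] != "allow" || who == "special:owner@" || who == ("user:" owner))
        if (!skip && (f[1] == "group" || who == "special:group@" || who == "special:everyone@"))
            print who "\tSHARED_PRINCIPAL"
        next
    }
    index($0, "(X)") && !skip {             # permission lines of that entry
        if (index($0, "(X)WRITE_ACL")) print who "\tCAN_CHANGE_ACL"
        if (index($0, "(X)CHOWN"))     print who "\tCAN_CHOWN"
    }'
}

# Constructed sample in the format shown on this page. The group:dstar and
# user:altuser2 entries are hypothetical.
sample_acl() {
    cat <<'EOF'
#NFSv4 ACL
#owner:username
#group:groupname
user:username:rwxc:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
user:altuser1:rwxc:allow:Inherited
 (X)READ/LIST (X)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (X)WRITE_NAMED
group:dstar:r-x-:allow
 (X)READ/LIST (-)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
user:altuser2:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
EOF
}

sample_acl | audit_acl
```

An entry flagged CAN_CHANGE_ACL lets that account edit the ACL itself, so it can extend access to others without the owner's involvement.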

Get help

For more about NFS V4 ACLs in GPFS, see IBM's NFS V4 ACL administration.

If you need help using ACLs in your home directory space or Geode-Project space on Geode, email the UITS Research Storage team (store-admin@iu.edu).

This is document agfd in the Knowledge Base.
Last modified on 2023-10-03 09:59:53.