Share access to your home directory space or Geode-Project space with other IU research supercomputer users
On this page:
- Overview
- Configure your environment for NFS V4 ACLs
- View an ACL
- Modify an ACL to grant access to another user
- Get help
Overview
If you have home directory space on the Indiana University research supercomputers or project space on a Geode-Project allocation, you can set up shared access to give other IU research supercomputer users access to specific files and subdirectories.
- You can share access to your home directory or Geode-Project space data only with other IU research supercomputer users.
- If you are sharing access to data that contain PHI, you must share with individual accounts only. Do not give a group account access to a space in which data containing PHI are stored.
To set up shared access to files and subdirectories in your home directory or Geode-Project space:
- Direct users to whom you are granting access to email the UITS Research Storage team (store-admin@iu.edu) to request network access for their IU usernames.
- Access your home directory space or Geode-Project space; use your preferred SSH2 client to connect to your account on one of the following IU research supercomputers:
  System        Hostname
  Big Red 200   bigred200.uits.iu.edu
  Quartz        quartz.uits.iu.edu
  Log in with your IU username and passphrase, and then confirm your identity with Two-Step Login (Duo).
- Use the instructions below for creating Access Control Lists (ACLs) to grant access to specific files and/or subdirectories.
Configure your environment for NFS V4 ACLs
Home directories and Geode-Project spaces are hosted on Geode, IU's disk-based online storage service. Both services support NFS V4 access control lists (ACLs), which are different from traditional GPFS ACLs based on the POSIX model.
To use NFS V4 ACLs in your home directory or Geode-Project space, you need to add the directory that contains the ACL commands to your PATH environment variable:
- If you're using the bash shell, on the command line, enter:
  export PATH=$PATH:/usr/lpp/mmfs/bin
  To make this change permanent, add the above command to the end of your ~/.bash_profile file. To make the change take effect during your current session, on the command line, enter:
  source ~/.bash_profile
- If you're using the csh or tcsh shell, on the command line, enter:
  setenv PATH $PATH:/usr/lpp/mmfs/bin
  To make this change permanent, add the above command to the end of your ~/.cshrc file. To make the change take effect during your current session, on the command line, enter:
  source ~/.cshrc
View an ACL
To view the ACL for a subdirectory or file, use the command mmgetacl with the relative path to the subdirectory or file. For example:
- To view the ACL for the subdirectory ~/my_dir, on the command line, enter:
  mmgetacl my_dir
- To view the ACL for my_file in subdirectory ~/my_dir, on the command line, enter:
  mmgetacl my_dir/my_file
NFS V4 ACLs each consist of a list of ACL entries. For example:
#NFSv4 ACL
#owner:username
#group:groupname
user:username:rwxc:allow:FileInherit:DirInherit
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
special:owner@:rwxc:allow:FileInherit:DirInherit
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
In the example above, the first three lines are comments that indicate the NFSv4 ACL protocol, the file owner's username (username), and the file owner's group (groupname). Following the comments are two ACL entries.
The first line of each ACL entry:
- Specifies the user or group
  Users and groups are identified by type and name (for example: user:darvader or group:dstar). Special names containing the keyword special and ending with the "at" sign (@) also are supported:
  - special:owner@: Refers to the owner of the file or directory
  - special:group@: Refers to the owning group
  - special:everyone@: Refers to all users
- Summarizes the access level granted to that user or group (in rwxc format)
- Indicates whether to allow or deny the permissions selected in the entry's list of available access permissions
  Selected permissions are marked with an X; permissions that are not selected are marked with a - (minus sign).
- Indicates inheritance with the following flags:
  - DirInherit: Include the ACL entry in the initial ACL for subdirectories created in this directory (as well as the current directory).
  - FileInherit: Include the ACL entry in the initial ACL for files created in this directory.
  - Inherited: The current ACL entry is derived from inherit entries in an ACL of the parent directory.
  - InheritOnly: The current ACL entry does not apply to the directory but should be included in the initial ACL for objects created in this directory.
  - NoPropagateInherit: Include the ACL entry in the initial ACL for subdirectories created in this directory but do not propagate it to subdirectories created below that level.
Modify an ACL to grant access to another user
To grant another user access to a file or subdirectory in your home directory space or Geode-Project space, use the command mmeditacl with the relative path to the file or subdirectory.
For example, to grant user altuser1 read and write permissions to the file my_file in subdirectory ~/my_dir, on the command line, enter:
mmeditacl my_dir/my_file
The ACL will open in the text editor set by your EDITOR environment variable. In the text editor, add the following ACL entry for altuser1, and then save your changes and exit:
user:altuser1:rwxc:allow:Inherited
(X)READ/LIST (X)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (X)WRITE_NAMED
To verify that your changes were saved, use the mmgetacl command to view the ACL; it should include the user permissions you just added for altuser1.
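The following is an added example, not part of the original page or of IU's or IBM's tooling. It parses ACL text in the format mmgetacl prints and flags allow entries that name a group or everyone (see the PHI rule in the Overview) or that hold WRITE_ACL or CHOWN. The function names and the sample ACL are constructed for illustration.

```python
import re

# Constructed sample in the mmgetacl format shown on this page (names are made up).
SAMPLE_ACL = """\
#NFSv4 ACL
#owner:username
#group:groupname
special:owner@:rwxc:allow
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
user:altuser1:rw-c:allow
(X)READ/LIST (X)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (X)WRITE_ACL (-)WRITE_ATTR (X)WRITE_NAMED
group:dstar:r-x-:allow:DirInherit
(X)READ/LIST (-)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
"""

ENTRY = re.compile(r"^(user|group|special):([^:]+):[rwxc-]{4}:(allow|deny)((?::\w+)*)$")
PERM = re.compile(r"\(([X-])\)(\S+)")

def parse_acl(text):
    """Return one dict per ACL entry: who, action, inheritance flags, selected permissions."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank separators and the three comment lines
        m = ENTRY.match(line)
        if m:
            entries.append({"who": f"{m[1]}:{m[2]}", "action": m[3],
                            "flags": m[4].split(":")[1:], "perms": set()})
        elif entries:  # permission lines belong to the entry above them
            entries[-1]["perms"] |= {p for mark, p in PERM.findall(line) if mark == "X"}
    return entries

def audit(text):
    """Flag allow entries for non-individual principals or with ACL/ownership control."""
    findings = []
    for e in parse_acl(text):
        if e["action"] != "allow" or e["who"] == "special:owner@":
            continue
        if not e["who"].startswith("user:"):
            findings.append((e["who"], "not an individual account"))
        control = sorted(e["perms"] & {"WRITE_ACL", "CHOWN"})
        if control:
            findings.append((e["who"], "holds " + ",".join(control)))
    return findings
```

Pass the text printed by mmgetacl for a shared file or subdirectory to audit(); an empty list means every non-owner allow entry names an individual user and none of them can change the ACL or ownership.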
Get help
For more about NFS V4 ACLs in GPFS, see IBM's NFS V4 ACL administration.
If you need help using ACLs in your home directory space or Geode-Project space on Geode, email the UITS Research Storage team (store-admin@iu.edu).
This is document agfd in the Knowledge Base.
Last modified on 2023-10-03 09:59:53.