Texas Tech University

Sharing File Access

Situations often arise for controlling shared access to files in an area for which you are the owner. The default at the HPCC is for files to be readable, writeable, or executable only by the owner. Unix file permissions can be set by the owner to make any file or directory area readable, writeable, and/or executable more broadly. The owner of any directory area or file can also control this access in a fine-grained way directly using the Access Control List (ACL) features of the file system. The HPCC recommends that ACLs be used rather than Unix file permissions, since ACLs allow explicit control of which files or areas are accessible for specific userIDs.

** Note: in these commands you must replace "userid" with the actual eRaider user ID for the group member you are adding, and "/path/to/your/area/" with the actual directory path! **

For example, if you want to grant full read/write/execute access to this area to an account with eRaider ID "userid", you would use the command below. You can also control individual folders and/or use a subset of the (r,w,x) options to set different permissions for each account that needs access.

To manage the access control list (ACL) for a file or directory area, you may follow the steps below to add or remove a particular HPCC user in your group. For the full details, use the commands "man setfacl" or "man getfacl"; here is a summary.

To set or modify an ACL for a given eRaider userID for your directory area, use the setfacl command with a "-m" flag.

setfacl -R -m u:userid:rwx /path/to/your/area/

The above command adds access for the eRaider account (userid) with the "rwx" (read-write-execute) permissions to the specified area, and the "-R" flag applies it recursively to everything already under that area. You may choose a different combination of these three kinds of permissions based on your needs, such as "rx" or "r". You may also specify particular files by providing the file path instead of the area. Changing ACL settings for a large directory tree may take some time, so be patient if a lot of files are affected by the change.

To remove or exclude an ACL for a given eRaider userID for your directory area, also use the setfacl command with a "-x" flag.

setfacl -R -x u:userid /path/to/your/area/

This command removes the account "userid" from the access list for the specified area. This only removes the user's access; any folders created before this step by the user are still kept, and you, as the owner, can still access all data under the specified area. You may also specify particular files by providing the file path instead of the area. Again, changing the ACL settings for a large number of files may take some time to complete.

Please note that in order for someone to access files in a subdirectory of your home, work, scratch, or research areas, they will need to have at least read and execute access to the directory that contains that subdirectory as well as the subdirectory itself, which includes the top level of the area. So for example if you want to give read/write access to someone else using the commands above for your /lustre/work/myeraider/subdir/ subdirectory, you would need to issue the commands

setfacl -m u:userid:rx /lustre/work/myeraider/

as well as the command

setfacl -R -m u:userid:rwx /lustre/work/myeraider/subdir/

(Note that this does not by itself provide access to the files in your /lustre/work/myeraider area themselves, but it does enable the account specified by "userid" to traverse the directory to the subdirectory you specified, which would otherwise be invisible to them.)

To check ACL settings, you may use the getfacl command at any time to see which accounts are included in the access list, and with what kind of access permissions.

getfacl -p /path/to/your/area/

Use the getfacl command above to show a list of users who have access to your storage. Please remember, you as the file owner are the only person who can modify the access list to add or remove a user or change their access permissions.
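The following script is an added example, not part of the HPCC page, that ties the steps above together: it works out which parent directories need an "rx" entry so that an account can traverse to a subdirectory, grants "rwx" recursively on the subdirectory itself, verifies the result with getfacl, and then revokes everything again. The traverse_chain helper is this example's own, not a standard command; "userid", the area path and the subdirectory are placeholders supplied by the caller, and the demo() function assumes a throwaway temporary directory and the local "nobody" account rather than a real /lustre area.

```shell
#!/bin/sh
# Added example, not part of the HPCC page: share one subdirectory of a
# storage area with a single eRaider account, following the page's rule that
# every directory above the subdirectory (up to the top of the area) needs
# at least "rx" so the account can traverse to it.
# Assumed placeholders: the account name, AREA and SUBDIR are supplied by the
# caller; demo() uses a temporary directory and the local "nobody" account.

# Print every directory from AREA down to the parent of SUBDIR, one per
# line. These are the directories that need an "rx" entry for traversal.
# Prints nothing when SUBDIR is the area itself; fails when it is outside it.
traverse_chain() {
    area=${1%/}
    sub=${2%/}
    case "$sub" in
        "$area")   return 0 ;;
        "$area"/*) ;;
        *) echo "error: $sub is not inside $area" >&2; return 1 ;;
    esac
    d=$area
    rel=${sub#"$area"/}                   # path of SUBDIR relative to AREA
    echo "$d"
    while [ "$rel" != "${rel%/*}" ]; do   # a slash remains: more parents below
        d="$d/${rel%%/*}"
        rel=${rel#*/}
        echo "$d"
    done
}

# Grant PERMS (default rwx) recursively on SUBDIR and "rx" on each parent.
share_subdir() {
    user=$1; area=$2; sub=$3; perms=${4:-rwx}
    traverse_chain "$area" "$sub" >/dev/null || return 1   # validate first
    traverse_chain "$area" "$sub" | while IFS= read -r d; do
        setfacl -m "u:$user:rx" "$d" || exit 1   # exit leaves the pipeline subshell
    done || return 1
    setfacl -R -m "u:$user:$perms" "$sub"
}

# Undo share_subdir. Caution: the parent "rx" entries are removed too, which
# also cuts off any other subdirectory under the same parents that the same
# account was given access to separately.
revoke_subdir() {
    user=$1; area=$2; sub=$3
    traverse_chain "$area" "$sub" >/dev/null || return 1
    setfacl -R -x "u:$user" "$sub" || return 1
    traverse_chain "$area" "$sub" | while IFS= read -r d; do
        setfacl -x "u:$user" "$d" || exit 1
    done
}

# Succeed only if the path has an explicit ACL entry for USER (via getfacl).
acl_has_user() {
    getfacl -p "$1" 2>/dev/null | grep -q "^user:$2:"
}

# Live walk-through on a throwaway tree. Skipped when setfacl is absent.
demo() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed; skipping"; return 0; }
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/area/subdir/data" "$tmp/area/private"
    : > "$tmp/area/subdir/data/notes.txt"
    rc=0
    share_subdir nobody "$tmp/area" "$tmp/area/subdir" || rc=1
    acl_has_user "$tmp/area/subdir/data/notes.txt" nobody && echo "shared: notes.txt"
    acl_has_user "$tmp/area/private" nobody || echo "not shared: private/"   # sibling untouched
    revoke_subdir nobody "$tmp/area" "$tmp/area/subdir" || rc=1
    acl_has_user "$tmp/area/subdir" nobody || echo "revoked: subdir/"
    rm -rf "$tmp"
    return $rc
}

demo || echo "live demo failed (ACLs may be unsupported on this filesystem)" >&2
```

On the cluster you would call share_subdir with the real eRaider ID, the top of your area (for example /lustre/work/myeraider) and the subdirectory to share; the sibling "private" directory in the demo shows that only the named subdirectory and its parents receive entries. Because revoke_subdir strips the parent "rx" entries as well, leave that step out if the same account still needs to reach another subdirectory under the same parents.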

For more information, you can do a quick web search on the "setfacl" and "getfacl" commands if needed, as there are many tutorials on this topic on the web.


High Performance Computing Center