How to configure the access rights to your data

This page details the procedures to follow for configuring access rights to your data.

We ask that you apply one of the following three configurations, according to your data-sharing needs. Automated controls are in place to remove access rights that are too permissive for others.

  • Configuration A: You do not need to make your data accessible to other users.
  • Configuration B: You need to make the data accessible to users who are part of your Unix group.
  • Configuration C: You need to make the data accessible to users who are not part of your Unix group.

Before applying one of these three configurations, please verify that you are complying with the general recommendation described in the section below.

General recommendation

You should strictly limit access rights to your various disk spaces on the IDRIS servers (HOME, WORKDIR, ARCHIVE).

Usually, only the owner of the directories should have access to them. Therefore, if not already done, you should set the Unix rights via the chmod command, as follows:

$ chmod 700 $HOME
$ ls -ld $HOME
drwx------ 10 login grp   8192 May 17 18:10 /path/to/your/home

$ chmod 700 $WORKDIR
$ ls -ld $WORKDIR
drwx------ 19 login grp 131072 Nov 16  2015 /path/to/your/workdir

$ chmod 700 $ARCHIVE
$ ls -ld $ARCHIVE
drwx------ 19 login grp 131072 Nov 16  2015 /path/to/your/archive

Comment: This security recommendation is especially important for the HOME directory and the ARCHIVE directory (corresponding to the HOME of the archive machine). These directories are particularly sensitive because they can contain environment files and information linked to identifiers. Consequently, you are strongly advised not to open them to other users.

Configuration A: You do not want to make your data accessible to other users.

The general recommendation is sufficient. On a regular basis, you should verify the access rights set on each of your disk spaces.

Configuration B: You want to make your data accessible to the users who are part of your Unix group.

To share files with the members of your Unix group, we recommend that you use the shared directory COMMONDIR. This way you will avoid opening access to your HOME and WORKDIR.

If you wish to give the members of your group read-only access to your data, you need to create a shared sub-directory in the COMMONDIR with 750 permissions. In the following example, the shared sub-directory is named Shared_Dir:

$ mkdir -m 750 $COMMONDIR/Shared_Dir
$ ls -ld $COMMONDIR/Shared_Dir
drwxr-x--- 10 login grp   8192 May 17 18:10 /path/to/your/commondir/Shared_Dir

If you wish to give your group read/write access to your data, you need to create a shared sub-directory with 770 permissions:

$ mkdir -m 770 $COMMONDIR/Shared_Dir
$ ls -ld $COMMONDIR/Shared_Dir
drwxrwx--- 10 login grp   8192 May 17 18:10 /chemin/vers/votre/commondir/Shared_Dir

Configuration C: You want to make your data accessible to users who are not part of your group.

Sharing data between members of different scientific projects (different Unix groups) is sometimes a necessity. In this case, it is simpler to allow data access to all those who need it than to duplicate the data, which would cause problems of storage volume and consistency. This type of data sharing requires opening access rights on one or more directories, but care must be taken not to be too permissive.

Accordingly, we recommend that you store the data to be shared in a sub-directory of your HOME, WORKDIR or ARCHIVE disk space. On this sub-directory and the entire file tree it contains, set the traditional Unix access rights according to the desired type of access (read, write or read/write). Then set the ACL (Access Control List) access rights on the principal directory concerned (HOME, WORKDIR or ARCHIVE) via the IDRIS command idracl (for information, type idracl on the machine). By proceeding in this way, you can carefully control access to your principal directory and ensure that it is only accessible to the users and groups who need to have access to your shared sub-directory.

Finally, remember to restrict the Unix access rights on all the files and directories which you do not want to share but which could become accessible because of the ACL rights that have been set. Do not forget the hidden directories (especially in the HOME) whose names begin with a . (you can list these with the -a option of the ls command). To restrict access to all the hidden files and directories in your HOME, you can use the command chmod go-rwx $HOME/.*[!.] (the filter .*[!.] excludes the .. directory, which is the parent directory of your $HOME).

The following is an example of data sharing via a sub-directory named Shared_Dir located in the WORKDIR. The data are made accessible to all the members of a Unix group (here, grp2) which is different from the owner group (here, grp):

  1. Creation of the sub-directory Shared_Dir. Note that the access rights on this sub-directory depend initially on the value of your umask.
    $ ls -ld $WORKDIR
    drwx------ 19 login grp 131072 Nov 16  2015 /path/to/your/workdir
    $ mkdir $WORKDIR/Shared_Dir
    $ ls -ld $WORKDIR/Shared_Dir
    drwx------ 19 login grp 131072 Nov 16  2015 /path/to/your/workdir/Shared_Dir
  2. Setting the Unix access rights on the sub-directory Shared_Dir (remember to verify the Unix rights for the entire file tree of the directory).
    1. For the data to be accessible in read/write:
      $ chmod 777 $WORKDIR/Shared_Dir
      $ ls -ld $WORKDIR/Shared_Dir
      drwxrwxrwx 19 login grp 131072 Nov 16  2015  /path/to/your/workdir/Shared_Dir
    2. For the data to be accessible in read only:
      $ chmod 755 $WORKDIR/Shared_Dir
      $ ls -ld $WORKDIR/Shared_Dir
      drwxr-xr-x 19 login grp 131072 Nov 16  2015   /path/to/your/workdir/Shared_Dir
  3. Adding the ACL rights on the WORKDIR to authorise access to members of the Unix group grp2, via the IDRIS command idracl (for information, type idracl). Note that when ACL rights are set, the ls -ld command does not necessarily return the true access rights of the directory (in the example below, the r-x rights are for grp2 and not for the owner's group, grp) and displays a + sign just after the access rights:
    $ idracl -w -a -g grp2 
    $ idracl -w -l
    Liste des logins et groupes autorises a acceder 
     a mon espace /chemin/vers/votre/workdir
    ===============================================
     authorised logins : 
     authorised groups : grp2
    
    $ ls -ld $WORKDIR
    drwxr-x---+ 19 login grp 131072 Nov 16  2015  /path/to/your/workdir
  4. With the ACL rights on the WORKDIR, certain files (such as private_file, in the example) and certain directories (such as Private_Dir, in the example) become accessible to members of the grp2 group. This is not necessarily desired so it is recommended to restrict their Unix access rights:
    $ ls -al $WORKDIR
    drwxr-x---+ 66 login grp 131072 Jul  6 14:45 .
    drwxr-xr-x  27 root  grp 131072 Jun  2 09:06 ..
    ...
    -rw-rw-rw-  19 login grp 131072 Nov 16  2015 /path/to/your/workdir/private_file
    drwxrwxrwx  19 login grp   3072 Nov 16  2015 /path/to/your/workdir/Private_Dir
    drwxrwxrwx  19 login grp 131072 Nov 16  2015 /path/to/your/workdir/Shared_Dir
    
    $ chmod go-rwx  /path/to/your/workdir/Private_Dir
    $ chmod go-rwx  /path/to/your/workdir/private_file
    
    $ ls -al $WORKDIR
    drwxr-x---+ 66 login grp 131072 Jul  6 14:45 .
    drwxr-xr-x  27 root  grp 131072 Jun  2 09:06 ..
    ...
    -rw-------  19 login grp 131072 Nov 16  2015 /path/to/your/workdir/private_file
    drwx------  19 login grp   3072 Nov 16  2015 /path/to/your/workdir/Private_Dir
    drwxrwxrwx  19 login grp 131072 Nov 16  2015 /path/to/your/workdir/Shared_Dir
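
Step 4, and the reminder about hidden entries, can be checked mechanically. The following is an added example, not an IDRIS tool or part of the original procedure: it lists the first-level entries of a space that still carry group/other rights, leaving out the shared sub-directory, and then restricts them. It assumes GNU find; the function names and the scratch directory contents are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not an IDRIS tool. Assumes GNU find
# (-mindepth, -maxdepth and -perm /MODE are GNU extensions).

# list_exposed TOP SHARED
# Print the entries directly under TOP (hidden ones included) that still carry
# any group/other permission bit, except SHARED, the sub-directory meant to be
# shared. The first level is enough: once a directory has lost its group/other
# "x" bit, nothing below it can be reached through it.
list_exposed() {
    # Symbolic links are skipped: on Linux their own mode always reads
    # rwxrwxrwx and chmod would act on the link target instead.
    find "$1" -mindepth 1 -maxdepth 1 ! -type l ! -name "$2" \
         -perm /077 -print | LC_ALL=C sort
}

# restrict_exposed TOP SHARED
# Apply "chmod go-rwx" (step 4 above) to every entry list_exposed reports.
restrict_exposed() {
    find "$1" -mindepth 1 -maxdepth 1 ! -type l ! -name "$2" \
         -perm /077 -exec chmod go-rwx {} +
}

# Constructed demonstration in a scratch directory standing in for $WORKDIR.
demo() {
    w=$(mktemp -d) || return 1
    mkdir "$w/Shared_Dir" "$w/Private_Dir" "$w/.hidden_dir"
    : > "$w/private_file"
    chmod 755 "$w/Shared_Dir"
    chmod 777 "$w/Private_Dir"
    chmod 750 "$w/.hidden_dir"
    chmod 666 "$w/private_file"
    echo "Exposed before:"; list_exposed "$w" Shared_Dir
    restrict_exposed "$w" Shared_Dir
    echo "Exposed after:";  list_exposed "$w" Shared_Dir
    ls -la "$w"
    rm -rf "$w"
}

demo
```

Run list_exposed "$WORKDIR" Shared_Dir before adding the ACL rights, so that nothing private is reachable at the moment access is opened.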

Comments:

  • The idracl command allows you to add ACL rights for one or several logins and/or Unix groups by making several successive calls. Example with the WORKDIR (option -w):
    $ idracl -w -a -g grp2 
    $ idracl -w -a -g grp3 
    $ idracl -w -a -u login2 
    $ idracl -w -l
    Liste des logins et groupes autorises a acceder 
     a mon espace /chemin/vers/votre/workdir
    ===============================================
     authorised logins : login2
     authorised groups : grp2 grp3
  • The idracl command also allows you to partially or completely delete the ACL rights. Example with the WORKDIR (option -w):
    $ idracl -w -l
    Liste des logins et groupes autorises a acceder 
     a mon espace /chemin/vers/votre/workdir
    ===============================================
     authorised logins : login2
     authorised groups : grp2 grp3
    
    $ idracl -w -d -g grp3 
    $ idracl -w -l
    Liste des logins et groupes autorises a acceder 
     a mon espace /chemin/vers/votre/workdir
    ===============================================
     authorised logins: login2
     authorised groups : grp2
    
    $ idracl -w -z 
    $ idracl -w -l
    Liste des logins et groupes autorises a acceder 
     a mon espace /chemin/vers/votre/workdir
    ===============================================
     authorised logins : 
     authorised groups :