AFS File System
Introduction
AFS is a distributed file system that enables sharing files across both local area and wide area networks.
AFS is based on a distributed file system originally developed at the Information Technology Center at Carnegie-Mellon University that was called the Andrew File System.
Some useful features of AFS:
- In conjunction with Kerberos, AFS provides a global authentication system (all passwords are verified with a site-wide database).
- Access Control Lists (ACLs) provide more flexibility in setting file access permissions than traditional Unix file systems.
- Users can access AFS files at remote sites, if given appropriate permissions.
See Also:
AFS Commands Quick Reference
This table lists the most common AFS commands used by users. All commands have two help functions: <command> help and <command> <option> -help.
| File Service Commands | Description |
| fs listquota <path>, fs lq <path> | List the AFS quota for the volume containing file or directory path. If no path is specified, the current directory is used. |
| fs listacl <path>, fs la <path> | List the Access Control List for the directory path (or the directory containing path). If no path is specified, the current directory is used. |
| fs setacl <path> <user> <acl>, fs sa <path> <user> <acl> | Set the Access Control List for the user user on the directory path. |
| fs copyacl <srcpath> <destpath> | Copy the Access Control List from the directory srcpath to the directory destpath. Note that this does not delete the existing Access Control List entries of destpath. |
| afs_rseta <path> <user> <acl> | Recursively set the Access Control List for the user user on the directory path and all subdirectories of path. |
| fs whereis <path> | Print the name of the AFS Fileserver for the volume containing file or directory path. If no path is specified, the current directory is used. |
| AFS Group Commands | Description |
| pts creategroup <username:group> | Create a group named username:group. username must be your username. |
| pts adduser <user> <username:group> | Add user user to group username:group. Usually username is your username. |
| pts removeuser <user> <username:group> | Remove user user from group username:group. Usually username is your username. |
| pts membership <user> | List the groups user is a member of. |
| pts membership <username:group> | List the members of group username:group. |
| pts listowned <username> | List the groups owned by username. |
| Authentication Commands | Description |
| tokens | Print information about the AFS Authentication Token of the current process authentication group (PAG). |
| kalog | Renew/Create Kerberos Ticket and AFS Token. |
File-related Commands
Quotas
The AFS file system has per-volume disk space quotas. To examine your quota and the current usage, use:
On UNIX systems
fs listquota <path>
fs lq <path>
Where <path> is the pathname of a file or directory in the volume.
Disk quota and amount used are reported in 1K Byte Blocks. The percentage used of the volume quota and the file server disk partition holding that volume are also reported.
On Windows systems
- Right-click on a directory, and use the AFS | Volume/Partition | Properties menu; or
- In a command window, use the fs listquota command as shown above for UNIX systems.
lff - Large File Finder
lff Introduction
lff is a program which can be used to find large files and directories in a directory tree. It searches all files, including hidden files (dotfiles) and subdirectories of a directory tree. It can also omit directories within the tree from the search.
It can report sizes in bytes, kilobytes or megabytes, and is very configurable through command line options.
| lff option | Description |
| -f, --fileminsize SOMENUMBER | Sets the minimum file size that you are searching for. It defaults to 1 megabyte. You can specify the size in either bytes, kilobytes, or megabytes. To specify bytes, just use a number. To specify kilobytes, append a k or a K after the number. To specify megabytes, append either an m or an M after the number. |
| -d, --dirminsize SOMENUMBER | Sets the minimum directory size that you are searching for. It defaults to 5 megabytes. You can specify kilobytes or megabytes the same way as for --fileminsize. |
| -h, -?, --help | Shows a short help message on usage and immediately exits. |
| -k[K], --kilobytes | (Case insensitive in the single-character form.) Formats the output in kilobytes instead of bytes. |
| -m[M], --megabytes | (Case insensitive in the single-character form.) Formats the output in megabytes instead of bytes. |
| -F, --Fileonly | (Case sensitive.) Limits the output to large files only, instead of both large directories and files. |
| -D, --Dironly | (Case sensitive.) Limits the output to large directories only, instead of both large files and directories. |
| -o, --omitdirs | Sets directories to omit. They should be in the directory tree that you are checking, but the program does not verify this; omitted directories that lie elsewhere cause no problems, only a minor slowdown. |
| -v, --version | Displays the current version of the program and immediately exits. |
lff Examples
The most common usage of lff will probably be to check a home directory to find large files and directories (such as the mozilla cache) when an AFS quota has been filled. The easiest way to do this is:
/s/std/bin/lff ~
In order to format output to kilobytes, the following will work:
/s/std/bin/lff ~ -k
A more complex usage would be the following:
/s/std/bin/lff ~ -k -f 2m -d 6m -o ~/public
That example would scan your home directory, output the file sizes in kilobytes, search for files 2 megabytes or larger, directories 6 megabytes or larger, and omit the public directory.
It is possible to scan and/or omit multiple directories. To scan /tmp and /usr while omitting /usr/X11R6 and /usr/bin, the following command will work:
/s/std/bin/lff /tmp /usr -o /usr/X11R6 -o /usr/bin
Recursively Copying Files And AFS ACLs on UNIX systems
Use the up command:
up <srcdir> <destdir>
srcdir is the source directory, destdir is the destination directory.
Note: if destdir does not exist, it will be created. If destdir already exists, the contents of srcdir are copied into destdir itself (not into destdir/srcdir). For example:
- up olddir newdir: makes a copy of olddir, named newdir
- mkdir newdir; up olddir newdir: makes a copy of olddir, named newdir, not newdir/olddir
Access Control And AFS Groups
The AFS Filesystem provides Access Control Lists (ACLs) and user-managed AFS user groups for controlling file access.
Access Control Lists (ACLs)
Each directory in AFS has an ACL (Access Control List). Although unix files have owner and group IDs associated with them and read/write/execute bits for the owner, group members and non-members, these bits are often ignored for files on AFS filesystems. (You will need to enable execute bits to execute programs, though, and some programs will explicitly test for certain unix file permission bits.)
The ACL of a directory applies to all files in that directory. For example, if the ACL allows read access to a user, then all readable files (according to the Unix owner permission bits) in the directory will be readable by that user. The same applies to write and execute permissions (note: in order to execute a file (run the program), you must also be able to read the file). It is impossible to have two files in a given directory with different ACLs.
Access can be specified for individual users or AFS groups.
Access Control Commands
On UNIX systems
Use the fs listacl command:
fs listacl <path>
fs la <path>
<path> is the pathname of the directory.
On Windows systems
- Right-click on a directory, and use the AFS | Access Control Lists menu; or
- In a command window, use the fs listacl command as shown above for UNIX systems.
Setting/Modifying Access Control Lists
On UNIX systems
Use the fs setacl command:
fs setacl <path> <user> <permission>
fs sa <path> <user> <permission>
- <path> is the pathname of the directory
- <user> is the username of an individual user, or an AFS user group
- <permission> is an AFS Access Control List permission (right) to be granted
For example:
- Give the user bbadger read and lookup access to all the readable files in the directory project2:
fs setacl project2 bbadger read
fs setacl project2 bbadger rl
- Give the group username:mygroup rlidwk (read, lookup, insert, delete, write, and lock) access permissions to the directory src (username is your user name):
fs setacl src <username>:mygroup write
fs setacl src <username>:mygroup rlidwk
- Remove all access permissions for the group system:anyuser on the directory private:
fs setacl private system:anyuser none
On Windows systems
- Right-click on a directory, and use the AFS | Access Control Lists menu; or
- In a command window, use the fs setacl command as shown above for UNIX systems.
See Also:
- Above AFS Commands Quick Reference
Access Permissions (Rights)
The following permissions (rights) can be specified in AFS ACLs:
| Permission | Attribute | Description |
| r | read | allows a user to look at readable files in the directory |
| l | lookup | a user with this right may list a directory, look at an ACL or access subdirectories. |
| w | write | allows a user to modify writable files in the directory |
| d | delete | allows a user to remove files from a directory |
| i | insert | allows a user to add files to a directory |
| k | lock | allows a user to put advisory file locks on a file in the directory |
| a | administer | allows a user to change the ACLs on the directory. If a user has administer access to a directory, that user may change the ACLs of that directory and any directories within that directory. For that reason, we do not suggest granting this access to anyone for your personal directories. |
In addition, the following aggregate permissions can be used:
| Aggregate | Description |
| read | read (r) and lookup (l) permissions |
| write | read (r), lookup (l), insert (i), write (w), delete (d) and lock (k) permissions |
| all | grant all permissions (rliwdka), including administer |
| none | remove all permissions for the specified user or group |
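To make the rights, aggregates and system groups above concrete, here is an added example (not code from the AFS documentation) that parses a constructed `fs listacl` listing, expands aggregates, computes a user's effective rights given their group memberships, and flags the grants the text warns against (administer for non-owners, anything beyond read/lookup for system:anyuser). Negative rights, which this page does not cover, are not modelled.

```python
# Added example; the listing below is constructed, not real server output.
RIGHTS = "rlidwka"  # canonical order in which fs listacl prints rights
AGGREGATES = {"read": "rl", "write": "rlidwk", "all": "rlidwka", "none": ""}

SAMPLE_LISTACL = """Access list for project2 is
Normal rights:
  system:administrators rlidwka
  bbadger rlidwka
  bbadger:workgroup rlidwk
  bucky rlidwka
  system:anyuser rl
"""

def expand(perm):
    """Turn an aggregate name or letter string into canonical rights letters."""
    letters = AGGREGATES.get(perm, perm)
    unknown = set(letters) - set(RIGHTS)
    if unknown:
        raise ValueError("unknown AFS right(s): " + "".join(sorted(unknown)))
    return "".join(r for r in RIGHTS if r in letters)

def parse_listacl(text):
    """Map principal -> rights from the 'Normal rights:' section only."""
    acl, in_normal = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):          # "Normal rights:" / "Negative rights:"
            in_normal = line.startswith("Normal")
        elif in_normal and line:
            who, rights = line.split()
            acl[who] = expand(rights)
    return acl

def effective_rights(acl, user, groups=(), authenticated=True):
    """Union of the user's own entry, group entries and the system groups."""
    principals = {user, "system:anyuser", *groups}
    if authenticated:                   # system:authuser covers any logged-in user
        principals.add("system:authuser")
    got = set().union(*(set(acl.get(p, "")) for p in principals))
    return "".join(r for r in RIGHTS if r in got)

def risky_grants(acl, owner):
    """Grants the text above advises against for personal directories."""
    findings = []
    for who, rights in acl.items():
        if "a" in rights and who not in (owner, "system:administrators"):
            findings.append(f"{who}: administer (a) lets them rewrite this ACL and its subdirectories")
        if who == "system:anyuser" and set(rights) - set("rl"):
            findings.append(f"system:anyuser: {rights} lets unauthenticated users change files")
    return findings
```

Run `risky_grants(parse_listacl(SAMPLE_LISTACL), "bbadger")` to see the one finding in the sample (bucky holding administer).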
AFS Groups
User-Managed AFS Groups
AFS allows users to create and manage their own groups of users. AFS groups can be named in ACLs (Access Control Lists), which is convenient, because you do not need to change every ACL when someone joins or leaves a logical group of users.
AFS groups that are owned by users are named username:groupname.
System-Defined AFS Groups
The AFS system defines the following system groups:
- system:anyuser: any user, regardless of authentication status
- system:authuser: any user (or process) that has authenticated to the AFS system
- system:administrators: the system administration group
AFS Group Commands
Listing AFS Groups on UNIX systems
Use the following pts commands:
| Command | Description |
| pts membership <user> | List the groups <user> is a member of. |
| pts membership <username:group> | List the members of group <username:group>. |
| pts listowned <username> | List the groups owned by <username>. |
For example:
- pts membership bbadger: lists the groups that bbadger is a member of
- pts membership bbadger:workgroup: lists the members of bbadger's group bbadger:workgroup
Creating/Modifying AFS Groups on UNIX systems
Use the following pts commands:
| Command | Description |
| pts creategroup <username:group> | Create group <username:group>. <username> must be your username. |
| pts adduser <user> <username:group> | Add user <user> to group <username:group>. Usually <username> is your username. |
| pts removeuser <user> <username:group> | Remove user <user> from group <username:group>. Usually <username> is your username. |
For example:
- pts creategroup bbadger:workgroup: the user bbadger creates a group named bbadger:workgroup
- pts adduser bucky bbadger:workgroup: add user bucky to bbadger's group bbadger:workgroup
- pts removeuser bucky bbadger:workgroup: remove user bucky from bbadger's group bbadger:workgroup
See Also:
- Above AFS Commands Quick Reference
AFS Authentication
In order to use the AFS file system, you must be authenticated to AFS. AFS uses Kerberos for authentication.
Tokens
AFS uses an authentication token. Tokens are issued by the login process, and are only valid for a certain period of time.
On UNIX systems
Use the tokens command:
- tokens: prints the AFS user ID and the token's expiration time
On Windows systems
- Push CTRL-ALT-DELETE to bring up the Security Panel; or
- In a command window, use the above unix command tokens.
Reauthentication
To reauthenticate (renew or extend an AFS token):
On UNIX systems
Use the kalog command:
- kalog: you will be prompted for your Kerberos password.
On Windows systems
- Push CTRL-ALT-DELETE to bring up the Security Panel and choose the Reauthenticate button; or
- In a command window, use the above unix kalog command.
How To Be Administrator And Have Your Tokens Too (Windows)
If you need to log in to a Windows Workstation as the local administrator, but also need to have AFS access in order to install software, it can be done. You'll need to use the kalog command from a command prompt to get AFS tokens and Kerberos tickets.
Once you have tokens and tickets, you'll need to map drives to the different locations in AFS. Use the subst command to accomplish this. The syntax of this command is:
subst <drive_letter> <path>
For example, to map the S: drive to /s you would use the following command at a command prompt:
subst S: T:\@cell\s
The drive letter T:\ is always mapped to the AFS root (aka /afs) when the system starts. This drive is normally hidden to avoid confusion and in case we need to change the mapping at a later time.
Before you log out, you will need to run unlog and kdestroy. This destroys your AFS tokens and Kerberos tickets and eliminates any chance that someone could steal your tickets or tokens.
AFS Project Management
The AFS Project Management page provides further information about AFS project management.