Use ACL to define access rights to /srv/data and /srv/scratch #196

pierrepo opened this issue Jan 5, 2022 · 5 comments

@pierrepo
Contributor

pierrepo commented Jan 5, 2022

We need ACL to define access rights to some common directories:

  • Group teachers can read and write any files and sub-directories in /srv/data.
  • Group students can read all files and sub-directories in /srv/data.
  • Everybody can read and write any files and sub-directories in /srv/scratch.

@jtpio
Member

jtpio commented Mar 30, 2022

While Plasma is used in the educational space, it is for now still generic and does not imply any teachers / students hierarchy.

So I'm wondering whether these ACLs should go in Plasma by default.

/srv/data is already exposed to the user containers. Maybe everything should be done from that folder instead of creating a new /srv/scratch? This will let other administrators have better control.

Maybe the docs should instead mention how to define such ACLs. Or refer to external materials to learn more about configuring them with e.g. setfacl.

@pierrepo
Contributor Author

Well, I guess that we might accept this teachers / students hierarchy since it's quite common in educational settings.
But for a first step, we could indeed update the documentation and provide commands to define the ACLs mentioned above.
And yes, let's focus on /srv/data:

  • /srv/data is rwx for the group teachers
  • /srv/data is r-x for the group students
  • /srv/data/scratch is rwx for groups teachers and students

Do you think this is possible?

@pierrepo
Contributor Author

pierrepo commented Apr 4, 2022

@jtpio I guess something like this could define rights for /srv/data (not considering /srv/data/scratch here):

```bash
chgrp -R teachers /srv/data
chmod -R g+s /srv/data
setfacl -d -m g:teachers:rwx /srv/data
setfacl -d -m g:students:r-x /srv/data
```

Will it work through the volume mounted in the Docker container?

@jtpio
Member

jtpio commented Apr 5, 2022

I think the main difficulty would be to make these groups also available in the Docker images, ideally with the same IDs.

@pierrepo
Contributor Author

Absolutely.
For a first step, the idea would be to define /srv/data as a common folder writable for all users of the teachers group. Users will access this folder to add or modify files through SSH. This will ensure proper Unix rights apply.
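
The commands in the April 4 comment set only default ACLs, and only on the top-level directory. As an added example (not from the thread and not Plasma's own code), the script below also sets access ACLs on existing entries and audits `getfacl` output against the /srv/data policy. The function names and the sample output are constructed; `audit_policy` accepts numeric GIDs for use with `getfacl -n` where group names do not resolve, as can happen inside a container.

```shell
#!/bin/sh
# Added example, not from the thread; group names are those used in the issue.

# Apply the policy to directory $1 (run as root, needs the acl tools).
apply_policy() {
    chgrp -R teachers "$1"
    # setgid on directories only, so new entries inherit the group
    find "$1" -type d -exec chmod g+s {} +
    # access ACLs for existing entries; X = execute on directories and on
    # files that are already executable
    setfacl -R -m g:teachers:rwX,g:students:r-X "$1"
    # default ACLs, inherited by entries created later
    find "$1" -type d -exec setfacl -d -m g:teachers:rwx,g:students:r-x {} +
}

# Audit `getfacl DIR` output read from stdin. $1 and $2 name the two groups
# as getfacl prints them: names on the host, numeric GIDs (getfacl -n) where
# the names do not resolve. Returns 0 only if the access and default entries
# are present and neither mask cuts them down; prints what is missing.
audit_policy() {
    awk -v t="${1:-teachers}" -v s="${2:-students}" '
        /^#/ || NF == 0 { next }               # header lines and blanks
        { sub(/[ \t]*#.*/, ""); seen[$0] = 1 } # drop "#effective:" notes
        END {
            w = "group:" t ":rwx group:" s ":r-x mask::rwx"
            n = split(w, want, " ")
            for (i = 1; i <= n; i++) {
                if (!(want[i] in seen)) { print "missing: " want[i]; bad = 1 }
                d = "default:" want[i]
                if (!(d in seen)) { print "missing: " d; bad = 1 }
            }
            exit bad + 0
        }'
}

# Constructed sample: getfacl output after a later `chmod g-w` shrank the mask.
sample_shrunk() {
    printf 'user::rwx\ngroup::rwx\t#effective:r-x\n'
    printf 'group:teachers:rwx\t#effective:r-x\ngroup:students:r-x\n'
    printf 'mask::r-x\nother::---\n'
    printf 'default:group:teachers:rwx\ndefault:group:students:r-x\ndefault:mask::rwx\n'
}
sample_shrunk | audit_policy || echo "policy not in effect"
```

On a host, pipe `getfacl /srv/data` into `audit_policy` after running `apply_policy /srv/data`.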
