mirror of
https://git.openafs.org/openafs.git
synced 2025-01-22 00:41:08 +00:00
d7da1acc31
pull in all documentation from IBM
493 lines
28 KiB
HTML
493 lines
28 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
|
|
<HTML><HEAD>
|
|
<TITLE>User Guide</TITLE>
|
|
<!-- Begin Header Records ========================================== -->
|
|
<!-- /tmp/idwt3629/auusg000.scr converted by idb2h R4.2 (359) ID -->
|
|
<!-- Workbench Version (AIX) on 2 Oct 2000 at 14:38:44 -->
|
|
<META HTTP-EQUIV="updated" CONTENT="Mon, 02 Oct 2000 14:38:42">
|
|
<META HTTP-EQUIV="review" CONTENT="Tue, 02 Oct 2001 14:38:42">
|
|
<META HTTP-EQUIV="expires" CONTENT="Wed, 02 Oct 2002 14:38:42">
|
|
</HEAD><BODY>
|
|
<!-- (C) IBM Corporation 2000. All Rights Reserved -->
|
|
<BODY bgcolor="ffffff">
|
|
<!-- End Header Records ============================================ -->
|
|
<A NAME="Top_Of_Page"></A>
|
|
<H1>User Guide</H1>
|
|
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auusg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auusg003.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auusg005.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auusg013.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
|
|
<HR><H1><A NAME="HDRWQ2" HREF="auusg002.htm#ToC_7">An Introduction to AFS</A></H1>
|
|
<P>This chapter introduces basic AFS concepts and terms.
|
|
It assumes that you are already familiar with standard UNIX commands, file
|
|
protection, and pathname conventions.
|
|
<HR><H2><A NAME="HDRWQ3" HREF="auusg002.htm#ToC_8">AFS Concepts</A></H2>
|
|
<P>AFS makes it easy for people to work together on the same
|
|
files, no matter where the files are located. AFS users do not have to
|
|
know which machine is storing a file, and administrators can move files from
|
|
machine to machine without interrupting user access. Users always
|
|
identify a file by the same pathname and AFS finds the correct file
|
|
automatically, just as happens in the local file system on a single
|
|
machine. While AFS makes file sharing easy, it does not compromise the
|
|
security of the shared files. It provides a sophisticated protection
|
|
scheme.
|
|
<A NAME="IDX747"></A>
|
|
<A NAME="IDX748"></A>
|
|
<P><H3><A NAME="Header_9" HREF="auusg002.htm#ToC_9">Client/Server Computing</A></H3>
|
|
<P>AFS uses a <I>client/server computing</I> model. In
|
|
client/server computing, there are two types of machines. <I>Server
|
|
machines</I> store data and perform services for client machines.
|
|
<I>Client machines</I> perform computations for users and access data and
|
|
services provided by server machines. Some machines act as both clients
|
|
and servers. In most cases, you work on a client machine, accessing
|
|
files stored on a file server machine.
|
|
<A NAME="IDX749"></A>
|
|
<A NAME="IDX750"></A>
|
|
<A NAME="IDX751"></A>
|
|
<A NAME="IDX752"></A>
|
|
<A NAME="IDX753"></A>
|
|
<A NAME="IDX754"></A>
|
|
<P><H3><A NAME="Header_10" HREF="auusg002.htm#ToC_10">Distributed File Systems</A></H3>
|
|
<P>AFS is a <I>distributed file system</I> which joins together the
|
|
file systems of multiple file server machines, making it as easy to access
|
|
files stored on a remote file server machine as files stored on the local
|
|
disk. A distributed file system has two main advantages over a
|
|
conventional centralized file system:
|
|
<A NAME="IDX755"></A>
|
|
<UL>
|
|
<P><LI>Increased availability: A copy of a popular file, such as the binary
|
|
for an application program, can be stored on many file server machines.
|
|
An outage on a single machine or even multiple machines does not necessarily
|
|
make the file unavailable. Instead, user requests for the program are
|
|
routed to accessible machines. With a centralized file system, the loss
|
|
of the central file storage machine effectively shuts down the entire
|
|
system.
|
|
<P><LI>Increased efficiency: In a distributed file system, the work load is
|
|
distributed over many smaller file server machines that tend to be more fully
|
|
utilized than the larger (and usually more expensive) file storage machine of
|
|
a centralized file system.
|
|
</UL>
|
|
<P>AFS hides its distributed nature, so working with AFS files looks and feels
|
|
like working with files stored on your local machine, except that you can
|
|
access many more files. And because AFS relies on the power of
|
|
users' client machines for computation, increasing the number of AFS
|
|
users does not slow AFS performance appreciably, making it a very efficient
|
|
computing environment.
|
|
<P><H3><A NAME="HDRWQ4" HREF="auusg002.htm#ToC_11">AFS Filespace and Local Filespace</A></H3>
|
|
<A NAME="IDX756"></A>
|
|
<P>AFS acts as an extension of your machine's local UNIX file
|
|
system. Your system administrator creates a directory on the local disk
|
|
of each AFS client machine to act as a gateway to AFS. By convention,
|
|
this directory is called <B>/afs</B>, and it functions as the root of the
|
|
<I>AFS filespace</I>.
|
|
<A NAME="IDX757"></A>
|
|
<A NAME="IDX758"></A>
|
|
<A NAME="IDX759"></A>
|
|
<P>Just like the UNIX file system, AFS uses a hierarchical file structure (a
|
|
tree). Under the <B>/afs</B> root directory are subdirectories
|
|
created by your system administrator, including your home directory.
|
|
Other directories that are at the same level of the local file system as
|
|
<B>/afs</B>, such as <B>/usr</B>, <B>/etc</B>, or <B>/bin</B>,
|
|
can either be located on your local disk or be links to AFS
|
|
directories. Files relevant only to the local machine are usually
|
|
stored on the local machine. All other files can be stored in AFS,
|
|
enabling many users to share them and freeing the local machine's disk
|
|
space for other uses.
|
|
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">You can use AFS commands only on files in the AFS filespace or the local
|
|
directories that are links to the AFS filespace.
|
|
</TD></TR></TABLE>
|
|
<P><H3><A NAME="HDRWQ5" HREF="auusg002.htm#ToC_12">Cells and Sites</A></H3>
|
|
<P>The <I>cell</I> is the administrative domain in
|
|
AFS. Each cell's administrators determine how client machines are
|
|
configured and how much storage space is available to each user. The
|
|
organization corresponding to a cell can be a company, a university
|
|
department, or any defined group of users. From a hardware perspective,
|
|
a cell is a grouping of client machines and server machines defined to belong
|
|
to the same cell.
|
|
<A NAME="IDX760"></A>
|
|
An AFS <I>site</I> is a grouping of one or more related cells. For
|
|
example, the cells at the ABC Corporation form a single site.
|
|
<A NAME="IDX761"></A>
|
|
<P>By convention, the subdirectories of the <B>/afs</B> directory are
|
|
cellular filespaces, each of which contains subdirectories and files that
|
|
belong to a single cell. For example, directories and files relevant to
|
|
the ABC Corporation cell are stored in the subdirectory
|
|
<B>/afs/abc.com</B>.
|
|
<P>While each cell organizes and maintains its own filespace, it can also
|
|
connect with the filespace of other AFS cells. The result is a huge
|
|
filespace that enables file sharing within and across cells.
|
|
<A NAME="IDX762"></A>
|
|
<P>The cell to which your client machine belongs is called your <I>local
|
|
cell</I>. All other cells in the AFS filespace are termed
|
|
<I>foreign cells</I>.
|
|
<A NAME="IDX763"></A>
|
|
<A NAME="IDX764"></A>
|
|
<A NAME="IDX765"></A>
|
|
<P><H3><A NAME="HDRWQ6" HREF="auusg002.htm#ToC_13">Volumes and Mount Points</A></H3>
|
|
<P>The storage disks in a computer are divided into sections
|
|
called <I>partitions</I>. AFS further divides partitions into units
|
|
called <I>volumes</I>, each of which houses a subtree of related files and
|
|
directories. The volume provides a convenient container for storing
|
|
related files and directories. Your system administrators can move
|
|
volumes from one file server machine to another without your noticing, because
|
|
AFS automatically tracks a volume's location.
|
|
<A NAME="IDX766"></A>
|
|
<A NAME="IDX767"></A>
|
|
<P>You access the contents of a volume by accessing its <I>mount point</I>
|
|
in the AFS filespace. A mount point is a special file system element
|
|
that looks and acts like a regular UNIX directory, but tells AFS the
|
|
volume's name. When you change to a different directory (by using
|
|
the <B>cd</B> command, for example) you sometimes <I>cross</I> a mount
|
|
point and start accessing the contents of a different volume than
|
|
before. You normally do not notice the crossing, however, because AFS
|
|
automatically interprets mount points and retrieves the contents of the new
|
|
directory from the appropriate volume. You do not need to track which
|
|
volume, partition, or file server machine is housing a directory's
|
|
contents. If you are interested, though, you can learn a volume's
|
|
location; for instructions, see <A HREF="auusg006.htm#HDRWQ40">Locating Files and Directories</A>.
|
|
<A NAME="IDX768"></A>
|
|
<A NAME="IDX769"></A>
|
|
<P>If your system administrator has followed the conventional practice, your
|
|
home directory corresponds to one volume, which keeps its contents together on
|
|
one partition of a file server machine. User volumes are typically
|
|
named <B>user.</B><VAR>username</VAR>. For example, the volume
|
|
for a user named <B>smith</B> in the cell <B>abc.com</B> is
|
|
called <B>user.smith</B> and is mounted at the directory
|
|
<B>/afs/abc.com/usr/smith</B>.
|
|
<A NAME="IDX770"></A>
|
|
<P>Because AFS volumes are stored on different file server machines, when a
|
|
machine becomes unavailable only the volumes on that machine are
|
|
inaccessible. Volumes stored on other machines are still
|
|
accessible. However, if a volume's mount point resides in a volume
|
|
that is stored on an unavailable machine, the former volume is also
|
|
inaccessible. For that reason, volumes containing frequently used
|
|
directories (for example, <B>/afs</B> and
|
|
<B>/afs/</B><VAR>cellname</VAR>) are often copied and distributed to many
|
|
file server machines.
|
|
<P><H3><A NAME="HDRWQ7" HREF="auusg002.htm#ToC_14">Volume Quotas</A></H3>
|
|
<A NAME="IDX771"></A>
|
|
<P>Each volume has a size limit, or <I>quota</I>, assigned by the system
|
|
administrator. A volume's quota determines the maximum amount of
|
|
disk space the volume can consume. If you attempt to exceed a
|
|
volume's quota, you receive an error message. For instructions on
|
|
checking volume quota, see <A HREF="auusg006.htm#HDRWQ39">Displaying Volume Quota</A>.
|
|
<P>Volumes have completely independent quotas. For example, say that
|
|
the current working directory is <B>/afs/abc.com/usr/smith</B>,
|
|
which is the mount point for the <B>user.smith</B> volume with 1000
|
|
free blocks. You try to copy a 500 block file from the current working
|
|
directory to the <B>/afs/abc.com/usr/pat</B> directory, the mount
|
|
point for the volume <B>user.pat</B>. However, you get an
|
|
error message saying there is not enough space. You check the volume
|
|
quota for <B>user.pat</B>, and find that the volume only has 50
|
|
free blocks.
|
|
<HR><H2><A NAME="HDRWQ8" HREF="auusg002.htm#ToC_15">Using Files in AFS</A></H2>
|
|
<P><H3><A NAME="HDRWQ9" HREF="auusg002.htm#ToC_16">The Cache Manager</A></H3>
|
|
<P>You can access the AFS filespace only when working on an AFS
|
|
client machine. The <I>Cache Manager</I> on that machine is your
|
|
agent in accessing information stored in the AFS filespace. When you
|
|
access a file, the Cache Manager on your client machine requests the file from
|
|
the appropriate file server machine and stores (<I>caches</I>) a copy of
|
|
it on your client machine's local disk. Application programs on
|
|
your client machine use the local, cached copy of the file. This
|
|
improves performance because it is much faster to use a local file than to
|
|
send requests for file data across the network to the file server
|
|
machine.
|
|
<A NAME="IDX772"></A>
|
|
<A NAME="IDX773"></A>
|
|
<A NAME="IDX774"></A>
|
|
<A NAME="IDX775"></A>
|
|
<P>Because application programs use the cached copy of a file, any changes you
|
|
make are not necessarily stored permanently to the central version stored on
|
|
the file server machine until the file closes. At that point, the Cache
|
|
Manager writes your changes back to the file server machine, where they
|
|
replace the corresponding parts of the existing file. Some application
|
|
programs close a file in this way each time you issue their <B>save</B>
|
|
command (and then immediately reopen the file so that you can continue
|
|
working). With other programs, issuing the <B>save</B> command
|
|
writes the changes only to the local cached copy. If you use the latter
|
|
type of text editor, you need to close the file periodically to make sure your
|
|
changes are stored permanently.
|
|
<P>If a file server machine becomes inaccessible, you can continue working
|
|
with the local, cached copy of a file fetched from that machine, but you
|
|
cannot save your changes permanently until the server machine is again
|
|
accessible.
|
|
<P><H3><A NAME="HDRWQ10" HREF="auusg002.htm#ToC_17">Updating Copies of Cached Files</A></H3>
|
|
<A NAME="IDX776"></A>
|
|
<A NAME="IDX777"></A>
|
|
<P>When the central version of a file changes on the file server machine, the
|
|
AFS <I>File Server</I> process running on that machine advises all other
|
|
Cache Managers with copies of that file that their version is no longer
|
|
valid. AFS has a special mechanism for performing these notifications
|
|
efficiently. When the File Server sends the Cache Manager a copy of a
|
|
modifiable file, it also sends a <I>callback</I>. A callback
|
|
functions as a promise from the File Server to contact the Cache Manager if
|
|
the centrally stored copy of the file is changed while it is being
|
|
used. If that happens, the File Server <I>breaks</I> the
|
|
callback. If you run a program that requests data from the changed
|
|
file, the Cache Manager notices the broken callback and gets an updated copy
|
|
of the file from the File Server. Callbacks ensure that you are working
|
|
with the most recent copy of a file.
|
|
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The callback mechanism does not guarantee that you immediately see the
|
|
changes someone else makes to a file you are using. Your Cache Manager
|
|
does not notice the broken callback until your application program asks it for
|
|
more data from the file.
|
|
</TD></TR></TABLE>
|
|
<P><H3><A NAME="Header_18" HREF="auusg002.htm#ToC_18">Multiple Users Modifying Files</A></H3>
|
|
<A NAME="IDX778"></A>
|
|
<A NAME="IDX779"></A>
|
|
<P>Like a standard UNIX file system, AFS preserves only the changes to a file
|
|
that are saved last, regardless of who made the changes. When
|
|
collaborating with someone on the same files, you must coordinate your work to
|
|
avoid overwriting each other's changes. You can use AFS access
|
|
control lists (ACLs) to limit the ability of other users to access or change
|
|
your files, and so prevent them from accidentally overwriting your
|
|
files. See <A HREF="auusg007.htm#HDRWQ44">Protecting Your Directories and Files</A>.
|
|
<HR><H2><A NAME="HDRWQ11" HREF="auusg002.htm#ToC_19">AFS Security</A></H2>
|
|
<A NAME="IDX780"></A>
|
|
<A NAME="IDX781"></A>
|
|
<P>AFS makes it easy for many users to access the same files, but also uses
|
|
several mechanisms to ensure that only authorized users access the AFS
|
|
filespace. The mechanisms include the following:
|
|
<UL>
|
|
<P><LI>Passwords and mutual authentication ensure that only authorized users
|
|
access AFS filespace
|
|
<P><LI>Access control lists enable users to restrict or permit access to their
|
|
own directories
|
|
</UL>
|
|
<P><H3><A NAME="HDRWQ12" HREF="auusg002.htm#ToC_20">Passwords and Mutual Authentication</A></H3>
|
|
<A NAME="IDX782"></A>
|
|
<A NAME="IDX783"></A>
|
|
<A NAME="IDX784"></A>
|
|
<P>AFS uses two related mechanisms to ensure that only authorized users access
|
|
the filespace: passwords and mutual authentication. Both
|
|
mechanisms require that a user prove his or her identity.
|
|
<P>When you first identify yourself to AFS, you must provide the password
|
|
associated with your username, to prove that you are who you say you
|
|
are. When you provide the correct password, you become
|
|
<I>authenticated</I> and your Cache Manager receives a
|
|
<I>token</I>. A token is a package of information that is scrambled
|
|
by an AFS authentication program using your AFS password as a key. Your
|
|
Cache Manager can unscramble the token because it knows your password and
|
|
AFS's method of scrambling.
|
|
<A NAME="IDX785"></A>
|
|
<A NAME="IDX786"></A>
|
|
<P>The token acts as proof to AFS server programs that you are authenticated
|
|
as a valid AFS user. It serves as the basis for the second means
|
|
through which AFS creates security, called <I>mutual
|
|
authentication</I>. Under mutual authentication, both parties
|
|
communicating across the network prove their identities to one another.
|
|
AFS requires mutual authentication whenever a server and client (most often, a
|
|
Cache Manager) communicate with each other.
|
|
<P>The mutual authentication protocol that AFS uses is designed to make it
|
|
very difficult for people to authenticate fraudulently. When your Cache
|
|
Manager contacts a File Server on your behalf, it sends the token you obtained
|
|
when you authenticated. The token is encrypted with a key that only an
|
|
AFS File Server can know. If the File Server can decrypt your token, it
|
|
can communicate with your Cache Manager. In turn, the Cache Manager
|
|
accepts the File Server as genuine because the File Server can decrypt and use
|
|
the information in the token.
|
|
<A NAME="IDX787"></A>
|
|
<P><H3><A NAME="Header_21" HREF="auusg002.htm#ToC_21">Access Control Lists</A></H3>
|
|
<A NAME="IDX788"></A>
|
|
<P>AFS uses <I>access control lists</I> (<I>ACLs</I>) to determine who
|
|
can access the information in the AFS filespace. Each AFS directory has
|
|
an ACL to specify what actions different users can perform on that directory
|
|
and its files. An ACL can contain up to about 20 entries for users,
|
|
groups, or both; each entry lists a user or group and the permissions it
|
|
possesses.
|
|
<P>The owner of a directory and system administrators can always administer an
|
|
ACL. Users automatically own their home directories and
|
|
subdirectories. Other non-owner users can define a directory's ACL
|
|
only if specifically granted that permission on the ACL. For more
|
|
information on ACLs, see <A HREF="auusg007.htm#HDRWQ44">Protecting Your Directories and Files</A>
|
|
.
|
|
<P>A group is composed of one or more users and client machines. If a
|
|
user belongs to a group that appears on an ACL, the user gets all of the
|
|
permissions granted to that group, just as if the user were listed directly on
|
|
the ACL. Similarly, if a user is logged into a client machine that
|
|
belongs to a group, the user has all of the permissions granted to that
|
|
group. For instructions on defining and using groups, see <A HREF="auusg008.htm#HDRWQ60">Using Groups</A>.
|
|
<P>All users who can access your cell's filespace, authenticated or not,
|
|
are automatically assigned to a group called
|
|
<B>system:anyuser</B>. For a discussion of placing the
|
|
<B>system:anyuser</B> group on ACLs, see <A HREF="auusg007.htm#HDRWQ51">Extending Access to Users from Foreign Cells</A>.
|
|
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">You can use the UNIX mode bits to control access on specific files within an
|
|
AFS directory; however, the effect of these mode bits is different under
|
|
AFS than in the standard UNIX file system. See <A HREF="#HDRWQ16">File and Directory Protection</A>.
|
|
</TD></TR></TABLE>
|
|
<HR><H2><A NAME="HDRWQ13" HREF="auusg002.htm#ToC_22">Differences Between UNIX and AFS</A></H2>
|
|
<P>AFS is designed to be similar to the UNIX file system.
|
|
For instance, many of the basic UNIX file manipulation commands (<B>cp</B>
|
|
for copy, <B>rm</B> for remove, and so on) are the same in AFS as they are
|
|
as in UNIX. All of your application programs work as they did
|
|
before. The following sections describe some of the differences between
|
|
a standard UNIX file system and AFS.
|
|
<P><H3><A NAME="HDRWQ14" HREF="auusg002.htm#ToC_23">File Sharing</A></H3>
|
|
<A NAME="IDX789"></A>
|
|
<A NAME="IDX790"></A>
|
|
<A NAME="IDX791"></A>
|
|
<P>AFS enables users to share remote files as easily as local files. To
|
|
access a file on a remote machine in AFS, you simply specify the file's
|
|
pathname. In contrast, to access a file in a remote machine's UNIX
|
|
file system, you must log into the remote machine or create a mount point on
|
|
the local machine that points to a directory in the remote machine's UNIX
|
|
file system.
|
|
<P>AFS users can see and share all the files under the <B>/afs</B> root
|
|
directory, given the appropriate privileges. An AFS user who has the
|
|
necessary privileges can access a file in any AFS cell, simply by specifying
|
|
the file's pathname. File sharing in AFS is not restricted by
|
|
geographical distances or operating system differences.
|
|
<P><H3><A NAME="HDRWQ15" HREF="auusg002.htm#ToC_24">Login and Authentication</A></H3>
|
|
<A NAME="IDX792"></A>
|
|
<P>To become an authenticated AFS user, you need to provide a password to
|
|
AFS.
|
|
<UL>
|
|
<P><LI>On machines that use an AFS-modified login utility, logging in is a
|
|
one-step process; your initial login automatically authenticates you with
|
|
AFS.
|
|
<P><LI>On machines that do not use an AFS-modified login utility, you must
|
|
perform two steps.
|
|
<OL TYPE=1>
|
|
<P><LI>Log in to your local machine.
|
|
<P><LI>Issue the <B>klog</B> command with the <B>-setpag</B> argument to
|
|
authenticate with AFS and get your token.
|
|
</OL>
|
|
</UL>
|
|
<P>Your system administrator can tell you whether your machine uses an
|
|
AFS-modified login utility or not. Then see the login instructions in <A HREF="auusg005.htm#HDRWQ21">Logging in and Authenticating with AFS</A>.
|
|
<P>AFS authentication passwords are stored in special AFS database, rather
|
|
than in the local password file (<B>/etc/passwd</B> or equivalent).
|
|
If your machine uses an AFS-modified login utility, you can change your
|
|
password with a single command. If your machine does not use an
|
|
AFS-modified login utility, you must issue separate commands to change your
|
|
AFS and local passwords. See <A HREF="auusg005.htm#HDRWQ36">Changing Your Password</A>.
|
|
<A NAME="IDX793"></A>
|
|
<A NAME="IDX794"></A>
|
|
<A NAME="IDX795"></A>
|
|
<P><H3><A NAME="HDRWQ16" HREF="auusg002.htm#ToC_25">File and Directory Protection</A></H3>
|
|
<A NAME="IDX796"></A>
|
|
<A NAME="IDX797"></A>
|
|
<P>AFS does not rely on the mode bit protections of a standard UNIX system
|
|
(though its protection system does interact with these mode bits).
|
|
Instead, AFS uses an access control list (ACL) to control access to each
|
|
directory and its contents. The following list summarizes the
|
|
differences between the two methods:
|
|
<UL>
|
|
<P><LI>UNIX mode bits specify three types of access permissions:
|
|
<B>r</B> (<B>read</B>), <B>w</B> (<B>write</B>), and
|
|
<B>x</B> (<B>execute</B>). An AFS ACL uses seven types of
|
|
permissions: <B>r</B> (<B>read</B>), <B>l</B>
|
|
(<B>lookup</B>), <B>i</B> (<B>insert</B>), <B>d</B>
|
|
(<B>delete</B>), <B>w</B> (<B>write</B>), <B>k</B>
|
|
(<B>lock</B>), and <B>a</B> (<B>administer</B>). For more
|
|
information, see <A HREF="auusg007.htm#HDRWQ46">The AFS ACL Permissions</A> and <A HREF="auusg007.htm#HDRWQ59">How AFS Uses the UNIX Mode Bits</A>.
|
|
<P><LI>The three sets of mode bits on each UNIX file or directory enable you to
|
|
grant permissions to three users or groups of users: the file or
|
|
directory's owner, the group that owns the file or directory, and all
|
|
other users. An ACL can accommodate up to about 20 entries, each of
|
|
which extends certain permissions to a user or group. Unlike standard
|
|
UNIX, a user can belong to an unlimited number of groups, and groups can be
|
|
defined by both users and system administrators. See <A HREF="auusg008.htm#HDRWQ60">Using Groups</A>.
|
|
<P><LI>UNIX mode bits are set individually on each file and directory. An
|
|
ACL applies to all of the files in a directory. While at first glance
|
|
the AFS method possibly seems less precise, in actuality (given a proper
|
|
directory structure) there are no major disadvantages to directory-level
|
|
protections and they are easier to establish and maintain.
|
|
</UL>
|
|
<P><H3><A NAME="HDRWQ17" HREF="auusg002.htm#ToC_26">Machine Outages</A></H3>
|
|
<P>The kinds of failures you experience when a standard UNIX
|
|
file system goes down are different than when one or more individual AFS file
|
|
server machines become unavailable. When a standard UNIX file system is
|
|
inaccessible, the system simply locks up and you can lose changes to any files
|
|
with which you were working.
|
|
<P>When an AFS file server machine becomes inaccessible, you cannot access the
|
|
files on that machine. If a copy of the file is available from another
|
|
file server machine, however, you do not necessarily even notice the server
|
|
outage. This is because AFS gives your cell's system
|
|
administrators the ability to store copies of popular programs on multiple
|
|
file servers. The Cache Manager chooses between the copies
|
|
automatically; when one copy becomes unavailable, the Cache Manager
|
|
simply chooses another.
|
|
<P>If there are no other copies of a file that is stored on an inaccessible
|
|
server machine, you can usually continue to use the copy stored in your client
|
|
machine's local AFS cache. However, you cannot save changes to
|
|
files stored on an inaccessible file server machine until it is accessible
|
|
again.
|
|
<P><H3><A NAME="HDRWQ18" HREF="auusg002.htm#ToC_27">Remote Commands</A></H3>
|
|
<P>
|
|
<A NAME="IDX798"></A>
|
|
<A NAME="IDX799"></A>
|
|
<A NAME="IDX800"></A>
|
|
<A NAME="IDX801"></A>
|
|
<A NAME="IDX802"></A>
|
|
<A NAME="IDX803"></A>
|
|
<A NAME="IDX804"></A>
|
|
<A NAME="IDX805"></A>
|
|
The UNIX <I>remote commands</I> enable you to run programs on a remote
|
|
machine without establishing a connection to it by using a program such as
|
|
<B>telnet</B>. Many of the remote commands (such as <B>ftp</B>,
|
|
<B>rcp</B>, and <B>rsh</B>) remain available in AFS, depending on how
|
|
your administrators have configured them. If the remote machine has a
|
|
Cache Manager, your token is used there also and you are authenticated while
|
|
the remote command runs. If the remote machine does not run a Cache
|
|
Manager, you receive the following message:
|
|
<PRE> Warning: unable to authenticate.
|
|
</PRE>
|
|
<P>In this case, you are logged into the remote machine's UNIX file
|
|
system, but you are not authenticated to AFS. You can access the local
|
|
files on the remote machine and the AFS directories that grant access to the
|
|
<B>system:anyuser</B> group, but you cannot access protected AFS
|
|
directories.
|
|
<P><H3><A NAME="Header_28" HREF="auusg002.htm#ToC_28">Differences in the Semantics of Standard UNIX Commands</A></H3>
|
|
<P>This section summarizes differences in the functionality of some
|
|
commonly issued UNIX commands.
|
|
<DL>
|
|
<P><DT><B>chmod
|
|
<A NAME="IDX806"></A>
|
|
<A NAME="IDX807"></A>
|
|
</B><DD>Only members of the <B>system:administrators</B> group can use
|
|
this command to turn on the setuid, setgid or sticky mode bits on AFS
|
|
files. (For more information about this group, see <A HREF="auusg007.htm#HDRWQ50">Using the System Groups on ACLs</A>.)
|
|
<P><DT><B>chown
|
|
<A NAME="IDX808"></A>
|
|
<A NAME="IDX809"></A>
|
|
</B><DD>Only members of the <B>system:administrators</B> group can issue
|
|
this command on AFS files.
|
|
<P><DT><B>chgrp
|
|
<A NAME="IDX810"></A>
|
|
<A NAME="IDX811"></A>
|
|
</B><DD>Only members of the <B>system:administrators</B> group can issue
|
|
this command on AFS files and directories.
|
|
<P><DT><B>groups
|
|
<A NAME="IDX812"></A>
|
|
<A NAME="IDX813"></A>
|
|
</B><DD>If the user's AFS tokens are identified by a process authentication
|
|
group (PAG), the output of this command includes two large numbers. For
|
|
a description of PAGs, see <A HREF="auusg005.htm#HDRWQ24">Authenticating with AFS</A>.
|
|
<P><DT><B>inetd
|
|
<A NAME="IDX814"></A>
|
|
<A NAME="IDX815"></A>
|
|
</B><DD>The AFS version of this daemon authenticates remote issuers of the
|
|
AFS-modified <B>rcp</B> and <B>rsh</B> commands with AFS.
|
|
<P><DT><B>login utilities
|
|
<A NAME="IDX816"></A>
|
|
</B><DD>AFS-modified login utilities both log you into the local UNIX file system
|
|
and authenticate you with AFS.
|
|
<P><DT><B>ln
|
|
<A NAME="IDX817"></A>
|
|
<A NAME="IDX818"></A>
|
|
</B><DD>You cannot use this command to create a hard link between files that
|
|
reside in different AFS directories. You must add the <B>-s</B>
|
|
option to create a symbolic link instead.
|
|
</DL>
|
|
<HR><H2><A NAME="HDRWQ19" HREF="auusg002.htm#ToC_29">Using AFS with NFS</A></H2>
|
|
<P>Some cells use the Networking File System (NFS) in addition
|
|
to AFS. If you work on an NFS client machine, your system administrator
|
|
can configure it to access the AFS filespace through a program called the
|
|
<I>NFS/AFS Translator</I><SUP>TM</SUP>. See <A HREF="auusg010.htm#HDRWQ80">Appendix A, Using the NFS/AFS Translator</A>.
|
|
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auusg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auusg003.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auusg005.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auusg013.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
|
|
<!-- Begin Footer Records ========================================== -->
|
|
<P><HR><B>
|
|
<br>© <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A> All Rights Reserved
|
|
</B>
|
|
<!-- End Footer Records ============================================ -->
|
|
<A NAME="Bot_Of_Page"></A>
|
|
</BODY></HTML>
|