Question about group permissions in iRods

kmar...@gmail.com

Apr 3, 2012, 1:25:34 PM
to iROD-Chat
Hello,

I have a question about creating group permissions in irods. We wanted
to have a separate place from the home directories to store files
for groups. Right now we have /vhub/home with all the home
directories. I created /vhub/groups with the irods admin account.
Then I created another directory /vhub/groups/testgroupdir also with
the irods admin account.

I then created a group
$ iadmin mkgroup testgroup

and added users to that group
$ iadmin atg testgroup foo
$ iadmin atg testgroup bar

finally I added r/w for that group to the /vhub/groups/testgroupdir
collection
$ ichmod read testgroup /vhub/groups/testgroupdir
$ ichmod write testgroup /vhub/groups/testgroupdir

after I did all of this, I was able to login as a user of the
testgroup and put files into /vhub/groups/testgroupdir with the iput
command. However I was not able to move files into that collection
with imv (CAT_NO_ACCESS_PERMISSION). I was trying to figure out how
to get it to work and I looked in the public directory (/vhub/home/
public) and saw that everyone in the public group owned the files in
the public directory. So I did

$ ichmod own testgroup /vhub/groups/testgroupdir

This seemed to solve the imv problem, but then a directory was created
automatically in the home directory for testgroup (which I did not
want to happen).

Is there any way that I can set up group permissions on a collection
so that people in a certain group can create files and move files into
that collection without having to own the directory?

Thanks for the help everyone.

she...@diceresearch.org

Apr 3, 2012, 3:41:27 PM
to irod...@googlegroups.com
By default iRODS rule, when an iRODS user or group is created,
a /yourZone/home/yourUser or /yourZone/home/yourGrp
collection is created.

In your case, if you don't want to have /vhub/home/testgroup,
you can remove it using the iRODS admin account by doing:

./ichmod -M own rods /vhub/home/testgroup
./irm -r  /vhub/home/testgroup

so /vhub/home/testgroup is removed and 'testgroup' still exists

./iadmin lg   (should still show 'testgroup')
--
"iRODS: the Integrated Rule-Oriented Data-management System; A community driven, open source, data grid software solution" https://www.irods.org

iROD-Chat: http://groups.google.com/group/iROD-Chat

schr...@diceresearch.org

Apr 3, 2012, 4:23:18 PM
to irod...@googlegroups.com
Hello,

There are a few levels of access defined in the ICAT tables, but the ones exposed via ichmod are own, write, read (and null).  Each level includes the ones below, so a user with write access also has read, and if they have own that includes read and write.  In your procedure, since you set write access after read, both read and write were allowed but you only needed to set write.

The code allows a move (rename) only if the user has 'own' rights.  So that's why your 'ichmod own' was required.  If the owner of a data-object grants 'write' access to it, that user or group can rewrite the contents of that file.  But to rename it out of that collection into another they need 'own' permission.

 - Wayne -
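
The access rules described in the reply above, as an added example that is not part of the original thread and is not iRODS code: a simplified Python model showing why a group with write access could iput into the collection but got CAT_NO_ACCESS_PERMISSION on imv. The function names, the replace-on-grant behaviour of ichmod, and the sample ACL are assumptions made for illustration.

```python
# Added illustration: a simplified model of the rules described in this thread,
# not iRODS source code.
LEVELS = ["null", "read", "write", "own"]          # each level includes those before it
RANK = {name: i for i, name in enumerate(LEVELS)}

# Minimum level needed on the destination collection, as reported in the thread.
REQUIRED = {"iput": "write", "imv": "own"}

def ichmod(acl, level, principal):
    """Assumption: a grant replaces the principal's previous level on the collection."""
    if level not in RANK:
        raise ValueError(f"unknown access level: {level}")
    updated = dict(acl)
    if level == "null":
        updated.pop(principal, None)
    else:
        updated[principal] = level
    return updated

def effective_level(user, acl, groups):
    """Highest level the user holds directly or through any group membership."""
    principals = {user} | {g for g, members in groups.items() if user in members}
    return max((acl.get(p, "null") for p in principals), key=RANK.__getitem__)

def attempt(user, op, acl, groups):
    """Return 'OK', or the error the poster saw when the level is too low."""
    have, need = effective_level(user, acl, groups), REQUIRED[op]
    return "OK" if RANK[have] >= RANK[need] else "CAT_NO_ACCESS_PERMISSION"

# Constructed state mirroring the thread: admin 'rods' owns the collection.
GROUPS = {"testgroup": {"foo", "bar"}}
acl = {"rods": "own"}
acl = ichmod(acl, "read", "testgroup")
acl = ichmod(acl, "write", "testgroup")   # supersedes the read grant; read is still implied

if __name__ == "__main__":
    for op in ("iput", "imv"):
        print("write:", op, attempt("foo", op, acl, GROUPS))
    owned = ichmod(acl, "own", "testgroup")
    print("own:  ", "imv", attempt("foo", "imv", owned, GROUPS))
```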