Sharing Data on HPC
Introduction
To share files on the cluster with other users, we recommend NFSv4 Access Control Lists (ACLs), which let a user grant others access to their data. The NFSv4 ACL mechanism allows fine-grained control of access to any file, for any user or group of users.
We discourage users from setting 777 permissions with chmod: world-writable files can lead to data loss, whether through a malicious user or by accident.
Torch supports NFSv4 ACLs rather than the POSIX ACLs supported by Greene! NFSv4 ACLs allow for more fine-grained control than POSIX ACLs.
Anatomy of an Access Control Entry
An Access Control List is composed of Access Control Entries, each of which has the following structure:
[type]:[flags]:[principal]:[permissions]
| Property | Description |
|---|---|
| type | Type of ACE; we recommend only using A (access). Deny-type entries make an ACL harder to reason about than an equivalent configuration that uses only access-type entries. |
| flags | Inheritance flags, which apply to directories and control how ACEs are inherited: f: files inherit the ACE, but inheritance flags are not set on the files; d: directories inherit both the ACE and the inheritance flags; i: only the inheritance flags are inherited, the ACE does not apply to this directory itself; n: directories only inherit the ACE, not the inheritance flags; g: only used when the principal is a group. |
| principal | The user (identified by NetID) or group to apply the ACE to, with the following special principals: OWNER@, GROUP@, EVERYONE@. |
| permissions | The level of access to grant. The most commonly used options are aliases for sets of individual permission letters: R: Read, alias for rntcy; W: Write, alias for watTNcCy; X: Execute, alias for xtcy. The full list of available permission letters can be found in the nfs4_acl man page. |
Creating and Applying ACLs
The following commands are available:
- nfs4_setfacl to set ACEs
- nfs4_editfacl to edit ACEs
- nfs4_getfacl to view ACLs

with the usage described in the following examples.
Give someone access to read a particular file
Append an ACE to that file's ACL via
nfs4_setfacl -a "A::NetID:R" filename
where the -a flag signifies "append". Since inheritance flags apply only to directories and the principal is not a group, no flags are needed.
Show current access properties
Create an empty file and view its default ACEs:
```
~> touch temp
~> nfs4_getfacl temp
# file: temp
A::OWNER@:rwatTnNcy
A:g:GROUP@:rtncy
A::EVERYONE@:rtncy
```
View changes after granting a collaborator read permissions:
```
~> nfs4_setfacl -a "A::collaborator-netid:R" temp
~> nfs4_getfacl temp
# file: temp
A::collaborator-netid@hpc.nyu.edu:rtncy
A::OWNER@:rwatTnNcy
A:g:GROUP@:rtncy
A::EVERYONE@:rtncy
```
where collaborator-netid refers to the NetID of your collaborator.
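As an added example (not part of this page or of the cluster's tooling), a small POSIX shell audit that reads nfs4_getfacl output and flags the entries the sections above steer users away from: Deny-type ACEs and write-class access granted to GROUP@ or EVERYONE@. The sample ACL and the principal names are constructed placeholders, not captured from the cluster.

```shell
#!/bin/sh
# Constructed sample of nfs4_getfacl output for a shared directory (not captured
# from the cluster); the principal names are placeholders.
SAMPLE_ACL='# file: shared
A:fd:collaborator-netid@hpc.nyu.edu:rtncy
A::OWNER@:rwatTnNcy
A:g:GROUP@:rtncy
A::EVERYONE@:rwatTNcCy
D::other-netid@hpc.nyu.edu:w'

# acl_findings: read nfs4_getfacl output on stdin and print one line per ACE that
# deserves a second look before data is shared:
#   deny-entry  - a type D (deny) entry, which the table above advises against
#   broad-write - an allow entry giving GROUP@ or EVERYONE@ a write-class bit:
#                 w (write), a (append), d (delete), D (delete child),
#                 C (change ACL), o (change owner)
# Output format: "<finding> <principal> <permissions>", in ACL order.
acl_findings() {
    awk -F: '
        /^#/ || NF < 4 { next }   # skip the "# file:" header and blank lines
        {
            type = $1; principal = $3; perms = $4
            if (type == "D") {
                printf "deny-entry %s %s\n", principal, perms
                next
            }
            if ((principal == "GROUP@" || principal == "EVERYONE@") && perms ~ /[wadDCo]/) {
                printf "broad-write %s %s\n", principal, perms
            }
        }'
}

# Stand-alone usage: audit the constructed sample.
# (On the cluster: nfs4_getfacl /path/to/shared | acl_findings)
printf '%s\n' "$SAMPLE_ACL" | acl_findings
```

A clean result is an empty output; each reported line names the principal and permission string to review with nfs4_editfacl.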