Access Control

Now that you have data stored in the Storage Service, how do data owners manage access controls to mediate access to the data?

Interfaces to Storage

When thinking about managing access, consider the available “interfaces” to the storage service.

The SMB Protocol (Samba)

SMB stands for “Server Message Block”. SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files. In the Linux world, the protocol is employed by the Samba package. In the RIS Storage Service, the IBM Spectrum Scale software product uses the Ganesha Samba implementation.

Access to storage volumes is mediated by Wash U Active Directory (AD) groups. If you are a storage customer, you are a member of a group whose name begins with storage-. Usually it is based on your Lab Name or your Principle Investigator’s Wustl Key ID, so storage-joe.user. As a member of this group you should be able to “mount” a SMB volume.

See Getting Connected.

Globus

Globus is an application that serves to move data into the storage service.

See Moving Data With Globus. In summary, a user must be a member of a Wash U AD group like storage-* to see data via Globus. First a user should confirm access via SMB. If that works, the same storage volume should be visible in the Globus application.

See Transferring Data With Globus CLI for using the Globus CLI in order to transfer data.

Via the Compute Service

If your research group also uses the integrated RIS Compute Service, you can access your Storage volumes from your Docker containers by specifying the path via an environment variable.

See Accessing Storage Volumes.

Wash U Active Directory Groups

At this point you are aware of the fact that access to RIS Services are mediated by membership in AD groups. The group names have a prefix for the service and are typically tied to the WUSTL Key ID of the Lab’s principal investigator (PI).

Wash U PI “Joe User” has a Wustl Key ID joe.user. As a Storage and Compute consumer user Prof. User has membership in AD groups storage-joe.user and compute-joe.user.

Prof. User has a storage volume named after his ID joe.user and so there exists a storage Allocation of that name in the storage cluster, made visible via SMB at smb://storage1.ris.wustl.edu/joe.user and via filesystems in the Compute service at /storage1/fs1/joe.user.

For simple cases, this is perhaps “good enough” for most labs. PI Joe User asks that lab members are added to his storage-joe.user group and that’s that. But for cases where the storage volume contains lots of different kinds of data with different access control requirements we provide the use of project sub directories.

If Prof. User chooses, he can request optional Project Sub-directories (see Designing a Storage Layout). These project directories come along with project AD groups. Consider Prof. User requests a project named “First Project”. The following would exist:

  • Allocation Name: joe.user

  • Allocation Group: storage-joe.user

  • Project Name: FirstProject

  • Project Groups: storage-joe.user-firstproject-rw, storage-joe.user-firstproject-ro

The “ro” and “rw” refer to “read-only” and “read-write”.

Prof. User can now request that user Alice be given “read-write” permission while user Bob should be given “read-only” permission.

AD Groups and GPFS/NFSv4 Access Control Lists

The primary means by which RIS deploys ACLs with AD groups is by the use of GPFS/NFSv4 Access Control Lists. RIS Administrative Users have a view of the filesystem ACLs that Compute Users cannot see from inside Docker containers:

> mmgetacl /storage1/fs1/joe.user/Active
#NFSv4 ACL
#owner:root
#group:root
special:owner@:rwxc:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:owner@:rw-c:allow:FileInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (X)CHOWN        (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:ris-it-admin:rwx-:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:ris-it-admin:rw--:allow:FileInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:storage-joe.user:rwx-:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:storage-joe.user:rw--:allow:FileInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

> ls -ld /storage1/fs1/joe.user/Active
drwx------. 13 root               root                       8192 Jan  9 17:00  /storage1/fs1/joe.user/Active

Here we see that members of the storage-joe.user group have read-write permission on the storage volume, even though the allocation directory is initially owned by root. These permissions are also inherited by any files created inside the allocation.

Now that Prof. Joe User has a First Project subdirectory, with more specific AD groups, we can observe more specific access controls:

> mmgetacl /storage1/fs1/joe.user/Active/First_Project/
#NFSv4 ACL
#owner:root
#group:root
special:owner@:rwxc:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:owner@:rw-c:allow:FileInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (X)CHOWN        (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:ris-it-admin:rwx-:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:ris-it-admin:rw--:allow:FileInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:storage-joe.user:rwx-:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:storage-joe.user:rw--:allow:FileInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:storage-joe.user-first_project-rw:rwx-:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:storage-joe.user-first_project-rw:rw--:allow:FileInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:storage-joe.user-first_project-ro:r-x-:allow:DirInherit
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

group:storage-joe.user-first_project-ro:r---:allow:FileInherit
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

> ls -ld /storage1/fs1/joe.user/Active/First_Project
drwx------. 4 root root 8192 Jan  2 16:01 /storage1/fs1/joe.user/Active/First_Project

Here we see that members of storage-joe.user-first_project-rw are given read-write permission while the storage-joe.user-first_project-ro group have read-only permission. These permissions are also inherited by files underneath the same project directory. Note that the creation of a project also necessitates ACL entries on the parent directories above it so that project group members may traverse the filesystem to get to the project directories.

It is important to manage membership in groups, as this is the way you control access to your data.

  • The primary storage-key group should be the most trusted (smallest) group

  • Project specific groups storage-key-project-(ro|rw) group should specific to that data set.

POSIX Permissions

From the point of view of a Compute Service execution node, the POSIX permissions on storage volumes may appear as follows:

ls -l /storage1/fs1/joe.user/
total 32
drwx------. 6 root root         8192 Nov  5 15:33 Active
drwx------. 2 root root         8192 Dec 17  2018 Archive
-rw-r--r--. 1 root root         2325 May  7  2018 README.txt

In this case where there are no POSIX permissions for ordinary users, access is completely governed by the NFSv4 ACLs. When a user creates a new directory from the shell, it looks like this:

[joe.user@compute1-client-1 ~]$ LSF_DOCKER_VOLUMES="/storage1/fs1/joe.user/Active:/data" bsub -Is -q general-interactive -a 'docker(alpine)' sh
Job <6241> is submitted to queue <general-interactive>.
<<Waiting for dispatch ...>>
<<Starting on compute1-exec-32.ris.wustl.edu>>
Using default tag: latest
latest: Pulling from library/alpine
Digest: sha256:c19173c5ada610a5989151111163d28a67368362762534d8a8121ce95cf2bd5a
Status: Image is up to date for alpine:latest
docker.io/library/alpine:latest
/home/joe.user $
/home/joe.user $ cd /data
/data $ mkdir newdir
/data $ touch newdir/newfile

That example shows the filesystem view from inside the container. The filesystem the permissions look like this:

> ls -ld /data/newdir
drwx------. 2 joe.user domain users 8192 Nov  8 11:35 /data/newdir

From outside the container one could examine the ACL as well:

> mmgetacl /storage1/fs1/joe.user/Active/newdir
#NFSv4 ACL
#owner:joe.user
#group:domain users
special:owner@:rwxc:allow:DirInherit:Inherited
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:owner@:rw-c:allow:FileInherit:InheritOnly:Inherited
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (X)CHOWN        (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:ris-it-admin:rwx-:allow:DirInherit:Inherited
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:ris-it-admin:rw--:allow:FileInherit:InheritOnly:Inherited
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:storage-joe.user:rwx-:allow:DirInherit:Inherited
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:storage-joe.user:rw--:allow:FileInherit:InheritOnly:Inherited
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

The user can use chmod as normal:

/data $ ls -l newdir
total 0
/data $ ls -ld newdir
drwx------. 2 joe.user domain users 8192 Nov  8 17:35 newdir
/data $ chmod 750 newdir/
/data $ touch newdir/newfile
/data $ chmod 644 newdir/newfile
/data ls -la newdir
total 32
drwxr-x---. 2 joe.user domain users 8192 Nov  8 17:44 .
d---------. 7 root     root         8192 Nov  8 17:35 ..
-rw-r--r--. 1 joe.user domain users    0 Nov  8 17:44 newfile

Example

Wash U PI “Joe User” has a Wustl Key ID joe.user. As a Storage and Compute user he has membership in AD groups storage-joe.user and compute-joe.user. Prof. User employs a trusted postdoc named Terry, and lab members Alice and Bob, who are team leads for First Project and Second Project, respectively.

With SMB, using WUSTL Key credentials, the team has access to smb://storage1.ris.wustl.edu/joe.user

From Compute they can supply LSF_DOCKER_VOLUMES=/storage1/fs1/joe.user:/data to Docker jobs and then see his storage volume:

> ls -l /data
total 46054464
d---------   2 root       root         65536 Jan 25  2019 firstproject
d---------   2 root       root         65536 Jan 25  2019 secondproject

In this case, the following AD groups exist:

  • storage-joe.user Contains Prof. Joe User himself, and his most trusted lab member, Terry.

  • storage-joe.user-firstproject-ro Contains anyone who needs read-only access to First Project.

  • storage-joe.user-firstproject-rw Contains Alice.

  • storage-joe.user-secondproject-ro Contains anyone who needs read-only access to Second Project.

  • storage-joe.user-secondproject-rw Contains Bob

Project Quotas: Moving Data

It is highly recommended to avoid use of rsync -a or mv when moving data between directories with set project quotas. Use of these commands do not allow group ownership to update resulting in a discrepancy in expected project quota usage.

Examples

  • Allocation: smith
    • Project: firstproject (Project Quota: 5GB)
      • File: john-file1.txt (File Size: 5GB)

    • Project: secondproject (Project Quota: 5GB)

  • Allocation: jones
    • Project: analysis1 (Project Quota: 10GB)

Copy file to new fileset using rsync -a to preserve attributes.:

> rsync -av smith/firstproject/john-file1.txt jones/analysis1/mary-file1.txt
Result:
  • Allocation: smith (5GB total usage)
    • Project: firstproject (Project Quota usage: 5/5GB)
      • File: john-file1.txt

    • Project: secondproject (Quota usage: 0/5GB)

  • Allocation jones (5GB total usage)
    • Project: analysis1 (Project Quota usage: 0/10GB)
      • File: mary-file1.txt (File Size: 5GB)

Copy file to new project in the same fileset using rsync -a to preserve attributes.:

> rsync -av smith/firstproject/john-file1.txt smith/secondproject/output-file1.txt
Result:
  • Allocation: smith (10GB total usage)
    • Project: firstproject (Project Quota usage: 10/5GB)
      • File: john-file1.txt

    • Project: secondproject (Quota usage: 0/5GB)
      • File: output-file1.txt

  • Allocation jones (0GB total usage)
    • Project: analysis1 (Project Quota usage: 0/10GB)