Suppose you want to open a directory to co-workers who may not be in the same project as you.

The traditional Unix approach of setting file permissions with "chmod g+rw" does not work on SuperMUC-NG: everyone is in the user group "hpcuser", so it opens your directory to all users on SuperMUC-NG. You can, however, use ACLs (Access Control Lists), which give you much finer-grained control over access privileges.

This recipe only works for the $WORK file system on SuperMUC-NG!

To query the ACL for a file use the following command:

$ cd $WORK
$ getfacl a_test_file.txt

which outputs:

$ getfacl a_test_file.txt

# file: test_acl.txt
# owner: USERID
# group: hpcusers-d
user::rw-
group::r--
mask::rwx
other::r--

with USERID showing your user id. If you now want to add rwx privileges to your co-worker with user id OTHERUSER, use the following command:

$ setfacl -m u:OTHERUSER:rwx a_test_file.txt

The query with getfacl will then return:

$ getfacl a_test_file.txt

# file: test_acl.txt
# owner: USERID
# group: hpcusers-d
user::rw-
user:OTHERUSER:rwx
group::r--
mask::rwx
other::r--

It may also be necessary to give permission (at least x or rx) to the upstream directories of a_test_file.txt. This can be done recursively:

$ setfacl    -m u:OTHERUSER:rx /hppfs/work/pr12ab
$ setfacl -R -m u:OTHERUSER:rx /hppfs/work/pr12ab/dir_for_otheruser

Now your co-worker should be allowed to access the file a_test_file.txt in your $WORK directory by specifying the complete path (or by changing into the appropriate directory with cd).

Here is a short summary of setfacl:

$ man setfacl
 ....

EXAMPLES
       Granting an additional user read access
              setfacl -m u:lisa:r file

       Revoking write access from all groups and all named users (using the effective rights mask)
              setfacl -m m::rx file

       Removing a named group entry from a file's ACL
              setfacl -x g:staff file

       Copying the ACL of one file to another
              getfacl file1 | setfacl --set-file=- file2

       Copying the access ACL into the Default ACL
              getfacl --access dir | setfacl -d -M- dir
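
To check what a grant actually allows, the following added example (not part of the original recipe, and not LRZ tooling) parses getfacl output and computes a user's effective rights, i.e. the named-user entry ANDed with the mask. It covers both the "setfacl -m u:OTHERUSER:rwx" grant above and the "setfacl -m m::rx" mask example from the man page; the function name effective_rights and the sample ACL text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): compute the effective rights
# of a user from `getfacl` output. The function name and the sample ACL
# text below are constructed for illustration.

# effective_rights USER  -- reads getfacl output on stdin.
# Owner: the user:: entry applies unmasked. Named user: entry AND mask.
# No entry: prints "none" (access then depends on group/other entries).
effective_rights() {
    awk -F: -v who="$1" '
        /^# owner: /              { owner = substr($0, 10) }
        $1 == "user" && $2 == ""  { own = substr($3, 1, 3) }
        $1 == "user" && $2 == who { named = substr($3, 1, 3); found = 1 }
        $1 == "mask"              { mask = substr($3, 1, 3); masked = 1 }
        END {
            if (who == owner) { print own; exit }
            if (!found)       { print "none"; exit }
            if (!masked)      { print named; exit }
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(named, i, 1)
                out = out ((substr(mask, i, 1) == "-") ? "-" : p)
            }
            print out
        }'
}

# Constructed sample: ACL after `setfacl -m u:OTHERUSER:rwx a_test_file.txt`
ACL_GRANTED='# file: test_acl.txt
# owner: USERID
# group: hpcusers-d
user::rw-
user:OTHERUSER:rwx
group::r--
mask::rwx
other::r--'

# Constructed sample: the same ACL after `setfacl -m m::rx` (mask lowered)
ACL_MASKED='# file: test_acl.txt
# owner: USERID
# group: hpcusers-d
user::rw-
user:OTHERUSER:rwx   #effective:r-x
group::r--
mask::r-x
other::r--'

printf '%s\n' "$ACL_GRANTED" | effective_rights OTHERUSER   # rwx
printf '%s\n' "$ACL_MASKED"  | effective_rights OTHERUSER   # r-x
```

On the system itself, pipe the real output in, for example: getfacl a_test_file.txt | effective_rights OTHERUSER. Running the same check on each upstream directory shows whether the co-worker has the x right needed to reach the file.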