Use ACL to define access rights to /srv/data and /srv/scratch

[pierrepo]

We need ACL to define access rights to some common directories:

• Group teachers can read and write any files and sub-directories in /srv/data.
• Group students can read all files and sub-directories in /srv/data.
• Everybody can read and write any files and sub-directories in /srv/scratch.

[jtpio]

While Plasma is used in the educational space, it is for now still generic and does not imply any teachers / students hierarchy.

So I'm wondering whether these ACLs should go in Plasma by default.

/srv/data is already exposed to the user containers. Maybe everything should be done from that folder instead of creating a new /srv/scratch? This will let other administrators have better control.

Maybe the docs should instead mention how to define such ACLs. Or refer to external materials to learn more about configuring them with e.g setfacl.

[pierrepo]

Well, I guess that we might accept this teachers / students hierarchy since it's quite common in educational settings.
But for a first step, we could indeed update the documentation and provide commands to define ACL mentioned above.
And yes, let's focus on /sr/data:

• /srv/data is rwx for the group teachers
• /srv/data is r-x for the group students
• /srv/data/scratch is rwx for groups teachers and students

Do you think this is possible?

[pierrepo]

@jtpio I guess something like this could define rights for /srv/data (not considering /srv/data/scratch here):

chgrp -R teachers /srv/data
chmod -R g+s /srv/data
setfacl -d -m g:teachers:rwx /srv/data
setfacl -d -m g:students:r-x /srv/data

Will it work through the volume mounted in the Docker container?

[jtpio]

I think the main difficulty would be to make these groups also available in the Docker images, ideally with the same IDs.

[pierrepo]

Absolutely.
For a first step, the idea would be to defined /srv/data as a common folder writable for all users of the teachers group. Users will access to this folder to add or modify files through SSH. This will ensure proper Unix rights apply.