Access Management using GoCommands¶
GoCommands provides features to manage access of users and groups to data in the Data Store. The chmod
and chmodinherit
commands allow users to manage access permissions for data objects (files) and collections (directories). The ls -A
command displays the current access levels assigned to users for a given file or directory.
List Access Permissions of Users for a Data Object or Collection¶
gocmd ls -A <data-object-or-collection>
The -A
flag in ls
command displays access permissions in the result.
This command will show the data objects and collections along with their access control lists (ACLs). For example:
/iplant/home/myUser/mydata:
ACL - g:rodsadmin#iplant:own myUser#iplant:own
Inheritance - Disabled
file1.bin
ACL - g:rodsadmin#iplant:own myUser#iplant:own
file2.bin
ACL - g:rodsadmin#iplant:own myUser#iplant:own
C- /iplant/home/myUser/mydata/subdir1
- The
g:
prefix in the ACL username indicates that the user is a group. - The ACL is displayed in the
username#zone:access_level
format. - Most common access levels are:
read_object
: Allows read access to the data object or collection.modify_object
: Allows modification (write) of the data object or collection.own
: Grants ownership of the data object or collection.
Example Usage¶
- List current access levels for a data object or collection:
gocmd ls -A /iplant/home/myUser/mydata
Change a User's or Group's Access Permission for a Data Object or Collection¶
gocmd chmod <access-level> <user-or-group(#zone)> <data-object-or-collection>
Access Levels¶
Access Level | Description |
---|---|
null |
Removes all permissions |
read |
Allows reading the object or collection |
write |
Allows reading and modifying the object or collection |
own |
Grants full control, including the ability to change permissions |
Example Usage¶
-
Grant a user read permission to a data object:
gocmd chmod read anotherUser /iplant/home/myUser/file.txt
-
Grant a user from a different zone read permission to a data object:
gocmd chmod read anotherUser#anotherZone /iplant/home/myUser/file.txt
-
Grant a user read permission to a collection and its contents:
gocmd chmod -r read anotherUser /iplant/home/myUser/dir
-
Grant a user write permission to a collection and its contents:
gocmd chmod -r write anotherUser /iplant/home/myUser/dir
-
Grant a user owner permission to a collection and its contents:
gocmd chmod -r owner anotherUser /iplant/home/myUser/dir
-
Remove access permission from a user to a collection and its contents:
gocmd chmod -r none anotherUser /iplant/home/myUser/dir
Enable or Disable Access Permission Inheritance for a Collection¶
When inheritance is enabled for a collection, any new data objects or subcollections created within it will automatically inherit the same access permissions as the parent collection.
gocmd chmodinherit <inheritance_option> <collection_path>
Inheritance Options¶
Flag | Description |
---|---|
inherit |
Enable access inheritance. Data objects and sub-collections inherit permissions from the parent collection |
noinherit |
Disable access inheritance. Data objects and sub-collections do not inherit permissions from the parent collection |
Example Usage¶
-
Enable inheritance for a collection:
gocmd chmodinherit inherit /iplant/home/myUser/dir
-
Disable inheritance for a collection:
gocmd chmodinherit noinherit /iplant/home/myUser/dir
-
Enable inheritance recursively for a collection and its subcollections:
gocmd chmodinherit -r inherit /iplant/home/myUser/dir
-
Disable inheritance recursively for a collection and its subcollections:
gocmd chmodinherit -r noinherit /iplant/home/myUser/dir