UCL-MIRSG / xnat-aws

Deploy XNAT on AWS
MIT License

Set file permissions for XNAT files to allow access from AppStream #89

Open milanmlft opened 11 months ago

milanmlft commented 11 months ago

The Image Builder currently used to create the AppStream image has the following setup script in /opt/appstream/SessionScripts/efs-mount.sh to mount the EFS volume in the AppStream instance:

```bash
#!/bin/bash

# Mount the XNAT EFS volume for shared file access
# (-p: do not fail if /efs already exists from an earlier session)
sudo mkdir -p /efs
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-05848400c835f8dc7.efs.eu-west-2.amazonaws.com:/ /efs

# Set `drwxr-xr-x` permissions for all directories
find /efs/data/xnat -type d -exec chmod 755 {} \;

# Set `-rw-r--r--` permissions for all files
find /efs/data/xnat -type f -exec chmod 644 {} \;

# Sym-link XNAT data folder
ln -s /efs/data/xnat ~/MyFiles/XNAT
```

After mounting the EFS volume, it updates the permissions of the data/xnat files to allow access to any user, which is necessary to enable access to the files from users' AppStream sessions.

However, the problem is that when XNAT creates new files, either when uploading data or generating results from analyses, those files are owned by tomcat and have restricted access permissions. So this still causes problems when trying to access the files from an AppStream instance. See also https://github.com/HealthBioscienceIDEAS/terraform-aws-IDEAS-appstream/issues/3#issuecomment-1700806532.

We might be able to solve this problem by having newly created files inherit permissions from their parent folder, as suggested by https://github.com/HealthBioscienceIDEAS/terraform-aws-IDEAS-appstream/issues/3#issuecomment-1702495052.
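
The gap described in this comment, as an added example that is not part of the issue thread or the project's code: an audit helper that lists what a session user cannot read, run on a constructed temporary tree where new files appear after the permission pass. The function names and the `umask 027` standing in for the tomcat account are assumptions.

```bash
#!/bin/bash
# Added example, not from the issue thread. Function names are hypothetical.

# List entries a non-owner session user could not read: files without the
# "other" read bit, directories without "other" read+search.
list_inaccessible() {
    find "$1" \( -type f ! -perm -0004 \) -o \( -type d ! -perm -0005 \)
}

count_inaccessible() {
    list_inaccessible "$1" | wc -l | tr -d ' '
}

# Same 755/644 pass as efs-mount.sh, limited to entries that need it and
# batched with "+" so chmod is not forked once per file.
fix_inaccessible() {
    find "$1" -type d ! -perm -0005 -exec chmod 755 {} +
    find "$1" -type f ! -perm -0004 -exec chmod 644 {} +
}

# Constructed demo tree in a temp dir; umask 027 (an assumption) stands in for
# the service account writing results after the session script has run.
demo() {
    local root after_write after_fix
    root="$(mktemp -d)"
    mkdir -p "$root/archive/proj1"
    echo "scan" > "$root/archive/proj1/scan1.dcm"
    fix_inaccessible "$root"                      # session-start pass
    (
        umask 027
        mkdir "$root/archive/proj1/results"       # created as 750
        echo "out" > "$root/archive/proj1/results/out.csv"   # created as 640
    )
    after_write="$(count_inaccessible "$root")"   # new dir + new file
    fix_inaccessible "$root"
    after_fix="$(count_inaccessible "$root")"
    rm -rf "$root"
    echo "$after_write $after_fix"
}

demo
```

Pointing `list_inaccessible` at `/efs/data/xnat` shows what the next session would fail to open without changing any permissions.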

davecash75 commented 1 month ago

Hi @milanmlft, I think a couple of additional steps also need to happen. Do you remember if it was the same for you?

  1. Make the efs-mount.sh executable
  2. Add it to the config.json in /opt/appstream/SessionScripts

Thanks! Dave

milanmlft commented 1 month ago

Ah yes, I found this in my notes:

/opt/appstream/SessionScripts/config.json:

```json
{
  "SessionStart": {
    "Executables": [
      {
        "Context": "system",
        "Filename": "/opt/appstream/SessionScripts/efs-mount.sh",
        "Arguments": "",
        "S3LogEnabled": true
      }
    ],
    "WaitingTime": 30
  }
}
```

davecash75 commented 1 month ago

Have you guys ever taken a look at EFS Access points? These look like they may have the potential to provide more control over permissions settings.

milanmlft commented 1 month ago

> Have you guys ever taken a look at EFS Access points? These look like they may have the potential to provide more control over permissions settings.

Not that I can remember but indeed looks promising!

davecash75 commented 1 month ago

More info on access points (more EC2 focused than AppStream):