Open pierrepo opened 2 years ago
While Plasma is used in the educational space, it is for now still generic and does not imply any teachers / students hierarchy.
So I'm wondering whether these ACLs should go in Plasma by default.
/srv/data is already exposed to the user containers. Maybe everything should be done from that folder instead of creating a new /srv/scratch? This will let other administrators have better control.
Maybe the docs should instead mention how to define such ACLs. Or refer to external materials to learn more about configuring them with e.g. setfacl.
Well, I guess that we might accept this teachers / students hierarchy since it's quite common in educational settings.
But for a first step, we could indeed update the documentation and provide commands to define the ACLs mentioned above.
And yes, let's focus on /srv/data:
/srv/data is rwx for the group teachers
/srv/data is r-x for the group students
/srv/data/scratch is rwx for groups teachers and students
Do you think this is possible?
@jtpio I guess something like this could define rights for /srv/data (not considering /srv/data/scratch here):
chgrp -R teachers /srv/data
chmod -R g+s /srv/data
setfacl -d -m g:teachers:rwx /srv/data
setfacl -d -m g:students:r-x /srv/data
Will it work through the volume mounted in the Docker container?
I think the main difficulty would be to make these groups also available in the Docker images, ideally with the same IDs.
Absolutely.
For a first step, the idea would be to define /srv/data as a common folder writable for all users of the teachers group. Users will access this folder to add or modify files through SSH. This will ensure proper Unix rights apply.
We need ACLs to define access rights to some common directories:
teachers can read and write any files and sub-directories in /srv/data.
students can read all files and sub-directories in /srv/data.
/srv/scratch.
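
An added example, not part of the thread or of Plasma's code: a Python check that parses `getfacl -p` output and reports where the effective ACLs differ from the teachers / students policy discussed above, covering a mask that strips a named group's bits and a missing default entry. The `POLICY` table, the function names and the sample listing are constructed for illustration; inside a container whose image lacks the groups, run `getfacl -n` and key the policy by numeric GID instead.

```python
# Policy from the thread: directory -> {group: required permissions}.
POLICY = {
    "/srv/data": {"teachers": "rwx", "students": "r-x"},
    "/srv/data/scratch": {"teachers": "rwx", "students": "rwx"},
}

# Constructed excerpt of `getfacl -p /srv/data` output (not from the thread).
SAMPLE = """\
# file: /srv/data
group::rwx
group:teachers:rwx\t#effective:r-x
group:students:r-x
mask::r-x
default:group:teachers:rwx
default:mask::rwx
"""

def parse_getfacl(text):
    """Return {path: {"access": {...}, "default": {...}}} keyed by (tag, name)."""
    acls, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# file: "):
            current = acls.setdefault(line[8:], {"access": {}, "default": {}})
        elif line and not line.startswith("#") and current is not None:
            entry = line.split("#")[0].strip()  # drop "#effective:" notes
            scope = "default" if entry.startswith("default:") else "access"
            tag, name, perms = entry.removeprefix("default:").split(":")
            current[scope][(tag, name)] = perms
    return acls

def effective(entries, group):
    """Named-group permissions after applying the mask; None if no entry."""
    perms, mask = entries.get(("group", group)), entries.get(("mask", ""), "rwx")
    return perms and "".join(p if p == m else "-" for p, m in zip(perms, mask))

def audit(text, policy=POLICY):
    """List every place where the listing falls short of the policy."""
    acls, findings = parse_getfacl(text), []
    for path, groups in policy.items():
        if path not in acls:
            findings.append(f"{path}: not in listing")
            continue
        for scope in ("access", "default"):
            for group, want in groups.items():
                got = effective(acls[path][scope], group)
                if got != want:
                    findings.append(f"{path}: {scope} {group}={got}, want {want}")
    return findings
```

Feeding it the output of `getfacl -p /srv/data /srv/data/scratch`, taken on the host and again inside a user container, shows whether the bind mount presents the same entries on both sides.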