AFS

About AFS

The Andrew File System (AFS) is a wide area filesystem. There are currently two open-source implementations, OpenAFS and Arla.

Why use AFS?

Compared to NFS and SMB (Windows File Sharing), AFS is:

  • Internet-Wide: Windows File Sharing is almost always blocked by organizational firewalls, making it unusable across the public Internet. AFS does not have this problem; furthermore, all files appear in a single namespace (/afs/college.edu/…) without the need to “mount” directories as with NFS.

  • Fast: unlike NFS or SMB, AFS clients routinely cache hundreds of megabytes of server data. No polling is required — the server will call back to clients to let them know when parts of their caches have become invalid. In practice this means that AFS is quite usable over high-latency connections.

  • Secure: unlike NFS, encryption of over-the-wire communication is easily enabled with a single command.

  • Authenticated: Users are authenticated using standard Kerberos, meaning that existing accounts (principals) can often be used without having to set up additional usernames and passwords.

  • Access Control Lists: Unlike UNIX (and NFS), AFS lets any user create and manage groups (which can even be nested) and grant individual permissions (read, list, insert, delete, write, lock, and administer) to users and groups.

Installing OpenAFS and Authenticating

Follow the directions appropriate for your operating system:

Commands

All the AFS commands a user needs are contained within the fs binary; to see a list of commands, type:

fs help

The two most important commands are la (“list ACL”) and sa (“set ACL”). In AFS, access control lists (ACLs) are kept per directory rather than per file: the permissions on a directory apply to all the files in it. When a new directory is created, it is given a copy of its parent directory's ACL.

To display the ACL on a directory (such as /afs/research.cs.berkeley.edu/), type

$ fs la /afs/research.cs.berkeley.edu/
Access list for /afs/research.cs.berkeley.edu/ is
Normal rights:
  megacz@eecs.berkeley.edu rlidwka
  system:anyuser rl

Each line of the output names a user or group followed by its rights; system:anyuser is a special group that all users belong to. Each access right is represented by a single letter:

  • r: read from files in the directory

  • w: write to files in the directory

  • l: list the contents of a directory (required to reach subdirectories)

  • i: insert new files and subdirectories into the directory

  • d: delete files and subdirectories from the directory

  • k: lock files in the directory

  • a: administer (change the ACL on) the directory

To set an ACL, use the fs sa command:

$ fs sa /afs/research.cs.berkeley.edu/dropbox/ system:anyuser li

$ fs la /afs/research.cs.berkeley.edu/dropbox/
Access list for /afs/research.cs.berkeley.edu/dropbox/ is
Normal rights:
  system:administrators rlidwka
  system:anyuser li

There are also abbreviations for applying commonly used permission sets: read, write, all, and none.
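Because an ACL applies to every file in the directory, a broad group such as system:anyuser holding anything beyond r and l is worth a second look. The following shell script is an added example, not part of this page or of OpenAFS: it parses the fs la output format shown above and reports such entries; the sample ACL text is constructed from the dropbox example, with a constructed “Negative rights:” entry added to show that section being skipped.

```shell
#!/bin/sh
# Added example: audit "fs la" output for broad groups that hold rights
# beyond read (r) and list (l).

# Reads "fs la" output on stdin and prints "<principal> <rights> <flagged>"
# for each broad principal (system:anyuser or system:authuser) holding any
# of i, d, w, k, a in the "Normal rights:" section. Entries under
# "Negative rights:" only remove access, so they are ignored.
flag_broad_rights() {
    awk '
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && NF == 2 &&
            ($1 == "system:anyuser" || $1 == "system:authuser") {
            risky = ""
            for (i = 1; i <= length($2); i++) {
                c = substr($2, i, 1)
                if (index("idwka", c) > 0) risky = risky c
            }
            if (risky != "") print $1, $2, risky
        }
    '
}

# Wrapper for a live AFS client: audit a single directory.
audit_afs_dir() {
    fs la "$1" | flag_broad_rights
}

# Constructed sample input (dropbox ACL from this page plus a constructed
# negative entry) so the parser can be exercised without an AFS client.
SAMPLE_ACL='Access list for /afs/research.cs.berkeley.edu/dropbox/ is
Normal rights:
  system:administrators rlidwka
  system:anyuser li
Negative rights:
  system:authuser w'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ACL" | flag_broad_rights
    # prints: system:anyuser li i
fi
```

Run with --demo to see the dropbox ACL flagged for its insert right; on a client, `audit_afs_dir /afs/cell/path` checks a real directory.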

Encryption

Once you have installed OpenAFS, you should turn on over-the-wire encryption by typing this command (as root on Mac OS and Linux, or Administrator on Windows):

fs setcrypt on