
Institute for Advanced Simulation (IAS)



HPC Data Rules for GPFS


The following rules apply to all file systems at Jülich Supercomputing Centre (JSC) where data for approved HPC-projects and their registered users are stored.

Group/project-directories and user-directories for the HPC systems (JUQUEEN, JURECA, DEEP) and the JUROPA3 partitions (e.g. JUAMS, ZEA, JSC) are allocated when a user first applies for an account on any system. For all follow-up accounts on any other system, the already allocated data spaces are shared. Additionally, an account on the Data Access System (JUDAC) is created automatically for the purpose of data access/transfer only. Each user gets data space in three different file systems ($HOME, $WORK, $ARCH).
For the different file systems, their use, characteristics, and limitations see: File Systems

1. Structure


In general each user-account is assigned to a unique group/project. If a user works for different groups/projects he/she has to apply for different accounts according to the group/project. All user-directories of a group/project are grouped together under the roof of a group/project-directory. The general path for a user-directory is:


/<file-system>/<group-project-directory>/<user-directory>

2. File system and group/project-directories


The standard access rights of the mount point of a file system and the group/project-directory are 755 (rwxr-xr-x). This allows a user

  • to list and change into all group/project-directories in all file systems,
  • to list the names and metadata information (size, access rights, link count, etc.) of all user-directories within all groups/projects.


No ordinary user can modify the information of an existing file system mount point or group/project-directory. Likewise, no ordinary user can create a directory or write data directly under the file system path or under the group/project-directory path. This is enforced by granting write access only to the superuser root.

3. User-directories


User-directories belong to the user and the group/project. By default they are not open to anyone other than the user (Unix access right 700, rwx------). It is the user's responsibility to open his/her directory to anyone else for read or even write access. It is strongly recommended not to add write access for other users or groups to the $HOME-directory, because this will disable user login by SSH key due to a violation of the SSH rules. Users may, however, add read and execute rights so that subdirectories can be made more open to other users or groups.

4. User data


Access rights for user data within the user-directories are set according to the umask of the underlying operating system. On RedHat, CentOS, and SuSE Linux this value is set to 022, which results in directories with read and execute rights for the group as well as for all other users. The same applies to normal files, which will be readable by all group members and all other users. A user who opens his/her user-directory should keep this in mind and remove access rights for data that should not be made public. To keep new directories and files private by default, users are encouraged to set the umask to 077 in their login process or batch job initialization ($HOME/.profile).
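
An added example (not part of the original JSC page) covering sections 3 and 4: it shows the modes that new files and directories get under umask 022 versus 077, and audits a user-directory for the group/other write bit and for entries other users can reach. The function names are hypothetical, and a Linux system with `find` and `mktemp` is assumed.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not JSC tooling.

# Print the ls-style mode a new file or directory gets under a given umask.
# Runs in a subshell so the caller's umask is left untouched.
mode_under_umask() {            # usage: mode_under_umask <umask> <file|dir>
    (
        umask "$1"
        t=$(mktemp -d) || exit 1
        if [ "$2" = dir ]; then mkdir "$t/x"; else : > "$t/x"; fi
        # Keep the first 10 characters only: ls may append '+' or '.' (see the ACL section).
        ls -ld "$t/x" | cut -c1-10
        rm -rf "$t"
    )
}

# Return 0 if the directory is writable by group or others. For $HOME this is
# the condition the page says disables login by SSH key.
writable_by_others() {
    m=$(ls -ld "$1" | cut -c1-10)
    case $m in
        ?????w????|????????w?) return 0 ;;   # char 6 = group write, char 9 = other write
    esac
    return 1
}

# List entries below the directory that "other" users can read or write.
# Symbolic links are skipped because their own mode bits are always 777.
exposed_entries() {
    find "$1" -mindepth 1 ! -type l \( -perm -004 -o -perm -002 \) -print
}

# Report for one user-directory.
audit_userdir() {
    if writable_by_others "$1"; then
        echo "WARN: $1 is group/other-writable (breaks SSH-key login if this is \$HOME)"
    fi
    exposed_entries "$1" | sed 's/^/exposed to other users: /'
}

# Run the audit when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_userdir "$1"
fi
```

Calling `audit_userdir "$HOME"` before opening a user-directory lists what would become visible; files reported as exposed can be tightened with `chmod o-rwx`.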

5. Access rights for other users/groups


To share data with all trusted users within the same group/project the Unix access rights can be used. It is NOT recommended to establish overall access (rwx) for all users by setting worldwide Unix access rights, because this would allow anyone to manipulate the data by adding, changing, and even deleting data when set for a directory.


As a safer method, ACLs are provided, which grant access to the data with finer granularity. This enables a user to restrict access to his/her data to one or more individual persons instead of all group members or all users. ACLs are implemented differently across file systems. GPFS has its own command interface (mmeditacl, mmdelacl, mmgetacl, mmputacl), whereas Linux uses the POSIX ACL interface commands (setfacl, getfacl) to set and view ACLs.

ACLs are stored as extended data attributes and can be identified by the character (‘+’ or ‘.’) following the nine characters describing the Unix access rights in the ls-command output. For more information see:

