Guide: Multi-user Unix Permissions and Data Access Control
Tips on how to manage permissions and data access control.
This guide explains how to set up accounts when there are multiple unix users interacting with the same CryoSPARC instance. For standard instructions about how to set up unix accounts for CryoSPARC installation see the Installation Pre-requisites.
The permissions system built into Linux (and all Unix-like operating systems) can be used to make it easier for multiple users to interact with CryoSPARC's data, or to establish a degree of separation between data belonging to different research teams. This page offers some tips on how this can be done.
Changing file permissions has security implications. If you aren't familiar with how Unix permissions work, it is advisable to consult with your system administrator, consult your operating system's documentation, or do some online research into Unix permissions before running the commands in this guide.
CryoSPARC should be installed under its own operating system account. Typically, individual researchers will have their own accounts for accessing the computer(s) that CryoSPARC is installed on. By default on most Linux distributions, user accounts cannot modify files created by other user accounts, so the accounts belonging to individual researchers can only read files created or owned by CryoSPARC. This can be a barrier when trying to, for example, copy exported job files into another project for import. The standard permission system built into Linux can be used to work around this problem. Below is an example of how.
For the purpose of this example, we'll assume we are working with a fresh CryoSPARC installation. We will create a cryosparc user account (all CryoSPARC processes will run as this user), and we'll create two user accounts for people who will be using CryoSPARC.
[email protected]:~# useradd cryosparc
[email protected]:~# useradd alice
[email protected]:~# useradd tom
We'll add Alice and Tom's accounts to the "cryosparc" group:
[email protected]:~# usermod -aG cryosparc alice
[email protected]:~# usermod -aG cryosparc tom
Since in this example we're assuming this is a brand new CryoSPARC installation, we'll set up the directory that we will be storing our project files in. We'll then change the ownership of that directory so that it's under the control of the cryosparc account and group, and lastly we'll change the permissions on that directory. Specifically, we want
g+ws, which will make anyone in the cryosparc group able to write to that directory (that's the w), and will make it so that any time new file is created in that directory, the file is owned by the cryosparc group (that's the s). [email protected]:~# mkdir -p /data/cryosp_projs
[email protected]:~# chown cryosparc:cryosparc /data/cryosp_projs
[email protected]:~# chmod g+ws /data/cryosp_projs/
A demonstration of the result:
# the cryosparc user creates a bunch of files
[email protected]:~# su cryosparc
[email protected]:/root$ touch /data/cryosp_projs/file1
[email protected]:/root$ touch /data/cryosp_projs/file2
[email protected]:/root$ touch /data/cryosp_projs/file3
[email protected]:/root$ ls -l /data/cryosp_projs/
total 0
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file1
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file2
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file3
[email protected]:/root$ exit
# alice logs in, and also creates a file in that directory
[email protected]:~# su alice
[email protected]:/root$ touch /data/cryosp_projs/file4
[email protected]:/root$ ls -l /data/cryosp_projs/
total 0
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file1
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file2
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file3
-rw-rw-r-- 1 alice cryosparc 0 Jun 18 17:06 file4
[email protected]:/root$ exit
# notice how the file alice made is owned by the cryosparc group.
#
# now tom can log in and is able to modify the files created by...
# ... both alice and cyosparc
[email protected]:~# su tom
[email protected]:/root$ rm /data/cryosp_projs/file2
[email protected]:/root$ rm /data/cryosp_projs/file4
[email protected]:/root$ ls -l /data/cryosp_projs/
total 0
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file1
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file3
[email protected]:/root$ touch /data/cryosp_projs/file
[email protected]:/root$ ls /data/cryosp_projs/ -l
total 0
-rw-rw-r-- 1 tom cryosparc 0 Jun 18 17:07 file
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file1
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file3
On some systems, the default
umask variable may disable group write permissions. This would cause new files created by a user to not have group write permission unless manually changed with chmod. You can determine what the current umask is by running umask at a command prompt. If the second-to-last digit is not zero, you may run into issues. Putting umask 0002 in the ~/.bashrc file for the cryosparc account and each individual user account will correct this issue if it occurs.Another area where unix permissions can help is in separating CryoSPARC users into teams that cannot interact with each other's data. Be sure to read the above section before this one, as a few important ideas are not repeated here.
While this guide can be used as a basis for limiting access to data and projects at the level of unix user accounts, the cryosparc user can still access the data from all teams. This is necessary for CryoSPARC to function correctly. As a result, users could still access another group's work by using the CryoSPARC user interface and navigating to a project directory owned by another group. One group could, for example, import raw data owned by another group. This will be addressed in a future CryoSPARC release.
This guide will proceed by example, similar to the previous.
We assume we're starting with a blank slate. Suppose we have four researchers in two separate research groups: Alice and Tom are in the 'lab1' group, Dmitri and Sonja are in the 'lab2' group.
[email protected]:~# useradd tom
[email protected]:~# useradd alice
[email protected]:~# useradd dmitri
[email protected]:~# useradd sonja
[email protected]:~# groupadd lab1
[email protected]:~# groupadd lab2
[email protected]:~# usermod -aG lab1 tom
[email protected]:~# usermod -aG lab1 alice
[email protected]:~# usermod -aG lab2 dmitri
[email protected]:~# usermod -aG lab2 sonja
# add the cryosparc user account to both lab1 and lab2
[email protected]:~# useradd cryosparc
[email protected]:~# usermod -aG lab1 cryosparc
[email protected]:~# usermod -aG lab2 cryosparc
Create the directory that will be used to store CryoSPARC projects, and establish the same permissions as in the previous guide.
To briefly recap, we're going to use "chmod g+sw", where the "s" means that files created within the folder will be associated with the folder's group. Right now, that isn't terribly useful as we haven't added any users to the cryosparc group. But that "s" setting - the "setgid" bit, will be set on any created subdirectories as well, which will become important shortly.
[email protected]:~# mkdir -p /data/cryosp_projs
[email protected]:~# chmod g+ws /data/cryosp_projs/
[email protected]:~# chown cryosparc:cryosparc /data/cryosp_projs/
At this point, create some projects via the CryoSPARC UI which, will automatically create project subfolders. (e.g. "P1", "P2", "P3", etc). Decide which project subfolders should be owned by which group, and change the folder ownership appropriately as shown below. Note that the 'mkdir' lines are just simulating what the UI will do when creating a project - these don't need to actually be run.
[email protected]:~# su cryosparc
[email protected]:/root$ cd /data/cryosp_projs/
[email protected]:/data/cryosp_projs$ mkdir P1
[email protected]:/data/cryosp_projs$ mkdir P2
[email protected]:/data/cryosp_projs$ mkdir P3
[email protected]:/data/cryosp_projs$ chgrp lab1 P1
[email protected]:/data/cryosp_projs$ chgrp lab2 P2
[email protected]:/data/cryosp_projs$ chgrp lab2 P3
[email protected]:/data/cryosp_projs$ chmod o-rx *
[email protected]:/data/cryosp_projs$ ls -l
total 12
drwxrws--- 2 cryosparc lab1 4096 Jun 18 17:12 P1
drwxrws--- 2 cryosparc lab2 4096 Jun 18 17:12 P2
drwxrws--- 2 cryosparc lab2 4096 Jun 18 17:12 P3
[email protected]:/data/cryosp_projs$ exit
Take a look at the output of the
ls -l command. Notice that each project folder has an "s" where the group "x" would normally be. This happened because we added the "s" bit to the cryosparc_projs directory before we created the projects (it could be added with chmod if we were doing this retroactively). As a result of the presence of that "s" bit and the fact that each project folder is now owned by one of the lab groups, any files created inside the project folders will be owned by the corresponding lab group, which allows our researcher accounts to access and modify them as appropriate.Notice also that we used
chmod o-rx, meaning that users who aren't cryosparc or part of the appropriate lab group cannot even see the contents of the project directories.The resulting configuration is demonstrated below:
[email protected]:~# su tom
[email protected]:/root$ cd /data/cryosp_projs/
[email protected]:/data/cryosp_projs$ ls
P1 P2 P3
[email protected]:/data/cryosp_projs$ cd P1/
[email protected]:/data/cryosp_projs/P1$ touch file1
[email protected]:/data/cryosp_projs/P1$ cd ..
[email protected]:/data/cryosp_projs$ cd P2
bash: cd: P2: Permission denied
[email protected]:/data/cryosp_projs$ exit
[email protected]:~# su sonja
[email protected]:/root$ cd /data/cryosp_projs/
[email protected]:/data/cryosp_projs$ ls P1
ls: cannot open directory 'P1': Permission denied
[email protected]:/data/cryosp_projs$ touch P3/file
[email protected]:/data/cryosp_projs$ ls -l P3
total 0
-rw-rw-r-- 1 sonja lab2 0 Jun 18 17:14 file
[email protected]:/data/cryosp_projs$ exit
[email protected]:~# su cryosparc
[email protected]:/root$ cd /data/cryosp_projs/
[email protected]:/data/cryosp_projs$ ls
P1 P2 P3
[email protected]:/data/cryosp_projs$ find
.
./P3
./P3/file
./P1
./P1/file1
./P2
[email protected]:/data/cryosp_projs$ rm P3/file
[email protected]:/data/cryosp_projs$ rm P1/file1
Last modified 6mo ago