The Dice Project


AMP Task Group Summary

Goal: Try to identify the secondary group ids needed for users in the DICE world.
Actioned: This report was actioned in the meeting of 2002-02-19

There will only be two primary group ids, user and pseudo user, but users can still belong to a number of secondary groups. We don't envisage migrating all existing legacy group ids into the DICE world, so we need to identify what the legacy sites were using group ids for and provide groups for similar functions in the DICE world. These primary and secondary groups are to be used only for restricting access to files via the standard Unix chmod permissions. Restricting access to services will be done via the new "roles" mechanism.

Current Situation

By looking at the three sites' /etc/group files (or equivalent) and trawling through exported file systems on the legacy sites, we find roughly the following numbers of group ids in use:

Site    in /etc/group    found on disk
AI      81               233
CG      73               123
CS      160              101

As you can see, AI and CogSci claim to have only 81 and 73 official groups in /etc/group, but there are actually more in use on exported file systems, i.e. a fair number only show up as numeric ids. At CS the situation is reversed, with 160 groups recorded in /etc/group but only 101 actually used by files; of those, about 5 do not map to entries in /etc/group.

Note: When it comes to exporting file systems between legacy sites to implement the common home directory, it is likely that there will be group id clashes. This report does not identify those groups.

Looking at the number of files with a particular group id, the top uses are for "staff" files and local software installation.

Top groups

AI                      CogSci                  CS
staff     1,304,573     staff     1,533,981     misc      1,875,903
phd         817,561     pg_cog      859,953     local     1,610,012
other       574,144     local       431,424     lfcs_lec    652,545
mscs        453,988     ltg         222,153     cs_pg       629,758

Total count

AI                      CogSci                  CS
5,195,528               4,119,580               8,944,307
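The comparison described above (groups defined in /etc/group against group ids actually found on files) can be reproduced with a short script. This is an added example, not the tooling used for the report; the sample group file is constructed and the function names are hypothetical.

```python
import os
from collections import Counter

# Constructed sample in /etc/group format (name:password:gid:members).
SAMPLE_GROUP = """\
root:x:0:
staff:x:50:alice,bob
local:x:60:
phd:x:70:carol
"""

def parse_group(text):
    """Map numeric gid -> group name from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip malformed or NIS '+' entries
        groups.setdefault(int(fields[2]), fields[0])
    return groups

def count_gids(root):
    """Count entries per owning gid under root, without following symlinks."""
    counts = Counter()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            try:
                counts[os.lstat(os.path.join(dirpath, name)).st_gid] += 1
            except OSError:
                pass  # entry vanished or is unreadable
    return counts

def audit(groups, counts):
    """Compare the groups that are defined with the gids seen on disk."""
    on_disk = set(counts)
    return {
        "defined": len(groups),
        "on_disk": len(on_disk),
        "unmapped": sorted(on_disk - set(groups)),  # show up as numeric ids only
        "unused": sorted(groups[g] for g in set(groups) - on_disk),
        "top": [(groups.get(g, str(g)), n) for g, n in counts.most_common(4)],
    }

if __name__ == "__main__":
    report = audit(parse_group(SAMPLE_GROUP), count_gids("."))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The "unmapped" list is the one to review before allocating new group ids: a file owned by a numeric-only gid becomes accessible to whichever group is later given that number.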

DICE groups

For DICE we want to import as little of the old world as possible. It is assumed the "standard" Linux system groups will remain, e.g. root, bin, daemon, sys, adm, nobody. The following are the additional suggested groups:

Group            Description
staff            A member of staff, i.e. has a staff id, the DB concept of staff.
admin            For those files that admin staff are allowed to see, but the rest of us are not!
aisubmit         The submissions system, until a better solution comes along.
tutor            PhDs tutoring undergrads need access to some files that other students should not see, but they can't be restricted to staff as PhDs would not be able to access them.
phd              Not sure about this, what situations are there where files need to be accessible to PhDs and not staff or undergrads?
collaborative    Those collaborative groups that have to exist for when CVS isn't the appropriate way to work. Identifying these cases is still to be done. For example admin shared areas via samba: ipu, ito, room3421. Could these three be boiled down to just admin?
local            Locally installed system software.

Notes:

Comments welcome.

Neil
(neilb @ dcs)


Unless explicitly stated otherwise, all material is copyright The University of Edinburgh