Grant Other Users Access to Their CGE Query Engine
Configuration settings to enable one user to allow other users access to the CGE query engine
The Cray Graph Engine (CGE) can protect the contents of your data sets from being viewed or modified by unauthorized users through the CGE instances that you run. This protection only covers access through your instances: the raw data in your data sets must also be protected with traditional Linux file permissions, otherwise any user who can read the files can start their own query engine on your data without your knowledge. To ensure that only authorized users gain access to your data, set the permissions on each directory containing a data set so that only its owner has access (read, write and execute/search), and set the permissions on the files in that directory so that only their owner can read and write them.
As the owner of a running CGE instance, you can control the list of users who are granted access. There are two modes of granting access to other users:
- Access to a single data set
- Access to any provided data set
A key first step is protecting your data sets from being used under another user's instance of CGE. If a user can run her own instance of CGE using your data, you have no further control over that data. So, if you need to control access to your data sets, make sure they are protected against access by any user other than you. Setting the permissions on the data directory of the data set to rwx------ achieves this by preventing other users from listing or opening the files in that directory. If other users may be allowed to run their own instances of CGE on your data, these permissions may be set any way you like.
Once your data sets are protected against other users, you can grant access to individual users. Whether you want to grant access to one data set or to all of them, you need the contents of each user's public key file from that user's .ssh directory. The user can follow the steps for setting up keys shown above if she does not have them yet. It is fine for the user to send you the public key(s) by e-mail or any other method (including letting you copy them from the files yourself). The keys must be appended to the appropriate authorized_keys file.
For more information, see Configure the ACL File User Permissions.
After granting users access, ask them to run the following to verify that they can reach the query engine:
$ cge echo --db-port=73737
The authenticity of host 'localhost' can't be established.
RSA key fingerprint is d2:b4:ad:70:f1:44:d3:8a:f5:16:db:db:76:07:19:47.
Are you sure you want to continue connecting? [Yes/No]: yes
13835 [main] WARN com.cray.cge.communications.client.ssh.LoggingBridge - Permanently added 'localhost' (RSA) to the list of known hosts.
14110 [main] INFO com.cray.cge.sparql.cli.lightweight.commands.debug.EchoCommand - Sending echo request...
14157 [main] INFO com.cray.cge.sparql.cli.lightweight.commands.debug.EchoCommand - Echoed data received and validated successfully
$ ls -ld /lus/scratch/username/lubm0
drwxr-xr-x 2 username group 4096 Oct 20 14:23 /lus/scratch/username/lubm0
$ chmod og-rwx /lus/scratch/username/lubm0
$ ls -ld /lus/scratch/username/lubm0
drwx------ 2 username group 4096 Oct 20 14:23 /lus/scratch/username/lubm0
$ ls -l /lus/scratch/username/lubm0/
total 4796
-rw-r--r-- 1 username group     221 Jan  6 13:13 authorized_keys
-rwxr-xr-x 1 username group 3321856 Oct  9 11:52 dbQuads
-rwxr-xr-x 1 username group 1568768 Oct  9 11:52 string_table_chars
-rw-r--r-- 1 username group    8192 Oct  9 11:52 string_table_chars.index
$ chmod og-rwx /lus/scratch/username/lubm0/*
$ ls -l /lus/scratch/username/lubm0/
total 4796
-rw------- 1 username group     221 Jan  6 13:13 authorized_keys
-rwx------ 1 username group 3321856 Oct  9 11:52 dbQuads
-rwx------ 1 username group 1568768 Oct  9 11:52 string_table_chars
-rw------- 1 username group    8192 Oct  9 11:52 string_table_chars.index
Now this data set can be used only by query engine instances that its owner starts. Other users who want access must connect with a client and are subject to client authentication.
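The permission checks described above, as an added shell example that is not part of the CGE documentation: check_dataset_perms audits a data set directory for the recommended layout (mode 700 on the directory, no group/other bits on authorized_keys, dbQuads and the other files) and lock_dataset applies the same chmod og-rwx fix the session above shows. It assumes GNU stat and find; /lus/scratch/username/lubm0 is only the page's sample path, used here as a default placeholder.

```shell
#!/bin/sh
# Added example, not from the CGE documentation. Assumes GNU coreutils
# (stat -c) and a find that supports -maxdepth.

# Report every entry in the data set directory that grants anything to
# group or other. Returns 0 if the data set is owner-only, 1 if any entry
# is too open, 2 if the directory cannot be read.
check_dataset_perms() {
    dir=$1
    bad=0
    # The directory itself must be rwx------ (octal 700).
    mode=$(stat -c '%a' "$dir") || return 2
    if [ "$mode" != "700" ]; then
        echo "directory $dir has mode $mode, expected 700"
        bad=1
    fi
    # Each file (authorized_keys, dbQuads, string_table_chars, ...) must
    # have no group/other bits, so its octal mode must end in "00".
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        fmode=$(stat -c '%a' "$f")
        case $fmode in
            *00) ;;
            *) echo "$f has mode $fmode, expected owner-only"; bad=1 ;;
        esac
    done
    return $bad
}

# Apply the fix from the page: strip group/other bits from the directory
# and from everything directly inside it.
lock_dataset() {
    find "$1" -maxdepth 1 -exec chmod og-rwx {} +
}

# Stand-alone use: audit the directory given as the first argument.
if [ $# -gt 0 ]; then
    dir=${1:-/lus/scratch/username/lubm0}   # placeholder default from the page
    if check_dataset_perms "$dir"; then
        echo "$dir is restricted to its owner"
    else
        echo "$dir is not restricted; run lock_dataset $dir to fix it"
    fi
fi
```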