AFS: Andrew File System
History
Development of AFS started in 1983 at Carnegie Mellon University with the Andrew Project. Most parts of that project have since been replaced by newer implementations; only the file system survives today, even though it has had an eventful past:
- In 1988 Transarc was founded by Carnegie Mellon employees, who commercially supported the server and client code for several different operating systems.
- To create an open version of the AFS client, the Arla project started in 1993 at the Royal Institute of Technology in Stockholm (Sweden).
- In 1994 Transarc was sold to IBM and became the IBM Pittsburgh Lab in 1999.
- The next year (in 2000), IBM open sourced the AFS code as OpenAFS under the IBM Public License.
The goal of the Andrew File System is to provide a scalable and global file system that allows storage and sharing of files independent of location and operating system. This has been achieved with a server side consisting of a namespace database and volume-based fileservers, plus clients for almost every desktop operating system available.
AFS and Kerberos
Part of the AFS server suite is the Authentication Server, which provides mutual authentication and was implemented using a set of algorithms developed during Massachusetts Institute of Technology's Project Athena, known as Kerberos. This original authentication server is still available in the OpenAFS code, but has been superseded by newer implementations: Kerberos5 from both MIT and Heimdal. The current AFS servers are compatible with Kerberos5, even though the Kerberos ticket on the user side still has to be converted to an AFS token. In the example below this is done by an additional command, but some implementations of kinit can do this natively.
#>kinit <username>@<REALM>
Please enter the password for <username>@<REALM>: ********
#>afslog <cell>
#>tokens
Tokens held by the Cache Manager:
Tokens for afs@<cell> [Expires Mar 2 07:40]
   --End of list--
For the conversion command, several implementations are available; they may be called aklog (from the kerberos4 era), afslog (newer kerberos5 implementations) or afs5log (something RedHat has come up with).
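The following POSIX sh helper is an added example and not part of the original page or of any AFS distribution: it picks whichever of the three conversion commands named above is installed, and checks the output of `tokens` for a token for a given cell before any AFS access is attempted. `SAMPLE_TOKENS` is a constructed copy of typical `tokens` output (based on the session above) so the parsing functions can be exercised without an AFS client; `afs_login` assumes a real client and an existing Kerberos ticket from `kinit`.

```shell
# Added example (not from the original page): find the installed
# Kerberos-to-AFS conversion command and verify that a token for the
# requested cell really exists after running it.

# Print the first conversion command found in PATH; fail if none is installed.
find_afs_token_cmd() {
    for cmd in afslog aklog afs5log; do
        if command -v "$cmd" >/dev/null 2>&1; then
            printf '%s\n' "$cmd"
            return 0
        fi
    done
    return 1
}

# has_token CELL OUTPUT: succeed when OUTPUT (text from `tokens`) lists a token for CELL.
has_token() {
    printf '%s\n' "$2" | grep -qF -- "Tokens for afs@$1 "
}

# token_expiry CELL OUTPUT: print the expiry text of CELL's token, e.g. "Mar 2 20:41".
token_expiry() {
    printf '%s\n' "$2" | sed -n "s/.*Tokens for afs@$1 \[Expires \(.*\)\].*/\1/p"
}

# Constructed sample of what `tokens` prints after a successful afslog.
SAMPLE_TOKENS='Tokens held by the Cache Manager:

Tokens for afs@meiland.nl [Expires Mar 2 20:41]
   --End of list--'

# afs_login CELL: convert the current Kerberos ticket into an AFS token for
# CELL and confirm the Cache Manager actually holds it (needs a real client;
# kinit is assumed to have been run beforehand).
afs_login() {
    cell=$1
    cmd=$(find_afs_token_cmd) || { echo "no afslog/aklog/afs5log in PATH" >&2; return 1; }
    "$cmd" "$cell" || return 1
    out=$(tokens)
    has_token "$cell" "$out" || { echo "no token for $cell after $cmd" >&2; return 1; }
    echo "token for $cell expires $(token_expiry "$cell" "$out")"
}
```

Usage on a real client is `afs_login meiland.nl` after `kinit`; a script that stops when `has_token` fails avoids the confusing "permission denied" errors that appear when the ticket was obtained but never converted.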
AFS design
One of the great things about AFS is that it is a global file system: it has a namespace through which all available AFS cells (an AFS cell is an administrative unit) can be reached. The root of the namespace is usually the /afs directory. When you run ls in this root directory, arla contacts the vlserver of its parent cell to query the available cells and displays them:
#>ls /afs
.e.kth.se  besserwisser.org  iastate.edu  ncsa.uiuc.edu            stacken.kth.se
.kth.se    cern.ch           ies.auc.dk   northstar.dartmouth.edu  su.se
...
If you go a step further into the filesystem and query e.g. the cell stacken.kth.se, arla will first contact the vlserver of this cell to locate the root volume of the cell. Next arla contacts the fileserver holding this volume to obtain the actual data:
#>ls /afs/stacken.kth.se
admin         hp_ux102     i386_fbsd_51  i386_obsd29  pkg      sparc_nbsd13  sun4c_open_21  usr
alpha_dux40d  i386_fbsd22  i386_linux24  i386_obsd30  pkg.old  sparc_nbsd14  sun4m_413      var
...
Something similar happens when contacting the cell pitt.edu:
#>ls /afs/pitt.edu
backup  pittnet  usr11  usr19  usr26  usr33  usr40  usr48  usr55  usr62  usr7   usr77  usr84  usr91  usr99
class   public   usr12  usr2   usr27  usr34  usr41  usr49  usr56  usr63  usr70  usr78  usr85  usr92  web
...
The example above shows two great features. First, AFS allows a user to browse through cells all over the world as simply as moving through a local filesystem. Second, it does not require any knowledge of servers or shares within a cell: the namespace takes care of providing a view and pointing to the correct fileservers.
Have a look here to find more info on the server side.
AFS usage
anonymous and authenticated access
The above ls examples can be done by anyone, since you are by definition part of the system:anyuser group. This group normally has list and read rights on the root of an AFS cell.
#> fs listacl /afs/meiland.nl/
Access list for /afs/meiland.nl/ is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
When descending into a directory to which you don't have rights, you will be stopped:
#> fs la /afs/meiland.nl/users/hugo/
fs: You don't have the required access rights on '/afs/meiland.nl/users/hugo/'
After becoming an authenticated user:
#> kinit hugo
hugo@MEILAND.NL's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
#> afslog meiland.nl
#> tokens
Tokens held by the Cache Manager:
Tokens for afs@meiland.nl [Expires Mar 2 20:41]
   --End of list--
#> fs la /afs/meiland.nl/users/hugo
Access list for /afs/meiland.nl/users/hugo is
Normal rights:
  system:administrators rlidwka
  hugo rlidwka
#> echo "hello afs" > /afs/meiland.nl/users/hugo/hello.txt
#> cat /afs/meiland.nl/users/hugo/hello.txt
hello afs
There are 7 access rights that can be granted on a directory (or on the files in that directory):
- r: read (files)
- l: list (directory)
- i: insert (directory)
- d: delete (directory)
- w: write (files)
- k: lock (files)
- a: administer (directory)
These ACLs can only be set on directories, not on individual files.
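Because r, w and k apply to every file in the directory, a directory whose ACL grants system:anyuser or system:authuser more than "rl" exposes all of its contents to anonymous or any authenticated user. The following POSIX sh/awk check is an added example, not code from the original page or from Arla/OpenAFS: it audits the "Normal rights" section of `fs listacl` output and reports those two broad groups whenever they hold any of i, d, w, k or a. Both ACL samples are constructed (the second mirrors the root ACL shown above), so the check runs without an AFS client; on a real system you would feed it `fs listacl "$dir"` instead.

```shell
# Added example (not from the original page): flag broad-group ACL entries
# that grant more than read (r) and list (l).

# Constructed sample: a user directory accidentally made world-writable.
SAMPLE_ACL='Access list for /afs/meiland.nl/users/hugo/public is
Normal rights:
  system:administrators rlidwka
  hugo rlidwka
  system:authuser rl
  system:anyuser rlidwk
Negative rights:
  system:anyuser d'

# Constructed sample matching the cell root ACL shown earlier on the page.
SAMPLE_SAFE_ACL='Access list for /afs/meiland.nl/ is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl'

# rights_beyond_rl RIGHTS: print the letters of RIGHTS other than r and l.
rights_beyond_rl() {
    printf '%s\n' "$1" | tr -d 'rl\n'
}

# audit_acl ACL_OUTPUT: for each system:anyuser / system:authuser entry in the
# Normal rights section that carries rights beyond r and l, print
# "principal extra-rights". Exit status 1 if any such entry exists, else 0.
# Entries under "Negative rights:" are deliberately ignored: they remove
# rights rather than grant them.
audit_acl() {
    printf '%s\n' "$1" | awk '
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && ($1 == "system:anyuser" || $1 == "system:authuser") {
            extra = $2
            gsub(/[rl]/, "", extra)
            if (extra != "") { print $1, extra; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}
```

A cell-wide sweep is then a matter of `find /afs/<cell>/users -type d -exec sh -c 'fs listacl "$1" | audit_acl_from_stdin' ...` or simply looping over the directories of interest and calling `audit_acl "$(fs listacl "$d")"`; the non-zero exit status makes the check easy to wire into a cron job that mails a report.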
- ls
- volume properties
- quota
- directory acl
Arla support and FreeBSD
| FreeBSD version | Supported Arla versions | Notes |
| --- | --- | --- |
| FreeBSD 8.x | Arla CVS | Arla support for FreeBSD 8.x is still being merged into Arla CVS |
| FreeBSD 7.0 | Arla CVS | tested on FreeBSD 7.0-release |
| FreeBSD 6.x | Arla CVS | tested on FreeBSD 6.3 |
| FreeBSD 5.x | Arla-0.43 | tested on FreeBSD 5.5 |
| FreeBSD 4.x | not supported | tested Arla 0.39 up to 0.43 on FreeBSD 4.11 |
Arla installation through ports
#>cd /usr
#>fetch http://setfilepointer.com/pub/afs/FreeBSD/arla-devel.tgz
#>tar zxvf arla-devel.tgz
#>cd ports/net/arla-devel
#>make
#>make install
#>/usr/local/arla/sbin/startarla
(tested on FreeBSD 6.2, 6.3 and FreeBSD 7.0-release)
#>/usr/local/arla/sbin/startarla
#>ls /afs
alfvenlab.kth.se  cs.wisc.edu          ir.stanford.edu          nxs.se             su.se
andrew.cmu.edu    dementia.org         isk.kth.se               openafs.org        telge.kth.se
assv.net          desy.de              it.kth.se                pdc.kth.se         tu-chemnitz.de
asu.edu           dev.mit.edu          kth.se                   pi.infn.it         umich.edu
athena.mit.edu    e.kth.se             mech.kth.se              pitt.edu           umr.edu
besserwisser.org  ece.cmu.edu          msc.cornell.edu          sanchin.se         wam.umd.edu
cern.ch           iastate.edu          nada.kth.se              sipb.mit.edu
club.cc.cmu.edu   ies.auc.dk           ncsa.uiuc.edu            slac.stanford.edu
cmf.nrl.navy.mil  ipp-garching.mpg.de  northstar.dartmouth.edu  stacken.kth.se
Note that the above list of cells in /afs will vary based on the version of CellServDB and/or the default cell configured in the client. New versions of CellServDB can be downloaded from grand.central.org.
Arla installation from source
#>fetch ftp://ftp.stacken.kth.se/pub/arla/arla-0.43.tar.gz
#>tar zxvf arla-0.43.tar.gz
#>cd arla-0.43
#>./configure
#>make
#>make install
#>/usr/arla/sbin/startarla
(tested on FreeBSD-5.5)