Ensure file system ACLs of all files/directories are consistent with the type and state of data.

[pdblood]

Once data are uploaded, they pass through various states (upload, ingest, processing, QA, publication) and move to various locations on the file system. We want to ensure that file access controls are consistent with HuBMAP policy and best practices each time a change of state or location occurs.

See here for current policy:
https://docs.google.com/document/d/1pE-XxWVWhUHMQapTzX_VbUXHmYm7gRanMWG6BGEiXks/edit

[Daghis]

I had been considering a Python script, but it appears that Puppet can handle this far more easily.

For reference, I'm looking at posix_acl.

[Daghis]

Puppet code written to manage ACLs.

I'm making a replica data tree (same directory layout, same permissions, all data replaced with random 4K data files). This tree will test validation and correction as well as measuring performance. (The current filesystem makes this a very expensive operation, so gathering the "cost" will permit us to propose a run frequency.)

[Daghis]

Passed along proposed ACL setup (promoting hubmap and hubseq to Unix GID permissions and other minor tweaks) as well as a script that should be run daily/weekly (depending on how long it takes to complete). It's a security consideration given the protected information, so it is recommended to do this as a backup.

This information was passed to Bill for review before running it. Talked with Tod Pike about having a repository for configuration files and setting up a cronjob to run this periodically.

Notes were collected (including copy-and-pastes of the source files) in this doc.