Managing Users
Add system users on your computer, and configure the account for the fasp transfer.
Aspera transfer products use system accounts for connection authentication, and these accounts require additional configuration for Aspera transfers. You may specify user-based settings, such as bandwidth, document root (docroot), and file handling rules.
Follow these steps to set up transfer accounts in a command terminal:
On top of SSH authentication, Connect Server uses Apache's authentication to authorize Web UI access. To set up a system user (asp1 in this example) for Apache authentication, use the htpasswd command to add the user to the Web UI password file:
$ htpasswd /opt/aspera/etc/webpasswd asp1
To set up system users for fasp file transfers, locate the Aspera transfer product's configuration file, aspera.conf, and open it with a text editor:
/opt/aspera/etc/aspera.conf
You can find an example of aspera.conf in the following location:
/opt/aspera/etc/samples/aspera-everything.conf
The following steps explain how to update this file.
When setting up a test user for the Web UI, the following default setting is created. This setting sets the token key and docroot for all users:
Item | Value |
---|---|
String for generating the token | secRet |
Default docroot | /sandbox/$(name) |
<CONF version="2">
  <default>
    <authorization>
      <value>allow</value> <!-- Allow token authentication for HTTP -->
      <token>
        <encryption_key>secRet</encryption_key> <!-- String for token -->
      </token>
    </authorization>
    <file_system>
      <access><paths><path>
        <absolute>/sandbox/$(name)</absolute> <!-- Default docroot -->
      </path></paths></access>
    </file_system>
  </default>
  ...
</CONF>
Notice that the docroot setting uses a substitutional string, $(name). If your system users' docroot settings follow a pattern (for example, /sandbox/username), you can take advantage of this feature. The substitutional string lets you assign an independent docroot to each user by means of a single default setting, instead of setting a docroot for each user individually.
Substitutional String | Definition | Example |
---|---|---|
$(name) | The system user's name. | /sandbox/$(name) |
By default, all system users can establish a fasp connection and are only restricted by file permissions. You can restrict the user's file operations through the aspshell, which permits only the following operations:
The following steps explain how to change a user account so that it uses the aspshell. Keep in mind that this is an example, and there may be other ways to do so on your system. Open the following file with a text editor:
/etc/passwd
Add or replace the user's shell with aspshell. For example, to apply aspshell to the user asp1, use the following settings in this file:
...
asp1:x:501:501:...:/home/asp1:/bin/aspshell
...
You can also restrict a user's file access with docroot (document root) settings in the <file_system /> section of aspera.conf, using the following tags: <absolute />, <read_allowed />, <write_allowed />, and <dir_allowed />. For details, see aspera.conf - File System.
Besides the default (global) transfer settings, you can also create user-specific and group-specific transfer settings. The user-specific settings have the highest priority, overriding both group and global settings.
Add the following section to aspera.conf:
<?xml version='1.0' encoding='UTF-8'?>
<CONF version="2">
  <aaa>
    <realms>
      <realm>
        <users>
          <user> <!-- Each user tag contains a user's profile. -->
            <name>asp1</name> <!-- user name -->
            <authorization>...</authorization> <!-- authorization settings -->
            <transfer>...</transfer> <!-- transfer settings -->
            <file_system>...</file_system> <!-- file system settings -->
          </user>
          <user><!-- another user's profile -->
            ... <!-- settings -->
          </user>
        </users>
      </realm>
    </realms>
  </aaa>
  ...
</CONF>
When you have finished updating the user's settings in aspera.conf, use the following command to verify them (in this example, the settings of the user asp1):
$ /opt/aspera/bin/asuserdata -b -u asp1
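The following is an added example, not part of the Aspera documentation or product: an offline cross-check of the settings described above. For each user listed in aspera.conf it resolves the effective docroot (user value first, then the default, with $(name) substituted), compares the login shell in /etc/passwd against aspshell, and reports whether the token encryption key is still the sample string secRet. It assumes a user's docroot sits under the same file_system/access/paths/path/absolute element as the default, ignores group-specific settings, and uses hypothetical function names and constructed sample input.

```python
import xml.etree.ElementTree as ET
# Constructed sample inputs modelled on this page's snippets (not a real host).
SAMPLE_CONF = """<CONF version="2">
<default>
  <authorization><value>allow</value>
    <token><encryption_key>secRet</encryption_key></token></authorization>
  <file_system><access><paths><path>
    <absolute>/sandbox/$(name)</absolute></path></paths></access></file_system>
</default>
<aaa><realms><realm><users>
  <user><name>asp1</name><file_system><access><paths><path>
    <absolute>/data/asp1</absolute></path></paths></access></file_system></user>
  <user><name>asp2</name></user>
</users></realm></realms></aaa>
</CONF>"""
SAMPLE_PASSWD = "asp1:x:501:501::/home/asp1:/bin/aspshell\nasp2:x:502:502::/home/asp2:/bin/bash\n"
DOCROOT = "file_system/access/paths/path/absolute"  # assumed same layout per user
TOKEN_KEY = "authorization/token/encryption_key"

def effective(user, default, path):
    """User-specific value if present, else the global default (groups not modelled)."""
    for node in (user, default):
        text = (node.findtext(path) or "").strip() if node is not None else ""
        if text:
            return text
    return None

def audit(conf_xml, passwd_text, sample_key="secRet"):
    """Return {user: {"docroot": ..., "shell": ..., "findings": [...]}}."""
    root = ET.fromstring(conf_xml)
    default = root.find("default")
    fields = (line.split(":") for line in passwd_text.splitlines())
    shells = {f[0]: f[6] for f in fields if len(f) == 7}
    report = {}
    for user in root.iterfind("aaa/realms/realm/users/user"):
        name = (user.findtext("name") or "").strip()
        docroot = effective(user, default, DOCROOT)
        docroot = docroot and docroot.replace("$(name)", name)  # substitutional string
        findings = []
        if docroot is None:
            findings.append("no docroot configured")
        if not shells.get(name, "").endswith("/aspshell"):
            findings.append("login shell is not aspshell")
        if effective(user, default, TOKEN_KEY) == sample_key:
            findings.append("token encryption_key is the documentation sample")
        report[name] = {"docroot": docroot, "shell": shells.get(name), "findings": findings}
    return report
if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_PASSWD))
```

To check a real host, pass the contents of /opt/aspera/etc/aspera.conf and /etc/passwd instead of the samples; system users that have no entry in aspera.conf are not covered by this report.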