Setting Up Transfer Users (Terminal)

Aspera transfer products use system accounts for connection authentication, and these accounts require additional configuration for Aspera transfers. You can specify user-based settings, such as bandwidth, document root (docroot), and file handling rules.

Follow these steps to set up transfer accounts in a command terminal:

  1. Create default (global) transfer settings.
    To set default values to authorize transfers in and out, set the encryption key, and set the default docroot, run the following commands (if not already set):
    $ asconfigurator -x "set_node_data;authorization_transfer_in_value,allow"
    $ asconfigurator -x "set_node_data;authorization_transfer_out_value,allow"
    $ asconfigurator -x "set_node_data;token_encryption_key,token_key"
    $ asconfigurator -x "set_node_data;absolute,docroot"

    These commands create the following lines in aspera.conf, which is located at:

    /opt/aspera/etc/aspera.conf

    In the example below, the encryption key is secRet and the default docroot is /sandbox/$(name). You can use the substitution string $(name) in the docroot setting when your system users' docroot settings follow a pattern, for example /sandbox/(user name). This way you can assign an independent docroot to each user by setting only the default docroot, instead of adding a docroot for each user.

    <CONF version="2">
       ...
       <default>
        <authorization>
           <transfer>
            <in>
              <value>allow</value>
            </in>
            <out>
              <value>allow</value>
            </out>
          </transfer>
          <token>
            <encryption_key>secRet</encryption_key>
          </token>
        </authorization>
        <file_system>
          <access>
            <paths>
              <path>
                <absolute>/sandbox/$(name)</absolute>
              </path>
            </paths>
          </access>
        </file_system>
        ...
       </default>
    </CONF>
  2. Restrict user permissions with aspshell.
    By default, all system users can establish a FASP connection and are only restricted by file permissions. You can restrict the user's file operations through the aspshell, which permits only the following operations:
    • Running Aspera uploads and downloads to or from this computer.
    • Establishing connections in the application, and browsing, creating, deleting, renaming, or listing contents.

    These instructions explain one way to change a user account so that it uses the aspshell; there may be other ways to do so on your system.

    Open the following file with a text editor:

    /etc/passwd

    Add or replace the user's shell with aspshell. For example, to apply aspshell to the user aspera_user_1, use the following settings in this file:

    ...
    aspera_user_1:x:501:501:...:/home/aspera_user_1:/bin/aspshell
    ...

    You can also restrict a user's file access with docroot (document root) settings in the <file_system/> section of aspera.conf, using the following tags: <absolute/>, <read_allowed/>, <write_allowed/>, and <dir_allowed/>. For details, see aspera.conf - File System.

  3. Configure a user's transfer settings.
    Besides the default (global) transfer settings, you can also create user-specific transfer settings. Point-to-Point picks up settings in the order of user, global, and default. In the following example, Point-to-Point applies the first value set in that order to aspera_user_1: target rate 5M (user), docroot /pod/$(name) (global), and encryption any (default).

    Settings      User aspera_user_1   Global         Default
    Target rate   5M                   40M            45M
    Docroot       n/a                  /pod/$(name)   n/a
    Encryption    n/a                  n/a            any

    To set user-specific values to authorize transfers in and out, set the user's docroot, and set the user's target rate, run the following commands:

    $ asconfigurator -x "set_user_data;user_name,username;authorization_transfer_in_value,allow"
    $ asconfigurator -x "set_user_data;user_name,username;authorization_transfer_out_value,allow"
    $ asconfigurator -x "set_user_data;user_name,username;absolute,docroot"
    $ asconfigurator -x "set_user_data;user_name,username;transfer_in_bandwidth_flow_target_rate_default,rate"
    $ asconfigurator -x "set_user_data;user_name,username;transfer_out_bandwidth_flow_target_rate_default,rate"

    These commands add the following section to aspera.conf, found in:

    /opt/aspera/etc/aspera.conf

    <?xml version='1.0' encoding='UTF-8'?>
    <CONF version="2">
        <aaa>
            <realms>
                <realm>
                    <users>
                        <user>
                            <name>username</name>
                            <authorization>
                                <transfer>
                                    <in>
                                        <value>allow</value>
                                    </in>
                                    <out>
                                        <value>allow</value>
                                    </out>
                                </transfer>
                            </authorization>
                            <file_system>
                                <access>
                                    <paths>
                                        <path>
                                            <absolute>docroot</absolute>
                                        </path>
                                    </paths>
                                </access>
                            </file_system>
                            <transfer>
                                <in>
                                    <bandwidth>
                                        <flow>
                                            <target_rate>
                                                <default>rate_in</default>
                                            </target_rate>
                                        </flow>
                                    </bandwidth>
                                </in>
                                <out>
                                    <bandwidth>
                                        <flow>
                                            <target_rate>
                                                <default>rate_out</default>
                                            </target_rate>
                                        </flow>
                                    </bandwidth>
                                </out>
                            </transfer>
                        </user>
                    </users>
                </realm>
            </realms>
        </aaa>
       ...
    </CONF>

    For more information about other user settings, see aspera.conf - Authorization, aspera.conf - Transfer, and aspera.conf - File System.

  4. Verify the configuration.
    If you edit aspera.conf directly in a text editor, run the following command to verify the XML syntax and values:
    # /opt/aspera/bin/asuserdata -v
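
The steps above can be cross-checked with a short audit script. The following is an added example, not part of the Aspera documentation or tooling: it reads the aspera.conf layout shown on this page, resolves each listed user's effective docroot (the user's own value first, then the default with $(name) expanded), and flags accounts whose login shell is not aspshell. The sample configuration, the /etc/passwd lines, the path /data/user1, and the function name audit are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample data, modeled on the aspera.conf and /etc/passwd excerpts on this page.
CONF = """<CONF version="2">
  <aaa><realms><realm><users>
    <user><name>aspera_user_1</name>
      <file_system><access><paths><path><absolute>/data/user1</absolute></path></paths></access></file_system>
    </user>
    <user><name>aspera_user_2</name></user>
  </users></realm></realms></aaa>
  <default>
    <file_system><access><paths><path><absolute>/sandbox/$(name)</absolute></path></paths></access></file_system>
  </default>
</CONF>"""
PASSWD = """aspera_user_1:x:501:501::/home/aspera_user_1:/bin/aspshell
aspera_user_2:x:502:502::/home/aspera_user_2:/bin/bash
"""

DOCROOT = "file_system/access/paths/path/absolute"

def audit(conf_xml, passwd_text):
    """Return {user: (effective docroot, login shell, findings)}."""
    root = ET.fromstring(conf_xml)
    default_docroot = root.findtext("default/" + DOCROOT) or ""
    shells = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:              # name:pw:uid:gid:gecos:home:shell
            shells[fields[0]] = fields[6]
    report = {}
    for user in root.iterfind("aaa/realms/realm/users/user"):
        name = user.findtext("name", "")
        # A user-specific docroot wins; otherwise the default applies with $(name) expanded.
        docroot = user.findtext(DOCROOT) or default_docroot.replace("$(name)", name)
        shell = shells.get(name)
        findings = []
        if not docroot:
            findings.append("no docroot: limited only by file permissions")
        if shell is None:
            findings.append("no system account")
        elif not shell.endswith("/aspshell"):
            findings.append("shell is not aspshell")
        report[name] = (docroot, shell, findings)
    return report

if __name__ == "__main__":
    for name, (docroot, shell, findings) in audit(CONF, PASSWD).items():
        print(name, docroot, shell, findings or "ok")
```

The script only inspects the two files as text; asuserdata -v remains the check for whether aspera.conf itself is valid.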