Setting Up Transfer Users

Aspera transfer products use system accounts to authenticate transfers, but these accounts require additional configuration. You can set global values for default transfer rate, docroot, and file handling rules, and can also specify user-specific settings.

Follow these steps to set up transfer accounts in a command terminal:

  1. Create default (global) transfer settings.
    To set default values to authorize transfers in and out, set the encryption key, and set the default docroot for all users, run the following commands (if not already set):
    $ asconfigurator -x "set_node_data;authorization_transfer_in_value,allow"
    $ asconfigurator -x "set_node_data;authorization_transfer_out_value,allow"
    $ asconfigurator -x "set_node_data;token_encryption_key,token_key"
    $ asconfigurator -x "set_node_data;absolute,docroot"

    These create the following lines in aspera.conf, found in the following location:

    In the example below, the encryption key is secRet and the default docroot is /sandbox/$(name). You can use the substitution string $(name) in the docroot setting if your system users' docroots follow a pattern, for example /sandbox/(user name). This lets you assign an independent docroot to each user by setting only the default docroot, instead of adding a docroot for each user.

    <CONF version="2">
      ...
      <default>
        <authorization>
          <transfer>
            <in>
              <value>allow</value>
            </in>
            <out>
              <value>allow</value>
            </out>
          </transfer>
          <token>
            <encryption_key>secRet</encryption_key>
          </token>
        </authorization>
        <file_system>
          <access>
            <paths>
              <path>
                <absolute>/sandbox/$(name)</absolute>
              </path>
            </paths>
          </access>
        </file_system>
        ...
      </default>
    </CONF>
  2. Restrict user permissions with aspshell.
    By default, all system users can establish a FASP connection and are only restricted by file permissions. You can restrict the user's file operations through the aspshell, which permits only the following operations:
    • Running Aspera uploads and downloads to or from this computer.
    • Establishing connections in the application.
    • Browsing, listing, creating, renaming, or deleting contents.

    These instructions explain one way to change a user account so that it uses the aspshell; there may be other ways to do so on your system.

    Modify the passwd file to update user accounts to the aspshell.

    /etc/passwd

    Add or replace the user's shell with aspshell. For example, to apply aspshell to the user aspera_user_1, use the following settings in this file:

    ...
    aspera_user_1:x:501:501:...:/home/aspera_user_1:/bin/aspshell
    ...
  3. Configure user-specific transfer settings.
    Besides the default (global) transfer settings, you can also create user-specific and group-specific transfer settings. The user-specific settings have the highest priority, overriding both group and global settings.

    To set user-specific values to authorize transfers in and out, set the user's docroot, and set the user's target rates, run the following commands:

    $ asconfigurator -x "set_user_data;user_name,username;authorization_transfer_in_value,allow"
    $ asconfigurator -x "set_user_data;user_name,username;authorization_transfer_out_value,allow"
    $ asconfigurator -x "set_user_data;user_name,username;absolute,docroot"
    $ asconfigurator -x "set_user_data;user_name,username;transfer_in_bandwidth_flow_target_rate_default,rate"
    $ asconfigurator -x "set_user_data;user_name,username;transfer_out_bandwidth_flow_target_rate_default,rate"

    These commands add the following section to aspera.conf, found in:

    <?xml version='1.0' encoding='UTF-8'?>
    <CONF version="2">
        <aaa>
            <realms>
                <realm>
                    <users>
                        <user>
                            <name>username</name>
                            <authorization>
                                <transfer>
                                    <in>
                                        <value>allow</value>
                                    </in>
                                    <out>
                                        <value>allow</value>
                                    </out>
                                </transfer>
                            </authorization>
                            <file_system>
                                <access>
                                    <paths>
                                        <path>
                                            <absolute>docroot</absolute>
                                        </path>
                                    </paths>
                                </access>
                            </file_system>
                            <transfer>
                                <in>
                                    <bandwidth>
                                        <flow>
                                            <target_rate>
                                                <default>rate_in</default>
                                            </target_rate>
                                        </flow>
                                    </bandwidth>
                                </in>
                                <out>
                                    <bandwidth>
                                        <flow>
                                            <target_rate>
                                                <default>rate_out</default>
                                            </target_rate>
                                        </flow>
                                    </bandwidth>
                                </out>
                            </transfer>
                        </user>
                    </users>
                </realm>
            </realms>
        </aaa>
       ...
    </CONF>

    For more information about other user settings, see aspera.conf - Authorization, aspera.conf - Transfer, and aspera.conf - File System.

  4. Verify the configuration.
    If you modify aspera.conf by editing the text, use the following command to verify the XML form and values:
    # /opt/aspera/bin/asuserdata -v
  5. Restart asperanoded and asperacentral to activate your changes.
    Run the following command to restart asperanoded:
    # /etc/init.d/asperanoded restart
    Run the following commands in a terminal window to restart asperacentral:
    # /etc/init.d/asperacentral stop
    # /etc/init.d/asperacentral start