Access Control Lists on NFSv4
This manual describes one of many possibilities how to share data between users. Access Control Lists on NFSv4 allow to set up access rights for the files and directories. This manual assumes the reader's knowledge of standard POSIX access rights.
Tool for ACL setting
Available tools nfs4_getfacl, nfs4_setfacl a nfs4_editfacl in module nfs4acl -
module add nfs4acl
General rules are:
- After manipulating with ACL on NFSv4 level, it is no longer recommended to use the standard POSIX chmod command on the files and directories (can change the ACL setting in an unwanted way)
- the ls -l command does not show the correct permissions when the ACLs are set, nfs4_getfacl command must be used.
We strongly recommend do not mix the POSIX access and NFSv4 ACL (for example, separate the directory in which you are using NFSv4 ACL).
- Program nfs4_getfacl
$ nfs4_getfacl /storage/home/xhejtman/c A::OWNER@:rtTcCy A::GROUP@:rtcy A::EVERYONE@:rtcy
- The meaning of the fields <type>:<flags>:<principal>:<permissions>
- The meaning is explained in the nfs4_acl man page, common options are:
- A - allow
- D - disable (deny)
- D is a standard policy for everything that is not explicitly allowed; it is usually not necessary to write D rules explicitly. If you are doing more complicated constructions combining A and D rules (group exceptions, etc.) check nfs4_acl.
- 'f' inherit ACL on files (for directories)
- 'd' inherit ACL on directories (for directories)
- 'g' principal is a group
- user or group name, eg. xhejtman@META
- special OWNER@, GROUP@, EVERYONE@, which correspond to standard Unix User/Group/Other
- 'r' read file/directory listing
- 'w' write to file/create file in directory
- 'and' assign to file/create subdirectory
- 'x' execute
- 'd' deletion
- 'D' delete a subdirectory or file
- 't' read attributes
- 'T' write attribute
- 'n' read named attributes
- 'N' write named attributes
- 'c' read ACL
- 'C' write ACL
- 'o' change the owner of the file or directory
- 'y' will enable synchronized reading and writing of data from/to the server
- When setting up the rights, you can use the 'R', 'W' and 'X' abbreviations for general read, write, and execute. They expand to detailed lists as above (details in the nfs4_setfacl manual):
- 'R' = rntcy
- 'W' = watTNcCy (for extra D directories)
- 'X' = xtcy
- Recommended path: nfs4_editfacl opens a text editor for editing permissions (according to EDITOR settings)
- Adding a specific ACL is done by simply adding a line, deleting ACL is done by simply deleting a line, rows can be edited arbitrarily.
- After editing the rights, we recommend checking that the operation has been performed (using nfs4_getfacl or check the editor again).
- From the command line: nfs4_setfacl
- nfs4_editfacl is an abbreviation for nfs4_setfacl -e
- otherwise nfs4_setfacl rather not recommended. Using the -s and -a options is non-intuitive
- Add read and write permission to the file:
$ nfs4_setfacl -e /storage/home/xhejtman/c … editing in text… A::OWNER@:rtTcCy A::antos@META:rwatcy A::GROUP@:rtcy A::EVERYONE@:rtcy
Setting rights interactively
Easily set up rights for a directory like this:
$ nfs4_setfacl -e /storage/home/xhejtman/xxx
This command will open a file with the rights to the specified directory in the vi text editor. Just type the line into (first, press the i key for editing):
Then save the file: first with the Esc key, then enter :wq and Enter.
Setting the rights in the job
First, you have to prepare an ACL file that we then use to set the rights in the batch:
$ nfs4_getfacl . >acl_spec # actual rights $ sed -n 's/^A::OWNER@:/A::jeronimo@META:/p' acl_spec >>acl_spec # same for others
This will set the same rights for user jeronimo@META as for the owner of the directory. Check:
$ cat acl_spec A::OWNER@:rwaDxtTcCy A::jeronimo@META:rwaDxtTcCy A::GROUP@:rxtcy A::EVERYONE@:rxtcy
Apply the ACL file (acl_spec) to the directory or files by:
$ nfs4_setfacl -R -S acl_spec dirs... files...