NFSv4 ACLs
Latest revision as of 12:43, 2 January 2024
NFSv4 ACLs (Access Control Lists) are a mechanism for setting access controls on network-mounted (NFSv4) filesystems that supplements traditional Unix permissions.[1]
Commands

Command | Description
---|---
nfs4_setfacl | adds, removes, or modifies the ACL of a file or directory. -a adds the specified Access Control Entry (ACE, defined below), i.e. a new rule; -x removes an ACE; -m from_ace to_ace replaces one ACE with another; -s sets the whole ACL from the command line and -S sets it from a file, replacing the existing ACL; -e opens the ACL in an editor; -R applies the operation recursively. This is also the command used for troubleshooting incorrect ACLs and fixing permissions that have gotten out of whack.
nfs4_getfacl | prints the ACL of a file or directory
Access Control Entry (ACE)

ACE structure format:

[access type]:[flags]:[principal]:[permissions]

Where:

ACE entry | Description
---|---
access type | 'A' denotes an Allow ACE; 'D' denotes a Deny ACE. ACEs are evaluated in order: for each requested permission bit, the first ACE that matches the principal and mentions that bit decides, so a Deny placed after an Allow of the same bits has no effect.
flags | zero or more of: 'f' (file inherit: new files created in the directory get this ACE), 'd' (directory inherit: new subdirectories get it), 'n' (no-propagate: inherit one level only), 'i' (inherit-only: new files and subdirectories get this ACE, but it does not apply to the directory that carries it), 'g' (the principal is a group). The inheritance flags only make sense on directories.
principal | who the ACE applies to: a user (e.g. user@osc.edu), a group (when the principal is a group you need to add the group flag 'g', e.g. A:g:group@osc.edu:rxtncy), or one of the special principals OWNER@, GROUP@ and EVERYONE@
permissions | one letter per permission bit: r (read data / list directory), w (write data / create file), a (append data / create subdirectory), x (execute / traverse directory), d (delete), D (delete child), t (read attributes), T (write attributes), n (read named attributes), N (write named attributes), c (read ACL), C (write ACL), o (change owner), y (synchronous I/O). Similarly to POSIX read/write/execute, the aliases 'R', 'W' and 'X' expand to R = rntcy, W = watTNcCy (plus D on directories) and X = xtcy.
Examples[2]
Check ACL on file or folder
$ nfs4_getfacl <file-or-folder>
Using an ACL file

The ACL can also be written once in a file and applied with -S. This avoids duplicate entries and keeps the ACL consistent across directories. Note that -S replaces the existing ACL rather than adding to it, -R applies it to everything under the target, and the 'fdg' flags on the first entry below make new files and subdirectories created under share_group inherit that entry.
$ cat << EOF > ~/group_acl.txt
A:fdg:clntstf@example.com:rxtncy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:tcy
A::EVERYONE@:rxtncy
EOF
$ nfs4_setfacl -R -S ~/group_acl.txt ~/share_group
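The following is an added example (Python), not code from the original page or from nfs4-acl-tools. It parses ACEs in the nfs4_setfacl syntax described above, expands the R/W/X aliases the way nfs4_setfacl(1) documents them, checks whether an ACE is already present in nfs4_getfacl output (useful because nfs4_setfacl -a adds a new entry each time it runs), and lints an ACL for entries that can never take effect or that make a tree world-writable. The nfs4_getfacl output in SAMPLE_GETFACL and the principal names are constructed for the demonstration.

```python
"""Parse, expand and sanity-check NFSv4 ACEs written in nfs4_setfacl syntax.

Added example, not part of the original page and not code from nfs4-acl-tools.
It follows the ACE syntax and the R/W/X aliases documented in nfs4_setfacl(1);
SAMPLE_GETFACL and the principal names are constructed for the demonstration.
"""
import re

PERM_ORDER = "rwaxdDtTnNcCoy"                           # permission bits, nfs4_setfacl(1) order
ALIASES = {"R": "rntcy", "W": "watTNcCy", "X": "xtcy"}  # alias expansions from nfs4_setfacl(1)
FLAG_BITS = set("fdniSFgOGE")                           # inheritance, audit and principal-type flags
INHERIT_FLAGS = set("fdni")
WRITE_LIKE = set("wadDCo")                              # bits that change data, names, the ACL or the owner
_ACE_RE = re.compile(r"^([ADUL]):([A-Za-z]*):([^:]+):([A-Za-z]+)$")


def _fmt(bits):
    """Render a set of permission bits in canonical order."""
    return "".join(b for b in PERM_ORDER if b in bits)


def expand_perms(perms, is_dir=False):
    """Expand R/W/X aliases; nfs4_setfacl adds D (delete child) to W on directories."""
    bits = set()
    for ch in perms:
        if ch in ALIASES:
            bits.update(ALIASES[ch])
            if ch == "W" and is_dir:
                bits.add("D")
        elif ch in PERM_ORDER:
            bits.add(ch)
        else:
            raise ValueError(f"unknown permission bit {ch!r} in {perms!r}")
    return _fmt(bits)


def parse_ace(text, is_dir=False):
    """Split one 'type:flags:principal:perms' entry and validate each field."""
    m = _ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ACE: {text!r}")
    ace_type, flags, principal, perms = m.groups()
    bad = set(flags) - FLAG_BITS
    if bad:
        raise ValueError(f"unknown flag(s) {''.join(sorted(bad))!r} in {text!r}")
    return {"type": ace_type, "flags": flags, "principal": principal,
            "perms": expand_perms(perms, is_dir)}


def parse_acl(text, is_dir=False):
    """Parse nfs4_getfacl output or an nfs4_setfacl -S file; '#' lines are comments."""
    return [parse_ace(line, is_dir) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def _key(ace):
    return (ace["type"], frozenset(ace["flags"]), ace["principal"], frozenset(ace["perms"]))


def ace_present(desired, current_acl_text, is_dir=False):
    """True if an equivalent ACE is already in the ACL, so nfs4_setfacl -a would only duplicate it."""
    want = _key(parse_ace(desired, is_dir))
    return any(_key(ace) == want for ace in parse_acl(current_acl_text, is_dir))


def lint_acl(acl_text, is_dir=False):
    """Warn about ACEs that can never take effect or that grant write access to everyone.

    NFSv4 decides each requested bit by the first ACE in order that matches the
    principal and mentions that bit, so a Deny placed after an Allow of the same
    bits for the same principal is dead.  Only same-principal shadowing is checked.
    """
    warnings = []
    allowed = {}                          # principal -> bits already granted by earlier Allow ACEs
    for ace in parse_acl(acl_text, is_dir):
        who, flags, bits = ace["principal"], set(ace["flags"]), set(ace["perms"])
        if flags & INHERIT_FLAGS and not is_dir:
            warnings.append(f"{who}: inheritance flags have no effect on a file")
        if "i" in flags and not flags & {"f", "d"}:
            warnings.append(f"{who}: inherit-only ACE without f or d never applies to anything")
        if ace["type"] == "A":
            if who == "EVERYONE@" and bits & WRITE_LIKE:
                warnings.append(f"EVERYONE@ is allowed {_fmt(bits & WRITE_LIKE)}: world-writable")
            allowed.setdefault(who, set()).update(bits)
        elif ace["type"] == "D":
            shadowed = bits & allowed.get(who, set())
            if shadowed:
                warnings.append(f"{who}: Deny of {_fmt(shadowed)} comes after an Allow of the "
                                "same bits, so the earlier Allow wins and the Deny is dead")
    return warnings


# Constructed sample: the ACL file from the example above, as nfs4_getfacl prints it.
SAMPLE_GETFACL = """\
# file: share_group
A:fdg:clntstf@example.com:rxtncy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:tcy
A::EVERYONE@:rxtncy
"""

if __name__ == "__main__":
    print(expand_perms("RX"))                                                        # rxtncy
    print(ace_present("A:fdg:clntstf@example.com:RX", SAMPLE_GETFACL, is_dir=True))  # True
    print(ace_present("A::auser@example.com:R", SAMPLE_GETFACL))                     # False
    for w in lint_acl("A::EVERYONE@:RW\nD::EVERYONE@:w\n", is_dir=True):
        print("warning:", w)
```

Comparing entries as sets of bits rather than as strings is deliberate: nfs4_getfacl prints the OWNER@ entry above as rwaDxtTnNcCy, while expanding RWX for a directory yields the same bits in a different order. To make the check fit a real host, feed it the output of `nfs4_getfacl <path>` instead of SAMPLE_GETFACL and only run `nfs4_setfacl -a` when ace_present returns False.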
Using a single CLI command
1. Give auser read permissions to the file file1:
nfs4_setfacl -a "A::auser@example.com:R" file1
2. Allow the web server running as user userweb to access your personal web directory (webhome) and all files underneath. You can use the find command and its -exec option to run a command on a set of files:

find ~/webhome -type d -exec nfs4_setfacl -a "A::userweb@example.com:RX" {} \;

That command gives RX (i.e. read and execute) permissions to all directories (the -type d option to find) under the ~/webhome directory.

find ~/webhome -type f -exec nfs4_setfacl -a "A::userweb@example.com:R" {} \;

The second command gives userweb read (R) access to any non-directory file (-type f) in ~/webhome. You may want to do this if you want certain files to be accessible via the web, e.g. behind a password, but not to local EECS users; it is very useful for making answers to quizzes and similar material password protected. Two caveats: -a adds an entry each time it runs, so re-running these commands leaves duplicate ACEs (check with nfs4_getfacl first), and files created later under ~/webhome do not get the entry unless the directory ACE carries the inheritance flags f and d.
3. Give your research group named research1 read access to your project directory project1 (note the 'g' flag, since the principal is a group):

find project1 -type d -exec nfs4_setfacl -a "A:g:research1@example.com:RX" {} \;
find project1 -type f -exec nfs4_setfacl -a "A:g:research1@example.com:R" {} \;

References

[1] https://www.osc.edu/book/export/html/4523
[2] https://help.eecs.utk.edu/knowledge-base/linux-topics/nfsv4-acls