NFSv4 ACLs

From HPCWIKI
Revision as of 12:43, 2 January 2024 by Admin (talk | contribs) (→‎Examples)

NFSv4 ACLs (Access Control Lists) are a mechanism for manipulating access controls on network-mounted filesystems, supplementing traditional Unix permissions.[1]

Commands

nfs4_setfacl adds, removes, or modifies the ACL
  • -a – add the specified Access Control Entry (ACE, defined below). Basically, this adds a new rule.
  • -x – remove the specified entry. Note that the entry must match the existing rule exactly. Usually it is easier to remove an entry by invoking nfs4_setfacl with the -e switch, or by running nfs4_getfacl and copy/pasting the line you'd like to remove.
  • -e – instead of modifying the ACL directly, this switch opens the ACL in a text editor so that you can add/remove/modify all the entries at once. It uses whichever editor is specified in your EDITOR environment variable (run echo $EDITOR to see what yours is set to), or vi if none is specified. (See how to change the system default editor on Ubuntu.)

This option is also used for troubleshooting incorrect ACLs; see Fixing permissions that have gotten out-of-whack.

  • --test – tells nfs4_setfacl not to modify the ACL, but to print what the ACL would be once the operation you specified had been applied.
nfs4_getfacl prints the ACL of the file or directory

Access Control Entry (ACE)

ACE structure format:

[access type]:[flags]:[principal]:[permissions]

Where:

ACE entry     Description

access type   'A' denotes an "Allow" ACE; 'D' denotes a "Deny" ACE.

flags         d  directory-inherit      New subdirectories will have the same ACE
              f  file-inherit           New files will have the same ACE minus the inheritance flags
              n  no-propagate-inherit   New subdirectories will inherit the ACE minus the inheritance flags
              i  inherit-only           New files and subdirectories will have this ACE, but the ACE is null for the directory that carries the flag

principal
  • A named user. Example: user@nfsdomain.org
  • Special principals
    • OWNER@
    • GROUP@
    • EVERYONE@
  • A group. Note: when the principal is a group, you need to add the group flag 'g', as shown in the example below
    • A:g:group@osc.edu:rxtncy

permissions   r  read-data (files) / list-directory (directories)
              w  write-data (files) / create-file (directories)
              a  append-data (files) / create-subdirectory (directories)
              x  execute (files) / change-directory (directories)
              d  delete the file/directory
              D  delete-child: remove a file or subdirectory from the given directory (directories only)
              t  read the attributes of the file/directory
              T  write the attributes of the file/directory
              n  read the named attributes of the file/directory
              N  write the named attributes of the file/directory
              c  read the file/directory ACL
              C  write the file/directory ACL
              o  change ownership of the file/directory

Similarly to POSIX Read/Write/Execute, the aliases 'R', 'W', and 'X' expand as follows:

Alias   Name      Expansion
R       Read      rntcy
W       Write     watTNcCy (with D added to directory ACEs)
X       Execute   xtcy
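As an added example (not code from the wiki page or from nfs4-acl-tools), the POSIX sh function below checks that an ACE has the four-field shape shown above, that the access type, flags and permission letters are ones listed in the tables, and expands the R/W/X aliases exactly as the alias table states, adding D to W when the ACE is for a directory. The function name nfs4_ace_expand and the file/dir argument are this example's own conventions; the 'y' letter is accepted because it appears in the page's own alias expansions (it is the synchronize permission in nfs4-acl-tools).

```shell
#!/bin/sh
# Validate an NFSv4 ACE "[access type]:[flags]:[principal]:[permissions]" and
# expand the R/W/X aliases from the table above (R=rntcy, W=watTNcCy plus D on
# directories, X=xtcy). Example code, not part of nfs4-acl-tools.
#
# Usage: nfs4_ace_expand ACE [file|dir]      (default: file)
# Prints the expanded ACE; exit status 1 with a message on stderr if malformed.
nfs4_ace_expand() (
    ace=$1
    kind=${2:-file}     # "dir" makes the W alias also include D (delete-child)

    # Exactly three ':' separators; principals never contain ':'.
    case $ace in
        *:*:*:*:*) echo "nfs4_ace_expand: too many fields in '$ace'" >&2; exit 1 ;;
        *:*:*:*) ;;
        *) echo "nfs4_ace_expand: expected type:flags:principal:permissions, got '$ace'" >&2; exit 1 ;;
    esac
    atype=${ace%%:*};      rest=${ace#*:}
    flags=${rest%%:*};     rest=${rest#*:}
    principal=${rest%%:*}; perms=${rest#*:}

    case $atype in
        A|D) ;;
        *) echo "nfs4_ace_expand: access type must be A (allow) or D (deny)" >&2; exit 1 ;;
    esac
    [ -n "$principal" ] || { echo "nfs4_ace_expand: empty principal in '$ace'" >&2; exit 1; }
    [ -n "$perms" ]     || { echo "nfs4_ace_expand: empty permissions in '$ace'" >&2; exit 1; }

    # Flags: d f n i are the inheritance flags from the table; g marks a group principal.
    rest=$flags
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}      # first character, then drop it
        case $c in
            d|f|n|i|g) ;;
            *) echo "nfs4_ace_expand: unknown flag '$c' in '$ace'" >&2; exit 1 ;;
        esac
    done

    # Permissions: expand aliases, pass single letters through, reject anything else.
    expanded=""
    rest=$perms
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}
        case $c in
            R) expanded="${expanded}rntcy" ;;
            W) expanded="${expanded}watTNcCy"
               if [ "$kind" = dir ]; then expanded="${expanded}D"; fi ;;
            X) expanded="${expanded}xtcy" ;;
            r|w|a|x|d|D|t|T|n|N|c|C|o|y) expanded="${expanded}${c}" ;;
            *) echo "nfs4_ace_expand: unknown permission '$c' in '$ace'" >&2; exit 1 ;;
        esac
    done

    # Aliases overlap (R and X both contain t, c, y); keep each letter once, in order.
    out=""
    rest=$expanded
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}
        case $out in *"$c"*) ;; *) out="${out}${c}" ;; esac
    done

    printf '%s:%s:%s:%s\n' "$atype" "$flags" "$principal" "$out"
)

# Demonstration with the ACEs used in the examples on this page.
nfs4_ace_expand 'A::auser@example.com:R'            # file ACE, read alias
nfs4_ace_expand 'A::userweb@example.com:RX' dir     # directory ACE, read + execute
nfs4_ace_expand 'A:fdg:clntstf@example.com:RW' dir  # inheritable group ACE, W gains D
```

Running it with --test-style dry runs is not needed: the function only rewrites the string, so it can be used to check an ACL file before handing it to nfs4_setfacl -S.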

Examples[2]

Check ACL on file or folder

$ nfs4_getfacl <file or folder>

Using an ACL file

One can also specify the ACL in a single file and then apply that file, which avoids duplicate entries and keeps the ACL entries consistent across objects.

$ cat << EOF > ~/group_acl.txt
A:fdg:clntstf@example.com:rxtncy
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:tcy
A::EVERYONE@:rxtncy
EOF
$ nfs4_setfacl -R -S ~/group_acl.txt ~/share_group

Using a single CLI command

1. Give auser read permissions to the file file1:

nfs4_setfacl -a "A::auser@example.com:R" file1

2. Allow the webserver running as user userweb to access your personal web directory (webhome) and all files underneath it. You can use the find command and its -exec option to run a command on a set of files:
find ~/webhome -type d -exec nfs4_setfacl -a "A::userweb@example.com:RX" {} \;

That command gives RX (i.e. read and execute) permissions on all directories (the -type d option to find) under ~/webhome.
find ~/webhome -type f -exec nfs4_setfacl -a "A::userweb@example.com:R" {} \;

The second command gives userweb read (R) access to every non-directory file (-type f) in ~/webhome. You may want to do this if certain files should be accessible via the web, e.g. behind a password, but not to local EECS users. Very useful for making answers to quizzes, etc. password protected.

3. Give your research group named research1 read access to your project directory project1:
find project1 -type d -exec nfs4_setfacl -a "A:g:research1@example.com:RX" {} \;
find project1 -type f -exec nfs4_setfacl -a "A:g:research1@example.com:R" {} \;

References