[gpfsug-discuss] NF4 ACLs

Jonathan Buzzard jonathan.buzzard at strath.ac.uk
Fri Sep 2 09:23:48 BST 2022


On 01/09/2022 22:18, Taylor Joshua George (PSI) wrote:

> 
> Hi Everyone,
> I'm trying to implement some ACLs, however some of the documentation is a
> bit unclear to me.
> 
> Using
> https://www.ibm.com/docs/en/spectrum-scale/5.1.4?topic=administration-setting-nfs-v4-access-control-lists
> as a reference, I'm trying to understand what to use to achieve 0660
> permissions on files and 2770 on directories.
> 

It's not clear from this whether you are trying to achieve the 
equivalent of 0660 and 2770 on files and directories or have an ls show 
the permissions as 0660 and 2770.

> So far, I've managed to achieve 0000 perms, but user with the ACL
> permission can chmod, or 0770 perms.
> 

Basically neither of the above two options is possible because there is 
no exact mapping between POSIX permissions and NFSv4 ACLs.

For example you can't get the equivalent of the set group id permission. 
You can however put an inheritable ACL for a group on the directory that 
gives r/w plus say search directory and possibly execute permissions if 
you want those as well.

A user with ACL permissions can change permissions; that is completely 
expected. Note that traditional 2770 permissions are only suggestive, 
the file or member of the group would be able to change them to 
something else. In fact programs often do when you save, and Samba just 
completely ignores them for the most part. At least with NFSv4 ACLs you 
can remove the ACL permission :-)

How permissions display on an ls/stat is not an exact mapping and will 
tend to go to something like 0000, but actual ability to access etc. the 
file will be based on the ACL not what you see in ls/stat.

> Attached is a txt file with the mmgetacl output, as well as file
> listing on a test file, and finally, the ACL definition I used.
> 
> As one can see in the attachment, the ACL requested appears differently
> from what it _actually_ applied.
> 

What ACL schematics does the file system have? Is it NFSv4 or both?

If you are wedded to POSIX style permissions perhaps change to POSIX ACL 
schematics on the file system?


JAB.

-- 
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
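
The reply above says that access follows the ACL rather than the mode bits shown by ls/stat, that an inheritable group entry can stand in for group access on new files and directories, and that the right to change the ACL can be withheld. The following is an added example, not part of the original post or of IBM's tooling, that parses an NFSv4 ACL listing and reports both points; the sample text is constructed, its layout is assumed to match mmgetacl output, and the names alice and projgrp are hypothetical.

```python
import re

# Constructed sample in the layout assumed for mmgetacl output on an NFSv4 ACL.
# Owner "alice" and group "projgrp" are hypothetical names.
SAMPLE_ACL = """\
#NFSv4 ACL
#owner:alice
#group:projgrp
special:owner@:rwxc:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:projgrp:rwx-:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

special:everyone@:----:allow
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (-)READ_ATTR  (-)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
"""

FLAG = re.compile(r"\((X|-)\)(\S+)")  # matches "(X)WRITE_ACL" or "(-)WRITE_ACL"

def parse_acl(text):
    """Return one dict per ACL entry with its type, inherit flags and granted rights."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank separators and the #owner/#group header
        if line[0].isspace():  # indented continuation: per-right (X)/(-) markers
            if entries:
                entries[-1]["rights"].update(
                    name for mark, name in FLAG.findall(line) if mark == "X")
            continue
        kind, who, _mode, ace_type, *flags = line.split(":")
        entries.append({"who": f"{kind}:{who}", "type": ace_type,
                        "inherit": set(flags), "rights": set()})
    return entries

def audit(entries):
    """Return (principals allowed to rewrite the ACL, principals whose allow entry is inherited)."""
    allow = [e for e in entries if e["type"] == "allow"]
    can_change = [e["who"] for e in allow if "WRITE_ACL" in e["rights"]]
    inherited = [e["who"] for e in allow
                 if {"FileInherit", "DirInherit"} <= e["inherit"]]
    return can_change, inherited

if __name__ == "__main__":
    print(audit(parse_acl(SAMPLE_ACL)))
```

In the constructed sample the group can read and write and its entry is inherited by new files and directories, but only the owner holds WRITE_ACL, so group members cannot change the permissions.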



