[gpfsug-discuss] Adding to an existing GPFS ACL

Kerner, Chad A ckerner at illinois.edu
Fri Mar 29 08:05:15 GMT 2019


I got this code cleaned up a little bit and posted the initial version out to https://github.com/ckerner/ssacl.git .  There are detailed examples in the README, but I listed a few quick ones below.  I will be merging in the default ACL code, recursion, and backup/restoration of ACL branches hopefully over the next few days.

Usage Examples:

- List the ACLs on a file
> ssacl --list /data/acl/testfile

- Set the ACL to the contents of a specified ACL file.
> ssacl --set -f acl.testfile /data/acl/testfile

- Add a user ACL to a file
> ssacl --add -u ckerner -a='rwx-' /data/acl/testfile

- Add a group ACL to a file
> ssacl --add -g nfsnobody -a='r-x-' /data/acl/testfile

- Clear the ACLs on a file, leaving the permissions alone.
> ssacl --clear /data/acl/testfile

- Clear the ACLs on a file and reset the permissions to 760:
> ssacl --clear -U=rwxc --GID=r-x- -O=---- /data/acl/testfile

- Delete a user ACL to a file
> ssacl --del -u ckerner /data/acl/testfile

- Delete a group ACL to a file
> ssacl --del -g nfsnobody /data/acl/testfile

Chad
--
Chad Kerner – ckerner at illinois.edu<mailto:ckerner at illinois.edu>
Senior Storage Engineer, Storage Enabling Technologies
National Center for Supercomputing Applications
University of Illinois, Urbana-Champaign


From: "Kerner, Chad A" <ckerner at illinois.edu>
Date: Wednesday, March 27, 2019 at 11:53 AM
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Subject: Re: [gpfsug-discuss] Adding to an existing GPFS ACL

I have a python module that I am nearing the completion of for a project that wraps all of that.  It also contains another python script for the easy manipulation of the ACLs from the command line. Once I have that wraped up, hopefully this week, I would be happy to share.

Chad
--
Chad Kerner – ckerner at illinois.edu<mailto:ckerner at illinois.edu>
Senior Storage Engineer, Storage Enabling Technologies
National Center for Supercomputing Applications
University of Illinois, Urbana-Champaign

From: <gpfsug-discuss-bounces at spectrumscale.org> on behalf of "Fosburgh,Jonathan" <jfosburg at mdanderson.org>
Reply-To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date: Wednesday, March 27, 2019 at 11:13 AM
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Subject: Re: [gpfsug-discuss] Adding to an existing GPFS ACL


Try mmeditacl.


--
Jonathan Fosburgh
Principal Application Systems Analyst
IT Operations Storage Team
The University of Texas MD Anderson Cancer Center
(713) 745-9346
Error! Filename not specified.
________________________________
From: gpfsug-discuss-bounces at spectrumscale.org <gpfsug-discuss-bounces at spectrumscale.org> on behalf of Buterbaugh, Kevin L <Kevin.Buterbaugh at Vanderbilt.Edu>
Sent: Wednesday, March 27, 2019 10:59:17 AM
To: gpfsug main discussion list
Subject: [EXT] [gpfsug-discuss] Adding to an existing GPFS ACL

WARNING: This email originated from outside of MD Anderson. Please validate the sender's email address before clicking on links or attachments as they may not be safe.
Hi All,

First off, I have very limited experience with GPFS ACL’s, so please forgive me if I’m missing something obvious here.  AFAIK, this is the first time we’ve hit something like this…

We have a fileset where all the files / directories have GPFS NFSv4 ACL’s set on them.  However, unlike most of our filesets where the same ACL is applied to every file / directory in the share, this one has different ACL’s on different files / directories.  Now we have the need to add to the existing ACL’s … another group needs access.  Unlike regular Unix / Linux ACL’s where setfacl can be used to just add to an ACL (i.e. setfacl -R g:group_name:rwx), I’m not seeing where GPFS has a similar command … i.e. mmputacl seems to expect the _entire_ new ACL to be supplied via either manual entry or an input file.  That’s obviously problematic in this scenario.

So am I missing something?  Is there an easier solution than writing a script which recurses over the fileset, gets the existing ACL with mmgetacl and outputs that to a file, edits that file to add in the new group, and passes that as input to mmputacl?  That seems very cumbersome and error prone, especially if I’m the one writing the script!

Thanks…

Kevin
—
Kevin Buterbaugh - Senior System Administrator
Vanderbilt University - Advanced Computing Center for Research and Education
Kevin.Buterbaugh at vanderbilt.edu<mailto:Kevin.Buterbaugh at vanderbilt.edu> - (615)875-9633

The information contained in this e-mail message may be privileged, confidential, and/or protected from disclosure. This e-mail message may contain protected health information (PHI); dissemination of PHI should comply with applicable federal and state laws. If you are not the intended recipient, or an authorized representative of the intended recipient, any further review, disclosure, use, dissemination, distribution, or copying of this message or any attachment (or the information contained therein) is strictly prohibited. If you think that you have received this e-mail message in error, please notify the sender by return e-mail and delete all references to it and its contents from your systems.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20190329/621cd8c0/attachment-0002.htm>


More information about the gpfsug-discuss mailing list