[gpfsug-discuss] default owner and group for POSIX ACLs

Simon Thompson S.J.Thompson at bham.ac.uk
Tue Oct 15 13:51:55 BST 2019


Hi Paul,

We use both Windows and Linux with our FS but only have NFSv4 ACLs enabled (we do also set “chmodAndSetAcl” on the fileset which makes chmod etc work whilst not breaking the ACL badly). We’ve only found 1 case where POSIX ACLs were needed, and really that was some other IBM software that didn’t understand ACLs (which is now fixed). The groups exist in both AD and our internal LDAP where they have gidNumbers assigned. For our research projects we set the following as the default on the directory:

$ mmgetacl some-project
#NFSv4 ACL
#owner:root
#group:gITS_BEAR_2019- some-project
special:owner@:rwxc:allow:FileInherit:DirInherit
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(X)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:gITS_BEAR_2019- some-project:rwxc:allow:FileInherit:DirInherit
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(X)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:everyone@:----:allow
(-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

special:owner@:rwxc:allow
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:group@:rwx-:allow
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

Simon

From: <gpfsug-discuss-bounces at spectrumscale.org> on behalf of Paul Ward <p.ward at nhm.ac.uk>
Reply to: "gpfsug-discuss at spectrumscale.org" <gpfsug-discuss at spectrumscale.org>
Date: Tuesday, 15 October 2019 at 13:34
To: "gpfsug-discuss at spectrumscale.org" <gpfsug-discuss at spectrumscale.org>
Subject: [gpfsug-discuss] default owner and group for POSIX ACLs

We are in the process of changing the way GPFS assigns UID/GIDs from internal tdb to using AD RIDs with an offset that matches our Linux systems.
We, therefore, need to change the ACLs for all the files in GPFS (up to 80 million).
We are running in mixed ACL mode, with some POSIX and some NFSv4 ACLs being applied.
(This system was set up 14 years ago and has changed roles over time.)
We are running on Linux, so need to have POSIX permissions enabled.

What I want to know from those in a similar environment: what do you have as the POSIX owner and group when NFSv4 ACLs are in use?
root:root

or do you have all files owned by a filesystem administrator account and group:
<ad service account>:<ad fileserver admin group>

On our Samba shares we have:
admin users = @<ad fileserver admin group>
So don’t actually need the group defined in POSIX.

Kindest regards,
Paul

Paul Ward
TS Infrastructure Architect
Natural History Museum
T: 02079426450
E: p.ward at nhm.ac.uk
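
An added example, not part of either post: a small parser for the `mmgetacl` NFSv4 listing format shown in the reply above, reporting which allow entries other than owner@ grant WRITE_ACL or CHOWN and whether they are inheritable. This is a check worth running before and after re-applying ACLs in bulk. The sample input is constructed from that listing with a placeholder group name, and the function names are this example's own.

```python
import re

# Constructed sample in the mmgetacl NFSv4 layout from the post; group name is a placeholder.
SAMPLE = """\
#NFSv4 ACL
#owner:root
#group:example-project
special:owner@:rwxc:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

group:example-project:rwxc:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:everyone@:----:allow
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

special:group@:rwx-:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
"""

# ACE header: kind:principal:mode:allow|deny[:InheritFlag...]
HEADER = re.compile(r"^(special|user|group):(.+):([rwxc-]{4}):(allow|deny)((?::\w+)*)$")
PERM = re.compile(r"\(([X-])\)(\S+)")   # "(X)WRITE_ACL" is granted, "(-)WRITE_ACL" is not
SENSITIVE = {"WRITE_ACL", "CHOWN"}      # rights that let a principal change access control

def parse_acl(text):
    """Return one dict per ACE found in mmgetacl NFSv4 output."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            kind, who, _, ace_type, flags = m.groups()
            aces.append({"who": f"{kind}:{who}", "type": ace_type, "granted": set(),
                         "inherit": [f for f in flags.split(":") if f]})
        elif aces and line.startswith("("):
            # Permission detail lines belong to the most recent ACE header.
            aces[-1]["granted"] |= {n for x, n in PERM.findall(line) if x == "X"}
    return aces

def sensitive_grants(aces):
    """(principal, rights, inheritable) for allow ACEs, other than owner@, granting SENSITIVE rights."""
    return [(a["who"], sorted(a["granted"] & SENSITIVE), bool(a["inherit"]))
            for a in aces
            if a["type"] == "allow" and a["who"] != "special:owner@"
            and a["granted"] & SENSITIVE]
```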
