[gpfsug-discuss] NF4 ACLs
Jonathan Buzzard
jonathan.buzzard at strath.ac.uk
Fri Sep 2 09:23:48 BST 2022
On 01/09/2022 22:18, Taylor Joshua George (PSI) wrote:
>
> Hi Everyone,
> I'm trying to implement some ACLs, however some of the documentation is a
> bit unclear to me.
>
> Using
> https://www.ibm.com/docs/en/spectrum-scale/5.1.4?topic=administration-setting-nfs-v4-access-control-lists
> as a reference, I'm trying to understand what to use to achieve 0660
> permissions on files and 2770 on directories.
>
It's not clear from this whether you are trying to achieve the
equivalent of 0660 and 2770 on files and directories or have an ls show
the permissions as 0660 and 2770.
> So far, I've managed to achieve 0000 perms, but user with the ACL
> permission can chmod, or 0770 perms.
>
Basically neither of the above two options is possible because there is
no exact mapping between POSIX permissions and NFSv4 ACLs.
For example you can't get the equivalent of the set group id permission.
You can however put an inheritable ACL for a group on the directory that
gives r/w plus say search directory and possibly execute permissions if
you want those as well.
A user with ACL permissions can change permissions; that is completely
expected. Note that traditional 2770 permissions are only suggestive,
the file or member of the group would be able to change them to
something else. In fact programs often do when you save, and Samba just
completely ignores them for the most part. At least with NFSv4 ACLs you
can remove the ACL permission :-)
How permissions display on an ls/stat is not an exact mapping and will
tend to go to something like 0000, but actual ability to access etc. the
file will be based on the ACL not what you see in ls/stat.
> Attached is a txt file with the mmgetacl output, as well as file
> listing on a test file, and finally, the ACL definition I used.
>
> As one can see in the attachment, the ACL requested appears differently
> for what it _actually_ applied.
>
What ACL schematics does the file system have? Is it NFSv4 or both?
If you are wedded to POSIX style permissions perhaps change to POSIX ACL
schematics on the file system?
JAB.
--
Jonathan A. Buzzard Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
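
The inheritable group ACE and the "access follows the ACL, not the mode bits" point from the reply above, as an added example that is not part of the original post and is not GPFS code: a simplified Python model of NFSv4 ACE inheritance and ordered evaluation, following the rules in RFC 7530. The `Ace` class, the group name `proj` and the sample directory ACL are constructed for illustration.

```python
# Simplified NFSv4 ACE model (after RFC 7530); not GPFS code, sample ACL is constructed.
from dataclasses import dataclass, replace

READ, WRITE, EXECUTE, WRITE_ACL = "read", "write", "execute", "write_acl"

@dataclass(frozen=True)
class Ace:
    who: str                    # "owner@", "everyone@" or "group:<name>"
    kind: str                   # "allow" or "deny"
    perms: frozenset
    file_inherit: bool = False
    dir_inherit: bool = False
    inherit_only: bool = False  # carried for children, ignored on this object

def inherit(parent_acl, is_dir):
    """Return the ACL a new child gets from its parent directory's ACEs."""
    child = []
    for ace in parent_acl:
        if is_dir and ace.dir_inherit:
            child.append(replace(ace, inherit_only=False))   # effective, keeps flags
        elif is_dir and ace.file_inherit:
            child.append(replace(ace, inherit_only=True))    # passed on to files below
        elif not is_dir and ace.file_inherit:
            child.append(Ace(ace.who, ace.kind, ace.perms))  # flags cleared on files
    return child

def allowed(acl, principals, requested):
    """Walk ACEs in order; the first ACE naming a requested bit decides that bit."""
    pending = set(requested)
    for ace in acl:
        if ace.inherit_only or ace.who not in principals:
            continue
        hit = pending & ace.perms
        if hit and ace.kind == "deny":
            return False
        pending -= hit
        if not pending:
            return True
    return False  # anything not explicitly allowed is denied

ALL = frozenset({READ, WRITE, EXECUTE, WRITE_ACL})
DIR_ACL = [  # constructed: owner full control, group rw on files, rwx on directories
    Ace("owner@", "allow", ALL, file_inherit=True, dir_inherit=True),
    Ace("group:proj", "allow", frozenset({READ, WRITE}), file_inherit=True, inherit_only=True),
    Ace("group:proj", "allow", frozenset({READ, WRITE, EXECUTE}), dir_inherit=True),
]

if __name__ == "__main__":
    f, member = inherit(DIR_ACL, False), {"group:proj", "everyone@"}
    print(allowed(f, member, {READ, WRITE}), allowed(f, member, {WRITE_ACL}))  # True False
```

Because the group ACEs never grant `write_acl`, a group member cannot change permissions on inherited files, which the mode bits alone cannot express.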