[gpfsug-discuss] NF4 ACLs

Taylor Joshua George (PSI) joshua.taylor at psi.ch
Fri Sep 2 10:49:01 BST 2022


Perhaps I should try and describe my use-case a bit:

There is a daemon process that gets data and must then write it out
into a project directory in GPFS. The project directory is owned by the
project owner, and has the setgid bit set on the directory. This is so
that members of the group can read/write/etc files put in the
directory. The daemon is not a member of the project group.

The daemon process used to run as root, however, my goal with ACLs is
to enable it to write into project dirs, without needing to change the
effective UID/GID (or be a member of the group) - so, in this case, it
runs as a regular user. The ACL should allow it to write into the
project directory. Essentially, the ACL is to enable the daemon to run
as a regular user. Once the data is written, the Daemon will (likely)
never access the data again, only the users in the project.

So, my goal is to have the daemon write files owned by the project
Group (so, with g+rw), as the project users would just use the standard
posix permissions to access the data. I suppose I'm trying to blend the
use of ACLs and standard posix perms. More importantly, I'm trying to
get rid of the execute bit that new files are created with/inherited.

Answers to questions below...


On Fri, 2022-09-02 at 09:23 +0100, Jonathan Buzzard wrote:
> On 01/09/2022 22:18, Taylor Joshua George (PSI) wrote:
> 
> > 
> > Hi Everyone,
> > I'm trying implement some ACLs, however some of the documentation
> > is a
> > bit unclear to me.
> > 
> > Using
>  >
> https://www.ibm.com/docs/en/spectrum-scale/5.1.4?topic=administration-setting-nfs-v4-access-control-lists
> > as a reference, I'm trying to understand what to use to achieve
> > 0660
> > permissions on files and 2770 on directories.
> > 
> 
> It's not clear from this whether you are trying to achieve the 
> equivalent of 0660 and 2770 on files and directories or have an ls
> show 
> the permissions as 0660 and 2770.

I'm trying to get the files to be created with 0660 perms (currently,
they are created 0770). I've tried playing with the `rwxc` in the first
line of the NFS4 ACL definition, with no luck (it seems to ignore that,
except for error checking). E.g. I've tried removing the `x`, which
passes the syntax check but doesn't seem to change anything.

so, daemon uses ACLs to write/create files, users use posix perms to
access/modify those files.

> 
> > So far, I've managed to achieve 0000 perms, but user with the ACL
> > permission can chmod, or 0770 perms.
> > 
> 
> Basically neither of the above two options is possible because there
> is 
> no exact mapping between POSIX permissions and NFSv4 ACL's.
> 
> For example you can't get the equivalent of the set group id
> permission. 
> You can however put an inheritable ACL for a group on the directory
> that 
> gives r/w plus say search directory and possibly execute permissions
> if 
> you want those as well.
> 
> A user with ACL permissions can change permissions that is completely
> expected. Note that traditional 2770 permissions are only suggestive,
> the file or member of the group would be able to change them to 
> something else. In fact programs often do when you save, and Samba
> just 
> completely ignores them for the most part. At least with NFSv4 ACL's
> you 
> can remove the ACL permission :-)
> 
> How permissions display on an ls/stat is not an exact mapping and
> will 
> tend to go to something like 0000, but actual ability to access etc.
> the 
> file will be based on the ACL not what you see in ls/stat.
> > Attached is a txt file with the mmgetacl output, as well as file
> > listing on a test file, and finally, the ACL definition I used.
> > 
> > As one can see in the attachment, the ACL requested appears
> > differently
> > for what it _actually_ applied.
> > 
> 
> What ACL schematics does the file system have? Is it NFSv4 or both?
> 

It's pure NFSv4
-D       nfs4       File locking semantics in effect
-k       nfs4       ACL semantics in effect

> 
> If you are wedded to POSIX style permissions perhaps change to POSIX
> ACL 
> schematics on the file system?

I confess, I was hoping to mix the perms so as not to change our
processes too much. (we currently use reg. posix perms to enable group
writes [via sgid])

> 
> 
> JAB.
> 

-- 
Joshua Taylor

---
Paul Scherrer Institut
System Engineer
Science IT Infrastructure and Services department (AWI)
WHGA/038
Forschungstrasse 111
5232 Villigen PSI
Switzerlandd
+41 56 310 52 50


More information about the gpfsug-discuss mailing list