On 01/09/2022 22:18, Taylor Joshua George (PSI) wrote:


> Hi Everyone,
> I'm trying to implement some ACLs, however some of the documentation is a
> bit unclear to me.
>
> Using
> https://www.ibm.com/docs/en/spectrum-scale/5.1.4?topic=administration-setting-nfs-v4-access-control-lists
> as a reference, I'm trying to understand what to use to achieve 0660
> permissions on files and 2770 on directories.


It's not clear from this whether you are trying to achieve the equivalent of 0660 and 2770 on files and directories or have an ls show the permissions as 0660 and 2770.

> So far, I've managed to achieve 0000 perms, but user with the ACL
> permission can chmod, or 0770 perms.


Basically neither of the above two options is possible because there is no exact mapping between POSIX permissions and NFSv4 ACLs.

For example you can't get the equivalent of the set group id permission. You can however put an inheritable ACL for a group on the directory that gives r/w plus say search directory and possibly execute permissions if you want those as well.

A user with ACL permissions can change permissions; that is completely expected. Note that traditional 2770 permissions are only suggestive, the file or member of the group would be able to change them to something else. In fact programs often do when you save, and Samba just completely ignores them for the most part. At least with NFSv4 ACLs you can remove the ACL permission :-)

How permissions display on an ls/stat is not an exact mapping and will tend to go to something like 0000, but actual ability to access etc. the file will be based on the ACL not what you see in ls/stat.

> Attached is a txt file with the mmgetacl output, as well as file
> listing on a test file, and finally, the ACL definition I used.
>
> As one can see in the attachment, the ACL requested appears differently
> for what it _actually_ applied.


What ACL schematics does the file system have? Is it NFSv4 or both?

If you are wedded to POSIX style permissions perhaps change to POSIX ACL schematics on the file system?


JAB.

--
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
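
The inheritable group ACL suggested in the reply above, as an added sketch that is not part of the original message: a small Python model of the NFSv4 inheritance flags (RFC 7530 semantics) showing how two group entries on a top-level directory yield rwx on every subdirectory and rw on every new file, the job that setgid plus 0660/2770 does under POSIX. The `Ace` class, the function names and the `group:proj` name are hypothetical, and the file system is assumed to follow the same flag semantics.

```python
"""Model of NFSv4 ACE inheritance (RFC 7530 flag semantics); not GPFS code."""
from dataclasses import dataclass, replace

FILE_INH, DIR_INH, INH_ONLY = "FileInherit", "DirInherit", "InheritOnly"

@dataclass(frozen=True)
class Ace:                      # hypothetical minimal allow-ACE
    who: str                    # e.g. "group:proj" (constructed name)
    perms: frozenset            # subset of {"r", "w", "x"}
    flags: frozenset = frozenset()

def inherit(parent_acl, child_is_dir):
    """ACL a newly created child receives from its parent directory."""
    out = []
    for ace in parent_acl:
        if child_is_dir:
            if DIR_INH in ace.flags:
                # Applies to the subdirectory itself and keeps propagating.
                out.append(replace(ace, flags=ace.flags - {INH_ONLY}))
            elif FILE_INH in ace.flags:
                # Carried along only so files further down can inherit it.
                out.append(replace(ace, flags=ace.flags | {INH_ONLY}))
        elif FILE_INH in ace.flags:
            # Files are leaves: the entry applies, inheritance flags drop.
            out.append(replace(ace, flags=frozenset()))
    return out

def allowed(acl, who):
    """Permissions granted to `who` by ACEs that apply to the object itself."""
    perms = set()
    for ace in acl:
        if ace.who == who and INH_ONLY not in ace.flags:
            perms |= ace.perms
    return "".join(p for p in "rwx" if p in perms)

# Constructed directory ACL: rwx on directories, rw on files, for one group.
PROJECT_DIR = [
    Ace("group:proj", frozenset("rwx"), frozenset({DIR_INH})),
    Ace("group:proj", frozenset("rw"), frozenset({FILE_INH, INH_ONLY})),
]

if __name__ == "__main__":
    subdir = inherit(PROJECT_DIR, child_is_dir=True)
    print("dir :", allowed(PROJECT_DIR, "group:proj"))
    print("sub :", allowed(subdir, "group:proj"))
    print("file:", allowed(inherit(subdir, child_is_dir=False), "group:proj"))
```

Access here comes only from the entries, so whatever mode bits ls or stat display for such objects does not change the result.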
