NFSv4 ACLs
Picotte Support
Storage mounted under /ifs and /home does not currently support NFSv4 ACLs.
This page shows how to restrict access permissions using NFSv4 ACLs on file systems that support them.
The Ohio Supercomputer Center maintains a detailed guide for using NFSv4 ACLs in common research scenarios.
Set ACLs
To set an access control entry (ACE) on a file or directory, use the command:
nfs4_setfacl [OPTIONS] COMMAND file
Modify ACLs
To modify an access control entry of a file or directory, use the command:
nfs4_editfacl [OPTIONS] file
View ACLs
To view the access control list of a file or directory, use the command:
nfs4_getfacl file
Commands
The commands available for setting access control entries are:

COMMAND | FUNCTION
---|---
-a acl_spec [index] | add ACL entries in acl_spec at index (default: 1)
-x acl_spec index | remove ACL entries or the entry at index from the ACL
-A file [index] | read ACL entries to add from file
-X file | read ACL entries to remove from file
-s acl_spec | set ACL to acl_spec (replaces the existing ACL)
-S file | read ACL entries to set from file
-m from_ace to_ace | modify in place: replace 'from_ace' with 'to_ace'

These commands are used when first setting an access control entry. The FUNCTION column describes what each command does so that you can choose the one that suits your purpose.
Options
Below is the list of all options that can be used when setting or modifying an access control entry. These options can also be combined.

OPTION | NAME | FUNCTION
---|---|---
-R | recursive | applies the ACE to a directory's files and subdirectories
-L | logical | used with -R, follows symbolic links
-P | physical | used with -R, skips symbolic links
Example
The example below shows how to use NFSv4 ACLs to set and modify permissions for your group.
Situation
There are three people in a group: a professor and two students.
The group directory has 5 subdirectories: shared, original_data, prof, student1, and student2.
prof is the owner of all of them.
The directory shared can be written to and deleted by all.
The original_data directory can only be read by the students.
Each student's personal directory is owner-only, but prof can read everything in it (not delete).
Step 1: Create the group directory using the mkdir command.
mkdir group
Step 2: Move inside the group directory using the cd command and create the 5 directories under it.
cd group
mkdir shared original_data prof student1 student2
Step 3: Now set the permissions for each subdirectory using the nfs4_setfacl command.
The shared directory can be written to and deleted by all.
nfs4_setfacl -R -a A:dfg:group@cm.cluster:RWX shared
In this command:
- nfs4_setfacl - the required command
- -R - apply the ACE recursively to the directory's files and subdirectories
- A - allow
- d - new subdirectories will inherit the same ACE
- f - new files will inherit the same ACE minus the inheritance flags
- g - the principal is a group
- group@cm.cluster - the group name
- RWX - read, write, and execute
- shared - the path of the targeted directory or file
The original_data directory can only be read by the students.
nfs4_setfacl -a A::student1@cm.cluster:rtxcny original_data
nfs4_setfacl -a A::student2@cm.cluster:rtxcny original_data
In these commands, rtxcny is the expanded form of the read permission (the individual permission bits rather than the R alias).
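Before applying an ACE such as the ones above, it helps to decode it and confirm it does not grant more than intended (for example, delete rights on a directory that should be read-only). The following POSIX shell functions are an added example, not part of this page or of the nfs4-acl-tools package; they parse the type:flags:principal:permissions spec used by nfs4_setfacl and expand the R, W and X aliases as documented in nfs4_acl(5), and the sample ACEs at the bottom are constructed from this page.

```shell
#!/bin/sh
# Decode an nfs4_setfacl ACE spec offline, without touching any filesystem.
# Alias expansion per nfs4_acl(5): R=rtncy, W=watTNcCy (plus D on directories), X=xtncy.

# expand_perms PERMS [dir|file] -> permission string with R/W/X aliases expanded
expand_perms() {
    perms=$1; kind=${2:-file}; out=""
    while [ -n "$perms" ]; do
        c=${perms%"${perms#?}"}      # first character
        perms=${perms#?}             # drop it
        case $c in
            R) out="${out}rtncy" ;;
            W) out="${out}watTNcCy"
               if [ "$kind" = dir ]; then out="${out}D"; fi ;;
            X) out="${out}xtncy" ;;
            *) out="${out}$c" ;;     # already a single permission bit
        esac
    done
    printf '%s\n' "$out"
}

# ace_field SPEC N -> Nth field: 1=type, 2=flags, 3=principal, 4=permissions
ace_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# grants_delete SPEC [dir|file] -> success if an Allow ACE grants delete (d) or delete-child (D)
grants_delete() {
    [ "$(ace_field "$1" 1)" = A ] || return 1
    case $(expand_perms "$(ace_field "$1" 4)" "$2") in
        *d*|*D*) return 0 ;;
        *)       return 1 ;;
    esac
}

# describe SPEC [dir|file] -> one-line human-readable summary of the ACE
describe() {
    t=$(ace_field "$1" 1); f=$(ace_field "$1" 2); who=$(ace_field "$1" 3)
    p=$(expand_perms "$(ace_field "$1" 4)" "$2"); inh=""
    case $f in *d*) inh="$inh dir-inherit" ;; esac
    case $f in *f*) inh="$inh file-inherit" ;; esac
    case $f in *g*) who="group $who" ;; esac
    if grants_delete "$1" "$2"; then del="CAN delete"; else del="cannot delete"; fi
    printf '%s %s perms=%s [%s]%s\n' "$t" "$who" "$p" "$del" "$inh"
}

# Constructed samples taken from the ACEs used in this example
describe 'A:dfg:group@cm.cluster:RWX' dir
describe 'A::student1@cm.cluster:rtxcny' dir
```

The second line of output confirms that the student ACE on original_data carries no d or D bit, which is the property the read-only requirement depends on.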
Each student's personal directory is owner-only, but prof can read everything in it (not delete).
For this target we try another command, nfs4_editfacl.
nfs4_editfacl -R group/student1
You should see the contents of a file that shows the explicit permissions of each person on the directory student1.
Edit the permissions for OWNER@, GROUP@ and EVERYONE@ according to the requirement:
- Add this line to allow student1 all permissions:
A:fd:student1id@cm.cluster:rwaDdxtTnNcCoy
- Change the line after OWNER@ to rxtncy so that the owner (the professor) can read but cannot delete.
- Change the line after GROUP@ to rxtncy so that the other members of the group (the professor and student2) can read but cannot delete or modify.
- Repeat the same steps for student2.
Step 4: To check that we assigned the right permissions, use the nfs4_getfacl command.
nfs4_getfacl group/shared
The owner and the 2 group members, student1 and student2, can read, write, and delete. People who are not in the group can only read the content.
nfs4_getfacl group/original_data
The owner can read, write, and delete. People who are not in the group, and the 2 group members student1 and student2, can only read the content.
nfs4_getfacl group/student1