CentOS 8

NFS : NFS 4 ACL Tool
2019/10/04
 
ACLs can be set on an NFSv4 filesystem by installing the NFSv4 ACL tools (nfs4-acl-tools).
Usage is mostly the same as the POSIX ACL tools (getfacl/setfacl), but the ACE syntax is different, as shown below.
[1] Install the NFSv4 ACL tools on the NFS clients that mount the share with NFSv4.
[root@node01 ~]#
dnf -y install nfs4-acl-tools
[2] This example uses the following environment: an NFSv4 mount at [/mnt] served by [dlp.srv.world].
[root@node01 ~]#
df -hT /mnt

Filesystem                   Type  Size  Used Avail Use% Mounted on
dlp.srv.world:/home/nfsshare nfs4   26G  1.8G   25G   7% /mnt

[root@node01 ~]#
ll /mnt

total 8
drwxr-xr-x. 2 root root  6 Oct  3 19:58 testdir
-rw-r-----. 1 root root 10 Oct  3 19:14 testfile.txt
-rw-------. 1 root root  5 Oct  3 19:17 test.txt
[3] Show the ACL of a file or directory on the NFSv4 filesystem.
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

[root@node01 ~]#
nfs4_getfacl /mnt/testdir


# file: /mnt/testdir
A::OWNER@:rwaDxtTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy

# each entry is an ACE (Access Control Entry) of the form

# (ACE Type):(ACE Flags):(ACE Principal):(ACE Permissions)

# ACEs are evaluated in order: the first ACE that decides a requested permission bit wins,
# so a Deny listed before an Allow takes precedence for the bits it covers
Description
ACE Type  
A A = Allow : grants the listed permissions.
D D = Deny : denies the listed permissions.
ACE Flags  
d Directory-Inherit : newly created sub-directories inherit this ACE.
f File-Inherit : newly created files inherit this ACE, minus its inheritance flags.
n No-Propagate-Inherit : newly created sub-directories inherit this ACE, minus its inheritance flags, so it stops propagating one level down.
i Inherit-Only : this ACE is not used for permission checks on the directory itself; it exists only to be inherited (the [i] flag is stripped from the inherited copies).
g Group : the principal is a group, not a user.
ACE Principal  
(USER)@(NFSDomain) Named user
[NFSDomain] is the [Domain] value set in [/etc/idmapd.conf]; client and server must agree on it.
(GROUP)@(NFSDomain) Named group
For a group, specify the [g] flag like this ⇒ A:g:(GROUP)@(NFSDomain):rxtncy
OWNER@ Special Principal : the file's owner
GROUP@ Special Principal : the file's owning group
EVERYONE@ Special Principal : everyone, including the owner and the owning group (unlike the POSIX "other" class)
When client and server exchange numeric IDs instead of user@domain names (the Linux default on sec=sys mounts, controlled by the [nfs4_disable_idmapping] module parameter on both sides), nfs4_getfacl shows a named principal as its UID or GID, as in the examples below.
ACE Permissions  
r Read data of files / List files in directory
w Write data to files / Create new files in directory
a Append data to files / Create new sub-directory
x Execute files / Change into directory (directory search)
d Delete the file or directory itself
D Delete-child : delete files or sub-directories inside the directory (directories only)
t Read attributes of files or directories
T Write attributes of files or directories
n Read named attributes of files or directories
N Write named attributes of files or directories
c Read ACL of files or directories
C Write ACL of files or directories
o Change ownership of files or directories
y Synchronize : allow the client to use synchronous I/O with the server
ACE Permissions Aliases With nfs4_setfacl, the following aliases can be used in place of a set of permission letters (nfs4_getfacl always prints the expanded letters)
R R = rntcy : Generic Read
W W = watTNcCy : Generic Write
X X = xtcy : Generic Execute
Note that a Linux NFS server stores the ACL internally as a POSIX ACL, so permission bits it cannot represent (for example [n] and [N], or [T] and [C] on a named user) are silently dropped, and it may add ACEs of its own; always compare nfs4_getfacl output with what was requested.
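As an added example (not part of the original page or of nfs4-acl-tools), the following POSIX shell function reads nfs4_getfacl output, or an ACE list written for nfs4_setfacl since it expands the R/W/X aliases first, and flags the two kinds of Allow ACE that the table above makes worth checking: entries that give EVERYONE@ a modifying right, and entries that give a principal other than OWNER@ the [C] (write ACL) or [o] (change owner) right, with which that principal can take over the object. The policy it applies is an assumption for this example, not an NFS rule; the sample ACLs in the usage are constructed.

```shell
#!/bin/sh
# Added example: audit an NFSv4 ACL for risky Allow ACEs.
# Input: text in the (ACE Type):(ACE Flags):(ACE Principal):(ACE Permissions) format,
# either nfs4_getfacl output or an ACE list written for nfs4_setfacl (aliases allowed).
# The rules below are an assumed policy for this example, not an NFS standard:
#   open     - an Allow ACE gives EVERYONE@ a modifying right (w a d D T N C o)
#   takeover - an Allow ACE gives a non-OWNER@ principal C (write ACL) or o (change owner)
# Prints one finding per line ("<kind> <ace> <reason>") and returns 1 if any were found.
audit_nfs4_acl() {
    printf '%s\n' "$1" | awk -F: '
        # expand nfs4_setfacl permission aliases into the letters nfs4_getfacl prints
        function expand(p) {
            gsub(/R/, "rntcy", p); gsub(/W/, "watTNcCy", p); gsub(/X/, "xtcy", p)
            return p
        }
        /^#/ || NF < 4 { next }            # skip "# file:" comments and blank lines
        $1 != "A" { next }                 # only Allow ACEs grant anything
        {
            who = $3; perms = expand($4)
            if (who == "EVERYONE@" && perms ~ /[wadDTNCo]/) {
                found++; printf "open %s EVERYONE@ can modify the object\n", $0
            }
            if (who != "OWNER@" && perms ~ /[Co]/) {
                found++; printf "takeover %s non-owner can rewrite the ACL or take ownership\n", $0
            }
        }
        END { exit (found > 0) }'
}

# usage against a live mount (constructed sample below uses the page's own ACE lines):
#   audit_nfs4_acl "$(nfs4_getfacl /mnt/test.txt)" || echo "review the ACL"
sample='A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:rwatTcy
A::cent@srv.world:rxtcCy'
audit_nfs4_acl "$sample" || echo "review the ACL"
```

Deny ACEs are skipped on purpose: a Deny never grants anything, and whether it neutralises a later Allow depends on its position, which is exactly what a reviewer should read from the full listing rather than from a summary.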

[4] Add or delete an ACE.
[root@node01 ~]#
ll /mnt

total 8
drwxr-xr-x. 2 root root  6 Oct  3 19:58 testdir
-rw-r-----. 1 root root 10 Oct  3 19:14 testfile.txt
-rw-------. 1 root root  5 Oct  3 19:17 test.txt

[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# add generic read/execute (rxtncy, the same as the aliases R plus X) for the [cent] user to [/mnt/test.txt]

[root@node01 ~]#
nfs4_setfacl -a A::cent@srv.world:rxtncy /mnt/test.txt
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy


# note: the server returned the ACE with three changes. The principal is shown as the numeric
# UID [1000] rather than [cent@srv.world] (numeric IDs are exchanged on sec=sys mounts
# unless idmapping is enabled on both client and server); the [n] bit was dropped because
# the Linux NFS server stores the ACL as a POSIX ACL and cannot represent named attributes;
# and a [D::OWNER@:x] entry was added, because that mapping denies the owner any bit the
# owner lacks but a later entry grants, so OWNER@ does not pick up execute from the [cent] entry.
# In [ll] output the group bits now show the POSIX mask (r-x), not GROUP@'s own permissions.

# verify with [cent] user

[cent@node01 ~]$
ll /mnt

total 8
drwxr-xr-x. 2 root root  6 Oct  4 15:58 testdir
-rw-r-----. 1 root root 10 Oct  4 15:14 testfile.txt
-rw-r-x---. 1 root root  5 Oct  4 15:17 test.txt

[cent@node01 ~]$
cat /mnt/test.txt

test file

# delete the ACE for the [cent] user from [/mnt/test.txt]. The ACE given to [-x] must match the stored entry exactly as nfs4_getfacl prints it (here with the numeric UID and without [n])

[root@node01 ~]#
nfs4_setfacl -x A::1000:rxtcy /mnt/test.txt
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[5] Edit the ACL directly in an editor.
[root@node01 ~]#
nfs4_setfacl -e /mnt/test.txt


# opens the ACL in the editor named by $EDITOR (default: [vi]); the changes are applied when the editor exits
## Editing NFSv4 ACL for file: /mnt/test.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[6] Add ACEs from a file.
# create a list of ACEs (one per line; the R/W/X permission aliases are allowed here)

[root@node01 ~]#
vi acl.txt
A::cent@srv.world:RX
A::redhat@srv.world:RWX

# add the ACEs from the file. The result below shows that the server expands the aliases but keeps only the bits it supports: [RX] became [rxtcy] and [RWX] became [rwaxtcy], so [n], [N], [T] and [C] were dropped for these named users

[root@node01 ~]#
nfs4_setfacl -A acl.txt /mnt/test.txt
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::1001:rwaxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
[7] Replace the whole ACL with the ACEs in a file.
# create the complete ACL ([-S] discards every existing ACE, so list all the entries you want to keep)

[root@node01 ~]#
vi acl.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace the ACL with the contents of the file

[root@node01 ~]#
nfs4_setfacl -S acl.txt /mnt/test.txt
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[8] Replace a specific ACE with a new one.
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace EVERYONE@'s ACE with read/execute ([-m] takes the existing ACE and its replacement). Because EVERYONE@ also covers the owning group, the server's result below shows GROUP@ with [rx] as well

[root@node01 ~]#
nfs4_setfacl -m A::EVERYONE@:tcy A::EVERYONE@:RX /mnt/test.txt
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy
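Steps [4] to [8] show the server rewriting what was set: the [n] bit disappears, [cent@srv.world] comes back as [1000], a [D::OWNER@:x] entry appears, and GROUP@ is widened together with EVERYONE@. The following POSIX shell function, added here as an example (it is not part of the original page or of nfs4-acl-tools), compares the ACE list you passed to nfs4_setfacl with what nfs4_getfacl reports afterwards and prints every difference; an optional third argument maps names to the numeric IDs a server returns when idmapping is off. The sample inputs at the end are constructed from the outputs shown above.

```shell
#!/bin/sh
# Added example: compare the ACL requested via nfs4_setfacl with what the server stored.
#   $1  requested ACEs, one per line, in nfs4_setfacl syntax (R/W/X aliases allowed)
#   $2  nfs4_getfacl output for the same object
#   $3  optional "name@domain=id,name@domain=id" map for servers that report numeric IDs
# Prints "missing", "reduced", "widened" or "extra" findings, one per line, and returns 1
# when the stored ACL differs from the request in any way.
nfs4_acl_check() {
    {
        printf '%s\n' "$1" | sed 's/^/REQ /'
        printf '%s\n' "$2" | sed 's/^/GOT /'
    } | awk -v map="$3" '
        # expand nfs4_setfacl permission aliases into the letters nfs4_getfacl prints
        function expand(p) {
            gsub(/R/, "rntcy", p); gsub(/W/, "watTNcCy", p); gsub(/X/, "xtcy", p)
            return p
        }
        # letters of a that are not in b, without duplicates
        function diff(a, b,    i, c, out) {
            for (i = 1; i <= length(a); i++) {
                c = substr(a, i, 1)
                if (index(b, c) == 0 && index(out, c) == 0) out = out c
            }
            return out
        }
        BEGIN {
            n = split(map, kv, ",")
            for (i = 1; i <= n; i++) if (split(kv[i], kvp, "=") == 2) id[kvp[1]] = kvp[2]
        }
        $2 ~ /^#/ || split($2, f, ":") < 4 { next }   # skip "# file:" lines and blanks
        {
            who = f[3]; if (who in id) who = id[who]   # compare by type:flags:principal
            key = f[1] ":" f[2] ":" who
            if ($1 == "REQ") { req[key] = expand(f[4]); reqace[key] = $2 }
            else             { got[key] = f[4];         gotace[key] = $2 }
        }
        END {
            for (k in req) {
                if (!(k in got)) { printf "missing %s\n", reqace[k]; bad++; continue }
                lost = diff(req[k], got[k]); gained = diff(got[k], req[k])
                if (lost != "")   { printf "reduced %s lost %s\n", reqace[k], lost; bad++ }
                if (gained != "") { printf "widened %s gained %s\n", reqace[k], gained; bad++ }
            }
            for (k in got) if (!(k in req)) { printf "extra %s\n", gotace[k]; bad++ }
            exit (bad > 0)
        }'
}

# usage against a live mount, right after "nfs4_setfacl -S acl.txt /mnt/test.txt":
#   nfs4_acl_check "$(cat acl.txt)" "$(nfs4_getfacl /mnt/test.txt)" "cent@srv.world=1000"
# constructed sample reproducing step [4]: what was requested vs what the server returned
requested='A::OWNER@:rwatTcCy
A::cent@srv.world:rxtncy
A::GROUP@:tcy
A::EVERYONE@:tcy'
stored='# file: /mnt/test.txt
D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy'
nfs4_acl_check "$requested" "$stored" "cent@srv.world=1000" || echo "stored ACL differs"
```

Run it after every nfs4_setfacl in a provisioning script and treat a non-zero exit as a failed change: a "reduced" line on the entry you just added means the server cannot represent what you asked for, and a "widened" or "extra" line means some principal now has more than the request intended.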