Ubuntu 23.04

NFS : NFS 4 ACL Tool
2023/04/25

 
Installing the NFS 4 ACL tools makes it possible to set ACLs on an NFSv4 filesystem.
Usage is mostly the same as the POSIX ACL tools.
[1] Install the NFS 4 ACL tools on the NFS clients that mount the NFS share with NFSv4.
root@node01:~#
apt -y install nfs4-acl-tools
[2] The usage examples below are run on the following environment.
root@node01:~#
df -hT /mnt

Filesystem                   Type  Size  Used Avail Use% Mounted on
dlp.srv.world:/home/nfsshare nfs4   27G  5.6G   20G  23% /mnt

root@node01:~#
ll /mnt

total 16
drwxr-xr-x  3 root root 4096 Apr 27 01:13 ./
drwxr-xr-x 19 root root 4096 Apr 26 05:39 ../
drwx------  2 root root 4096 Apr 27 01:13 testdir/
-rw-------  1 root root   15 Apr 27 01:13 testfile.txt
[3] Show the ACL of a file or directory on an NFSv4 filesystem.
root@node01:~#
nfs4_getfacl /mnt/testfile.txt


A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

root@node01:~#
nfs4_getfacl /mnt/testdir


A::OWNER@:rwaDxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# each entry means like follows
# ACE = Access Control Entry
# (ACE Type):(ACE Flags):(ACE Principal):(ACE Permissions)

Description

ACE Type
  A   A = Allow : the ACE allows the listed accesses.
  D   D = Deny  : the ACE denies the listed accesses.

ACE Flags
  d   Directory-Inherit    : new sub-directories inherit the same ACE.
  f   File-Inherit         : new files inherit the same ACE, but without its inheritance flags.
  n   No-Propagate-Inherit : new sub-directories inherit the same ACE, but without its inheritance flags.
  i   Inherit-Only         : new files/sub-directories inherit the same ACE, but it does not apply to this directory itself.

ACE Principal
  (USER)@(NFSDomain)    Common user
                        [NFSDomain] is the domain name specified as the [Domain] value in [idmapd.conf].
  (GROUP)@(NFSDomain)   Common group
                        For a group, specify the [g] flag like this ⇒ A:g:GROUP@NFSDomain:rxtncy
  OWNER@                Special principal : owner
  GROUP@                Special principal : owning group
  EVERYONE@             Special principal : everyone

ACE Permissions
  r   Read data of files / List files in directory
  w   Write data to files / Create new files in directory
  a   Append data to files / Create new sub-directory
  x   Execute files / Change directory
  d   Delete files or directories
  D   Delete files or sub-directories under the directory
  t   Read attributes of files or directories
  T   Write attributes of files or directories
  n   Read named attributes of files or directories
  N   Write named attributes of files or directories
  c   Read ACL of files or directories
  C   Write ACL of files or directories
  o   Change ownership of files or directories

ACE Permission Aliases (with nfs4_setfacl, an alias can be used in place of the individual permissions)
  R   R = rntcy    : Generic Read
  W   W = watTNcCy : Generic Write
  X   X = xtcy     : Generic Execute
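As an added example (not part of the original page or the nfs4-acl-tools project), a small Python model of the ACE format described in this table: it expands the R/W/X aliases, parses lines in the form nfs4_getfacl prints them, and applies the NFSv4 per-bit first-match rule, using the ACL printed in step [4] as constructed sample input. The Requester fields and the sample identities are assumptions of the example, not something the tools expose.

```python
from collections import namedtuple
# Alias expansions from the permissions table above (R / W / X)
ALIASES = {"R": "rntcy", "W": "watTNcCy", "X": "xtcy"}
PERM_BITS = set("rwaxdDtTnNcCoy")

# kind: "A" (Allow) or "D" (Deny); flags: inheritance flags plus "g" for a group principal;
# principal: OWNER@, GROUP@, EVERYONE@, user@domain or a numeric id; perms: expanded letters
Ace = namedtuple("Ace", "kind flags principal perms")
# Assumed caller model: users = caller identities such as {"1000", "ubuntu@srv.world"},
# groups = its group ids, is_owner / in_owning_group = whether OWNER@ / GROUP@ apply to it
Requester = namedtuple("Requester", "users groups is_owner in_owning_group")

def expand_perms(spec: str) -> frozenset:
    """Expand R/W/X aliases into the single-letter permissions they stand for."""
    out = set()
    for ch in spec:
        out.update(ALIASES.get(ch, ch))
    if out - PERM_BITS:
        raise ValueError(f"unknown permission letters {sorted(out - PERM_BITS)}")
    return frozenset(out)

def parse_ace(line: str) -> Ace:
    """Parse one (type):(flags):(principal):(permissions) line from nfs4_getfacl."""
    kind, flags, principal, perms = line.strip().split(":")
    if kind not in ("A", "D"):
        raise ValueError(f"unsupported ACE type {kind!r}")
    return Ace(kind, flags, principal, expand_perms(perms))

def ace_matches(ace: Ace, who: Requester) -> bool:
    special = {"EVERYONE@": True, "OWNER@": who.is_owner, "GROUP@": who.in_owning_group}
    if ace.principal in special:
        return special[ace.principal]
    return ace.principal in (who.groups if "g" in ace.flags else who.users)

def check_access(acl: list, who: Requester, wanted: str) -> bool:
    """NFSv4 rule: each bit is settled by the first matching ACE that names it; a Deny
    on a still-undecided bit rejects the request, and bits never allowed are denied."""
    pending = set(expand_perms(wanted))
    for ace in acl:
        if not ace_matches(ace, who):
            continue
        hit = pending & ace.perms
        if hit and ace.kind == "D":
            return False
        pending -= hit
    return not pending

# Constructed sample: the ACL nfs4_getfacl printed in step [4] after the ubuntu ACE was added
SAMPLE_ACL = [parse_ace(l) for l in ["D::OWNER@:x", "A::OWNER@:rwatTcCy",
              "A::1000:rxtcy", "A::GROUP@:tcy", "A::EVERYONE@:tcy"]]
```

Note that the leading D::OWNER@:x entry wins over the owner's Allow entry for execute because it is evaluated first, which is why order matters when editing an ACL with -e or -S.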

[4] Add or delete an ACE.
root@node01:~#
ll /mnt

total 16
drwxr-xr-x  3 root root 4096 Apr 27 01:13 ./
drwxr-xr-x 19 root root 4096 Apr 26 05:39 ../
drwx------  2 root root 4096 Apr 27 01:13 testdir/
-rw-------  1 root root   15 Apr 27 01:13 testfile.txt

root@node01:~#
nfs4_getfacl /mnt/testfile.txt


A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# add generic read/execute for the [ubuntu] user to the [/mnt/testfile.txt] file

root@node01:~#
nfs4_setfacl -a A::ubuntu@srv.world:rxtncy /mnt/testfile.txt
root@node01:~#
nfs4_getfacl /mnt/testfile.txt


# file: /mnt/testfile.txt
D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy


# verify as the [ubuntu] user

ubuntu@node01:~$
ll /mnt

total 16
drwxr-xr-x  3 root root 4096 Apr 27 01:13 ./
drwxr-xr-x 19 root root 4096 Apr 26 05:39 ../
drwx------  2 root root 4096 Apr 27 01:13 testdir/
-rw-r-x---  1 root root   15 Apr 27 01:13 testfile.txt*

ubuntu@node01:~$
cat /mnt/testfile.txt

test file

# delete generic read/execute for the [ubuntu] user from the [/mnt/testfile.txt] file

root@node01:~#
nfs4_setfacl -x A::1000:rxtcy /mnt/testfile.txt
root@node01:~#
nfs4_getfacl /mnt/testfile.txt


A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[5] Edit the ACL directly.
root@node01:~#
nfs4_setfacl -e /mnt/testfile.txt


# the editor set in $EDITOR is opened (if unset, the default is [vi])
## Editing NFSv4 ACL for file: /mnt/testfile.txt
A::OWNER@:rwatTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[6] Add ACEs from a file.
# create ACL list

root@node01:~#
vi acl.txt
A::ubuntu@srv.world:RX
A::lunar@srv.world:RWX

# add the ACEs from the file

root@node01:~#
nfs4_setfacl -A acl.txt /mnt/testfile.txt
root@node01:~#
nfs4_getfacl /mnt/testfile.txt


D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::1001:rwaxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
[7] Replace the current ACL with a new one.
# create ACL list

root@node01:~#
vi acl.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace the whole ACL with the contents of the file

root@node01:~#
nfs4_setfacl -S acl.txt /mnt/testfile.txt
root@node01:~#
nfs4_getfacl /mnt/testfile.txt


A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[8] Replace a specific ACE with a new one.
root@node01:~#
nfs4_getfacl /mnt/testfile.txt


A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace EVERYONE's ACE with generic read/execute

root@node01:~#
nfs4_setfacl -m A::EVERYONE@:tcy A::EVERYONE@:RX /mnt/testfile.txt
root@node01:~#
nfs4_getfacl /mnt/testfile.txt


A::OWNER@:rwaxtTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy