CentOS 7

NFS 4 ACL Tool (2018/12/21)

 
It's possible to set ACLs on an NFSv4 filesystem by installing the NFS 4 ACL tool.
For setting ACLs on an XFS or ext4 filesystem, refer to here.
[1] Install the NFS 4 ACL tool on the NFS clients that mount the NFS share with NFSv4.
[root@node01 ~]#
yum -y install nfs4-acl-tools
[2] In this example, the environment is configured as follows.
[root@node01 ~]#
df -hT /mnt

Filesystem                       Type  Size  Used Avail Use% Mounted on
dlp.srv.world:/var/lib/nfs/share nfs4   71G  1.3G   70G   2% /mnt

[root@node01 ~]#
ll /mnt

total 4
drwx------. 2 root root 26 Dec 20 19:12 testdir
-rwx------. 1 root root 10 Dec 20 19:11 test.txt
[3] Show the ACL of a file or directory on the NFSv4 filesystem.
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

[root@node01 ~]#
nfs4_getfacl /mnt/testdir


# file: /mnt/testdir
A::OWNER@:rwaDxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# each entry means as follows
# ACE = Access Control Entry
# (ACE Type):(ACE Flags):(ACE Principal):(ACE Permissions)

ACE Type
  A : Allow : the entry allows the listed accesses.
  D : Deny : the entry denies the listed accesses.
ACE Flags
  d : Directory-Inherit : new sub-directories inherit the same ACE.
  f : File-Inherit : new files inherit the same ACE, but without the inheritance flags.
  n : No-Propagate-Inherit : new sub-directories inherit the same ACE, but without the inheritance flags, so it is not passed on any further.
  i : Inherit-Only : new files and sub-directories inherit the ACE, but it does not apply to this directory itself.
ACE Principal
  (USER)@(NFSDomain) : common user
    [NFSDomain] is the domain name specified as the [Domain] value in [idmapd.conf].
  (GROUP)@(NFSDomain) : common group
    For a group, specify the [g] flag like this ⇒ A:g:GROUP@NFSDomain:rxtncy
  OWNER@ : special principal : owner
  GROUP@ : special principal : group
  EVERYONE@ : special principal : everyone
ACE Permissions
  r : read data of files / list files in a directory
  w : write data to files / create new files in a directory
  a : append data to files / create new sub-directories
  x : execute files / change into a directory
  d : delete files or directories
  D : delete files or sub-directories under the directory
  t : read attributes of files or directories
  T : write attributes of files or directories
  n : read named attributes of files or directories
  N : write named attributes of files or directories
  c : read the ACL of files or directories
  C : write the ACL of files or directories
  o : change ownership of files or directories
ACE Permissions Aliases (with nfs4_setfacl, an alias can be used in place of the permission letters)
  R = rntcy : generic read
  W = watTNcCy : generic write
  X = xtcy : generic execute
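
As an added example (not code from the original page), the following Python decodes ACEs in the format described above, accepting either nfs4_getfacl output or an acl.txt as fed to nfs4_setfacl -A/-S, expands the R/W/X aliases, and flags entries that hand ACL/ownership control to anyone besides OWNER@ or write/delete rights to EVERYONE@. The 'y' (synchronize) permission, which appears in the outputs but not in the table, and the sample ACL are assumed/constructed.

```python
# Added example (not the page's own code): 'y' (synchronize) is assumed from the
# outputs above, as the table does not list it; everything else follows the table.
ACE_TYPES = {"A": "Allow", "D": "Deny"}
ACE_FLAGS = {"d": "directory-inherit", "f": "file-inherit", "n": "no-propagate-inherit",
             "i": "inherit-only", "g": "principal-is-group"}
ACE_PERMS = set("rwaxdDtTnNcCoy")
PERM_ALIASES = {"R": "rntcy", "W": "watTNcCy", "X": "xtcy"}  # nfs4_setfacl aliases

def expand_perms(perms):
    """Expand the R/W/X aliases into single letters (order kept, no duplicates)."""
    out = []
    for ch in perms:
        for bit in PERM_ALIASES.get(ch, ch):
            if bit not in out:
                out.append(bit)
    return "".join(out)

def parse_ace(line):
    """Parse one ACE such as 'A::OWNER@:rwaxtTcCy'; reject unknown fields."""
    parts = line.strip().split(":")
    if len(parts) != 4 or parts[0] not in ACE_TYPES:
        raise ValueError(f"malformed ACE: {line!r}")
    ace_type, flags, principal, perms = parts
    perms = expand_perms(perms)
    if set(flags) - set(ACE_FLAGS) or set(perms) - ACE_PERMS:
        raise ValueError(f"unknown flag or permission in {line!r}")
    return {"type": ACE_TYPES[ace_type], "flags": [ACE_FLAGS[f] for f in flags],
            "principal": principal, "perms": perms}

def parse_acl(text):  # nfs4_getfacl output or an acl.txt; '#' and blank lines skipped
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def risky_aces(aces):
    """Allow entries giving ACL/owner control to non-owners, or write/delete to EVERYONE@."""
    findings = []
    for ace in (a for a in aces if a["type"] == "Allow"):
        ctl, wr = set(ace["perms"]) & set("Co"), set(ace["perms"]) & set("wadD")
        if ace["principal"] != "OWNER@" and ctl:
            findings.append(f"{ace['principal']} may change ACL/owner ({''.join(sorted(ctl))})")
        if ace["principal"] == "EVERYONE@" and wr:
            findings.append(f"EVERYONE@ may write/delete ({''.join(sorted(wr))})")
    return findings

SAMPLE = """# constructed sample: the page's test.txt ACL plus two entries written with aliases
A::OWNER@:rwaxtTcCy
A::cent@srv.world:RX
A:g:GROUP@:tcy
A::EVERYONE@:W"""
```

Running risky_aces(parse_acl(SAMPLE)) reports only the EVERYONE@ entry, whose W alias silently includes C (write ACL) as well as w and a.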

[4] Add or delete an ACE.
[root@node01 ~]#
ll /mnt

total 4
drwx------. 2 root root 26 Dec 20 19:12 testdir
-rwx------. 1 root root 10 Dec 20 19:11 test.txt

[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# add generic read/execute for [cent] user to [/mnt/test.txt] file

[root@node01 ~]#
nfs4_setfacl -a A::cent@srv.world:rxtncy /mnt/test.txt
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::1000:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy


# verify with [cent] user

[cent@node01 ~]$
ll /mnt

total 4
drwx------. 2 root root 26 Dec 21 10:12 testdir
-rwxr-x---. 1 root root 10 Dec 21 10:11 test.txt

[cent@node01 ~]$
cat /mnt/test.txt

test file

# delete generic read/execute for [cent] user from [/mnt/test.txt] file

[root@node01 ~]#
nfs4_setfacl -x A::1000:rxtcy /mnt/test.txt
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[5] Edit the ACL directly.
[root@node01 ~]#
nfs4_setfacl -e /mnt/test.txt


# the editor set in $EDITOR is started (if it is unset, the default is [vi])
## Editing NFSv4 ACL for file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[6] Add ACEs from a file.
# create ACL list

[root@node01 ~]#
vi acl.txt
A::cent@srv.world:RX
A::redhat@srv.world:RWX

# add ACL from the file

[root@node01 ~]#
nfs4_setfacl -A acl.txt /mnt/test.txt
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::1000:rxtcy
A::1001:rwaxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
[7] Replace the current ACL with a new one.
# create ACL list

[root@node01 ~]#
vi acl.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace ACL from the file

[root@node01 ~]#
nfs4_setfacl -S acl.txt /mnt/test.txt
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[8] Replace a specific ACE with a new one.
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace the EVERYONE@ ACE with read/execute

[root@node01 ~]#
nfs4_setfacl -m A::EVERYONE@:tcy A::EVERYONE@:RX /mnt/test.txt
[root@node01 ~]#
nfs4_getfacl /mnt/test.txt


# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy