7.4. POSIX Access Control Lists
POSIX Access Control Lists (ACLs) allow different permissions for different users or groups to be assigned to files or directories, independent of the original owner or the owning group.
For example, the user john creates a file. He does not want anyone in the file's group to access it, apart from one other user, antony, even though other users belong to the group john. With a POSIX ACL, john grants antony access individually, without changing the file's owner, group, or mode bits.
This means that, in addition to the file owner, the file group, and others, further users and groups can be granted or denied access by using POSIX ACLs.
7.4.1. Setting POSIX ACLs
Two types of POSIX ACLs are available: access ACLs and default ACLs.
Use access ACLs to grant permission on a specific file or directory.
Use default ACLs to set permissions at the directory level for files and subdirectories created in that directory. A default ACL is applied at creation time: a file created in the directory receives the default entries as its access ACL. Files that already exist when the default ACL is set are not changed.
ACLs can be configured for each file:
- Per user
- Per group
- Through the effective rights mask
- For other users (those who are neither the owner nor members of a group named in the ACL)
7.4.1.1. Setting Access ACLs
Access ACLs grant permission for both files and directories.
The
# setfacl -m entry_type file_name
command sets and modifies access ACLs.
setfacl entry_type Options
The ACL entry_type translates to the POSIX ACL representations of owner, group, and other.
Permissions must be a combination of the characters r (read), w (write), and x (execute). Specify the ACL entry_type as described below, separating multiple entry types with commas.
- u:user_name:permissions
- Sets the access ACL entry for a named user. Specify the user name or the UID.
- g:group_name:permissions
- Sets the access ACL entry for a named group. Specify the group name or the GID.
- m:permissions
- Sets the effective rights mask. The mask is the upper bound on what the owning group entry, every named user entry, and every named group entry can grant: an entry of rw under a mask of r grants only read, and getfacl shows the reduced value as #effective:. setfacl recalculates the mask from those entries whenever it adds or changes one, unless -n is given or a mask entry is specified explicitly in the same command. chmod on the file changes the mask rather than the owning group entry, so tightening group permissions with chmod silently tightens every named entry as well.
- o:permissions
- Sets the access ACL entry for other users, that is, users who are neither the owner nor covered by a matching group entry.
If a file or directory already has a POSIX ACL and setfacl -m is used, the entries given are added to the existing ACL, and entries that already exist are modified; all other entries are left in place, apart from the mask recalculation described above.
For example, to give read and write permissions to user antony:
# setfacl -m u:antony:rw /mnt/gluster/data/testfile
7.4.1.2. Setting Default ACLs
New files and directories inherit ACL information from their parent directory, if that parent has an ACL that contains default entries. Default ACL entries can only be set on directories.
The
# setfacl -d --set entry_type directory
command sets the default ACL of a directory. The -d option makes setfacl operate on the default ACL instead of the access ACL. --set replaces whatever default ACL the directory already has with the entries given, whereas
# setfacl -d -m entry_type directory
adds or changes individual default entries and leaves the rest in place.
setfacl entry_type Options
The ACL entry_type translates to the POSIX ACL representations of owner, group, and other.
Permissions must be a combination of the characters r (read), w (write), and x (execute). Specify the ACL entry_type as described below, separating multiple entry types with commas.
- u:user_name:permissions
- Sets the default ACL entry for a named user. Specify the user name or the UID.
- g:group_name:permissions
- Sets the default ACL entry for a named group. Specify the group name or the GID.
- m:permissions
- Sets the default effective rights mask, which becomes the mask of every object created in the directory. The mask caps the permissions of the owning group entry and of all named user and group entries.
- o:permissions
- Sets the default entry for other users, that is, users who are neither the owner nor covered by a matching group entry.
For example, run
# setfacl -d --set o::r /mnt/gluster/data
to set the default ACL of the /mnt/gluster/data directory to read-only for other users.
Note
An access ACL set explicitly on an individual file overrides the entries it inherited from the default ACL, and a later change to the directory's default ACL does not propagate to files and subdirectories that already exist.
Effects of a Default ACL
The following are the ways in which the permissions of a directory's default ACL are passed to the files and subdirectories created in it:
- A subdirectory inherits the default ACL of the parent directory both as its own default ACL and as its access ACL.
- A file inherits the default ACL as its access ACL.
In both cases the inherited access ACL is limited by the mode the creating process requested: the owner bits of that mode are applied to the user:: entry, the group bits to the mask:: entry (or to group:: if there is no mask), and the other bits to the other:: entry. The umask is not applied when a default ACL exists. Named user and group entries are copied unchanged, so a file created with mode 0666 in a directory whose default ACL grants a user rwx shows that user's entry as rwx with #effective:rw-.
7.4.2. Retrieving POSIX ACLs
Run the
# getfacl
command to view the existing POSIX ACLs for a file or directory. Entries prefixed with default: are the directory's default ACL; the unprefixed entries are the access ACL. Where the mask reduces an entry, getfacl appends #effective: with the permissions actually granted.
# getfacl path/filename
- View the existing access ACL of the sample.jpg file using the following command.
# getfacl /mnt/gluster/data/test/sample.jpg
# owner: antony
# group: antony
user::rw-
group::rw-
other::r--
# getfacl directory_name
- View the default ACL of the /doc directory using the following command.
# getfacl /mnt/gluster/data/doc
# owner: antony
# group: antony
user::rw-
user:john:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:antony:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
7.4.3. Removing POSIX ACLs
Run
# setfacl -x entry_type file
to remove the ACL entry for a named user or a named group. Give only the entry type and the qualifier, without permissions.
setfacl entry_type Options
- u:user_name
- Removes the named user entry. Specify the user name or the UID.
- g:group_name
- Removes the named group entry. Specify the group name or the GID.
The base entries (user::, group::, and other::) cannot be removed with -x; change them with setfacl -m or chmod instead. To remove every extended entry at once and leave only the base entries, run
# setfacl -b file
and to remove only the default ACL of a directory, run
# setfacl -k directory
For example, to remove the named entry for user antony:
# setfacl -x u:antony /mnt/gluster/data/test-file
After this, antony's access is decided by the group and other entries like any other user's, so removing an entry is not the same as denying access. To deny a specific user while leaving the rest of the ACL unchanged, set an entry with no permissions, for example u:antony:---.
7.4.4. Samba and ACLs
POSIX ACLs are enabled by default when using Samba to access a Red Hat Gluster Storage volume. Samba is compiled with the --with-acl-support option, so no special flags are required when accessing or mounting a Samba share.