6.4. POSIX Access Control Lists
Basic Linux file system permissions are assigned based on three user types: the owning user, members of the owning group, and all other users. POSIX Access Control Lists (ACLs) work around the limitations of this system by allowing administrators to also configure file and directory access permissions based on any user and any group, rather than just the owning user and group.
This section covers how to view and set access control lists, and how to ensure this feature is enabled on your Red Hat Gluster Storage volumes. For more detailed information about how ACLs work, see the Red Hat Enterprise Linux 7 System Administrator's Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Access_Control_Lists.html.
6.4.1. Setting ACLs with setfacl
The setfacl command lets you modify the ACLs of a specified file or directory. You can add access rules for a file with the -m subcommand, or remove access rules for a file with the -x subcommand. The basic syntax is as follows:
# setfacl subcommand access_rule file_path
The syntax of an access rule depends on which roles need to obey the rule.
- Rules for users start with u:, using the following syntax:
# setfacl -m u:user:perms file_path
For example, setfacl -m u:fred:rw /mnt/data gives the user fred read and write access to /mnt/data. setfacl -x u::w /works_in_progress/my_presentation.txt prevents all users from writing to the /works_in_progress/my_presentation.txt file (except the owning user and members of the owning group, as these are controlled by POSIX).
- Rules for groups start with g:, using the following syntax:
# setfacl -m g:group:perms file_path
For example, setfacl -m g:admins:rwx /etc/fstab gives users in the admins group read, write, and execute permissions to /etc/fstab. setfacl -x g:newbies:x /mnt/harmful_script.sh prevents users in the newbies group from executing /mnt/harmful_script.sh.
- Rules for other users start with o:, using the following syntax:
# setfacl -m o:perms file_path
For example, setfacl -m o:r /mnt/data/public gives users without any specific rules about their username or group permission to read files in /mnt/data/public.
- Rules for setting a maximum access level using an effective rights mask start with m:, using the following syntax:
# setfacl -m m:mask file_path
For example, setfacl -m m:r-x /mount/harmless_script.sh gives all users a maximum of read and execute access to /mount/harmless_script.sh.
You can set the default ACLs for a directory by adding d: to the beginning of any rule, or make a rule recursive with the -R option. For example, setfacl -Rm d:g:admins:rwx /etc gives all members of the admins group read, write, and execute access to any file created under the /etc directory after the point when the rule is set.
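The rule grammar above is easier to reason about when you can watch an ACL change rule by rule. The following is an added example, not code from the Red Hat Gluster Storage documentation: a small Python simulation of how setfacl -m and -x rules (including the d: prefix and m: mask rules) change an ACL. The starting ACL is constructed; the names fred and admins are taken from the examples above. It assumes setfacl's default behaviour (without -n) of recalculating the effective rights mask after any change to a named user, owning group or named group entry, which is why a mask you set with m: can be silently widened by a later -m rule.

```python
# Added example (not from the Red Hat documentation): simulate setfacl -m / -x
# rules on an in-memory ACL. Assumption: like setfacl without -n, the mask is
# recalculated whenever a named user, owning group or named group entry changes.

TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask"}
ORDER = {"user": 0, "group": 1, "mask": 2, "other": 3}
BASE = (("user", ""), ("group", ""), ("other", ""))


def fmt(perms):
    """Render a permission set the way getfacl prints it, e.g. {'r','x'} -> 'r-x'."""
    return "".join(c if c in perms else "-" for c in "rwx")


def parse_rule(rule):
    """Parse '[d:]tag[:qualifier]:perms' into (is_default, tag, qualifier, perms)."""
    parts = rule.split(":")
    is_default = parts[0] == "d"
    if is_default:
        parts = parts[1:]
    tag = TAGS[parts[0]]
    if tag in ("other", "mask"):          # o:perms and m:perms carry no qualifier
        qualifier, perms = "", parts[1] if len(parts) > 1 else ""
    else:                                 # u:name:perms, u::perms, g:name:perms
        qualifier = parts[1]
        perms = parts[2] if len(parts) > 2 else ""
    return is_default, tag, qualifier, {c for c in perms if c in "rwx"}


def recalc_mask(acl):
    """Default setfacl behaviour: mask = union of every entry the mask covers."""
    covered = [p for (t, q), p in acl.items() if t == "group" or (t == "user" and q)]
    if covered:
        acl[("mask", "")] = set().union(*covered)


def apply_rule(access, default, subcommand, rule):
    """Apply one -m or -x rule to the access ACL, or with a d: prefix to the default ACL."""
    is_default, tag, qualifier, perms = parse_rule(rule)
    if is_default and not default:
        # setfacl seeds a new default ACL with the access ACL's base entries
        for key in BASE:
            if key in access:
                default[key] = set(access[key])
    acl = default if is_default else access
    if subcommand == "-m":
        acl[(tag, qualifier)] = perms
        if tag != "mask":                 # an explicit m: rule is kept as given
            recalc_mask(acl)
    elif subcommand == "-x":
        acl.pop((tag, qualifier), None)
        recalc_mask(acl)
    else:
        raise ValueError(f"unsupported subcommand {subcommand!r}")
    return access, default


def render(access, default):
    """List both ACLs in getfacl order: user, named users, group, named groups, mask, other."""
    def lines(acl, prefix=""):
        keys = sorted(acl, key=lambda k: (ORDER[k[0]], k[1] != "", k[1]))
        return [f"{prefix}{t}:{q}:{fmt(acl[(t, q)])}" for t, q in keys]
    return "\n".join(lines(access) + lines(default, "default:"))


if __name__ == "__main__":
    # Constructed starting point: a plain rw-r--r-- file with no extended ACL entries.
    access = {("user", ""): {"r", "w"}, ("group", ""): {"r"}, ("other", ""): {"r"}}
    default = {}
    for sub, rule in [("-m", "u:fred:rw"), ("-m", "m:r-x"),
                      ("-m", "g:admins:rwx"), ("-x", "g:admins"),
                      ("-m", "d:g:admins:rwx")]:
        apply_rule(access, default, sub, rule)
        print(f"after setfacl {sub} {rule}: mask is {fmt(access[('mask', '')])}")
    print(render(access, default))
```

Running the script shows the mask go to rw- when fred is added, to r-x after the explicit m:r-x rule, and then back up to rwx as soon as the admins group entry is added: the ceiling set with m: only holds until the next -m rule on a covered entry recalculates it.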
6.4.2. Checking current ACLs with getfacl
The getfacl command lets you check the current ACLs of a file or directory. The syntax for this command is as follows:
# getfacl file_path
This prints a summary of current ACLs for that file. For example:
# getfacl /mnt/gluster/data/test/sample.jpg
# owner: antony
# group: antony
user::rw-
group::rw-
other::r--
If a directory has default ACLs set, these are prefixed with default:, like so:
# getfacl /mnt/gluster/data/doc
# owner: antony
# group: antony
user::rw-
user:john:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:antony:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
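A getfacl listing does not by itself tell you what a given user can do, because the effective rights mask (the m: rules in Section 6.4.1) caps named users and all group entries, and POSIX picks exactly one class of entry per access check. The following is an added example, not code from the Red Hat documentation: a Python reader for getfacl output that applies the mask and then walks the POSIX evaluation order (owner, then a matching named user, then owning or named groups, then other). The listing in SAMPLE is constructed, modelled on the output above; the user john and group admins are taken from the page, alice and bob are made-up names.

```python
# Added example (not from the Red Hat documentation): parse getfacl output,
# apply the mask, and evaluate access the way POSIX ACLs do.
# SAMPLE is a constructed listing modelled on the getfacl output shown above.
SAMPLE = """\
# file: doc
# owner: antony
# group: antony
user::rw-
user:john:rw-
group::r--
group:admins:rwx
mask::r-x
other::r--
default:user::rwx
default:group::r-x
default:other::r-x
"""


def _perms(field):
    return {c for c in field if c in "rwx"}


def _fmt(perms):
    return "".join(c if c in perms else "-" for c in "rwx")


def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries are (tag, qualifier, perms)
    for the access ACL only, since default: entries do not govern access to the
    directory itself."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                owner = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                group = line.split(":", 1)[1].strip()
            continue
        if line.startswith("default:"):
            continue
        line = line.split("#", 1)[0].strip()   # drop a trailing "#effective:" note
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, _perms(perms)))
    return owner, group, entries


def effective_rights(text):
    """Map 'tag:qualifier' -> effective rwx string. The mask caps named users,
    the owning group and named groups; it never applies to user:: or other::."""
    _, _, entries = parse_getfacl(text)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    out = {}
    for tag, qualifier, perms in entries:
        masked = mask is not None and (tag == "group" or (tag == "user" and qualifier))
        out[f"{tag}:{qualifier}"] = _fmt(perms & mask if masked else perms)
    return out


def check_access(text, user, groups, wanted):
    """POSIX evaluation order: owner, then a matching named user, then any matching
    group entry (owning or named), then other. A matching user entry is final even
    when it denies; group entries are tried together and any one may grant."""
    owner, owning_group, entries = parse_getfacl(text)
    eff = {k: set(v.replace("-", "")) for k, v in effective_rights(text).items()}
    want = set(wanted)
    if user == owner:
        return want <= eff["user:"]
    for tag, qualifier, _ in entries:
        if tag == "user" and qualifier == user:
            return want <= eff[f"user:{qualifier}"]
    group_matched = False
    for tag, qualifier, _ in entries:
        if tag == "group" and (owning_group if qualifier == "" else qualifier) in groups:
            group_matched = True
            if want <= eff[f"group:{qualifier}"]:
                return True
    if group_matched:
        return False
    return want <= eff["other:"]


if __name__ == "__main__":
    for entry, rights in effective_rights(SAMPLE).items():
        print(f"{entry:<14} effective {rights}")
    print("john can write:", check_access(SAMPLE, "john", ["john"], "w"))
```

In the sample, john's entry reads rw- but the mask is r-x, so the effective rights are r--, and check_access confirms he cannot write; a member of admins gets r-x for the same reason, while the owner antony keeps rw- because the mask does not apply to the owning user entry.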
6.4.3. Mounting volumes with ACLs enabled
To mount a volume with ACLs enabled using the Native FUSE Client, use the acl mount option. For further information, see Section 6.1.3, “Mounting Red Hat Gluster Storage Volumes”.
ACLs are enabled by default on volumes mounted using the NFS and SMB access protocols. To check whether ACLs are enabled on other mounted volumes, see Section 6.4.4, “Checking ACL enablement on a mounted volume”.
6.4.4. Checking ACL enablement on a mounted volume
The following table shows you how to verify that ACLs are enabled on a mounted volume, based on the type of client your volume is mounted with.
Client type: Native FUSE
How to check:
Check the output of the mount command:
# mount | grep mountpoint
Check the output of the ps command; the glusterfs process should show the --acl option:
# ps aux | grep gluster
root 30548 0.0 0.7 548408 13868 ? Ssl 12:39 0:00 /usr/local/sbin/glusterfs --acl --volfile-server=127.0.0.2 --volfile-id=testvol /mnt/fuse_mnt
Further info: See Section 6.1, “Native Client” for more information.

Client type: Gluster Native NFS
How to check:
On the server side, check the output of the
On the client side, check the output of the
Further info: Refer to the output of

Client type: NFS Ganesha
How to check:
On the server side, check the volume's export configuration file,
NFS-Ganesha supports NFSv4 protocol standardized ACLs but not the NFSACL protocol used for NFSv3 mounts. Only NFSv4 mounts can set ACLs.
There is no option to disable NFSv4 ACLs on the client side, so as long as the server supports ACLs, clients can set ACLs on the mount point.
Further info: See Section 6.2.3, “NFS Ganesha” for more information. For client side settings, refer to the Red Hat Enterprise Linux Storage Administration Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/ch-nfs.html

Client type: SMB
How to check: POSIX ACLs are enabled by default when using Samba to access a Red Hat Gluster Storage volume.
Further info: See Section 6.3, “SMB” for more information.