6.4. POSIX Access Control Lists
Basic Linux file system permissions are assigned based on three user types: the owning user, members of the owning group, and all other users. POSIX Access Control Lists (ACLs) work around the limitations of this system by allowing administrators to also configure file and directory access permissions based on any user and any group, rather than just the owning user and group.
This section covers how to view and set access control lists, and how to ensure this feature is enabled on your Red Hat Gluster Storage volumes. For more detailed information about how ACLs work, see the Red Hat Enterprise Linux 7 System Administrator's Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Access_Control_Lists.html.
6.4.1. Setting ACLs with setfacl
The setfacl command lets you modify the ACLs of a specified file or directory. You can add access rules for a file with the -m subcommand, or remove access rules for a file with the -x subcommand. The basic syntax is as follows:
# setfacl subcommand access_rule file_path
The syntax of an access rule depends on which roles need to obey the rule.
- Rules for users start with u:
  # setfacl -m u:user:perms file_path
  For example, setfacl -m u:fred:rw /mnt/data gives the user fred read and write access to the /mnt/data directory. setfacl -x u::w /works_in_progress/my_presentation.txt prevents all users from writing to the /works_in_progress/my_presentation.txt file (except the owning user and members of the owning group, as these are controlled by POSIX).
- Rules for groups start with g:
  # setfacl -m g:group:perms file_path
  For example, setfacl -m g:admins:rwx /etc/fstab gives users in the admins group read, write, and execute permissions to the /etc/fstab file. setfacl -x g:newbies:x /mnt/harmful_script.sh prevents users in the newbies group from executing /mnt/harmful_script.sh.
- Rules for other users start with o:
  # setfacl -m o:perms file_path
  For example, setfacl -m o:r /mnt/data/public gives users without any specific rules about their username or group permission to read files in the /mnt/data/public directory.
- Rules for setting a maximum access level using an effective rights mask start with m:
  # setfacl -m m:mask file_path
  For example, setfacl -m m:r-x /mount/harmless_script.sh gives all users a maximum of read and execute access to the /mount/harmless_script.sh file.
You can set the default ACLs for a directory by adding d: to the beginning of any rule, or make a rule recursive with the -R option. For example, setfacl -Rm d:g:admins:rwx /etc gives all members of the admins group read, write, and execute access to any file created under the /etc directory after the point when setfacl is run.
6.4.2. Checking current ACLs with getfacl
The getfacl command lets you check the current ACLs of a file or directory. The syntax for this command is as follows:
# getfacl file_path
This prints a summary of current ACLs for that file. For example:
# getfacl /mnt/gluster/data/test/sample.jpg
# owner: antony
# group: antony
user::rw-
group::rw-
other::r--
If a directory has default ACLs set, these are prefixed with default:, like so:
# getfacl /mnt/gluster/data/doc
# owner: antony
# group: antony
user::rw-
user:john:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:antony:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
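The m: mask rule in Section 6.4.1 caps what named users and groups actually get, and getfacl shows the mask but leaves the arithmetic to you. The helper below, an added example rather than part of this guide, computes the effective rights of one ACL entry from a getfacl listing on stdin; the SAMPLE_ACL listing is constructed for the example, and the acl_effective function name is this example's own.

```shell
#!/bin/sh
# Constructed getfacl listing, modelled on the /mnt/gluster/data/doc example
# above, so the helper runs without a Gluster mount.
SAMPLE_ACL='# file: doc
# owner: antony
# group: antony
user::rw-
user:john:rw-
group::r--
group:admins:rwx
mask::r--
other::r--'

# acl_effective <tag:qualifier>   (getfacl output on stdin)
# Prints the rights the kernel actually grants for one ACL entry, e.g.
# "user:john" or "group:admins": named users, the owning group and named
# groups are ANDed with the mask entry; the owner ("user:") and "other:"
# entries are never masked. Prints "none" if the entry does not exist.
acl_effective() {
    awk -v want="$1" '
        /^#/ { next }                           # header comment lines
        { sub(/[[:space:]]*#.*/, "")            # drop "#effective:" annotations
          split($0, f, ":") }                   # tag:qualifier:perms
        (f[1] ":" f[2]) == want {
            perms = f[3]
            masked = !(f[1] == "user" && f[2] == "") && f[1] != "other"
        }
        f[1] == "mask" { mask = f[3] }
        END {
            if (perms == "") { print "none"; exit }
            if (!masked || mask == "") { print perms; exit }
            out = ""
            for (i = 1; i <= 3; i++) {          # r, w, x positions
                p = substr(perms, i, 1)
                out = out ((p != "-" && p == substr(mask, i, 1)) ? p : "-")
            }
            print out
        }'
}

printf '%s\n' "$SAMPLE_ACL" | acl_effective user:john      # r--  (rw- masked by r--)
printf '%s\n' "$SAMPLE_ACL" | acl_effective group:admins   # r--  (rwx masked by r--)
printf '%s\n' "$SAMPLE_ACL" | acl_effective user:          # rw-  (owner is not masked)
```

On a live mount, pipe real output in with getfacl file_path | acl_effective user:name.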
6.4.3. Mounting volumes with ACLs enabled
To mount a volume with ACLs enabled using the Native FUSE Client, use the acl mount option. For further information, see Section 6.1.3, “Mounting Red Hat Gluster Storage Volumes”.
ACLs are enabled by default on volumes mounted using the NFS and SMB access protocols. To check whether ACLs are enabled on other mounted volumes, see Section 6.4.4, “Checking ACL enablement on a mounted volume”.
6.4.4. Checking ACL enablement on a mounted volume
The following entries show you how to verify that ACLs are enabled on a mounted volume, based on the type of client your volume is mounted with.

Client type: Native FUSE
How to check:
Check the output of the mount command for the default_permissions option:
# mount | grep mountpoint
If default_permissions appears in the output for a mounted volume, ACLs are not enabled on that volume.
Check the output of the ps aux command for the gluster FUSE mount process (glusterfs):
# ps aux | grep gluster
root 30548 0.0 0.7 548408 13868 ? Ssl 12:39 0:00 /usr/local/sbin/glusterfs --acl --volfile-server=127.0.0.2 --volfile-id=testvol /mnt/fuse_mnt
If --acl appears in the output for a mounted volume, ACLs are enabled on that volume.
Further info: See Section 6.1, “Native Client” for more information.

Client type: Gluster Native NFS
How to check:
On the server side, check the output of the gluster volume info volname command. If nfs.acl appears in the output, that volume has ACLs disabled. If nfs.acl does not appear, ACLs are enabled (the default state).
On the client side, check the output of the mount command for the volume. If noacl appears in the output, ACLs are disabled on the mount point. If this does not appear in the output, the client checks that the server uses ACLs, and uses ACLs if server support is enabled.
Further info: Refer to the output of gluster volume set help pertaining to NFS, or see the Red Hat Enterprise Linux Storage Administration Guide for more information: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/ch-nfs.html

Client type: NFS Ganesha
How to check:
On the server side, check the volume's export configuration file, /run/gluster/shared_storage/nfs-ganesha/exports/export.volname.conf. If the Disable_ACL option is set to true, ACLs are disabled. Otherwise, ACLs are enabled for that volume.
Note
NFS-Ganesha supports NFSv4 protocol standardized ACLs but not the NFSACL protocol used for NFSv3 mounts. Only NFSv4 mounts can set ACLs.
There is no option to disable NFSv4 ACLs on the client side, so as long as the server supports ACLs, clients can set ACLs on the mount point.
Further info: See Section 6.2.3, “NFS Ganesha” for more information. For client side settings, refer to the Red Hat Enterprise Linux Storage Administration Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/ch-nfs.html

Client type: Samba
How to check: POSIX ACLs are enabled by default when using Samba to access a Red Hat Gluster Storage volume.
Further info: See Section 6.3, “SMB” for more information.
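The checks above are easy to get wrong by hand when a host carries several Gluster mounts, because the mount line and the glusterfs process line must be matched to the same mountpoint. This added example (not part of this guide) encodes the FUSE and NFS-Ganesha checks as shell functions over constructed sample output; the SAMPLE_* variables and the fuse_acl_state and ganesha_acl_state function names are this example's own.

```shell
#!/bin/sh
# Constructed sample lines, modelled on the mount / ps aux output shown
# above (not captured from a real system).
SAMPLE_MOUNT='127.0.0.2:testvol on /mnt/fuse_mnt type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)
127.0.0.2:aclvol on /mnt/acl_mnt type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,allow_other,max_read=131072)'
SAMPLE_PS='root 30548 0.0 0.7 548408 13868 ? Ssl 12:39 0:00 /usr/local/sbin/glusterfs --acl --volfile-server=127.0.0.2 --volfile-id=aclvol /mnt/acl_mnt
root 30612 0.0 0.7 548408 13868 ? Ssl 12:41 0:00 /usr/local/sbin/glusterfs --volfile-server=127.0.0.2 --volfile-id=testvol /mnt/fuse_mnt'
# Constructed NFS-Ganesha export block with ACLs switched off.
SAMPLE_EXPORT='EXPORT {
    Export_Id = 2;
    Path = "/testvol";
    Disable_ACL = true;
}'

# fuse_acl_state <mountpoint> <mount output> <ps output>
# Combines both FUSE checks: "disabled" if the mount line carries
# default_permissions, otherwise "enabled" only if the glusterfs process
# serving that exact mountpoint was started with --acl.
fuse_acl_state() {
    mp=$1; mount_out=$2; ps_out=$3
    mline=$(printf '%s\n' "$mount_out" | grep -F " on $mp type fuse.glusterfs") \
        || { echo not-mounted; return 0; }
    pline=$(printf '%s\n' "$ps_out" | grep -E "glusterfs .* $mp\$") || pline=""
    case "$mline" in *default_permissions*) echo disabled; return 0 ;; esac
    case " $pline " in *" --acl "*) echo enabled ;; *) echo disabled ;; esac
}

# ganesha_acl_state <export.conf contents>
# ACLs are disabled only when Disable_ACL is set to true in the export block.
ganesha_acl_state() {
    if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*Disable_ACL[[:space:]]*=[[:space:]]*true[[:space:]]*;'; then
        echo disabled
    else
        echo enabled
    fi
}

fuse_acl_state /mnt/fuse_mnt "$SAMPLE_MOUNT" "$SAMPLE_PS"   # disabled
fuse_acl_state /mnt/acl_mnt "$SAMPLE_MOUNT" "$SAMPLE_PS"    # enabled
ganesha_acl_state "$SAMPLE_EXPORT"                          # disabled
```

On a live host, pass "$(mount)" and "$(ps aux)" in place of the sample variables, or the contents of the export.volname.conf file for the Ganesha check.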