| 1 | +<?xml version='1.0' encoding='UTF-8'?> |
| 2 | +<!-- This document was created with Syntext Serna Free. --><!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "docbookV4.5/docbookx.dtd" []> |
| 3 | +<chapter id="chap-Administration_Guide-ACLs"> |
| 4 | + <title>POSIX Access Control Lists </title> |
| 5 | + <para>POSIX Access Control Lists (ACLs) allows you to assign different permissions for different users or |
| 6 | +groups even though they do not correspond to the original owner or the owning group. |
| 7 | + </para> |
| 8 | + <para>For example: User john creates a file but does not want to allow anyone to do anything with this |
| 9 | +file, except another user, antony (even though there are other users that belong to the group john). |
| 10 | +</para> |
| 11 | + <para>This means, in addition to the file owner, the file group, and others, additional users and groups can |
| 12 | +be granted or denied access by using POSIX ACLs. |
| 13 | +</para> |
| 14 | + <section id="sect-Administration_Guide-ACLs-Activating_ACLs"> |
| 15 | + <title>Activating POSIX ACLs Support </title> |
| 16 | + <para>To use POSIX ACLs for a file or directory, the partition of the file or directory must be mounted with |
| 17 | +POSIX ACLs support. |
| 18 | +</para> |
| 19 | + <section id="sect-Administration_Guide-ACLs-Activating_ACLs-Server"> |
| 20 | + <title>Activating POSIX ACLs Support on Sever </title> |
| 21 | + <para>To mount the backend export directories for POSIX ACLs support, use the following command: |
| 22 | +</para> |
| 23 | + <para><command># mount -o acl <replaceable>device-name</replaceable><replaceable>partition</replaceable></command> |
| 24 | +</para> |
| 25 | + <para>For example: |
| 26 | +</para> |
| 27 | + <para><command># mount -o acl /dev/sda1 /export1 </command></para> |
| 28 | + <para>Alternatively, if the partition is listed in the /etc/fstab file, add the following entry for the partition |
| 29 | +to include the POSIX ACLs option: |
| 30 | +</para> |
| 31 | + <para><command>LABEL=/work /export1 ext3 rw, acl 14 </command></para> |
| 32 | + </section> |
| 33 | + <section> |
| 34 | + <title>Activating POSIX ACLs Support on Client </title> |
| 35 | + <para>To mount the glusterfs volumes for POSIX ACLs support, use the following command: |
| 36 | +</para> |
| 37 | + <para><command># mount –t glusterfs -o acl <replaceable>severname:volume-id</replaceable><replaceable>mount point</replaceable></command> |
| 38 | +</para> |
| 39 | + <para>For example: |
| 40 | +</para> |
| 41 | + <para><command># mount -t glusterfs -o acl 198.192.198.234:glustervolume /mnt/gluster</command> |
| 42 | +</para> |
| 43 | + </section> |
| 44 | + </section> |
| 45 | + <section> |
| 46 | + <title>Setting POSIX ACLs </title> |
| 47 | + <para>You can set two types of POSIX ACLs, that is, access ACLs and default ACLs. You can use |
| 48 | +access ACLs to grant permission for a specific file or directory. You can use default ACLs only |
| 49 | +on a directory but if a file inside that directory does not have an ACLs, it inherits the permissions of |
| 50 | +the default ACLs of the directory. |
| 51 | +</para> |
| 52 | + <para>You can set ACLs for per user, per group, for users not in the user group for the file, and via the |
| 53 | +effective right mask. |
| 54 | +</para> |
| 55 | + <section> |
| 56 | + <title>Setting Access ACLs </title> |
| 57 | + <para>You can apply access ACLs to grant permission for both files and directories. |
| 58 | +</para> |
| 59 | + <para><emphasis role="bold">To set or modify Access ACLs</emphasis> |
| 60 | +</para> |
| 61 | + <para>You can set or modify access ACLs use the following command: |
| 62 | +</para> |
| 63 | + <para><command># setfacl –m <replaceable>entry type</replaceable> file </command></para> |
| 64 | + <para>The ACL entry types are the POSIX ACLs representations of owner, group, and other. |
| 65 | +</para> |
| 66 | + <para>Permissions must be a combination of the characters <command>r</command> (read), <command>w</command> (write), and <command>x</command> (execute). You must |
| 67 | +specify the ACL entry in the following format and can specify multiple entry types separated by |
| 68 | +commas. |
| 69 | +</para> |
| 70 | + <informaltable frame="all"> |
| 71 | + <tgroup cols="2"> |
| 72 | + <colspec colname="c1"/> |
| 73 | + <colspec colname="c2"/> |
| 74 | + <thead> |
| 75 | + <row> |
| 76 | + <entry>ACL Entry</entry> |
| 77 | + <entry>Description</entry> |
| 78 | + </row> |
| 79 | + </thead> |
| 80 | + <tbody> |
| 81 | + <row> |
| 82 | + <entry>u:uid:<permission> </entry> |
| 83 | + <entry>Sets the access ACLs for a user. You can specify user name or UID </entry> |
| 84 | + </row> |
| 85 | + <row> |
| 86 | + <entry>g:gid:<permission> </entry> |
| 87 | + <entry>Sets the access ACLs for a group. You can specify group name or GID. </entry> |
| 88 | + </row> |
| 89 | + <row> |
| 90 | + <entry>m:<permission> </entry> |
| 91 | + <entry>Sets the effective rights mask. The mask is the combination of all access permissions of the owning group and all of the user and group entries. </entry> |
| 92 | + </row> |
| 93 | + <row> |
| 94 | + <entry>o:<permission> </entry> |
| 95 | + <entry>Sets the access ACLs for users other than the ones in the group for the file. </entry> |
| 96 | + </row> |
| 97 | + </tbody> |
| 98 | + </tgroup> |
| 99 | + </informaltable> |
| 100 | + <para>If a file or directory already has an POSIX ACLs, and the setfacl command is used, the additional |
| 101 | +permissions are added to the existing POSIX ACLs or the existing rule is modified. |
| 102 | +</para> |
| 103 | + <para>For example, to give read and write permissions to user antony: |
| 104 | +</para> |
| 105 | + <para><command># setfacl -m u:antony:rw /mnt/gluster/data/testfile </command></para> |
| 106 | + </section> |
| 107 | + <section> |
| 108 | + <title>Setting Default ACLs </title> |
| 109 | + <para>You can apply default ACLs only to directories. They determine the permissions of a file system |
| 110 | +objects that inherits from its parent directory when it is created. |
| 111 | +</para> |
| 112 | + <para>To set default ACLs |
| 113 | +</para> |
| 114 | + <para>You can set default ACLs for files and directories using the following command: |
| 115 | +</para> |
| 116 | + <para><command># setfacl –m –-set <replaceable>entry type directory</replaceable></command> |
| 117 | +</para> |
| 118 | + <para>For example, to set the default ACLs for the /data directory to read for users not in the user group: |
| 119 | +</para> |
| 120 | + <para><command># setfacl –m --set o::r /mnt/gluster/data </command></para> |
| 121 | + <para><note> |
| 122 | + <para>An access ACLs set for an individual file can override the default ACLs permissions. |
| 123 | +</para> |
| 124 | + </note></para> |
| 125 | + <para><emphasis role="bold">Effects of a Default ACLs </emphasis></para> |
| 126 | + <para>The following are the ways in which the permissions of a directory's default ACLs are passed to the |
| 127 | +files and subdirectories in it: |
| 128 | +</para> |
| 129 | + <itemizedlist> |
| 130 | + <listitem> |
| 131 | + <para>A subdirectory inherits the default ACLs of the parent directory both as its default ACLs and as an |
| 132 | +access ACLs. |
| 133 | +</para> |
| 134 | + </listitem> |
| 135 | + <listitem> |
| 136 | + <para>A file inherits the default ACLs as its access ACLs. |
| 137 | +</para> |
| 138 | + </listitem> |
| 139 | + </itemizedlist> |
| 140 | + </section> |
| 141 | + </section> |
| 142 | + <section> |
| 143 | + <title>Retrieving POSIX ACLs </title> |
| 144 | + <para>You can view the existing POSIX ACLs for a file or directory. |
| 145 | +</para> |
| 146 | + <para><emphasis role="bold">To view existing POSIX ACLs </emphasis></para> |
| 147 | + <itemizedlist> |
| 148 | + <listitem> |
| 149 | + <para>View the existing access ACLs of a file using the following command: |
| 150 | +</para> |
| 151 | + <para><command># getfacl <replaceable>path/filename</replaceable></command> |
| 152 | +</para> |
| 153 | + <para>For example, to view the existing POSIX ACLs for sample.jpg |
| 154 | +</para> |
| 155 | + <programlisting># getfacl /mnt/gluster/data/test/sample.jpg |
| 156 | +# owner: antony |
| 157 | +# group: antony |
| 158 | +user::rw- |
| 159 | +group::rw- |
| 160 | +other::r--</programlisting> |
| 161 | + </listitem> |
| 162 | + <listitem> |
| 163 | + <para>View the default ACLs of a directory using the following command: |
| 164 | +</para> |
| 165 | + <para><command># getfacl <replaceable>directory name</replaceable></command></para> |
| 166 | + <para>For example, to view the existing ACLs for /data/doc |
| 167 | +</para> |
| 168 | + <programlisting># getfacl /mnt/gluster/data/doc |
| 169 | +# owner: antony |
| 170 | +# group: antony |
| 171 | +user::rw- |
| 172 | +user:john:r-- |
| 173 | +group::r-- |
| 174 | +mask::r-- |
| 175 | +other::r-- |
| 176 | +default:user::rwx |
| 177 | +default:user:antony:rwx |
| 178 | +default:group::r-x |
| 179 | +default:mask::rwx |
| 180 | +default:other::r-x</programlisting> |
| 181 | + </listitem> |
| 182 | + </itemizedlist> |
| 183 | + </section> |
| 184 | + <section> |
| 185 | + <title>Removing POSIX ACLs </title> |
| 186 | + <para>To remove all the permissions for a user, groups, or others, use the following command: |
| 187 | +</para> |
| 188 | + <para><command># setfacl -x <replaceable>ACL entry type file</replaceable></command></para> |
| 189 | + <para>For example, to remove all permissions from the user antony: |
| 190 | +</para> |
| 191 | + <para><command># setfacl -x u:antony /mnt/gluster/data/test-file</command></para> |
| 192 | + </section> |
| 193 | + <section> |
| 194 | + <title>Samba and ACLs </title> |
| 195 | + <para>If you are using Samba to access GlusterFS FUSE mount, then POSIX ACLs are enabled by default. |
| 196 | +Samba has been compiled with the <command>--with-acl-support</command> option, so no special flags are required |
| 197 | +when accessing or mounting a Samba share. |
| 198 | +</para> |
| 199 | + </section> |
| 200 | + <section> |
| 201 | + <title>NFS and ACLs </title> |
| 202 | + <para>Currently we do not support ACLs configuration through NFS, i.e. setfacl and getfacl commands do |
| 203 | +not work. However, ACLs permissions set using Gluster Native Client applies on NFS mounts. |
| 204 | +</para> |
| 205 | + </section> |
| 206 | +</chapter> |
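Review bot: the ACL Entry table rows `u:uid:<permission>` and `g:gid:<permission>` contain a raw `<`, which the XML parser reads as an unescaped start tag with no matching close, so this chapter is not well-formed and the DocBook build will fail; write them as `u:uid:&lt;permission&gt;` or, matching the rest of the file, wrap the placeholder as `<replaceable>permission</replaceable>`. The default-ACL synopsis `setfacl –m –-set entry type directory` and its example `setfacl –m --set o::r /mnt/gluster/data` also do not do what the section says: `--set` replaces the whole ACL instead of modifying it, and neither form carries the default flag, so the example either fails (a replacement ACL must still contain owner, group and other entries) or alters the access ACL of the directory rather than its default ACL; the form that sets a default entry is `setfacl -d -m o::r /mnt/gluster/data` (equivalently `setfacl -m d:o::r /mnt/gluster/data`). Smaller copy-and-paste problems in the same hunk: several commands use an en dash (`–t`, `–m`) where a hyphen is needed, the two `<replaceable>` placeholders in both mount synopses are run together with no separating space, `severname` should read `servername`, and the fstab line `LABEL=/work /export1 ext3 rw, acl 14` has a space inside the options field, which shifts every following column (the options must be written `rw,acl`, followed by separate dump and fsck-pass numbers). Finally, the mask description in the table is worth tightening: the mask is an upper bound that is ANDed with the effective permissions of named users, the owning group and named groups (a mask of `r--` silently drops the `w` from `user:john:rw-`), and the "combination of all permissions" wording only describes the value setfacl recomputes when no mask is given explicitly.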