Re: Tools/mechanisms for the management of access permissions in big filebased datasets




On Wed, 28 Nov 2018, Warren Young wrote:

> Who here uses ACLs to good effect? Are you using more than just getfacl/setfacl to do it?

We use NFSv4 ACLs on Lustre and Isilon filesystems, so we employ nfs4_getfacl and nfs4_setfacl -- but all of our work is done on the command line, not via a GUI and larger management tool.

Our best practice is to script up the ACLs so they can be reapplied in case they get deleted or inappropriately changed. My current scripting logic usually writes the desired ACLs to temp files and deploys them in one swoop.

Take the following case:

owner: bob
read-write group: boblab
read-only group: alicelab
target directory: /srv/group/boblab

A skeleton version of the script would look something like this:

# define directory-level ACL and write to temp file
cat <<__DIRACL__ > /tmp/diracl
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:fdg:boblab@xxxxxxxxxx:RWX
A:fdg:alicelab@xxxxxxxxxx:RX
__DIRACL__

# define file-level ACL and write to temp file
cat <<__FILEACL__ > /tmp/fileacl
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:g:boblab@xxxxxxxxxx:RWX
A:g:alicelab@xxxxxxxxxx:RX
__FILEACL__

# apply ownership, perms, and ACLs.
chown -R bob:boblab /srv/group/boblab
chmod -R ug+rw,o-rwx /srv/group/boblab
find /srv/group/boblab -type d \
  -exec nfs4_setfacl -S /tmp/diracl {} \;
find /srv/group/boblab -type f \
  -exec nfs4_setfacl -S /tmp/fileacl {} \;


Once the directory ACLs are applied, any new files created within those directories should inherit the proper ACLs.

--
Paul Heinlein
heinlein@xxxxxxxxxx
45°38' N, 122°6' W
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
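The post's reason for scripting ACLs is that they can be reapplied when they are deleted or changed. An added example (not code from the post or from the list) of the matching detection side: a small Python check that parses ACE lines in the type:flags:principal:perms form shown above, expands the R/W/X aliases the spec files use, and reports which ACEs are missing or unexpected compared with what nfs4_getfacl reports. The alias expansion follows my reading of nfs4_acl(5) and is an assumption; the domain example.com and the sample getfacl dump are constructed.

```python
# Added example, not from the post: a drift check for the scripted-ACL approach.
# It parses nfs4_getfacl-style ACE lines (type:flags:principal:perms), expands
# the R/W/X aliases used in the spec files, and reports ACEs that are missing
# or unexpected. Alias expansion is my reading of nfs4_acl(5): an assumption.
ALIASES = {"R": "rntcy", "W": "watTNcCy", "X": "xtcy"}  # W also gains D on dirs


def expand_perms(perms, is_dir):
    """Expand R/W/X aliases and return the permission letters in canonical order."""
    letters = {c for p in perms for c in ALIASES.get(p, p)}
    if "W" in perms and is_dir:
        letters.add("D")
    return "".join(sorted(letters))


def parse_acl(text, is_dir):
    """Return the set of canonical 'type:flags:principal:perms' ACE strings.
    Accepts both the spec files and nfs4_getfacl output ('# file:' lines skipped)."""
    aces = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, flags, principal, perms = line.split(":", 3)
        aces.add(f"{kind}:{''.join(sorted(flags))}:{principal}:{expand_perms(perms, is_dir)}")
    return aces


def acl_drift(desired_text, actual_text, is_dir):
    """Return (missing, unexpected): ACEs absent from the target / not in the spec."""
    desired, actual = parse_acl(desired_text, is_dir), parse_acl(actual_text, is_dir)
    return sorted(desired - actual), sorted(actual - desired)


# Constructed sample: the directory spec from the post with a placeholder domain...
DESIRED_DIR = """\
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:fdg:boblab@example.com:RWX
A:fdg:alicelab@example.com:RX
"""
# ...and a constructed nfs4_getfacl dump where alicelab's ACE has been removed
# and an allow entry for an unlisted user has appeared.
ACTUAL_DIR = """\
# file: /srv/group/boblab
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:fdg:boblab@example.com:rwaDxtTnNcCy
A::mallory@example.com:rwatTnNcy
"""

if __name__ == "__main__":
    missing, unexpected = acl_drift(DESIRED_DIR, ACTUAL_DIR, is_dir=True)
    print("missing:", missing)        # alicelab's RX entry
    print("unexpected:", unexpected)  # mallory's write entry
```

In practice the ACTUAL_DIR text would come from running nfs4_getfacl on each directory found by the same find invocation the script uses, and a non-empty result is the cue to re-run the apply step.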