On Wed, 28 Nov 2018, Warren Young wrote:
> Who here uses ACLs to good effect? Are you using more than just
> getfacl/setfacl to do it?
We use NFSv4 ACLs on Lustre and Isilon filesystems, so we employ
nfs4_getfacl and nfs4_setfacl -- but all of our work is done on the
command line, not via a GUI and larger management tool.
Our best practice is to script up the ACLs so they can be reapplied in
case they get deleted or inappropriately changed. My current scripting
logic usually writes the desired ACLs to temp files and deploys them
in one swoop.
Take the following case:
owner: bob
read-write group: boblab
read-only group: alicelab
target directory: /srv/group/boblab
A skeleton version of the script would look something like this:
# define directory-level ACL and write to temp file
cat <<__DIRACL__ > /tmp/diracl
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:fdg:boblab@xxxxxxxxxx:RWX
A:fdg:alicelab@xxxxxxxxxx:RX
__DIRACL__
# define file-level ACL and write to temp file
cat <<__FILEACL__ > /tmp/fileacl
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:g:boblab@xxxxxxxxxx:RWX
A:g:alicelab@xxxxxxxxxx:RX
__FILEACL__
# apply ownership, perms, and ACLs.
chown -R bob:boblab /srv/group/boblab
chmod -R ug+rw,o-rwx /srv/group/boblab
find /srv/group/boblab -type d \
-exec nfs4_setfacl -S /tmp/diracl {} \;
find /srv/group/boblab -type f \
-exec nfs4_setfacl -S /tmp/fileacl {} \;
Once the directory ACLs are applied, any new files created within
those directories should inherit the proper ACLs.
--
Paul Heinlein
heinlein@xxxxxxxxxx
45°38' N, 122°6' W
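Added example, not from Paul's message or from nfs4-acl-tools: a POSIX sh drift check for the "deleted or inappropriately changed" case the reapply script exists for. It snapshots the ACL that nfs4_getfacl reports right after the deployment script has run, then audits the tree against those snapshots, so nfs4_setfacl's R/W/X aliases in /tmp/diracl never have to be expanded. GETFACL is an assumed override hook (defaulting to the real nfs4_getfacl) so the logic can be exercised without an NFSv4 mount; the baseline paths in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not part of the original message.
# Drift check for NFSv4 ACLs: snapshot a known-good ACL with nfs4_getfacl,
# then audit a tree against the snapshots and list paths whose ACL changed.
# GETFACL is an assumed override hook so the functions can be tested
# without an NFSv4 mount; it defaults to the real nfs4_getfacl.
GETFACL="${GETFACL:-nfs4_getfacl}"

# acl_normalize: canonical ACL text from stdin. Removes whitespace,
# nfs4_getfacl's "# file: ..." header and blank lines. ACE order is kept
# on purpose: NFSv4 evaluates ACEs in order, so a reordered ACL is a change.
acl_normalize() {
    sed -e 's/[[:space:]]//g' -e '/^#/d' -e '/^$/d'
}

# snapshot_acl PATH OUTFILE: record PATH's current ACL as a baseline.
# Run this right after the deployment script, when the ACL is known good.
snapshot_acl() {
    "$GETFACL" "$1" | acl_normalize > "$2"
}

# acl_matches BASELINE PATH: 0 if PATH's ACL still equals BASELINE, else 1.
acl_matches() {
    "$GETFACL" "$2" | acl_normalize | cmp -s "$1" -
}

# audit_tree ROOT DIRBASE FILEBASE: check every directory under ROOT against
# DIRBASE and every regular file against FILEBASE. Prints each drifted path
# and returns 1 if any drifted, 0 if the whole tree still matches.
# Paths are read in-process (not via find -exec) so GETFACL may be a function.
audit_tree() {
    root=$1; dirbase=$2; filebase=$3
    drifted=$(find "$root" \( -type d -o -type f \) -print |
        while IFS= read -r p; do
            if [ -d "$p" ]; then base=$dirbase; else base=$filebase; fi
            acl_matches "$base" "$p" || printf '%s\n' "$p"
        done)
    [ -z "$drifted" ] && return 0
    printf '%s\n' "$drifted"
    return 1
}

# Typical use after the deployment script (baseline paths are constructed):
#   snapshot_acl /srv/group/boblab /var/lib/aclbase/boblab.dir
#   snapshot_acl /srv/group/boblab/somefile /var/lib/aclbase/boblab.file
#   audit_tree /srv/group/boblab /var/lib/aclbase/boblab.dir /var/lib/aclbase/boblab.file
```

A non-zero exit from audit_tree is the cue to rerun the nfs4_setfacl -S lines from the deployment script on the listed paths.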