Alpha supports the use of Access Control List (ACL) entries to permit specific other users to interact with your data. ACLs provide robust and fine-grained access control that goes well beyond the capabilities of simple POSIX file/directory permissions.
The commands for managing ACL entries differ between /mnt/luster and /mnt/home.
Managing ACLs on /mnt/home
ACLs on /mnt/home are managed through the commands `nfs4_setfacl` and `nfs4_getfacl`. One significant caveat for ACLs on /mnt/home is that they must use UID numbers and NOT usernames. See the following workflow for a basic overview:
Example: Allow another user to view your home directory
Step 1: Identify the UID of the user you want to share with by using the "id -u" command. This will print the UID number of the user on the next line.
[kmclennan@alpha1 ~] id -u kmclennan
1029
Step 2: Add the ACL to grant UID 1029 Read and eXecute permissions on $HOME
[kmclennan@alpha1 ~] nfs4_setfacl -a "A::1029:RX" $HOME
Step 3: Verify the new ACL
[kmclennan@alpha1 ~] nfs4_getfacl $HOME
# file: /mnt/home/kmclennan
A::1029:rxtncy
A::OWNER@:rwaDxtTnNcy
A:g:GROUP@:
A::EVERYONE@:
Example: Allow another user to view all contents of your home
To accomplish this, you will need to do 2 things: modify the existing ACLs recursively, and then set new inherited ACLs.
Step 1: Identify the UID of the user you want to share with by using the "id -u" command. This will print the UID number of the user on the next line.
[kmclennan@alpha1 ~] id -u kmclennan
1029
Step 2: Recursively modify existing ACL entries to permit this user access to files/directories.
[kmclennan@alpha1 ~] nfs4_setfacl -R -a "A::1029:RX" $HOME
Step 3: Add new default directory/file ACL entries. The 'fdi' flags in these commands mark the entry as file-inherit (f), directory-inherit (d) and inherit-only (i), so that it gets carried forward on newly created files and directories rather than changing access to $HOME itself.
# Add entries to make yourself have inherited RWX permissions and your group have RX
[kmclennan@alpha1 ~] nfs4_setfacl -a "A:fdi:OWNER@:RWX" $HOME
[kmclennan@alpha1 ~] nfs4_setfacl -a "A:gfdi:GROUP@:RX" $HOME
# Add an entry so that UID 1029 has inherited RX permissions
[kmclennan@alpha1 ~] nfs4_setfacl -a "A:fdi:1029:RX" $HOME
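An added example (not part of the original article) for checking the result of the steps above: a shell function that reads `nfs4_getfacl` output and lists every ALLOW entry granted to someone other than OWNER@, showing whether it is inherited and whether it carries any write-class permission. The function name `audit_acl`, UID 2044 and the two extra sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage on the cluster: nfs4_getfacl "$HOME" | audit_acl
# Prints: <kind> <principal> <scope> <permissions> <read-only|WRITE>
# Exit status is 1 if any listed entry carries a write-class permission.
audit_acl() {
    awk -F: '
        /^#/ || NF < 4 { next }   # skip the "# file:" header and blank lines
        $1 != "A"      { next }   # only ALLOW entries grant access
        $3 == "OWNER@" { next }   # the owner is expected to have access
        $4 == ""       { next }   # an empty permission mask grants nothing
        {
            kind = ($2 ~ /g/) ? "gid" : "uid"
            if ($3 ~ /@$/) kind = "special"          # GROUP@ or EVERYONE@
            # f/d = inherited by new files/directories, i = inherit-only
            scope = ($2 !~ /[fd]/) ? "self" : (($2 ~ /i/) ? "inherit-only" : "inherited+self")
            # write-class bits: w a d D T N C o (see nfs4_acl(5))
            risk = ($4 ~ /[wadDTNCo]/) ? "WRITE" : "read-only"
            if (risk == "WRITE") bad = 1
            printf "%s %s %s %s %s\n", kind, $3, scope, $4, risk
        }
        END { exit bad + 0 }'
}

# Constructed sample: the listing from the first example above plus two
# constructed entries (the inherited grant and a write-capable grant to UID 2044).
audit_acl <<'EOF' || echo "write-capable grant present: review it"
# file: /mnt/home/kmclennan
A::1029:rxtncy
A:fdi:1029:rxtncy
A:fd:2044:rwaDxtTnNcy
A::OWNER@:rwaDxtTnNcy
A:g:GROUP@:
A::EVERYONE@:
EOF
```

Because a recursive RX grant covers everything under $HOME, running this against directories that hold credentials (for example `~/.ssh`) shows exactly which UIDs can now read them.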
More information about NFS4 ACLs can be found at: https://linux.die.net/man/5/nfs4_acl