NFS 4 ACL Tool

Table of Contents
- [1] Install the NFS 4 ACL tools on NFS clients that mount the share with NFSv4.
- [2] This example uses the following environment.
- [3] Show the ACL of a file or directory on an NFSv4 filesystem.
- [4] Add or delete an ACE.
- [5] Edit the ACL directly
- [6] Add ACEs from a file
- [7] Replace the current ACEs with new ACEs from a file
- [8] Replace a specific ACE with a new ACE
[1] Install the NFS 4 ACL tools on NFS clients that mount the share with NFSv4.
yum -y install nfs4-acl-tools
[2] This example uses the following environment.
df -hT /mnt
Filesystem Type Size Used Avail Use% Mounted on
nfs.client.local:/var/lib/nfs/share nfs4 71G 1.3G 70G 2% /mnt
ll /mnt
[3] Show the ACL of a file or directory on an NFSv4 filesystem.
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
nfs4_getfacl /mnt/testdir
# file: /mnt/testdir
A::OWNER@:rwaDxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
# each entry has the following form
# ACE = Access Control Entry
# (ACE Type):(ACE Flags):(ACE Principal):(ACE Permissions)

| Field | Value | Description |
| --- | --- | --- |
| ACE Type | A | Allow: the entry allows the listed accesses. |
| ACE Type | D | Deny: the entry denies the listed accesses. |
| ACE Flags | d | Directory-Inherit: a new sub-directory inherits the same ACE. |
| ACE Flags | f | File-Inherit: a new file inherits the same ACE but not the inheritance flags. |
| ACE Flags | n | No-Propagate-Inherit: a new sub-directory inherits the same ACE but not the inheritance flags. |
| ACE Flags | i | Inherit-Only: new files and sub-directories inherit the same ACE, but the ACE does not apply to this directory itself. |
| ACE Principal | (USER)@(NFSDomain) | A regular user. [NFSDomain] is simply the domain name set as the [Domain] value in [idmapd.conf]. |
| ACE Principal | (GROUP)@(NFSDomain) | A regular group. For a group principal, set the [g] flag, like this: A:g:GROUP@NFSDomain:rxtncy |
| ACE Principal | OWNER@ | Special principal: the owner |
| ACE Principal | GROUP@ | Special principal: the owning group |
| ACE Principal | EVERYONE@ | Special principal: everyone |
| ACE Permissions | r | Read data of files / List files in a directory |
| ACE Permissions | w | Write data to files / Create new files in a directory |
| ACE Permissions | a | Append data to files / Create a new sub-directory |
| ACE Permissions | x | Execute files / Change into a directory |
| ACE Permissions | d | Delete files or directories |
| ACE Permissions | D | Delete files or sub-directories under the directory |
| ACE Permissions | t | Read attributes of files or directories |
| ACE Permissions | T | Write attributes of files or directories |
| ACE Permissions | n | Read named attributes of files or directories |
| ACE Permissions | N | Write named attributes of files or directories |
| ACE Permissions | c | Read the ACL of files or directories |
| ACE Permissions | C | Write the ACL of files or directories |
| ACE Permissions | o | Change ownership of files or directories |
| ACE Permission Aliases | R | R = rntcy : Generic Read (aliases can be used with nfs4_setfacl in place of the permission letters) |
| ACE Permission Aliases | W | W = watTNcCy : Generic Write |
| ACE Permission Aliases | X | X = xtcy : Generic Execute |
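As an added example, not part of the original page or of the nfs4-acl-tools project, the following Python parses nfs4_getfacl output in the (Type):(Flags):(Principal):(Permissions) form described above, expands the R/W/X aliases from the table, and flags Allow entries that hand write-like bits to the broad principals EVERYONE@ or GROUP@. The sample output and the WRITE_LIKE bit set are constructed for this example; the audit policy is the example's own, not something the tool provides.

```python
"""Parse nfs4_getfacl output and flag broad write-like ACEs (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Permission aliases as documented for nfs4_setfacl (R, W, X in the table above).
ALIASES = {"R": "rntcy", "W": "watTNcCy", "X": "xtcy"}
# Bits that let a principal modify data, attributes, the ACL or ownership
# (this selection is the example's own audit policy, not part of the tool).
WRITE_LIKE = set("wadDTNCo")


@dataclass
class ACE:
    type: str       # 'A' (Allow) or 'D' (Deny)
    flags: str      # inheritance flags d/f/n/i, or g for a group principal
    principal: str  # OWNER@, GROUP@, EVERYONE@, user@domain, or a numeric id
    perms: str      # permission letters with aliases expanded


def expand_perms(perms: str) -> str:
    """Replace R/W/X aliases by their bits, preserving order, dropping duplicates."""
    out: list[str] = []
    for ch in perms:
        for bit in ALIASES.get(ch, ch):
            if bit not in out:
                out.append(bit)
    return "".join(out)


def parse_ace(line: str) -> ACE:
    """Parse one 'type:flags:principal:perms' entry (the principal may contain '@')."""
    parts = line.strip().split(":", 3)
    if len(parts) != 4 or parts[0] not in ("A", "D"):
        raise ValueError(f"malformed ACE: {line!r}")
    ace_type, flags, principal, perms = parts
    return ACE(ace_type, flags, principal, expand_perms(perms))


def parse_getfacl(text: str) -> list[ACE]:
    """Parse nfs4_getfacl output, skipping the '# file:' header and blank lines."""
    return [parse_ace(ln) for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def risky_aces(aces: list[ACE]) -> list[ACE]:
    """Allow entries granting write-like bits to the broad principals EVERYONE@ or GROUP@."""
    broad = {"EVERYONE@", "GROUP@"}
    return [a for a in aces if a.type == "A" and a.principal in broad and set(a.perms) & WRITE_LIKE]


# Constructed sample in the same shape as the page's nfs4_getfacl output.
SAMPLE = """# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::1000:RX
A::GROUP@:tcy
A::EVERYONE@:W
"""
```

Feed it the output of `nfs4_getfacl` on a mount to list entries that give every user on the system write, attribute, ACL or ownership changes.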
[4] Add or delete an ACE.
ll /mnt
total 4
drwx------. 2 root root 26 Dec 22 19:12 testdir
-rwx------. 1 root root 10 Dec 22 19:11 test.txt
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
# add generic read/execute for the [soncq] user on the [/mnt/test.txt] file
nfs4_setfacl -a A::soncq@client.local:rxtncy /mnt/test.txt
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::1000:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
# verify as the [soncq] user
ll /mnt
cat /mnt/test.txt
# delete generic read/execute for the [soncq] user from the [/mnt/test.txt] file
nfs4_setfacl -x A::1000:rxtcy /mnt/test.txt
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[5] Edit the ACL directly
nfs4_setfacl -e /mnt/test.txt
# opens the editor named in $EDITOR (if it is unset, the default is [vi])
## Editing NFSv4 ACL for file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[6] Add ACEs from a file
# create the ACE list
vi acl.txt
A::soncq@client.local:RX
A::redhat@client.local:RWX
# add the ACEs from the file
nfs4_setfacl -A acl.txt /mnt/test.txt
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::1000:rxtcy
A::1001:rwaxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
[7] Replace the current ACEs with new ACEs from a file
# create the ACE list
vi acl.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
# replace the whole ACL with the entries in the file
nfs4_setfacl -S acl.txt /mnt/test.txt
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[8] Replace a specific ACE with a new ACE
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
# replace the EVERYONE@ ACE with generic read/execute
nfs4_setfacl -m A::EVERYONE@:tcy A::EVERYONE@:RX /mnt/test.txt
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy