NFS 4 ACL Tool
[1] Install the NFS 4 ACL Tool on NFS clients that mount the NFS share with NFSv4.
yum -y install nfs4-acl-tools
[2] In this example, the environment is configured as follows.
df -hT /mnt
Filesystem                                 Type  Size  Used Avail Use% Mounted on
nfs.client.local:/var/lib/nfs/share nfs4   71G  1.3G   70G   2% /mnt
ll /mnt
[3] Show the ACL of a file or directory on an NFSv4 filesystem.
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
nfs4_getfacl /mnt/testdir
# file: /mnt/testdir
A::OWNER@:rwaDxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# each entry is read as follows
# ACE = Access Control Entry
# (ACE Type):(ACE Flags):(ACE Principal):(ACE Permissions)

Description

ACE Type
  A = Allow : the listed accesses are allowed.
  D = Deny  : the listed accesses are denied.

ACE Flags
  d = Directory-Inherit : new sub-directories inherit the same ACE.
  f = File-Inherit : new files inherit the same ACE but do not inherit the inheritance flag.
  n = No-Propagate-Inherit : new sub-directories inherit the same ACE but do not inherit the inheritance flag.
  i = Inherit-Only : new files/sub-directories inherit the same ACE, but this directory itself does not have the ACE.

ACE Principal
  (USER)@(NFSDomain) : common user
    [NFSDomain] is simply the domain name specified as the [Domain] value in [idmapd.conf].
  (GROUP)@(NFSDomain) : common group
    For a group, specify the [g] flag like this ⇒ A:g:GROUP@NFSDomain:rxtncy
  OWNER@ : special principal : Owner
  GROUP@ : special principal : Group
  EVERYONE@ : special principal : Everyone

ACE Permissions
  r : read data of files / list files in a directory
  w : write data to files / create new files in a directory
  a : append data to files / create a new sub-directory
  x : execute files / change into a directory
  d : delete files or directories
  D : delete files or sub-directories under the directory
  t : read attributes of files or directories
  T : write attributes of files or directories
  n : read named attributes of files or directories
  N : write named attributes of files or directories
  c : read the ACL of files or directories
  C : write the ACL of files or directories
  o : change ownership of files or directories

ACE Permissions Aliases
  With nfs4_setfacl, the following aliases can be used in place of individual ACE permission bits:
  R = rntcy : Generic Read
  W = watTNcCy : Generic Write
  X = xtcy : Generic Execute
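The ACE format and permission tables above, worked through as an added Python example (not part of the original page and not code from nfs4-acl-tools): it parses ACE lines in the form nfs4_getfacl prints them, expands the R/W/X aliases, applies the top-to-bottom first-match evaluation that makes ACE order significant, and flags EVERYONE@ entries that grant modification rights. The ACL-file parser and the sample ACL are constructed here; `y` is the synchronize bit that appears in the outputs above.

```python
from dataclasses import dataclass
ALIASES = {"R": "rntcy", "W": "watTNcCy", "X": "xtcy"}  # aliases from the table above
PERM_BITS = set("rwaxdDtTnNcCoy")  # 'y' (synchronize) appears in nfs4_getfacl output

@dataclass(frozen=True)
class Ace:
    kind: str       # "A" = Allow, "D" = Deny
    flags: str      # inheritance/group flags such as d, f, n, i, g (may be empty)
    principal: str  # OWNER@, GROUP@, EVERYONE@, user@domain, group@domain or a numeric id
    perms: str      # expanded permission bits, sorted, without duplicates

def parse_ace(text: str) -> Ace:
    """Parse one (type):(flags):(principal):(perms) line as printed by nfs4_getfacl."""
    parts = text.strip().split(":")
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields: {text!r}")
    kind, flags, principal, perms = parts
    if kind not in ("A", "D"): raise ValueError(f"unsupported ACE type {kind!r}")
    expanded = "".join(ALIASES.get(ch, ch) for ch in perms)  # R/W/X -> individual bits
    unknown = set(expanded) - PERM_BITS
    if unknown:
        raise ValueError(f"unknown permission bits {sorted(unknown)} in {text!r}")
    return Ace(kind, flags, principal, "".join(sorted(set(expanded))))

def parse_acl(lines: list[str]) -> list[Ace]:  # an acl.txt as used with -A / -S
    return [parse_ace(ln) for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]

def check_access(acl: list[Ace], who: set[str], wanted: str) -> bool:
    """Top to bottom, the first ACE naming a requested bit for a matching principal decides it."""
    undecided = set(wanted)
    for ace in acl:
        if ace.principal not in who:
            continue
        hit = undecided & set(ace.perms)
        if ace.kind == "D" and hit:
            return False  # a Deny reached before any Allow for that bit wins
        undecided -= hit
        if not undecided:
            return True
    return False  # bits that no Allow ever granted are implicitly denied

def everyone_can_modify(acl: list[Ace]) -> list[Ace]:
    """Audit: Allow entries giving EVERYONE@ write, delete, ACL-write or ownership bits."""
    return [a for a in acl if a.kind == "A" and a.principal == "EVERYONE@"
            and set(a.perms) & set("wadDCo")]

SAMPLE_ACL = parse_acl([  # constructed: step [6]'s acl.txt plus one deliberately over-broad entry
    "A::OWNER@:rwaxtTcCy", "A::soncq@client.local:RX", "A::redhat@client.local:RWX",
    "A::GROUP@:tcy", "A::EVERYONE@:RW"])
```

Entries that resolve only to a numeric id, as in step [4], match on that id alone, so the UID/GID must mean the same account on every client and on the server.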
[4] Add or Delete ACE.
ll /mnt

total 4
drwx------. 2 root root 26 Dec 22 19:12 testdir
-rwx------. 1 root root 10 Dec 22 19:11 test.txt

nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# add generic read/execute for the [soncq] user to the [/mnt/test.txt] file

nfs4_setfacl -a A::soncq@client.local:rxtncy /mnt/test.txt
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::1000:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy

# verify with [soncq] user

ll /mnt
cat /mnt/test.txt

# delete generic read/execute for [soncq] user from [/mnt/test.txt] file

nfs4_setfacl -x A::1000:rxtcy /mnt/test.txt
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[5] Edit ACL directly
nfs4_setfacl -e /mnt/test.txt
# opens the editor set in $EDITOR (if unset, the default is [vi])
## Editing NFSv4 ACL for file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[6] Add ACE from a file

# create ACL list

vi acl.txt
A::soncq@client.local:RX
A::redhat@client.local:RWX

# add ACL from the file

nfs4_setfacl -A acl.txt /mnt/test.txt
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::1000:rxtcy
A::1001:rwaxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
[7] Replace the current ACEs with new ACEs

# create ACL list

vi acl.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace ACL from the file

nfs4_setfacl -S acl.txt /mnt/test.txt
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[8] Replace a specific ACE with a new ACE
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace EVERYONE@'s ACE with read/execute

nfs4_setfacl -m A::EVERYONE@:tcy A::EVERYONE@:RX /mnt/test.txt
nfs4_getfacl /mnt/test.txt
# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy
