  1. Configure NFS Server
  2. Configure NFS Client
  3. NFS 4 ACL Tool

You can set ACLs on an NFSv4 filesystem by installing the NFSv4 ACL tools.
Usage is mostly the same as with the POSIX ACL tools.

[1] Install the NFSv4 ACL tools on NFS clients that mount the NFS share with NFSv4.
root@client:~# apt -y install nfs4-acl-tools
[2] The usage examples below are based on the following environment.
root@client:~# df -hT /mnt
Filesystem                       Type  Size  Used Avail Use% Mounted on
nfs.srv.local:/var/lib/nfs/share nfs4   71G  1.3G   70G   2% /mnt

root@client:~# ll /mnt
total 4
drwx------. 2 root root 26 Oct 22 19:12 testdir
-rwx------. 1 root root 10 Oct 22 19:11 test.txt
[3] Show the ACL of a file or directory on an NFSv4 filesystem.
root@client:~# nfs4_getfacl /mnt/test.txt

# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

root@client:~# nfs4_getfacl /mnt/testdir

# file: /mnt/testdir
A::OWNER@:rwaDxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# each entry has the following format
# ACE = Access Control Entry
# (ACE Type):(ACE Flags):(ACE Principal):(ACE Permissions)

Description

ACE Type
  A : Allow : allows access.
  D : Deny : denies access.
ACE Flags
  d : Directory-Inherit : a new sub-directory inherits the same ACE.
  f : File-Inherit : a new file inherits the same ACE but does not inherit the inheritance flags.
  n : No-Propagate-Inherit : a new sub-directory inherits the same ACE but does not inherit the inheritance flags.
  i : Inherit-Only : new files/sub-directories inherit the same ACE, but the ACE does not apply to this directory itself.
ACE Principal
  (USER)@(NFSDomain) : Common User
    For [NFSDomain], use the domain name that is specified for the [Domain] value in [idmapd.conf].
  (GROUP)@(NFSDomain) : Common Group
    For a group, specify the [g] flag like this ⇒ A:g:GROUP@NFSDomain:rxtncy
  OWNER@ : Special Principal : Owner
  GROUP@ : Special Principal : Group
  EVERYONE@ : Special Principal : Everyone
ACE Permissions
  r : Read data of files / List files in directory
  w : Write data to files / Create new files in directory
  a : Append data to files / Create new sub-directory
  x : Execute files / Change directory
  d : Delete files or directories
  D : Delete files or sub-directories under the directory
  t : Read attributes of files or directories
  T : Write attributes to files or directories
  n : Read named attributes of files or directories
  N : Write named attributes of files or directories
  c : Read ACL of files or directories
  C : Write ACL of files or directories
  o : Change ownership of files or directories
ACE Permissions Aliases
  With nfs4_setfacl, the following aliases can be used for ACE Permissions.
  R = rntcy : Generic Read
  W = watTNcCy : Generic Write
  X = xtcy : Generic Execute
[4] Add or delete an ACE.
root@client:~# ll /mnt
total 4
drwx------. 2 root root 26 Oct 22 19:12 testdir
-rwx------. 1 root root 10 Oct 22 19:11 test.txt

root@client:~# nfs4_getfacl /mnt/test.txt

# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# add generic read/execute for [ubuntu] user to [/mnt/test.txt] file
root@client:~# nfs4_setfacl -a A::ubuntu@srv.local:rxtncy /mnt/test.txt
root@client:~# nfs4_getfacl /mnt/test.txt

# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::1000:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy


# verify with [ubuntu] user
ubuntu@client:~$ ll /mnt
total 4
drwx------. 2 root root 26 Oct 22 10:12 testdir
-rwxr-x---. 1 root root 10 Oct 22 10:11 test.txt

ubuntu@client:~$ cat /mnt/test.txt
test file

# delete generic read/execute for [ubuntu] user from [/mnt/test.txt] file
root@client:~# nfs4_setfacl -x A::1000:rxtcy /mnt/test.txt
root@client:~# nfs4_getfacl /mnt/test.txt

# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[5] Edit ACL directly.
root@client:~# nfs4_setfacl -e /mnt/test.txt

# opens the editor set in $EDITOR (if unset, the default is [vi])
## Editing NFSv4 ACL for file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[6] Add ACEs from a file.
# create ACL list
root@client:~# vi acl.txt
A::ubuntu@srv.local:RX
A::debian@srv.local:RWX

# add ACL from the file
root@client:~# nfs4_setfacl -A acl.txt /mnt/test.txt
root@client:~# nfs4_getfacl /mnt/test.txt

# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::1000:rxtcy
A::1001:rwaxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
[7] Replace the current ACL with a new ACL.
# create ACL list
root@client:~# vi acl.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace ACL from the file
root@client:~# nfs4_setfacl -S acl.txt /mnt/test.txt
root@client:~# nfs4_getfacl /mnt/test.txt

# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy
[8] Replace a specific ACE with a new ACE.
root@client:~# nfs4_getfacl /mnt/test.txt

# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

# replace EVERYONE's ACE with read/execute
root@client:~# nfs4_setfacl -m A::EVERYONE@:tcy A::EVERYONE@:RX /mnt/test.txt
root@client:~# nfs4_getfacl /mnt/test.txt

# file: /mnt/test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy
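
After changing ACLs as in [4] to [8], it is worth checking what the resulting ACEs actually grant. The script below is an added example, not part of this page's original procedure or of nfs4-acl-tools: it parses the (ACE Type):(ACE Flags):(ACE Principal):(ACE Permissions) format, expands the R/W/X aliases, and reports Allow ACEs that let EVERYONE@ modify data or let a non-owner rewrite the ACL. The two rules, the function names and the sample ACL (including the group staff@srv.local) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag risky Allow ACEs in nfs4_getfacl-style output.
# The two rules below are this example's own policy, not part of nfs4-acl-tools.

# Expand the nfs4_setfacl permission aliases (R, W, X) into permission letters.
expand_perms() {
    printf '%s' "$1" | sed -e 's/R/rntcy/g' -e 's/W/watTNcCy/g' -e 's/X/xtcy/g'
}

# Read ACEs (type:flags:principal:permissions) on stdin, print one finding per hit.
audit_acl() {
    while IFS=: read -r type flags who perms; do
        # Only Allow ACEs grant access; this also skips blanks and "# file:" lines.
        [ "$type" = "A" ] || continue
        full=$(expand_perms "$perms")
        # Rule 1: EVERYONE@ can write, append, delete or change attributes.
        if [ "$who" = "EVERYONE@" ]; then
            bad=$(printf '%s' "$full" | tr -cd 'wadDTN')
            if [ -n "$bad" ]; then echo "WORLD-WRITE $who [$flags] $bad"; fi
        fi
        # Rule 2: a principal other than OWNER@ can rewrite the ACL (C)
        # or change ownership (o), and so can grant itself anything else.
        if [ "$who" != "OWNER@" ]; then
            bad=$(printf '%s' "$full" | tr -cd 'Co')
            if [ -n "$bad" ]; then echo "ACL-CONTROL $who [$flags] $bad"; fi
        fi
    done
    return 0
}

# Constructed sample ACL; staff@srv.local is a hypothetical group.
sample_acl() {
    cat <<'EOF'
# file: /mnt/testdir
A::OWNER@:rwaDxtTcCy
A::1000:rxtcy
A:g:staff@srv.local:RW
A::EVERYONE@:RX
A:fd:EVERYONE@:rwaDxtcy
EOF
}

sample_acl | audit_acl
```

On a client, real output can be piped in with `nfs4_getfacl /mnt/test.txt | audit_acl`. Note that the W alias includes C, so granting "Generic Write" to a user or group also lets that principal rewrite the ACL.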
