When a client connects to a OneFS cluster over NFS or SMB, permission checking is based on the on-disk OneFS internal permission (POSIX mode bits or a OneFS ACL). OneFS must nevertheless present a protocol-specific view of every file to clients: SMB clients see the on-disk permissions as an SMB ACL, and NFSv4 clients see them as an NFSv4 ACL. OneFS therefore maps its internal permission to the protocol-specific view, while permission checking continues to be based on the internal representation. The following subsections show the mapping of permission-inheritance flags and of permissions between the protocols and the OneFS ACL.
When a file carries an authoritative OneFS real ACL, its POSIX mode bits are shown for representation only; they are not expressive enough to convey the actual permissions of the OneFS real ACL on disk. An NFSv3 client can only inspect the POSIX mode bits, so if the file carries a OneFS real ACL, the client cannot see the file's actual permissions.
Each rich ACL model (OneFS ACL, SMB ACL, and NFSv4 ACL) defines its own inheritance flags, but they serve the same purpose of enabling ACL inheritance. Table 8 shows the mapping between the flags.

| OneFS ACE flag | Windows icacls tool keyword | Linux keyword for NFSv4 | Flag set on file or directory | Description |
|---|---|---|---|---|
| object_inherit | (OI) | f | Directory only | The ACE applies to the current directory and to the files within it |
| container_inherit | (CI) | d | Directory only | The ACE applies to the current directory and to the subdirectories within it |
| inherit_only | (IO) | i | Directory only | The ACE applies only to subdirectories, only to files, or to both within the directory, not to the directory itself |
| no_prop_inherit | (NP) | n | Directory only | The ACE applies to the current directory or only to the first-level contents of the directory, not to second-level or deeper contents |
| inherited_ace | (I) | N/A | File or directory | The ACE was inherited from the parent directory |
Under the OneFS default ACL policy settings, when configuring permissions from Windows Explorer, Table 9 shows the permissions a file will contain on the OneFS side, and how the permissions are mapped to NFSv4 ACL permissions and POSIX mode bits.
| Windows Explorer option | Icacls tool keyword | OneFS internal | Linux keyword for NFSv4 | POSIX mode bits approximation |
|---|---|---|---|---|
| Full control | F | directory: dir_gen_all; file: file_gen_all | directory: rwaDdxtTnNcCoy; file: rwadxtTnNcCoy | rwx |
| Modify | M | directory: dir_gen_read dir_gen_write dir_gen_execute std_delete; file: file_gen_read file_gen_write file_gen_execute std_delete | rwadxtTnNcy | rwx |
| Read and execute | RX | directory: dir_gen_read dir_gen_execute; file: file_gen_read file_gen_execute | rxtncy | r-x |
| Read | R | directory: dir_gen_read; file: file_gen_read | | r-- |
| Write | W | directory: add_file add_subdir dir_write_ext_attr dir_write_attr std_synchronize; file: file_write append file_write_ext_attr file_write_attr | waTNy | -w- |
| Delete | D | std_delete std_synchronize | dy | --- |
| Read permissions | RC, S | std_read_dac std_synchronize | cy | --- |
| Change permissions | WDAC, S | std_write_dac std_synchronize | Cy | --- |
| Take ownership | WO, S | std_write_owner std_synchronize | oy | --- |
| List folder/read data | RD, S | directory: list; file: file_read std_synchronize | ry | r-- |
| Create files/write data | WD, S | directory: add_file; file: file_write std_synchronize | wy | -w- |
| Create folders/append data | AD, S | directory: add_subdir; file: append std_synchronize | ay | -w- |
| Read extended attributes | REA, S | directory: dir_read_ext_attr std_synchronize; file: file_read_ext_attr std_synchronize | ny | --- |
| Write extended attributes | WEA, S | directory: dir_write_ext_attr std_synchronize; file: file_write_ext_attr std_synchronize | Ny | --- |
| Traverse folder/execute file | X, S | directory: traverse; file: execute std_synchronize | xy | --x |
| Delete subfolders and files (directory only) | DC, S | delete_child std_synchronize | Dy | -w- |
| Read attributes | RA, S | directory: dir_read_attr std_synchronize; file: file_read_attr std_synchronize | ty | --- |
| Write attributes | WA, S | directory: dir_write_attr std_synchronize; file: file_write_attr std_synchronize | Ty | --- |
Under the OneFS default ACL policy settings, when configuring permissions using the nfs4_setfacl command tool, Table 10 shows the permissions a file will contain on the OneFS side, and how the permissions are mapped to Windows NTFS ACL permissions and POSIX mode bits.
| Linux keyword for NFSv4 | RFC3530 standard constant | OneFS internal ACE permission | Windows Explorer option | POSIX mode bits approximation |
|---|---|---|---|---|
| d | ACE4_DELETE | std_delete | Delete | --- |
| c | ACE4_READ_ACL | std_read_dac | Read permissions | --- |
| C | ACE4_WRITE_ACL | std_write_dac | Change permissions | --- |
| o | ACE4_WRITE_OWNER | std_write_owner | Take ownership | --- |
| y | ACE4_SYNCHRONIZE | std_synchronize | N/A | --- |
| r | directory: ACE4_LIST_DIRECTORY; file: ACE4_READ_DATA | directory: list; file: file_read | List folder/read data | r-- |
| w | directory: ACE4_ADD_FILE; file: ACE4_WRITE_DATA | directory: add_file; file: file_write | Create files/write data | -w- |
| a | directory: ACE4_ADD_SUBDIRECTORY; file: ACE4_APPEND_DATA | directory: add_subdir; file: append | Create folders/append data | -w- |
| x | ACE4_EXECUTE | directory: traverse; file: execute | Traverse folder/execute file | --x |
| t | ACE4_READ_ATTRIBUTES | directory: dir_read_attr; file: file_read_attr | Read attributes | --- |
| T | ACE4_WRITE_ATTRIBUTES | directory: dir_write_attr; file: file_write_attr | Write attributes | --- |
| n | ACE4_READ_NAMED_ATTRS | directory: dir_read_ext_attr; file: file_read_ext_attr | Read extended attributes | --- |
| N | ACE4_WRITE_NAMED_ATTRS | directory: dir_write_ext_attr; file: file_write_ext_attr | Write extended attributes | --- |
| D (directory only) | ACE4_DELETE_CHILD | delete_child | Delete subfolders and files | -w- |
Mapping POSIX mode bits to ACLs is simpler because the mode bits are a subset of the rich ACL model, so no security information is lost. Table 11 shows how OneFS maps the POSIX mode bits to a OneFS synthetic ACL, to Windows NTFS ACL permissions, and to NFSv4 ACL permissions.

| POSIX mode bit | OneFS internal ACE permission | Windows Explorer option | Linux keyword for NFSv4 |
|---|---|---|---|
| r | directory: dir_gen_read; file: file_gen_read | Read | rtncy |
| w | directory: dir_gen_write, delete_child, dir_read_attr | Write, Read attributes, Delete subfolders and files, Read permissions | waDtTNcy |
| w | file: file_gen_write, file_read_attr | Write, Read attributes, Read permissions | watTNcy |
| x | directory: dir_gen_execute, dir_read_attr; file: file_gen_execute, file_read_attr | Traverse folder/execute file, Read attributes, Read permissions | xtcy |
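The three tables above are easier to apply when the mapping is executable. The following Python is an added example written for this page, not Dell's or OneFS's code: it decodes an NFSv4 ACE permission string (the letters `nfs4_setfacl` and `nfs4_getfacl` use, such as `rwaDdxtTnNcCoy`) into the RFC 3530 constant, OneFS internal name and Windows Explorer option of Table 10, derives the POSIX mode-bit approximation shown in the last column of Tables 9 and 10, and builds the NFSv4 letters of the synthetic ACE from Table 11. The lookup tables are transcribed from the page; the approximation rule (r from r, w from any of w, a or D, x from x) and the union of Table 11 rows for combined mode bits are inferred from the tables and are labelled as assumptions.

```python
"""Decode NFSv4 ACE letters into the RFC 3530 / OneFS / Windows names of Tables
9 to 11 and derive the POSIX mode-bit approximation. Added example for this
page, not Dell's or OneFS's code; lookup tables are transcribed from the page,
the approximation rule and the union rule are inferred (assumptions)."""
from __future__ import annotations
from typing import NamedTuple, Optional


class Ace4Perm(NamedTuple):
    rfc: tuple[str, Optional[str]]    # (directory constant, file constant)
    onefs: tuple[str, Optional[str]]  # (directory name, file name); None = no file form
    windows: str                      # Windows Explorer advanced-permission option


# Transcribed from Table 10. Letters that mean the same for files and
# directories repeat the name in both positions.
NFS4_LETTERS: dict[str, Ace4Perm] = {
    "d": Ace4Perm(("ACE4_DELETE",) * 2, ("std_delete",) * 2, "Delete"),
    "c": Ace4Perm(("ACE4_READ_ACL",) * 2, ("std_read_dac",) * 2, "Read permissions"),
    "C": Ace4Perm(("ACE4_WRITE_ACL",) * 2, ("std_write_dac",) * 2, "Change permissions"),
    "o": Ace4Perm(("ACE4_WRITE_OWNER",) * 2, ("std_write_owner",) * 2, "Take ownership"),
    "y": Ace4Perm(("ACE4_SYNCHRONIZE",) * 2, ("std_synchronize",) * 2, "N/A"),
    "r": Ace4Perm(("ACE4_LIST_DIRECTORY", "ACE4_READ_DATA"), ("list", "file_read"), "List folder/read data"),
    "w": Ace4Perm(("ACE4_ADD_FILE", "ACE4_WRITE_DATA"), ("add_file", "file_write"), "Create files/write data"),
    "a": Ace4Perm(("ACE4_ADD_SUBDIRECTORY", "ACE4_APPEND_DATA"), ("add_subdir", "append"), "Create folders/append data"),
    "x": Ace4Perm(("ACE4_EXECUTE",) * 2, ("traverse", "execute"), "Traverse folder/execute file"),
    "t": Ace4Perm(("ACE4_READ_ATTRIBUTES",) * 2, ("dir_read_attr", "file_read_attr"), "Read attributes"),
    "T": Ace4Perm(("ACE4_WRITE_ATTRIBUTES",) * 2, ("dir_write_attr", "file_write_attr"), "Write attributes"),
    "n": Ace4Perm(("ACE4_READ_NAMED_ATTRS",) * 2, ("dir_read_ext_attr", "file_read_ext_attr"), "Read extended attributes"),
    "N": Ace4Perm(("ACE4_WRITE_NAMED_ATTRS",) * 2, ("dir_write_ext_attr", "file_write_ext_attr"), "Write extended attributes"),
    "D": Ace4Perm(("ACE4_DELETE_CHILD", None), ("delete_child", None), "Delete subfolders and files"),
}

# Transcribed from Table 11: NFSv4 letters of the synthetic ACE OneFS builds
# for each POSIX mode bit, (directory, file).
SYNTHETIC_LETTERS = {"r": ("rtncy", "rtncy"), "w": ("waDtTNcy", "watTNcy"), "x": ("xtcy", "xtcy")}


def decode_nfs4(letters: str, is_dir: bool) -> list[tuple[str, str, str, str]]:
    """Expand e.g. "rwaDxtTnNcy" into (letter, RFC 3530 constant, OneFS name,
    Windows option) rows; rejects undefined letters and the directory-only D on a file."""
    idx = 0 if is_dir else 1
    rows = []
    for ch in letters:
        perm = NFS4_LETTERS.get(ch)
        if perm is None:
            raise ValueError(f"unknown NFSv4 permission letter {ch!r}")
        if perm.onefs[idx] is None:
            raise ValueError(f"{ch!r} ({perm.rfc[0]}) applies to directories only")
        rows.append((ch, perm.rfc[idx], perm.onefs[idx], perm.windows))
    return rows


def onefs_names(letters: str, is_dir: bool) -> set[str]:
    """The OneFS internal permissions an NFSv4 ACE with these letters maps to."""
    return {row[2] for row in decode_nfs4(letters, is_dir)}


def posix_approx(letters: str) -> str:
    """POSIX mode-bit approximation (last column of Tables 9 and 10). Inferred
    rule (assumption): r <- r; w <- any of w, a, D; x <- x. Delete, ACL, owner,
    attribute and synchronize rights have no mode-bit equivalent."""
    present = set(letters)
    return (("r" if "r" in present else "-")
            + ("w" if present & {"w", "a", "D"} else "-")
            + ("x" if "x" in present else "-"))


def synthetic_nfs4(mode: str, is_dir: bool) -> set[str]:
    """NFSv4 letters of the synthetic ACE for a POSIX triple such as "rw-", as the
    union of the Table 11 rows for each set bit (the union is an assumption for
    combinations the table does not list individually)."""
    if len(mode) != 3 or any(c not in ok for c, ok in zip(mode, ("r-", "w-", "x-"))):
        raise ValueError(f"not a POSIX permission triple: {mode!r}")
    out: set[str] = set()
    for bit in "rwx":
        if bit in mode:
            out.update(SYNTHETIC_LETTERS[bit][0 if is_dir else 1])
    return out


if __name__ == "__main__":
    for letters in ("rwaDdxtTnNcCoy", "rxtncy", "waTNy", "dy"):
        print(f"{letters:16} -> {posix_approx(letters)}")
    for ch, rfc, name, win in decode_nfs4("rwaDxtTnNcy", is_dir=True):
        print(f"  {ch}: {rfc:24} {name:20} {win}")
```

The round trip is the useful check: the letters Table 11 assigns to a mode bit approximate back to that same bit, which is what "no security information is lost" means in practice, whereas a real ACL such as `dy` or `cy` approximates to `---` and is invisible to an NFSv3 client.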
HDFS ACL is the Apache implementation of POSIX ACLs. It provides more flexible access control than the traditional POSIX mode-bit permission model. Starting with OneFS 9.3.0, OneFS supports HDFS ACLs to improve compatibility with HDFS. HDFS ACL support is disabled by default, and the following configuration is required to get consistent HDFS ACL semantics in OneFS.
# isi auth settings acls modify --calcmode-group=group_aces --calcmode-traverse=ignore --group-owner-inheritance=creator
# isi hdfs settings modify --hdfs-acl-enabled=true --zone=System
# isi hdfs settings modify --hadoop-version-3-or-later=false
Table 12 shows the final on-disk permissions when POSIX ACL permissions are applied from the Hadoop client with the command hdfs dfs -setfacl. OneFS always adds a deny ACE explicitly after the allow ACE when applying an HDFS ACL.

| HDFS ACE permission | Applies to | OneFS allow ACE | OneFS deny ACE |
|---|---|---|---|
| rwx | Directory | dir_gen_read,dir_gen_write,dir_gen_execute,delete_child | (none) |
| rwx | File | file_gen_read,file_gen_write,file_gen_execute | (none) |
| rw- | Directory | dir_gen_read,dir_gen_write,delete_child | traverse |
| rw- | File | file_gen_read,file_gen_write | execute |
| r-x | Directory | dir_gen_read,dir_gen_execute | add_file,add_subdir,dir_write_ext_attr,delete_child,dir_write_attr |
| r-x | File | file_gen_read,file_gen_execute | file_write,append,file_write_ext_attr,file_write_attr |
| r-- | Directory | dir_gen_read | add_file,add_subdir,dir_write_ext_attr,traverse,delete_child,dir_write_attr |
| r-- | File | file_gen_read | file_write,append,file_write_ext_attr,execute,file_write_attr |
| -wx | Directory | dir_gen_write,dir_gen_execute,delete_child,dir_read_attr | list,dir_read_ext_attr |
| -wx | File | file_gen_write,file_gen_execute,file_read_attr | file_read,file_read_ext_attr |
| -w- | Directory | dir_gen_write,delete_child,dir_read_attr | list,dir_read_ext_attr,traverse |
| -w- | File | file_gen_write,file_read_attr | file_read,file_read_ext_attr,execute |
| --x | Directory | dir_gen_execute,dir_read_attr | list,add_file,add_subdir,dir_read_ext_attr,dir_write_ext_attr,delete_child,dir_write_attr |
| --x | File | file_gen_execute,file_read_attr | file_read,file_write,append,file_read_ext_attr,file_write_ext_attr,file_write_attr |
| --- | Directory | std_read_dac,std_synchronize,dir_read_attr | list,add_file,add_subdir,dir_read_ext_attr,dir_write_ext_attr,traverse,delete_child,dir_write_attr |
| --- | File | std_read_dac,std_synchronize,file_read_attr | file_read,file_write,append,file_read_ext_attr,file_write_ext_attr,execute,file_write_attr |
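Table 12 is regular enough to be expressed as a per-bit rule: each set bit grants the matching `*_gen_*` right (plus delete_child for the directory write bit), each clear bit adds the corresponding fine-grained rights to the explicit deny ACE, and an object without the read bit still keeps basic attribute reading (and, with no bits at all, ACL reading and synchronize). The following Python is an added example written for this page, not OneFS's implementation: the rules were inferred from Table 12 (an assumption), and the code checks them against every row of the table, transcribed inline, so a reviewer can see the rule reproduces all 16 allow/deny pairs rather than trusting the inference.

```python
"""Reproduce the OneFS allow/deny ACE pair that Table 12 gives for each HDFS
POSIX-ACL triple. Added example for this page, not OneFS's implementation; the
per-bit rules were inferred from Table 12 (assumption) and are checked against
every row of the table, transcribed below."""
from __future__ import annotations
import re

# For each mode bit: rights allowed when the bit is set, and the fine-grained
# rights explicitly denied when it is clear.
DIR_RULES = {
    "r": (("dir_gen_read",), ("list", "dir_read_ext_attr")),
    "w": (("dir_gen_write", "delete_child"),
          ("add_file", "add_subdir", "dir_write_ext_attr", "delete_child", "dir_write_attr")),
    "x": (("dir_gen_execute",), ("traverse",)),
}
FILE_RULES = {
    "r": (("file_gen_read",), ("file_read", "file_read_ext_attr")),
    "w": (("file_gen_write",), ("file_write", "append", "file_write_ext_attr", "file_write_attr")),
    "x": (("file_gen_execute",), ("execute",)),
}
# Canonical orders, taken from how Table 12 lists the rights.
DIR_ALLOW_ORDER = ("std_read_dac", "std_synchronize", "dir_gen_read", "dir_gen_write",
                   "dir_gen_execute", "delete_child", "dir_read_attr")
DIR_DENY_ORDER = ("list", "add_file", "add_subdir", "dir_read_ext_attr", "dir_write_ext_attr",
                  "traverse", "delete_child", "dir_write_attr")
FILE_ALLOW_ORDER = ("std_read_dac", "std_synchronize", "file_gen_read", "file_gen_write",
                    "file_gen_execute", "file_read_attr")
FILE_DENY_ORDER = ("file_read", "file_write", "append", "file_read_ext_attr",
                   "file_write_ext_attr", "execute", "file_write_attr")


def hdfs_to_onefs(triple: str, is_dir: bool) -> tuple[list[str], list[str]]:
    """Return (allow rights, deny rights) for an HDFS ACE permission such as "r-x"."""
    if not re.fullmatch(r"[r-][w-][x-]", triple):
        raise ValueError(f"not a POSIX permission triple: {triple!r}")
    rules, allow_order, deny_order = (
        (DIR_RULES, DIR_ALLOW_ORDER, DIR_DENY_ORDER) if is_dir
        else (FILE_RULES, FILE_ALLOW_ORDER, FILE_DENY_ORDER))
    allow: set[str] = set()
    deny: set[str] = set()
    for bit in "rwx":
        grant, refuse = rules[bit]
        if bit in triple:
            allow.update(grant)
        else:
            deny.update(refuse)
    # Without the read bit no *_gen_read right is present, yet Table 12 still
    # allows reading basic attributes; with no bit set at all it also keeps
    # ACL reading and synchronize, which the *_gen_* rights otherwise carry.
    if "r" not in triple:
        allow.add("dir_read_attr" if is_dir else "file_read_attr")
        if triple == "---":
            allow.update(("std_read_dac", "std_synchronize"))
    return ([p for p in allow_order if p in allow], [p for p in deny_order if p in deny])


def format_aces(triple: str, is_dir: bool) -> str:
    """Render the pair in the "allow ... deny ..." form Table 12 uses."""
    allow, deny = hdfs_to_onefs(triple, is_dir)
    return f"allow {','.join(allow)} deny {','.join(deny)}".rstrip()


# Table 12 as printed above (spaces after commas removed), keyed by (triple, is_dir).
TABLE_12 = {
    ("rwx", True): "allow dir_gen_read,dir_gen_write,dir_gen_execute,delete_child deny",
    ("rwx", False): "allow file_gen_read,file_gen_write,file_gen_execute deny",
    ("rw-", True): "allow dir_gen_read,dir_gen_write,delete_child deny traverse",
    ("rw-", False): "allow file_gen_read,file_gen_write deny execute",
    ("r-x", True): "allow dir_gen_read,dir_gen_execute deny add_file,add_subdir,dir_write_ext_attr,delete_child,dir_write_attr",
    ("r-x", False): "allow file_gen_read,file_gen_execute deny file_write,append,file_write_ext_attr,file_write_attr",
    ("r--", True): "allow dir_gen_read deny add_file,add_subdir,dir_write_ext_attr,traverse,delete_child,dir_write_attr",
    ("r--", False): "allow file_gen_read deny file_write,append,file_write_ext_attr,execute,file_write_attr",
    ("-wx", True): "allow dir_gen_write,dir_gen_execute,delete_child,dir_read_attr deny list,dir_read_ext_attr",
    ("-wx", False): "allow file_gen_write,file_gen_execute,file_read_attr deny file_read,file_read_ext_attr",
    ("-w-", True): "allow dir_gen_write,delete_child,dir_read_attr deny list,dir_read_ext_attr,traverse",
    ("-w-", False): "allow file_gen_write,file_read_attr deny file_read,file_read_ext_attr,execute",
    ("--x", True): "allow dir_gen_execute,dir_read_attr deny list,add_file,add_subdir,dir_read_ext_attr,dir_write_ext_attr,delete_child,dir_write_attr",
    ("--x", False): "allow file_gen_execute,file_read_attr deny file_read,file_write,append,file_read_ext_attr,file_write_ext_attr,file_write_attr",
    ("---", True): "allow std_read_dac,std_synchronize,dir_read_attr deny list,add_file,add_subdir,dir_read_ext_attr,dir_write_ext_attr,traverse,delete_child,dir_write_attr",
    ("---", False): "allow std_read_dac,std_synchronize,file_read_attr deny file_read,file_write,append,file_read_ext_attr,file_write_ext_attr,execute,file_write_attr",
}


def mismatches() -> list[tuple[str, bool, str, str]]:
    """Rows of Table 12 the rules fail to reproduce (empty when all 16 match)."""
    return [(t, d, want, format_aces(t, d))
            for (t, d), want in TABLE_12.items() if format_aces(t, d) != want]


if __name__ == "__main__":
    print(format_aces("r-x", is_dir=True))
    print("table check:", "all rows reproduced" if not mismatches() else mismatches())
```

The explicit deny lists are the part worth reading closely from a review standpoint: with `rwx` the deny ACE is empty, but every narrower triple produces a deny ACE naming the rights the Hadoop side did not grant, so an audit of the on-disk ACL can confirm the HDFS view by checking that each clear bit has its fine-grained rights denied.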