ACLs are neither supported nor defined in any RFC document for NFSv3 or earlier. NFSv4 ACLs are influenced by the granular and expressive access control of the Windows NTFS ACL; NFSv4 defines its own ACLs and operations in RFC 3530.
The NFSv4 ACL defines allow and deny ACE types for access control, which are similar to the Windows NTFS DACL, and also defines audit and alarm ACE types for logging system-access attempts, which are similar to the Windows NTFS SACL. This section discusses the allow and deny ACEs of the NFSv4 ACL.
An NFSv4 ACE contains the following information:
There is a variety of ACE permissions, each of which is represented by a single character in Linux. The ACE4_DELETE_CHILD permission can only be applied to directories. An ACE should have one or more of the permissions specified in Table 19.
RFC3530 constant | Linux keyword | Description |
--- | --- | --- |
ACE4_READ_ACL | c | Permission to read the ACL |
ACE4_WRITE_ACL | C | Permission to write the ACL |
ACE4_WRITE_OWNER | o | Permission to change the owner |
ACE4_SYNCHRONIZE | y | Permission to access the file locally at the server with synchronous reads and writes |
ACE4_DELETE | d | Permission to delete the file or directory |
ACE4_DELETE_CHILD | D | Used for a directory only; the permission to delete a file or directory within the directory |
ACE4_READ_DATA | r | Permission to read the data of a file |
ACE4_LIST_DIRECTORY | r (same bit as ACE4_READ_DATA, applied to a directory) | Permission to list the contents of a directory |
ACE4_WRITE_DATA | w | Permission to modify the data of a file |
ACE4_ADD_FILE | w (same bit as ACE4_WRITE_DATA, applied to a directory) | Permission to add a new file to a directory |
ACE4_APPEND_DATA | a | Permission to append data to a file |
ACE4_ADD_SUBDIRECTORY | a (same bit as ACE4_APPEND_DATA, applied to a directory) | Permission to create a subdirectory in a directory |
ACE4_EXECUTE | x | For a file, the permission to execute the file; for a directory, the permission to traverse the directory |
ACE4_READ_ATTRIBUTES | t | Permission to read the basic (non-ACL) attributes of a file |
ACE4_WRITE_ATTRIBUTES | T | Permission to change the basic (non-ACL) attributes of a file |
ACE4_READ_NAMED_ATTRS | n | Permission to read the named attributes of a file |
ACE4_WRITE_NAMED_ATTRS | N | Permission to change the named attributes of a file |
ACEs can be inherited from the parent directory's ACL when a file or subdirectory is created. The ACE inheritance flags can be used only on directories. The inheritance behavior is similar to Windows.
RFC3530 constant | Linux keyword | Description |
--- | --- | --- |
ACE4_FILE_INHERIT_ACE | f | Indicates that an ACE applies to the current directory and files within the directory |
ACE4_DIRECTORY_INHERIT_ACE | d | Indicates that an ACE applies to the current directory and subdirectories within the directory |
ACE4_NO_PROPAGATE_INHERIT_ACE | n | Indicates that an ACE applies to subdirectories only, files only, or both within the directory |
ACE4_INHERIT_ONLY_ACE | i | Indicates that an ACE applies to the current directory, only the first-level contents of the directory, or both, but not the second-level or subsequent contents |
To manage and manipulate NFSv4 ACLs, the Linux nfs4-acl-tools package is required. You can install this package with the command yum install nfs4-acl-tools or apt-get install nfs4-acl-tools, depending on your Linux distribution.
Example 1: Set, modify, or view an NFSv4 ACL
When a file or directory is created over NFSv4 and there is no inherited ACL from the parent directory, its NFSv4 ACL contains three ACEs: one each for OWNER@, GROUP@, and EVERYONE@. As Figure 47 shows, the nfs4_getfacl command gets the NFSv4 ACL of a file or directory.
To add an ACL entry, use the nfs4_setfacl command with the -a option. Specify an index (2 in the example) to indicate the ACL entry index, as shown in Figure 48. The default is 1.
To remove an ACL entry, use the nfs4_setfacl command with the -x option, as shown in Figure 49.
To modify an ACL entry, use the nfs4_setfacl command with the -m option, as shown in Figure 50.
Besides modifying an ACL from the command line, you can also use nfs4_setfacl with the -e option to open an editor and edit the ACL as text.
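The ACL text that nfs4_getfacl prints and nfs4_setfacl -e edits consists of one ACE per line in the form type:flags:principal:permissions, using the keyword letters from Table 19. The following added example (illustrative code, not Dell's and not part of nfs4-acl-tools) parses such ACE lines against Table 19 and evaluates an access request the way RFC 3530 orders allow and deny ACEs; the sample ACL, the users and the groups are constructed for the example.

```python
# Added illustrative code (not Dell's or nfs4-acl-tools'): parse nfs4_getfacl-style
# ACE lines "type:flags:principal:perms" and evaluate access in RFC 3530 ACE order.
# Linux keyword -> RFC 3530 constant from Table 19 (r/w/a also cover the directory forms).
PERMS = {"r": "ACE4_READ_DATA", "w": "ACE4_WRITE_DATA", "a": "ACE4_APPEND_DATA",
         "x": "ACE4_EXECUTE", "d": "ACE4_DELETE", "D": "ACE4_DELETE_CHILD",
         "t": "ACE4_READ_ATTRIBUTES", "T": "ACE4_WRITE_ATTRIBUTES",
         "n": "ACE4_READ_NAMED_ATTRS", "N": "ACE4_WRITE_NAMED_ATTRS",
         "c": "ACE4_READ_ACL", "C": "ACE4_WRITE_ACL", "o": "ACE4_WRITE_OWNER",
         "y": "ACE4_SYNCHRONIZE"}

# Constructed sample ACL: an explicit deny placed first, then OWNER@, a group ("g" flag), EVERYONE@.
SAMPLE_ACL = """\
D::alice:w
A::OWNER@:rwaDxtTnNcCy
A:g:staff:rxtncy
A::EVERYONE@:rtncy
"""

def parse_acl(text):
    """Return a list of (kind, flags, principal, perms) tuples; rejects unknown permission letters."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, flags, principal, perms = line.split(":", 3)
        unknown = set(perms) - set(PERMS)
        if unknown:
            raise ValueError(f"unknown permission letters: {sorted(unknown)}")
        aces.append((kind, flags, principal, perms))
    return aces

def matches(flags, principal, user, groups, owner, owner_group):
    """Does this ACE's principal cover the requesting user? 'g' marks a named group."""
    if principal == "EVERYONE@": return True
    if principal == "OWNER@": return user == owner
    if principal == "GROUP@": return owner_group in groups
    return principal in groups if "g" in flags else principal == user

def check_access(aces, wanted, user, groups, owner, owner_group):
    """ACEs are processed in order: the first DENY that touches a still-undecided requested
    bit refuses access; once every requested bit has been ALLOWed, access is granted;
    reaching the end with bits undecided is an implicit deny. Audit/alarm ACEs (U/L) are skipped."""
    remaining = set(wanted)
    for kind, flags, principal, perms in aces:
        if kind not in ("A", "D") or not matches(flags, principal, user, groups, owner, owner_group):
            continue
        hit = remaining & set(perms)
        if kind == "D" and hit:
            return False
        remaining -= hit
        if not remaining:
            return True
    return False
```

Because evaluation stops at the first matching deny, the position of a deny ACE (the index given to nfs4_setfacl -a) decides whether it takes effect before a broader allow.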
Example 2: ACE inheritance
Add an ACL entry with the f and d inheritance flags specified, which is similar to the Windows (OI)(CI) flags. This makes the ACE apply to the current directory and propagate to the subdirectories and files within the top-dir directory.
Now, create a new directory under top-dir. As Figure 52 shows, the ACE with the flags f and d that was specified on the parent directory has been propagated to the new directory.