Access Control Lists (ACLs) for GPFS are a mechanism to restrict access to files in a GPFS file system. They are an enhancement to the regular UNIX access controls provided through the chmod, chown, and chgrp commands. While chmod only permits you to specify rights for the file's owner, its group, and all others, GPFS access control lists allow much finer-grained control. Working in conjunction with regular file permissions, GPFS ACLs can establish control over files and directories based on multiple users and groups.
GPFS ACLs are manipulated with the GPFS mmgetacl, mmputacl, mmeditacl and mmdelacl commands.
Example 8-13 shows a hypothetical GPFS ACL file.
Example 8-13: Sample GPFS ACL
user::rwx
group::rwx
other::--x
mask::rw-
user:shill:rwx
group:itso:rwx
group:control:-w-
The first three lines of the ACL (user, group and other) are mandatory and correspond to the standard UNIX permissions of the file. The mask line is also mandatory; it specifies the maximum permissions available for all entries other than the owning user and other. The bottom three lines (named user and group entries) specify the permissions for the users or groups they name.
Note that the most specific entry in the ACL is always the one that actually applies. For example, if an ACL specifies permissions for both a user and a group the user is a member of, the user entry applies and not the group entry, even if the user permissions are more restrictive.
For example, suppose we wanted to create a file in a GPFS file system whose access differs by group: writable by the system administrators, readable by the staff, and no access for regular users. Using ordinary UNIX permissions, we would not be able to accomplish this, except via a user account shared among the administrators. ACLs make this easy, because permissions can be set differently for multiple groups or users.
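The evaluation rules just described (mandatory entries, the mask as a cap, and the most specific matching entry winning) can be worked through in code. The following Python is an added example, not part of the Redbook or of GPFS itself: it parses a constructed ACL in the text format used by mmgetacl and mmputacl and computes the effective permissions for a requester. One detail the text does not state is how several matching group entries combine; the example assumes POSIX draft ACL behaviour (their permissions are OR-ed together before the mask is applied), and marks that as an assumption in the code. The user names, group names and the ACL itself are constructed sample data.

```python
"""Evaluate a traditional (POSIX-style) GPFS ACL as the text describes:
the most specific matching entry decides, and the mask caps every entry
except the owning user (user::) and other::."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample ACL in the format shown by mmgetacl (not from the page).
# Covers the scenario in the text: sysadmin writes, staff reads, others nothing,
# plus a named user entry that is *more* restrictive than the group he is in.
SAMPLE_ACL = """\
#owner:root
#group:staff
user::rw-
group::r--
other::---
mask::rw-
user:shill:r--
group:sysadmin:rw-
group:control:-w-
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


@dataclass(frozen=True)
class AclEntry:
    kind: str    # 'user', 'group', 'other' or 'mask'
    name: str    # '' for the owner, owning-group, other and mask entries
    perms: int   # bitmask r=4 w=2 x=1


def parse_perms(text: str) -> int:
    """Turn 'rw-' into 6; reject anything that is not a 3-char rwx triple."""
    if len(text) != 3:
        raise ValueError(f"bad permission string {text!r}")
    bits = 0
    for ch, expected in zip(text, "rwx"):
        if ch == expected:
            bits |= PERM_BITS[ch]
        elif ch != "-":
            raise ValueError(f"bad permission string {text!r}")
    return bits


def parse_acl(text: str) -> list[AclEntry]:
    """Parse mmgetacl-style text; '#owner'/'#group' header lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, name, perms = line.split(":")
        if kind not in ("user", "group", "other", "mask"):
            raise ValueError(f"unknown entry type {kind!r}")
        entries.append(AclEntry(kind, name, parse_perms(perms)))
    # The text says user::, group::, other:: and mask:: are mandatory.
    present = {(e.kind, e.name) for e in entries}
    for kind in ("user", "group", "other", "mask"):
        if (kind, "") not in present:
            raise ValueError(f"missing mandatory entry {kind}::")
    return entries


def effective_perms(acl: list[AclEntry], requester: str, groups: list[str],
                    owner: str, owning_group: str) -> int:
    mask = next(e.perms for e in acl if e.kind == "mask")
    # 1. The file owner gets the user:: entry, which the mask does not cap.
    if requester == owner:
        return next(e.perms for e in acl if e.kind == "user" and e.name == "")
    # 2. A named user entry is the most specific match: it applies even when
    #    a group entry would grant more.
    for e in acl:
        if e.kind == "user" and e.name == requester:
            return e.perms & mask
    # 3. Group entries: the owning group (group::) and any named group the
    #    requester belongs to. Assumption (POSIX draft ACL behaviour, not
    #    stated on the page): several matching group entries are combined.
    combined, matched = 0, False
    for e in acl:
        if e.kind != "group":
            continue
        if (e.name == "" and owning_group in groups) or (e.name and e.name in groups):
            combined |= e.perms
            matched = True
    if matched:
        return combined & mask
    # 4. Nothing matched: other:: applies, uncapped by the mask.
    return next(e.perms for e in acl if e.kind == "other")


def perms_to_str(bits: int) -> str:
    return "".join(ch if bits & b else "-" for ch, b in PERM_BITS.items())


def check(acl_text: str, requester: str, groups: list[str],
          owner: str = "root", owning_group: str = "staff") -> str:
    """Effective permission triple for requester under acl_text."""
    return perms_to_str(effective_perms(parse_acl(acl_text), requester,
                                        groups, owner, owning_group))


if __name__ == "__main__":
    for who, grps in [("root", ["root"]), ("shill", ["staff", "sysadmin"]),
                      ("alice", ["sysadmin"]), ("bob", ["staff"]),
                      ("carol", ["control"]), ("dave", ["users"])]:
        print(f"{who:6} {grps!s:22} -> {check(SAMPLE_ACL, who, grps)}")
```

Running it shows the point of the text: shill is in sysadmin, which grants rw-, but his named user entry (r--) is more specific and wins; carol's control entry is capped by nothing here, but lowering the mask to r-- would strip the write bit from sysadmin and control alike without touching root or other.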
ACLs can be applied to any file or directory in a GPFS file system using the mmputacl command. The mmgetacl command can then be used to confirm a successful ACL change. Example 8-14 shows how this can be done.
Example 8-14: Setting and inspecting the GPFS ACL on a file
[root@storage001 root]# ls -l secretfile
-rw-r----- 1 root staff 1424 Oct 18 15:41 secretfile
[root@storage001 root]# cat > acl
user::rw-
group::r--
other::---
mask::rw-
group:sysadmin:rw-
^D
[root@storage001 root]# mmputacl -i acl secretfile
[root@storage001 root]# mmgetacl secretfile
#owner:root
#group:staff
user::rw-
group::r--
other::---
mask::rw-
group:sysadmin:rw-
[root@storage001 root]#
You can also edit ACLs using the mmeditacl command: it retrieves the current ACL, starts your preferred text editor (set by the EDITOR environment variable) so the ACL can be modified, then writes the ACL back when the editor exits. If the edited ACL contains errors, mmeditacl restarts the editor so they can be corrected. Before you use mmeditacl, you must ensure the EDITOR environment variable points to the full path of your editor. For example:
# export EDITOR=/usr/bin/vim
# mmeditacl secretfile