[CentOS] Tools/mechanisms for the management of access permissions in big filebased datasets

Wed Nov 28 09:36:35 UTC 2018
Frank Thommen <list.centos at drosera.ch>

Thank you.  Basically our problem is not the ACLs or their support per 
se, but that we have to manage a huge number of individual ACLs (several 
hundred users in more than a hundred projects) in a multi-petabyte 
filesystem and still have to keep overview and control.  Our problem is 
more the management side.  Effectively we are looking for a tool that 
helps us manage these permissions and we would accept whatever 
permissions mechanism this tool uses (UGO/ACLs).


On 11/27/2018 03:06 PM, Leroy Tennison wrote:
> Well, there are extended ACLs if they're available in CentOS, when I first worked with them (long ago) they were new (and on a different distro).  I hope support for them has improved.  They allow multiple users/groups to be assigned permissions to a file/directory.  The problem then was that chmod (and other programs) were not extended-ACL-aware and could override extended ACLs.  There was a mechanism to recover from the situation but what it basically came down to was eternal vigilance - the system administrators had to understand (and agree about) extended ACLs and be careful/diligent in applying them.  There are hacks which could possibly help (rename chmod and replace it with a script warning about extended ACLs) but, in the final analysis, it's not a decision to be undertaken lightly (unless the situation has changed dramatically).
> Leroy Tennison
> Network Information/Cyber Security Specialist
> E: leroy at datavoiceint.com
> 2220 Bush Dr
> McKinney, Texas
> 75070
> www.datavoiceint.com
> ________________________________________
> From: CentOS <centos-bounces at centos.org> on behalf of Frank Thommen <list.centos at drosera.ch>
> Sent: Tuesday, November 27, 2018 7:25 AM
> To: CentOS mailing list
> Subject: [EXTERNAL] [CentOS] Tools/mechanisms for the management of access permissions in big filebased datasets
> Hello,
> we are currently managing access permissions through classical
> user-group-others permissions on a multi-petabyte directory tree with
> partially very deep and broad directories.  Projects are represented by
> directory trees and mapped through GIDs.  Lately we had lots of
> "singular" permission requests (one single user needs access to a single
> dataset but should not be able to see all other datasets belonging to
> the same project).  We realized that the UGO model doesn't scale and is
> becoming more and more unmanageable.
> Can you recommend tools/mechanisms/technologies to overcome the
> drawbacks of the UGO model?  We are thinking about some purely ACL based
> mechanism (but are open to other ideas).  All filesystems in question
> are mounted via NFSv4 and the clients are (almost) completely CentOS 7.x
> hosts.  Ideally the tool would have some web UI and some kind of
> (REST) API which allows us to modify permissions from our inhouse data
> management application (which does /not/ manage permissions, just the
> structure of the data).  Additionally it should be able to
> visualize/report permissions in a directory.
> I wasn't very successful in googling possible candidates, hence the
> question to the list.
> Cheers
> frank
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
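The two problems raised in this thread, a plain chmod rewriting the ACL mask so that named user/group entries silently stop applying, and the need for a report of who effectively has access where, can be checked from a `getfacl -R` dump. The script below is an added example, not a tool from the thread: it parses POSIX ACL output (as on a local or NFSv3-exported XFS/ext4 tree; nfs4_getfacl output on the NFSv4 mounts in question uses a different format and is not parsed here) and lists every grant that the mask has cut. The sample dump, paths and user names are constructed.

```python
"""Audit a getfacl dump: apply the ACL mask to each named entry and report the
grants it silently cuts.  Example code added to this thread, not a tool the posters used."""
# Constructed sample of `getfacl -R` output for two dataset files.
SAMPLE = """\
# file: project1/dataset_a/data.bin
# owner: alice
# group: project1
user::rw-
user:bob:rw-                    #effective:r--
group::r--
group:proj1-readers:r-x         #effective:r--
mask::r--
other::---

# file: project1/dataset_b/data.bin
# owner: alice
# group: project1
user::rw-
user:carol:r--
group::r--
mask::r--
other::---
"""

def parse_getfacl(text):
    """Yield (path, [(tag, qualifier, perms), ...]) for each file block in the dump."""
    for block in text.strip().split("\n\n"):
        lines = [ln.split("#effective:")[0].strip() for ln in block.splitlines()]
        path = next(ln[len("# file: "):] for ln in lines if ln.startswith("# file: "))
        entries = [tuple(ln.split(":")) for ln in lines      # default ACLs are templates
                   if ln and not ln.startswith(("#", "default:"))]  # for new files: skipped
        yield path, entries

def masked_entries(entries):
    """Named user/group and owning-group entries whose rights the mask reduces."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    if mask is None:
        return []  # minimal ACL without a mask entry: nothing can be cut
    cut = []
    for tag, qual, perms in entries:
        if (tag == "user" and not qual) or tag in ("mask", "other"):
            continue  # owner and 'other' entries are never masked
        effective = "".join(c if c in perms and c in mask else "-" for c in "rwx")
        if effective != perms:
            cut.append((f"{tag}:{qual}", perms, effective))
    return cut

def audit(text):
    """Paths with at least one cut grant (a chmod symptom); {} means all grants apply."""
    return {p: c for p, e in parse_getfacl(text) for c in [masked_entries(e)] if c}
```

Running `audit()` over a nightly `getfacl -R` of the project trees gives a list of paths where a request that was granted via setfacl no longer takes effect, which is the situation the "rename chmod" hack above tries to prevent.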