[CentOS] Tools/mechanisms for the management of access permissions in big filebased datasets

Wed Nov 28 19:16:42 UTC 2018
Paul Heinlein <heinlein at madboa.com>

On Wed, 28 Nov 2018, Warren Young wrote:

> Who here uses ACLs to good effect?  Are you using more than just 
> getfacl/setfacl to do it?

We use NFSv4 ACLs on Lustre and Isilon filesystems, so we employ 
nfs4_getfacl and nfs4_setfacl -- but all of our work is done on the 
command line, not via a GUI and larger management tool.

Our best practice is to script up the ACLs so they can be reapplied in 
case they get deleted or inappropriately changed. My current scripting 
logic usually writes the desired ACLs to temp files and deploys them 
in one swoop.

Take the following case:

owner: bob
read-write group: boblab
read-only group: alicelab
target directory: /srv/group/boblab

A skeleton version of the script would look something like this:

# define directory-level ACL and write to temp file
cat <<__DIRACL__ > /tmp/diracl
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:fdg:boblab@domain.com:RWX
A:fdg:alicelab@domain.com:RX
__DIRACL__

# define file-level ACL and write to temp file
cat <<__FILEACL__ > /tmp/fileacl
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:g:boblab@domain.com:RWX
A:g:alicelab@domain.com:RX
__FILEACL__

# apply ownership, perms, and ACLs.
chown -R bob:boblab /srv/group/boblab
chmod -R ug+rw,o-rwx /srv/group/boblab
find /srv/group/boblab -type d \
   -exec nfs4_setfacl -S /tmp/diracl {} \;
find /srv/group/boblab -type f \
   -exec nfs4_setfacl -S /tmp/fileacl {} \;


Once the directory ACLs are applied, any new files created within 
those directories should inherit the proper ACLs.

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
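Added example, not part of Paul's post or his script: since the point of keeping the ACL spec in files is to reapply it when entries get deleted or changed, this is a small drift check that parses a desired spec like the heredocs above and the output nfs4_getfacl would print on the path, expands the R/W/X aliases as documented in nfs4_acl(5) so "RWX" and "rwaDxtTnNcCy" compare equal, and reports which ACEs are missing or unexpected. The getfacl dump is a constructed sample in which alicelab's read-only entry has been widened to read-write.

```python
"""Drift check: desired NFSv4 ACEs (nfs4_setfacl -S spec) versus nfs4_getfacl output."""
# Letters in the order nfs4_getfacl prints them; R/W/X aliases per nfs4_acl(5).
PERM_ORDER = "rwaDdxtTnNcCoy"
ALIASES = {"R": "rntcy", "W": "watTNcCy", "X": "xtcy"}  # W also adds D on directories

def expand_perms(perms, is_dir):
    out = set()
    for ch in perms:
        out.update(ALIASES.get(ch, ch))  # alias -> its letters, plain letter -> itself
        if ch == "W" and is_dir:
            out.add("D")
    return frozenset(out)

def parse_acl(text, is_dir):
    """Parse 'type:flags:principal:perms' lines into normalized ACE tuples,
    skipping blanks and the '# file: ...' comment line nfs4_getfacl prints."""
    aces = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ace_type, flags, principal, perms = line.split(":", 3)
            aces.add((ace_type, frozenset(flags), principal, expand_perms(perms, is_dir)))
    return aces

def format_ace(ace):
    ace_type, flags, principal, perms = ace
    return f"{ace_type}:{''.join(sorted(flags))}:{principal}:{''.join(c for c in PERM_ORDER if c in perms)}"

def acl_drift(desired, current, is_dir):
    """Return (missing, unexpected): ACEs the spec grants but the path lacks, and vice versa."""
    want, have = parse_acl(desired, is_dir), parse_acl(current, is_dir)
    return sorted(map(format_ace, want - have)), sorted(map(format_ace, have - want))

# Constructed sample: the directory spec from the post, and a getfacl dump where
# alicelab's read-only entry has been widened to read-write (the drift to catch).
DESIRED_DIRACL = """\
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:fdg:boblab@domain.com:RWX
A:fdg:alicelab@domain.com:RX
"""
CURRENT_DIRACL = """\
# file: /srv/group/boblab
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:fdg:boblab@domain.com:rwaDxtTnNcCy
A:fdg:alicelab@domain.com:rwaDxtTnNcCy
"""
```

Running acl_drift(DESIRED_DIRACL, CURRENT_DIRACL, True) flags the alicelab RX entry as missing and the widened rwaDxtTnNcCy entry as unexpected, while boblab's RWX matches its expanded form; feeding it the real nfs4_getfacl output for each directory from the find loop gives a cheap cron check before the reapply step.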