[CentOS] Tools/mechanisms for the management of access permissions in big filebased datasets
Paul Heinlein
heinlein at madboa.com
Wed Nov 28 19:16:42 UTC 2018
On Wed, 28 Nov 2018, Warren Young wrote:
> Who here uses ACLs to good effect? Are you using more than just
> getfacl/setfacl to do it?
We use NFSv4 ACLs on Lustre and Isilon filesystems, so we employ
nfs4_getfacl and nfs4_setfacl -- but all of our work is done on the
command line, not via a GUI and larger management tool.
Our best practice is to script up the ACLs so they can be reapplied in
case they get deleted or inappropriately changed. My current scripting
logic usually writes the desired ACLs to temp files and deploys them
in one swoop.
Take the following case:
owner: bob
read-write group: boblab
read-only group: alicelab
target directory: /srv/group/boblab
A skeleton version of the script would look something like this
# define directory-level ACL and write to temp file
cat <<__DIRACL__ > /tmp/diracl
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:fdg:boblab at domain.com:RWX
A:fdg:alicelab at domain.com:RX
__DIRACL__
# define file-level ACL and write to temp file
cat <<__FILEACL__ > /tmp/fileacl
A::OWNER@:rwaDdxtTnNcCoy
A::GROUP@:rwaDxtTnNcy
A::EVERYONE@:tncy
A:g:boblab at domain.com:RWX
A:g:alicelab at domain.com:RX
__FILEACL__
# apply ownership, perms, and ACLs.
chown -R bob:boblab /srv/group/boblab
chmod -R ug+rw,o-rwx /srv/group/boblab
find /srv/group/boblab -type d \
-exec nfs4_setfacl -S /tmp/diracl {} \;
find /srv/group/boblab -type f \
-exec nfs4_setfacl -S /tmp/fileacl {} \;
Once the directory ACLs are applied, any new files created within
those directories should inherit the proper ACLs.
--
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
More information about the CentOS
mailing list