[CentOS] Tools/mechanisms for the management of access permissions in big filebased datasets

Tue Nov 27 13:25:45 UTC 2018
Frank Thommen <list.centos at drosera.ch>


we are currently managing access permissions through classical 
user-group-others permissions on a multi-petabyte directory tree with 
partially very deep and broad directories.  Projects are represented by 
directory trees and mapped through GIDs.  Lately we had lots of 
"singular" permission request (one single user needs access to a single 
dataset but should not be able to see all other datasets belonging to 
the same project).  We realized, that the UGO model doesn't scale and is 
becoming more and more unmanageable.

Can you recommend tools/mechanisms/technologies to overcome the 
drawbacks of the UGO model?  We are thinking about some purely ACL based 
mechanism (but are open to other ideas).  All filesystems in question 
are mounted via NFSv4 and the clients are (almost) completely CentOS 7.x 
hsots.  Ideally the tool would have some web UI and some kind of 
(REST)API which allows us to modify permissions from our inhouse data 
management application (which does /not/ manage permissions, just the 
structure of the data).  Additionally it should be able to 
visualize/report permissions in directory.

I wasn't very successful in googling possible candidates, hence the 
question to the list.