Apsara File Storage NAS supports NFSv4 access control lists (ACLs) and Portable Operating System Interface of UNIX (POSIX) ACLs. This topic describes POSIX ACLs and NFSv4 ACLs and lists precautions for using these ACLs.

Access control and user management are necessary for enterprises that want to share files among different users and groups by using a shared file system. NAS provides the Network File System (NFS) ACL feature that allows you to grant users and groups different access permissions on directories and files. An ACL is a list of permissions associated with a file or directory and consists of one or more access control entries (ACEs).

The NFSv3 protocol implements access control by using the file mode creation mask. The POSIX ACL feature is an extension to this permission model. You can grant permissions to specific users and groups in addition to the owner, group, and other classes. In a file system, a directory or file can inherit the permissions from its parent directory. For more information, visit acl - Linux man page.

The NFSv4 ACL feature is an extension to the NFSv4 protocol. Compared with POSIX ACLs, this feature provides finer-grained access control. For more information, visit nfs4_acl - Linux man page.

You can use the NFSv3 protocol to mount a file system to which NFSv4 ACLs are applied. After the file system is mounted, the NFSv4 ACLs are converted into POSIX ACLs. You can also use the NFSv4 protocol to mount a file system to which POSIX ACLs are applied. After the file system is mounted, the POSIX ACLs are converted into NFSv4 ACLs. However, if you use NFS ACLs, we recommend that you mount file systems by using the NFSv4 protocol and configure only NFSv4 ACLs for them. Do not use the file mode creation mask or POSIX ACLs along with NFSv4 ACLs, for the following reasons:

  • NFSv4 ACLs and POSIX ACLs are not fully compatible.
  • The interaction between ACLs and the file mode creation mask is not ideal.
  • NFSv3 file systems do not support locks.

For information about the NFS ACL feature, see Features.

Note

The NFS ACL feature is available only for NFS file systems in the following regions: China (Zhangjiakou-Beijing Winter Olympics), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Chengdu), China (Hong Kong), Australia (Sydney), Indonesia (Jakarta), US (Silicon Valley), US (Virginia), Germany (Frankfurt), UK (London), and India (Mumbai). If the region where your file system resides does not support the NFS ACL feature, submit a ticket.

Enable the NFS ACL feature in the NAS console

Log on to the NAS console and choose NAS File System > File System > File System List. Find the target file system, and click the ID of the file system or click Management. On the Access Control tab of the page that appears, select On to enable the NFS ACL feature.
Select Off to disable the NFS ACL feature. The Off option is selected by default.

Precautions for using POSIX ACLs

  • Configurations of ACLs
    • We recommend that you use the default method that allows a subdirectory to inherit the same ACL from the parent directory. Then, you do not need to configure another ACL when you create a new file or subdirectory.
    • Use caution when you configure ACLs by using the recursive method (setfacl -R). A large amount of metadata is generated when you apply an ACL recursively to a directory that contains a large number of files and subdirectories. This may decrease the performance of file systems.
    • Before you configure ACLs, we recommend that you manage groups and the corresponding permissions. For example, you can add a user to one or more groups. To add, remove, or change permissions for a user, you can move the user to a group that has the required permissions. You need to modify the ACL of the group only if the group structure changes. We recommend that you configure ACLs for groups rather than single users. This is a simple and time-saving method to implement access control.
    • You can apply a POSIX ACL to a user or group that accesses the file system from multiple clients. NAS identifies the user or group based on the user ID (UID) or group ID (GID). Therefore, you must set the same UID or GID for the user or group on the clients.
  • Use of ACLs
    • A file system scans all ACEs each time it performs a permission check. To ensure optimal performance, we recommend that you retain a minimum number of ACEs. If redundant ACLs exist, the performance of the file system decreases.
  • Permissions of the other class
    • All users have the permissions that are granted to the other class. Therefore, we recommend that you grant the least permissions to the other class. If the other class has more permissions than an ACE grants, a security vulnerability may exist.
    • To keep the other class at the least permissions, run the umask 777 command before you create files or directories. This command sets the file mode creation mask so that each new file or directory is created with mode 000 and has the least permissions. For more information, visit umask and the default mode.
    • After you enable the POSIX ACL feature, the other class is mapped to the everyone@ category and the file mode creation mask is also set. When NAS performs a permission check, NAS treats the other class as everyone.
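As an added example that is not part of the NAS documentation, the following POSIX shell script audits constructed getfacl-style output for the two effects these precautions describe: the mask entry that narrows named user and group entries, and an other class that grants more than a named ACE does. The sample ACL, the UIDs and the GIDs are constructed.

```shell
# Constructed getfacl-style output for a directory (not taken from a real
# NAS mount). The mask:: entry caps every named user/group entry, and
# other:: applies to anyone not matched by an earlier entry.
SAMPLE_POSIX_ACL='user::rwx
user:1002:r--
group::r-x
group:2002:rwx
mask::r-x
other::rw-'

# Intersect two rwx triplets character by character, e.g. rwx & r-x -> r-x.
perm_and() {
  a=$1; b=$2; out=""; i=1
  while [ "$i" -le 3 ]; do
    ca=$(printf '%s' "$a" | cut -c"$i"); cb=$(printf '%s' "$b" | cut -c"$i")
    if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then out="$out$ca"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s' "$out"
}

# Effective permission of a named entry ("user:1002" or "group:2002"):
# the entry's own bits limited by the mask:: entry.
effective_perm() {
  acl=$1; entry=$2
  raw=$(printf '%s\n' "$acl" | grep "^$entry:" | cut -d: -f3)
  mask=$(printf '%s\n' "$acl" | grep '^mask::' | cut -d: -f3)
  perm_and "$raw" "${mask:-rwx}"
}

# Flag every named entry whose effective permission is narrower than what
# other:: grants, the misconfiguration this precaution warns about.
# Prints one WARN line per finding and returns 1 if any was found.
audit_other_class() {
  acl=$1; rc=0
  other=$(printf '%s\n' "$acl" | grep '^other::' | cut -d: -f3)
  for e in $(printf '%s\n' "$acl" | grep -E '^(user|group):[^:]+:' | cut -d: -f1,2); do
    eff=$(effective_perm "$acl" "$e")
    if [ "$(perm_and "$eff" "$other")" != "$other" ]; then
      echo "WARN: $e is effectively $eff, but other:: grants $other"; rc=1
    fi
  done
  return $rc
}

audit_other_class "$SAMPLE_POSIX_ACL" || echo "tighten other:: (umask 777) or the ACL"
```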

Precautions for using NFSv4 ACLs

  • Configurations of ACLs
    • Use UIDs or GIDs, such as UID 1001, to configure ACLs.
    • We recommend that you use the default method that allows a subdirectory or a file to inherit the same ACL from the parent directory. Then, you do not need to configure another ACL when you create a new file or subdirectory in the parent directory.
    • Use caution when you configure ACLs by using the recursive method (nfs4_setfacl -R). A large amount of metadata is generated when you apply an ACL recursively to a directory that contains a large number of files and subdirectories. This may decrease the performance of file systems.
  • Use of ACLs
    • A file system scans all ACEs each time it performs a permission check. To ensure optimal performance, we recommend that you retain a minimum number of ACEs. If redundant ACLs exist, the performance of the file system decreases.
  • ACEs in ACLs
    • We recommend that you do not use the file mode creation mask along with NFSv4 ACLs.
    • The nfs4_setfacl command provides multiple options such as the -a, -x, and -m options to add, remove, and modify ACEs. We recommend that you run the nfs4_setfacl -e <file> command to edit an ACL in an editor.
    • NFSv4 ACLs support fine-grained permissions. In most cases, fine-grained control over write permissions is unnecessary. For example, if a user has the write-data (w) permission on a file but not the append-data (a) permission, an error may occur when the user writes data to the file. The same issue occurs for a directory. To avoid unexpected permission errors, we recommend that you specify a capital W when you run the nfs4_setfacl command to configure an ACL. The capital W specifies full write access. For a file, W is expanded to wadT. For a directory, W is expanded to wadTD.
    • Before you configure ACLs, we recommend that you manage groups and the corresponding permissions. For example, you can add a user to one or more groups. To add, remove, or change permissions for a user, you can move the user to a group that has the required permissions. You need to modify the ACL of the group only if the group structure changes. We recommend that you configure ACLs for groups rather than single users. This is a simple and time-saving method to implement access control.
    • NAS NFSv4 ACLs support Allow ACEs but not Deny ACEs. All users have the permissions that are granted to everyone. Therefore, we recommend that you grant the least permissions to everyone. If everyone has more permissions than an ACE grants, a security vulnerability may exist.