Use NFSv4 ACLs to control access - Advanced Settings| Alibaba Cloud Documentation Center

This topic describes how to configure NFSv4 access control lists (ACLs) and apply these ACLs to NFSv4 file systems to control access to files and directories.

Prerequisites

An NFSv4 file system is mounted. For more information, see Mount an NFS file system.

Note

The NFS ACL feature is available only for NFS file systems in the following regions: China (Zhangjiakou-Beijing Winter Olympics), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Chengdu), China (Hong Kong), Australia (Sydney), Indonesia (Jakarta), US (Silicon Valley), US (Virginia), Germany (Frankfurt), UK (London), and India (Mumbai). If the region where your file system resides does not support the NFS ACL feature, submit a ticket.

Background information

You can mount an NFSv4 file system on an Elastic Compute Service (ECS) instance that runs Linux and install the Linux-specific nfs4-acl-tools tool on the instance. You can use the standard nfs4_getfacl and nfs4_setfacl tools to configure NFSv4 ACLs after the installation is complete.

Description

Before you configure NFSv4 ACLs, we recommend that you familiarize yourself with the related commands.


Command	Description
`nfs4_getfacl <filename>`	Views the access permissions for the specified file.
`nfs4_setfacl -a A::GROUP@:W <filename>`	Adds an access control entry (ACE) that grants the GROUP@ principal the write access to the specified file.
`nfs4_setfacl -a A::1000:W <filename>`	Adds an ACE that grants a user principal named 1000 the write access to the specified file.
`nfs4_setfacl -a A:g:10001:W <filename>`	Adds an ACE that grants a group principal named 10001 the write access to the specified file.
`nfs4_setfacl -e <filename>`	Configures an ACL in an interactive mode.
`nfs4_getfacl <filename> > saved_acl.txt`	Saves a list of permissions for the specified file as a TXT file.
`nfs4_setfacl -S saved_acl.txt <filename>`	Configures permissions for the specified file by using a TXT file that includes a list of ready-made permissions.
`nfs4_setfacl -m A::1001:rwaxTNcCy A::1001:rxtcy file1`	Modifies the permission of an ACE that applies to the file1 file.
`nfs4_getfacl file1 \| nfs4_setfacl -S - file2`	Copies the permissions for the file1 file to the file2 file.
`nfs4_getfacl file1 \| grep @ \| nfs4_setfacl -S - file1`	Deletes all ACEs that apply to the file1 file except for ACEs that include the following principals: OWNER@, GROUP@, and EVERYONE@.
`nfs4_setfacl -R -a A:g:10001:rW dir`	Adds an ACE that grants a group principal named 10001 the read and write access to files and subdirectories in the dir directory.
`find dir -type f -exec sh -c 'for ace in $(nfs4_getfacl \{} \| grep "^A.*\:1005\:"); do nfs4_setfacl -x $ace \{}; done' \;`	Deletes ACEs that grant a user principal named 1005 any access to files in the dir directory.
`nfs4_setfacl -a A:fdg:10001:rW dir1`	Adds an ACE that grants a group principal named 10001 the read and write access to all newly created files and subdirectories in the dir1 directory.
`nfs4_setfacl -a A:fg:10001:rx dir1`	Adds an ACE that grants a group principal named 10001 the read and write access to all newly created files in the dir1 directory.

Procedure

You can configure NFSv4 ACLs to control access to files and directories by performing the following steps.

Create users and groups.
In this example, the following users are created: player, admini, and anonym. The following groups are created: players and adminis. The player user is added to the players group and the admini user is added to the adminis group.
```
sudo useradd player
sudo groupadd players
sudo usermod -g players player
sudo useradd admini
sudo groupadd adminis
sudo usermod -g adminis admini
sudo useradd anonym
```
Install the related tools that are used to configure NFSv4 ACLs.
If you have installed these tools, skip this step.
```
sudo yum -y install nfs4-acl-tools
```
Obtain the group IDs of the players and adminis groups.
Open the /etc/group file. The group IDs of the players and adminis groups are displayed as follows:
```
players:x:19064:player
adminis:x:19065:admini
```

Configure NFSv4 ACLs for files and directories.

Use the following commands to complete the operations: create a directory named dir0 and add ACEs that grant the players group the read-only access, the adminis group the read, write, and execute access, and other users no access to all the files in the dir0 directory.

sudo umask 777
sudo mkdir dir0
sudo nfs4_setfacl -a A:fdg:19064:RX dir0
sudo nfs4_setfacl -a A:fdg:19065:RWX dir0
sudo nfs4_setfacl -a A:fdg:OWNER@: dir0
sudo nfs4_setfacl -a A:fdg:GROUP@: dir0
sudo nfs4_setfacl -a A:fdg:EVERYONE@: dir0

Use the sudo nfs4_getfacl dir0 command to verify the configuration.

A::OWNER@:tTnNcCy
A::GROUP@:tncy
A::EVERYONE@:tncy
A:fdi:EVERYONE@:tncy
A:fdi:OWNER@:tTnNcCy
A:fdi:GROUP@:tncy
A:g:19064:rxtncy
A:g:19065:rwaDxtTnNcCy
A:fdig:19064:rxtncy
A:fdig:19065:rwaDxtTnNcCy

Verify the configuration of the ACL.

Use the following commands to verify the read and write access of the admini user.

[root@vbox test] sudo su admini -c 'touch dir0/file'
[root@vbox test] sudo su admini -c 'echo 123 > dir0/file'

Use the following command to verify the read-only access of the player user.

[root@vbox test] sudo su player -c 'touch dir0/file'
touch: cannot touch ‘dir0/file’: Permission denied
[root@vbox test] sudo su player -c 'echo 456 >> dir0/file'
bash: dir0/file: Permission denied
[root@vbox test] sudo su player -c 'cat dir0/file'
123
[root@vbox test] sudo su player -c 'nfs4_getfacl dir0/file'
A::OWNER@:tTnNcCy
A::GROUP@:tncy
A::EVERYONE@:tncy
A:g:19064:rxtncy
A:g:19065:rwaxtTnNcCy

Use the following command to verify that the anonym user has no access to the /dir0/file file.

[root@vbox test] sudo su anonym -c 'ls dir0'
ls: cannot open directory dir0: Permission denied
[root@vbox test] sudo su anonym -c 'cat dir0/file'
cat: dir0/file: Permission denied
[root@vbox test] sudo su anonym -c 'nfs4_getfacl dir0/file'
Invalid filename: di

Related operations

If you want to remove user permissions, use the following method.

We recommend that you sort each user into different groups when you use NFSv4 ACLs. Then, when you configure NFSv4 ACLs, you only need to configure permissions for a group rather than a separate user. You can disable access to an object from a user by removing the user from a group that has access to the object. For example, use the following commands to remove the admini user from the adminis group and add the user to the adminis2 group:

[root@vbox test] sudo groupadd adminis2
[root@vbox test] sudo usermod -g adminis2 admini
[root@vbox test] id admini
uid=1057(admini) gid=1057(admini) groups=1054(adminis2)
[root@vbox test] sudo su admini -c 'ls dir0'
ls: cannot open directory dir0: Permission denied
[root@vbox test] sudo su admini -c 'cat dir0/file'
cat: dir0/file: Permission denied
[root@vbox test] sudo su admini -c 'nfs4_getfacl dir0/file'
Invalid filename: dir0/file