Topik ini menjelaskan fitur utama NFSv4 ACL: urutan izin, pewarisan izin, pengurutan, penggabungan, dan migrasi.
Urutan izin
Izin dievaluasi sesuai urutan Access Control Entries (ACEs) dalam NFSv4 ACL.
ACE dapat berupa Allow atau Deny. ACE Deny dapat ditempatkan di posisi mana pun dalam daftar. Misalnya, jika NFSv4 ACL berisi dua ACE, group:adminis:rwxc dan group:adminis:r---, urutannya secara langsung menentukan apakah pengguna adminis2 memiliki izin baca. Oleh karena itu, urutan ACE sangat penting saat mengonfigurasi NFSv4 ACL.
Misalnya, jika izin untuk pengguna adminis2 pada direktori dir4 adalah sebagai berikut, pengguna tersebut memiliki semua izin pada direktori tersebut.
#NFSv4 ACL
#owner:root
#group:root
group:adminis2:rwxc:allow
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
group:adminis2:r---:deny
(X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
special:owner@:---c:allow
(-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (-)DELETE_CHILD (X)CHOWN (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
special:group@:----:allow
(-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
special:everyone@:----:allow
(-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
Namun, jika izin untuk pengguna adminis2 pada direktori dir4 diatur dalam urutan berikut, pengguna tersebut tidak memiliki izin baca.
#NFSv4 ACL
#owner:root
#group:root
group:adminis2:r---:deny
(X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
group:adminis2:rwxc:allow
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
special:owner@:---c:allow
(-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (-)DELETE_CHILD (X)CHOWN (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
special:group@:----:allow
(-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
special:everyone@:----:allow
(-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
Pengurutan dan penggabungan ACE
Saat menambahkan ACE baru untuk pengguna, ACE tersebut tidak secara otomatis digabung dengan ACE yang sudah ada untuk pengguna tersebut.
Misalnya, asumsikan kelompok players memiliki ACL berikut pada file. Jika Anda menambahkan ACE baru yang memberikan izin tulis (W) kepada kelompok players, kedua ACE tersebut tidak akan digabung.
-
Izin ACE yang sudah ada
#NFSv4 ACL #owner:root #group:root special:everyone@:----:allow:FileInherit:DirInherit (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED special:group@:----:allow:FileInherit:DirInherit (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED special:owner@:----:allow:FileInherit:DirInherit (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED group:adminis:rwxc:allow:FileInherit:DirInherit (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED group:players:r-x-:allow:FileInherit:DirInherit (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED -
Izin ACE baru
#NFSv4 ACL #owner:root #group:root group:players:rwx-:allow:Inherited (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED special:everyone@:----:allow:FileInherit:DirInherit (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED special:group@:----:allow:FileInherit:DirInherit (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED special:owner@:----:allow:FileInherit:DirInherit (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED group:adminis:rwxc:allow:FileInherit:DirInherit (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED group:players:r-x-:allow:FileInherit:DirInherit (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
Verifikasi bahwa izin baru tersebut efektif.
-
Jalankan perintah
sudo su player -c 'echo 456 >> file'sudo su player -c 'cat file' -
Contoh output
123 456
Pewarisan izin
Asumsikan izin saat ini untuk direktori dir5 adalah: pemilik memiliki izin tulis, kelompok memiliki izin baca, dan semua pihak lain tidak memiliki akses.
-
Berikan pengguna
playerizin baca dan tulis yang dapat diwariskan.-
Konfigurasikan izin baca dan tulis untuk pengguna
playerdan simpan aturan tersebut ke file teks, sepertiacl2.txt.#NFSv4 ACL #owner:root #group:root user:player:rwx-:allow:DirInherit (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED user:player:rwx-:allow:FileInherit (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED -
Terapkan aturan dari
acl2.txtke direktoridir5.mmputacl -i ~/acl2.txt dir5
-
-
File atau direktori yang dibuat di dalam direktori
dir5secara otomatis mewarisi ACE tersebut.-
Masuk ke direktori
dir5.cd dir5 -
Buat file bernama
file.touch file -
Konfirmasi bahwa
filesecara otomatis mewarisi izin ACE dari direktoridir5.-
Jalankan perintah
mmgetacl file -
Contoh output
#NFSv4 ACL #owner:root #group:root user:player:rwx-:allow:Inherited (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
-
-
Buat subdirektori bernama
subdir.mkdir subdir -
Konfirmasi bahwa
subdirsecara otomatis mewarisi izin ACE dari direktoridir5.-
Jalankan perintah
mmgetacl subdir -
Contoh output
#NFSv4 ACL #owner:root #group:root user:player:rwx-:allow:DirInherit:Inherited (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED user:player:rwx-:allow:FileInherit:InheritOnly:Inherited (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
-
-
-
File atau direktori yang Anda buat di dalam direktori
subdirjuga secara otomatis mewarisi ACE tersebut.-
Buat direktori
subdir/subdir2.mkdir subdir/subdir2 -
Konfirmasi bahwa direktori
subdir/subdir2secara otomatis mewarisi ACE dari subdirektorisubdir.-
Jalankan perintah
mmgetacl subdir/subdir2 -
Contoh output
#NFSv4 ACL #owner:root #group:root user:player:rwx-:allow:DirInherit:Inherited (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED user:player:rwx-:allow:FileInherit:InheritOnly:Inherited (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
-
-
Buat file
subdir/file2.touch subdir/file2 -
Konfirmasi bahwa file
subdir/file2secara otomatis mewarisi ACE dari subdirektorisubdir.-
Jalankan perintah
mmgetacl subdir/file2 -
Contoh output
#NFSv4 ACL #owner:root #group:root user:player:rwx-:allow:Inherited (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
-
-
Flag InheritOnly menunjukkan bahwa ACE tersebut tidak digunakan untuk pemeriksaan izin pada direktori saat ini, tetapi diwariskan ke subdirektori dan file-nya.
-
Anda harus mengonfigurasi DirInherit dan FileInherit dalam ACE terpisah. Jika tidak, pesan error Combining FileInherit and DirInherit makes the mask ambiguous akan muncul.
-
Saat menggunakan flag
inherit only, ACE tersebut tidak dievaluasi untuk pemeriksaan akses. Anda harus memberikan izin baca (r) dan eksekusi (x) pada direktori induk. Jika tidak, penggunaplayertidak dapat mengakses subdirektori tersebut.
Ekspor
NFSv4 ACL tidak dapat diekspor menggunakan extended attributes.
Migrasi
Anda dapat menggunakan alat seperti cp untuk melakukan migrasi NFSv4 ACL.
Alibaba Cloud CPFS mendukung migrasi NFSv4 ACL dengan alat seperti cp, tar, dan rsync, sebagaimana dijelaskan dalam How to preserve NFSv4 ACLs via extended attributes when copying file.
Dalam contoh berikut, perintah cp --preserve=xattr file2 file5 menyalin file2 ke file5 beserta NFSv4 ACL-nya.
Alat rsync mungkin gagal melakukan migrasi NFSv4 ACL jika versinya lebih lama dari 3.1.2.
-
Lakukan migrasi NFSv4 ACL dari
file2kefile5.cp --preserve=xattr newsub/file2 newsub/file5 -
Lihat NFSv4 ACL dari
file2.-
Jalankan perintah
mmgetacl newsub/file2 -
Contoh output
#NFSv4 ACL #owner:player #group:players user:player:rwx-:allow:Inherited (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
-
-
Lihat NFSv4 ACL dari
file5.-
Jalankan perintah
mmgetacl newsub/file5 -
Contoh output
#NFSv4 ACL #owner:root #group:root user:player:rwx-:allow:Inherited (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
-
Interoperabilitas NFSv4 ACL dan mode
NFSv4 ACL dan mode izin tradisional saling interoperabel. Mengubah NFSv4 ACL dapat mengubah bit mode, dan sebaliknya.
Misalnya, mode saat ini dari file adalah 0666.
-
Izin mode dari
file-rw-rw-rw- 1 root root 0 Jun 1 14:45 file -
Izin ACE dari
file#NFSv4 ACL #owner:root #group:root special:owner@:rw-c:allow (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (X)CHOWN (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED special:group@:rw--:allow (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED special:everyone@:rw--:allow (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
-
Berikan pemilik izin eksekusi dengan mengubah mode. ACE yang sesuai juga diperbarui dengan izin eksekusi.
-
Berikan pemilik izin eksekusi dengan mengubah mode.
chmod u+x file -
Lihat izin mode dari
file.-
Jalankan perintah
ls -l file -
Contoh output
-rwxrw-rw- 1 root root 0 Jun 1 14:45 file
-
-
Konfirmasi bahwa izin eksekusi ditambahkan ke ACE untuk pemilik.
-
Jalankan perintah
mmgetacl file -
Contoh output
#NFSv4 ACL #owner:root #group:root special:owner@:rwxc:allow (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED special:group@:rw--:allow (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED special:everyone@:rw--:allow (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
-
-
-
Berikan kelompok izin eksekusi dengan mengubah ACE. Mode yang sesuai juga diperbarui dengan izin eksekusi.
-
Edit atribut ACL dari
fileuntuk memberikan izin eksekusi kepada kelompok.mmeditacl file -
Setelah output muncul, masukkan
yesuntuk menerapkan perubahan izin. -
Lihat izin ACE yang dimiliki kelompok pada
file.-
Jalankan perintah
mmgetacl file -
Contoh output
#NFSv4 ACL #owner:root #group:root special:owner@:rwxc:allow (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED special:group@:rwx-:allow (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED special:everyone@:rw--:allow (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
-
-
Konfirmasi bahwa izin eksekusi ditambahkan untuk kelompok dalam mode.
-
Jalankan perintah
ls -l file -
Contoh output
-rwxrwxrw- 1 root root 0 Jun 1 14:45 file
-
-
Interoperabilitas dengan POSIX ACL
Interoperabilitas dengan POSIX ACL tidak didukung.