Exceptions and limitations to NFS V4 ACLs support
Review the exceptions and limitations to NFS V4 ACLs in IBM Storage Scale.
- IBM Storage Scale has limited support for Alarm and Audit ACEs, and only with Samba on Linux®. In that environment, IBM Storage Scale can only save and retrieve Alarm and Audit access control entries (ACEs); no actions are defined to be taken for these ACEs during ACL evaluation.
- Some types of access for which NFS V4 defines controls don't currently exist in IBM Storage Scale. For these, ACL entries are accepted and saved, but because there's no corresponding operation they have no effect. These include READ_NAMED, WRITE_NAMED, and SYNCHRONIZE.
  Note: Even if IBM Storage Scale ignores these bits, the SMB service enforces them on the protocol level.
- AIX® requires that READ_ACL and WRITE_ACL always be granted to the object owner. Although granting these entries unconditionally contradicts the NFS Version 4 protocol, it's considered an area where users would otherwise erroneously leave an ACL that only privileged users can change. Because ACLs are file attributes, READ_ATTR and WRITE_ATTR are similarly granted to the owner. As it wouldn't make sense to then prevent the owner from accessing the ACL from a non-AIX node, IBM Storage Scale implements this exception everywhere.
- AIX does not support the use of special name values other than owner@, group@, and everyone@. Therefore, these are the only valid special name values for use in IBM Storage Scale NFS V4 ACLs.
- NFS V4 allows ACL entries that grant permission to users or groups to change the ownership of a file with a command such as the chown command. For security reasons, IBM Storage Scale now restricts these permissions so that a non-privileged user can chown such a file only to self or to a group that the user is a member of.
- With some limitations, Windows clients that access IBM Storage Scale through Samba can use their native NTFS ACLs, which are mapped to the underlying NFS v4 ACLs. For limitations, see Authorization limitations.
- Ganesha supports NFS v4 ACLs to and from IBM Storage Scale. However, to export a file system with cNFS/KNFS, you must configure the file system to support POSIX ACLs. Use the mmcrfs command with the -k all or -k posix parameter. With Samba, use the -k nfs4 parameter. NFS V4 Linux servers handle ACLs properly only if they're stored in GPFS as POSIX ACLs. For more information, see Linux ACLs and extended attributes.
- The cluster can include Samba, CES NFS, AIX NFS, and IBM Storage Scale Windows nodes.
- NFS V4 ACLs can be stored in GPFS file systems using Samba exports, NFS V4 AIX servers, GPFS Windows nodes, aclput, and mmputacl. Clients of Linux V4 servers can't see stored ACLs but can see the permissions from the mode.
Starting from IBM Storage Scale 5.1.7, IBM Storage Scale supports setting the extended attribute system.nfs4_acl as another method for manipulating NFSv4 ACLs, so the syntax of the NFSv4 ACL tools that operate on this attribute can be used to manage NFSv4 ACLs in IBM Storage Scale. For requirements and limitations, see Q.2.41 in the IBM Storage Scale FAQ.
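Because several of the entries above are accepted and stored but silently ignored or overridden, it is useful to audit an ACL before relying on it. The following is an added example, not IBM code, that flags the ineffective or restricted entries listed on this page; it assumes the compact one-ACE-per-line text form used with the system.nfs4_acl attribute ("type:flags:principal:perms") and the usual single-letter bit mapping (n=READ_NAMED, N=WRITE_NAMED, y=SYNCHRONIZE, c=READ_ACL, C=WRITE_ACL, t=READ_ATTR, T=WRITE_ATTR, o=WRITE_OWNER), both of which are assumptions here.

```python
"""Audit NFSv4 ACL text for entries that IBM Storage Scale ignores or restricts.
Added example (not IBM code). Assumed input: nfs4_setfacl-style lines
"type:flags:principal:perms", e.g. "A::OWNER@:rwaxtTcC"; assumed bit letters:
n=READ_NAMED, N=WRITE_NAMED, y=SYNCHRONIZE, c=READ_ACL, C=WRITE_ACL,
t=READ_ATTR, T=WRITE_ATTR, o=WRITE_OWNER."""

NO_EFFECT = {"n": "READ_NAMED", "N": "WRITE_NAMED", "y": "SYNCHRONIZE"}
OWNER_ALWAYS = {"c": "READ_ACL", "C": "WRITE_ACL", "t": "READ_ATTR", "T": "WRITE_ATTR"}
VALID_SPECIAL = {"OWNER@", "GROUP@", "EVERYONE@"}


def audit_acl(acl_text):
    """Return a list of (line_no, finding) tuples for a multi-line ACL."""
    findings = []
    for no, raw in enumerate(acl_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ace_type, _flags, who, perms = line.split(":", 3)
        # Only owner@, group@ and everyone@ are valid special names in Storage Scale.
        if who.endswith("@") and who.upper() not in VALID_SPECIAL:
            findings.append((no, f"unsupported special name {who}"))
        # Bits that are stored but have no corresponding operation in Storage Scale.
        for bit, name in NO_EFFECT.items():
            if bit in perms:
                findings.append((no, f"{name} has no effect in Storage Scale (SMB still enforces it)"))
        # Storage Scale always grants ACL/attribute access to the owner, so a deny is ineffective.
        if ace_type == "D" and who.upper() == "OWNER@":
            for bit, name in OWNER_ALWAYS.items():
                if bit in perms:
                    findings.append((no, f"deny of {name} for owner is always overridden"))
        # WRITE_OWNER is honoured, but a non-privileged user may chown only to self or a member group.
        if ace_type == "A" and "o" in perms and who.upper() != "OWNER@":
            findings.append((no, f"{who} may chown only to self or to a group it belongs to"))
    return findings


SAMPLE_ACL = """\
# constructed sample ACL, not taken from a real system
A::OWNER@:rwaxtTcCo
D::OWNER@:cC
A::GROUP@:rxnNy
A::INTERACTIVE@:rx
A:g:staff@example.com:rwo
"""

if __name__ == "__main__":
    for no, msg in audit_acl(SAMPLE_ACL):
        print(f"line {no}: {msg}")
```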
For more information about ACLs and NFS export, see Managing GPFS access control lists.