NFS V4 ACL translation

NFS V4 access requires that an NFS V4 ACL is returned to clients whenever the ACL is read. This means that if a traditional GPFS ACL is associated with the file, a translation to NFS V4 ACL format must be performed when the ACL is read by an NFS V4 client. Since this translation must be done, an option (-k nfs4) is provided on the mmgetacl and mmeditacl commands so that this translation can be seen locally as well.

NFS V4 ACLs might also have been set on some file system objects (directories and individual files) before the administrator reverted the file system to a POSIX-only configuration. Since the NFS V4 access evaluation is no longer performed, it is desirable that the mmgetacl command returns an ACL representative of the evaluation that now occurs (translating NFS V4 ACLs into traditional POSIX style). The -k posix option returns the result of this translation.

Users can see ACLs in their true form. They can also see how they are translated for access evaluations. There are four cases:
  1. By default, the mmgetacl command returns the ACL in a format consistent with the file system setting:
    • If posix only, it is shown as a traditional ACL.
    • If nfs4 only, it is shown as an NFS V4 ACL.
    • If all formats are supported, the ACL is returned in its true form.
  2. The command mmgetacl -k nfs4 always produces an NFS V4 ACL.
  3. The command mmgetacl -k posix always produces a traditional ACL.
  4. The command mmgetacl -k native always shows the ACL in its true form, regardless of the file system setting.
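
The following added example (not part of the original documentation and not IBM code) combines cases 3 and 4 to review a directory tree after a revert to a POSIX-only configuration: it lists every object whose true ACL is still NFS V4 and prints the traditional ACL that is now evaluated for it. It assumes that mmgetacl prints NFS V4 ACLs with a first line beginning "#NFSv4 ACL"; the function names and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM code. Assumption: mmgetacl prints NFS V4 ACLs
# with a first line beginning "#NFSv4 ACL"; anything else is treated as
# a traditional ACL.

# Read mmgetacl output on stdin and print "nfs4" or "posix".
acl_kind() {
    IFS= read -r first || first=
    case $first in
        '#NFSv4 ACL'*) echo nfs4 ;;
        *)             echo posix ;;
    esac
}

# Walk directory $1. For every file or directory whose true (native) ACL
# is NFS V4, print "NFS4 <path>" followed by the indented -k posix
# translation. Paths mmgetacl cannot read are reported as "ERROR <path>".
# Paths containing newlines are not supported.
audit_nfs4_acls() {
    find "$1" \( -type f -o -type d \) | while IFS= read -r path; do
        native=$(mmgetacl -k native "$path" 2>/dev/null) || {
            echo "ERROR $path"
            continue
        }
        [ "$(printf '%s\n' "$native" | acl_kind)" = nfs4 ] || continue
        echo "NFS4 $path"
        mmgetacl -k posix "$path" 2>/dev/null | sed 's/^/    /'
    done
}

# Usage on a cluster node (hypothetical path):
#   audit_nfs4_acls /gpfs/fs1/projects
```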

In general, users must continue to use the mmgetacl and mmeditacl commands without the -k flag, allowing the ACL to be presented in a form appropriate for the file system setting. The NFS V4 ACLs are more complicated and hence harder to construct initially. Therefore, users who want to assign an NFS V4 ACL must use the command mmeditacl -k nfs4 to start with a translation of the current ACL. They can then modify the NFS V4 ACL that is returned.

Starting from IBM Storage Scale 5.1.7, IBM Storage Scale supports setting the extended system.nfs4_acl attribute as another method for manipulating NFSv4 ACLs. This enhancement is added to support the Linux NFSv4 ACL command-line tools. The nfs4_getfacl and nfs4_setfacl commands can be used directly in IBM Storage Scale to get and set NFSv4 ACLs. For requirements and limitations, see Q.2.41 in IBM Storage Scale FAQ.