Traditional GPFS ACL administration
Support for NFS V4 access control lists (ACLs) is added to traditional ACL support. NFS V4 ACLs differ from traditional ACLs.
If you are using NFS V4 ACLs, see NFS V4 ACL administration. Both ACL types can coexist in a single GPFS file system.
Traditional GPFS ACLs are based on the POSIX model. Traditional GPFS access control lists (ACLs) extend the base permissions, or standard file access modes of read (r), write (w), and execute (x). The permissions are extended beyond the three categories of file owner, file group, and other users. This extension of permissions allows the definition of more users and user groups. In addition, GPFS introduces a fourth access mode, control (c), which can be used to govern who can manage the ACL itself. A traditional GPFS ACL can therefore look like this:
```
#owner:jesmith
#group:team_A
user::rwxc
group::rwx-
other::--x-
mask::rwxc
user:alpha:r-xc
group:audit:r-x-
group:system:rwx-
```
- The first two lines are comments that show the file's owner, jesmith, and group name, team_A.
- The next three lines contain the base permissions for the file. These three entries are the minimum necessary for a GPFS ACL:
  - The permissions set for the file owner (user), jesmith
  - The permissions set for the owner's group, team_A
  - The permissions set for other groups or users outside the owner's group and not belonging to any named entry
- The next line, with an entry type of mask, contains the maximum permissions that are allowed for any entries other than the owner (the user entry) and those that are covered by other in the ACL.
- The last three lines contain additional entries for specific users and groups. These permissions are limited by those specified in the mask entry, but you can specify any number of additional entries up to a memory page (approximately 4 K) in size.
Traditional GPFS ACLs are fully compatible with the base operating system permission set. Any change to the base permissions by using the chmod command, for example, modifies the corresponding GPFS ACL as well. Similarly, any change to the GPFS ACL is reflected in the output of commands such as ls -l. The control (c) permission is GPFS-specific. There is no comparable support in the base operating system commands. As a result, the (c) permission is visible only with the GPFS ACL commands.
Each GPFS file or directory has an access ACL that determines its access privileges. These ACLs control who is allowed to read or write at the file or directory level. The ACLs also control who can change the ACL itself.
In addition to an access ACL, a directory might also have a default ACL. If present, the default ACL is used as a base for the access ACL of every object that is created in that directory. This allows a user to protect all files in a directory without explicitly setting an ACL for each one.
When a new object is created and the parent directory has a default ACL, the entries of the default ACL are copied to the new object's access ACL. Then the base permissions for user, mask (or group if mask is not defined), and other are changed to their intersection with the corresponding permissions from the mode parameter of the function that creates the object.
If the new object is a directory, its default ACL is set to the default ACL of the parent directory. If the parent directory does not have a default ACL, the initial access ACL of newly created objects consists only of the three required entries (user, group, other). The values of these entries are based on the mode parameter in the function that creates the object and the umask currently in effect for the process.
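As an added example (not part of the original documentation or of GPFS itself), the following Python code parses the traditional ACL shown above, works out which permissions a given user actually gets once the mask is applied to named entries, and derives a new object's initial access ACL from a parent's default ACL and a creation mode as described in the two preceding paragraphs. It assumes POSIX.1e-style entry evaluation order, treats a missing mask as no limit, and leaves the GPFS-specific c bit untouched by the mode intersection since mode has no such bit; none of these assumptions are stated on this page.

```python
PERMS = "rwxc"  # read, write, execute and the GPFS-specific control bit
SAMPLE_ACL = """#owner:jesmith
#group:team_A
user::rwxc
group::rwx-
other::--x-
mask::rwxc
user:alpha:r-xc
group:audit:r-x-
group:system:rwx-"""  # the ACL shown above, reused here as sample input


def parse_acl(text):
    """Parse traditional GPFS ACL text into sets of permission letters."""
    acl = {"user": set(), "group": set(), "other": set(), "mask": None,
           "users": {}, "groups": {}}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue  # '#owner:' and '#group:' comments carry no permissions
        kind, name, perm = line.split(":")
        bits = {p for p in perm if p in PERMS}
        if name == "" or kind in ("mask", "other"):
            acl[kind] = bits  # a base entry or the mask
        else:
            acl[kind + "s"][name] = bits  # named user or group entry
    return acl


def effective_perms(acl, who, groups, owner, owner_group):
    """Permissions 'who' (member of 'groups') gets. Assumes POSIX.1e-style order:
    owner, named user, owning/named groups (union, then mask), else other."""
    mask = acl["mask"] if acl["mask"] is not None else set(PERMS)  # no mask: no limit (assumption)
    if who == owner:
        return acl["user"]  # owner entry is never limited by the mask
    if who in acl["users"]:
        return acl["users"][who] & mask
    matched = [acl["group"]] if owner_group in groups else []
    matched += [acl["groups"][g] for g in groups if g in acl["groups"]]
    return set().union(*matched) & mask if matched else acl["other"]


def initial_access_acl(default_acl, mode):
    """New object's access ACL: copy of the parent's default ACL, with user, mask
    (or group when there is no mask) and other intersected with the rwx bits of
    'mode'. Assumption: 'c' has no mode bit and is kept unchanged."""
    def rwx(shift):  # one class of mode bits as letters, plus an untouched 'c'
        return {p for i, p in enumerate("rwx") if (mode >> shift) & (4 >> i)} | {"c"}
    new = {k: v.copy() if isinstance(v, (set, dict)) else v for k, v in default_acl.items()}
    new["user"] &= rwx(6)
    new["mask" if new["mask"] is not None else "group"] &= rwx(3)
    new["other"] &= rwx(0)
    return new
```

Tightening the mask to r-x- strips the c bit from alpha's effective permissions even though alpha's own entry grants it, which is the check to run before trusting a named entry as a statement of who can change the ACL.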