Working with ACLs

The IBM Storage Scale system applies default ACLs to newly created IBM Storage Scale file system components such as file systems, filesets, files, directories, and exports.

The file system must be created with NFS V4 as the native ACL type. It is recommended that you use the default configuration profiles (/usr/lpp/mmfs/profiles) that are included with IBM Storage Scale. They contain the required configuration for NFS V4 ACLs in the file system.

Applying default ACLs

Perform the following steps to apply default ACLs on SMB and NFS exports:
  1. Create a fileset or directory in the file system as shown in the following example:
    mkdir -p /ibm/gpfs0/testsmbexport
  2. Change the owner and group of the fileset or directory using chown and chgrp respectively. For example:
    chown -R "DOMAIN\\username":"DOMAIN\\groupname" /ibm/gpfs0/testsmbexport
  3. Use the mmputacl or mmeditacl command to set the required ACEs, including specific ACEs for the owner user and owner group, and the inheritance flags for the fileset or directory.
  4. Check the ACL setting for the fileset or directory by using the mmgetacl command.
  5. Create the desired SMB or NFS export by using the mmnfs or mmsmb commands over the fileset or directory.
  6. For data exported to SMB clients, it is recommended that you manage the ACLs from a Windows client, because a GUI is already available there and the ACL is set according to the requirements of Windows clients. Modifying the ACL directly with mmputacl or mmeditacl is not advised.
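
The check in step 4 can be scripted. The following is an added example, not IBM-supplied code: it reads mmgetacl -k nfs4 output and reports whether the owner@ and group@ entries carry the inheritance flags set in step 3. The finding names, the sample ACLs, and the everyone@ write check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint the output of `mmgetacl -k nfs4 <dir>` (step 4).
# The policy below is an assumption for illustration, not an IBM rule.

# Reads an NFSv4 ACL on stdin, prints one finding per line (none = pass).
acl_findings() {
  awk -F: '
    { sub(/[ \t\r]+$/, "") }                 # tolerate trailing blanks/CR
    # ACE header:  type:name:perms:allow|deny[:flag...]
    /^(special|user|group):/ {
      if ($4 != "allow") next
      who = $1 ":" $2
      seen[who] = 1
      # Flags may be split over several ACEs for one principal; merge them.
      for (i = 5; i <= NF; i++) flags[who, $i] = 1
      if (who == "special:everyone@" && $3 ~ /w/) print "everyone-write"
    }
    END {
      n = split("special:owner@ special:group@", want, " ")
      for (k = 1; k <= n; k++) {
        w = want[k]
        if (!(w in seen)) { print "missing-ace " w; continue }
        if (!((w, "FileInherit") in flags)) print "no-FileInherit " w
        if (!((w, "DirInherit") in flags))  print "no-DirInherit " w
      }
    }'
}

# Constructed sample: inheritance for group@ split across two ACEs.
sample_ok() { cat <<'EOF'
#NFSv4 ACL
#owner:DOMAIN\username
#group:DOMAIN\groupname
special:owner@:rwxc:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE
special:group@:r-x-:allow:FileInherit
special:group@:r-x-:allow:DirInherit:InheritOnly
EOF
}

# Constructed sample: no inheritance on owner@, no group@ ACE, open write.
sample_weak() { cat <<'EOF'
#NFSv4 ACL
special:owner@:rwxc:allow
special:everyone@:rwx-:allow:FileInherit:DirInherit
EOF
}

# Live use on a cluster node: sh acl_lint.sh /ibm/gpfs0/testsmbexport
if [ -n "${1:-}" ]; then mmgetacl -k nfs4 "$1" | acl_findings; fi
```

Running it before the export is created in step 5 shows whether files and folders created later through the share will inherit the intended entries.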

Viewing the owner of the SMB share

Perform the following steps to create an SMB share and view the owner of the export:
  1. Submit the mmsmb export add command to create an SMB share as shown in the following example:
    mmsmb export add testsmbexport /ibm/gpfs0/testsmbexport
  2. Issue either the ls -la command or the mmgetacl command to view the owner of the export. For example:
    ls -la /ibm/gpfs0/testsmbexport
    Or
    mmgetacl /ibm/gpfs0/testsmbexport

Apart from the tasks that are listed earlier in this section, the following table provides a quick overview of the tasks that can be performed to manage ACLs and the corresponding IBM Storage Scale command.

Table 1. Commands and reference to manage ACL tasks

| Tasks that can be performed to manage ACLs | Command | Reference topic |
|---|---|---|
| Applying ACL at file system, fileset, and export level | mmeditacl | Applying an existing NFS V4 access control list |
| Inserting ACEs in existing ACLs | mmeditacl | Changing NFS V4 access control lists |
| Modifying ACLs | mmeditacl | Changing NFS V4 access control lists |
| Copying access control list entries | mmeditacl | Changing NFS V4 access control lists |
| Replacing a complete ACL | mmputacl or mmeditacl | Changing NFS V4 access control lists |
| Replacing all entries for a specific user inside an ACL | mmeditacl | Changing NFS V4 access control lists |
| Controlling inheritance of entries inside an ACL | mmputacl or mmeditacl | |
| Deleting complete ACL | mmdelacl | Deleting NFS V4 access control lists |
| Deleting specific ACL entries | mmeditacl | Changing NFS V4 access control lists |
| Deleting ACL entry for a user | mmeditacl | Changing NFS V4 access control lists |
| Displaying an ACL | mmgetacl | Displaying NFS V4 access control lists |
| Changing file system directory's owner and group | chown or chgrp | |
| Displaying file system directory's owner and group | ls -l or mmgetacl | |

Important: The mmgetacl, mmputacl, and mmeditacl commands are available to change the ACLs directly. Because SMB clients might depend on the order of entries in the ACL, it is not recommended that you change the ACLs directly on GPFS while using the SMB protocol. Changing an ACL directly in GPFS also does not account for inherited entries. It is therefore recommended that you change the ACLs from a Windows client.

Managing ACLs from Windows clients

For SMB shares, it is recommended that you manage the ACLs from a Windows client. The following operations are included in creating an SMB share:
  1. Create the folder to export in the file system with the mkdir command.
  2. Change the owner of the exported folder to a user who configures the initial ACLs.
  3. Create the export using the mmsmb export add command.
  4. Using a Windows client machine, access the newly created share as the user specified in step 2.
  5. Right-click on the shared folder, and select Properties.
  6. Select the Security tab and then select Advanced to navigate to the more detailed view of permissions.
  7. Add and remove permissions as required.