Access control on GPFS file systems
GPFS provides support for the Windows access control model for file system objects.
Each GPFS file or directory has a Security Descriptor (SD) object associated with it and you can use the standard Windows interfaces for viewing and changing access permissions and object ownership (for example, Windows Explorer Security dialog panel). Internally, a Windows SD is converted to an NFS V4 access control list (ACL) object, which ensures that access control is performed consistently on other supported operating systems. GPFS supports all discretionary access control list (DACL) operations, including inheritance. GPFS is capable of storing system access control list (SACL) objects, but generation of AUDIT and ALARM events specified in SACL contents is not supported.
An important distinction between GPFS and the Microsoft Windows NT File System (NTFS) is the default set of permissions for the root (top-level) directory on the file system. On a typical NTFS volume, the DACL for the top-level folder has several inheritable entries that grant full access to certain special accounts, as well as some level of access to nonprivileged users. For example, on a typical NTFS volume, the members of the local group Users would be able to create folders and files in the top-level folder. This approach differs substantially from the traditional UNIX convention where the root directory on any file system is writable only by the local root superuser by default. GPFS adheres to the latter convention; the root directory on a new file system is writable only by the UNIX user root, and does not have an extended ACL when the file system is created. This is to avoid impacting performance in UNIX-only environments, where the use of extended ACLs is not common.
When a new GPFS file system is accessed from a Windows client for the first time, an immutable security descriptor object is created for the root directory automatically. This immutable security descriptor for the root directory contains a non-inheritable DACL that grants full access to the local Administrators group and read-only access to the Everyone group. This allows only privileged Windows users (members of the local Administrators group) to create new files and folders immediately under the root directory. Because the root directory DACL has no inheritable entries, new top-level objects under the root directory are created with a default non-inheritable DACL that only grants local Administrators and SYSTEM accounts full access. Therefore, as a best practice, privileged Windows users must create top-level objects under the root directory and then explicitly set inheritable DACLs on these top-level directories as appropriate (granting the necessary level of access to non-privileged users).
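The following PowerShell sketch illustrates that best practice; it is an added example, not taken from the GPFS documentation. The drive letter G:, the directory name projects, and the choice of Modify access for the local Users group are assumptions, and the script must be run from an elevated session by a member of the local Administrators group.

```powershell
# Added example. Assumed values: G:\ (GPFS drive letter), 'projects' (directory name),
# Modify as the access level granted to non-privileged users.
$ErrorActionPreference = 'Stop'
$topDir = Join-Path 'G:\' 'projects'

# Well-known SIDs, used instead of names so the script does not depend on localization.
$admins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$system = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM
$users  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'  # BUILTIN\Users

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify

# Step 1: a privileged user creates the top-level directory under the root.
# It starts with the default non-inheritable DACL (Administrators and SYSTEM only).
New-Item -ItemType Directory -Path $topDir | Out-Null
$acl = Get-Acl -Path $topDir

# Step 2: replace the non-inheritable entries with inheritable ones, and add the
# entry for non-privileged users. Administrators and SYSTEM are made inheritable
# too, so child objects do not end up with only the Users entry.
$entries = @(
    @{ Sid = $admins; Rights = $full },
    @{ Sid = $system; Rights = $full },
    @{ Sid = $users;  Rights = $modify }
)
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Sid, $e.Rights, $inherit, $noProp, $allow)
    $acl.SetAccessRule($rule)   # replaces any existing Allow entry for the same SID
}
Set-Acl -Path $topDir -AclObject $acl

# Step 3: confirm that inheritance takes effect on a new child object.
$child    = New-Item -ItemType Directory -Path (Join-Path $topDir 'inherit-check')
$childAcl = Get-Acl -Path $child.FullName
$childAcl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
if (-not ($childAcl.Access | Where-Object { $_.IsInherited })) {
    throw "No inherited entries on $($child.FullName); review the DACL on $topDir"
}
Remove-Item -Path $child.FullName
```

Grant the narrowest rights that the workload needs in place of Modify, and prefer a dedicated group over the local Users group where one exists.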