GPFS exceptions and limitations to NFS V4 ACLs

GPFS™ has some exceptions and limitations for NFS V4 ACLs.

Those exceptions and limitations include:
  1. Alarm type ACL entries are not supported.
  2. Audit type ACL entries are not supported.
  3. Some types of access for which NFS V4 defines controls do not currently exist in GPFS. For these, ACL entries will be accepted and saved, but since there is no corresponding operation they will have no effect. These include READ_NAMED, WRITE_NAMED, and SYNCHRONIZE.
    Note: Even if GPFS ignores these bits, the SMB service will enforce them on the protocol level.
  4. AIX® requires that READ_ACL and WRITE_ACL always be granted to the object owner. Although this contradicts the NFS Version 4 protocol, it is viewed as an area where users would otherwise erroneously leave an ACL that only privileged users could change. Since ACLs are themselves file attributes, READ_ATTR and WRITE_ATTR are similarly granted to the owner. Since it would not make sense to then prevent the owner from accessing the ACL from a non-AIX node, GPFS has implemented this exception everywhere.
  5. AIX does not support the use of special name values other than owner@, group@, and everyone@. Therefore, these are the only valid special name values for use in GPFS NFS V4 ACLs as well.
  6. NFS V4 allows ACL entries that grant users (or groups) permission to change the owner or owning group of the file (for example, with the chown command). For security reasons, GPFS now restricts this so that non-privileged users may only chown such a file to themselves (becoming the owner) or to a group that they are a member of.
  7. Windows does not support NFS V4 ACLs.
  8. If a file system is to be exported over NFS V4/Linux, then it must be configured to support POSIX ACLs (with the -k all or -k posix option of the mmcrfs command). This is because NFS V4 Linux servers only handle ACLs properly if they are stored in GPFS as POSIX ACLs. For more information, see Linux ACLs and extended attributes.
  9. Concurrent Samba, AIX NFS servers, and GPFS Windows nodes in the cluster are allowed. NFS V4 ACLs can be stored in GPFS file systems using Samba exports, NFS V4 AIX servers, GPFS Windows nodes, aclput, and mmputacl. However, clients of Linux V4 servers will not be able to see these ACLs, just the permissions from the mode.
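
As an added example (not IBM's code), the following Python check lints an ACL file before it is applied with mmputacl, flagging entries that fall under items 1 to 5 above. It assumes the text layout that mmgetacl prints for NFS V4 ACLs (a type:name:mode:acetype header followed by (X)/(-) permission flags); the function names and the sample ACL are constructed for illustration.

```python
import re

VALID_SPECIAL = {"owner@", "group@", "everyone@"}                    # item 5 above
NO_EFFECT = {"READ_NAMED", "WRITE_NAMED", "SYNCHRONIZE"}             # item 3 above
OWNER_ALWAYS = {"READ_ACL", "WRITE_ACL", "READ_ATTR", "WRITE_ATTR"}  # item 4 above
FLAG = re.compile(r"\((X|-)\)(\S+)")  # "(X)NAME" is set, "(-)NAME" is clear

def parse_acl(text):
    """Return [(type, name, acetype, enabled_flags)] from ACL text."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        flags = FLAG.findall(line)
        if flags and entries:  # permission line for the preceding entry header
            entries[-1][3].update(f for on, f in flags if on == "X")
        elif not flags:
            fields = line.split(":")  # assumed layout: type:name:mode:acetype[:...]
            if len(fields) < 4:
                raise ValueError(f"unrecognized ACL line: {line!r}")
            entries.append((fields[0], fields[1], fields[3], set()))
    return entries

def lint(text):
    """Return [(entry, message)] for entries that hit a listed limitation."""
    out = []
    for kind, name, acetype, flags in parse_acl(text):
        who = f"{kind}:{name}"
        if acetype not in ("allow", "deny"):  # items 1 and 2 above
            out.append((who, f"entry type {acetype!r} is not supported"))
            continue
        if kind == "special" and name not in VALID_SPECIAL:
            out.append((who, "special name is not valid in GPFS"))
        for f in sorted(flags & NO_EFFECT):
            out.append((who, f"{f}: no effect in GPFS, enforced by SMB"))
        if who == "special:owner@" and acetype == "deny":
            for f in sorted(flags & OWNER_ALWAYS):
                out.append((who, f"{f}: owner is always granted this"))
    return out

# Constructed sample ACL for illustration (not taken from the page).
SAMPLE = """\
special:owner@:rwxc:allow
 (X)READ/LIST (X)SYNCHRONIZE (X)READ_ACL (-)READ_NAMED
special:owner@:----:deny
 (X)WRITE_ACL (-)WRITE_ATTR
special:interactive@:r---:allow
 (X)READ/LIST
user:bob:r---:audit
"""
```

Calling lint(SAMPLE) returns one finding per problem entry, so the result can be reviewed or used to block the change before the ACL is stored.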

For more information about GPFS ACLs and NFS export, see Managing GPFS access control lists.