Authorizing file protocol users

The IBM Spectrum Scale™ system uses ACLs to authorize users who access the system through file protocols such as NFS and SMB.

The GPFS™ file system supports storing POSIX and NFSv4 ACLs to authorize file protocol users.

The SMB service maps the NFSV4 ACL to a security descriptor, which forms the ACL that SMB clients see. That is, the SMB ACL is derived from the NFSV4 ACL; it is not a separate ACL. Any changes that SMB clients make to ACLs are mapped back to the ACLs in the file system.

To get the expected behavior of ACLs, the file system must be configured to use only the NFSV4 ACLs. The default configuration profiles (/usr/lpp/mmfs/profiles) that are included with IBM Spectrum Scale contain the required configuration for NFSV4 ACLs in the file system. When manually creating a file system for protocol usage by using the mmcrfs command, use the -k nfs4 option to establish the correct ACL setting. For more details, see the mmcrfs command and the mmchfs command.

ACLs can be applied at the following levels:
  • Files
  • Directories
  • Exports

The SMB and NFS protocols allow you to manage the ACL permissions. ACLs from both protocols are mapped to the same ACL in the file system. The ACL supports inheritance, and you can control the inheritance by using the special inheritance flags.

The export-level ACLs authorize access to NFS and SMB exports. The administrator needs to explicitly make a user or a group of users the owner of a directory that is being exported as an NFS or SMB export. Export-level ACLs can be changed either through the MMC on a Windows client or through the sharesec command.

You can use either the chown or the chgrp command to set an owner for a file or directory. When the export is created with an owner, the ACL management must be done by the owner of the export through the protocol. Additionally, for SMB, privileged users can also perform the ACL management tasks through the protocol. Moreover, by using different security flags, the export-level SMB ACLs can provide more authorization capabilities while creating the SMB export.

For example, after creating an SMB or NFS export with an initial owner, this user can connect to the export by using SMB or NFS protocol to see and manage the ACLs associated with the directory over which the export is created. The export-level SMB ACLs can be changed either through the MMC on a Microsoft Windows client or by using the sharesec command. For more information, see the sharesec command.

ACLs and POSIX mode bits

The POSIX bits of a file are another authorization method, different from ACLs. POSIX bits can also be used to specify access permissions for a file. You can use the POSIX bits of a file to configure access control for an owner, a group, and for all users to read, update, or run the file. POSIX bits are less flexible than ACLs.

Changing the POSIX mode bits also modifies the ACL of an object. When using ACLs for access control, system administrators might want to ensure that ACLs are not replaced with permissions from POSIX mode bits. This behavior can be configured by using the --allow-permission-change parameter in the mmcrfileset and mmchfileset commands.

An ACL extends the base permissions or the standard file access modes such as read, write, and execute. ACLs are compatible with UNIX mode bits. When an NFS client issues the chmod command, the access privileges that are defined in the ACL are overwritten by the privileges that are derived from UNIX mode bits. By default, the ACLs are replaced by UNIX mode bits if the chmod command is submitted. To allow proper use of ACLs, it is recommended to prevent chmod from overwriting the ACLs by setting the --allow-permission-change parameter to setAclOnly or chmodAndSetAcl.

NFSV3 clients can set and read the POSIX mode bits; NFSV3 clients who set the UNIX permissions modify the ACL to match the UNIX permissions. In most NFS-only cases, the POSIX permissions are used directly. For NFSV3 clients, file sharing with SMB access protection is done by using NFSV4 ACLs but NFSV3 clients can see only the mapping of ACLs to traditional UNIX access permissions. The full NFSV4 ACLs are enforced on the server.

SMB protocol export-level ACLs

Export-level ACLs only apply to SMB exports and they are completely separate from the file system ACLs. The file system ACLs are stored as NFSV4 ACLs. The SMB protocol also has a separate ACL for each export (export-level ACL). That ACL by default grants access to all users. When using export ACLs, users need to have access in the share-level ACL and in the file system ACL to get access to a file.

Export-level ACLs can be changed either through the MMC on a Windows client or through the sharesec command. For more information, see the sharesec command on any protocol node.
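
The two-layer check described in this section, as an added example that is not part of the original documentation or of IBM's code: a simplified Python model in which an SMB request succeeds only if both the export-level ACL and the file system ACL allow it. The `Ace` type, the three permission bits, the user and group names, and the ordered first-match ACE evaluation (the standard NFSv4 rule) are assumptions made for illustration.

```python
from dataclasses import dataclass

READ, WRITE, EXECUTE = 1, 2, 4  # simplified permission bits (assumption)

@dataclass(frozen=True)
class Ace:
    kind: str  # "allow" or "deny"
    who: str   # user name, "group:<name>", or "everyone"
    mask: int  # OR of READ / WRITE / EXECUTE

def _matches(ace, user, groups):
    if ace.who == "everyone":
        return True
    if ace.who.startswith("group:"):
        return ace.who[len("group:"):] in groups
    return ace.who == user

def acl_allows(acl, user, groups, wanted):
    """Walk the ACEs in order; the first matching ACE that names a bit decides it."""
    remaining = wanted
    for ace in acl:
        if not _matches(ace, user, groups):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False  # bits that no ACE grants are denied

# Export-level ACL default described above: grants access to all users.
DEFAULT_EXPORT_ACL = [Ace("allow", "everyone", READ | WRITE | EXECUTE)]

def smb_access(export_acl, file_acl, user, groups, wanted):
    """An SMB request needs access in the export-level ACL AND the file system ACL."""
    return (acl_allows(export_acl, user, groups, wanted)
            and acl_allows(file_acl, user, groups, wanted))

# Constructed sample ACLs and principals.
FILE_ACL = [
    Ace("deny", "bob", WRITE),
    Ace("allow", "group:finance", READ | WRITE),
    Ace("allow", "everyone", READ),
]
FINANCE_ONLY_EXPORT_ACL = [Ace("allow", "group:finance", READ | WRITE | EXECUTE)]

if __name__ == "__main__":
    for user, groups in (("alice", {"finance"}), ("bob", {"finance"}), ("dave", {"guests"})):
        for name, export in (("default", DEFAULT_EXPORT_ACL), ("finance-only", FINANCE_ONLY_EXPORT_ACL)):
            print(user, name, smb_access(export, FILE_ACL, user, groups, READ))
```

With the default export-level ACL, the file system ACL is the only effective gate; narrowing the export-level ACL removes read access for dave even though the file ACL still grants it to everyone.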