ACL allows to set more finer permissions on a file or directory apart from the standard permissions(uog)
POSIX ACL's use setfacl and getfacl functions to set ACL permissions. POSIX style ACL doesn't work on ZFS filesystem.
NFSv4 style ACL is an upgrade over the old model and use chmod to set permissions. getfacl and setfacl are obsolete in ZFS. This provides more finer permissions including permission only to append on a file.
NFSv4 style ACL's are set on the directories
==============================
zone1:/root# ls -lv /opt/slw/bea/app/ines/bulk
total 161
drwxrwxrwx+ 2 myuser slw 108 Oct 21 17:07 error
0:everyone@:delete_child/
1:group@:delete_child/write_
2:group@:read_attributes/read_
3:group@:write_attributes/
4:user:slw9:write_attributes/
5:user:slw9::deny
6:user:slw9:list_directory/
/add_subdirectory/append_data/
/read_acl/synchronize:allow
7:user:slw9:write_attributes/
8:user:slw:write_attributes/
9:user:slw::deny
10:user:slw:list_directory/
/append_data/execute/delete_
/synchronize:allow
11:user:slw:write_attributes/
12:owner@::deny
13:owner@:delete_child/read_
/write_acl/synchronize:allow
14:everyone@:read_attributes/
15:owner@::deny
16:owner@:list_directory/read_
/append_data/write_xattr/
/write_owner:allow
17:group@::deny
18:group@:list_directory/read_
/append_data/execute:allow
19:everyone@:write_xattr/
20:everyone@:list_directory/
/add_subdirectory/append_data/
/read_acl/synchronize:allow
drwxrwxrwx+ 2 myuser slw 8 Jan 25 13:39 input
0:group:slw:list_directory/
/add_subdirectory/append_data:
1:everyone@:delete_child/
2:group@:delete_child/write_
3:group@:read_attributes/read_
4:group@:write_attributes/
5:user:slw9:write_attributes/
6:user:slw9::deny
7:user:slw9:list_directory/
/add_subdirectory/append_data/
/read_acl/synchronize:allow
8:user:slw9:write_attributes/
9:user:slw:write_attributes/
10:user:slw::deny
11:user:slw:list_directory/
/append_data/execute/delete_
/synchronize:allow
12:user:slw:write_attributes/
13:owner@::deny
14:owner@:delete_child/read_
/write_acl/synchronize:allow
15:everyone@:read_
16:owner@::deny
17:owner@:list_directory/read_
/append_data/write_xattr/
/write_owner:allow
18:group@::deny
19:group@:list_directory/read_
/append_data/execute:allow
20:everyone@:write_xattr/
21:everyone@:list_directory/
/add_subdirectory/append_data/
/read_acl/synchronize:allow
drwxrwxr-x+ 2 myuser slw 3 Jan 26 11:00 processing
<..........>
As with standard ACL, the '+' sign implies that ACL permissions are set on the directories
==============================================================================
zone1:/root# cd /opt/slw/bea/app/ines/bulk
zone1:/opt/slw/bea/app/ines/
total 161
drwxrwxrwx+ 2 myuser slw 108 Oct 21 17:07 error
drwxrwxrwx+ 2 myuser slw 8 Jan 25 13:39 input
drwxrwxr-x+ 2 myuser slw 3 Jan 26 11:00 processing
drwxrwxrwx+ 2 myuser slw 2 Jul 20 2010 retry
drwxrwxrwx+ 2 myuser slw 145 Oct 21 17:02 success
Adding an ACL entry onto a directory
============================================================
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
total 164
drwxr-xr-x 2 myuser slw 2 Jan 26 11:32 TEST
zone1:/opt/slw/bea/app/ines/
A02=owner@:list_directory/
zone1:/opt/slw/bea/app/ines/
drwxr-xr-x+ 2 myuser slw 2 Jan 26 11:32 TEST
0:owner@::deny
1:owner@:list_directory/read_
/append_data/write_xattr/
/write_owner:allow
2:owner@:list_directory/read_
/append_data/write_xattr/
/write_owner:allow
3:group@:list_directory/read_
4:everyone@:add_file/write_
/write_attributes/write_acl/
5:everyone@:list_directory/
/read_acl/synchronize:allow
zone1:/opt/slw/bea/app/ines/
A6=user:slw9:list_directory/
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
dr-xr-xr-x+ 2 myuser slw 2 Jan 26 11:32 TEST
0:everyone@:delete_child/
1:group@:delete_child/write_
2:group@:read_attributes/read_
3:group@:write_attributes/
4:user:slw9:write_attributes/
5:user:slw9::deny
6:user:slw9:list_directory/
/add_subdirectory/append_data/
/read_acl/synchronize:allow
7:user:slw9:write_attributes/
8:user:slw:write_attributes/
9:user:slw::deny
10:everyone@:add_file/write_
/write_attributes/write_acl/
11:everyone@:list_directory/
/read_acl/synchronize:allow
Removing the ACL entry set on a directory
=====================================================
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
zone1:/opt/slw/bea/app/ines/
drwxrwxr-x 2 myuser slw 2 Jan 26 11:32 TEST
0:owner@::deny
1:owner@:list_directory/read_
/append_data/write_xattr/
/write_owner:allow
2:group@::deny
3:group@:list_directory/read_
/append_data/execute:allow
4:everyone@:add_file/write_
/write_attributes/write_acl/
5:everyone@:list_directory/
/read_acl/synchronize:allow
=====================================================
Removing the ACL's one by one
=====================================================
zone2:/opt/slw/bea/app/ines/
drwxrwxrwx+ 2 myuser slw 2 Jul 8 2010 retry
0:group:slw:list_directory/
/add_subdirectory/append_data:
1:everyone@:delete_child/
2:everyone@:read_attributes/
3:group@:delete_child/write_
4:group@:read_attributes/read_
5:group@:write_attributes/
6:user:slw9:write_attributes/
7:user:slw9::deny
8:user:slw9:list_directory/
/add_subdirectory/append_data/
/read_acl/synchronize:allow
9:user:slw9:write_attributes/
10:user:slw:write_attributes/
11:user:slw::deny
12:user:slw:list_directory/
/append_data/execute/delete_
/synchronize:allow
13:user:slw:write_attributes/
14:owner@::deny
15:owner@:delete_child/read_
/write_acl/synchronize:allow
16:owner@::deny
17:owner@:list_directory/read_
/append_data/write_xattr/
/write_owner:allow
18:group@::deny
19:group@:list_directory/read_
/append_data/execute:allow
20:everyone@:write_xattr/
21:everyone@:list_directory/
/add_subdirectory/append_data/
/read_acl/synchronize:allow
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
drwxrwxrwx 2 myuser slw 2 Jul 8 2010 retry
0:owner@::deny
1:owner@:list_directory/read_
/append_data/write_xattr/
/write_owner:allow
2:group@::deny
3:group@:list_directory/read_
/append_data/execute:allow
4:everyone@:write_xattr/write_
5:everyone@:list_directory/
/add_subdirectory/append_data/
/read_acl/synchronize:allow
zone2:/opt/slw/bea/app/ines/
zone2:/opt/slw/bea/app/ines/
drwxrwxr-x 2 myuser slw 2 Jul 8 2010 retry
0:owner@::deny
1:owner@:list_directory/read_
/append_data/write_xattr/
/write_owner:allow
2:group@::deny
3:group@:list_directory/read_
/append_data/execute:allow
4:everyone@:add_file/write_
/write_attributes/write_acl/
5:everyone@:list_directory/
/read_acl/synchronize:allow
zone2:/opt/slw/bea/app/ines/
total 251
drwxrwxr-x 2 myuser slw 152 Jan 21 09:30 error
drwxrwxrwx+ 2 myuser slw 152 Jan 21 09:30 error.old
drwxrwxr-x 2 myuser slw 2 Jan 21 09:30 input
drwxrwxr-x+ 2 myuser slw 2 Jan 21 09:30 input.old
drwxrwxrwx+ 2 myuser slw 2 Jan 21 09:30 processing
drwxrwxr-x 2 myuser slw 2 Jul 8 2010 retry
drwxrwxrwx+ 2 myuser slw 200 Jan 20 16:08 success
No comments:
Post a Comment