# Changing NFS permissions

This guide describes how to share a subdirectory of `$HPCVAULT` or `$WORK`.

NFS ACLs and POSIX file permissions are used together, in a two-step process, to grant read or read/write access to this subdirectory for a specific user or group. NFS ACLs provide more fine-grained options than the usual POSIX read/write/execute permissions.

- NFS ACLs are used to make `$HPCVAULT` or `$WORK` traversable for the specific user/group.
- POSIX file permissions are used to open a subdirectory of `$HPCVAULT` or `$WORK` to members of your group or anybody else.
**Be careful when changing permissions, as others can accidentally get access.**

This guide should not be mixed with sharing a directory by changing POSIX file permissions. Ensure that the POSIX permission class "others" does not have read, write, or execute permission for `$HPCVAULT` or `$WORK` when following this guide.

You can check the POSIX file permissions of `$HPCVAULT` or `$WORK` with `ls -ld`. Ensure the last three characters in the first block, here `drwx------`, are `---` and do not contain any of `r`, `w` or `x`.
For working with NFS ACLs we will use:

- `nfs4_setfacl` to change permissions,
- `nfs4_getfacl` to review permissions.
- For a general overview of NFS permissions, see the `nfs4_acl` man page.

For POSIX file permissions we use the `chmod` command.
## Grant a specific user read or read/write access

In the following example you, the OWNER, will grant read or read/write access for a specific user `<OTHER-USER>` to the directory `$WORK/<SUBDIR>`. `<OTHER-USER>` denotes the user's HPC account name.

- Make `$WORK` (top level) traversable for `<OTHER-USER>` using `nfs4_setfacl` with the following arguments:
    - `-a`: add an ACL entry
    - `A`: allow the following user/group with the respective permissions
    - `::`: empty colons denote that the principal is a user
    - `<OTHER-USER>@rrze.uni-erlangen.de`: the principal
    - `X`: makes the following directory traversable
    - `$WORK`: the directory the ACLs are applied to

- Grant read or read/write access to `$WORK/<SUBDIR>`:

    | `<OTHER-USER>` is ... | access | command to execute |
    | --- | --- | --- |
    | member of your group | read | `chmod -R g=rx $WORK/<SUBDIR>` |
    | member of your group | read/write | `chmod -R g=rwx $WORK/<SUBDIR>` |
    | not member of your group | read | `chmod -R o=rx $WORK/<SUBDIR>` |
    | not member of your group | read/write | `chmod -R o=rwx $WORK/<SUBDIR>` |

    - `-R`: apply permissions recursively
    - `g=rx`: read permission for members of your group
    - `g=rwx`: read/write permission for members of your group
    - `o=rx`: read permission for all HPC users, except members of your group
    - `o=rwx`: read/write permission for all HPC users, except members of your group

- Optional: check resulting permissions.
## Grant a specific group read or read/write access

In the following example you, the OWNER, will grant read or read/write access for a group `<OTHER-GROUP>` to the directory `$WORK/<SUBDIR>`. Here `<OTHER-GROUP>` denotes the group's HPC group name.

- Make `$WORK` (top level) traversable for `<OTHER-GROUP>` using `nfs4_setfacl` with the following arguments:
    - `-a`: add an ACL entry
    - `A`: allow the following user/group with the respective permissions
    - `g:`: the principal is a group
    - `<OTHER-GROUP>@rrze.uni-erlangen.de`: the principal
    - `X`: makes the following directory traversable
    - `$WORK`: the directory the ACLs are applied to

- Grant read or read/write access to `$WORK/<SUBDIR>`:

    | you are ... | access | command to execute |
    | --- | --- | --- |
    | member of `<OTHER-GROUP>` | read | `chmod -R g=rx $WORK/<SUBDIR>` |
    | member of `<OTHER-GROUP>` | read/write | `chmod -R g=rwx $WORK/<SUBDIR>` |
    | not member of `<OTHER-GROUP>` | read | `chmod -R o=rx $WORK/<SUBDIR>` |
    | not member of `<OTHER-GROUP>` | read/write | `chmod -R o=rwx $WORK/<SUBDIR>` |

    - `-R`: apply permissions recursively
    - `g=rx`: read permission for members of your group
    - `g=rwx`: read/write permission for members of your group
    - `o=rx`: read permission for all HPC users, except members of your group
    - `o=rwx`: read/write permission for all HPC users, except members of your group

- Optional: check resulting permissions.
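The two procedures above (user and group), as an added example that is not part of the original guide: a POSIX shell script that assembles the `nfs4_setfacl` and `chmod` command lines from the arguments listed in the steps (the command lines are printed, not executed, so it runs on any machine), checks the `ls -ld` precondition from the warning at the top, and audits `nfs4_getfacl` output of the top-level directory in the format shown in the checking section. The function names `build_ace`, `traverse_cmd`, `share_cmd`, `others_closed` and `acl_wide_open`, the sample ACL text and the numeric id `12345` are this example's own constructions; the principal domain `rrze.uni-erlangen.de` and the permission letters come from the guide.

```shell
#!/bin/sh
# Added example, not part of the original guide. Builds the command lines the
# guide describes and sanity-checks permissions before and after; nothing here
# runs nfs4_setfacl or nfs4_getfacl, their output is only parsed.

ACL_DOMAIN=rrze.uni-erlangen.de   # principal domain used in the guide

# Step 1 ACE: allow (A), user (empty flag field) or group (g:), principal@domain,
# traverse only (X).   usage: build_ace user|group NAME
build_ace() {
    case "$1" in
        user)  printf 'A::%s@%s:X\n'  "$2" "$ACL_DOMAIN" ;;
        group) printf 'A:g:%s@%s:X\n' "$2" "$ACL_DOMAIN" ;;
        *) echo "build_ace: first argument must be 'user' or 'group'" >&2; return 1 ;;
    esac
}

# Full step-1 command line for DIR (printed, not run).
# usage: traverse_cmd user|group NAME DIR
traverse_cmd() {
    ace=$(build_ace "$1" "$2") || return 1
    printf 'nfs4_setfacl -a %s %s\n' "$ace" "$3"
}

# Step-2 command line, i.e. the chmod mode from the guide's table.
# usage: share_cmd group|others read|readwrite DIR
share_cmd() {
    case "$1:$2" in
        group:read)       mode=g=rx  ;;
        group:readwrite)  mode=g=rwx ;;
        others:read)      mode=o=rx  ;;
        others:readwrite) mode=o=rwx ;;
        *) echo "share_cmd: expected group|others read|readwrite DIR" >&2; return 1 ;;
    esac
    printf 'chmod -R %s %s\n' "$mode" "$3"
}

# Precondition from the guide's warning: the "others" triplet of a mode string
# such as drwx------ (first field of `ls -ld`) must be ---. A trailing + or .
# (ACL / security-context marker printed by some ls versions) is tolerated.
# usage: others_closed MODE
others_closed() {
    case "$1" in
        ??????????|??????????[+.]) ;;
        *) echo "others_closed: '$1' is not a mode string" >&2; return 2 ;;
    esac
    [ "$(printf '%s' "$1" | cut -c8-10)" = "---" ]
}

# Post-check on `nfs4_getfacl` output of the top-level directory: GROUP@ and
# EVERYONE@ should keep only t, c, y (read attributes / read ACL / synchronize).
# Any other letter means the whole directory is open, not just the subdirectory.
# Reads ACL text on stdin, prints offending ACEs, returns 1 if there are any.
acl_wide_open() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            A:*:GROUP@:*|A:*:EVERYONE@:*)
                case "${line##*:}" in
                    *[!tcy]*) echo "too permissive: $line"; found=1 ;;
                esac ;;
        esac
    done
    return "$found"
}

# Constructed sample: nfs4_getfacl output after granting one user traverse
# access, with a placeholder numeric id (12345) instead of a real account.
SAMPLE_ACL='A::OWNER@:rwaDxtTcCy
A::12345:xtcy
A::GROUP@:tcy
A::EVERYONE@:tcy'

traverse_cmd user  '<OTHER-USER>'  '$WORK'
traverse_cmd group '<OTHER-GROUP>' '$WORK'
share_cmd others read '$WORK/<SUBDIR>'
others_closed drwx------ && echo "top level: others have no POSIX access"
printf '%s\n' "$SAMPLE_ACL" | acl_wide_open && echo "top-level ACL: only traverse granted"
```

Run the script once to see the assembled command lines; to check a real directory, feed the first field of `ls -ld $WORK` to `others_closed` and pipe `nfs4_getfacl $WORK` into `acl_wide_open`. The ACL audit deliberately covers only the top-level directory: on `$WORK/<SUBDIR>` the `chmod g=rx` / `o=rx` from step 2 is expected to show up as `r` and `x` for GROUP@ or EVERYONE@.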
## Checking resulting permissions

You can check the permissions you granted; they should look like the following:

- for `$WORK`:
    - If access was granted to a user:

        ```
        $ nfs4_getfacl $WORK
        # file: /home/.../GROUP/USER
        A::OWNER@:rwaDxtTcCy
        A::<OTHER-USER-ID>:xtcy
        A::GROUP@:tcy
        A::EVERYONE@:tcy
        ```

        Here `<OTHER-USER-ID>` is the user id the command `id <OTHER-USER>` returns.
    - If access was granted to a group:

        ```
        $ nfs4_getfacl $WORK
        # file: /home/.../GROUP/USER
        A::OWNER@:rwaDxtTcCy
        A::GROUP@:tcy
        A:g:<OTHER-GROUP-ID>:xtcy
        A::EVERYONE@:tcy
        ```

        Here `<OTHER-GROUP-ID>` is the group id the command `getent group <OTHER-GROUP>` returns.
    - In case access was granted to a user and a group, or to multiple users and groups, you will see a mix of both examples.
- for `$WORK/<SUBDIR>`:
    - If `<OTHER-USER>` is a member of your group or you are a member of `<OTHER-GROUP>`:
    - If `<OTHER-USER>` is not a member of your group or you are not a member of `<OTHER-GROUP>`:
- If