Difference between revisions of "DPM Filesystem Access Control Lists"
From GridPP Wiki
Latest revision as of 15:43, 26 October 2009
DPM Access Control Lists
DPM supports (and, indeed, requires) access control lists on its namespace. These are POSIX-style, and can be read and set with the commands
dpns-getacl /dpm/domain.name/path/to/directory
and
dpns-setacl some-acl[,some-more-acl] /dpm/domain.name/path/to/directory
For example, YAIM autoconfigures the ACLs for supported VOs with the following commands:
dpns-chmod 775 /dpm
dpns-chmod 775 /dpm/domain.name
dpns-chmod 775 /dpm/domain.name/home
dpns-chmod 775 /dpm/domain.name/home/VO
dpns-entergrpmap --group VO
dpns-chown root:VO /dpm/domain.name/home/VO
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/domain.name
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/domain.name/home
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/domain.name/home/VO
This sets both the default user access mode (with dpns-chmod) and the default access control lists (with dpns-setacl) to rwxrwxr-x.
Of course, ACLs are more flexible than chmod-based access control, so, for example, we could allow only users jbloggs and ppecker to have full permissions on a branch of the filesystem with
dpns-setacl -m d:u::5,u:jbloggs:7,u:ppecker:7 /dpm/domain.name/home/VO/stuff/jbloggs-special-area/
where the "d" prefix marks an entry as part of the default ACL, here the entry for the owning user (the name field in "u::" is empty).
The dpns-setacl manpage can be useful.
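To review an ACL string before applying it, the short numeric specs shown above can be decoded into readable entries. The following is an added example, not part of the original wiki page or of DPM; the function names acl_explain and perm_to_rwx are hypothetical, and it assumes the one-digit permission form used on this page.

```sh
#!/bin/sh
# Added example (not from the GridPP page): decode the short ACL specs
# shown above, e.g. d:u::7 or u:jbloggs:7, into readable entries.
# Assumes one octal digit per entry; symbolic forms are not handled.

# Map one octal digit (0-7) to its rwx string; fail on anything else.
perm_to_rwx() {
    case "$1" in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) return 1 ;;
    esac
}

# Print "scope who perms" per entry; status 1 on the first bad entry.
# The body is a subshell so IFS and noglob do not leak to the caller.
acl_explain() (
    set -f; IFS=','
    for entry in $1; do
        scope=access; rest=$entry
        # A leading "d:" marks a default ACL entry.
        case "$rest" in d:*) scope=default; rest=${rest#d:} ;; esac
        type=${rest%%:*}                  # u, g, o or m
        perm=${rest##*:}                  # last field: permission digit
        name=${rest#*:}; name=${name%"$perm"}; name=${name%:}
        rwx=$(perm_to_rwx "$perm") || return 1
        case "$type" in
            u) who=${name:+user:$name};  who=${who:-owner} ;;
            g) who=${name:+group:$name}; who=${who:-owning-group} ;;
            o) who=other ;;
            m) who=mask ;;
            *) return 1 ;;
        esac
        # Flag write access for everyone outside the owner and group.
        case "$type$perm" in o[2367]) rwx="$rwx WORLD-WRITABLE" ;; esac
        printf '%s %s %s\n' "$scope" "$who" "$rwx"
    done
)

# The two specs from the page.
acl_explain 'd:u::7,d:g::7,d:o:5'
acl_explain 'd:u::5,u:jbloggs:7,u:ppecker:7'
```

Decoding the second spec shows that only the owner entry carries the "d:" prefix; the jbloggs and ppecker entries are access entries on the directory itself.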