DPM Filesystem Access Control Lists

From GridPP Wiki
Revision as of 15:43, 26 October 2009 by Samuel skipsey (Talk | contribs)


DPM Access Control Lists

DPM supports (and, indeed, requires) access control lists on its namespace. These follow the POSIX ACL model and can be read and set with the commands

dpns-getacl /dpm/domain.name/path/to/directory

and

dpns-setacl some-acl[,some-more-acl] /dpm/domain.name/path/to/directory


For example, YAIM autoconfigures the ACLs for supported VOs with the following commands:

dpns-chmod 775 /dpm
dpns-chmod 775 /dpm/domain.name
dpns-chmod 775 /dpm/domain.name/home
dpns-chmod 775 /dpm/domain.name/home/VO
dpns-entergrpmap --group VO
dpns-chown root:VO /dpm/domain.name/home/VO
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/domain.name
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/domain.name/home
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/domain.name/home/VO

which sets the access mode of each directory (with dpns-chmod) to rwxrwxr-x, and also the default ACL that new entries created beneath them inherit (with dpns-setacl; the d: prefix marks a default entry) to the same rwxrwxr-x.

Of course, ACLs are more flexible than chmod-based access control, so, for example, we could allow only users jbloggs and ppecker to have full permissions on a branch of the filesystem with

dpns-setacl -m d:u::5,u:jbloggs:7,u:ppecker:7 /dpm/domain.name/home/VO/stuff/jbloggs-special-area/

where the "d:" prefix marks a default ACL entry (inherited by files and directories created under the branch) and "u::" with an empty qualifier refers to the directory's owner; the u:jbloggs and u:ppecker entries, which carry no "d:", apply to the directory itself.
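To make the entry syntax on this page concrete, here is an added example (not code from the GridPP page or from the DPM project) that parses dpns-setacl entry strings such as d:u::7,d:g::7,d:o:5, applies the -m "modify" semantics, renders the rwxrwxr-x string the page works out by hand, and shows what a given user ends up with. Entry precedence and the mask cap on named users are assumed to follow POSIX.1e ACLs, which the DPM namespace models; the user names, groups and the m:5 mask entry are constructed.

```python
# Added example (not from the GridPP page or the DPM project): parse the entry
# syntax dpns-setacl uses on this page and evaluate it. Entry precedence and
# mask handling are ASSUMED to follow POSIX.1e ACLs, which DPM's namespace models.
from dataclasses import dataclass
from functools import reduce
RWX = ["---", "--x", "-w-", "-wx", "r--", "r-x", "rw-", "rwx"]

@dataclass(frozen=True)
class Entry:
    default: bool   # "d:" prefix: inherited by new children, not the access ACL
    tag: str        # u (user), g (group), m (mask) or o (other)
    qualifier: str  # "" for the owning user/group (u:: / g::), else a name
    perms: int      # one octal digit, as dpns-setacl accepts

def parse_acl(spec):
    """Split a comma-separated dpns-setacl specification into Entry objects."""
    entries = []
    for item in spec.split(","):
        fields = item.split(":")
        default = fields[0] == "d"
        tag, perms = fields[int(default)], int(fields[-1])
        qualifier = fields[-2] if len(fields) - default == 3 else ""  # "o:5": none
        entries.append(Entry(default, tag, qualifier, perms))
    return entries

def modify(existing, changes):
    """dpns-setacl -m semantics: replace entries with the same key, add the rest."""
    merged = {(e.default, e.tag, e.qualifier): e for e in existing}
    merged.update({(e.default, e.tag, e.qualifier): e for e in changes})
    return list(merged.values())

def mode_string(entries, default=False):
    """Render owner/group/other as rwxrwxr-x, as the page does by hand."""
    base = {e.tag: e.perms for e in entries
            if e.default == default and e.qualifier == "" and e.tag != "m"}
    return "".join(RWX[base.get(t, 0)] for t in "ugo")

def effective_perms(entries, user, groups, owner, owning_group):
    """Octal perms `user` (member of `groups`) gets from the access ACL."""
    acl = [e for e in entries if not e.default]
    mask = next((e.perms for e in acl if e.tag == "m"), 7)  # no mask entry: no cap
    find = lambda tag, q: [e.perms for e in acl if e.tag == tag and e.qualifier == q]
    if user == owner:
        return (find("u", "") or [0])[0]           # owner entry is never masked
    if find("u", user):
        return find("u", user)[0] & mask           # named users are capped by the mask
    grp = [p for g in groups for p in find("g", "" if g == owning_group else g)]
    if grp:
        return reduce(lambda a, b: a | b, grp) & mask  # union of matching groups
    return (find("o", "") or [0])[0]
```

Feeding it the YAIM entries from above and then the jbloggs/ppecker modification shows that the named users get rwx on the directory itself while its default owner entry drops to r-x; adding a constructed m:5 mask entry caps both named users at r-x, which is the check worth running before trusting a hand-written ACL.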

The dpns-setacl manpage can be useful.