DPM Filesystem Access Control Lists
From GridPP Wiki
DPM Access Control Lists
DPM supports (and, indeed, requires) access control lists on its namespace. These are POSIX-style, and can be read and set with the commands
dpns-getacl /dpm/domain.name/path/to/directory
and
dpns-setacl some-acl[,some-more-acl] /dpm/domain.name/path/to/directory
For example, YAIM autoconfigures the ACLs for supported VOs with the following commands:
dpns-chmod 775 /dpm
dpns-chmod 775 /dpm/domain.name
dpns-chmod 775 /dpm/domain.name/home
dpns-chmod 775 /dpm/domain.name/home/VO
dpns-entergrpmap --group VO
dpns-chown root:VO /dpm/domain.name/home/VO
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/domain.name
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/domain.name/home
dpns-setacl -m d:u::7,d:g::7,d:o:5 /dpm/domain.name/home/VO
which sets both the default user access mode (with dpns-chmod) to rwxrwxr-x, and also the default access control lists to rwxrwxr-x (with dpns-setacl).
Of course, ACLs are more flexible than chmod-based access control, so, for example, we could allow only users jbloggs and ppecker to have full permissions on a branch of the filesystem with
dpns-setacl -m d:u::5,u:jbloggs:7,u:ppecker:7 /dpm/domain.name/home/VO/stuff/jbloggs-special-area/
where the "d:" prefix marks an entry as part of the default ACL, here the entry for the default user.
The dpns-setacl manpage can be useful.
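To review an entry list before passing it to dpns-setacl -m, the following added example (not part of the original wiki page or of DPM) decodes the lists used above into one readable line per entry. The function names perm_to_rwx and explain_acl are hypothetical, and the script assumes only the entry forms that appear on this page, with the "d:" prefix applying per entry as it does in setfacl.

```shell
#!/bin/sh
# Added example: decode a dpns-setacl entry list into readable lines.
# Assumption: handles only the entry forms shown on this page:
#   [d:]u:[name]:N  [d:]g:[name]:N  [d:]o:N  [d:]o::N   (N = octal digit 0-7)
# and treats the "d:" prefix per entry, as setfacl does.

# perm_to_rwx N: print the rwx string for one octal digit, fail otherwise
perm_to_rwx() {
    case "$1" in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) return 1 ;;
    esac
}

# explain_acl SPEC: print "scope kind name perms" per entry; non-zero if malformed
explain_acl() {
    old_ifs=$IFS; IFS=','; set -f
    set -- $1                      # split the list on commas
    set +f; IFS=$old_ifs
    [ $# -gt 0 ] || return 1       # an empty list is rejected
    for entry in "$@"; do
        scope=access; rest=$entry
        case "$rest" in d:*) scope=default; rest=${rest#d:} ;; esac
        tag=${rest%%:*}; tail=${rest#*:}
        case "$tail" in
            *:*) name=${tail%%:*}; perm=${tail#*:} ;;
            *)   [ "$tag" = o ] || return 1   # two-field form only seen for "o"
                 name=; perm=$tail ;;
        esac
        case "$tag" in
            u) kind=user;  [ -n "$name" ] || name='<owner>' ;;
            g) kind=group; [ -n "$name" ] || name='<owning-group>' ;;
            o) kind=other; [ -z "$name" ] || return 1; name='-' ;;
            *) return 1 ;;
        esac
        rwx=$(perm_to_rwx "$perm") || return 1
        printf '%s %s %s %s\n' "$scope" "$kind" "$name" "$rwx"
    done
}

# The two entry lists used on this page
explain_acl 'd:u::7,d:g::7,d:o:5'
explain_acl 'd:u::5,u:jbloggs:7,u:ppecker:7'
```

Under that reading, the second list decodes to one default entry for the owner and two access entries for the named users, which is worth confirming with dpns-getacl after the change.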