author Vijay Bellur <vbellur@redhat.com> 2013-06-18 11:25:39 +0530
committer Anand Avati <avati@redhat.com> 2013-06-25 10:36:45 -0700
commit 183546aa2dbfe3371cf155800e2f70057e95e2bc
tree 1ffaa80066b451b47c6861aed34f659b220f834a /doc/admin-guide/en-US/markdown/admin_ACLs.md
parent fb064ec4e302e59aca9ba8a8d97e4cc2d82d31ef
doc: Move admin-guide to markdown format.

Editing markdown is probably easier than xml. pandoc can then be used for conversion to html, pdf and any other necessary formats.

Note that pandoc has the following input and output formats:

Input: markdown and (subsets of) Textile, reStructuredText, HTML, LaTeX, and DocBook XML.

Output: plain text, markdown, reStructuredText, XHTML, HTML 5, LaTeX (including beamer slide shows), ConTeXt, RTF, DocBook XML, OpenDocument XML, ODT, Word docx, GNU Texinfo, MediaWiki markup, EPUB, Textile, groff man pages, Emacs Org-Mode, AsciiDoc, and Slidy, Slideous, DZSlides, or S5 HTML slide shows. It can also produce PDF output on systems where LaTeX is installed.

All documentation changes can be submitted as changes to markdown and we can attempt a periodic documentation refresh on gluster.org.

Change-Id: I5dcf7f79184cd6b6d62ce7065d2faa352622f6ac
Reviewed-on: http://review.gluster.org/5232
Reviewed-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Reviewed-by: Krishnan Parthasarathi <kparthas@redhat.com>
Reviewed-by: Anand Avati <avati@redhat.com>
Tested-by: Anand Avati <avati@redhat.com>
Diffstat (limited to 'doc/admin-guide/en-US/markdown/admin_ACLs.md')
-rw-r--r-- doc/admin-guide/en-US/markdown/admin_ACLs.md 197
1 files changed, 197 insertions, 0 deletions
diff --git a/doc/admin-guide/en-US/markdown/admin_ACLs.md b/doc/admin-guide/en-US/markdown/admin_ACLs.md
new file mode 100644
index 00000000000..308e069ca50
--- /dev/null
+++ b/doc/admin-guide/en-US/markdown/admin_ACLs.md
@@ -0,0 +1,197 @@
+POSIX Access Control Lists
+==========================
+
+POSIX Access Control Lists (ACLs) allows you to assign different
+permissions for different users or groups even though they do not
+correspond to the original owner or the owning group.
+
+For example: User john creates a file but does not want to allow anyone
+to do anything with this file, except another user, antony (even though
+there are other users that belong to the group john).
+
+This means, in addition to the file owner, the file group, and others,
+additional users and groups can be granted or denied access by using
+POSIX ACLs.
+
+Activating POSIX ACLs Support
+=============================
+
+To use POSIX ACLs for a file or directory, the partition of the file or
+directory must be mounted with POSIX ACLs support.
+
+Activating POSIX ACLs Support on Sever
+--------------------------------------
+
+To mount the backend export directories for POSIX ACLs support, use the
+following command:
+
+`# mount -o acl `
+
+For example:
+
+`# mount -o acl /dev/sda1 /export1 `
+
+Alternatively, if the partition is listed in the /etc/fstab file, add
+the following entry for the partition to include the POSIX ACLs option:
+
+`LABEL=/work /export1 ext3 rw, acl 14 `
+
+Activating POSIX ACLs Support on Client
+---------------------------------------
+
+To mount the glusterfs volumes for POSIX ACLs support, use the following
+command:
+
+`# mount –t glusterfs -o acl `
+
+For example:
+
+`# mount -t glusterfs -o acl 198.192.198.234:glustervolume /mnt/gluster`
+
+Setting POSIX ACLs
+==================
+
+You can set two types of POSIX ACLs, that is, access ACLs and default
+ACLs. You can use access ACLs to grant permission for a specific file or
+directory. You can use default ACLs only on a directory but if a file
+inside that directory does not have an ACLs, it inherits the permissions
+of the default ACLs of the directory.
+
+You can set ACLs for per user, per group, for users not in the user
+group for the file, and via the effective right mask.
+
+Setting Access ACLs
+-------------------
+
+You can apply access ACLs to grant permission for both files and
+directories.
+
+**To set or modify Access ACLs**
+
+You can set or modify access ACLs use the following command:
+
+`# setfacl –m file `
+
+The ACL entry types are the POSIX ACLs representations of owner, group,
+and other.
+
+Permissions must be a combination of the characters `r` (read), `w`
+(write), and `x` (execute). You must specify the ACL entry in the
+following format and can specify multiple entry types separated by
+commas.
+
+ ACL Entry Description
+ ---------------------- --------------------------------------------------------------------------------------------------------------------------------------------------
+ u:uid:\<permission\> Sets the access ACLs for a user. You can specify user name or UID
+ g:gid:\<permission\> Sets the access ACLs for a group. You can specify group name or GID.
+ m:\<permission\> Sets the effective rights mask. The mask is the combination of all access permissions of the owning group and all of the user and group entries.
+ o:\<permission\> Sets the access ACLs for users other than the ones in the group for the file.
+
+If a file or directory already has an POSIX ACLs, and the setfacl
+command is used, the additional permissions are added to the existing
+POSIX ACLs or the existing rule is modified.
+
+For example, to give read and write permissions to user antony:
+
+`# setfacl -m u:antony:rw /mnt/gluster/data/testfile `
+
+Setting Default ACLs
+--------------------
+
+You can apply default ACLs only to directories. They determine the
+permissions of a file system objects that inherits from its parent
+directory when it is created.
+
+To set default ACLs
+
+You can set default ACLs for files and directories using the following
+command:
+
+`# setfacl –m –-set `
+
+For example, to set the default ACLs for the /data directory to read for
+users not in the user group:
+
+`# setfacl –m --set o::r /mnt/gluster/data `
+
+> **Note**
+>
+> An access ACLs set for an individual file can override the default
+> ACLs permissions.
+
+**Effects of a Default ACLs**
+
+The following are the ways in which the permissions of a directory's
+default ACLs are passed to the files and subdirectories in it:
+
+- A subdirectory inherits the default ACLs of the parent directory
+ both as its default ACLs and as an access ACLs.
+
+- A file inherits the default ACLs as its access ACLs.
+
+Retrieving POSIX ACLs
+=====================
+
+You can view the existing POSIX ACLs for a file or directory.
+
+**To view existing POSIX ACLs**
+
+- View the existing access ACLs of a file using the following command:
+
+ `# getfacl `
+
+ For example, to view the existing POSIX ACLs for sample.jpg
+
+ # getfacl /mnt/gluster/data/test/sample.jpg
+ # owner: antony
+ # group: antony
+ user::rw-
+ group::rw-
+ other::r--
+
+- View the default ACLs of a directory using the following command:
+
+ `# getfacl `
+
+ For example, to view the existing ACLs for /data/doc
+
+ # getfacl /mnt/gluster/data/doc
+ # owner: antony
+ # group: antony
+ user::rw-
+ user:john:r--
+ group::r--
+ mask::r--
+ other::r--
+ default:user::rwx
+ default:user:antony:rwx
+ default:group::r-x
+ default:mask::rwx
+ default:other::r-x
+
+Removing POSIX ACLs
+===================
+
+To remove all the permissions for a user, groups, or others, use the
+following command:
+
+`# setfacl -x `
+
+For example, to remove all permissions from the user antony:
+
+`# setfacl -x u:antony /mnt/gluster/data/test-file`
+
+Samba and ACLs
+==============
+
+If you are using Samba to access GlusterFS FUSE mount, then POSIX ACLs
+are enabled by default. Samba has been compiled with the
+`--with-acl-support` option, so no special flags are required when
+accessing or mounting a Samba share.
+
+NFS and ACLs
+============
+
+Currently we do not support ACLs configuration through NFS, i.e. setfacl
+and getfacl commands do not work. However, ACLs permissions set using
+Gluster Native Client is applicable on NFS mounts.
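
Review bot: several command examples cannot be typed as shown, because the conversion dropped their placeholder arguments and left en dashes where option hyphens belong. `# mount -o acl `, `# setfacl –m file `, `# getfacl ` and `# setfacl -x ` end where the device, ACL entry or path placeholder should be, and `mount –t glusterfs`, `setfacl –m` and `–-set` use "–" instead of "-". Please restore the placeholders in a form that markdown will not swallow and replace the en dashes with ASCII hyphens. Under "Setting Default ACLs", `setfacl –m --set o::r /mnt/gluster/data` combines `-m` with `--set` and has neither the `-d` option nor a `d:` prefix, so it does not address the directory's default ACL as the surrounding text says; `setfacl -d -m o::r /mnt/gluster/data` would match the description. The fstab example `LABEL=/work /export1 ext3 rw, acl 14` has a space inside the mount options and fuses the last two fields, presumably meant as `rw,acl 1 4`. The heading "Activating POSIX ACLs Support on Sever" should read "Server".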