Inheritance of ACEs by newly created objects.
1) New non-directory file created
Table 1. Flags placed on an ACE of the parent directory (one combination per column) and the flags placed on the ACE of a newly created non-directory file (last row):

| flag placed on ACE of parent directory | fdo | fd | fo | f | do | d | (none) | o |
|---|---|---|---|---|---|---|---|---|
| FILE_INHERIT (f) | x | x | x | x | - | - | - | - |
| DIRECTORY_INHERIT (d) | x | x | - | - | x | x | - | - |
| INHERIT_ONLY (o) | x | - | x | - | x | - | - | x |
| flags placed on ACE of child file | 0 (*) | 0 (*) | 0 (*) | 0 (*) | nothing to inherit | nothing to inherit | nothing to inherit | failure (**) |
2) New directory created
Table 2. Flags placed on an ACE of the parent directory (one combination per column) and the flags placed on the ACE of a newly created directory (last row):

| flag placed on ACE of parent directory | fdo | fd | fo | f | do | d | (none) | o |
|---|---|---|---|---|---|---|---|---|
| FILE_INHERIT (f) | x | x | x | x | - | - | - | - |
| DIRECTORY_INHERIT (d) | x | x | - | - | x | x | - | - |
| INHERIT_ONLY (o) | x | - | x | - | x | - | - | x |
| flags placed on ACE of child directory | FILE_INHERIT + DIRECTORY_INHERIT (*), (***) | FILE_INHERIT + DIRECTORY_INHERIT (*), (***) | FILE_INHERIT (*) | FILE_INHERIT (*) | DIRECTORY_INHERIT (***) | DIRECTORY_INHERIT (***) | nothing to inherit | failure (**) |
(*) Any non-directory file created in any sub-directory inherits the parent ACE (with all bits in the flags cleared).
(**) If the INHERIT_ONLY flag is present on an ACE, but neither DIRECTORY_INHERIT nor FILE_INHERIT is present, then an operation attempting to set such an attribute SHOULD fail with NFS4ERR_ATTRNOTSUPP.
(***) The ACE is added to each newly created directory. If the INHERIT_ONLY flag is present on an ACE, then such ACEs only take effect once they are applied (with this bit cleared) to newly created files and directories as specified by the FILE_INHERIT and DIRECTORY_INHERIT flags. If the DIRECTORY_INHERIT flag is set in an ACE in an ACL attribute to be set on a non-directory file system object, the operation attempting to set the ACL SHOULD fail with NFS4ERR_ATTRNOTSUPP.
Remark:
In the examples provided below, the output of the commands setfacl and getfacl is shown in a special self-explanatory format (for better understanding), which differs from the real-life format. For example, in the real-life format the command setfacl ends with "Done" in case of success:
```
[sample.org] (acladmin) admin > setfacl /pnfs/example.org/data/dteam/TESTDIR USER:18118:+fslD
Done
[sample.org] (acladmin) admin >
```
Examples for Table 1.
1. If an ACE of the parent directory has any of these flags: fdo, fd, fo, f, then this ACE will be inherited by a new file created in this directory.
Let us set the ACL for directory TESTDIR (using acladmin from the Admin Interface) as follows:
```
[reagan.desy.de] (acladmin) admin > setfacl /pnfs/example.org/data/dteam/TESTDIR USER:18118:+fslD USER:22222:+rwnNtTdcCo:fdo USER:33333:+rwnNtcCo:fd USER:44444:+rwnTdcCo:fo USER:55555:+rwnNtCo:f
Newly set ACL: rsId = 000029B2981B90174DDA8DC16D8CEEDDAB87, rsType = DIR
order = 0, type = A, accessMsk = lfsD, who = USER, whoID = 18118
order = 1, type = A, flags = fdo, accessMsk = lfnNtTdcCo, who = USER, whoID = 22222
order = 2, type = A, flags = fd, accessMsk = lfnNtcCo, who = USER, whoID = 33333
order = 3, type = A, flags = fo, accessMsk = lfnTdcCo, who = USER, whoID = 44444
order = 4, type = A, flags = f, accessMsk = lfnNtCo, who = USER, whoID = 55555
[reagan.desy.de] (acladmin) admin >
```
Then for any file copied to this directory the following ACL will be created:
```
[reagan.desy.de] (acladmin) admin > getfacl /pnfs/example.org/data/dteam/TESTDIR/newTestFile
ACL: rsId = 0000107DACE50B4E49F59BC007F06F8382F7, rsType = FILE
order = 0, type = A, accessMsk = rwnNtTdcCo, who = USER, whoID = 22222
order = 1, type = A, accessMsk = rwnNtcCo, who = USER, whoID = 33333
order = 2, type = A, accessMsk = rwnTdcCo, who = USER, whoID = 44444
order = 3, type = A, accessMsk = rwnNtCo, who = USER, whoID = 55555
[reagan.desy.de] (acladmin) admin >
```
2. If an ACE of the parent directory has any of these flags: do, d, then this ACE will NOT be inherited by a new file created in this directory.
```
[reagan.desy.de] (acladmin) admin > setfacl /pnfs/example.org/data/dteam/TESTDIR2 USER:18118:+fslD USER:77777:+NtTdco:do USER:88888:+rwTdco:d
Newly set ACL: rsId = 000029B2981B90174DDA8DC16D8CEEDDAB87, rsType = DIR
order = 0, type = A, accessMsk = lfsD, who = USER, whoID = 18118
order = 1, type = A, flags = do, accessMsk = NtTdco, who = USER, whoID = 77777
order = 2, type = A, flags = d, accessMsk = lfTdco, who = USER, whoID = 88888
[reagan.desy.de] (acladmin) admin >
```
No ACEs were inherited, so no ACL exists for the newly created file:
```
[reagan.desy.de] (acladmin) admin > getfacl /pnfs/example.org/data/dteam/TESTDIR2/TestFile
ACL for the object rsId = 0000A4654394C2CF43729CD4560A136366DF does not exist.
[reagan.desy.de] (acladmin) admin >
```
Obviously, if an ACE of the parent directory has no flags, then this ACE is not inherited.
3. If an ACE of the parent directory has only the flag o, this is actually a failure as described in (**), but for now, for convenience, it is treated in the same way as the flags do or d or no flags. That is, there is no ACE inheritance (no ACL is created for a new file in this directory).
Examples for Table 2.
1. If an ACE of the parent directory has the flags fdo or fd, then a newly created subdirectory will inherit this ACE with the flags fd set.
Let us set the ACL for directory TESTDIR3 as follows:
```
(acladmin) admin > setfacl pnfs/example.org/data/dteam/TESTDIR3 USER:18118:+fslDd:fdo USER:11111:+rwnNtTdcCo:fd USER:22222:-nNtTc:fd
Newly set ACL: rsId = 0000C44AE2EB99004200BE0A6AE74E29BDB1, rsType = DIR
order = 0, type = A, flags = fdo, accessMsk = lfsDd, who = USER, whoID = 18118
order = 1, type = A, flags = fd, accessMsk = lfnNtTdcCo, who = USER, whoID = 11111
order = 2, type = D, flags = fd, accessMsk = nNtTc, who = USER, whoID = 22222
(acladmin) admin >
```
Then for any subdirectory created in this directory the following ACL will be created:
```
(acladmin) admin > getfacl /pnfs/example.org/data/dteam/TESTDIR3/SubDir1
ACL: rsId = 0000569FDDA3103F435295C69C3E51AB3557, rsType = DIR
order = 0, type = A, flags = fd, accessMsk = lfsDd, who = USER, whoID = 18118
order = 1, type = A, flags = fd, accessMsk = lfnNtTdcCo, who = USER, whoID = 11111
order = 2, type = D, flags = fd, accessMsk = nNtTc, who = USER, whoID = 22222
(acladmin) admin >
```
2. If an ACE of the parent directory has the flags fo or f, then a newly created subdirectory will inherit this ACE with the flag f set. The ACL of the parent directory TESTDIR2 is set to:
```
(acladmin) admin > setfacl /pnfs/example.org/data/dteam/TESTDIR2 USER:18118:+rwxd:fo USER:11111:-wxd:f
Newly set ACL: rsId = 0000C44AE2EB99004200BE0A6AE74E29BDB1, rsType = DIR
order = 0, type = A, flags = fo, accessMsk = lfxd, who = USER, whoID = 18118
order = 1, type = D, flags = f, accessMsk = fxd, who = USER, whoID = 11111
(acladmin) admin >
```
All created subdirectories will inherit these ACEs with flags set to f:
```
(acladmin) admin > getfacl /pnfs/example.org/data/dteam/TESTDIR2/SubDir3
ACL: rsId = 0000B23B1827657247EEB128F7684251E8E7, rsType = DIR
order = 0, type = A, flags = f, accessMsk = lfxd, who = USER, whoID = 18118
order = 1, type = D, flags = f, accessMsk = fxd, who = USER, whoID = 11111
(acladmin) admin >
```
3. If an ACE of the parent directory has the flags do or d, then a newly created subdirectory will inherit this ACE with the flag d set. The ACL of the parent directory TESTDIR2 is set to:
```
(acladmin) admin > setfacl /pnfs/example.org/data/dteam/TESTDIR2 USER:18118:+lsfdD:do USER:11111:+lsf:d
Newly set ACL: rsId = 0000C44AE2EB99004200BE0A6AE74E29BDB1, rsType = DIR
order = 0, type = A, flags = do, accessMsk = lfsDd, who = USER, whoID = 18118
order = 1, type = A, flags = d, accessMsk = lfs, who = USER, whoID = 11111
(acladmin) admin >
```
All created subdirectories will inherit these ACEs with flags set to d:
```
(acladmin) admin > getfacl /pnfs/example.org/data/dteam/TESTDIR2/SubDir4
ACL: rsId = 0000285BD119D8254BAA82069A22097A46D6, rsType = DIR
order = 0, type = A, flags = d, accessMsk = lfsDd, who = USER, whoID = 18118
order = 1, type = A, flags = d, accessMsk = lfs, who = USER, whoID = 11111
(acladmin) admin >
```
4. Obviously, if an ACE of the parent directory has no flags, then this ACE is not inherited.
5. If an ACE of the parent directory has only the flag o, this is actually a failure as described in (**), but for now, for convenience, it is treated in the same way as no flags. That is, there is no ACE inheritance (no ACL is created for a new subdirectory in this directory).
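The inheritance rules of Tables 1 and 2, together with the two "SHOULD fail with NFS4ERR_ATTRNOTSUPP" cases of footnotes (**) and (***), as an added Python model written for this page (example code, not dCache's own implementation). The `Ace` class and the functions `parse_ace`, `inherit` and `validate_ace` are this example's own names; the ACE operand syntax it parses is the `USER:id:+mask:flags` form used by setfacl above, and it reproduces the child ACLs of the TESTDIR, TESTDIR2 and TESTDIR3 examples.

```python
from dataclasses import dataclass
from typing import List

F, D, O = "f", "d", "o"  # FILE_INHERIT, DIRECTORY_INHERIT, INHERIT_ONLY

@dataclass
class Ace:
    type: str        # "A" (allow) or "D" (deny)
    who: str         # e.g. "USER:22222"
    access: str      # access mask letters as given to setfacl, e.g. "rwnNtTdcCo"
    flags: str = ""  # subset of "fdo"

def parse_ace(spec: str) -> Ace:
    """Parse one setfacl operand such as 'USER:22222:+rwnNtTdcCo:fdo'."""
    parts = spec.split(":")
    if len(parts) not in (3, 4) or not parts[2] or parts[2][0] not in "+-":
        raise ValueError(f"malformed ACE: {spec}")
    flags = parts[3] if len(parts) == 4 else ""
    if set(flags) - {F, D, O}:
        raise ValueError(f"unknown inheritance flag in: {spec}")
    return Ace("A" if parts[2][0] == "+" else "D", f"{parts[0]}:{parts[1]}",
               parts[2][1:], flags)

def validate_ace(ace: Ace, target_is_dir: bool) -> None:
    """Footnotes (**) and (***): ACEs a compliant server SHOULD reject with
    NFS4ERR_ATTRNOTSUPP when an ACL containing them is set on the given object."""
    if O in ace.flags and F not in ace.flags and D not in ace.flags:
        raise ValueError("NFS4ERR_ATTRNOTSUPP: 'o' without 'f' or 'd'")
    if D in ace.flags and not target_is_dir:
        raise ValueError("NFS4ERR_ATTRNOTSUPP: 'd' on a non-directory object")

def inherit(parent_acl: List[Ace], child_is_dir: bool) -> List[Ace]:
    """Compute the ACL of a new child object from its parent's ACL.
    ACE order is preserved; an 'o'-only ACE falls through, i.e. it is treated
    as "nothing to inherit", which is the current dCache behaviour described above."""
    child: List[Ace] = []
    for ace in parent_acl:
        if child_is_dir:
            if D in ace.flags:        # Table 2: fdo/fd -> fd, do/d -> d
                new_flags = F + D if F in ace.flags else D
            elif F in ace.flags:      # Table 2: fo/f -> f
                new_flags = F
            else:
                continue              # Table 2: none/o -> nothing to inherit
        elif F in ace.flags:          # Table 1: fdo/fd/fo/f -> inherited, flags cleared
            new_flags = ""
        else:
            continue                  # Table 1: do/d/none/o -> nothing to inherit
        child.append(Ace(ace.type, ace.who, ace.access, new_flags))
    return child
```

`inherit` gives the ACL a new object ends up with; `validate_ace` is the stricter check a server applies at setfacl time, so an ACL that passes `validate_ace` for a directory never hits the "failure (**)" column of either table.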
Last Modified by Irina @ Wed Mar 3 07:02:25 2021