wiki:ACLInheritance
Last modified on 01/07/09 17:33:13

Inheritance of ACEs by newly created objects.

1) New non-directory file created

Table 1.

  flags placed on ACE of parent directory                     flags placed on ACE of child file
  FILE_INHERIT (f)   DIRECTORY_INHERIT (d)   INHERIT_ONLY (o)
  x                  x                       x                 0 (*)
  x                  x                       -                 0 (*)
  x                  -                       x                 0 (*)
  x                  -                       -                 0 (*)
  -                  x                       x                 -  (nothing to inherit)
  -                  x                       -                 -  (nothing to inherit)
  -                  -                       -                 -  (nothing to inherit)
  -                  -                       x                 failure (**)

  "0": the ACE is inherited with all flag bits cleared. "-": no ACE is inherited.

2) New directory created

Table 2.

  flags placed on ACE of parent directory                     flags placed on ACE of child directory
  FILE_INHERIT (f)   DIRECTORY_INHERIT (d)   INHERIT_ONLY (o)
  x                  x                       x                 FILE_INHERIT + DIRECTORY_INHERIT (*), (***)
  x                  x                       -                 FILE_INHERIT + DIRECTORY_INHERIT (*), (***)
  x                  -                       x                 FILE_INHERIT (*)
  x                  -                       -                 FILE_INHERIT (*)
  -                  x                       x                 DIRECTORY_INHERIT (***)
  -                  x                       -                 DIRECTORY_INHERIT (***)
  -                  -                       -                 -  (nothing to inherit)
  -                  -                       x                 failure (**)

  "-": no ACE is inherited. In every other row the INHERIT_ONLY bit is cleared on the child's copy of the ACE.

(*) The ACE is added to each new non-directory file, with all flag bits cleared. Since a new subdirectory keeps FILE_INHERIT on its copy of the ACE (Table 2), non-directory files created in any subdirectory get it as well.

(**) If the INHERIT_ONLY flag is present on an ACE but neither DIRECTORY_INHERIT nor FILE_INHERIT is present, an operation attempting to set such an attribute SHOULD fail with NFS4ERR_ATTRNOTSUPP.

(***) The ACE is added to each new directory created. If the INHERIT_ONLY flag is present on an ACE, the ACE does not apply to the directory it is set on; it only takes effect once it has been applied (with this bit cleared) to newly created files and directories as specified by the FILE_INHERIT and DIRECTORY_INHERIT flags. If the DIRECTORY_INHERIT flag is set in an ACE of an ACL to be set on a non-directory file system object, the operation attempting to set the ACL SHOULD fail with NFS4ERR_ATTRNOTSUPP.
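The decision encoded in Tables 1 and 2 and in footnotes (*) to (***), as an added example in Python; this is not dCache code. It parses ACEs in the acladmin notation used in the examples on this page (WHO:ID:{+|-}MASK[:FLAGS]), applies the set-time checks of (**) and (***), derives a child's ACL from its parent's, and prints it in the page's getfacl format. Two things it assumes beyond what the page states: that the directory letters l/f/s name the same NFSv4 bits as the file letters r/w/a (LIST_DIRECTORY is READ_DATA, ADD_FILE is WRITE_DATA, ADD_SUBDIRECTORY is APPEND_DATA), and that a mask is printed in bit order; together these explain why a mask set as rwnNtTdcCo on a directory is listed as lfnNtTdcCo and reappears as rwnNtTdcCo on an inherited file ACE. The ACL of TESTDIR in demo() is constructed from the page's own Table 1 example.

```python
"""Model of the ACE inheritance rules in Tables 1 and 2 (added example, not dCache code).

Assumptions not taken from the page: the l/f/s directory letters are the same NFSv4
bits as the r/w/a file letters, and getfacl prints a mask in bit order.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

# Mask letters in NFSv4 bit order, using the directory spelling of the shared bits.
_DIR_ORDER = "lfsnNxDtTdcCo"
_TO_DIR = str.maketrans("rwa", "lfs")
_TO_FILE = str.maketrans("lfs", "rwa")


class AclError(Exception):
    """Raised where the tables say 'failure' (the server would return NFS4ERR_ATTRNOTSUPP)."""


@dataclass(frozen=True)
class Ace:
    who: str         # "USER", "GROUP", ...
    who_id: int
    ace_type: str    # "A" allow or "D" deny
    mask: str        # access mask letters, e.g. "rwnNtTdcCo"
    flags: str = ""  # subset of "fdo"

    def render(self, order: int) -> str:
        """One getfacl output line in the format used on this page."""
        flags = f"flags = {self.flags}, " if self.flags else ""
        return (f"order = {order}, type = {self.ace_type}, {flags}"
                f"accessMsk = {self.mask}, who = {self.who}, whoID = {self.who_id}")


def normalize_mask(mask: str, for_dir: bool) -> str:
    """Spell the shared bits for the object type and sort the letters by bit position."""
    as_dir = mask.translate(_TO_DIR)
    unknown = set(as_dir) - set(_DIR_ORDER)
    if unknown:
        raise ValueError(f"unknown access mask letter(s) {sorted(unknown)} in {mask!r}")
    ordered = "".join(ch for ch in _DIR_ORDER if ch in as_dir)
    return ordered if for_dir else ordered.translate(_TO_FILE)


def parse_ace(text: str) -> Ace:
    """Parse 'USER:22222:+rwnNtTdcCo:fdo'; the mask is kept as typed until set_acl()."""
    parts = text.split(":")
    if len(parts) not in (3, 4) or parts[2][:1] not in "+-" or len(parts[2]) < 2:
        raise ValueError(f"bad ACE syntax: {text!r}")
    flags = parts[3] if len(parts) == 4 else ""
    if set(flags) - set("fdo"):
        raise ValueError(f"unknown inheritance flag in {text!r}")
    ace_type = "A" if parts[2][0] == "+" else "D"
    return Ace(parts[0], int(parts[1]), ace_type, parts[2][1:], flags)


def set_acl(aces: list[Ace], target_is_dir: bool) -> list[Ace]:
    """What setfacl should do: reject the cases of (**) and (***), then store normalized ACEs."""
    for ace in aces:
        if "o" in ace.flags and not ({"f", "d"} & set(ace.flags)):
            raise AclError(f"NFS4ERR_ATTRNOTSUPP: INHERIT_ONLY without f or d: {ace}")
        if "d" in ace.flags and not target_is_dir:
            raise AclError(f"NFS4ERR_ATTRNOTSUPP: DIRECTORY_INHERIT on a non-directory: {ace}")
    return [replace(a, mask=normalize_mask(a.mask, target_is_dir)) for a in aces]


def inherited_flags(parent_flags: str, child_is_dir: bool) -> str | None:
    """Flags on the child's copy of the ACE, or None when there is nothing to inherit.

    This is the 'flags placed on ACE of child' column of Table 1 (files) and Table 2
    (directories). A lone 'o' never gets here when set_acl() was used; if it does, it
    is treated like no flags, which is what the page says dCache currently does.
    """
    f, d = "f" in parent_flags, "d" in parent_flags
    if not child_is_dir:
        return "" if f else None  # Table 1: inherited with all flag bits cleared
    kept = ("f" if f else "") + ("d" if d else "")  # Table 2: f/d kept, 'o' dropped
    return kept or None


def child_acl(parent: list[Ace], child_is_dir: bool) -> list[Ace]:
    """ACL of a newly created child, derived from its parent directory's (normalized) ACL."""
    result = []
    for ace in parent:
        flags = inherited_flags(ace.flags, child_is_dir)
        if flags is None:
            continue
        result.append(replace(ace, mask=normalize_mask(ace.mask, child_is_dir), flags=flags))
    return result


def render_acl(aces: list[Ace]) -> list[str]:
    return [ace.render(i) for i, ace in enumerate(aces)]


def demo() -> list[str]:
    """Table 1, example 1: TESTDIR's ACL (constructed from the page) applied to a new file."""
    testdir = set_acl([parse_ace(s) for s in (
        "USER:18118:+fslD", "USER:22222:+rwnNtTdcCo:fdo", "USER:33333:+rwnNtcCo:fd",
        "USER:44444:+rwnTdcCo:fo", "USER:55555:+rwnNtCo:f")], target_is_dir=True)
    return render_acl(child_acl(testdir, child_is_dir=False))


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the module prints the four-ACE file ACL of the first Table 1 example. The strict check for a lone o flag lives in set_acl(), where the RFC text places it; inherited_flags() on its own treats such an ACE as having no flags, which is the current dCache behaviour described under Table 1 item 3 and Table 2 item 5. Note that for a new subdirectory the INHERIT_ONLY bit is dropped from the copy in every inheriting row of Table 2, so an ACE that was fo on the parent is in force on the subdirectory itself.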

Examples for Table 1.
Remark:

In the examples below, the output of the setfacl and getfacl commands is shown in a simplified, self-explanatory format that differs from what the commands actually print. For example, in the real output setfacl just ends with "Done" on success:

[sample.org] (acladmin) admin > setfacl /pnfs/example.org/data/dteam/TESTDIR USER:18118:+fslD
Done
[sample.org] (acladmin) admin > 

1. If an ACE of the parent directory has any of the flag combinations fdo, fd, fo or f, it is inherited by a new file created in that directory.
Let us set the ACL of directory TESTDIR (using acladmin from the Admin Interface) as follows:

[reagan.desy.de] (acladmin) admin > setfacl /pnfs/example.org/data/dteam/TESTDIR USER:18118:+fslD USER:22222:+rwnNtTdcCo:fdo USER:33333:+rwnNtcCo:fd USER:44444:+rwnTdcCo:fo USER:55555:+rwnNtCo:f
Newly set ACL: rsId = 000029B2981B90174DDA8DC16D8CEEDDAB87, rsType = DIR
order = 0, type = A, accessMsk = lfsD, who = USER, whoID = 18118
order = 1, type = A, flags = fdo, accessMsk = lfnNtTdcCo, who = USER, whoID = 22222
order = 2, type = A, flags = fd, accessMsk = lfnNtcCo, who = USER, whoID = 33333
order = 3, type = A, flags = fo, accessMsk = lfnTdcCo, who = USER, whoID = 44444
order = 4, type = A, flags = f, accessMsk = lfnNtCo, who = USER, whoID = 55555
[reagan.desy.de] (acladmin) admin >

Then any file copied into this directory gets the following ACL (the ACE of user 18118, which has no flags, is not inherited, and the four inherited ACEs carry no flags at all):

[reagan.desy.de] (acladmin) admin > getfacl  /pnfs/example.org/data/dteam/TESTDIR/newTestFile
ACL: rsId = 0000107DACE50B4E49F59BC007F06F8382F7, rsType = FILE
order = 0, type = A, accessMsk = rwnNtTdcCo, who = USER, whoID = 22222
order = 1, type = A, accessMsk = rwnNtcCo, who = USER, whoID = 33333
order = 2, type = A, accessMsk = rwnTdcCo, who = USER, whoID = 44444
order = 3, type = A, accessMsk = rwnNtCo, who = USER, whoID = 55555
[reagan.desy.de] (acladmin) admin >

2. If an ACE of the parent directory has flags do or d, it is NOT inherited by a new file created in that directory.

[reagan.desy.de] (acladmin) admin > setfacl /pnfs/example.org/data/dteam/TESTDIR2 USER:18118:+fslD USER:77777:+NtTdco:do USER:88888:+rwTdco:d
Newly set ACL: rsId = 000029B2981B90174DDA8DC16D8CEEDDAB87, rsType = DIR
order = 0, type = A, accessMsk = lfsD, who = USER, whoID = 18118
order = 1, type = A, flags = do, accessMsk = NtTdco, who = USER, whoID = 77777
order = 2, type = A, flags = d, accessMsk = lfTdco, who = USER, whoID = 88888
[reagan.desy.de] (acladmin) admin >

No ACEs were inherited, so the new file has no ACL at all:

[reagan.desy.de] (acladmin) admin > getfacl  /pnfs/example.org/data/dteam/TESTDIR2/TestFile
ACL for the object rsId = 0000A4654394C2CF43729CD4560A136366DF  does not exist.
[reagan.desy.de] (acladmin) admin >

If an ACE of the parent directory has no flags, it is not inherited either (user 18118 in both examples above).

3. If an ACE of the parent directory has only flag o, setting it is actually a failure as described in (**), but for now, for convenience, it is treated like do, d or no flags: no ACE is inherited, and no ACL is created for a new file in this directory.

Examples for Table 2.

1. If an ACE of the parent directory has flags fdo or fd, a newly created subdirectory inherits it with flags fd. INHERIT_ONLY is cleared on the copy, so the ACE is in force on the subdirectory itself and is passed on to the subdirectory's own children.
Let us set the ACL of directory TESTDIR3 as follows:

(acladmin) admin > setfacl /pnfs/example.org/data/dteam/TESTDIR3 USER:18118:+fslDd:fdo USER:11111:+rwnNtTdcCo:fd USER:22222:-nNtTc:fd
Newly set ACL: rsId = 0000C44AE2EB99004200BE0A6AE74E29BDB1, rsType = DIR
order = 0, type = A, flags = fdo, accessMsk = lfsDd, who = USER, whoID = 18118
order = 1, type = A, flags = fd, accessMsk = lfnNtTdcCo, who = USER, whoID = 11111
order = 2, type = D, flags = fd, accessMsk = nNtTc, who = USER, whoID = 22222
(acladmin) admin >

Then any subdirectory created in this directory gets the following ACL:

(acladmin) admin > getfacl /pnfs/example.org/data/dteam/TESTDIR3/SubDir1
ACL: rsId = 0000569FDDA3103F435295C69C3E51AB3557, rsType = DIR
order = 0, type = A, flags = fd, accessMsk = lfsDd, who = USER, whoID = 18118
order = 1, type = A, flags = fd, accessMsk = lfnNtTdcCo, who = USER, whoID = 11111
order = 2, type = D, flags = fd, accessMsk = nNtTc, who = USER, whoID = 22222
(acladmin) admin >

2. If an ACE of the parent directory has flags fo or f, a newly created subdirectory inherits it with flag f. Note that the INHERIT_ONLY bit of an fo ACE is dropped as well, so an ACE that was meant to apply only to files is in force on the subdirectory itself. The ACL of parent directory TESTDIR2 is set to:

(acladmin) admin > setfacl /pnfs/example.org/data/dteam/TESTDIR2 USER:18118:+rwxd:fo USER:11111:-wxd:f
Newly set ACL: rsId = 0000C44AE2EB99004200BE0A6AE74E29BDB1, rsType = DIR
order = 0, type = A, flags = fo, accessMsk = lfxd, who = USER, whoID = 18118
order = 1, type = D, flags = f, accessMsk = fxd, who = USER, whoID = 11111
(acladmin) admin >

All subdirectories created there inherit these ACEs with flags set to f:

(acladmin) admin > getfacl /pnfs/example.org/data/dteam/TESTDIR2/SubDir3
ACL: rsId = 0000B23B1827657247EEB128F7684251E8E7, rsType = DIR
order = 0, type = A, flags = f, accessMsk = lfxd, who = USER, whoID = 18118
order = 1, type = D, flags = f, accessMsk = fxd, who = USER, whoID = 11111
(acladmin) admin >

3. If an ACE of the parent directory has flags do or d, a newly created subdirectory inherits it with flag d. The ACL of parent directory TESTDIR2 is set to:

(acladmin) admin > setfacl /pnfs/example.org/data/dteam/TESTDIR2 USER:18118:+lsfdD:do USER:11111:+lsf:d
Newly set ACL: rsId = 0000C44AE2EB99004200BE0A6AE74E29BDB1, rsType = DIR
order = 0, type = A, flags = do, accessMsk = lfsDd, who = USER, whoID = 18118
order = 1, type = A, flags = d, accessMsk = lfs, who = USER, whoID = 11111
(acladmin) admin >

All subdirectories created there inherit these ACEs with flags set to d:

(acladmin) admin > getfacl /pnfs/example.org/data/dteam/TESTDIR2/SubDir4
ACL: rsId = 0000285BD119D8254BAA82069A22097A46D6, rsType = DIR
order = 0, type = A, flags = d, accessMsk = lfsDd, who = USER, whoID = 18118
order = 1, type = A, flags = d, accessMsk = lfs, who = USER, whoID = 11111
(acladmin) admin >

4. If an ACE of the parent directory has no flags, it is not inherited.

5. If an ACE of the parent directory has only flag o, setting it is actually a failure as described in (**), but for now, for convenience, it is treated like no flags: no ACE is inherited, and no ACL is created for a new subdirectory in this directory.

Back to Start Page ACL in dCache.

Last Modified by Irina @ Wed Mar 3 07:02:25 2021