How to set ACLs. Examples.
Example 1.
Set an ACL on a new directory TestDir so that:
1) ui_users1 (UID 60076, GID 5063), ui_users2 (UID 18118, GID 7777) and all users from both of these groups (GID 5063, GID 7777)
are allowed to create files in this directory;
2) a member of a group (GID) is allowed to read files created by other members of the same group;
3) a user is allowed to delete only his own files.
setfacl /pnfs/dcache.org/data/TestDir GROUP:5063:+fD GROUP:7777:+fD GROUP@:+r:f OWNER@:+d:f
[hal9000.dcache.org] (acladmin) admin > setfacl /pnfs/dcache.org/data/TestDir GROUP:5063:+fD GROUP:7777:+fD GROUP@:+r:f OWNER@:+d:f
Done
[hal9000.dcache.org] (acladmin) admin >

[hal9000.dcache.org] (acladmin) admin > getfacl /pnfs/dcache.org/data/TestDir
000062D672D6F693417AABEF42308CF69D85:DIR
GROUP:5063:+fD
GROUP:7777:+fD
GROUP@:+l:f
OWNER@:+d:f
[hal9000.dcache.org] (acladmin) admin >
1) Check that users from both groups are allowed to create new files in this directory:
[ui_users1@hal9000 ~]$ globus-url-copy file://///home/ui_users1/TestDir/File1 gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir/File1
[ui_users2@hal9000 ~]$ globus-url-copy file://///home/ui_users2/TestDir/File2 gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir/File2
ACLs inherited by these new files:
[hal9000.dcache.org] (acladmin) admin > getfacl /pnfs/dcache.org/data/TestDir/File1
00002E5085B0E333409EADF894029E5248B3:FILE
GROUP@:+r
OWNER@:+d
[hal9000.dcache.org] (acladmin) admin > getfacl /pnfs/dcache.org/data/TestDir/File2
0000317A495EBA0B49E2B6E01F71540A59A4:FILE
GROUP@:+r
OWNER@:+d
List the directory as each user:
'ui_users1'
[ui_users1@hal9000 ~]$ edg-gridftp-ls -v gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir
-r--------   1 user01 user01 33 Feb 24 15:00 File1
----------   1 user01 user01 14 Feb 24 15:03 File2
[ui_users1@hal9000 ~]$
'ui_users2'
[ui_users2@hal9000 ~]$ edg-gridftp-ls -v gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir
----------   1 user02 user02 33 Feb 24 15:00 File1
-r--------   1 user02 user02 14 Feb 24 15:03 File2
[ui_users2@hal9000 ~]$
2) Check that a user is not allowed to read files owned by another group; that is, 'ui_users1' (GID 5063) is not allowed to read File2, which is owned by the other group (GID 7777):
[ui_users1@hal9000 ~]$ globus-url-copy gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir/File2 file://///home/ui_users1/MyTestDir/File2
error: globus_ftp_client: the server responded with an error
550 Permission denied
[ui_users1@hal9000 ~]$
3) Check that 'ui_users1' is not allowed to delete the file created by 'ui_users2':
[ui_users1@hal9000 ~]$ edg-gridftp-rm gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir/File2
error globus_ftp_client: the server responded with an error
[ui_users1@hal9000 ~]$
Check that a user can delete his own files:
[ui_users1@hal9000 ~]$ edg-gridftp-rm gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir/File1
[ui_users1@hal9000 ~]$
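As an added illustration (not part of this page and not dCache's own code), a small Python model of the ACE syntax used above: it parses the entries given to setfacl, derives the entries a new file inherits (the ':f' ones, as the getfacl output for File1 and File2 shows) and evaluates the checks 1) to 3). The evaluation rule (first matching entry decides, default deny) and the directory owner values used when testing are assumptions.

```python
# Added example (not dCache code): simplified model of the ACE syntax used above,
# "<who>:<+|-><access letters>[:<inherit flags>]", e.g. GROUP:5063:+fD or GROUP@:+r:f.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    who: str         # OWNER@, GROUP@, EVERYONE@, USER:<uid> or GROUP:<gid>
    allow: bool      # '+' = allow, '-' = deny
    mask: str        # access letters: f = add file, D = delete child, r = read, d = delete
    flags: str = ""  # inheritance flags: f = file inherit, d = dir inherit, o = inherit only

def parse_ace(text: str) -> Ace:
    """Parse one ACE as written on the setfacl command line."""
    parts = text.split(":")
    if parts[0].endswith("@"):          # GROUP@:+r:f -> who="GROUP@", rest=["+r", "f"]
        who, rest = parts[0], parts[1:]
    else:                               # GROUP:5063:+fD -> who="GROUP:5063", rest=["+fD"]
        who, rest = f"{parts[0]}:{parts[1]}", parts[2:]
    if not rest or rest[0][:1] not in ("+", "-"):
        raise ValueError(f"malformed ACE: {text!r}")
    flags = rest[1] if len(rest) > 1 else ""
    return Ace(who, rest[0][0] == "+", rest[0][1:], flags)

def inherited_file_aces(dir_aces):
    """Entries a newly created file receives: those flagged 'f', with the flags
    dropped, which matches the getfacl output for File1/File2 above."""
    return [Ace(a.who, a.allow, a.mask) for a in dir_aces if "f" in a.flags]

def is_allowed(aces, uid, gids, owner_uid, owner_gid, access):
    """First matching entry decides, default deny (NFSv4-style; an assumed
    simplification of dCache's real permission handler)."""
    for a in aces:
        if "o" in a.flags:               # inherit-only entries never grant access directly
            continue
        if a.who == "OWNER@":
            match = uid == owner_uid
        elif a.who == "GROUP@":
            match = owner_gid in gids
        elif a.who == "EVERYONE@":
            match = True
        elif a.who.startswith("USER:"):
            match = uid == int(a.who[5:])
        else:                            # GROUP:<gid>
            match = int(a.who[6:]) in gids
        if match and access in a.mask:
            return a.allow
    return False
```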