Last modified on 04/06/09 18:45:31

How to set ACLs. Examples.

ACL in dCache. Examples.

Example 1.

Set an ACL on a new directory TestDir so that:
1) ui_users1 (UID 60076, GID 5063), ui_users2 (UID 18118, GID 7777) and all other members of these two groups (GID 5063, GID 7777) are allowed to create files in this directory;
2) a member of either group is allowed to read files created by other members of the same group (but not files created by members of the other group);
3) a user is allowed to delete only his or her own files.

setfacl /pnfs/dcache.org/data/TestDir GROUP:5063:+fD GROUP:7777:+fD GROUP@:+r:f OWNER@:+d:f

Each ACE has the form <subject>:<+|-><access letters>[:<inheritance flags>]. GROUP:5063:+fD and GROUP:7777:+fD give members of the two groups ADD_FILE (f) and DELETE_CHILD (D) on the directory itself. GROUP@:+r:f and OWNER@:+d:f carry the file-inherit flag (f), so every file created in TestDir receives GROUP@:+r (READ_DATA for the file's owning group) and OWNER@:+d (DELETE for the file's owner). Note that getfacl prints the inheritable r bit as l on the directory: READ_DATA and LIST_DIRECTORY share one bit, and its letter depends on whether the object is a file or a directory. As the checks below show, removing a file requires both DELETE_CHILD on the directory and DELETE on the file, which is what restricts each user to deleting his or her own files.

[hal9000.dcache.org] (acladmin) admin > setfacl /pnfs/dcache.org/data/TestDir GROUP:5063:+fD GROUP:7777:+fD GROUP@:+r:f OWNER@:+d:f
Done
[hal9000.dcache.org] (acladmin) admin > 
[hal9000.dcache.org] (acladmin) admin > getfacl /pnfs/dcache.org/data/TestDir
000062D672D6F693417AABEF42308CF69D85:DIR
GROUP:5063:+fD
GROUP:7777:+fD
GROUP@:+l:f
OWNER@:+d:f
[hal9000.dcache.org] (acladmin) admin >

1) Check that users from both groups are allowed to create new files in this directory:

[ui_users1@hal9000 ~]$ globus-url-copy file://///home/ui_users1/TestDir/File1 gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir/File1
[ui_users2@hal9000 ~]$ globus-url-copy file://///home/ui_users2/TestDir/File2 gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir/File2

ACLs inherited by these new files:

[hal9000.dcache.org] (acladmin) admin > getfacl /pnfs/dcache.org/data/TestDir/File1
00002E5085B0E333409EADF894029E5248B3:FILE
GROUP@:+r
OWNER@:+d
[hal9000.dcache.org] (acladmin) admin > getfacl /pnfs/dcache.org/data/TestDir/File2
0000317A495EBA0B49E2B6E01F71540A59A4:FILE
GROUP@:+r
OWNER@:+d

Directory listing as seen by 'ui_users1':

[ui_users1@hal9000 ~]$ edg-gridftp-ls -v gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir
-r--------  1 user01     user01               33 Feb 24 15:00 File1
----------  1 user01     user01               14 Feb 24 15:03 File2
[ui_users1@hal9000 ~]$

Directory listing as seen by 'ui_users2':

[ui_users2@hal9000 ~]$ edg-gridftp-ls -v gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir
----------  1 user02    user02              33 Feb 24 15:00 File1
-r--------  1 user02    user02              14 Feb 24 15:03 File2
[ui_users2@hal9000 ~]$

2) Check that a user is not allowed to read files owned by the other group, that is, 'ui_users1' (GID 5063) is not allowed to read a file owned by GID 7777:

[ui_users1@hal9000 ~]$ globus-url-copy gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir/File2 file://///home/ui_users1/MyTestDir/File2

error: globus_ftp_client: the server responded with an error
550 Permission denied

[ui_users1@hal9000 ~]$ 

3) Check that 'ui_users1' is not allowed to delete the file created by 'ui_users2':

[ui_users1@hal9000 ~]$ edg-gridftp-rm gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir/File2
error globus_ftp_client: the server responded with an error
[ui_users1@hal9000 ~]$

Check that 'ui_users1' can delete its own file:

[ui_users1@hal9000 ~]$ edg-gridftp-rm gsiftp://hal9000:2811/pnfs/dcache.org/data/TestDir/File1
[ui_users1@hal9000 ~]$
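The following is an added example, not code from the dCache project or from this page: a small Python model of the ACL semantics that Example 1 exercises (ACE parsing in the setfacl syntax shown above, getfacl-style display, inheritance of file-inheritable ACEs onto new files, first-matching-ACE evaluation, and the delete check), so that a planned ACL can be checked against requirements like 1) to 3) before it is applied on the door. Everything beyond the ACE strings, UIDs and GIDs taken from this page is assumed: the bit numbering is the model's own, TestDir is taken to be owned by uid 0/gid 0, the 'outsider' principal is constructed, and deleting a file is modelled as needing DELETE_CHILD (D) on the directory and DELETE (d) on the file together, which is the behaviour the checks above exhibit; the `rule="either"` variant shows how the same ACL would behave if one of the two bits sufficed.

```python
# Added example, not dCache's own code: a model of the ACL semantics shown above.
from collections import namedtuple

# Access-mask letters as in the setfacl syntax above; the bit numbering is this
# model's own. Paired letters share one bit and are printed according to the
# object type, which is why "+r" set on TestDir is shown back as "+l".
MASK_BITS = {"r": 1, "l": 1,    # READ_DATA / LIST_DIRECTORY
             "w": 2, "f": 2,    # WRITE_DATA / ADD_FILE
             "a": 4, "s": 4,    # APPEND_DATA / ADD_SUBDIRECTORY
             "x": 8,            # EXECUTE
             "d": 16,           # DELETE (the object itself)
             "D": 32}           # DELETE_CHILD (entries of a directory)
FILE_LETTERS, DIR_LETTERS = "rwaxdD", "lfsxdD"   # display letter for bit 0..5

# who: OWNER@ | GROUP@ | EVERYONE@ | USER:<uid> | GROUP:<gid>
# flags: inheritance letters, f = file inherit, d = dir inherit, o = inherit only
Ace = namedtuple("Ace", "who allow mask flags", defaults=[""])
Node = namedtuple("Node", "name is_dir owner_uid owner_gid acl")
Principal = namedtuple("Principal", "uid gid gids")   # gid: primary group; gids: all

def parse_ace(text):
    """Parse 'GROUP:5063:+fD' or 'GROUP@:+r:f' into an Ace."""
    parts = text.split(":")
    special = parts[0].endswith("@")
    who = parts[0] if special else f"{parts[0]}:{parts[1]}"
    rest = parts[1:] if special else parts[2:]
    sign, letters = rest[0][0], rest[0][1:]
    if sign not in "+-" or not all(c in MASK_BITS for c in letters):
        raise ValueError(f"bad ACE: {text}")
    mask = 0
    for c in letters:
        mask |= MASK_BITS[c]
    return Ace(who, sign == "+", mask, rest[1] if len(rest) > 1 else "")

def format_ace(ace, is_dir):
    """Render an Ace the way getfacl prints it for a file or a directory."""
    letters = DIR_LETTERS if is_dir else FILE_LETTERS
    bits = "".join(letters[i] for i in range(6) if ace.mask >> i & 1)
    text = f"{ace.who}:{'+' if ace.allow else '-'}{bits}"
    return f"{text}:{ace.flags}" if ace.flags else text

def matches(ace, node, p):
    """Does this ACE name principal p with respect to node?"""
    if ace.who == "OWNER@":
        return p.uid == node.owner_uid
    if ace.who == "GROUP@":
        return node.owner_gid in p.gids
    if ace.who == "EVERYONE@":
        return True
    kind, ident = ace.who.split(":")
    return p.uid == int(ident) if kind == "USER" else int(ident) in p.gids

def allowed(node, p, letter):
    """First ACE naming p that covers the requested bit decides; none: deny."""
    bit = MASK_BITS[letter]
    for ace in node.acl:
        if "o" in ace.flags:    # inherit-only ACEs do not apply to node itself
            continue
        if ace.mask & bit and matches(ace, node, p):
            return ace.allow
    return False

def create_file(parent, name, p):
    """Needs ADD_FILE (f) on parent; the file receives parent's file-inheritable
    ACEs with the inheritance flags stripped, as the getfacl output above shows."""
    if not allowed(parent, p, "f"):
        raise PermissionError(f"uid {p.uid} may not create files in {parent.name}")
    acl = [Ace(a.who, a.allow, a.mask) for a in parent.acl if "f" in a.flags]
    return Node(name, False, p.uid, p.gid, acl)

def can_delete(parent, child, p, rule="both"):
    """rule='both': D on the parent AND d on the file, the behaviour the checks
    above show. rule='either': one bit suffices (assumed alternative policy)."""
    on_parent, on_child = allowed(parent, p, "D"), allowed(child, p, "d")
    return (on_parent and on_child) if rule == "both" else (on_parent or on_child)

def scenario():
    """Replay Example 1; every check is returned under a descriptive key."""
    testdir = Node("TestDir", True, 0, 0,    # directory owner: assumed root/root
                   [parse_ace(a) for a in
                    "GROUP:5063:+fD GROUP:7777:+fD GROUP@:+r:f OWNER@:+d:f".split()])
    u1 = Principal(60076, 5063, {5063})      # ui_users1, from the page
    u2 = Principal(18118, 7777, {7777})      # ui_users2, from the page
    outsider = Principal(999, 8888, {8888})  # constructed: member of neither group
    file1 = create_file(testdir, "File1", u1)
    file2 = create_file(testdir, "File2", u2)
    try:
        create_file(testdir, "File3", outsider)
        outsider_create = True
    except PermissionError:
        outsider_create = False
    return {
        "TestDir_acl": [format_ace(a, True) for a in testdir.acl],
        "File1_acl": [format_ace(a, False) for a in file1.acl],
        "outsider_create": outsider_create,
        "u1_read_File1": allowed(file1, u1, "r"),
        "u1_read_File2": allowed(file2, u1, "r"),
        "u2_read_File2": allowed(file2, u2, "r"),
        "u1_delete_File1": can_delete(testdir, file1, u1),
        "u1_delete_File2": can_delete(testdir, file2, u1),
        # same ACL under the 'either' rule: requirement 3 would no longer hold
        "u1_delete_File2_either": can_delete(testdir, file2, u1, "either"),
    }
```

Calling `scenario()` reproduces the session above: the ACL printed back for TestDir matches the getfacl output, including `GROUP@:+l:f` for the `+r` that was set, the inherited file ACLs are `GROUP@:+r` and `OWNER@:+d`, and the read and delete checks come out as in steps 2) and 3). The `u1_delete_File2_either` result is the practical caveat: requirement 3 holds only because the door demands both bits, so it should be re-checked with the edg-gridftp-rm test above rather than inferred from the ACL text alone.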
