diff --git a/docs.it4i/storage/nfs4-file-acl.md b/docs.it4i/storage/nfs4-file-acl.md
index 886e9724e7c5e75547b40ff78a398fbf5ee5a52c..3114dc55a6b2463cd46b5ab9fa5bcd48e9340a3b 100644
--- a/docs.it4i/storage/nfs4-file-acl.md
+++ b/docs.it4i/storage/nfs4-file-acl.md
@@ -1,16 +1,57 @@
 # NFSv4 ACL
-At the first - knowledge of ACL is necessary
+An NFSv4 ACL consists of one or more NFSv4 ACEs (Access Control Entry), each delimited by a comma or whitespace.
-ACL - access control list
-ACE - access control entry
-
-An NFSv4 ACL consists of one or more NFSv4 ACEs, each delimited by commas or whitespace.
 An NFSv4 ACE is written as a colon-delimited, 4-field string in the following format:
 ``` code
 <type>:<flags>:<principal>:<permissions>
 ```
+## ACE Elements
+
+* <type> - one of:
+
+| Flag | Name |
+| ---- | ----- |
+| A | allow |
+| D | deny |
+| U | audit |
+| L | alarm |
+
+* <flags> - zero or more (depending on <type>) of:
+
+| Flag | Name |
+| ---- | ------------------------------------------- |
+| f | file-inherit |
+| d | directory-inherit |
+| p | no-propagate-inherit |
+| i | inherit-only |
+| S | successful-access |
+| F | failed-access |
+| g | group (denotes that <principal> is a group) |
+
+* <principal> - named user or group, or one of: "OWNER@", "GROUP@", "EVERYONE@"
+
+* <permissions> - one or more of:
+
+| Flag | Name |
+| ---- | --------------------------------- |
+| r | read-data / list-directory |
+| w | write-data / create-file |
+| a | append-data / create-subdirectory |
+| x | execute |
+| d | delete |
+| D | delete-child (directories only) |
+| t | read-attrs |
+| T | write-attrs |
+| n | read-named-attrs |
+| N | write-named-attrs |
+| c | read-ACL |
+| C | write-ACL |
+| o | write-owner |
+| y | synchronize |
+
+## Example
 ``` code
 [root@login2.salomon proj1]# nfs4_getfacl open-20-11
@@ -25,45 +66,3 @@ A:fdi:GROUP@:rxtcy
 A:fdig:open-20-11@it4i.cz:rwaDxtcy
 A:fdi:EVERYONE@:tcy
 ```
-
-* <type> - one of:
-
-| Flag || Name |
-| ---- || ----- |
-| A || allow |
-| D || deny |
-| U || audit |
-| L || alarm |
-
-* <flags> - zero or more (depending on <type>) of:
-
-| Flag || Name |
-| ---- || ------------------------------------------- |
-| f || file-inherit |
-| d || directory-inherit |
-| p || no-propagate-inherit |
-| i || inherit-only |
-| S || successful-access |
-| F || failed-access |
-| g || group (denotes that <principal> is a group) |
-
-* <principal> - named user or group, or one of: "OWNER@", "GROUP@", "EVERYONE@"
-
-* <permissions> - one or more of:
-
-| Flag || Name |
-| ---- || --------------------------------- |
-| r || read-data / list-directory |
-| w || write-data / create-file |
-| a || append-data / create-subdirectory |
-| x || execute |
-| d || delete |
-| D || delete-child (directories only) |
-| t || read-attrs |
-| T || write-attrs |
-| n || read-named-attrs |
-| N || write-named-attrs |
-| c || read-ACL |
-| C || write-ACL |
-| o || write-owner |
-| y || synchronize |