Using Storage Access Control Lists

Most users are familiar with traditional Linux file permissions (also known as POSIX permissions). But the simple structure of POSIX permissions can make it difficult to manage shared folders across different groups of users with different privileges. In addition to POSIX permissions, Nova also supports NFS4 access control lists (ACLs) on group work folders. NFS4 ACLs allow you to create different access rules for different groups, and allow permissions to be inherited from the parent directory. For this article, the term ACLs will refer to NFS4 ACLs. The following describes how to set ACLs on Nova shared storage to support some common workflows.

Advantages of ACLs over POSIX Permissions

  • POSIX permissions only allow you to set permissions for the file owner and the group owner. ACLs, however, let you build a list of access rules that tailor the access privileges for specific users or groups.
  • ACLs can be inherited from the parent directory, which helps ensure that access rules remain in place even as new files or directories are created.

POSIX Permissions Co-Exist with ACLs

It is important to understand that with NFS4, POSIX permissions and ACLs can both be in effect at the same time. POSIX permissions are always present, but you can add ACLs to give finer-grained access rules than you could achieve with POSIX permissions alone.

Let's say you are a Principal Investigator (PI) with three research assistants.  A common scenario is that you would like each assistant to have their own work folder, but as the PI, you would like to be able to access the files in each assistant's work folder when necessary.  In this example we will show how you can use ACLs to make this possible.  

Assume the PI username is 'jsmith' and the three assistants have the usernames ajohnson, bford, and tcheung.
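The scenario above, as an added example that is not part of the original article: each assistant keeps their own folder private with a POSIX mode of 700 and then adds an inherited allow ACE for the PI. It assumes the Linux nfs4-acl-tools commands (nfs4_setfacl / nfs4_getfacl), a hypothetical lab root /work/jsmith_lab, and that the bare username is an acceptable principal on Nova (some sites require user@domain).

```shell
#!/bin/sh
# Added example, not from the original article. Assumes nfs4-acl-tools and the
# hypothetical lab root /work/jsmith_lab; usernames are taken from the article.

# Build one NFS4 "allow" ACE in nfs4_setfacl syntax: A:<flags>:<principal>:<perms>.
# Flags f and d make the entry inherit to new files and sub-directories, so the
# PI keeps access to whatever the assistant creates later.
ace() {  # $1 = principal (user name), $2 = perms (R, W, X aliases)
  printf 'A:fd:%s:%s' "$1" "$2"
}

# Add one ACE to a directory tree. -a appends to the existing ACL, which keeps
# the OWNER@/GROUP@/EVERYONE@ entries derived from the POSIX mode; -R recurses.
# If the tool is missing (e.g. on a laptop), just show the command that would run.
add_ace() {  # $1 = ACE string, $2 = directory
  if command -v nfs4_setfacl >/dev/null 2>&1; then
    nfs4_setfacl -R -a "$1" "$2"
  else
    printf 'nfs4_setfacl not found; would run: nfs4_setfacl -R -a "%s" "%s"\n' "$1" "$2"
  fi
}

# Run by the assistant on their own folder (only the owner, or root, may set
# its ACL). Mode 700 keeps the other assistants and "other" out; the inherited
# ACE then lets the PI in. Set the mode before the ACL: on many NFSv4 servers a
# later chmod rewrites the ACL from the new mode bits.
protect_folder() {  # $1 = folder, $2 = PI username, $3 = PI perms (default RWX)
  mkdir -p "$1"
  chmod 700 "$1"
  add_ace "$(ace "$2" "${3:-RWX}")" "$1"   # pass RX for read-only PI access
  if command -v nfs4_getfacl >/dev/null 2>&1; then
    nfs4_getfacl "$1"                      # verify: the PI entry should be listed
  fi
}

# Usage (each assistant runs it once on their own folder):
#   sh folder_acl.sh /work/jsmith_lab/ajohnson jsmith
#   sh folder_acl.sh /work/jsmith_lab/bford   jsmith
#   sh folder_acl.sh /work/jsmith_lab/tcheung jsmith RX
if [ "$#" -ge 2 ]; then
  protect_folder "$@"
fi
```

Check the result with nfs4_getfacl on a file created afterwards inside the folder; the inherited entry appears there without the f and d flags, which is how inheritance is supposed to look.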