Access Control Lists
The Logical File Catalogue (LFC) allows you to attach to a file or directory an access control list (ACL). This is a list of permissions which specify who is allowed to access or modify it. The permissions are very much like those of a UNIX file system: read (r), write (w) and execute (x). A combination of these permissions can be associated to these entities:
* a user (user); * a group of users (group); * any other user (other); * the maximum permissions granted to specific users or groups (mask).
Permissions for multiple users and groups can be defined.
A directory in the LFC has also a default ACL, which is the ACL associated to any file or directory being created under that directory. After creation, the ACLs can be freely changed. When creating a sub-directory, its default ACL is inherited from the parent directory's default ACL. A user can be in more than one group. For example, it might be possible for a user to be allowed to delete an LFC file when his VOMS proxy has a FQAN /lsgrid and also when he has a FQAN/lsgrid/Role=production, as expected.
In the following example, the ACL for a given directory is displayed:
$ lfc-getacl /grid/lsgrid/UserGuide # file: /grid/lsgrid/UserGuide # owner: /C=NL/O=SARA/OU=GRID/CN=John Doe # group: lsgrid user::rwx group::rwx #effective:rwx other::r-x default:user::rwx default:group::rwx default:other::r-x
The output prints the DN (in this case /C=NL/O=SARA/OU=GRID/CN=John Doe) and the group of the owner of the directory (lsgrid), followed by the ACL and the default ACL. In this example, the owner and all users in the lsgrid group have full privileges to the directory, while other users cannot write into it.
By using lfc-setacl -m the ACL can be modified. For example, let's remove the rwx rights for both group and other:
$ lfc-setacl -m user::rwx,group::,other:: /grid/lsgrid/UserGuide $ lfc-getacl /grid/lsgrid/UserGuide # file: /grid/atlas/UserGuide # owner: /C=NL/O=SARA/OU=GRID/CN=John Doe # group: lsgrid user::rwx group::--- #effective:--- other::--- default:user::rwx default:group::rwx default:other::r-x
Notice that default:user, default:group and default:other have the permissions rwx, rwx and rx respectively. This means than when a new directory is created in /grid/lsgrid/UserGuide these permissions will be set. This is shown below.
$ lfc-mkdir /grid/lsgrid/UserGuise/new $ lfc-getacl /grid/lsgrid/UserGuise/new # file: /grid/lsgrid/UserGuise/new # owner: /C=NL/O=SARA/OU=GRID/CN=John Doe # group: lsgrid user::rwx group::rwx #effective:rwx other::r-x default:user::rwx default:group::rwx default:other::r-x
If you do not want this it is possible to change the permissions of default:user, default:group and default:other permissies.
$ lfc-setacl -m default:user::rwx,default:group::,default:other:: /grid/lsgrid/UserGuide $ lfc-mkdir /grid/lsgrid/UserGuide/new2 $ lfc-getacl /grid/lsgrid/UserGuide/new2 # file: /grid/lsgrid/UserGuide/new2 # owner: /C=NL/O=SARA/OU=GRID/CN=John Doe # group: pvier user::rwx group::--- #effective:--- other::--- default:user::rwx default:group::--- default:other::---
Other options of lfc-setacl are -d to remove ACL entries, and -s to replace the complete set of ACL entries.