[gpfsug-discuss] Adding to an existing GPFS ACL

Nathan Falk nfalk at us.ibm.com
Wed Mar 27 17:04:23 GMT 2019


Hello Kevin,

No, you're not missing something. GPFS doesn't provide a means of 
recursively modifying ACLs. It's not even all that easy to just modify one 
ACL for one file (it's either mmeditacl, or mmgetacl > /tmp/acl.txt; vi 
/tmp/acl.txt; mmputacl -i /tmp/acl.txt).

I've had a few queries along these lines over the years and decided to 
publish a little bit of a guide here:

https://www-prd-trops.events.ibm.com/node/how-recursively-set-nfsv4-acls-gpfs-filesystem 


There's a sample script there for the recursive part, but that would still 
have to be tweaked in your case to append just a single ACE to the 
existing ACL rather than replace the whole ACL.

Or as others have noted, export the fileset via NFS and go to an NFS 
client and use nfs4_setfacl instead.

Thanks,


Nate Falk
IBM Spectrum Scale Level 2 Support
Software Defined Infrastructure, IBM Systems



E-mail: nfalk at us.ibm.com
Find me on:   





From:   "Buterbaugh, Kevin L" <Kevin.Buterbaugh at Vanderbilt.Edu>
To:     gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date:   03/27/2019 12:53 PM
Subject:        Re: [gpfsug-discuss] Adding to an existing GPFS ACL
Sent by:        gpfsug-discuss-bounces at spectrumscale.org



Hi Jonathan, 

Thanks.  We have done a very similar thing when we’re dealing with a 
situation where:  1) all files and directories in the fileset are starting 
out with the same existing ACL, and 2) all need the same modification made 
to them.

Unfortunately, in this situation item 2 is true, but item 1 is _not_. 
That’s what’s making this one a bit thorny…

Kevin

—
Kevin Buterbaugh - Senior System Administrator
Vanderbilt University - Advanced Computing Center for Research and 
Education
Kevin.Buterbaugh at vanderbilt.edu - (615)875-9633

On Mar 27, 2019, at 11:33 AM, Fosburgh,Jonathan <jfosburg at mdanderson.org> 
wrote:

I misunderstood you.

Pretty much what we've been doing is maintaining "ACL template" files 
based on how our filesystem hierarchy is set up.  Basically, fileset foo 
has a foo.acl file that contains what the ACL is supposed to be.  If we 
need to change the ACL, we modify that file with the new ACL and then pass 
it through a simple (and expensive, I'm sure) script.  This wouldn't be 
necessary if in heritance flowed down on existing files and directories. 
If you have CIFS access, you can also use Windows to do this, but it is 
MUCH slower.

-- 
Jonathan Fosburgh
Principal Application Systems Analyst
IT Operations Storage Team
The University of Texas MD Anderson Cancer Center
(713) 745-9346


From: gpfsug-discuss-bounces at spectrumscale.org <
gpfsug-discuss-bounces at spectrumscale.org> on behalf of Buterbaugh, Kevin L 
<Kevin.Buterbaugh at Vanderbilt.Edu>
Sent: Wednesday, March 27, 2019 11:19:03 AM
To: gpfsug main discussion list
Subject: [EXT] Re: [gpfsug-discuss] Adding to an existing GPFS ACL 
 
WARNING: This email originated from outside of MD Anderson. Please 
validate the sender's email address before clicking on links or 
attachments as they may not be safe. 
Hi Jonathan, 

Thanks for the response.  I did look at mmeditacl, but unless I’m missing 
something it’s interactive (kind of like mmedquota is by default).  If I 
had only a handful of files / directories to modify that would be fine, 
but in this case there are thousands of ACL’s that need modifying.

Am I missing something?  Thanks…

Kevin

—
Kevin Buterbaugh - Senior System Administrator
Vanderbilt University - Advanced Computing Center for Research and 
Education
Kevin.Buterbaugh at vanderbilt.edu - (615)875-9633

On Mar 27, 2019, at 11:02 AM, Fosburgh,Jonathan <jfosburg at mdanderson.org> 
wrote:

Try mmeditacl.

-- 
Jonathan Fosburgh
Principal Application Systems Analyst
IT Operations Storage Team
The University of Texas MD Anderson Cancer Center
(713) 745-9346


From: gpfsug-discuss-bounces at spectrumscale.org <
gpfsug-discuss-bounces at spectrumscale.org> on behalf of Buterbaugh, Kevin L 
<Kevin.Buterbaugh at Vanderbilt.Edu>
Sent: Wednesday, March 27, 2019 10:59:17 AM
To: gpfsug main discussion list
Subject: [EXT] [gpfsug-discuss] Adding to an existing GPFS ACL 
 
WARNING: This email originated from outside of MD Anderson. Please 
validate the sender's email address before clicking on links or 
attachments as they may not be safe. 
Hi All, 

First off, I have very limited experience with GPFS ACL’s, so please 
forgive me if I’m missing something obvious here.  AFAIK, this is the 
first time we’ve hit something like this…

We have a fileset where all the files / directories have GPFS NFSv4 ACL’s 
set on them.  However, unlike most of our filesets where the same ACL is 
applied to every file / directory in the share, this one has different 
ACL’s on different files / directories.  Now we have the need to add to 
the existing ACL’s … another group needs access.  Unlike regular Unix / 
Linux ACL’s where setfacl can be used to just add to an ACL (i.e. setfacl 
-R g:group_name:rwx), I’m not seeing where GPFS has a similar command … 
i.e. mmputacl seems to expect the _entire_ new ACL to be supplied via 
either manual entry or an input file.  That’s obviously problematic in 
this scenario.

So am I missing something?  Is there an easier solution than writing a 
script which recurses over the fileset, gets the existing ACL with 
mmgetacl and outputs that to a file, edits that file to add in the new 
group, and passes that as input to mmputacl?  That seems very cumbersome 
and error prone, especially if I’m the one writing the script!

Thanks…

Kevin
—
Kevin Buterbaugh - Senior System Administrator
Vanderbilt University - Advanced Computing Center for Research and 
Education
Kevin.Buterbaugh at vanderbilt.edu - (615)875-9633

The information contained in this e-mail message may be privileged, 
confidential, and/or protected from disclosure. This e-mail message may 
contain protected health information (PHI); dissemination of PHI should 
comply with applicable federal and state laws. If you are not the intended 
recipient, or an authorized representative of the intended recipient, any 
further review, disclosure, use, dissemination, distribution, or copying 
of this message or any attachment (or the information contained therein) 
is strictly prohibited. If you think that you have received this e-mail 
message in error, please notify the sender by return e-mail and delete all 
references to it and its contents from your systems.
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7CKevin.Buterbaugh%40vanderbilt.edu%7Cb2040f23087c4aac0b4908d6b2cf11ed%7Cba5a7f39e3be4ab3b45067fa80faecad%7C0%7C1%7C636892999763011551&sdata=pXhLlRfQuJ4bKfib4bQBlWY4OP5WoZh1YQ%2Bjne2ycEY%3D&reserved=0

The information contained in this e-mail message may be privileged, 
confidential, and/or protected from disclosure. This e-mail message may 
contain protected health information (PHI); dissemination of PHI should 
comply with applicable federal and state laws. If you are not the intended 
recipient, or an authorized representative of the intended recipient, any 
further review, disclosure, use, dissemination, distribution, or copying 
of this message or any attachment (or the information contained therein) 
is strictly prohibited. If you think that you have received this e-mail 
message in error, please notify the sender by return e-mail and delete all 
references to it and its contents from your systems.
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7CKevin.Buterbaugh%40vanderbilt.edu%7C06b6070313d74610e17208d6b2d34b57%7Cba5a7f39e3be4ab3b45067fa80faecad%7C0%7C1%7C636893017903174312&sdata=OX51kSL5fs8CqW9u0y7MK1omYGqkx%2F3K%2Bwvn9iKjFM8%3D&reserved=0

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
https://urldefense.proofpoint.com/v2/url?u=http-3A__gpfsug.org_mailman_listinfo_gpfsug-2Ddiscuss&d=DwICAg&c=jf_iaSHvJObTbx-siA1ZOg&r=p3ZFejMgr8nrtvkuBSxsXg&m=tWa7c7_Nu1t7-zUozpFd8c1XSV7N7TShOBelxQS3POM&s=Q_tZmc5wSfixdoNnqTzBUuG9b4iW2vMUOUHy7DZXdRU&e=





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20190327/4ea39b69/attachment.htm>


More information about the gpfsug-discuss mailing list