[gpfsug-discuss] Adding to an existing GPFS ACL
Nathan Falk
nfalk at us.ibm.com
Wed Mar 27 17:07:29 GMT 2019
I think I gave an internal link. Try this instead:
http://www.ibm.com/support/docview.wss?uid=ibm10716323
Nate Falk
IBM Spectrum Scale Level 2 Support
Software Defined Infrastructure, IBM Systems
E-mail: nfalk at us.ibm.com
Find me on:
From: "Nathan Falk" <nfalk at us.ibm.com>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date: 03/27/2019 01:04 PM
Subject: Re: [gpfsug-discuss] Adding to an existing GPFS ACL
Sent by: gpfsug-discuss-bounces at spectrumscale.org
Hello Kevin,
No, you're not missing something. GPFS doesn't provide a means of
recursively modifying ACLs. It's not even all that easy to just modify one
ACL for one file (it's either mmeditacl, or mmgetacl > /tmp/acl.txt; vi
/tmp/acl.txt; mmputacl -i /tmp/acl.txt).
I've had a few queries along these lines over the years and decided to
publish a little bit of a guide here:
https://www-prd-trops.events.ibm.com/node/how-recursively-set-nfsv4-acls-gpfs-filesystem
There's a sample script there for the recursive part, but that would still
have to be tweaked in your case to append just a single ACE to the
existing ACL rather than replace the whole ACL.
Or as others have noted, export the fileset via NFS and go to an NFS
client and use nfs4_setfacl instead.
Thanks,
Nate Falk
IBM Spectrum Scale Level 2 Support
Software Defined Infrastructure, IBM Systems
E-mail:nfalk at us.ibm.com
Find me on:
From: "Buterbaugh, Kevin L" <Kevin.Buterbaugh at Vanderbilt.Edu>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date: 03/27/2019 12:53 PM
Subject: Re: [gpfsug-discuss] Adding to an existing GPFS ACL
Sent by: gpfsug-discuss-bounces at spectrumscale.org
Hi Jonathan,
Thanks. We have done a very similar thing when we’re dealing with a
situation where: 1) all files and directories in the fileset are starting
out with the same existing ACL, and 2) all need the same modification made
to them.
Unfortunately, in this situation item 2 is true, but item 1 is _not_.
That’s what’s making this one a bit thorny…
Kevin
—
Kevin Buterbaugh - Senior System Administrator
Vanderbilt University - Advanced Computing Center for Research and
Education
Kevin.Buterbaugh at vanderbilt.edu- (615)875-9633
On Mar 27, 2019, at 11:33 AM, Fosburgh,Jonathan <jfosburg at mdanderson.org>
wrote:
I misunderstood you.
Pretty much what we've been doing is maintaining "ACL template" files
based on how our filesystem hierarchy is set up. Basically, fileset foo
has a foo.acl file that contains what the ACL is supposed to be. If we
need to change the ACL, we modify that file with the new ACL and then pass
it through a simple (and expensive, I'm sure) script. This wouldn't be
necessary if in heritance flowed down on existing files and directories.
If you have CIFS access, you can also use Windows to do this, but it is
MUCH slower.
--
Jonathan Fosburgh
Principal Application Systems Analyst
IT Operations Storage Team
The University of Texas MD Anderson Cancer Center
(713) 745-9346
From: gpfsug-discuss-bounces at spectrumscale.org<
gpfsug-discuss-bounces at spectrumscale.org> on behalf of Buterbaugh, Kevin L
<Kevin.Buterbaugh at Vanderbilt.Edu>
Sent: Wednesday, March 27, 2019 11:19:03 AM
To: gpfsug main discussion list
Subject: [EXT] Re: [gpfsug-discuss] Adding to an existing GPFS ACL
WARNING:This email originated from outside of MD Anderson. Please validate
the sender's email address before clicking on links or attachments as they
may not be safe.
Hi Jonathan,
Thanks for the response. I did look at mmeditacl, but unless I’m missing
something it’s interactive (kind of like mmedquota is by default). If I
had only a handful of files / directories to modify that would be fine,
but in this case there are thousands of ACL’s that need modifying.
Am I missing something? Thanks…
Kevin
—
Kevin Buterbaugh - Senior System Administrator
Vanderbilt University - Advanced Computing Center for Research and
Education
Kevin.Buterbaugh at vanderbilt.edu- (615)875-9633
On Mar 27, 2019, at 11:02 AM, Fosburgh,Jonathan <jfosburg at mdanderson.org>
wrote:
Try mmeditacl.
--
Jonathan Fosburgh
Principal Application Systems Analyst
IT Operations Storage Team
The University of Texas MD Anderson Cancer Center
(713) 745-9346
From: gpfsug-discuss-bounces at spectrumscale.org<
gpfsug-discuss-bounces at spectrumscale.org> on behalf of Buterbaugh, Kevin L
<Kevin.Buterbaugh at Vanderbilt.Edu>
Sent: Wednesday, March 27, 2019 10:59:17 AM
To: gpfsug main discussion list
Subject: [EXT] [gpfsug-discuss] Adding to an existing GPFS ACL
WARNING:This email originated from outside of MD Anderson. Please validate
the sender's email address before clicking on links or attachments as they
may not be safe.
Hi All,
First off, I have very limited experience with GPFS ACL’s, so please
forgive me if I’m missing something obvious here. AFAIK, this is the
first time we’ve hit something like this…
We have a fileset where all the files / directories have GPFS NFSv4 ACL’s
set on them. However, unlike most of our filesets where the same ACL is
applied to every file / directory in the share, this one has different
ACL’s on different files / directories. Now we have the need to add to
the existing ACL’s … another group needs access. Unlike regular Unix /
Linux ACL’s where setfacl can be used to just add to an ACL (i.e. setfacl
-R g:group_name:rwx), I’m not seeing where GPFS has a similar command …
i.e. mmputacl seems to expect the _entire_ new ACL to be supplied via
either manual entry or an input file. That’s obviously problematic in
this scenario.
So am I missing something? Is there an easier solution than writing a
script which recurses over the fileset, gets the existing ACL with
mmgetacl and outputs that to a file, edits that file to add in the new
group, and passes that as input to mmputacl? That seems very cumbersome
and error prone, especially if I’m the one writing the script!
Thanks…
Kevin
—
Kevin Buterbaugh - Senior System Administrator
Vanderbilt University - Advanced Computing Center for Research and
Education
Kevin.Buterbaugh at vanderbilt.edu- (615)875-9633
The information contained in this e-mail message may be privileged,
confidential, and/or protected from disclosure. This e-mail message may
contain protected health information (PHI); dissemination of PHI should
comply with applicable federal and state laws. If you are not the intended
recipient, or an authorized representative of the intended recipient, any
further review, disclosure, use, dissemination, distribution, or copying
of this message or any attachment (or the information contained therein)
is strictly prohibited. If you think that you have received this e-mail
message in error, please notify the sender by return e-mail and delete all
references to it and its contents from your systems.
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7CKevin.Buterbaugh%40vanderbilt.edu%7Cb2040f23087c4aac0b4908d6b2cf11ed%7Cba5a7f39e3be4ab3b45067fa80faecad%7C0%7C1%7C636892999763011551&sdata=pXhLlRfQuJ4bKfib4bQBlWY4OP5WoZh1YQ%2Bjne2ycEY%3D&reserved=0
The information contained in this e-mail message may be privileged,
confidential, and/or protected from disclosure. This e-mail message may
contain protected health information (PHI); dissemination of PHI should
comply with applicable federal and state laws. If you are not the intended
recipient, or an authorized representative of the intended recipient, any
further review, disclosure, use, dissemination, distribution, or copying
of this message or any attachment (or the information contained therein)
is strictly prohibited. If you think that you have received this e-mail
message in error, please notify the sender by return e-mail and delete all
references to it and its contents from your systems.
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7CKevin.Buterbaugh%40vanderbilt.edu%7C06b6070313d74610e17208d6b2d34b57%7Cba5a7f39e3be4ab3b45067fa80faecad%7C0%7C1%7C636893017903174312&sdata=OX51kSL5fs8CqW9u0y7MK1omYGqkx%2F3K%2Bwvn9iKjFM8%3D&reserved=0
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
https://urldefense.proofpoint.com/v2/url?u=http-3A__gpfsug.org_mailman_listinfo_gpfsug-2Ddiscuss&d=DwICAg&c=jf_iaSHvJObTbx-siA1ZOg&r=p3ZFejMgr8nrtvkuBSxsXg&m=3civslLJ9p1g1obgFb08ZEV5pKUtHmsZfA1sB23rrOA&s=jEVB15lqgaHC0sRH4P3BNVs0PlGUHVPDWML3oS_xZBo&e=
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20190327/76475c10/attachment.htm>
More information about the gpfsug-discuss
mailing list