[gpfsug-discuss] Adding to an existing GPFS ACL

Chetan R Kulkarni chetkulk at in.ibm.com
Wed Mar 27 18:24:26 GMT 2019


Hi Kevin,

Small script herewith (append.acl.sh <dir>) - appends one group ACE
(append.acl) to all the files/dirs under <dir>.
You may try it on a small directory first to check its usefulness in your
case.
(Tried along the same lines as discussed by others - mmgetacl, append, then
mmputacl.)


$ cat append.acl  # add ace as per your setup in this file
group:bgroup1:r-x-:allow
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

$ cat append.acl.sh

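#!/bin/bash
# Append the ACE in $appendAclFile to the NFSv4 ACL of everything under <dir>.
[[ $# -eq 1 ]] && dir=$1 || { echo "Usage: ./append.acl.sh <dir>"; exit 1; }
appendAclFile="/tmp/append.acl"
# mktemp instead of a fixed /tmp name, so the path cannot be pre-created
newAclFile=$(mktemp /tmp/new.acl.XXXXXX) || exit 1

cd "$dir" || exit 1
# -print0 / read -d '' keep names containing spaces or newlines intact;
# -mindepth 1 skips <dir> itself; -follow still follows symlinks
find . -mindepth 1 -follow -print0 | while IFS= read -r -d '' filename
do
  echo "Applying ACL to $filename..."
  # skip the file if its ACL cannot be read, rather than reusing a stale one
  mmgetacl -k nfs4 -o "$newAclFile" "$filename" || continue
  cat "$appendAclFile" >> "$newAclFile"
  mmputacl -i "$newAclFile" "$filename"
done

rm -f "$newAclFile"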

$ chmod +x append.acl.sh

$ ./append.acl.sh
Usage: ./append.acl.sh <dir>

$ time ./append.acl.sh /ibm/fs1/fset2
Applying ACL to ./dir30...
Applying ACL to ./dir30/file10...
Applying ACL to ./dir30/file9...
...
...
$

Thanks,
Chetan.
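
An added example, not part of the original post and not IBM code: the script above appends the ACE unconditionally, so this text-only helper compares whole ACEs (header plus permission lines, whitespace-normalised) and appends only when the ACE is missing, which keeps a second run over the same tree from adding it again. The function names, the `#` header lines of the sample ACL and the sample files themselves are assumptions constructed for illustration; no GPFS command is run.

```shell
# aces FILE: print each ACE of an mmgetacl -k nfs4 style file as one
# whitespace-normalised line (header plus its indented permission lines).
aces() {
  awk '
    /^#/ || /^[ \t]*$/ { next }                # comments and blank lines
    { indented = ($0 ~ /^[ \t]/); $1 = $1 }    # $1 = $1 squeezes whitespace
    !indented { if (ace != "") print ace; ace = $0; next }
    { ace = ace " " $0 }
    END { if (ace != "") print ace }
  ' "$1"
}

# acl_has_aces ACL ACE: succeed only if every ACE in file ACE is already in ACL.
acl_has_aces() {
  _want=$(aces "$2" | sort -u)
  [ -n "$_want" ] || return 2                  # empty ACE file
  _found=$(aces "$1" | grep -Fx -- "$_want" | sort -u)
  [ "$_found" = "$_want" ]
}

# merge_acl ACL ACE: print the text to hand to mmputacl -i.
merge_acl() {
  cat "$1"
  acl_has_aces "$1" "$2" || cat "$2"
}

# demo: constructed sample files; merge twice, print the bgroup1 ACE count.
demo() {
  _d=$(mktemp -d) || return 1
  cat > "$_d/ace" <<'EOF'
group:bgroup1:r-x-:allow
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
EOF
  cat > "$_d/acl" <<'EOF'
#NFSv4 ACL
#owner:root
#group:root
special:owner@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
EOF
  merge_acl "$_d/acl" "$_d/ace" > "$_d/pass1"
  merge_acl "$_d/pass1" "$_d/ace" > "$_d/pass2"
  grep -c '^group:bgroup1:' "$_d/pass2"
  rm -rf "$_d"
}
```

In the loop above, `merge_acl` would take the file written by mmgetacl and `$appendAclFile`, with its output redirected to the file passed to `mmputacl -i`.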



From:	"Nathan Falk" <nfalk at us.ibm.com>
To:	gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date:	03/27/2019 10:37 PM
Subject:	Re: [gpfsug-discuss] Adding to an existing GPFS ACL
Sent by:	gpfsug-discuss-bounces at spectrumscale.org



I think I gave an internal link. Try this instead:

http://www.ibm.com/support/docview.wss?uid=ibm10716323


Nate Falk
IBM Spectrum Scale Level 2 Support
Software Defined Infrastructure, IBM Systems
E-mail: nfalk at us.ibm.com
LinkedIn: https://www.linkedin.com/in/nathan-falk-078ba5125
Twitter: https://twitter.com/natefalk922


From:        "Nathan Falk" <nfalk at us.ibm.com>
To:        gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date:        03/27/2019 01:04 PM
Subject:        Re: [gpfsug-discuss] Adding to an existing GPFS ACL
Sent by:        gpfsug-discuss-bounces at spectrumscale.org



Hello Kevin,

No, you're not missing something. GPFS doesn't provide a means of
recursively modifying ACLs. It's not even all that easy to just modify one
ACL for one file (it's either mmeditacl, or mmgetacl > /tmp/acl.txt;
vi /tmp/acl.txt; mmputacl -i /tmp/acl.txt).

I've had a few queries along these lines over the years and decided to
publish a little bit of a guide here:

https://www-prd-trops.events.ibm.com/node/how-recursively-set-nfsv4-acls-gpfs-filesystem


There's a sample script there for the recursive part, but that would still
have to be tweaked in your case to append just a single ACE to the existing
ACL rather than replace the whole ACL.

Or as others have noted, export the fileset via NFS and go to an NFS client
and use nfs4_setfacl instead.

Thanks,
Nate Falk
IBM Spectrum Scale Level 2 Support
Software Defined Infrastructure, IBM Systems
E-mail: nfalk at us.ibm.com
LinkedIn: https://www.linkedin.com/in/nathan-falk-078ba5125
Twitter: https://twitter.com/natefalk922


From:        "Buterbaugh, Kevin L" <Kevin.Buterbaugh at Vanderbilt.Edu>
To:        gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date:        03/27/2019 12:53 PM
Subject:        Re: [gpfsug-discuss] Adding to an existing GPFS ACL
Sent by:        gpfsug-discuss-bounces at spectrumscale.org



Hi Jonathan,

Thanks.  We have done a very similar thing when we’re dealing with a
situation where:  1) all files and directories in the fileset are starting
out with the same existing ACL, and 2) all need the same modification made
to them.

Unfortunately, in this situation item 2 is true, but item 1 is _not_.
That’s what’s making this one a bit thorny…

Kevin

—
Kevin Buterbaugh - Senior System Administrator
Vanderbilt University - Advanced Computing Center for Research and
Education
Kevin.Buterbaugh at vanderbilt.edu- (615)875-9633

On Mar 27, 2019, at 11:33 AM, Fosburgh,Jonathan <jfosburg at mdanderson.org>
wrote:
I misunderstood you.
Pretty much what we've been doing is maintaining "ACL template" files based
on how our filesystem hierarchy is set up.  Basically, fileset foo has a
foo.acl file that contains what the ACL is supposed to be.  If we need to
change the ACL, we modify that file with the new ACL and then pass it
through a simple (and expensive, I'm sure) script.  This wouldn't be
necessary if inheritance flowed down on existing files and directories.
If you have CIFS access, you can also use Windows to do this, but it is
MUCH slower.




--
Jonathan Fosburgh
Principal Application Systems Analyst
IT Operations Storage Team
The University of Texas MD Anderson Cancer Center
(713) 745-9346


From: gpfsug-discuss-bounces at spectrumscale.org<
gpfsug-discuss-bounces at spectrumscale.org> on behalf of Buterbaugh, Kevin L
<Kevin.Buterbaugh at Vanderbilt.Edu>
Sent: Wednesday, March 27, 2019 11:19:03 AM
To: gpfsug main discussion list
Subject: [EXT] Re: [gpfsug-discuss] Adding to an existing GPFS ACL

Hi Jonathan,

Thanks for the response.  I did look at mmeditacl, but unless I’m missing
something it’s interactive (kind of like mmedquota is by default).  If I
had only a handful of files / directories to modify that would be fine, but
in this case there are thousands of ACL’s that need modifying.

Am I missing something?  Thanks…

Kevin

—
Kevin Buterbaugh - Senior System Administrator
Vanderbilt University - Advanced Computing Center for Research and
Education
Kevin.Buterbaugh at vanderbilt.edu- (615)875-9633

On Mar 27, 2019, at 11:02 AM, Fosburgh,Jonathan <jfosburg at mdanderson.org>
wrote:
Try mmeditacl.




--
Jonathan Fosburgh
Principal Application Systems Analyst
IT Operations Storage Team
The University of Texas MD Anderson Cancer Center
(713) 745-9346


From: gpfsug-discuss-bounces at spectrumscale.org<
gpfsug-discuss-bounces at spectrumscale.org> on behalf of Buterbaugh, Kevin L
<Kevin.Buterbaugh at Vanderbilt.Edu>
Sent: Wednesday, March 27, 2019 10:59:17 AM
To: gpfsug main discussion list
Subject: [EXT] [gpfsug-discuss] Adding to an existing GPFS ACL

Hi All,

First off, I have very limited experience with GPFS ACL’s, so please
forgive me if I’m missing something obvious here.  AFAIK, this is the first
time we’ve hit something like this…

We have a fileset where all the files / directories have GPFS NFSv4 ACL’s
set on them.  However, unlike most of our filesets where the same ACL is
applied to every file / directory in the share, this one has different
ACL’s on different files / directories.  Now we have the need to add to the
existing ACL’s … another group needs access.  Unlike regular Unix / Linux
ACL’s where setfacl can be used to just add to an ACL (i.e. setfacl -R
g:group_name:rwx), I’m not seeing where GPFS has a similar command … i.e.
mmputacl seems to expect the _entire_ new ACL to be supplied via either
manual entry or an input file.  That’s obviously problematic in this
scenario.

So am I missing something?  Is there an easier solution than writing a
script which recurses over the fileset, gets the existing ACL with mmgetacl
and outputs that to a file, edits that file to add in the new group, and
passes that as input to mmputacl?  That seems very cumbersome and error
prone, especially if I’m the one writing the script!

Thanks…

Kevin
—
Kevin Buterbaugh - Senior System Administrator
Vanderbilt University - Advanced Computing Center for Research and
Education
Kevin.Buterbaugh at vanderbilt.edu- (615)875-9633

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss


