Print Email PDF

Managing File Creation Permissions and Owner Rights in Qumulo-Hosted NFSv3 Exports

IN THIS ARTICLE

This article explains how you can manage new file creation permissions and owner rights in Qumulo-hosted NFSv3 exports by using Qumulo's cross-protocol permissions (XPP). You can apply this configuration by using a Windows client or the qq CLI.

COMMON NFSv3 EXPORT MANAGEMENT ISSUES

Storage administrators often face two scenarios when managing NFSv3 exports in shared environments: having to enforce a global umask setting for all users and having to control the file owner rights of NFSv3 users. This section gives an overview of these scenarios.

Enforcing a Global umask Setting for All Users

In POSIX systems, the user's local umask setting determines the permissions that the system applies to new files. umask applies a mask to a standard, octal 0777 mode. This mode represents the permissions equivalent to Read, Write, and Execute for User, Group Owner, and Others.

0777 = rwxrwxrwx

The system subtracts the user's local umask value from 0777 and applies the final, octal permissions mode to the new file.

In the following example, the user's umask value is 0022:

0777 - 0022 = 0755 rwxr-xr-x

In the following example, the user's umask value is 0002:

0777 - 0002 = 0775 rwxrwxr-x   

The umask setting can vary across different systems and a local user can change this setting without requiring privilege escalation. This can lead to the potentially undesirable state in which NFSv3 users can create files with incorrect permissions in shared environments.

Controlling the File Owner Rights of NFSv3 Users

In POSIX systems, the file owner has certain implicit rights that include the ability to set any permission mode on the files she owns.

The following example shows how you can apply a new permission mode by using the chmod command that strips all rights from all users while allowing the application of a more permissive mode later.

ls -l
-rwxrwxr-x 1 user group file 
  
chmod 000 file

ls -l
---------  1 user group file

chmod 0700 file

ls -l
-rwx------ 1 user group file

Because this is an implicit POSIX user right, and elevated privileges aren't required to perform this operation, this configuration often causes difficulties for storage administrators, for example if a local user uses the chmod command to remove group rights in shared access environments. This can break access for other users.

USING QUMULO'S CROSS-PROTOCOL PERMISSIONS (XPP)

This section explains how you can use Qumulo's cross-protocol permissions (XPP) to manage global umask settings and file owner rights issues.

XPP allows the storage administrator to take advantage of both POSIX and NTFS (Windows ACL) permission management tools across all protocols that the Qumulo File System supports. The system stores these permissions in a single unified QACL format which you can apply at any point in the file system in a per-file or per-directory basis without setting any special state on the cluster.

Note: After you apply the NTFS ACL, the following conditions take place.

  • The system applies a specific set of permissions for every newly created file or directory regardless of a user’s local umask settings.
  • File owners cannot change permissions of files they own, for example, by using chmod.
  • The system writes the user’s primary group as the group owner of newly created files and directories.
  • You can apply setgid to directories to enforce a specific group owner.

Special NTFS Security Identifiers (SIDs)

You can manage client behavior by using four special SIDs.

  • Owner Rights: (S-1-3-4) This SID allows the administrator to set the most permissive future rights that a file owner has on her files. This SID also allows the administrator to selectively Deny any of the 14 individual rights available in the ACL.
    For example, you can use Owner Rights to deny the file owner the WRITE_ACL right, which is equal to the Change Permission right.
    Important: If the NFSv3 user makes a chmod or setattr request for files which she owns and which a Deny Change Permission in the Owner Rights ACL entry controls, the XPP returns a false positive. The requested operation appears to succeed, allowing tools that can modify permissions (such as cp, rsync,  and vi) to continue to work. However, the system takes no action.
  • Creator Owner: (S-1-3-0) This SID determines the future rights that a user has for files that she creates in a directory where this SID is present.
  • Creator Group: (S-1-3-1) This SID determines the future rights that members of the user’s primary group have to any files created in a directory where this SID is present.
  • Everyone: (S-1-1-0) This SID determines the rights of any user not covered under the other special SIDs and any user that has access to this point in the file system. This SID is equivalent to the POSIX Others group.

APPLYING THE CONFIGURATION BY USING A WINDOWS CLIENT

This section explain how you can apply the configuration by using a Windows client, including applying the Owner Rights, Creator Owner, Creator Group, Everyone or POSIX Others entries to your access control list (ACL) and adding the baseline rights to your managed directory.

Step 1: Clear Out Your ACL

  1. Mount your Qumulo cluster by using an account that has administrator or data-administrator privileges.
  2. Navigate to a directory in your file system to which you want to apply rights.
  3. Right-click the directory and then click Properties > Security.
  4. Click Advanced.
  5. To clear all of the entries in the access control list (ACL), select each entry and then click Remove, until the ACL is empty.

Step 2: Apply the Owner Rights Entry

The owner rights entry is the portion of the ACL that prevents NFS file owners from changing permissions on their own files.

  1. In the ACL, click Add > Select Principal.
  2. In the Select User window, type owner and then click Check Names.
  3. When OWNER_RIGHTS appears in the window, click OK.
  4. To remove all rights, click Show Advanced Permissions > Clear all.
  5. Check the correct Change permissions.
  6. From the Type: list, choose Deny.
  7. Ensure that Applies to: is set to This folder, subfolders and files.
  8. Click OK.
    Important: Don't click Apply.

Step 3: Apply the Creator Owner Entry

The creator owner entry is the portion of the ACL that determines the future rights that a file owner will have. This entry corresponds to the User section of the POSIX file permissions.

  1. In the ACL, click Add > Select Principal.
  2. Into the search field, type Creator Owner, click Check Names, and then click OK.
  3. Click Show advanced permissions.
    1. Ensure that Type: is set to Allow.
    2. Ensure that Applies to: is set to This folder, subfolders and files.
    3. Enable all rights, except for the following:
      • Delete
      • Change Permissions
      • Take Ownership
  4. Click OK.
    Important: Don't click Apply.

Step 4: Apply the Creator Group Entry

The creator group entry is the portion of the ACL that determines the future rights of members of the file creator’s primary group. This section corresponds to the group owner section of the POSIX file permissions.

  1. In the ACL, click Add > Select Principal.
  2. Into the search field, type Creator Group and then click Check Names.
  3. Click OK.
  4. Click Show advanced permissions.
    1. Ensure that Type: is set to Allow.
    2. Ensure that Applies to: is set to This folder, subfolders and files.
    3. Enable all rights except for the following:
      • Delete
      • Change Permissions
      • Take Ownership
  5. Click OK.
    Important: Don't
     click Apply.

Step 5: Apply the Everyone or POSIX Others Entry

You can use the special security identifier (SID) Everyone to determine the rights of users that aren't covered by the entries that we discuss above. For example, if the  Others umask position is set to 0 or no rights (770), you can omit the Everyone entry from the ACL.

If you need to use a different mode for the Others entry, follow the steps above by specifying Creator Group instead of Everyone and modifying the rights selection as necessary.

Step 6: Apply Baseline Rights to the Start of Your Managed Directory

For any groups or users whom you expect to use this portion of the file system through NFSv3, you must add a set of starter rights. These rights need to exist only at the very start of the directory. A non-inheritable entry manages these rights.

In the following example, we use the Active Directory (AD) group Domain Users.

  1. In the ACL, click Add > Select Principal.
  2. Into the search field, type Domain Users and then click Check Names.
  3. Click OK.
  4. Click Show advanced permissions.
    1. Ensure that Type: is set to Allow.
    2. Ensure that Applies to: is set to This folder only.
    3. Enable all rights except for the following:
      • Delete
      • Change Permissions
      • Take ownership
  5. Click OK.
  6. Click Apply.
    A dialog box warns that you are about to apply a Deny entry.
  7. Click OK.

You have now set the umask equivalent mode. You can begin using the owner permissions controls.

APPLYING THE CONFIGURATION BY USING THE QQ CLI

This section explain how you can apply the configuration by using twoqq CLI commands.

  • The qq fs_set_acl command lets you replace a QACL with a new QACL completely by using a JSON file. We recommend using this command to create a clean copy of an ACL which you can then export to JSON for future use or apply to multiple directories.
  • The qq fs_modify_acl command lets you edit individual QACLs, including adding or removing entries. We recommend using this command to looking up user identities in AD or if you create a new QACL by using the qq CLI.

Notes:

  • If your paths have spaces in their names, place the paths in quotation marks.
  • Use absolute file paths with all qq CLI commands (relative to the Qumulo file system root).

To Set ACL Configuration by Using the qq fs_set_acl Command

In the following example, after we used a Windows client to apply a configuration, we want to apply the QACL to other places in the file system.

  1. Run the qq fs_set_acl command. Specify the path to the source directory (relative to the Qumulo file system root) and output umask to a JSON file, for example:
    qq fs_get_acl --path "/path/to/source" \
    --json > /some/local/path/umask.json
  2. Run the qq fs_set_acl command. Specify the path to the target directory (relative to the Qumulo file system root) and output umask to a JSON file, for example:
    qq fs_set_acl --path "/path/to/target" \
    --file /some/local/path/umask.json
    This command replaces the QACL in the target with the QACL stored in umask.json. You have now set the umask equivalent mode. You can begin using the owner permissions controls.

To Modify ACL Configuration by Using the qq fs_modify_acl Command

In the following example, we create a new QACL.

  1. To clear an existing QACL in the target directory, run the qq fs_modify_acl command and use the remove_entry to clear the rights, for example:
    qq fs_modify_acl --path /path/to/target remove_entry -a
  2. To add the Creator Owner entry, run the qq fs_modify_acl command, specify the path to the target directory and use the add_entry to specify the rights, for example:
    qq fs_modify_acl --path "/path/to/target" add_entry \
    -t "Creator Owner"
    -y Allowed
    -r "Read, Write directory, Write file, Add file, Add subdir, \
    Delete child, Execute, Execute/Traverse, Extend file, \
    Read ACL, Read EA, Read attr, Read contents, Synchronize, \
    Traverse, Write EA, Write attr, Write data"
    -f "Container inherit" "Object inherit" "Inherit Only"
  3. To add the Creator Group entry, run the qq fs_modify_acl command, specify the path to the target directory and use add_entry to specify the rights, for example:
    qq fs_modify_acl --path "/path/to/target" add_entry \
    -t "Creator Group"
    -y Allowed
    -r "Read, Write directory, Write file, Add file, Add subdir, \
    Delete child, Execute, Execute/Traverse, Extend file, \
    Read ACL, Read EA,Read attr, Read contents, Synchronize, \
    Traverse, Write EA, Write attr, Write data"
    -f "Container inherit" "Object inherit" "Inherit Only"
  4. To add the Owner Rights Deny Write entry, run the qq fs_modify_acl command, specify the path to the target directory and use add_entry to specify the rights, for example:
    qq fs_modify_acl --path "/path/to/target" add_entry \
    -t "Owner Rights" \
    -y Denied \
    -r "Write ACL" \
    -f "Container inherit" "Object inherit"
  5. To add the baseline rights for domain users, run the qq fs_modify_acl command, specify the path to the target directory and use add_entry to specify the rights, for example:
    qq fs_modify_acl --path "/path/to/target" add_entry \
    -t "Domain Users" \
    -y Allowed \
    -r "Read, Write directory, Write file, Add file, Add subdir, \
    Delete child, Execute, Execute/Traverse, Extend file, \
    Read ACL, Read EA, Read attr, Read contents, Synchronize, \
    Traverse, Write EA, Write attr, Write data"
    You have now set the umask equivalent mode. You can begin using the owner permissions controls.
Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.

Have more questions?
Open a Case
Share it, if you like it.