The ANF May release introduced Access Control List support for NFSv4.1 volumes. NFS ACLs have more in common with NTFS style permissions than they have with typical Unix style permissions (i.e. rw-r–r–).
An ACL contains one or more ACEs (Access Control Entries) which define a specific allow or deny rule for a user or group. Let’s look at an example and it will all make sense.
In this example we’ve deployed a vanilla Ubuntu 18.04 LTS Azure virtual machine and provisioned an ANF NFSv4.1 volume. Please note, these steps are not described below.
Step 1
Login to the VM and switch to root.sudo -i
Step 2
Get the latest packages.apt-get update
Step 3
Install the NFS client.apt-get install nfs-common
Step 4
Install the ACL tools. This package contains the nfs4_getfacl and nfs4_setfacl binaries.apt install nfs4-acl-tools
Step 5
Create the local mount folder, in this example /nfs4.mkdir /nfs4
Step 6
Mount the ANF volume to /nfs4. Make sure to replace 12.0.1.8:/volume01-rutger with the correct value.mount -t nfs -o rw,hard,rsize=1048576,wsize=1048576,sec=sys,vers=4.1,tcp 12.0.1.8:/volume01-rutger /nfs4
Step 7
Set permission to 777 so that all users can access the mount point.chmod 777 /nfs4
Step 8
Create a test file.touch /nfs4/file01.txt
We now have /nfs4 (so the folder itself) which is accessible by other users (rwx) and file01.txt which is read-only for other users (r–).
Step 9
Create a new user called user01.adduser user01
Note the user ID (1001) which we need later on.
Step 10
Switch to user01 and confirm the user can access the share, but cannot write to file01.txt.su user01cd /nfs4echo 'test' >> file01.txt
Step 11
Switch back to root. We’ll now have a look at the default ACL for file01.txt.exitnfs4_getfacl /nfs4/file01.txt
In the example above, the ACL for file01.txt contains 3 allow entries (ACEs).
Step 12
We’ll now add an entry for user01.nfs4_setfacl -a A::1001:rwatTnNcCy /nfs4/file01.txt
Let’s deconstruct this nfs4_setfacl command.
-a adds the entry (-x removes an entry)
A defines the access type (A for Allow, D for Deny)
1001 so called principal, in this case the user ID
rwatTnNcCy permission alias (r=read, w=write, a=append etc.)
/nfs4/file01.txt target file
Since we want to write to an existing file, we need the append permission (write is not sufficient).
Step 13
Switch back to user01. Confirm you are now able to write to file01.txt.su user01echo 'test' >> /nfs4/file01.txtcat /nfs4/file01.txt
More tips & tricks
Needless to say there are a lot more options to explore. Here are some more tips.
Use -R to apply entry recursively to all files and folders.nfs4_setfacl -R -a A::1001:rwatTnNcCy /nfs4
Every time your run nfs4_setfacl -a it adds a new entry. To edit an existing entry use -e. This will open the ACL in your default editor.nfs4_setfacl -e /nfs4
Resources
https://man7.org/linux/man-pages/man1/nfs4_setfacl.1.html
https://help.eecs.utk.edu/knowledge-base/linux-topics/nfsv4-acls