The ANF May release introduced Access Control List support for NFSv4.1 volumes. NFS ACLs have more in common with NTFS style permissions than with typical Unix style mode bits (i.e. rw-r--r--).
An ACL contains one or more ACEs (Access Control Entries) which define a specific allow or deny rule for a user or group. Let’s look at an example and it will all make sense.
In this example we’ve deployed a vanilla Ubuntu 18.04 LTS Azure virtual machine and provisioned an ANF NFSv4.1 volume. Please note, these steps are not described below.
Login to the VM and switch to root.
Get the latest packages.
Install the NFS client.
apt-get install nfs-common
Install the ACL tools. This package contains the nfs4_getfacl and nfs4_setfacl binaries.
apt install nfs4-acl-tools
Create the local mount folder, in this example /nfs4.
Mount the ANF volume to /nfs4. Make sure to replace 220.127.116.11:/volume01-rutger with the correct value.
mount -t nfs -o rw,hard,rsize=1048576,wsize=1048576,sec=sys,vers=4.1,tcp 18.104.22.168:/volume01-rutger /nfs4
Set permission to 777 so that all users can access the mount point.
chmod 777 /nfs4
Create a test file.
We now have /nfs4 (so the folder itself) which is accessible by other users (rwx) and file01.txt which is read-only for other users (r--).
Create a new user called user01.
Note the user ID (1001) which we need later on.
Switch to user01 and confirm the user can access the share, but cannot write to file01.txt.
echo 'test' >> file01.txt
Switch back to root. We’ll now have a look at the default ACL for file01.txt.
In the example above, the ACL for file01.txt contains 3 allow entries (ACEs).
We’ll now add an entry for user01.
nfs4_setfacl -a A::1001:rwatTnNcCy /nfs4/file01.txt
Let’s deconstruct this nfs4_setfacl command.
-a adds the entry (-x removes an entry)
A defines the access type (A for Allow, D for Deny)
1001 is the so-called principal, in this case the user ID
rwatTnNcCy is the permission string (r=read, w=write, a=append, etc.)
/nfs4/file01.txt is the target file
Since we want to write to an existing file, we need the append permission (write is not sufficient).
Switch back to user01. Confirm you are now able to write to file01.txt.
echo 'test' >> /nfs4/file01.txt
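To check who an ACL actually grants a given permission to, here is an added shell helper that parses ACE lines in the type:flags:principal:permissions form used above; it is example code, not from the original post or the ANF tooling, and the embedded ACL text is a constructed sample of what file01.txt could look like after the nfs4_setfacl step.

```shell
#!/bin/sh
# Constructed sample of nfs4_getfacl output for /nfs4/file01.txt after
# "nfs4_setfacl -a A::1001:rwatTnNcCy" (assumed, not captured from a real volume).
SAMPLE_ACL='# file: /nfs4/file01.txt
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rtncy
A::EVERYONE@:rtncy
A::1001:rwatTnNcCy'

# acl_principals_with ACL_TEXT PERMLETTER
# Prints one principal per line for every Allow ACE that grants PERMLETTER
# (e.g. "a" = append-data, "C" = write-ACL). Deny ACEs and comment lines are skipped.
acl_principals_with() {
    printf '%s\n' "$1" | awk -F: -v perm="$2" '
        $1 == "A" && index($4, perm) > 0 { print $3 }
    '
}

# acl_check ACL_TEXT PRINCIPAL PERMLETTER
# Exit status 0 when PRINCIPAL has an Allow ACE containing PERMLETTER, 1 otherwise.
acl_check() {
    acl_principals_with "$1" "$3" | grep -qx -- "$2"
}

# acl_world_writable ACL_TEXT
# Exit status 0 when EVERYONE@ may write or append, which is worth flagging on a share.
acl_world_writable() {
    acl_check "$1" EVERYONE@ w || acl_check "$1" EVERYONE@ a
}

# Demonstration on the constructed sample: who may rewrite the ACL itself (C)?
echo "Principals with write-ACL (C):"
acl_principals_with "$SAMPLE_ACL" C
```

On a real mount, feed the helper live output instead of the sample, for example acl_principals_with "$(nfs4_getfacl /nfs4/file01.txt)" C.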
More tips & tricks
Needless to say there are a lot more options to explore. Here are some more tips.
Use -R to apply the entry recursively to all files and folders.
nfs4_setfacl -R -a A::1001:rwatTnNcCy /nfs4
Every time you run nfs4_setfacl -a it adds a new entry. To edit an existing entry use -e. This will open the ACL in your default editor.
nfs4_setfacl -e /nfs4