Data / Storage Security

NFSv4.1 ACLs on Azure NetApp Files

The ANF May release introduced Access Control List support for NFSv4.1 volumes. NFSv4 ACLs have more in common with NTFS style permissions than with the classic Unix mode bits (i.e. rw-r--r--): instead of three fixed classes, an ACL holds an ordered list of allow and deny entries for arbitrary users and groups.

An ACL contains one or more ACEs (Access Control Entries), each of which defines an allow or deny rule for a single user or group. ACEs are evaluated in order, so position matters. Let's look at an example and it will all make sense.

In this example we’ve deployed a vanilla Ubuntu 18.04 LTS Azure virtual machine and provisioned an ANF NFSv4.1 volume. Please note, these steps are not described below.

Step 1
Login to the VM and switch to root.
sudo -i

Step 2
Get the latest packages.
apt-get update

Step 3
Install the NFS client.
apt-get install nfs-common

Step 4
Install the ACL tools. This package contains the nfs4_getfacl and nfs4_setfacl binaries.
apt install nfs4-acl-tools

Step 5
Create the local mount folder, in this example /nfs4.
mkdir /nfs4

Step 6
Mount the ANF volume to /nfs4. Make sure to replace 12.0.1.8:/volume01-rutger with the correct value.
mount -t nfs -o rw,hard,rsize=1048576,wsize=1048576,sec=sys,vers=4.1,tcp 12.0.1.8:/volume01-rutger /nfs4

Step 7
Set the mode to 777 so that all local users can reach the mount point. This is a lab shortcut only; on a real volume, keep the mode restrictive and grant access through the ACL instead.
chmod 777 /nfs4

Step 8
Create a test file.
touch /nfs4/file01.txt

We now have /nfs4 (so the folder itself) which is accessible by other users (rwx) and file01.txt which, having been created by root with the default umask, is read-only for other users (r--).

Step 9
Create a new user called user01.
adduser user01

Note the user ID (1001 on a fresh Ubuntu image, where the admin user already has 1000) which we need later on. You can always retrieve it with id -u user01.

Step 10
Switch to user01 and confirm the user can access the share, but cannot write to file01.txt (the append below fails with "Permission denied").
su user01
cd /nfs4
echo 'test' >> file01.txt

Step 11
Switch back to root. We’ll now have a look at the default ACL for file01.txt.
exit
nfs4_getfacl /nfs4/file01.txt

In the example above, the ACL for file01.txt contains 3 allow entries (ACEs). These are synthesized from the mode bits: one entry each for the special principals OWNER@, GROUP@ and EVERYONE@, mirroring the rw-r--r-- permissions.

Step 12
We’ll now add an entry for user01.
nfs4_setfacl -a A::1001:rwatTnNcCy /nfs4/file01.txt

Let's deconstruct this nfs4_setfacl command. The ACE itself has the form type:flags:principal:permissions; the flags field is empty here (it is used for things like inheritance or marking the principal as a group).
-a adds the entry at the top of the ACL by default (-x removes an entry)
A defines the access type (A for Allow, D for Deny)
(empty) the flags field
1001 the so called principal, in this case the numeric user ID (with sec=sys and no ID mapping, numeric IDs are what the server sees)
rwatTnNcCy the permission letters: r=read data, w=write data, a=append data, t=read attributes, T=write attributes, n=read named attributes, N=write named attributes, c=read ACL, C=write ACL, y=synchronize
/nfs4/file01.txt target file

Since we want to append to an existing file (>> opens the file with O_APPEND), we need the append permission as well; write alone is not sufficient.

Step 13
Switch back to user01. Confirm you are now able to write to file01.txt.
su user01
echo 'test' >> /nfs4/file01.txt
cat /nfs4/file01.txt
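The steps above can only be exercised against a real NFSv4.1 mount. As an added example (not code from the original post, and not an ANF or nfs4-acl-tools utility), the script below reproduces the pieces a practitioner wants to reason about offline: it builds an ACE in the type:flags:principal:permissions syntax that nfs4_setfacl accepts, validates the permission letters, inserts the entry at the top of an ACL the way nfs4_setfacl -a does by default, and evaluates a permission for a given uid/gid with first-match-wins ordering. The starting ACL is a constructed sample of what nfs4_getfacl prints for a root-owned mode-0644 file; the exact output on an ANF volume may differ, and the evaluator only handles OWNER@, GROUP@, EVERYONE@, numeric user IDs and g-flagged group IDs.

```shell
#!/bin/sh
# Added example: build and evaluate NFSv4 ACEs offline. Hypothetical helpers,
# not part of nfs4-acl-tools or Azure NetApp Files.

# Constructed sample of nfs4_getfacl output for a root-owned 0644 file
# (three mode-derived allow entries, as in the post's Step 11).
SAMPLE_ACL='A::OWNER@:rwatTcCy
A::GROUP@:rtcy
A::EVERYONE@:rtcy'

# build_ace TYPE FLAGS PRINCIPAL PERMS
# Prints "TYPE:FLAGS:PRINCIPAL:PERMS" or fails on an unknown type or
# permission letter (the letters are the ones nfs4_setfacl understands).
build_ace() {
  ace_type=$1; ace_flags=$2; ace_who=$3; ace_perms=$4
  case "$ace_type" in
    A|D|U|L) ;;
    *) echo "build_ace: bad ACE type '$ace_type'" >&2; return 1 ;;
  esac
  case "$ace_perms" in
    ''|*[!rwaxdDtTnNcCoy]*) echo "build_ace: bad permissions '$ace_perms'" >&2; return 1 ;;
  esac
  printf '%s:%s:%s:%s\n' "$ace_type" "$ace_flags" "$ace_who" "$ace_perms"
}

# add_ace ACL ACE [INDEX]
# Prints ACL with ACE inserted at 1-based INDEX. Default is 1, i.e. the new
# entry goes to the top, which is what nfs4_setfacl -a does without an index.
add_ace() {
  printf '%s\n' "$1" | awk -v ace="$2" -v idx="${3:-1}" '
    NR == idx { print ace }
    { print }
    END { if (NR < idx) print ace }'
}

# acl_check ACL UID GID OWNER_UID OWNER_GID PERM
# Walks the ACL in order; the first A or D entry that matches the caller and
# lists PERM decides. No matching entry means the permission is denied.
acl_check() {
  printf '%s\n' "$1" | awk -F: -v uid="$2" -v gid="$3" -v ouid="$4" -v ogid="$5" -v perm="$6" '
    $1 == "" { next }                      # skip blank lines
    $1 != "A" && $1 != "D" { next }        # audit/alarm entries do not grant or deny
    {
      who = $3; flags = $2; perms = $4; hit = 0
      if (who == "EVERYONE@") hit = 1
      else if (who == "OWNER@" && uid == ouid) hit = 1
      else if (who == "GROUP@" && gid == ogid) hit = 1
      else if (index(flags, "g") > 0 && who == gid) hit = 1   # g flag: principal is a group
      else if (index(flags, "g") == 0 && who == uid) hit = 1
      if (hit && index(perms, perm) > 0) {
        decided = 1
        print ($1 == "A") ? "allow" : "deny"
        exit
      }
    }
    END { if (!decided) print "deny" }'
}

# Stand-alone walk-through mirroring Steps 10 to 13 for uid 1001 (not the owner).
demo() {
  echo "before: append for uid 1001 -> $(acl_check "$SAMPLE_ACL" 1001 1001 0 0 a)"
  new_ace=$(build_ace A '' 1001 rwatTnNcCy)
  new_acl=$(add_ace "$SAMPLE_ACL" "$new_ace")
  echo "ACL after nfs4_setfacl -a $new_ace:"
  printf '%s\n' "$new_acl"
  echo "after:  append for uid 1001 -> $(acl_check "$new_acl" 1001 1001 0 0 a)"
}

demo
```

Two things the script makes visible that the commands alone do not: a deny entry inserted above an allow wins for the permissions it names, which is why the default insertion at index 1 matters when you mix A and D entries, and a permission absent from every matching entry is denied even though nothing says so explicitly.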

More tips & tricks
Needless to say there are a lot more options to explore. Here are some more tips.

Use -R to apply the entry recursively to all files and folders below the target.
nfs4_setfacl -R -a A::1001:rwatTnNcCy /nfs4

Every time you run nfs4_setfacl -a it adds a new entry rather than updating an existing one, so repeated runs leave duplicate ACEs. To edit an existing entry use -e, which opens the ACL in your default editor.
nfs4_setfacl -e /nfs4

Resources
https://man7.org/linux/man-pages/man1/nfs4_setfacl.1.html
https://help.eecs.utk.edu/knowledge-base/linux-topics/nfsv4-acls
