ACL
An Acl object represents a collection of ACL entries on a file. An ACL specifies the file access permissions (read, write) for a given set of users and groups.
Depending on the filesystem configuration, ACL entries may be of type PosixAclEntry or NfsAclEntry.
Description

arcapix.fs.gpfs.acl.setAclFormat(acl_format)
Set the format that ACLs should be read as.
- 'system' (default): produce ACLs in a format consistent with the filesystem setting.
- 'nfs4': always produce NFSv4 ACLs.
- 'posix': always produce POSIX ACLs.
- 'native': always show the ACLs in their 'true' form, regardless of the filesystem setting.
Note
If the ACL format doesn't match the format configured for the filesystem, you will not be able to save any changes made to the ACLs. For example, if the filesystem is configured as nfs4, you will not be able to save POSIX format ACLs.
arcapix.fs.gpfs.acl.setDefaultedAcls(defaulted=True)
NFSv4 only.
Sets whether the "special" accessors (ownerAcl, nonOwnerAcl, groupAcl) return None when no entry exists for them (in which case the entry is also missing from the collection).
With this pragma set, when an ACL is loaded these accessors return an equivalent zero-permissions entry instead of None if no entry exists for them.
Code can therefore assume that those functions always return a legal value; otherwise every use must check for an (unusual) None value.
NB. With this pragma set, any modification to a file's ACL will cause those default entries to be added to it. This has no effect on the security of the files concerned, but the ACL may be less clean than previously.
class arcapix.fs.gpfs.acl.Acl(path)
A collection of the ACL entries on a file.
An Access Control List (ACL) specifies the permissions on a file. ACLs may specify different permissions for different users or groups.
>>> assert file.acls.ownerAcl.read
toString()
Dump the ACLs as a string.

new(**kwargs)
Add a new ACL entry to the ACL.
>>> acl = file.acl.new(type='group', name='domain users', read=True, write=True)
The newly created entry is immediately applied to the target file.
The created ACL entry must be of the same type as this ACL collection, i.e. if the collection has type NFSv4, the new entry must also be NFSv4.
Returns: the newly created ACL entry
destroy(id)
Remove an ACL entry from the ACL.
>>> acl = file.acls.users()['nobody']
>>> file.acl.destroy(acl.id)
This change is immediately applied to the target file.
replace_from_file(otherfile)
Replace all existing ACL entries on this file (or directory) with those from another file (or, if this file is a directory, another directory).
>>> target.acls.replace_from_file(source.acls)
The source ACLs must be in the same format as the target ACLs.
Note
This change is immediately applied to the target file, even if lazy writes are enabled.
This does not replace the file owner/group with those of the other file.
ownerAclEntry
Returns the ACL entry corresponding to the file owner.
NB. This may return None, which indicates that there is no such ACL entry; this is unusual but legitimate in NFSv4. See setDefaultedAcls.

ownerGroupAclEntry
Returns the ACL entry corresponding to the file owner's group.
NB. This may return None, which indicates that there is no such ACL entry; this is unusual but legitimate in NFSv4. See setDefaultedAcls.

nonOwnerAclEntry
Returns the default ACL entry for non-owner users.
Non-owner users are those who are neither the file owner nor members of the file owner's group.
This corresponds to POSIX 'other' or NFSv4 'everyone'.
There may be other ACL entries which apply to a specific non-owner user or group.
NB. This may return None, which indicates that there is no such ACL entry; this is unusual but legitimate in NFSv4. See setDefaultedAcls.
filtered(**kwargs)
Finds arbitrary ACL entries which match the criteria specified. The entries are returned as a dictionary mapping an opaque ID to an AclEntry.
e.g.
Acl(…).find(allow=True, name='wheel')
fileInherit()
Convenience method returning only the ACL entries tagged with FileInherit (i.e. those which will apply to files created within the folder).
Only applicable to NFSv4 ACLs. If using POSIX, {} will be returned.
Return type: dict

dirInherit()
Convenience method returning only the ACL entries tagged with DirInherit (i.e. those which will apply to directories created within the folder).
Only applicable to NFSv4 ACLs. If using POSIX, {} will be returned.
Return type: dict

allow()
Return the ACL entries which 'allow' access (i.e. which increase the access a user has).
POSIX ACLs only support this type, so all entries are returned.
Return type: dict

Examples
Check owner permissions on a file
>>> from arcapix.fs.gpfs.file import File
>>>
>>> # create a File object
... f = File('/mmfs1/data/sample_data/cats/cats-01.jpg')
>>>
>>> # get the ACL for the file owner
... entry = f.acl.ownerAclEntry
>>>
>>> print("read: {}, write: {}, exec: {}".format(entry.read, entry.write, entry.execute))
read: True, write: True, exec: False
Check which groups have read permission for a file
>>> f = File('/mmfs1/data/accounts/audit.doc')
>>>
>>> # iterate over groups with acls
... for group, entry in f.acl.groups().items():
... print("{0}: {1}".format(group, 'yes' if entry.read else 'no'))
...
admin: yes
sales: yes
vfx: no
Note
This doesn't necessarily mean users in those groups can read the file, as there may be restrictive permissions on the file's parent directories.
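The note above is the part most often missed in an access review: a group that is granted read on the file is still blocked if any parent directory denies it traverse (execute) permission. The following is an added example, not arcapix code, that makes the check explicit. The Entry and ObjectAcl classes are constructed stand-ins for the library's entry types, the TREE dictionary is constructed sample data, and the model deliberately ignores NFSv4 deny entries and owner membership, so it illustrates the point rather than replacing a full NFSv4 evaluator.

```python
from dataclasses import dataclass, field
import posixpath


@dataclass
class Entry:
    """Constructed stand-in for an ACL entry: the permission bits discussed on the page."""
    read: bool = False
    write: bool = False
    execute: bool = False


@dataclass
class ObjectAcl:
    """Constructed stand-in for one object's ACL: owner, owner group, 'everyone' and named groups."""
    owner: Entry
    owner_group: Entry
    everyone: Entry                                # POSIX 'other' / NFSv4 'everyone'
    groups: dict = field(default_factory=dict)     # group name -> Entry, like acl.groups()


# Constructed sample tree (not real filesystem data). /mmfs1/data grants no traverse
# (execute) bit to 'everyone' and names only 'admin' and 'sales', so any other group
# is cut off there even if the file itself grants it read.
TREE = {
    "/mmfs1": ObjectAcl(
        Entry(True, True, True), Entry(True, False, True), Entry(True, False, True)),
    "/mmfs1/data": ObjectAcl(
        Entry(True, True, True), Entry(True, False, True), Entry(False, False, False),
        {"admin": Entry(True, False, True), "sales": Entry(True, False, True)}),
    "/mmfs1/data/accounts": ObjectAcl(
        Entry(True, True, True), Entry(True, False, True), Entry(False, False, False),
        {"admin": Entry(True, False, True), "sales": Entry(True, False, True)}),
    "/mmfs1/data/accounts/audit.doc": ObjectAcl(
        Entry(True, True, False), Entry(True, False, False), Entry(False, False, False),
        {"admin": Entry(True), "sales": Entry(True), "vfx": Entry(False), "hr": Entry(True)}),
}


def group_entry(acl, group):
    """The entry that applies to `group` on one object: its named entry if present, else 'everyone'."""
    return acl.groups.get(group, acl.everyone)


def ancestors(path):
    """Directories that must be traversed to reach `path`, root-most first."""
    result = []
    parent = posixpath.dirname(path)
    while parent and parent != "/":
        result.append(parent)
        parent = posixpath.dirname(parent)
    return list(reversed(result))


def can_group_read(tree, path, group):
    """Return (allowed, blocking_path). A group can read `path` only if every ancestor
    directory grants it execute (traverse) and the file itself grants read."""
    for directory in ancestors(path):
        if not group_entry(tree[directory], group).execute:
            return False, directory
    if not group_entry(tree[path], group).read:
        return False, path
    return True, None


if __name__ == "__main__":
    target = "/mmfs1/data/accounts/audit.doc"
    for group in ("admin", "sales", "vfx", "hr"):
        allowed, blocker = can_group_read(TREE, target, group)
        detail = "" if allowed else " (blocked at {})".format(blocker)
        print("{}: {}{}".format(group, "yes" if allowed else "no", detail))
```

In the sample data 'hr' has read on audit.doc yet cannot reach it, which is exactly the case the note warns about; reporting the blocking directory rather than a bare yes/no is what makes such a review actionable.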
Add a new inheriting group ACL to a directory
Inheriting ACL entries get applied to any files or directories created within the directory.
Note - this is only supported if the filesystem is configured for nfs4 ACLs.
>>> from arcapix.fs.gpfs import Filesystem
>>>
>>> # check if the filesystem supports nfs4 acls
... fs = Filesystem('mmfs1')
>>> assert fs.ACLSemantics == 'nfs4'
>>>
>>> f = File('/mmfs1/data/vfx')
>>>
>>> f.acl.new(
... type='group', name='artists',
... read=True, write=True,
... fileInherit=True, dirInherit=True
... )
Replace the ACLs for all files in a directory tree
Warning
This is very dangerous!
>>> import os
>>> from arcapix.fs.gpfs.clib.utils import walk
>>>
>>> # get the ACL reference file
... source = '/mmfs1/.aclref'
>>>
>>> # walk the directory tree
... for root, dirs, files in walk('/mmfs1/data/sample_data'):
... for name in files:
... path = os.path.join(root, name)
... # update the acls from the reference file
... File(path).acls.replace_from_file(source)
...
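Because the walk above rewrites every file it visits with no preview, a practitioner would normally want to see the list of affected files before committing to it. The following is an added example, not arcapix code: it separates planning from applying, uses the standard library's os.walk in place of arcapix.fs.gpfs.clib.utils.walk (an assumption, since the page gives no details of that function), skips symbolic links and the reference file itself, and defaults to a dry run. The scratch tree it builds under a temporary directory is constructed sample data standing in for /mmfs1; the real replace call from the page would be passed in as the `replace` callable.

```python
import os
import tempfile


def plan_acl_targets(root, reference):
    """Regular files below `root` whose ACLs a bulk replace would touch.
    Symbolic links are neither followed nor included, and the reference file
    itself is skipped so the walk can never overwrite its own source."""
    root = os.path.realpath(root)
    reference = os.path.realpath(reference)
    targets = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.realpath(path) == reference:
                continue
            targets.append(path)
    return sorted(targets)


def apply_acl_plan(targets, replace, dry_run=True):
    """Run `replace(path)` for each planned target. With dry_run (the default)
    nothing is modified; the returned list is what would be (or was) changed."""
    touched = []
    for path in targets:
        if not dry_run:
            replace(path)
        touched.append(path)
    return touched


def build_sample_tree():
    """Constructed scratch tree in a temporary directory, standing in for /mmfs1."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="aclwalk-"))
    os.makedirs(os.path.join(base, "data", "cats"))
    for rel in ("data/cats/cats-01.jpg", "data/notes.txt", "data/.aclref"):
        open(os.path.join(base, rel), "w").close()
    # a symlink inside the tree that a naive walk might follow or rewrite
    os.symlink(os.path.join(base, "data", "notes.txt"),
               os.path.join(base, "data", "link.txt"))
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    reference = os.path.join(base, "data", ".aclref")
    plan = plan_acl_targets(os.path.join(base, "data"), reference)
    for path in apply_acl_plan(plan, replace=lambda p: None):   # dry run: report only
        print("would replace ACL on", path)
    # A real run would pass the page's call instead, e.g.
    # apply_acl_plan(plan, lambda p: File(p).acls.replace_from_file(reference), dry_run=False)
```

Keeping the plan as a plain list also means it can be written to a log before the destructive step, which gives an incident responder a record of exactly which files had their ACLs reset.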