ACL

An Acl object represents a collection of ACL Entries on a file. An ACL specifies the file access permissions - read, write - for a given set of users and groups.

Depending on the filesystem configuration, ACLs may be of type PosixAclEntry or NfsAclEntry.

Description

arcapix.fs.gpfs.acl.setAclFormat(acl_format)

Set the format that ACLs should be read as.

  • ‘system’ (default): produce ACLs in a format consistent with the filesystem setting
  • ‘nfs4’: Always produce NFS ACLs.
  • ‘posix’: Always produce POSIX ACLs.
  • ‘native’: Always show the ACLs in their ‘true’ form regardless of the filesystem setting.

Note

If the ACL format doesn’t match the format configured for the filesystem, you will not be able to save any changes made to the ACLs.

For example, if the filesystem is configured as nfs4, you will not be able to save posix format ACLs.

arcapix.fs.gpfs.acl.setDefaultedAcls(defaulted=True)

NFSv4 Only.

Sets whether the “special” return values (ownerAcl, nonOwnerAcl, groupAcl) return None, and are missing from the collection, when no entry exists for them.

If this pragma is set, then when an ACL is loaded an equivalent zero-permissions entry is returned instead of None wherever no entry exists.

Code can then assume that those functions always return a legal value; otherwise callers must always check for an (unusual) None value.

NB. With this pragma set, any modification to a file's ACL will cause those default entries to be added to it. This will not have any effect on the security of the files concerned, but will mean the ACL may be less clean than previously.

class arcapix.fs.gpfs.acl.Acl(path)

A collection of the ACLs on a file.

An Access Control List (ACL) specifies the permissions on a file. ACLs may specify different permissions for different users or groups.

>>> assert file.acls.ownerAcl.read

toString()

Dump the ACLs as a string.

new(**kwargs)

Add a new ACL Entry to the ACL.

>>> acl = file.acl.new(type='group', name='domain users', read=True, write=True)

The newly created ACL will be immediately applied to the target file.

The created ACL Entry must be of the same type as this ACL collection, i.e. if the collection has type NFS, the new ACL must also be NFS.

Returns: the newly created acl

destroy(id)

Remove an ACL Entry from the ACL.

>>> acl = file.acls.users()['nobody']
>>> file.acl.destroy(acl.id)

This change is immediately applied to the target file.

replace_from_file(otherfile)

Replace all existing ACLs on this file (or directory) with those from another file (or directory if this file is a directory).

>>> target.acls.replace_from_file(source.acls)

The source ACLs must be the same format as the target ACLs.

Note

This change is immediately applied to the target file, even if lazy writes are enabled.

This doesn’t replace the file owner/group from the other file.

path

Returns the path of the file the ACLs apply to.

Return type: str

type

Returns the type of the ACLs.

Either nfs4 or posix

Return type: str

owner

Returns the name of the user who owns the file.

Return type: str

group

Returns the name of the group which owns the file.

Return type: str

ownerAclEntry

Returns the ACL corresponding to the file owner.

NB. This may return None, which indicates that there is no ACL entry, which whilst unusual is legitimate in NFSv4. See setDefaultedAcls

ownerGroupAclEntry

Returns the ACL corresponding to the file owner’s group.

NB. This may return None, which indicates that there is no ACL entry, which whilst unusual is legitimate in NFSv4. See setDefaultedAcls

nonOwnerAclEntry

Returns the default ACL for non-owner users.

Non-owner users are those who aren’t the file owner and don’t belong to the file owner’s group.

This corresponds to POSIX ‘other’ or NFSv4 ‘everyone’

There may be other ACLs which apply to a specific non-owner user/group.

NB. This may return None, which indicates that there is no ACL entry, which whilst unusual is legitimate in NFSv4. See setDefaultedAcls

filtered(**kwargs)

Finds arbitrary ACL entries which match the specified criteria. The entries are returned as a dictionary mapping an opaque ID to an AclEntry.

e.g.

Acl(…).filtered(allow=True, name='wheel')

fileInherit()

Convenience method for only returning ACL entries tagged with FileInherit (i.e. which will apply to files created within the folder)

Only applicable to NFSv4 ACLs. If using POSIX, {} will be returned.

Return type: dict

dirInherit()

Convenience method for only returning ACL entries tagged with DirInherit (i.e. which will apply to directories created within the folder)

Only applicable to NFSv4 ACLs. If using POSIX, {} will be returned.

Return type: dict

allow()

Return ACL Entries which ‘allow’ access (i.e. which increase the access a user has)

POSIX ACLs only support this type, so all entries are returned.

Return type: dict

deny()

Return ACL Entries which ‘deny’ access (i.e. which reduce the access a user has)

POSIX ACLs do not support this type, so all entries are returned.

Return type: dict

users()

Convenience method for only returning user ACLs

>>> file.acls.users()

Return type: dict

groups()

Convenience method for only returning group based ACL entries

Return type:dict

Examples

Check owner permissions on a file

>>> from arcapix.fs.gpfs.file import File
>>>
>>> # create a File object
... f = File('/mmfs1/data/sample_data/cats/cats-01.jpg')
>>>
>>> # get the ACL for the file owner
... entry = f.acl.ownerAclEntry
>>>
>>> print("read: {}, write: {}, exec: {}".format(entry.read, entry.write, entry.execute))
read: True, write: True, exec: False

Check which groups have read permission for a file

>>> f = File('/mmfs1/data/accounts/audit.doc')
>>>
>>> # iterate over groups with acls
... for group, entry in f.acl.groups().items():
...     print("{0}: {1}".format(group, 'yes' if entry.read else 'no'))
...
admin: yes
sales: yes
vfx: no

Note

This doesn’t necessarily mean users in those groups can read the file, as there may be restrictive permissions on the file’s parent directories
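The two checks above, combined into one audit that also copes with the None entries described under ownerAclEntry and nonOwnerAclEntry. This is an added example, not part of the arcapix documentation: audit, rwx and make_entry are hypothetical helper names, and the sample objects are constructed stand-ins that expose only the attributes documented on this page.

```python
from types import SimpleNamespace

# Attribute names documented above for the three "special" entries.
SPECIAL = ("ownerAclEntry", "ownerGroupAclEntry", "nonOwnerAclEntry")
FLAGS = (("r", "read"), ("w", "write"), ("x", "execute"))


def rwx(entry):
    """Render an entry as rwx flags; a missing (None) entry grants nothing."""
    if entry is None:
        return "---"
    return "".join(f if getattr(entry, attr) else "-" for f, attr in FLAGS)


def audit(acl):
    """Summarise one Acl-like object; flag missing entries and broad write access."""
    perms = {name: rwx(getattr(acl, name)) for name in SPECIAL}
    findings = []
    missing = [name for name in SPECIAL if getattr(acl, name) is None]
    if missing:
        findings.append("no entry for: " + ", ".join(missing))
    if "w" in perms["nonOwnerAclEntry"]:
        findings.append("non-owner (other/everyone) can write")
    writers = sorted(g for g, e in acl.groups().items() if e.write)
    if writers:
        findings.append("groups with write: " + ", ".join(writers))
    return {"path": acl.path, "perms": perms, "findings": findings}


def make_entry(read=False, write=False, execute=False):
    return SimpleNamespace(read=read, write=write, execute=execute)


# Constructed stand-ins, not real arcapix objects, so the example runs offline.
SAMPLE_OK = SimpleNamespace(
    path="/mmfs1/data/accounts/audit.doc",
    ownerAclEntry=make_entry(True, True),
    ownerGroupAclEntry=make_entry(True),
    nonOwnerAclEntry=None,  # legitimate in NFSv4 unless setDefaultedAcls is set
    groups=lambda: {"admin": make_entry(True, True), "vfx": make_entry()},
)
SAMPLE_OPEN = SimpleNamespace(
    path="/mmfs1/data/vfx/constructed-example", groups=lambda: {},
    ownerAclEntry=make_entry(True, True), ownerGroupAclEntry=make_entry(True, True),
    nonOwnerAclEntry=make_entry(True, True),
)

for sample in (SAMPLE_OK, SAMPLE_OPEN):
    print(audit(sample))
```

With the real library, pass f.acl in place of the stand-ins; as the note above says, the result describes the file's own ACL only, not the permissions on its parent directories.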

Add a new inheriting group ACL to a directory

Inheriting ACLs get applied to any files or directories created within the directory.

Note - this is only supported if the filesystem is configured for nfs4 ACLs

>>> from arcapix.fs.gpfs import Filesystem
>>>
>>> # check if the filesystem supports nfs4 acls
... fs = Filesystem('mmfs1')
>>> assert fs.ACLSemantics == 'nfs4'
>>>
>>> f = File('/mmfs1/data/vfx')
>>>
>>> f.acl.new(
...     type='group', name='artists',
...     read=True, write=True,
...     fileInherit=True, dirInherit=True
... )

Replace the acls for all files in a directory tree

Warning

This is very dangerous!

>>> import os
>>> from arcapix.fs.gpfs.clib.utils import walk
>>>
>>> # get the ACL reference file
... source = '/mmfs1/.aclref'
>>>
>>> # walk the directory tree
... for root, dirs, files in walk('/mmfs1/data/sample_data'):
...     for name in files:
...         path = os.path.join(root, name)
...         # update the acls from the reference file
...         File(path).acls.replace_from_file(source)
...
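Because replace_from_file is applied immediately and requires matching formats, a pre-flight pass that validates every target before the first write limits the damage of a bad run. The following is an added example, not part of the arcapix documentation: replace_acls and FakeAcl are hypothetical names, the targets are constructed stand-ins, and the reference is passed as an Acl object as in the replace_from_file description above.

```python
class FakeAcl:
    """Constructed stand-in exposing only path, type and replace_from_file."""

    def __init__(self, path, acl_type):
        self.path, self.type, self.replaced_from = path, acl_type, None

    def replace_from_file(self, other):
        self.replaced_from = other.path  # record the call instead of touching a file


def replace_acls(reference, targets, commit=False):
    """Plan an ACL replacement; nothing is written unless commit=True.

    Every target is checked before the first change is made, because each
    replace_from_file call takes effect immediately. Targets whose format
    differs from the reference are skipped, as are attempts to overwrite
    the reference itself.
    """
    todo, skipped = [], []
    for target in targets:
        if target.path == reference.path:
            skipped.append((target.path, "is the reference"))
        elif target.type != reference.type:
            reason = "format {} != {}".format(target.type, reference.type)
            skipped.append((target.path, reason))
        else:
            todo.append(target)
    if commit:
        for target in todo:
            target.replace_from_file(reference)
    return {"replace": [t.path for t in todo], "skipped": skipped}


# Constructed sample: one reference ACL and two targets of different formats.
REFERENCE = FakeAcl("/mmfs1/.aclref", "nfs4")
TARGETS = [
    FakeAcl("/mmfs1/data/sample_data/cats/cats-01.jpg", "nfs4"),
    FakeAcl("/mmfs1/data/sample_data/constructed-posix-file", "posix"),
]

print(replace_acls(REFERENCE, TARGETS))  # dry run: reports the plan, changes nothing
```

Review the returned plan first, then repeat the call with commit=True to apply it.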