Managing File and Directory ACEs
Describes the implications of setting access control expressions on files and directories.
A file Access Control Expression (ACE) allows you to define access (allowlist and denylist) to files and directories for a combination of users, groups, and roles. If access control expression (ACE)s are not set, POSIX mode bits for the file or directory are used to grant or deny access to the file or directory.
When you set access control expression (ACE)s, Data Fabric sets or resets the corresponding POSIX mode bits to match the permissions granted through access control expression (ACE)s.
- If both access control expression (ACE)s and POSIX mode bits are set, access is granted if access is allowed through access control expression (ACE)s or POSIX mode bits.
- If access control expression (ACE)s are not set, POSIX mode bits are used to grant access.
- If neither access control expression (ACE)s nor POSIX mode bits are set, access is denied.
File ACEs
| Access Type | Description | |
|---|---|---|
| Command Line | Java API (Enum) | |
-readfile |
READFILE |
Read a file. |
-writefile |
WRITEFILE |
Write to a file. |
-executefile |
EXECUTEFILE |
Execute a file. |
Directory ACEs
=| Access Type | Description | |
|---|---|---|
| Command Line | Java API (Enum) | |
-readfile |
READFILE |
Read a file. |
-writefile |
WRITEFILE |
Write to a file. |
-executefile |
EXECUTEFILE |
Execute a file. |
-readdir |
READDIR |
List the contents of a directory. This access is required to write and/or execute files in the directory. |
-lookupdir |
LOOKUPDIR |
Lookup a file in a directory. This access is required to find, read, write, and/or execute files in the directory. |
-addchild |
ADDCHILD |
Add a file or subdirectory. |
-deletechild |
DELETECHILD |
Delete a file or subdirectory. |
Although you can set both file and directory access control expression (ACE)s on directories, only the directory access control expression (ACE)s are used for determining access to the directory. The file access control expression (ACE) on the directory is used as the default access control expression (ACE) setting for new files under that directory.
By default, when you set access control expression (ACE)s on a parent directory:
- Permissions for existing files and subdirectories under that parent remain unchanged.
- New files under that parent inherit the file access control expression (ACE)s and corresponding POSIX mode bits of the parent directory, if available. Otherwise, new files get the default access control expression (ACE), the empty string (""), which indicates that no one has permissions to read, write, or execute the file. POSIX mode bits are set on the file in the traditional way.
- New subdirectories under the parent inherit both the directory and file access control expression (ACE)s and corresponding POSIX mode bits from the parent directory.
Workaround for Execute Operation when ACES are set on an executable file
When access control expression (ACE)s are set on any file, mode bits are cleared. For a binary to execute, the kernel checks whether the execute bit is set or not, and restricts execution if it is not set. To run an executable file with access control expression (ACE)s set on it, use one of the following workarounds:
-
Set owner mode exec bit on binaries/shell scripts.
-
Set group mode exec bit on binaries/shell scripts.
-
Change owning group for the files to the group used in MapRAces, and set the executable group mode bit.