- Notes, cautions, and warnings
- Overview
- Getting Started with ECS
- Storage Pools, VDCs, and Replication Groups
- Authentication Providers
- Namespaces
- Users and Roles
- Identity and Access Management (S3)
- Buckets
- Introduction to buckets
- Working with buckets in the ECS Portal
- Create a bucket using the S3 API (with s3curl)
- Bucket, object, and namespace naming conventions
- Disable unused services
- File Access
- Introduction to file access
- ECS multi-protocol access
- Working with NFS exports in the ECS Portal
- Working with user/group mappings in the ECS Portal
- ECS NFS configuration tasks
- Mount an NFS export example
- NFS access using the ECS Management REST API
- NFS WORM (Write Once, Read Many)
- S3A support
- Geo-replication status
- Maintenance
- Certificates
- ECS Settings
- ECS Outage and Recovery
- Advanced Monitoring
- Advanced Monitoring
- View Advanced Monitoring Dashboards
- View mode
- Export CSV
- Data Access Performance - Overview
- Data Access Performance - by Namespaces
- Data Access Performance - by Nodes
- Data Access Performance - by Protocols
- Disk Bandwidth - by Nodes
- Disk Bandwidth - Overview
- Node Rebalancing
- Process Health - by Nodes
- Process Health - Overview
- Process Health - Process List by Node
- Recovery Status
- SSD Read Cache
- Tech Refresh: Data Migration
- Top Buckets
- Automatic Metering Reconstruction
- Share Advanced Monitoring Dashboards
- View Advanced Monitoring Dashboards
- Flux API
- Dashboard APIs
- Advanced Monitoring
- Document feedback
ECS 3.6.1 Administration Guide
Multi-protocol access permissions
Objects can be accessed using NFS and using the object service. Each access method has a way of storing permissions: Object Access Control List (ACL) permissions and File System permissions.
When an object is created or modified using the object protocol, the permissions associated with the object owner are mapped to NFS permissions and the corresponding permissions are stored. Similarly, when an object is created or modified using NFS, ECS maps the NFS permissions of the owner to object permissions and stores them.
The S3 object protocol does not have the concept of groups. Changes to group ownership or permissions from NFS do not need to be mapped to corresponding object permissions. When you create a bucket or an object within a bucket (the equivalent of a directory and a file), ECS can assign Unix group permissions, and they can be accessed by NFS users.
For NFS, the following ACL attributes are stored:
- Owner
- Group
- Other
For object access, the following ACLs are stored:
- Users
- Custom Groups
- Groups (Pre-defined)
- Owner (a specific user from Users)
- Primary Group (a specific group from Custom Groups)
For more information on ACLs, see Set ACLs.
The following table shows the mapping between NFS ACL attributes and object ACL attributes.
| NFS ACL attribute | Object ACL attribute |
|---|---|
| Owner | User who is also Owner |
| Group | Custom Group that is also Primary Group |
| Others | Pre-Defined Group |
Examples of this mapping are discussed later in this topic.
The following Access Control Entries (ACE) can be assigned to each ACL attribute.
NFS ACEs:
- Read (R)
- Write (W)
- Execute (X)
Object ACEs:
- Read (R)
- Write (W)
- Execute (X)
- ReadAcl (RA)
- WriteAcl (WA)
- Full Control (FC)
Creating and modifying an object using NFS and accessing using the object service
When an NFS user creates an object using the NFS protocol, the owner permissions are mirrored to the ACL of the object user who is designated as the owner of the bucket. If the NFS user has RWX permissions, Full Control is assigned to the object owner through the object ACL.
The permissions that are assigned to the group that the NFS file or directory belongs to are reflected onto a custom group of the same name, if it exists. ECS reflects the permissions associated with Others onto pre-defined groups permissions.
The following example illustrates the mapping of NFS permissions to object permissions.
NFS ACL Setting Object ACL Setting
Owner John : RWX Users John : Full Control
Group ecsgroup : R-X ---> Custom Groups ecsgroup : R-X
Other RWX Groups All_Users : R, RA
Owner John
Primary Group ecsgroup
When a user accesses ECS using NFS and changes the ownership of an object, the new owner inherits the owner ACL permissions and is given Read_ACL and Write_ACL. The previous owner permissions are kept in the object user's ACL.
When a chmod operation is performed, the ECS reflects the permissions in the same way as when creating an object. Write_ACL is preserved in Group and Other permissions if it already exists in the object user's ACL.
Creating and modifying objects using the object service and accessing using NFS
When an object user creates an object using the object service, the user is the object owner and is automatically granted Full Control of the object. The file owner is granted RWX permissions. If the owner permissions are set to other than Full Control, ECS reflects the object RWX permissions onto the file RWX permissions. An object owner with RX permissions results in an NFS file owner with RX permissions. The object primary group, which is set using the Default Group on the bucket, becomes the Custom Group that the object belongs to and the object permissions are set based on the default permissions that have been set. These permissions are reflected onto the NFS.group permissions. If the object Custom Group has Full Control, these permissions become the RWX permissions for the NFS group. If pre-defined groups are specified on the bucket, these are applied to the object and are reflected as Others permissions for the NFS ACLs.
The following example illustrates the mapping of object permissions onto NFS permissions.
Object ACL Setting NFS ACL Setting Users John : Full Control Owner John : RWX Custom Groups ecsgroup : R-X ----> Group ecsgroup : R-X Groups All_Users : R, RA Other RWX Owner John Primary Group ecsgroup
If the object owner is changed, the permissions associated with the new owner applied to the object and reflected onto the file RWX permissions .
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\