Access Control Lists (ACLs)


HPSS Access Control Lists (ACLs) were based on the Access Control Lists for the Distributed Computing Environment (DCE).  A good source of detailed information about DCE ACLs is at http://publib.boulder.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.euvma00%2Feuva2a00510.htm


HSI added support for HPSS ACLs in version 4.0.1.3.  There are two new commands to support this feature:

     chacl - creates, deletes and modifies ACL entries

     lsacl - lists ACL entries


The purpose of ACLs is to define who can use an object, and what kinds of access are allowed for the object. All HPSS files and directories have ACLs that are mapped into the standard Unix permissions (read, write, execute for owner, group and other). In addition, there may be "Extended ACLs" that allow specific users, groups or other principals in the local realm (DCE "cell") and in foreign realms to access an object.


As currently implemented in HPSS, adding, changing or deleting an ACL requires either owner permissions, or group write permission to the object.  


An ACL contains one or more "ACL Entries", each of the form:


           type:key:perms


where:

type is one of the following:

    user_obj, group_obj, other_obj,
    user, group,
    foreign_user, foreign_group, foreign_other, any_other, mask_obj,
    unauthenticated, user_obj_delegate, group_obj_delegate,
    other_obj_delegate, user_delegate, group_delegate,
    foreign_user_delegate, foreign_group_delegate,
    foreign_other_delegate, and any_other_delegate


    The most commonly used types in HPSS are user_obj, group_obj and other_obj; the perms for these types are mapped to the standard Unix "owner", "group" and "other" perms.

  

    mask_obj ACL entries are used to calculate the effective permissions for an object, similar to the umask that is used for Unix permissions.  The reference above contains some examples that illustrate the use of the mask_obj entry.  


key is of the form:

    principal@realm

      

    Different types of ACLs may not require the principal or the realm.  Where a realm is required, it can be either a name, such as ibcg.gov, or an ID, such as 77233323.

 

    User and group principals can be specified as either a name, such as 'rheinlein', or a numeric ID, such as 40149.  Internally in HSI, principals are translated to binary values by means of the HPSS registry, but are displayed as names in the 'lsacl' command.


perms is a string representing the permissions, from the set "rwxcid".  These are, respectively, "read", "write", "execute", "control", "insert" and "delete".  In the chacl command, permission characters that are not wanted can either be omitted from the permission string or represented as a hyphen '-'.  For example, the following are equivalent:

       "r--c" and "rc".


As an example, consider this command:


? lsacl *

 a_drive

    user_obj:gleicher:rwxc--

    group_obj:gleicher:r-x---

    other_obj:r-x--


All HPSS objects contain an ACL that contains user_obj, group_obj and other_obj ACL entries.  Directories also contain special "Initial Object" and "Initial Container" ACL entries that specify the default permissions to be placed on newly created objects (such as files) or subdirectories.  These automatically propagate downward in the tree as new leaves and branches are added; this is called "ACL Inheritance".


Here's an example of the object entry, and the Initial Object and Initial Container entries on a directory:


? ls -ld bpf

drwxr-x---    3 gleicher  gleicher         512 Mar 15  2011 bpf

? lsacl bpf

 bpf

    user_obj:gleicher:rwxcid

    group_obj:gleicher:r-x---

    other_obj:------

? lsacl -ic -io bpf

[IC] bpf

    user_obj:gleicher:rwxcid

    group_obj:gleicher:rwx-id

    other_obj:rwx-id

[IO] bpf

    user_obj:gleicher:rwxc--

    group_obj:gleicher:rwx---

    other_obj:rwx---
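
The following Python sketch is an added example, not part of HSI or of the original page. It parses lsacl text in the layout shown above, maps the object ACL to its Unix mode string, and reports Initial Container/Initial Object entries that would give inherited objects more access than the directory itself allows. All function names are hypothetical, and the output layout is assumed to match the listings on this page.

```python
import re

PERM_ORDER = "rwxcid"  # read, write, execute, control, insert, delete

def normalize_perms(perms):
    """Canonical 6-character form: 'rc' and 'r--c' both become 'r--c--'."""
    letters = set(perms) - {"-"}
    if not letters <= set(PERM_ORDER):
        raise ValueError(f"unknown permission character in {perms!r}")
    return "".join(c if c in letters else "-" for c in PERM_ORDER)

def parse_entry(text):
    """Split 'type:key:perms'; the key is empty for entries such as other_obj."""
    etype, *key, perms = text.strip().split(":")
    return etype, ":".join(key), normalize_perms(perms)

def parse_lsacl(output):
    """Map (section, name) -> {entry type: perms}; section is OBJ, IC or IO."""
    acls, current = {}, None
    for line in map(str.strip, output.splitlines()):
        if not line or line.startswith("?"):   # blank line or echoed HSI prompt
            continue
        if ":" in line:
            etype, _key, perms = parse_entry(line)
            current[etype] = perms
        else:                                  # header: "name" or "[IC] name"
            m = re.match(r"(?:\[(IC|IO)\]\s+)?(.+)$", line)
            current = acls.setdefault((m.group(1) or "OBJ", m.group(2)), {})
    return acls

def unix_mode(acl):
    """rwx triplets of user_obj, group_obj and other_obj, as 'ls -l' shows them."""
    return "".join(acl[t][:3] for t in ("user_obj", "group_obj", "other_obj"))

def widened_defaults(acls, name):
    """IC/IO entries that grant permissions the directory's own ACL does not."""
    own, found = acls[("OBJ", name)], []
    for section in ("IC", "IO"):
        for etype, perms in acls.get((section, name), {}).items():
            extra = set(perms) - set(own.get(etype, "")) - {"-"}
            if extra:
                found.append((section, etype, "".join(c for c in PERM_ORDER if c in extra)))
    return found

# Sample input: the lsacl listings for directory 'bpf' from this page, indentation dropped.
SAMPLE = ("bpf\nuser_obj:gleicher:rwxcid\ngroup_obj:gleicher:r-x---\nother_obj:------\n"
          "[IC] bpf\nuser_obj:gleicher:rwxcid\ngroup_obj:gleicher:rwx-id\nother_obj:rwx-id\n"
          "[IO] bpf\nuser_obj:gleicher:rwxc--\ngroup_obj:gleicher:rwx---\nother_obj:rwx---\n")
if __name__ == "__main__":
    print(widened_defaults(parse_lsacl(SAMPLE), "bpf"))
```

For the bpf listing, the result shows that both the Initial Container and Initial Object ACLs grant other_obj and group_obj write access that the directory's own ACL withholds.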