Permissions management on Xsan

14 Dec 2021

I’m sure there are many ways to manage permissions on an Xsan, but we primarily see 2. The first is that anyone who can connect to the san can see everything on the san. Access is handled by keeping the san connected computers physically secure and not allowing network access to the san volume(s). Then permissions on the volume can be set so that every san connected system logs in as user 501 (for example), so they are all the “same” user. Or, the volume can be created with the --ignoreOwners flag and then even different local users would have the same access.

The second option is what we will be discussing in more detail. All users are defined in an ldap server and put into groups. Then each project gets a group and a folder. When creating the volume we say to --enableACLs, and then apply the appropriate group permissions to the corresponding folder. This allows users to connect to the san via fibre with mobile accounts or via a file server, and they will have the same access either way.

Let’s say we have 3 users: Susan, Paul, and Lucy. Susan and Paul are working on Project Alpha, Lucy is working on Project Beta, and all 3 are working on Project Gamma. In our directory server, we have accounts for each user and then we create groups for each project:

  • Project Alpha (ProjectAlpha)
    • Susan
    • Paul
  • Project Beta (ProjectBeta)
    • Lucy
  • Project Gamma (ProjectGamma)
    • Susan
    • Paul
    • Lucy
  • SAN Access (SANAccess)
    • Project Alpha
    • Project Beta
    • Project Gamma
  • SAN Admin (SANAdmin)
    • Eric

We also created a SAN Access group to grant access to the base Projects folder and a SAN Admin group that will have the ability to delete the project folders.

Now we can create the root Projects folder and protect it:

% sudo mkdir /Volumes/SAN/Projects
% sudo chmod -R 700 /Volumes/SAN/Projects

We need the users in the groups to be able to get into these folders and create files and sub folders, but we don’t want them to be able to delete the root level project folders. We do want the admin group to have full control on the project folders. The chmod command can add Access Control Entries (ACEs) to the Access Control List (ACL) for each folder. The man page for chmod explains all the options for an ACE. We are going to focus on these 2:

Read-only: "read,readattr,readextattr,readsecurity,list,search"
Read-Write-Inherit: "read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit"

First we need to let the users into the Projects folder. To apply the ACE to the folder’s ACL, we use chmod in this form: chmod +a "group:<groupname> allow <permissions>" /path/to/folder. In our example we will run:

% sudo chmod +a "group:SANAccess allow read,readattr,readextattr,readsecurity,list,search" /Volumes/SAN/Projects

Then we give the admin group full control:

% sudo chmod +a "group:SANAdmin allow read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/SAN/Projects

The inherit entries mean that this set of access will apply to everything that gets created (or copied) inside this folder and subsequent sub folders. We want to get this ACE created before anything is added to the folder.

Now we can create the project specific folders and remove the POSIX group and everyone (other) access to them:

% sudo mkdir /Volumes/SAN/Projects/Project\ Alpha
% sudo mkdir /Volumes/SAN/Projects/Project\ Beta
% sudo mkdir /Volumes/SAN/Projects/Project\ Gamma
% sudo chmod -R 700 /Volumes/SAN/Projects

And now give the project group full control to their folder:

% sudo chmod +a "group:ProjectAlpha allow read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/SAN/Projects/Project\ Alpha

% sudo chmod +a "group:ProjectBeta allow read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/SAN/Projects/Project\ Beta

% sudo chmod +a "group:ProjectGamma allow read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" /Volumes/SAN/Projects/Project\ Gamma

Our Projects folder should now look like this:

% ls -led /Volumes/SAN/Projects
drwx------+ 5 root wheel - 160B Dec 14 12:25 Projects/
0: group:SANAdmin allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
1: group:SANAccess allow list,search,readattr,readextattr,readsecurity

Inside the Project directory we should see:

% ls -le /Volumes/SAN/Projects
total 0
drwx------+ 2 root wheel 64 Dec 14 14:04 Project Alpha
0: group:ProjectAlpha allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
1: group:SANAdmin inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwx------+ 2 root wheel 64 Dec 14 14:04 Project Beta
0: group:ProjectBeta allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
1: group:SANAdmin inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwx------+ 2 root wheel 64 Dec 14 14:04 Project Gamma
0: group:ProjectGamma allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
1: group:SANAdmin inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit

Whenever a new project is started, we need to follow these steps:

  1. Create the group in our directory service
  2. Add the appropriate users to that group
  3. Add the group to the SAN Access group
  4. Create the project folder
  5. Add the ACE for the group to the new folder (the SAN Admin ACE should be inherited)

If new users are hired and need to be added to a project, once they are in the group, they will get all the right access.

It is pretty much inevitable that some content will end up in a folder before the correct inheriting ACE is put on. In that case, if you can’t 1) move the data out, 2) apply the ACE, and 3) copy the data back (it has to be created or copied into the folder to inherit; moving doesn’t work), you can use chmod -R to make chmod recursive and apply the ACE to the folder and everything inside. This is also called making the ACE explicit instead of inherited.
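The folder-side steps of the new-project procedure (steps 4 and 5) and the recursive retrofit described above, wrapped in a small bash script. This is an added example, not part of the original post; it assumes the /Volumes/SAN/Projects root used in this post and the convention that a group is named after its folder with the spaces removed (Project Alpha becomes ProjectAlpha). With DRY_RUN=1 it prints the commands instead of running them, so the ACE strings can be reviewed before touching the san.

```bash
#!/bin/bash
# Added example (not from the original post). Assumptions: the Projects root
# below, and the group-name convention "folder name with spaces removed".
set -eu

PROJECTS_ROOT="/Volumes/SAN/Projects"
DRY_RUN="${DRY_RUN:-0}"

# Read-Write-Inherit permission set exactly as used in the post.
RW_INHERIT="read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit"

# "Project Alpha" -> "ProjectAlpha" (assumed naming convention).
group_for() { printf '%s' "$1" | tr -d ' '; }

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 4 and 5: create the folder, strip POSIX group/other bits, then add the
# project group's inheriting ACE before any content lands in the folder.
# The SANAdmin ACE on the Projects root is inherited automatically.
new_project() {
  local name="$1" group dir
  group="$(group_for "$name")"
  dir="$PROJECTS_ROOT/$name"
  run sudo mkdir "$dir"
  run sudo chmod 700 "$dir"
  run sudo chmod +a "group:$group allow $RW_INHERIT" "$dir"
}

# Retrofit for a folder that already had content before the ACE was applied:
# chmod -R writes the ACE explicitly onto the folder and everything inside it.
retrofit_project() {
  local name="$1" group dir
  group="$(group_for "$name")"
  dir="$PROJECTS_ROOT/$name"
  run sudo chmod -R +a "group:$group allow $RW_INHERIT" "$dir"
}

# Check (run on a san-connected Mac): confirm the SANAdmin ACE was inherited
# into the project folder. Returns non-zero if the inherited entry is missing.
check_admin_inherited() {
  ls -led "$PROJECTS_ROOT/$1" | grep -q 'group:SANAdmin inherited allow'
}
```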

Once everything is set up, we can use a san connected system as a file server. We would share at the Project level. Then anyone in the SAN Access or SAN Admin group would be able to connect, but no one else.

Eric Hemmeter