Does FreeIPA support ACLs, as in getfacl, setfacl? entry_type:[uid|gid]:perms
On Fri, 17 May 2019, Jim Rice via FreeIPA-users wrote:
Does FreeIPA support ACLs, as in getfacl, setfacl? entry_type:[uid|gid]:perms
You mean POSIX ACLs, not UNIX ACLs (there is no such thing)?
POSIX ACLs are stored on disk with uid/gid as numbers. As such, the Linux kernel does not care what user-space processes resolve them to, so any provider that resolves them consistently supports them.
To answer directly: yes, using POSIX ACLs on file systems that support them will work on IPA-enrolled clients.
Thank you Alexander. I just wanted to differentiate between user/group ownership/permissions ACLs and CA ACLs and certificates. Yes, POSIX.
Can ACLs be managed through FreeIPA? Assigning them to users and groups, establishing defaults, making changes on a per-user, per-host, or group-settings basis?
Or does this have to happen with CLI commands issued on individual hosts?
On Saturday, May 18, 2019, 1:33:04 AM PDT, Alexander Bokovoy abokovoy@redhat.com wrote:
On Fri, 17 May 2019, Jim Rice via FreeIPA-users wrote:
Does FreeIPA support ACLs, as in getfacl, setfacl? entry_type:[uid|gid]:perms
You mean POSIX ACLs, not UNIX ACLs (there is no such thing)?
POSIX ACLs are stored on disk with uid/gid as numbers. As such, the Linux kernel does not care what user-space processes resolve them to, so any provider that resolves them consistently supports them.
To answer directly: yes, using POSIX ACLs on file systems that support them will work on IPA-enrolled clients.
On Sat, 18 May 2019, jmrice6640@yahoo.com wrote:
Thank you Alexander. I just wanted to differentiate between user/group ownership/permissions ACLs and CA ACLs and certificates. Yes, POSIX.
Can ACLs be managed through FreeIPA? Assigning them to users and groups, establishing defaults, making changes on a per-user, per-host, or group-settings basis?
No, POSIX ACLs don't work this (centralized) way.
Or does this have to happen with CLI commands issued on individual hosts?
POSIX ACLs are properties of each mounted file system that supports them. They are associated with a particular file or folder and have nothing to do with actual users or groups. So yes, it has to be done on each individual host.
You can back up/restore POSIX ACLs with the help of utilities that support it.
For GNU tar, support for POSIX ACLs has existed since 1.27 (~2013); see this info page: info tar 'extended file attributes'
For rsync, use the -X and -A options (POSIX xattrs and POSIX ACLs).
Again, on IPA clients this will work fine as long as the client is capable of resolving user and group names in the normal way (through SSSD).
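The two points above, that the on-disk ACL carries only numeric uid/gid values and that everything depends on the client resolving those ids consistently, can be checked on a backup before it is restored. The Python below is an added example for this thread, not code from FreeIPA or the acl package: it parses the text form that `getfacl --numeric -R` writes (the same form `setfacl --restore` reads), renders each `entry_type:[uid|gid]:perms` entry with names, and flags entries whose id no longer maps to any name. The sample getfacl output and the uid/gid tables are constructed; on a real IPA client the tables would be whatever NSS/SSSD returns (for example via `getent passwd` / `getent group`).

```python
"""Parse getfacl text output and resolve its numeric uid/gid qualifiers.

Added example for the FreeIPA-users thread; not code from FreeIPA or the
acl package. SAMPLE_GETFACL, UID_NAMES and GID_NAMES are constructed.
"""
import re
from dataclasses import dataclass, field

# One ACL entry as getfacl prints it: "[default:]tag:qualifier:perms".
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")


@dataclass
class FileAcl:
    path: str
    owner: str   # numeric when dumped with --numeric
    group: str
    entries: list = field(default_factory=list)  # (is_default, tag, qualifier, perms)


def parse_getfacl(text):
    """Split `getfacl --numeric -R` output into one FileAcl per stanza."""
    acls = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        header, entries = {}, []
        for line in stanza.splitlines():
            line = line.strip()
            if not line:
                continue
            if line.startswith("#"):            # "# file:", "# owner:", "# group:", "# flags:"
                key, _, value = line[1:].strip().partition(":")
                header[key.strip()] = value.strip()
                continue
            line = line.split("#", 1)[0].rstrip()  # drop a trailing "#effective:..." note
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised ACL line: {line!r}")
            is_default, tag, qualifier, perms = m.groups()
            entries.append((bool(is_default), tag, qualifier, perms))
        acls.append(FileAcl(header["file"], header["owner"], header["group"], entries))
    return acls


def resolve_entry(entry, uid_map, gid_map):
    """Render one entry with names; returns (text, resolved_ok).

    Only named user/group entries carry an id. An id that no longer resolves
    is still enforced by the kernel (it compares numbers), it just cannot be
    read back as a name on this client."""
    is_default, tag, qualifier, perms = entry
    name, ok = qualifier, True
    if qualifier.isdigit():
        table = uid_map if tag == "user" else gid_map
        if int(qualifier) in table:
            name = table[int(qualifier)]
        else:
            ok = False
    prefix = "default:" if is_default else ""
    return f"{prefix}{tag}:{name}:{perms}", ok


def find_unresolved(acls, uid_map, gid_map):
    """List (path, entry) pairs whose uid/gid maps to no name on this client."""
    found = []
    for acl in acls:
        for entry in acl.entries:
            text, ok = resolve_entry(entry, uid_map, gid_map)
            if not ok:
                found.append((acl.path, text))
    return found


# Constructed sample of what `getfacl --numeric -R srv/share` could print.
SAMPLE_GETFACL = """\
# file: srv/share/report.txt
# owner: 1001
# group: 1001
user::rw-
user:1002:r--
group::r--
group:1003:rw-
mask::rw-
other::---

# file: srv/share/docs
# owner: 1001
# group: 1001
user::rwx
user:424242:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:other::---
"""

# Constructed stand-ins for the id-to-name answers NSS/SSSD would give.
UID_NAMES = {1001: "alice", 1002: "bob"}
GID_NAMES = {1001: "alice", 1003: "devs"}

if __name__ == "__main__":
    acls = parse_getfacl(SAMPLE_GETFACL)
    for acl in acls:
        print(f"# file: {acl.path}")
        for entry in acl.entries:
            print(resolve_entry(entry, UID_NAMES, GID_NAMES)[0])
    for path, entry in find_unresolved(acls, UID_NAMES, GID_NAMES):
        print(f"WARNING: {path}: {entry} refers to an id with no name on this client")
```

Because the parser keeps the numeric qualifiers, the same structure can be written back unchanged for `setfacl --restore`; the name resolution is only for reading and auditing, which mirrors the split between the kernel (numbers) and SSSD (names) described above.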
freeipa-users@lists.fedorahosted.org