Adding, modifying and viewing an ACL in the Isilon OneFS CLI

This is an overview and reference for the commands and syntax needed for adding and modifying an ACL on Isilon OneFS files and directories from the CLI.

Access Control Entries for the ACL

Note that a complete ACE list can be viewed by running “man chmod” from the CLI.  This is a list of the entries I used.

dir_gen_all: Read, write and execute access (dir_gen_read, dir_gen_write, dir_gen_execute, delete_child and std_write_owner)
object_inherit: Only files in this directory and its descendants inherit the ACE
container_inherit: Only directories in this directory and its descendants inherit the ACE
delete_child: The right to delete children, including read-only files
file_gen_all: file_gen_read, file_gen_write, file_gen_execute, delete, std_write_dac and std_write_owner
add_file: The right to create a file in the directory
add_subdir: The right to create a sub-directory

Sample commands for adding ACLs to a folder

The chmod +a command is used to specify an AD group or user and set ACL entries explicitly on directories and files.  Run with -R, as in the commands below, it also applies the same entries to all of the files within that directory.

chmod -R +a group "<Domain Name>\<Group Name>" allow dir_gen_all,delete_child,object_inherit,container_inherit,file_gen_all,add_file,add_subdir </absolute_path>
chmod -R +a user "<Domain Name>\<User Name>" allow dir_gen_all,delete_child,object_inherit,container_inherit,file_gen_all,add_file,add_subdir </absolute_path>

For the equivalent of Full Control I added the following rights:

dir_gen_all,delete_child,object_inherit,container_inherit,file_gen_all,add_file,add_subdir

For the equivalent of Read\Execute I added the following rights:

dir_gen_read,dir_gen_execute,file_gen_read,file_gen_execute,object_inherit,container_inherit

Making Changes

If you need to alter an ACL, the most commonly used chmod switches are -a, -b and -D, described below.

-a: Deletes ACL entries (the counterpart of +a).
-b: Removes the ACL and replaces it with the specified mode.
-D: Removes all ACEs in the security descriptor's DACL for all named files. This results in implicitly denying everything.

If you attempt to add a well-known Windows group such as “Authenticated Users” or “Power Users” to a file or directory Access Control List (ACL) from the command line interface, you’ll get the error “illegal group name: Invalid argument”.  You’ll need to use the well-known SID in order to add the ACL entry rather than the name. You can view a complete list of the well-known SIDs on Microsoft’s website here: https://support.microsoft.com/en-us/kb/243330.

Syntax examples using well-known SIDs

(S-1-5-11 is “Authenticated Users”)

chmod +a sid S-1-5-11 allow traverse,list

(S-1-1-0 is “Everyone”)

chmod +a sid S-1-1-0 allow traverse,list

Viewing AD permissions on a OneFS folder

Once you’ve added your ACLs, you can list and confirm permissions on the folder with the “ls -led” command. Below is some sample output.

ISILON-NODE-1# ls -led
drwxrwx--- + 34 AD_DOMAIN_NAME\account_name AD_DOMAIN_NAME\domain users 1630 May 11 13:26 .
OWNER: user:AD_DOMAIN_NAME\account_name
GROUP: group:AD_DOMAIN_NAME\domain users
CONTROL:dacl_auto_inherited,sacl_auto_inherited
0: group:AD_DOMAIN_NAME\folder-admin allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
1: user:AD_DOMAIN_NAME\service_file_transfer allow dir_gen_all,object_inherit,container_inherit
2: SID:S-1-5-21-2127695773-1422393826-955202855-634017 allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
3: SID:S-1-5-21-2127695773-1422393826-955202855-634018 allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
4: group:AD_DOMAIN_NAME\desktop_corpaccess allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit
5: group:AD_DOMAIN_NAME\desktop_corpaccess_dev allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit
6: group:AD_DOMAIN_NAME\desktop_svaccess allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit
7: group:AD_DOMAIN_NAME\desktop_svaccess_dev allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit
8: group:AD_DOMAIN_NAME\folder-admin-auth allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
9: group:AD_DOMAIN_NAME\fileadmin allow inherited dir_gen_all,object_inherit,container_inherit,inherited_ace
10: group:AD_DOMAIN_NAME\ADadmins allow inherited dir_gen_all,object_inherit,container_inherit,inherited_ace
11: group:AD_DOMAIN_NAME\domain admins allow inherited dir_gen_all,object_inherit,container_inherit,inherited_ace
12: group:AD_DOMAIN_NAME\domain users allow inherited dir_gen_read,dir_gen_execute,container_inherit,inherited_ace
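A small audit helper, added here as an example and not part of the original post, that parses “ls -led” output in the format shown above and flags the entries a reviewer would want to look at: allow ACEs that give write-type rights to the well-known “Everyone” or “Authenticated Users” SIDs, and entries OneFS shows only as a bare SID rather than a resolved name. The sample input is constructed to match the page’s format; the S-1-5-21-… SID is the one from the listing above, and which rights count as “write” is this example’s own choice.

```python
import re
from typing import List, Tuple

# Constructed sample in the format of this page's `ls -led` output (not a real capture).
SAMPLE_LS_LED = """\
OWNER: user:AD_DOMAIN_NAME\\account_name
GROUP: group:AD_DOMAIN_NAME\\domain users
CONTROL:dacl_auto_inherited,sacl_auto_inherited
0: group:AD_DOMAIN_NAME\\folder-admin allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
1: SID:S-1-5-21-2127695773-1422393826-955202855-634017 allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
2: SID:S-1-1-0 allow dir_gen_all,object_inherit,container_inherit
3: SID:S-1-5-11 allow traverse,list
4: group:AD_DOMAIN_NAME\\domain users allow inherited dir_gen_read,dir_gen_execute,container_inherit,inherited_ace
"""

# One numbered ACE line: "<n>: <user|group|SID>:<name> <allow|deny> [inherited ]<rights,...>"
ACE_RE = re.compile(r"^(\d+): (user|group|SID):(.+?) (allow|deny) (?:(inherited) )?([\w,]+)$")

# Rights from this page that let a principal change content or the ACL itself (example's own set).
WRITE_RIGHTS = {"dir_gen_all", "dir_gen_write", "file_gen_all", "file_gen_write",
                "add_file", "add_subdir", "delete_child", "std_delete",
                "std_write_dac", "std_write_owner"}
# Well-known SIDs named on this page; OneFS lists them as SIDs, not names.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}

def parse_aces(ls_led_output: str) -> List[dict]:
    """Return one dict per numbered ACE line; OWNER/GROUP/CONTROL lines are skipped."""
    aces = []
    for line in ls_led_output.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            idx, kind, name, effect, inherited, rights = m.groups()
            aces.append({"index": int(idx), "kind": kind, "name": name,
                         "effect": effect, "inherited": inherited is not None,
                         "rights": set(rights.split(","))})
    return aces

def audit_aces(ls_led_output: str) -> List[Tuple[int, str]]:
    """Return (ACE index, reason) pairs for entries that deserve a second look."""
    findings = []
    for ace in parse_aces(ls_led_output):
        if ace["effect"] != "allow":
            continue
        writes = ace["rights"] & WRITE_RIGHTS
        if ace["kind"] == "SID" and ace["name"] in WELL_KNOWN and writes:
            findings.append((ace["index"], f"write rights for {WELL_KNOWN[ace['name']]}: {sorted(writes)}"))
        elif ace["kind"] == "SID" and ace["name"] not in WELL_KNOWN:
            findings.append((ace["index"], "unresolved SID; check whether the account still exists"))
    return findings
```

Pipe the output of “ls -led” into this on a workstation and it reports, for the sample above, the Everyone entry granting dir_gen_all and the unresolved domain SID, while the Authenticated Users traverse,list entry from this page passes.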

To verify the permissions on the files within that folder, run “ls -la”.

ISILON-NODE-1# ls -la
total 6611740
drwxrwx--- + 34 AD_DOMAIN_NAME\account1 AD_DOMAIN_NAME\domain users 1630 May 16 13:26 .
drwxrwx--- + 4 root wheel 51 Feb 19 20:31 ..
drwxrwx--- + 2 AD_DOMAIN_NAME\filetrans AD_DOMAIN_NAME\domain users 245 Apr 26 07:06 File1
drwxrwx--- + 2 AD_DOMAIN_NAME\filetrans AD_DOMAIN_NAME\domain users 253 Apr 25 17:15 File2
drwxrwx--- + 2 AD_DOMAIN_NAME\filetrans AD_DOMAIN_NAME\domain users 249 Apr 25 13:59 File3
drwxrwx--- + 2 AD_DOMAIN_NAME\filetransr AD_DOMAIN_NAME\domain users 253 Apr 25 17:16 File4
...

2 thoughts on “Adding, modifying and viewing an ACL in the Isilon OneFS CLI”

  1. The update is very helpful; however, it missed one important piece of syntax when adding domain users or groups.

    We need to use “\\” after the domain name: “<Domain Name>\\<Group Name>”
