Unified Permissions For All Protocols
Each protocol has its own definition and a defined list of permissions that can be set:
POSIX mode bits: https://wiki.archlinux.org/index.php/File_permissions_and_attributes
NFS4 ACLs: https://linux.die.net/man/5/nfs4_acl
Windows:
S3: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
VAST Permissions
VAST maintains a unified set of permissions for each object. Rather than storing a separate permission set per protocol and keeping them in sync, permissions are stored in a protocol-independent format and mapped to each protocol as required. VAST Permissions are a superset of the permission sets of every supported protocol. This makes multi-protocol sharing and adding new protocols to existing views straightforward, and it means a user's access to an object is enforced consistently regardless of the protocol used.
Displayed Permissions vs. Actual Permissions
Permissions shown for a specific object are dependent upon the protocol used to view them. NFSv3, NFSv4, SMB, and S3 have varying granularity and ability to view and set permissions. In many cases, there is no direct method to display certain permissions because a particular protocol may not have as fine-grained permission settings or may lack certain concepts. Here are a few examples:
S3 has no notion of user-defined groups (only its pre-defined groups), but an object may still carry group permissions, and those are shown when running 'ls -l' over NFS.
For an object created via S3, the object ACL may set permissions for the object owner and for other specific users. Running 'ls -l' from NFS shows only the owner's permissions, not those of the other users.
For SMB, a directory ACL may list multiple users and groups together with inheritance rules. None of this is visible when viewing from NFSv3.
In all cases, permissions are evaluated and enforced consistently across all protocols for user access to objects, even where they are not directly visible through a coarser-grained protocol (i.e. viewing permissions via NFSv3 on an SMB Flavor view will not show the ACLs, but they are still enforced).
Note Regarding S3 and Groups
S3 has no concept of group ownership comparable to NFS or SMB, only pre-defined groups (which are more or less equivalent to the 'all users' group in NFS/SMB). To allow NFS/SMB group members to read an object created via S3, add user metadata to the S3 PUT Object (or initiate multipart upload) request with key "vast-group" and value "<gid>,<group permissions>". The S3 server recognizes this key as internal metadata and stores it as the object's group information for NFS/SMB access.
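The snippet below is an added illustration, not VAST's or AWS's code, of building and validating the "vast-group" metadata described above and attaching it to a PUT. The page gives the value format as "<gid>,<group permissions>" but does not show the exact encoding of the permissions field; the example assumes POSIX-style letters (for example "r", "rw", "rx"), which is an assumption. Bucket, key, endpoint and credential parameters are placeholders.

```python
"""Added example: build the `vast-group` S3 user metadata for NFS/SMB group access.

Assumption (not stated on the page): the <group permissions> field is written
with POSIX letters r/w/x. Everything else follows the page: key "vast-group",
value "<gid>,<group permissions>", set on PUT Object or the multipart initiate.
"""
from typing import Dict, Optional, Tuple

META_KEY = "vast-group"             # metadata key named on the page
HEADER_PREFIX = "x-amz-meta-"       # how S3 carries user metadata on the wire


def vast_group_metadata(gid: int, perms: str) -> Dict[str, str]:
    """Return the Metadata mapping to pass to put_object / create_multipart_upload.

    Inputs are validated client-side so a typo is rejected up front instead of
    producing an object that no group member can read.
    """
    if not isinstance(gid, int) or gid < 0:
        raise ValueError(f"gid must be a non-negative integer, got {gid!r}")
    if not perms or any(c not in "rwx" for c in perms):
        raise ValueError(f"group permissions must use only r, w, x; got {perms!r}")
    canon = "".join(c for c in "rwx" if c in perms)   # canonical order, no duplicates
    return {META_KEY: f"{gid},{canon}"}


def parse_vast_group(value: str) -> Optional[Tuple[int, str]]:
    """Inverse of the above: split "<gid>,<perms>" into (gid, perms), or None if malformed."""
    gid_str, sep, perms = value.partition(",")
    if not sep or not gid_str.isdigit() or not perms or any(c not in "rwx" for c in perms):
        return None
    return int(gid_str), perms


def as_http_headers(meta: Dict[str, str]) -> Dict[str, str]:
    """The same metadata as raw request headers, which is what a signed PUT actually sends."""
    return {HEADER_PREFIX + k: v for k, v in meta.items()}


def put_group_readable_object(bucket: str, key: str, body: bytes, gid: int, perms: str,
                              endpoint_url: str, access_key: str, secret_key: str):
    """Upload one object with boto3, carrying the group metadata on the PUT itself.

    boto3 is imported lazily so the validation helpers above run without it.
    """
    import boto3
    s3 = boto3.client("s3", endpoint_url=endpoint_url,
                      aws_access_key_id=access_key, aws_secret_access_key=secret_key)
    # boto3 adds the x-amz-meta- prefix for entries in Metadata.
    return s3.put_object(Bucket=bucket, Key=key, Body=body,
                         Metadata=vast_group_metadata(gid, perms))


if __name__ == "__main__":
    meta = vast_group_metadata(100, "xr")
    print(meta)                      # {'vast-group': '100,rx'}
    print(as_http_headers(meta))     # {'x-amz-meta-vast-group': '100,rx'}
    print(parse_vast_group("100,rx"))
```

For a multipart upload, pass the same Metadata mapping to create_multipart_upload; the page states the metadata has to be on the initiate request, so setting it later on individual parts is not what is described.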
VAST Permission Mappings
Below is a table listing mappings from VAST Permissions to each protocol. Note that there are many cases where multiple VAST Permissions may map to a single permission for a protocol.
POSIX mode bits | NFSv4 ACE | S3 | Windows / SMB | VAST permission representation |
|---|---|---|---|---|
d-w- | w (create-file) | bucket WRITE | FILE_ADD_FILE | DIR_ADD_FILE |
d-w- | a (create-subdirectory) | N/A | FILE_ADD_SUBDIRECTORY | DIR_ADD_SUBDIR |
-rwx | all file ACE permissions | object FULL_CONTROL | Full Control (FILE_ALL_ACCESS - file) | FILE_ALL |
drwx | all dir ACE permissions | bucket FULL_CONTROL | Full Control (FILE_ALL_ACCESS - directory) | DIR_ALL |
--w- | a (append-data) | N/A | FILE_APPEND_DATA | FILE_APPEND |
d-w- | D (delete-child) | bucket WRITE | FILE_DELETE_CHILD | DIR_DEL_CHILD |
---x | x (execute) | N/A | FILE_EXECUTE | FILE_EXEC |
dr-- | r (list-directory) | bucket READ | FILE_LIST_DIRECTORY | DIR_READ |
-r-- | t (read-attributes) | object READ | FILE_READ_ATTRIBUTES | FILE_READ_ATTR |
-r-- | r (read-data) | object READ | FILE_READ_DATA | FILE_READ |
-r-- | N/A | object READ | FILE_READ_EA | FILE_READ_EXT_ATTR |
d--x | x (change-directory) | N/A | FILE_TRAVERSE | DIR_TRAVERSE |
--w- | T (write-attributes) | object WRITE | FILE_WRITE_ATTRIBUTES | FILE_WRITE_ATTR |
--w- | w (write-data) | object WRITE | FILE_WRITE_DATA | FILE_WRITE_DATA |
--w- | N/A | object WRITE | FILE_WRITE_EA | FILE_WRITE_EXT_ATTR |
--w- | d (delete) | N/A | DELETE (file or directory) | FILE_DELETE |
d-w- | d (delete) | TBD | DELETE_CHILD (directory) | DIR_DELETE |
-r-- | r (read-data) | N/A | N/A | FILE_READ_CTRL |
dr-- | r (list-directory) | N/A | N/A | DIR_READ_CTRL |
N/A | y (synchronize) | N/A | SYNCHRONIZE | FILE_SYNC |
N/A | n (read-named-attributes) | N/A | N/A | READ_NAMED_ATTR |
N/A | N (write-named-attributes) | N/A | N/A | WRITE_NAMED_ATTR |
N/A | c (read ACL) | object/bucket READ_ACP | READ_CONTROL | READ_ACL (a.k.a. read control) |
N/A | C (write ACL) | object/bucket WRITE_ACP | WRITE_DAC | WRITE_ACL (write only DACL, not SACL) |
N/A | o (write-owner) | N/A | WRITE_OWNER | WRITE_OWNER |
NFSv4 ACLs and SMB ACLs
Specific NFSv4 ACE permissions map directly to and from specific SMB access rights; the permission chart above gives those correspondences.
Resulting Mappings When Set From Windows (Files)
Windows bundles individual access rights into named permission sets. The table below shows the result of granting each set via the Security tab in Windows File Explorer.
POSIX Mode Bits | NFSv4 ACE | Windows | VAST |
|---|---|---|---|
rwx | rwadxtTnNcCoy | Full Control | FILE_ALL |
r-- | rtncy | Read | FILE_READ_ATTR,FILE_READ,FILE_READ_EXT_ATTR,FILE_READ_CTRL |
r-x | rxtncy | Read & Execute | FILE_READ_ATTR,FILE_READ,FILE_READ_EXT_ATTR,FILE_READ_CTRL |
-w- | waTNy | Write | FILE_APPEND,FILE_WRITE_ATTR,FILE_WRITE_DATA,FILE_WRITE_EXT_ATTR |
rwx | rwadxtTnNcy | Modify | FILE_APPEND,FILE_READ_ATTR,FILE_READ,FILE_READ_EXT_ATTR,FILE_WRITE_ATTR,FILE_WRITE_DATA,FILE_WRITE_EXT_ATTR,FILE_DELETE,FILE_READ_CTRL |
Resulting Mappings When Set From Windows (Directories)
Windows bundles individual access rights into named permission sets. The table below shows the result of granting each set via the Security tab in Windows File Explorer.
POSIX Mode Bits | NFSv4 ACE | Windows | VAST |
|---|---|---|---|
drwx | rwaDdxtTnNcCoy | Full Control | FILE_ALL |
dr-x | rxtncy | List Folder Contents | DIR_READ,FILE_READ_ATTR,FILE_READ,FILE_READ_EXT_ATTR,DIR_TRAVERSE,FILE_READ_CTRL,DIR_READ_CTRL |
dr-- | rtncy | Read | DIR_READ,FILE_READ_ATTR,FILE_READ,FILE_READ_EXT_ATTR,FILE_READ_CTRL,DIR_READ_CTRL |
dr-x | rxtncy | Read and Execute | DIR_READ,FILE_READ_ATTR,FILE_READ,FILE_READ_EXT_ATTR,DIR_TRAVERSE,FILE_READ_CTRL,DIR_READ_CTRL |
d-w- | waTNy | Write | DIR_ADD_FILE,DIR_ADD_SUBDIR,FILE_APPEND,FILE_EXEC,FILE_WRITE_ATTR,FILE_WRITE_DATA,FILE_WRITE_EXT_ATTR |
drwx | rwadxtTnNcy | Modify | DIR_ADD_FILE,DIR_ADD_SUBDIR,FILE_APPEND,FILE_EXEC,DIR_READ,FILE_READ_ATTR,FILE_READ,FILE_READ_EXT_ATTR,DIR_TRAVERSE,FILE_WRITE_ATTR,FILE_WRITE_DATA,FILE_WRITE_EXT_ATTR,FILE_DELETE,DIR_DELETE,FILE_READ_CTRL,DIR_READ_CTRL |
Resulting Mappings When Set As POSIX Mode Bits via NFS (Directories)
Permissions set via chmod.
POSIX Mode Bits | NFSv4 ACE | Windows | VAST |
|---|---|---|---|
drwx | rwaDxtTnNcy | FILE_ADD_FILE,FILE_ADD_SUBDIRECTORY,FILE_DELETE_CHILD,FILE_EXECUTE,FILE_LIST_DIRECTORY,FILE_READ_ATTRIBUTES,FILE_READ_EA,FILE_TRAVERSE,FILE_WRITE_ATTRIBUTES,FILE_WRITE_EA,SYNCHRONIZE | DIR_ADD_FILE,DIR_ADD_SUBDIR,DIR_DEL_CHILD,FILE_EXEC,DIR_READ,FILE_READ_ATTR,FILE_READ_EXT_ATTR,DIR_TRAVERSE,FILE_WRITE_ATTR,FILE_WRITE_EXT_ATTR,DIR_READ_CTRL,READ_NAMED_ATTR,WRITE_NAMED_ATTR,READ_ACL |
dr-- | rtncy | FILE_LIST_DIRECTORY,FILE_READ_ATTRIBUTES,FILE_READ_EA,SYNCHRONIZE | DIR_READ,FILE_READ_ATTR,FILE_READ_EXT_ATTR,DIR_READ_CTRL,READ_NAMED_ATTR,READ_ACL |
d-w- | waDTNy | FILE_ADD_FILE,FILE_ADD_SUBDIRECTORY,FILE_DELETE_CHILD,FILE_EXECUTE,FILE_WRITE_ATTRIBUTES,FILE_WRITE_EA,SYNCHRONIZE | DIR_ADD_FILE,DIR_ADD_SUBDIR,DIR_DEL_CHILD,FILE_EXEC,FILE_WRITE_ATTR,FILE_WRITE_EXT_ATTR,WRITE_NAMED_ATTR |
d--x | xy | FILE_TRAVERSE,SYNCHRONIZE | DIR_TRAVERSE |
drw- | rwaDtTnNcy | FILE_ADD_FILE,FILE_ADD_SUBDIRECTORY,FILE_DELETE_CHILD,FILE_EXECUTE,FILE_LIST_DIRECTORY,FILE_READ_ATTRIBUTES,FILE_READ_EA,FILE_WRITE_ATTRIBUTES,FILE_WRITE_EA,SYNCHRONIZE | DIR_ADD_FILE,DIR_ADD_SUBDIR,DIR_DEL_CHILD,FILE_EXEC,DIR_READ,FILE_READ_ATTR,FILE_READ_EXT_ATTR,FILE_WRITE_ATTR,FILE_WRITE_EXT_ATTR,DIR_READ_CTRL,READ_NAMED_ATTR,WRITE_NAMED_ATTR,READ_ACL |
dr-x | rxtncy | FILE_LIST_DIRECTORY,FILE_READ_ATTRIBUTES,FILE_READ_EA,FILE_TRAVERSE,SYNCHRONIZE | DIR_READ,FILE_READ_ATTR,FILE_READ_EXT_ATTR,DIR_TRAVERSE,DIR_READ_CTRL,READ_NAMED_ATTR,READ_ACL |
d-wx | waDxTNy | FILE_ADD_FILE,FILE_ADD_SUBDIRECTORY,FILE_DELETE_CHILD,FILE_EXECUTE,FILE_TRAVERSE,FILE_WRITE_ATTRIBUTES,FILE_WRITE_EA,SYNCHRONIZE | DIR_ADD_FILE,DIR_ADD_SUBDIR,DIR_DEL_CHILD,FILE_EXEC,DIR_TRAVERSE,FILE_WRITE_ATTR,FILE_WRITE_EXT_ATTR,WRITE_NAMED_ATTR |
d--- | - | - | - |
Resulting Mappings When Set As POSIX Mode Bits via NFS (Files)
Permissions set via chmod.
POSIX Mode Bits | NFSv4 ACE | Windows | VAST |
|---|---|---|---|
rwx | rwaxtTnNcy | FILE_APPEND_DATA,FILE_READ_ATTRIBUTES,FILE_READ_DATA,FILE_READ_EA,FILE_WRITE_ATTRIBUTES,FILE_WRITE_DATA,FILE_WRITE_EA,READ_CONTROL,SYNCHRONIZE | FILE_APPEND,FILE_READ_ATTR,FILE_READ,FILE_READ_EXT_ATTR,FILE_WRITE_ATTR,FILE_WRITE_DATA,FILE_WRITE_EXT_ATTR,FILE_READ_CTRL,READ_NAMED_ATTR,WRITE_NAMED_ATTR,READ_ACL |
r-- | rtncy | FILE_READ_ATTRIBUTES,FILE_READ_DATA,FILE_READ_EA,READ_CONTROL,SYNCHRONIZE | FILE_READ_ATTR,FILE_READ,FILE_READ_EXT_ATTR,FILE_READ_CTRL,READ_NAMED_ATTR,READ_ACL |
-w- | waTNy | FILE_APPEND_DATA,FILE_WRITE_ATTRIBUTES,FILE_WRITE_DATA,FILE_WRITE_EA,SYNCHRONIZE | FILE_APPEND,FILE_WRITE_ATTR,FILE_WRITE_DATA,FILE_WRITE_EXT_ATTR,WRITE_NAMED_ATTR |
--x | xy | - | - |
rw- | rwatTnNcy | FILE_APPEND_DATA,FILE_READ_ATTRIBUTES,FILE_READ_DATA,FILE_READ_EA,FILE_WRITE_ATTRIBUTES,FILE_WRITE_DATA,FILE_WRITE_EA,READ_CONTROL,SYNCHRONIZE | FILE_APPEND,FILE_READ_ATTR,FILE_READ,FILE_READ_EXT_ATTR,FILE_WRITE_ATTR,FILE_WRITE_DATA,FILE_WRITE_EXT_ATTR,FILE_READ_CTRL,READ_NAMED_ATTR,WRITE_NAMED_ATTR,READ_ACL |
r-x | rxtncy | FILE_READ_ATTRIBUTES,FILE_READ_DATA,FILE_READ_EA,READ_CONTROL,SYNCHRONIZE | FILE_READ_ATTR,FILE_READ,FILE_READ_EXT_ATTR,FILE_READ_CTRL,READ_NAMED_ATTR,READ_ACL |
-wx | waxTNy | FILE_APPEND_DATA,FILE_WRITE_ATTRIBUTES,FILE_WRITE_DATA,FILE_WRITE_EA,SYNCHRONIZE | FILE_APPEND,FILE_WRITE_ATTR,FILE_WRITE_DATA,FILE_WRITE_EXT_ATTR,WRITE_NAMED_ATTR |
--- | - | - | - |
Note Regarding Security Flavors
While a user's access permissions to an object are granted consistently regardless of protocol, the Security Flavor set on the View Policy in use governs how those individual permissions are evaluated.
For instance, the handling of DIR_TRAVERSE ("x" on a directory), which controls whether a user can pass through a directory to reach a subdirectory or file they have permissions on, differs by Security Flavor:
With the NFS Security Flavor, DIR_TRAVERSE is enforced for both NFS and SMB, as this is the native behavior of NFS.
With the SMB Security Flavor, DIR_TRAVERSE is ignored (not enforced) for both NFS and SMB, as this is the native behavior of SMB.
With the Mixed Last Wins Security Flavor, DIR_TRAVERSE is enforced for both NFS and SMB.
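The following is an added model, not VAST code, that ties together the chmod mapping tables above and the Security Flavor behavior just described. It expands a POSIX mode triplet into the NFSv4 ACE letters and VAST permissions listed in the "Set As POSIX Mode Bits via NFS" tables, then walks a path and applies DIR_TRAVERSE to each directory only when the flavor enforces it. Two assumptions are labelled in the code: a lone "x" on a file is taken as FILE_EXEC from the main mapping table (the chmod file table leaves that cell blank), and the Node/User shapes and the sample directory tree are invented for illustration.

```python
"""Added example: POSIX mode bits -> NFSv4 ACE letters / VAST permissions, and
path access checks under the NFS, SMB and Mixed Last Wins Security Flavors.
Constructed model for illustration; not the VAST implementation."""
from dataclasses import dataclass, field

# NFSv4 ACE letters contributed by each mode bit (from the chmod tables on this page).
NFS4_LETTERS = {
    True:  {"r": "rtncy", "w": "waDTNy", "x": "xy"},   # directories
    False: {"r": "rtncy", "w": "waTNy",  "x": "xy"},   # files
}
NFS4_ORDER = "rwaDdxtTnNcCoy"   # canonical letter order used in the tables

# VAST permissions contributed by each mode bit (from the chmod tables).
VAST_DIR = {
    "r": {"DIR_READ", "FILE_READ_ATTR", "FILE_READ_EXT_ATTR", "DIR_READ_CTRL",
          "READ_NAMED_ATTR", "READ_ACL"},
    "w": {"DIR_ADD_FILE", "DIR_ADD_SUBDIR", "DIR_DEL_CHILD", "FILE_EXEC",
          "FILE_WRITE_ATTR", "FILE_WRITE_EXT_ATTR", "WRITE_NAMED_ATTR"},
    "x": {"DIR_TRAVERSE"},
}
VAST_FILE = {
    "r": {"FILE_READ_ATTR", "FILE_READ", "FILE_READ_EXT_ATTR", "FILE_READ_CTRL",
          "READ_NAMED_ATTR", "READ_ACL"},
    "w": {"FILE_APPEND", "FILE_WRITE_ATTR", "FILE_WRITE_DATA", "FILE_WRITE_EXT_ATTR",
          "WRITE_NAMED_ATTR"},
    # Assumption: the chmod file table lists no VAST name for a lone "x";
    # FILE_EXEC is taken from the main mapping table (---x -> FILE_EXEC).
    "x": {"FILE_EXEC"},
}


def nfs4_ace(triplet: str, is_dir: bool) -> str:
    """Expand an rwx triplet (e.g. "r-x") into the NFSv4 ACE letter string."""
    letters = set()
    for bit in triplet:
        if bit in "rwx":
            letters.update(NFS4_LETTERS[is_dir][bit])
    return "".join(c for c in NFS4_ORDER if c in letters)


def vast_perms(triplet: str, is_dir: bool) -> set:
    """Expand an rwx triplet into the set of VAST permissions it grants."""
    table = VAST_DIR if is_dir else VAST_FILE
    out = set()
    for bit in triplet:
        if bit in "rwx":
            out |= table[bit]
    return out


@dataclass
class Node:                     # invented shape for the illustration
    mode: int                   # e.g. 0o750
    uid: int
    gid: int
    is_dir: bool
    children: dict = field(default_factory=dict)


def triplet_for(node: Node, uid: int, gids: set) -> str:
    """Select the owner / group / other class the way POSIX does (owner wins)."""
    shift = 6 if uid == node.uid else 3 if node.gid in gids else 0
    bits = (node.mode >> shift) & 0o7
    return "".join(ch if bits & m else "-" for ch, m in (("r", 4), ("w", 2), ("x", 1)))


# Whether DIR_TRAVERSE is enforced on every directory along the path, per flavor.
TRAVERSE_ENFORCED = {"NFS": True, "SMB": False, "MIXED_LAST_WINS": True}


def check_access(root: Node, path: str, uid: int, gids: set, wanted: str, flavor: str) -> bool:
    """True if `uid` holds `wanted` on the final component and, when the flavor
    enforces it, DIR_TRAVERSE on every directory passed through to get there."""
    node = root
    for name in [p for p in path.split("/") if p]:
        if TRAVERSE_ENFORCED[flavor] and \
                "DIR_TRAVERSE" not in vast_perms(triplet_for(node, uid, gids), True):
            return False            # cannot pass through this directory
        node = node.children[name]
    return wanted in vast_perms(triplet_for(node, uid, gids), node.is_dir)


def sample_tree() -> Node:
    """Constructed layout: /projects is owner-only (0700), /projects/shared is
    group-readable (0750), report.txt is group-readable (0640). uid 1000 owns
    everything below /, gid 100 is the team."""
    report = Node(0o640, 1000, 100, False)
    shared = Node(0o750, 1000, 100, True, {"report.txt": report})
    projects = Node(0o700, 1000, 100, True, {"shared": shared})
    return Node(0o755, 0, 0, True, {"projects": projects})


if __name__ == "__main__":
    root = sample_tree()
    path = "/projects/shared/report.txt"
    for flavor in TRAVERSE_ENFORCED:          # bob (uid 1001, in gid 100) has no "x" on /projects
        ok = check_access(root, path, 1001, {100}, "FILE_READ", flavor)
        print(f"{flavor:16} bob FILE_READ on {path}: {'allowed' if ok else 'denied'}")
    print("chmod 777 on a file grants FILE_DELETE?", "FILE_DELETE" in vast_perms("rwx", False))
    print("chmod -w- on a directory grants DIR_DEL_CHILD?", "DIR_DEL_CHILD" in vast_perms("-w-", True))
```

The run shows the practical consequence of the flavor setting: under the NFS and Mixed Last Wins flavors, removing "x" from a parent directory is an effective gate on everything beneath it for both NFS and SMB clients, whereas under the SMB flavor a client that knows the path gets straight to a group-readable file. It also shows, from the tables alone, that chmod on a file never grants FILE_DELETE; deletion comes from DIR_DEL_CHILD on the parent.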