Skip to main content
Manage access rights in file storage at the file system level
Last update:

Manage access rights in file storage at the file system level

In file storage with NFSv4 protocol, you can manage access rights to files and folders at the file system level.

Principle of operation

Files and folders in file storage with NFSv4 protocol support standard access rights differentiation as in Unix systems. Read, write and execute access to files is implemented through Identity Mapping (IDM) — access rights are checked based on user ID and user group ID.

User groups are users with the same access rights. Groups are divided into two types:

  • Primary Group — A group that the operating system assigns to a user;
  • Secondary Group — One or more groups to which the user also belongs.

Each user can be added to a maximum of 16 groups: one primary and 15 secondary groups.

By default, only the user has read, write, and execute permissions on files root. The other users have read-only permissions. On behalf of root can configure access rights to folders and files for users and for user groups.

Format of access rights

Example of access rights:

drwxrwxrwx 3 root root   21 Jun 13 14:00 .
drwxr-xr-x 4 root root 4096 Jun 13 13:44 ..
drwxr-xr-x 2 root root 6 Jun 13 14:00 directory
-rw-rw-r-- 1 first first 0 Jun 13 09:45 file.txt

Here:

  • the first character:
    • d — directory flag;
    • - — file flag;
  • triples of symbols of the form rwx:
    • first three characters of the form rwx — user rights;
    • second triplet of characters of the form rwx — group rights;
    • third triplet of symbols of the form rwx- the rights of everyone else who is not a user or a member of the group;
    • r — read privileges;
    • w — write privileges;
    • x — execution rights (execute);
  • the first column with names — names of users who are the owners of the folder or file;
  • the second column with names — names of groups that are owners of the folder or file;
  • last column — file or directory names.

Configure access rights for the user

User root can create users and grant them rights to folders. If you create a user, a folder and assign the user as the owner of the folder, only that user will have full read, write and execute rights to the files in the folder.

  1. Mount the file storage.
  2. Create a user.
  3. Assign the user as the owner of the folder.
  4. Check user rights.

Mount the file storage to a dedicated or cloud server

The mount process depends on the operating system on the server and the file storage protocol: NFSv4 or CIFS SMBv3.

  1. Connect to the cloud server.

  2. Open the CLI.

  3. Install the NFS protocol package:

    sudo apt install nfs-common
  4. Create a folder to mount the repository:

    sudo mkdir -p /mnt/nfs
  5. Mount the file storage:

    sudo mount -vt nfs "<filestorage_ip_address>:/shares/share-<mountpoint_uuid>" /mnt/nfs

    Specify:

    • <filestorage_ip_address> — The IP address of the file storage. You can look in control panels under Cloud platformFile storage → storage page → tab Settings → field IP;
    • <mountpoint_uuid> — The ID of the mount point. You can look in control panels under Cloud platformFile storage → storage page → block Connection → tab GNU/Linux.

Create a user

  1. Create a user:

    sudo useradd <user_name> -u <user_id>

    Specify:

    • <user_name> — username;
    • optional: <user_id> — User ID, e.g. 1000.

    The user will be automatically added to a Primary Group with the same name as the user.

  2. Verify that the user has been created:

    grep <user_name> /etc/passwd

    Specify <user_name> — username.

    Example answer:

    firstuser:x:1000:1000::/home/firstuser:/bin/sh

    Here:

    • firstuser — username;
    • first value 1000 — User ID;
    • second value 1000 — The ID of the user's primary group;
    • /home/firstuser — user's home folder.

assign the user as the owner of the folder

  1. Create a folder for the user:

    sudo mkdir -p /mnt/nfs/<directory_name>

    Specify <directory_name> — folder name.

  2. Assign the user as the owner of the folder:

    chown <user_name>:<group_name> <directory_name>

    Specify:

    • <user_name> — username;
    • <group_name> — the name of the primary user group, matches the user name;
    • <directory_name> — folder name.

Check user rights

  1. Navigate to the folder you created:

    cd /mnt/nfs/<directory_name>

    Specify <directory_name> — folder name.

  2. Check that the user is the owner of the folder:

    ls -al

    Example answer:

    drwxr-xr-x 2 firstuser firstuser 22 Jun 14 15:15 .
    drwxrwxrwx 3 root root 37 Jun 14 15:14 ..

    Here, the user has firstuser and the primary group firstuser has read, write and execute permissions on files in the folder. Read more about access rights format.

  3. Switch to the created user:

    su <user_name>

    Specify <user_name> — username.

  4. Create a file as a user:

    touch file.txt
  5. Check that the user has access rights to the file:

    ls -al

    Example answer:

    drwxr-xr-x 2 firstuser firstuser 22 Jun 14 15:15 .
    drwxrwxrwx 3 root root 37 Jun 14 15:14 ..
    -rw-rw-r-- 1 firstuser firstuser 0 Jun 14 15:15 file.txt

    Here, the user has firstuser and the primary group firstuser have read and write permissions on the file file.txt. User firstuser is the owner of this file. All other users have read-only rights to this file. Read more about access rights format.

Configure access rights for the group

User root can create Secondary Groups and give the groups permissions to folders. All users in the group will have the same access rights. Any user in the group will be able to create files as well as modify files that another user in the group has created.

For your information

If you created the file store before August 9, 2024, to enable the secondary group rights delimitation option file a ticket. After enabling the option, you will need to unmount and remount it.

  1. Mount the file storage.
  2. Create a secondary user group.
  3. Assign the secondary user group as the owner of the folder.
  4. Check the rights of the secondary user group.

Mount the file storage to a dedicated or cloud server

The mount process depends on the operating system on the server and the file storage protocol: NFSv4 or CIFS SMBv3.

  1. Connect to the cloud server.

  2. Open the CLI.

  3. Install the NFS protocol package:

    sudo apt install nfs-common
  4. Create a folder to mount the repository:

    sudo mkdir -p /mnt/nfs
  5. Mount the file storage:

    sudo mount -vt nfs "<filestorage_ip_address>:/shares/share-<mountpoint_uuid>" /mnt/nfs

    Specify:

    • <filestorage_ip_address> — The IP address of the file storage. You can look in control panels under Cloud platformFile storage → storage page → tab Settings → field IP;
    • <mountpoint_uuid> — The ID of the mount point. You can look in control panels under Cloud platformFile storage → storage page → block Connection → tab GNU/Linux.

Create a secondary user group

  1. Create a Secondary Group:

    sudo groupadd <group_name> -u <group_id>

    Specify:

    • <group_name> — name of the secondary user group;
    • optional: <group_id> — The ID of the secondary user group, e.g. 2000.
  2. Add users to the secondary group:

    sudo gpasswd -a <user_name_1> <group_name>
    sudo gpasswd -a <user_name_2> <group_name>

    Specify:

    • <user_name_1> and <user_name_2> — usernames;
    • <group_name> — name of the secondary user group.

    Example answer:

    Adding user firstuser to group users
    Adding user seconduser to group users

    Here. firstuser and seconduser — user names. In addition to their primary group, both users are now added to the secondary group created.

  3. Check that users are added to the group:

    grep <group_name> /etc/group

    Specify <group_name> — name of the secondary user group.

    Example answer:

    users:x:2002:firstuser,seconduser

    Here:

    • users — name of the secondary user group;
    • 2002 — The ID of the secondary user group;
    • firstuser, seconduser — usernames.

assign a secondary user group as the owner of the folder

  1. Create a folder for the secondary user group:

    sudo mkdir -p /mnt/nfs/<directory_name>

    Specify <directory_name> — folder name.

  2. Assign the user group as the owner of the folder:

    chown nobody:<group_name> <directory_name>

    Specify:

    • <group_name> — the name of the secondary user group;
    • <directory_name> — folder name.
  3. Set read, write, and execute permissions for files in the folder on behalf of the user group that owns the folder (apply setgid):

    chmod g+srwx <directory_name>

    Specify <directory_name> — folder name.

  4. Deny write and execute access to files to other users who are not members of the secondary group:

    chmod 474 <directory_name>

    Specify <directory_name> — folder name.

Check the rights of the secondary user group

  1. Check that the secondary user group is the owner of the folder:

    ls -al

    Example answer:

    drwxr-xr-x 3 root   root  4096 Jun 14 16:10 .
    drwxr-xr-x 3 root root 4096 Jun 14 16:07 ..
    dr--rwsr-- 2 nobody users 4096 Jun 14 16:10 directory

    Here, the secondary user group has users have read, write, and execute permissions on the files in the folder directory. All other users have read-only permissions to the files in this folder. Read more about access rights format.

  2. Switch to the user added to the secondary group:

    su <user_name_1>

    Specify <user_name_1> — the name of the first user.

  3. Navigate to the folder you created:

    cd /mnt/nfs/<directory_name>

    Specify <directory_name> — folder name.

  4. Create a file as a user:

    touch file1.txt
  5. Check that the user has access rights to the file:

    ls -al

    Example answer:

    dr--rwsr-- 2 nobody    users 4096 Jun 14 16:13 .
    drwxr-xr-x 3 root root 4096 Jun 14 16:10 ..
    -rw-rw-r-- 1 firstuser users 0 Jun 14 16:13 file1.txt

    Here, the user has firstuser and the secondary group users have read and write permissions on the file file1.txt. User firstuser is the owner of this file. All other users have read-only rights to this file. Read more about access rights format.

  6. Check that the second user in the secondary group can create files in the folder and modify files that the first user in the group created. To do this, switch to the second user added to the group:

    su <user_name_2>

    Specify <user_name_2> — the name of the second user.

  7. Make changes to the file that the first user created:

    echo 'anytext' > file1.txt
  8. Create the file on behalf of the second user:

    touch file2.txt
  9. Check that the user has access rights to the file:

    ls -al

    Example answer:

    dr--rwsr-- 2 nobody     users 4096 Jun 14 16:19 .
    drwxr-xr-x 3 root root 4096 Jun 14 16:10 ..
    -rw-rw-r-- 1 firstuser users 4 Jun 14 16:19 file1.txt
    -rw-rw-r-- 1 seconduser users 0 Jun 14 16:19 file2.txt

    Here, the user has seconduser and the secondary users group have read and write permissions on the files file1.txt and file2.txt. User firstuser is the owner of the first file, and seconduser — second. All other users have read-only permissions to this file. Read more about access rights format.