Manage access rights in file storage at the file system level
In file storage with NFSv4 protocol, you can manage access rights to files and folders at the file system level.
Principle of operation
Files and folders in file storage with the NFSv4 protocol support the standard Unix access rights model. Read, write and execute access to files is implemented through Identity Mapping (IDM) — access rights are checked based on the user ID and the user's group IDs.
A user group is a set of users with the same access rights. Groups are divided into two types:
- Primary Group — A group that the operating system assigns to a user;
- Secondary Group — One or more groups to which the user also belongs.
Each user can be added to a maximum of 16 groups: one primary and 15 secondary groups.
By default, only the root user has read, write, and execute permissions on files. Other users have read-only permissions. As root, you can configure access rights to folders and files for users and for user groups.
Format of access rights
Example of access rights:
drwxrwxrwx 3 root root 21 Jun 13 14:00 .
drwxr-xr-x 4 root root 4096 Jun 13 13:44 ..
drwxr-xr-x 2 root root 6 Jun 13 14:00 directory
-rw-rw-r-- 1 first first 0 Jun 13 09:45 file.txt
Here:
- the first character: d — directory flag; - — file flag;
- three triplets of characters of the form rwx: the first triplet — rights of the owning user; the second triplet — rights of the owning group; the third triplet — rights of everyone else who is neither the owner nor a member of the group. In each triplet: r — read permission; w — write permission; x — execute permission;
- the first column with names — the user who owns the folder or file;
- the second column with names — the group that owns the folder or file;
- the last column — file or directory name.
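To show how the owner / group / others rule above is applied to a particular user, here is an added example in POSIX shell (not code from the original page): it picks the triplet that applies to a user and reports the rights it grants. The mode strings and names are taken from the listings on this page; group membership is passed in explicitly, since on a live host you would read it from `id -Gn <user>`.

```shell
#!/bin/sh
# Added example (not from the original page): which rwx triplet applies to a
# user, and what it grants, following the owner / group / others rule above.
# Group membership is passed explicitly; on a real host use `id -Gn <user>`.

# effective_rights MODE OWNER GROUP USER "GROUPS..."
#   MODE is the first ls -al column, e.g. "-rw-rw-r--" or "dr--rwsr--".
#   Prints the triplet that applies to USER, e.g. "rw-".
effective_rights() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    if [ "$user" = "$owner" ]; then
        triplet=$(printf '%s' "$mode" | cut -c2-4)    # owner triplet
    else
        triplet=$(printf '%s' "$mode" | cut -c8-10)   # others triplet
        for g in $groups; do
            # member of the owning group (primary or secondary): group triplet
            [ "$g" = "$group" ] && triplet=$(printf '%s' "$mode" | cut -c5-7)
        done
    fi
    # setgid/setuid show as 's' (or 'S' when x is absent) in the execute slot;
    # report plain rights only.
    printf '%s' "$triplet" | tr 'sS' 'x-'
}

# can_write MODE OWNER GROUP USER "GROUPS..." -> exit 0 if USER may write.
can_write() {
    case $(effective_rights "$@") in
        ?w?) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed demo using the listings on this page.
demo() {
    # file1.txt from the secondary-group section: seconduser is in "users"
    effective_rights -rw-rw-r-- firstuser users seconduser 'seconduser users'
    echo
    # the same file seen by a user outside the group: read-only
    effective_rights -rw-rw-r-- firstuser users thirduser thirduser
    echo
}
```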
Configure access rights for the user
The root user can create users and grant them rights to folders. If you create a user and a folder and assign the user as the owner of the folder, only that user will have full read, write and execute rights to the files in the folder.
- Mount the file storage.
- Create a user.
- Assign the user as the owner of the folder.
- Check user rights.
Mount the file storage to a dedicated or cloud server
The mount process depends on the operating system on the server and the file storage protocol: NFSv4 or CIFS SMBv3.
NFSv4, Linux
- Open the CLI.
- Install the NFS protocol package:
sudo apt install nfs-common
- Create a folder to mount the storage:
sudo mkdir -p /mnt/nfs
- Mount the file storage:
sudo mount -vt nfs "<filestorage_ip_address>:/shares/share-<mountpoint_uuid>" /mnt/nfs
Specify:
- <filestorage_ip_address> — the IP address of the file storage. You can look it up in the control panel under Cloud platform → File storage → storage page → tab Settings → field IP;
- <mountpoint_uuid> — the ID of the mount point. You can look it up in the control panel under Cloud platform → File storage → storage page → block Connection → tab GNU/Linux.
NFSv4, Windows
The file storage works only with NFSv4 clients. By default, Windows supports NFSv2 and NFSv3 clients. Read more about NFS versions in the NFS overview article in the Microsoft documentation.
To work with file storage from Windows, we recommend using file storage with the CIFS protocol. If you need to connect storage with the NFS protocol, install and use a client that supports NFSv4.
CIFS SMBv3, Linux
- Open the CLI.
- Install the CIFS protocol package:
sudo apt install cifs-utils
- Create a folder to mount the storage:
sudo mkdir -p /mnt/cifs
- Mount the file storage:
sudo mount.cifs -o guest //<filestorage_ip_address>/share-<mountpoint_uuid> /mnt/cifs
Specify:
- <filestorage_ip_address> — the IP address of the file storage. You can look it up in the control panel under Cloud platform → File storage → storage page → tab Settings → field IP;
- <mountpoint_uuid> — the ID of the mount point. You can look it up in the control panel under Cloud platform → File storage → storage page → block Connection → tab GNU/Linux.
CIFS SMBv3, Windows
- Open the CLI.
- Mount the file storage:
net use X: \\<filestorage_ip_address>\share-<mountpoint_uuid>
Specify:
- <filestorage_ip_address> — the IP address of the file storage. You can look it up in the control panel under Cloud platform → File storage → storage page → tab Settings → field IP;
- <mountpoint_uuid> — the ID of the mount point. You can look it up in the control panel under Cloud platform → File storage → storage page → block Connection → tab Windows.
Create a user
- Create a user:
sudo useradd <user_name> -u <user_id>
Specify:
- <user_name> — username;
- optional: <user_id> — user ID, e.g. 1000.
The user will be automatically added to a Primary Group with the same name as the user.
- Verify that the user has been created:
grep <user_name> /etc/passwd
Specify <user_name> — username.
Example answer:
firstuser:x:1000:1000::/home/firstuser:/bin/sh
Here:
- firstuser — username;
- the first value 1000 — user ID;
- the second value 1000 — the ID of the user's primary group;
- /home/firstuser — the user's home folder.
Assign the user as the owner of the folder
- Create a folder for the user:
sudo mkdir -p /mnt/nfs/<directory_name>
Specify <directory_name> — folder name.
- Assign the user as the owner of the folder:
sudo chown <user_name>:<group_name> /mnt/nfs/<directory_name>
Specify:
- <user_name> — username;
- <group_name> — the name of the user's primary group, which matches the user name;
- <directory_name> — folder name.
Check user rights
- Navigate to the folder you created:
cd /mnt/nfs/<directory_name>
Specify <directory_name> — folder name.
- Check that the user is the owner of the folder:
ls -al
Example answer:
drwxr-xr-x 2 firstuser firstuser 22 Jun 14 15:15 .
drwxrwxrwx 3 root root 37 Jun 14 15:14 ..
Here, the user firstuser is the owner of the folder and has read, write and execute permissions on it; the primary group firstuser, like all other users, has read and execute permissions only. Read more in the section Format of access rights.
- Switch to the created user:
su <user_name>
Specify <user_name> — username.
- Create a file as the user:
touch file.txt
- Check that the user has access rights to the file:
ls -al
Example answer:
drwxr-xr-x 2 firstuser firstuser 22 Jun 14 15:15 .
drwxrwxrwx 3 root root 37 Jun 14 15:14 ..
-rw-rw-r-- 1 firstuser firstuser 0 Jun 14 15:15 file.txt
Here, the user firstuser and the primary group firstuser have read and write permissions on the file file.txt. User firstuser is the owner of this file. All other users have read-only rights to this file. Read more in the section Format of access rights.
Configure access rights for the group
The root user can create Secondary Groups and give the groups permissions to folders. All users in the group have the same access rights: any user in the group can create files and modify files that another user in the group created.
If you created the file storage before August 9, 2024, file a ticket to enable the secondary group rights delimitation option. After the option is enabled, unmount and remount the file storage.
- Mount the file storage.
- Create a secondary user group.
- Assign the secondary user group as the owner of the folder.
- Check the rights of the secondary user group.
Mount the file storage to a dedicated or cloud server
The mount process depends on the operating system on the server and the file storage protocol: NFSv4 or CIFS SMBv3.
The steps are the same as in the section Mount the file storage to a dedicated or cloud server under Configure access rights for the user above.
Create a secondary user group
- Create a Secondary Group:
sudo groupadd <group_name> -g <group_id>
Specify:
- <group_name> — name of the secondary user group;
- optional: <group_id> — the ID of the secondary user group, e.g. 2000.
- Add users to the secondary group:
sudo gpasswd -a <user_name_1> <group_name>
sudo gpasswd -a <user_name_2> <group_name>
Specify:
- <user_name_1> and <user_name_2> — usernames;
- <group_name> — name of the secondary user group.
Example answer:
Adding user firstuser to group users
Adding user seconduser to group users
Here, firstuser and seconduser are user names. In addition to their primary group, both users are now members of the secondary group you created.
- Check that the users are added to the group:
grep <group_name> /etc/group
Specify <group_name> — name of the secondary user group.
Example answer:
users:x:2002:firstuser,seconduser
Here:
- users — name of the secondary user group;
- 2002 — the ID of the secondary user group;
- firstuser, seconduser — usernames.
Assign a secondary user group as the owner of the folder
- Create a folder for the secondary user group:
sudo mkdir -p /mnt/nfs/<directory_name>
Specify <directory_name> — folder name.
- Assign the user group as the owner of the folder:
sudo chown nobody:<group_name> /mnt/nfs/<directory_name>
Specify:
- <group_name> — the name of the secondary user group;
- <directory_name> — folder name.
- Set read, write, and execute permissions on files in the folder for the user group that owns the folder, and set the setgid bit so that new files inherit the folder's group:
sudo chmod g+srwx /mnt/nfs/<directory_name>
Specify <directory_name> — folder name.
- Deny write and execute access to files to other users who are not members of the secondary group:
sudo chmod 474 /mnt/nfs/<directory_name>
Specify <directory_name> — folder name.
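The mode layout from the steps above can be applied with one explicit chmod and then audited from a script rather than by eye. The following is an added example in POSIX shell (not code from the original page); mode 2474 is the single-mode equivalent of `chmod g+srwx` followed by `chmod 474`, and naming the setgid bit explicitly does not rely on the numeric chmod preserving it on the directory.

```shell
#!/bin/sh
# Added example (not from the original page): apply the folder layout from the
# steps above with one explicit mode and audit it from a script. 2474 is the
# single-mode equivalent of `chmod g+srwx` followed by `chmod 474`; stating the
# setgid bit explicitly does not rely on the numeric chmod preserving it.

# mode_string PATH -> first column of `ls -ld`, e.g. "dr--rwsr--"
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# group_name PATH -> owning group as shown by `ls -ld`
group_name() {
    ls -ld "$1" | awk '{print $4}'
}

# apply_group_folder_mode DIR [GROUP]: owner read-only, group rwx + setgid,
# others read-only. The chown to nobody:GROUP needs root and is only done when
# GROUP is given and the caller is root (as on the mounted share in the page).
apply_group_folder_mode() {
    dir=$1 group=$2
    if [ -n "$group" ] && [ "$(id -u)" -eq 0 ]; then
        chown "nobody:$group" "$dir"
    fi
    chmod 2474 "$dir"
}

# audit_group_folder DIR [GROUP] -> exit 0 when DIR has exactly the expected
# layout (and, if GROUP is given, is owned by that group); reports otherwise.
audit_group_folder() {
    m=$(mode_string "$1")
    if [ "$m" != "dr--rwsr--" ]; then
        echo "unexpected mode on $1: $m (expected dr--rwsr--)" >&2
        return 1
    fi
    if [ -n "$2" ] && [ "$(group_name "$1")" != "$2" ]; then
        echo "unexpected group on $1: $(group_name "$1") (expected $2)" >&2
        return 1
    fi
    return 0
}

# Runnable demo on a temporary directory; the chmod part needs no root.
demo_group_folder() {
    tmp=$(mktemp -d) && mkdir "$tmp/directory"
    apply_group_folder_mode "$tmp/directory"
    if audit_group_folder "$tmp/directory"; then rc=0; else rc=1; fi
    chmod 755 "$tmp/directory" && rm -rf "$tmp"   # restore mode so cleanup works
    return $rc
}
```

On the real share, run `apply_group_folder_mode /mnt/nfs/<directory_name> <group_name>` as root and then `audit_group_folder /mnt/nfs/<directory_name> <group_name>`; a non-zero exit means the folder does not have the layout the procedure expects.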
Check the rights of the secondary user group
- Check that the secondary user group is the owner of the folder:
ls -al
Example answer:
drwxr-xr-x 3 root root 4096 Jun 14 16:10 .
drwxr-xr-x 3 root root 4096 Jun 14 16:07 ..
dr--rwsr-- 2 nobody users 4096 Jun 14 16:10 directory
Here, the secondary user group users has read, write, and execute permissions on the files in the folder directory. All other users have read-only permissions to the files in this folder. Read more in the section Format of access rights.
- Switch to the user added to the secondary group:
su <user_name_1>
Specify <user_name_1> — the name of the first user.
- Navigate to the folder you created:
cd /mnt/nfs/<directory_name>
Specify <directory_name> — folder name.
- Create a file as the user:
touch file1.txt
- Check that the user has access rights to the file:
ls -al
Example answer:
dr--rwsr-- 2 nobody users 4096 Jun 14 16:13 .
drwxr-xr-x 3 root root 4096 Jun 14 16:10 ..
-rw-rw-r-- 1 firstuser users 0 Jun 14 16:13 file1.txt
Here, the user firstuser and the secondary group users have read and write permissions on the file file1.txt. User firstuser is the owner of this file. All other users have read-only rights to this file. Read more in the section Format of access rights.
- Check that the second user in the secondary group can create files in the folder and modify files that the first user in the group created. To do this, switch to the second user added to the group:
su <user_name_2>
Specify <user_name_2> — the name of the second user.
- Make changes to the file that the first user created:
echo 'anytext' > file1.txt
- Create a file on behalf of the second user:
touch file2.txt
- Check that the user has access rights to the files:
ls -al
Example answer:
dr--rwsr-- 2 nobody users 4096 Jun 14 16:19 .
drwxr-xr-x 3 root root 4096 Jun 14 16:10 ..
-rw-rw-r-- 1 firstuser users 4 Jun 14 16:19 file1.txt
-rw-rw-r-- 1 seconduser users 0 Jun 14 16:19 file2.txt
Here, the user seconduser and the secondary group users have read and write permissions on the files file1.txt and file2.txt. User firstuser is the owner of the first file, and seconduser of the second. All other users have read-only permissions to these files. Read more in the section Format of access rights.