Manage access rights in file storage at the file system level

For your information

This instruction describes how to configure access rights to file storage for a cloud server with a Linux-based OS.

In file storage with the NFSv4 protocol, you can manage access rights to files and folders at the file system level.

Principle of operation

Files and folders in file storage with the NFSv4 protocol support the standard Unix access control model. Read, write, and execute access is enforced through Identity Mapping (IDM): every access request is checked against the user ID (UID) and group ID (GID) of the user making it.

A user group is a set of users with the same access rights. Groups are divided into two types:

  • primary group (Primary Group) — the group that the operating system assigns to a user;
  • secondary group (Secondary Group) — one or more groups to which a user also belongs.

Each user can belong to a maximum of 16 groups: one primary group and up to 15 secondary groups.

By default, only the root user has read, write, and execute permissions. Other users only have read permissions. As root, you can configure folder and file access rights for users and for user groups.

Access rights format

Example of access rights:

drwxrwxrwx 3 root root 21 Jun 13 14:00 .
drwxr-xr-x 4 root root 4096 Jun 13 13:44 ..
drwxr-xr-x 2 root root 6 Jun 13 14:00 directory
-rw-rw-r-- 1 first first 0 Jun 13 09:45 file.txt

Where:

  • first character:
    • d — directory flag;
    • - — file flag;
  • triplets of characters like rwx:
    • the first triplet of characters like rwx — user permissions;
    • the second triplet of characters like rwx — group permissions;
    • the third triplet of characters like rwx — permissions for everyone else, that is, users who are neither the owner nor members of the owning group;
    • r — read permission (read);
    • w — write permission (write);
    • x — execute permission (execute);
  • the first column with names — the user who owns the folder or file;
  • the second column with names — the group that owns the folder or file;
  • the last column — names of files or directories.
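As an added illustration that is not part of the original instruction, the POSIX shell script below decodes the mode column of an ls -l listing into the four octal digits that chmod accepts (the leading digit carries setuid, setgid and sticky, which appear in the triplets as s, S, t or T) and summarises a whole listing line into type, mode, owner and group. The function names mode_to_octal, triplet_value and ls_line_summary and the sample listing at the end are this example's own; the sample reuses the lines shown above and the dr--rwsr-- folder from the group procedure.

```shell
#!/bin/sh
# Added example: decode the mode column of `ls -l` output.
# Helper names are assumptions of this example, not commands from the page.

# triplet_value TRIPLET WEIGHT
# TRIPLET is three characters such as "rwx" or "rws". WEIGHT is the value of the
# special bit that may appear in this triplet: 4 = setuid (user triplet),
# 2 = setgid (group triplet), 1 = sticky ("others" triplet).
# Prints "<special> <perm>", where perm is the usual 0-7 digit.
triplet_value() {
    t=$1; w=$2; v=0; s=0
    case $t in r??) v=$((v + 4)) ;; esac
    case $t in ?w?) v=$((v + 2)) ;; esac
    case $t in
        ??x)    v=$((v + 1)) ;;          # plain execute
        ??[st]) v=$((v + 1)); s=$w ;;    # execute plus setuid/setgid/sticky
        ??[ST]) s=$w ;;                  # special bit set, execute not set
    esac
    echo "$s $v"
}

# mode_to_octal MODESTRING
# Converts a 10-character mode string such as "dr--rwsr--" into a four-digit
# octal mode ("2474"). Returns 1 on a malformed string.
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] || { echo "mode_to_octal: expected 10 characters, got '$m'" >&2; return 1; }
    set -- $(triplet_value "$(printf '%s' "$m" | cut -c2-4)" 4);  su=$1; u=$2
    set -- $(triplet_value "$(printf '%s' "$m" | cut -c5-7)" 2);  sg=$1; g=$2
    set -- $(triplet_value "$(printf '%s' "$m" | cut -c8-10)" 1); so=$1; o=$2
    printf '%d%d%d%d\n' "$((su + sg + so))" "$u" "$g" "$o"
}

# ls_line_summary "LINE"
# Summarises one `ls -l` line as "name: type=... mode=NNNN owner=... group=...".
# Assumes the default layout: mode, links, owner, group, size, three date fields, name.
ls_line_summary() {
    set -- $1
    mode=$1; owner=$3; group=$4
    shift 8
    name=$*
    case $mode in
        d*) type=directory ;;
        -*) type=file ;;
        l*) type=symlink ;;
        *)  type=other ;;
    esac
    printf '%s: type=%s mode=%s owner=%s group=%s\n' \
        "$name" "$type" "$(mode_to_octal "$mode")" "$owner" "$group"
}

# Constructed sample listing (lines taken from this page's examples).
sample='drwxr-xr-x 2 root root 6 Jun 13 14:00 directory
-rw-rw-r-- 1 first first 0 Jun 13 09:45 file.txt
dr--rwsr-- 2 nobody users 4096 Jun 14 16:10 directory'
printf '%s\n' "$sample" | while IFS= read -r line; do ls_line_summary "$line"; done
```

Reading the octal form is useful when a listing shows an unusual combination such as dr--rwsr--: the script reports it as 2474, which makes the setgid bit (2) and the read-only access for the owner and for everyone else (4 and 4) explicit.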

Configure access rights for a user

For your information

This instruction describes configuring user access rights for file storage with the NFSv4 protocol.

The root user can create users and grant them folder permissions. If you create a user, create a folder, and assign the user as the folder owner, then only that user will have full read, write, and execute permissions on files in that folder.

  1. Mount the file storage.

  2. Create a user.

  3. Set the user as the folder owner.

  4. Check user permissions.

1. Mount the file storage to a server

  1. Connect to a cloud server or dedicated server.

  2. Install the package for working with the NFS protocol:

    sudo apt install nfs-common

  3. Create a folder to mount the storage:

    sudo mkdir -p /mnt/nfs

  4. Mount the file storage:

    sudo mount -vt nfs "<filestorage_ip_address>:/shares/share-<mountpoint_uuid>" /mnt/nfs

    Specify:

    • <filestorage_ip_address> — IP address of the file storage. You can view it in the control panel: from the top menu, click Products → File Storage → storage page → Settings tab → IP;
    • <mountpoint_uuid> — ID of the mount point. You can view it in the control panel: from the top menu, click File Storage → storage page → Connection block → GNU/Linux.

2. Create a user

  1. Create a user:

    sudo useradd -u <user_id> <user_name>

    Specify:

    • <user_name> — username;
    • optional: <user_id> — user ID, for example, 1000.

    The user will be automatically added to the primary group (Primary Group) with the same name as the user.

  2. Verify that the user has been created:

    grep <user_name> /etc/passwd

    Specify <user_name> — username.

    Example response:

    firstuser:x:1000:1000::/home/firstuser:/bin/sh

    Where:

    • firstuser — username;
    • the first value 1000 — user ID;
    • the second value 1000 — user primary group ID;
    • /home/firstuser — user home folder.

3. Set the user as the folder owner

  1. Create a folder for the user:

    sudo mkdir -p /mnt/nfs/<directory_name>

    Specify <directory_name> — folder name.

  2. Set the user as the folder owner:

    sudo chown <user_name>:<group_name> /mnt/nfs/<directory_name>

    Specify:

    • <user_name> — username;
    • <group_name> — name of the user primary group (matches the username);
    • <directory_name> — folder name.

4. Check user permissions

  1. Navigate to the created folder:

    cd /mnt/nfs/<directory_name>

    Specify <directory_name> — folder name.

  2. Verify that the user is the folder owner:

    ls -al

    Example response:

    drwxr-xr-x 2 firstuser firstuser 22 Jun 14 15:15 .
    drwxrwxrwx 3 root root 37 Jun 14 15:14 ..

    Here, user firstuser and primary group firstuser have read, write, and execute permissions for files in the folder. See the Access rights format section above.

  3. Switch to the created user:

    su <user_name>

    Specify <user_name> — username.

  4. Create a file as the user:

    touch file.txt

  5. Verify that the user has access rights to the file:

    ls -al

    Example response:

    drwxr-xr-x 2 firstuser firstuser 22 Jun 14 15:15 .
    drwxrwxrwx 3 root root 37 Jun 14 15:14 ..
    -rw-rw-r-- 1 firstuser firstuser 0 Jun 14 15:15 file.txt

    Here, user firstuser and primary group firstuser have read and write permissions for the file.txt file. User firstuser is the owner of this file. All other users only have read permissions for this file. See the Access rights format section above.

Configure access rights for a group

For your information

If you created the file storage before August 9, 2024, create a ticket to enable the option for differentiating access rights for secondary groups. After the option is enabled, unmount the file storage and mount it again. This instruction describes how to configure group access rights to file storage with the NFSv4 protocol.

The root user can create secondary user groups (Secondary Groups) and grant groups permissions for folders. All users in the group will have the same access rights. Any user from the group will be able to create files, as well as modify files that another user in the group created.

  1. Mount the file storage.

  2. Create a secondary user group.

  3. Set the secondary user group as the folder owner.

  4. Check the secondary user group permissions.

1. Mount the file storage to a server

  1. Connect to a cloud server or dedicated server.

  2. Install the package for working with the NFS protocol:

    sudo apt install nfs-common

  3. Create a folder to mount the storage:

    sudo mkdir -p /mnt/nfs

  4. Mount the file storage:

    sudo mount -vt nfs "<filestorage_ip_address>:/shares/share-<mountpoint_uuid>" /mnt/nfs

    Specify:

    • <filestorage_ip_address> — IP address of the file storage. You can view it in the control panel: from the top menu, click Products → File Storage → storage page → Settings tab → IP;
    • <mountpoint_uuid> — ID of the mount point. You can view it in the control panel: from the top menu, click File Storage → storage page → Connection block → GNU/Linux.

2. Create a secondary user group

  1. Create a secondary group (Secondary Group):

    sudo groupadd -g <group_id> <group_name>

    Specify:

    • <group_name> — name of the secondary user group;
    • optional: <group_id> — ID of the secondary user group, for example, 2000.

  2. Add users to the secondary group:

    sudo gpasswd -a <user_name_1> <group_name>
    sudo gpasswd -a <user_name_2> <group_name>

    Specify:

    • <user_name_1> and <user_name_2> — usernames;
    • <group_name> — name of the secondary user group.

    Example response:

    Adding user firstuser to group users
    Adding user seconduser to group users

    Here, firstuser and seconduser are the usernames. In addition to their primary groups, both users now belong to the created secondary group.

  3. Verify that the users have been added to the group:

    grep <group_name> /etc/group

    Specify <group_name> — the name of the secondary user group.

    Example response:

    users:x:2002:firstuser,seconduser

    Where:

    • users — name of the secondary user group;
    • 2002 — ID of the secondary user group;
    • firstuser, seconduser — usernames.

3. Set the secondary user group as the folder owner

  1. Create a folder for the secondary user group:

    sudo mkdir -p /mnt/nfs/<directory_name>

    Specify <directory_name> — folder name.

  2. Set the user group as the folder owner:

    sudo chown nobody:<group_name> /mnt/nfs/<directory_name>

    Specify:

    • <group_name> — name of the secondary user group;
    • <directory_name> — folder name.

  3. Grant the owning group read, write, and execute permissions on the folder and set the setgid bit, so that files created in the folder inherit the folder's group:

    sudo chmod g+srwx /mnt/nfs/<directory_name>

    Specify <directory_name> — folder name.

  4. Deny write and execute access to the folder for users who are not members of the secondary group:

    sudo chmod 474 /mnt/nfs/<directory_name>

    Specify <directory_name> — folder name.
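As an added example that is not part of the original instruction, the POSIX shell script below audits a folder on the mounted storage against the two layouts this page creates: a user-owned folder from "Configure access rights for a user" (owner has rwx, nobody else can write) and a secondary-group folder from the steps above (group owner, setgid set, group rwx, no write or execute for others). It relies on GNU stat, which is what the nfs-common host on this page uses; the function names, messages and the command-line usage are this example's own.

```shell
#!/bin/sh
# Added example: audit a folder against the user-owned or group-shared layout
# described on the page. Function names and messages are this example's own.

# read_dir_facts DIR
# Fills the variables mode (4 octal digits), owner, group and the per-class
# digits sp (special bits), u, g, o from GNU stat output.
read_dir_facts() {
    set -- $(stat -c '%a %U %G' "$1")
    mode=$1; owner=$2; group=$3
    if [ "${#mode}" -eq 3 ]; then mode="0$mode"; fi   # stat omits a zero special digit
    sp=${mode%???}; rest=${mode#?}
    u=${rest%??}; g=${rest#?}; g=${g%?}; o=${rest#??}
}

# check_user_dir DIR USER
# Expects DIR to be owned by USER with rwx for the owner and no write permission
# for the group or for others (the drwxr-xr-x listing in the user procedure).
check_user_dir() {
    read_dir_facts "$1"; rc=0
    if [ "$owner" = "$2" ]; then echo "ok: owner is $owner"
    else echo "problem: owner is $owner, expected $2"; rc=1; fi
    if [ "$u" -eq 7 ]; then echo "ok: owner has rwx"
    else echo "problem: owner digit is $u, expected 7"; rc=1; fi
    if [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]; then echo "ok: nobody else can write"
    else echo "problem: group or others can write (mode $mode)"; rc=1; fi
    echo "summary: $1 owner=$owner group=$group mode=$mode"
    return $rc
}

# check_shared_group_dir DIR GROUP
# Expects DIR to be group-owned by GROUP with setgid set, rwx for the group and
# neither write nor execute for others (the dr--rwsr-- listing in the group check).
check_shared_group_dir() {
    read_dir_facts "$1"; rc=0
    if [ "$group" = "$2" ]; then echo "ok: group owner is $group"
    else echo "problem: group owner is $group, expected $2"; rc=1; fi
    if [ $((sp & 2)) -ne 0 ]; then echo "ok: setgid set, new files inherit group $group"
    else echo "problem: setgid not set, new files get each creator's primary group"; rc=1; fi
    if [ "$g" -eq 7 ]; then echo "ok: group has rwx"
    else echo "problem: group digit is $g, expected 7"; rc=1; fi
    if [ $((o & 3)) -eq 0 ]; then echo "ok: others cannot write or traverse"
    else echo "problem: others digit is $o, write or execute allowed"; rc=1; fi
    echo "summary: $1 owner=$owner group=$group mode=$mode"
    return $rc
}

# Usage (paths and names are placeholders to replace):
#   sh audit_dir.sh user  /mnt/nfs/<directory_name> <user_name>
#   sh audit_dir.sh group /mnt/nfs/<directory_name> <group_name>
case "$1" in
    user)  check_user_dir "$2" "$3" ;;
    group) check_shared_group_dir "$2" "$3" ;;
esac
```

Two points the checks make visible: GNU chmod keeps the setgid bit of a directory when it is given a three-digit mode such as 474, so the audit still reports 2474 after step 4, and the 4 in the last position gives other users read on the folder without execute, which lets them list entry names but not open the files inside it.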

4. Check the secondary user group permissions

  1. Verify that the secondary user group is the folder owner:

    ls -al

    Example response:

    drwxr-xr-x 3 root root 4096 Jun 14 16:10 .
    drwxr-xr-x 3 root root 4096 Jun 14 16:07 ..
    dr--rwsr-- 2 nobody users 4096 Jun 14 16:10 directory

    Here, the secondary user group users has read, write, and execute permissions for files in the directory folder. All other users have read-only permissions for files in this folder. See the Access rights format section above.

  2. Switch to a user added to the secondary group:

    su <user_name_1>

    Specify <user_name_1> — first username.

  3. Navigate to the created folder:

    cd /mnt/nfs/<directory_name>

    Specify <directory_name> — folder name.

  4. Create a file as the user:

    touch file1.txt

  5. Verify that the user has access rights to the file:

    ls -al

    Example response:

    dr--rwsr-- 2 nobody users 4096 Jun 14 16:13 .
    drwxr-xr-x 3 root root 4096 Jun 14 16:10 ..
    -rw-rw-r-- 1 firstuser users 0 Jun 14 16:13 file1.txt

    Here, user firstuser and secondary group users have read and write permissions for the file1.txt file. User firstuser is the owner of this file. All other users only have read permissions for this file. See the Access rights format section above.

  6. Verify that a second user from the secondary group can create files in the folder and modify files created by the first user. To do this, switch to the second user added to the group:

    su <user_name_2>

    Specify <user_name_2> — second username.

  7. Modify the file created by the first user:

    echo 'anytext' > file1.txt

  8. Create a file as the second user:

    touch file2.txt

  9. Verify that the user has access rights to the file:

    ls -al

    Example response:

    dr--rwsr-- 2 nobody users 4096 Jun 14 16:19 .
    drwxr-xr-x 3 root root 4096 Jun 14 16:10 ..
    -rw-rw-r-- 1 firstuser users 4 Jun 14 16:19 file1.txt
    -rw-rw-r-- 1 seconduser users 0 Jun 14 16:19 file2.txt

    Here, user seconduser and the secondary group users have read and write permissions for the files file1.txt and file2.txt. User firstuser is the owner of the first file, and seconduser is the owner of the second. All other users only have read permissions for these files. See the Access rights format section above.