Manage access rights in file storage at the file system level

For your information

This tutorial describes how to configure file storage permissions for a Linux-based cloud server.

In file storage with NFSv4 protocol, you can manage access rights to files and folders at the file system level.

Principle of operation⁠

Files and folders in file storage with NFSv4 protocol support standard access rights differentiation as in Unix systems. Read, write and execute access to files is implemented through Identity Mapping (IDM) — access rights are checked based on user ID and user group ID.

User groups are users with the same access rights. Groups are divided into two types:

Primary Group — A group that the operating system assigns to a user;
Secondary Group — One or more groups to which the user also belongs.

Each user can be added to a maximum of 16 groups: one primary and 15 secondary groups.

By default, only the root user has read, write, and execute permissions on files. All other users have read-only permissions. You can configure folder and file permissions for users and user groups on behalf of root.

Format of access rights⁠

Example of access rights:

drwxrwxrwx 3 root root   21 Jun 13 14:00 .
drwxr-xr-x 4 root root 4096 Jun 13 13:44 ..
drwxr-xr-x 2 root root    6 Jun 13 14:00 directory
-rw-rw-r-- 1 first first  0 Jun 13 09:45 file.txt

Here:

the first character:
- d — directory flag;
- - — file flag;
triples of characters like rwx:
- the first three characters of the form rwx — user rights;
- the second three characters of the form rwx — group rights;
- the third three characters of the form rwx- the rights of all others who are not users or members of the group;
- r — read permissions;
- w — write rights (write);
- x — execution rights (execute);
the first column with names — names of users who are the owners of the folder or file;
the second column with names — names of groups that own the folder or file;
last column — file or directory names.

Configure access rights for the user⁠

For your information

This instruction describes how to configure user access rights to file storage with NFSv4 protocol.

The root user can create users and grant them rights to folders. If you create a user, a folder, and assign the user as the owner of the folder, only that user will have full read, write, and execute rights to the files in the folder.

Mount the file storage.
Create a user.
Assign the user as the owner of the folder.
Check the user's permissions.

1. Mount the file storage to the server⁠

Connect to a cloud server or a dedicated server.
Install the NFS protocol package:
```
sudo apt install nfs-common
```
Create a folder to mount the repository:
```
sudo mkdir -p /mnt/nfs
```
Mount the file storage:
```
sudo mount -vt nfs "<filestorage_ip_address>:/shares/share-<mountpoint_uuid>" /mnt/nfs
```
Specify:
- <filestorage_ip_address> — IP address of the file storage. You can view it in control panel: in the top menu, click Products → File Storage → Storage page → tab Settings → field IP;
- <mountpoint_uuuid> — The ID of the mountpoint. You can look in control panel: in the top menu, click File storage → storage page → block Connection → tab GNU/Linux.

2. Create a user⁠

Create a user:
```
sudo useradd <user_name> -u <user_id>
```
Specify:
- <user_name> — user name;
- optional: <user_id> — user ID, for example 1000.
The user will be automatically added to a Primary Group with the same name as the user.
Verify that the user has been created:
```
grep <user_name> /etc/passwd
```
Specify <user_name> — user name.

Example answer:
```
firstuser:x:1000:1000::/home/firstuser:/bin/sh
```
Here:
- firstuser — username;
- the first value 1000 is the user ID;
- the second value 1000 is the primary user group ID;
- /home/firstuser — the user's home folder.

3. Assign the user as the owner of the folder⁠

Create a folder for the user:
```
sudo mkdir -p /mnt/nfs/<directory_name>
```
Specify <directory_name> is the name of the folder.
Assign the user as the owner of the folder:
```
chown <user_name>:<group_name> <directory_name>
```
Specify:
- <user_name> — user name;
- <group_name> — name of the primary user group, matches the user name;
- <directory_name> — folder name.

4. Check user rights⁠

Navigate to the folder you created:
```
cd /mnt/nfs/<directory_name>
```
Specify <directory_name> is the name of the folder.
Check that the user is the owner of the folder:
```
ls -al
```
Example answer:
```
drwxr-xr-x 2 firstuser firstuser 22 Jun 14 15:15 .
drwxrwxrwx 3 root     root       37 Jun 14 15:14 ..
```
Here the user firstuser and the primary group firstuser have read, write and execute permissions on the files in the folder. Learn more about the format of permissions.
Switch to the created user:
```
su <user_name>
```
Specify <user_name> — user name.
Create a file as a user:
```
touch file.txt
```
Check that the user has access rights to the file:
```
ls -al
```
Example answer:
```
drwxr-xr-x 2 firstuser firstuser 22 Jun 14 15:15 .
drwxrwxrwx 3 root     root       37 Jun 14 15:14 ..
-rw-rw-r-- 1 firstuser firstuser  0 Jun 14 15:15 file.txt
```
Here, the user firstuser and the primary group firstuser have read and write permissions on the file.txt file. The user firstuser is the owner of this file. All other users have permissions only to read this file. Read more about the format of access rights.

Configure access rights for the group⁠

For your information

If you created the file storage before August 9, 2024, create a ticket to enable the option to delimit permissions to secondary groups. After enabling the option, you will need to unmount and remount it. This instruction describes how to configure group access rights for a file storage with NFSv4 protocol.

The root user can create Secondary Groups and grant folder permissions to the groups. All users in the group will have the same access rights. Any user in the group will be able to create files, as well as modify files that another user in the group has created.

Mount the file storage.
Create a secondary user group.
Assign the secondary user group as the owner of the folder.
Check the permissions of the secondary user group.

1. Mount the file storage to the server⁠

Connect to a cloud server or a dedicated server.
Install the NFS protocol package:
```
sudo apt install nfs-common
```
Create a folder to mount the repository:
```
sudo mkdir -p /mnt/nfs
```
Mount the file storage:
```
sudo mount -vt nfs "<filestorage_ip_address>:/shares/share-<mountpoint_uuid>" /mnt/nfs
```
Specify:
- <filestorage_ip_address> — IP address of the file storage. You can view it in control panel: in the top menu, click Products → File Storage → Storage page → tab Settings → field IP;
- <mountpoint_uuuid> — The ID of the mountpoint. You can look in control panel: in the top menu, click File storage → storage page → block Connection → tab GNU/Linux.

2. Create a secondary user group⁠

Create a Secondary Group:
```
sudo groupadd <group_name> -u <group_id>
```
Specify:
- <group_name> — name of the secondary user group;
- optional: <group_id> — secondary user group ID, e.g. 2000.
Add users to the secondary group:
```
sudo gpasswd -a <user_name_1> <group_name>
sudo gpasswd -a <user_name_2> <group_name>
```
Specify:
- <user_name_1> и <user_name_2> — user names;
- <group_name> — name of the secondary user group.
Example answer:
```
Adding user firstuser to group users
Adding user seconduser to group users
```
Here firstuser and seconduser are the user names. Now in addition to their primary group, both users are added to the created secondary group.
Check that users are added to the group:
```
grep <group_name> /etc/group
```
Specify <group_name> — the name of the secondary user group.

Example answer:
```
users:x:2002:firstuser,seconduser
```
Here:
- users — name of the secondary user group;
- 2002 — The ID of the secondary user group;
- firstuser, seconduser — user names.

3. Assign a secondary user group as the owner of the folder⁠

Create a folder for the secondary user group:
```
sudo mkdir -p /mnt/nfs/<directory_name>
```
Specify <directory_name> is the name of the folder.
Assign the user group as the owner of the folder:
```
chown nobody:<group_name> <directory_name>
```
Specify:
- <group_name> — name of the secondary user group;
- <directory_name> — folder name.
Set read, write, and execute permissions for files in the folder on behalf of the user group that owns the folder (apply setgid):
```
chmod g+srwx <directory_name>
```
Specify <directory_name> is the name of the folder.
Deny write and execute access to files to other users who are not members of the secondary group:
```
chmod 474 <directory_name>
```
Specify <directory_name> is the name of the folder.

4. Check the rights of the secondary user group⁠

Check that the secondary user group is the owner of the folder:
```
ls -al
```
Example answer:
```
drwxr-xr-x 3 root   root  4096 Jun 14 16:10 .
drwxr-xr-x 3 root   root  4096 Jun 14 16:07 ..
dr--rwsr-- 2 nobody users 4096 Jun 14 16:10 directory
```
Here, the secondary user group users has read, write, and execute permissions on files in the directory folder . All other users have permissions only to read files in this folder. Read more about the format of permissions.
Switch to the user added to the secondary group:
```
su <user_name_1>
```
Specify <user_name_1> is the name of the first user.
Navigate to the folder you created:
```
cd /mnt/nfs/<directory_name>
```
Specify <directory_name> is the name of the folder.
Create a file as a user:
```
touch file1.txt
```
Check that the user has access rights to the file:
```
ls -al
```
Example answer:
```
dr--rwsr-- 2 nobody    users 4096 Jun 14 16:13 .
drwxr-xr-x 3 root      root  4096 Jun 14 16:10 ..
-rw-rw-r-- 1 firstuser users    0 Jun 14 16:13 file1.txt
```
Here, the user firstuser and the secondary group users have read and write permissions to the file file1.txt. The user firstuser is the owner of this file. All other users have permissions only to read this file. Read more about the format of access rights.
Check that the second user in the secondary group can create files in the folder and modify files that the first user in the group created. To do this, switch to the second user added to the group:
```
su <user_name_2>
```
Specify <user_name_2> is the name of the second user.
Make changes to the file that the first user created:
```
echo 'anytext' > file1.txt
```
Create the file on behalf of the second user:
```
touch file2.txt
```
Check that the user has access rights to the file:
```
ls -al
```
Example answer:
```
dr--rwsr-- 2 nobody     users 4096 Jun 14 16:19 .
drwxr-xr-x 3 root       root  4096 Jun 14 16:10 ..
-rw-rw-r-- 1 firstuser  users    4 Jun 14 16:19 file1.txt
-rw-rw-r-- 1 seconduser users    0 Jun 14 16:19 file2.txt
```
Here, the user seconduser and the secondary group users have read and write permissions to the files file1.txt and file2.txt. The user firstuser is the owner of the first file, and seconduser is the owner of the second file . All other users have permissions only to read this file. Read more about the format of access rights.

Principle of operation⁠​

Format of access rights⁠​

Configure access rights for the user⁠​

1. Mount the file storage to the server⁠​

2. Create a user⁠​

3. Assign the user as the owner of the folder⁠​

4. Check user rights⁠​

Configure access rights for the group⁠​

1. Mount the file storage to the server⁠​

2. Create a secondary user group⁠​

3. Assign a secondary user group as the owner of the folder⁠​

4. Check the rights of the secondary user group⁠​

Principle of operation⁠

Format of access rights⁠

Configure access rights for the user⁠

1. Mount the file storage to the server⁠

2. Create a user⁠

3. Assign the user as the owner of the folder⁠

4. Check user rights⁠

Configure access rights for the group⁠

1. Mount the file storage to the server⁠

2. Create a secondary user group⁠

3. Assign a secondary user group as the owner of the folder⁠

4. Check the rights of the secondary user group⁠