
Permissions mapping

A Windows® ACL is a complex structure that defines the owner, the group and the access attributes of any Windows® system resource (e.g. a file):

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx

It is a list of ACEs (Access Control Entries). Each ACE identifies the trustee it applies to and carries an access mask that specifies the rights granted. MooseFS Windows® Client supports only ACEs of the allow type.

POSIX to Windows® ACL

When converting POSIX to ACL, MooseFS Client checks the permissions and returns three elements:

  • Owner (Windows® SID if UID mapping is set in LDAP or special SDDL_CREATOR_OWNER object)
  • Group (Group SID or SDDL_CREATOR_GROUP)
  • Everyone (SDDL_EVERYONE)

These ACE access masks can be retrieved for each element:

  • FA: FILE_ALL_ACCESS
  • FR: FILE_GENERIC_READ
  • FW: FILE_GENERIC_WRITE
  • FX: FILE_GENERIC_EXECUTE

Windows® ACL to POSIX

Mapping a Windows® ACL to POSIX is not straightforward. The sophisticated Windows® ACL mechanism cannot be translated losslessly into the simple POSIX permission system. Because of that, the ACL stored on the MooseFS cluster for an object may differ from the ACL retrieved from the cluster.

For example, when you change the permissions for a file from Windows®, all permissions other than write, read and execute are ignored.

Read is set when FILE_READ_DATA or FILE_READ_ATTRIBUTES or FILE_READ_EA or GENERIC_ALL or GENERIC_READ is set.

Write is set when FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES or FILE_WRITE_EA or FILE_APPEND_DATA or GENERIC_ALL or GENERIC_WRITE is set.

Execute is set when FILE_EXECUTE or GENERIC_ALL or GENERIC_EXECUTE is set.

However, if someone tries to set permissions of a type other than ALLOW, or adds an additional user or group (other than the file owner), an error is returned (permissions can only be set for owner, group and ALL).

Additionally, the owner's permissions are combined with the permissions of ALL. Similarly, the group permissions are combined with those from the EVERYONE object.
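The Windows® ACL to POSIX rules above, written out as an added example (not MooseFS Client code): the access-mask constants are the standard Windows values, while representing an ACE as a (type, trustee, mask) tuple and modelling "combined" as a bitwise OR are assumptions made here.

```python
# Added example, not MooseFS code: model of the Windows ACL -> POSIX mapping.
# Access-mask constants are the standard Windows values; representing
# "combined with EVERYONE" as a bitwise OR is an assumption of this model.

FILE_READ_DATA        = 0x0001
FILE_WRITE_DATA       = 0x0002
FILE_APPEND_DATA      = 0x0004
FILE_READ_EA          = 0x0008
FILE_WRITE_EA         = 0x0010
FILE_EXECUTE          = 0x0020
FILE_READ_ATTRIBUTES  = 0x0080
FILE_WRITE_ATTRIBUTES = 0x0100
GENERIC_ALL           = 0x10000000
GENERIC_EXECUTE       = 0x20000000
GENERIC_WRITE         = 0x40000000
GENERIC_READ          = 0x80000000

READ_BITS  = (FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA
              | GENERIC_ALL | GENERIC_READ)
WRITE_BITS = (FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA
              | FILE_APPEND_DATA | GENERIC_ALL | GENERIC_WRITE)
EXEC_BITS  = FILE_EXECUTE | GENERIC_ALL | GENERIC_EXECUTE

TRUSTEES = ("owner", "group", "everyone")   # the only trustees accepted

def mask_to_rwx(mask):
    """Reduce a Windows access mask to POSIX r/w/x (4/2/1); any other right is ignored."""
    rwx = 0
    if mask & READ_BITS:  rwx |= 4
    if mask & WRITE_BITS: rwx |= 2
    if mask & EXEC_BITS:  rwx |= 1
    return rwx

def acl_to_posix_mode(aces):
    """aces: list of (ace_type, trustee, access_mask). Returns a 9-bit mode or raises ValueError."""
    perms = {t: 0 for t in TRUSTEES}
    for ace_type, trustee, mask in aces:
        if ace_type != "allow":
            raise ValueError(f"only ALLOW ACEs are supported, got {ace_type}")
        if trustee not in perms:
            raise ValueError(f"permissions can only be set for owner, group and ALL, got {trustee}")
        perms[trustee] |= mask_to_rwx(mask)
    everyone = perms["everyone"]
    owner = perms["owner"] | everyone   # owner combined with ALL
    group = perms["group"] | everyone   # group combined with EVERYONE
    return (owner << 6) | (group << 3) | everyone

if __name__ == "__main__":
    # constructed sample: owner full control, group generic read, everyone read+execute
    sample = [("allow", "owner", GENERIC_ALL), ("allow", "group", GENERIC_READ),
              ("allow", "everyone", FILE_READ_DATA | FILE_EXECUTE)]
    print(oct(acl_to_posix_mode(sample)))   # 0o755
```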