Using filesystem access controls

From FileSys.Org Wiki
Revision as of 11:10, 24 September 2019 by Tommygonk

JFileServer has an access control mechanism that controls access to virtual filesystems according to a set of rules. Access control rules can be applied on a per filesystem basis and/or via a global set of access control rules.

The access control mechanism has a built-in set of rules and can also be extended with new rules. It can also be customised, if required, by writing your own access control manager class that implements the org.filesys.server.auth.acl.AccessControlManager interface.

The allowed access for an access control can be specified as Read for read-only access, Write for read/write access or None to disallow access. A virtual filesystem whose access controls evaluate to the None access level will not be visible to the client.

The following built-in access control rules are available :-

Access Control Rule
    Description

<user name="..." access="..."/>
    Set access depending on the connecting user name

<protocol type="..." access="..."/>
    Set access depending on the connecting protocol. The type parameter should contain a comma delimited list of protocol names - SMB, FTP, NFS

<address subnet="..." mask="..." access="..."/>
    Set access depending on the client TCP/IP address, for a range of addresses. The subnet parameter specifies the network subnet in n.n.n.n format. The mask parameter specifies the network mask in n.n.n.n format.

<address ip="..." access="..."/>
    Set access depending on the client TCP/IP address, for a specific address. The ip parameter specifies the client address in n.n.n.n format.

<domain name="..." access="..."/>
    Set access depending on the client domain name. This rule only applies to SMB sessions.

<gid id="..." access="..."/>
    Set access depending on the client group id. This rule only applies to NFS sessions.

<uid id="..." access="..."/>
    Set access depending on the client user id. This rule only applies to NFS sessions.

How Access Controls Are Applied

Setting Access Controls On A Virtual Filesystem

To add access control rules to a virtual filesystem, add an <accessControl default="..."> block of access control rules to the <diskshare> virtual filesystem configuration section. The following syntax is used :-

<shares>
    <diskshare name="..." comment="...">
        ...

        <accessControl default="...">
            ...
        </accessControl>
    </diskshare>
</shares>

The default="..." parameter of the <accessControl> block is an optional default access control level that is applied if none of the access control rules match the current client session values. The possible values for the default="..." setting are the same as for access control rules, i.e. Read, Write or None.

It is valid to have an access control block with a default access of Read or Write without any rules within the access control block, e.g.

<accessControl default="Read"/>

In this case all clients will be allowed read-only access to the virtual filesystem.

Setting Global Access Controls

A set of global access controls can be specified that apply to all virtual filesystems that do not have their own set of access controls.

The global access control block is specified via the <security> configuration section using the following syntax :-

<security>
    ...

    <globalAccessControl default="...">
        ...
    </globalAccessControl>
</security>

As with the per-virtual-filesystem access control block, the default="..." parameter is optional.
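
An added example (not part of the wiki page or of the JFileServer code base): a small Python audit of the configuration syntax described above. It flags access control blocks that have no default or a default of Write, access values other than Read, Write or None, and shares that rely on the global block. The <fileserver> root element, the share names and the rule values in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET
LEVELS = {"Read", "Write", "None"}  # the access levels the page lists

# Constructed sample: <fileserver> root, share names and rule values are assumptions.
SAMPLE = """<fileserver>
  <shares>
    <diskshare name="PUBLIC"/>
    <diskshare name="FINANCE">
      <accessControl default="None">
        <user name="alice" access="Write"/>
        <address subnet="192.168.1.0" mask="255.255.255.0" access="Read"/>
      </accessControl>
    </diskshare>
    <diskshare name="SCRATCH">
      <accessControl default="Write"><protocol type="FTP" access="Wirte"/></accessControl>
    </diskshare>
  </shares>
  <security><globalAccessControl><domain name="CORP" access="Read"/></globalAccessControl></security>
</fileserver>"""

def check_block(label, block):
    """Findings for one <accessControl> or <globalAccessControl> element."""
    default, out = block.get("default"), []
    if default is None:
        out.append(f"{label}: no default; unmatched clients need review")
    elif default not in LEVELS:
        out.append(f"{label}: default '{default}' is not Read/Write/None")
    elif default == "Write":
        out.append(f"{label}: default Write gives unmatched clients read/write")
    for rule in block:  # each child element is one access control rule
        if rule.get("access") not in LEVELS:
            out.append(f"{label}: <{rule.tag}> access '{rule.get('access')}' is not Read/Write/None")
    return out

def audit(xml_text):
    """Audit every share; shares without their own block use the global one."""
    root = ET.fromstring(xml_text)
    glob = next(root.iter("globalAccessControl"), None)
    out = check_block("global", glob) if glob is not None else []
    for share in root.iter("diskshare"):
        block = share.find("accessControl")
        if block is not None:
            out += check_block(f"share {share.get('name')}", block)
        else:
            status = "uses global access controls" if glob is not None else "no access controls configured"
            out.append(f"share {share.get('name')}: {status}")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The values are compared exactly as the page spells them, so a differently cased value is reported for review rather than assumed to be accepted by the server.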