Configure access control lists on NFSv4.1 volumes for Azure NetApp Files

Azure NetApp Files supports access control lists (ACLs) on NFSv4.1 volumes. ACLs provide granular file security via NFSv4.1.

ACLs contain access control entities (ACEs), which specify the permissions (read, write, etc.) of individual users or groups. When assigning user roles, provide the user email address if you're using a Linux VM joined to an Active Directory Domain. Otherwise, provide user IDs to set permissions.

To learn more about ACLs in Azure NetApp Files, see Understand NFSv4.x ACLs.

Requirements

• ACLs can only be configured on NFS4.1 volumes. You can convert a volume from NFSv3 to NFSv4.1.

• You must have two packages installed:

  1. nfs-utils to mount NFS volumes
  2. nfs-acl-tools to view and modify NFSv4 ACLs. If you do not have either, install them:
     • On a Red Hat Enterprise Linux or SuSE Linux instance:

     sudo yum install -y nfs-utils
     sudo yum install -y nfs4-acl-tools
     

     • On Ubuntu or Debian instance:

     sudo apt-get install nfs-common
     sudo apt-get install nfs4-acl-tools
     

Configure ACLs

1. If you want to configure ACLs for a Linux VM joined to Active Directory, complete the steps in Join a Linux VM to a Microsoft Entra Domain.

2. Mount the volume.

3. Use the command nfs4_getfacl <path> to view the existing ACL on a directory or file.

   The default NFSv4.1 ACL is a close representation of the POSIX permissions of 770.

   • A::OWNER@:rwaDxtTnNcCy - owner has full (RWX) access
   • A:g:GROUP@:rwaDxtTnNcy - group has full (RWX) access
   • A::EVERYONE@:tcy - everyone else has no access

4. To modify an ACE for a user, use the nfs4_setfacl command: nfs4_setfacl -a|x A|D::<user|group>:<permissions_alias> <file>

   • Use -a to add permission. Use -x to remove permission.
   • A creates access; D denies access.
   • In an Active Directory-joined set up, enter an email address for the user. Otherwise, enter the numerical user ID.
   • Permission aliases include read, write, append, execute, etc. In the following Active Directory-joined example, user regan@contoso.com is given read, write, and execute access to /nfsldap/engineering:

   nfs4_setfacl -a A::regan@contoso.com:RWX /nfsldap/engineering
   

Next steps

• Configure NFS clients
• Understand NFSv4.x ACLs.