Access Control Lists

 

Every file and directory in JNFS has an Access Control List (ACL) associated with it. Each ACL is composed of one or more owners and their positive and negative permissions, as well as any number of groups which also have some form of access to the file. The PermissionGranter provides both getAccessControl() and setAccessControl() methods to obtain and modify ACLs. Only an owner of a file or the JNFS administrator may change a file's ACL.

The PermissionGranter recognizes a small set of Permissions that could be granted to a user or group for any file or directory. These include:

• Attributes. Specifies permission to check attributes such as whether a file exists, is a file or directory, length, modification time, etc.
• Delete. Specifies permission to delete a file.
• Execute. Specifies permission to execute a file.
• List. Specifies permission to list a contents of a directory.
• Read. Specifies permission to read from a file.
• Rename. Specifies permission to rename a file.
• Write. Specifies permission to write to a file.

In order to check if a user should be granted a particular Permission to a file, the PermissionGranter provides the checkPermission() method. Unlike the getAccessControl() method which only returns the ACL for an individual file, checkPermission() implements whatever security policy the file system chooses to use. For example, in UNIX, a user may read a file only if that user is granted both the Read permission for that file as well as the Execute permission for every parent directory of that file.