Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-1573331.1
Update Date:2013-08-28
Keywords:

Solution Type  Problem Resolution Sure

Solution  1573331.1 :   Sun Storage 7000 Unified Storage System: Administration interface (BUI) lacks support for ordering of ACL  


Related Items
  • Sun ZFS Storage 7320
  • Sun Storage 7210 Unified Storage System
  • Sun Storage 7410 Unified Storage System
  • Sun ZFS Storage 7420
  • Sun Storage 7310 Unified Storage System
  • Sun ZFS Storage 7120
  • Sun Storage 7110 Unified Storage System
Related Categories
  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: 7xxx NAS




In this Document
Symptoms
Changes
Cause
Solution


Created from <SR 3-6829493181>

Applies to:

Sun ZFS Storage 7420 - Version All Versions to All Versions [Release All Releases]
Sun ZFS Storage 7320 - Version All Versions to All Versions [Release All Releases]
Sun ZFS Storage 7120 - Version All Versions to All Versions [Release All Releases]
Sun Storage 7410 Unified Storage System - Version All Versions to All Versions [Release All Releases]
Sun Storage 7310 Unified Storage System - Version All Versions to All Versions [Release All Releases]
7000 Appliance OS (Fishworks)

Symptoms

While editing ACLs (access control lists) in the BUI, there is no capability to order the entries.

Under certain circumstances, this causes some entries, typically "DENY" entries, not to function.

Generally, this will result in greater than intended permissions in cases where deny entries are used.

Note that this operation cannot be performed in the command line interface, as this interface does not provide the capability to create or edit complex ACLs.

Changes


Cause

Normally, we recommend that "DENY" Access Control Entries not be used, as they can cause compatibility issues and unnecessarily complex ACLs.

However, in some cases, they can be warranted. For example, you may wish to restrict write access for a group that is a subset of a larger group.

In order to use both deny and allow access control entries, ordering becomes important. ACLs are processed from top to bottom.

In the above example and similar cases, the deny needs to come first. Otherwise the allow entry for the larger group will be applied.

Unfortunately, the administration interface currently has no provision for ordering ACEs.

Solution

In many cases, the answer is simply not to use the "DENY" entries. The lack of an ALLOW access control entry is sufficient to prevent access for virtually all cases.

The "DENY" entry is only useful in cases where conflicting "ALLOW" access control entries are in use.

ACLs are processed from first entry to last entry. The current implementation of the BUI causes the newest entries to be added to the top of the list.

Therefore, as a workaround, create the access control entries in the reverse of the desired order, entering the "DENY" entries last to ensure that they are at the top of the list and processed first.
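
The ordering problem and the workaround can be reproduced with a small model. This is an added example, not Oracle or appliance code; it assumes a simplified top-to-bottom evaluation in which the first matching entry that mentions a permission decides it, and the group names, `check_access`, `bui_create` and `misordered_denies` are constructed for illustration.

```python
from typing import NamedTuple

class ACE(NamedTuple):
    kind: str         # "allow" or "deny"
    who: str          # group the entry applies to
    perms: frozenset  # permissions the entry covers

def check_access(acl, groups, wanted):
    """Walk the ACL top to bottom; the first matching entry that mentions a
    permission decides it. Permissions no entry allows are refused."""
    pending = set(wanted)
    for ace in acl:
        hit = pending & ace.perms if ace.who in groups else set()
        if hit and ace.kind == "deny":
            return False
        pending -= hit
        if not pending:
            return True
    return False

def bui_create(creation_order):
    """Model of the behaviour described above: newest entry goes on top."""
    acl = []
    for ace in creation_order:
        acl.insert(0, ace)
    return acl

def misordered_denies(acl):
    """Flag DENY entries that sit below an ALLOW covering the same permission."""
    allowed_above, flagged = set(), []
    for ace in acl:
        if ace.kind == "allow":
            allowed_above |= ace.perms
        elif ace.perms & allowed_above:
            flagged.append(ace)
    return flagged

# Constructed sample: every member of "contractors" is also in "staff".
DENY_CONTRACTORS = ACE("deny", "contractors", frozenset({"write"}))
ALLOW_STAFF = ACE("allow", "staff", frozenset({"read", "write"}))
CONTRACTOR, EMPLOYEE = {"staff", "contractors"}, {"staff"}

# Creating the DENY first leaves it at the bottom, below the broader ALLOW.
naive_acl = bui_create([DENY_CONTRACTORS, ALLOW_STAFF])
# Workaround: create in reverse of the desired order, DENY last.
fixed_acl = bui_create([ALLOW_STAFF, DENY_CONTRACTORS])

if __name__ == "__main__":
    for name, acl in (("naive", naive_acl), ("fixed", fixed_acl)):
        print(name, "contractor write:", check_access(acl, CONTRACTOR, {"write"}),
              "misordered:", [a.who for a in misordered_denies(acl)])
```

A check like `misordered_denies` run over an exported ACL is a quick way to spot deny entries that ended up below a broader allow.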


Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.