From: Sebastien Buisson Date: Tue, 1 Aug 2023 13:02:34 +0000 (+0200) Subject: LUDOC-515 sec: doc update for 'rbac' nodemap property X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=fcc7e8ba26b7090c209067d7bbb4dd7526447886;p=doc%2Fmanual.git LUDOC-515 sec: doc update for 'rbac' nodemap property This patch updates the "Managing the Properties" section of the Lustre Operations Manual to introduce the 'rbac' nodemap property as implemented by LU-16524. Signed-off-by: Sebastien Buisson Change-Id: I27beea5b36748e13b11ca3872b77af650ce3704a Reviewed-on: https://review.whamcloud.com/c/doc/manual/+/51838 Tested-by: jenkins Reviewed-by: Andreas Dilger --- diff --git a/LustreNodemap.xml b/LustreNodemap.xml index 5113b39..2d270b5 100644 --- a/LustreNodemap.xml +++ b/LustreNodemap.xml @@ -350,6 +350,45 @@ drwxr-xr-x 3 root root 4096 Jul 23 09:02 .. forbid_encryption prevents clients from using encryption. + + + The property rbac defines + different Role-Based Admin Control mechanisms: + + + byfid_ops, to allow operations by FID + (e.g. 'lfs rmfid'). + + + chlg_ops, to allow access to Lustre + Changelogs. + + + dne_ops, to allow operations related to + DNE (e.g. 'lfs mkdir'). + + + file_perms, to allow modifications of + file permissions and owners. + + + fscrypt_admin, to allow fscrypt related + admin tasks (create or modify protectors/policies). Note that even + without this role, it is still possible to lock or unlock + encrypted directories, as these operations only need read access + to fscrypt metadata. + + + quota_ops, to allow quota modifications. + + + + The default value for this property is all, + which means all roles are allowed. Multiple values among those listed + above can be specified, comma separated. Apart from all, any role not + explicitly specified is forbidden. And to forbid all roles, use + none value. + Alter values to either true (1) or false (0) on the MGS:
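Review bot: the new rbac paragraph lands directly before the unchanged context line "Alter values to either true (1) or false (0) on the MGS:", but rbac is not a boolean. Per the added text it takes all, none, or a comma-separated list of roles, so the example lead-in that follows no longer covers every property in this list. Please either reword that lead-in to account for list-valued properties or add an rbac example with a multi-role value next to the existing ones. In the closing paragraph, "And to forbid all roles, use none value." reads better as "To forbid all roles, use the none value." Since the default is all, it would also help to state outright that a nodemap keeps every role until an administrator sets a narrower list, because that is the detail someone restricting a tenant nodemap needs.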