POSIX ACLs

At Datadobi, we are constantly enhancing our software to meet any and all needs of our customers. Over the years we have regularly added features to accommodate a number of unique migration needs; this continues to this day as we add support for the tricky migrations involving NFS (Network File System) content secured via POSIX (Portable Operating System Interface) access control lists (ACLs). Currently, Datadobi is the only company offering software to execute NFSv3 to NFSv4 migrations. We do so by leveraging our automated solution that does not require scripting. Now, we can even help customers migrate NFSv3 environments where POSIX ACLs have been implemented and convert these to NFSv4.x environments. Yes! It is possible to take your old NFSv3 POSIX ACLs and convert them to newer NFSv4.x-compliant ACLs.

With DobiMigrate, running a migration to convert NFSv3 mode bits or even NFSv3 POSIX ACLs to NFSv4 is as simple as selecting an option from a dropdown menu while creating a migration policy.

The vast majority of the time, our customers have secured their file content using traditional NFSv3 mode bits. The problem with mode bits is that they are very coarse grained when compared to permissions associated with other filesystems such as NTFS (New Technology File System). The permissions in NTFS are much richer and provide fine-grained access to file content. Instead of simple mode bits, NTFS employs ACLs to provide storage of user- and group-level permissions for each filesystem object.

Some shops running NFSv3 were unwilling, or unable, to upgrade to NFSv4.x, yet needed more fine-grained permission management. Thus, the introduction of POSIX ACLs to the rescue. Many NFS servers were upgraded to support the extensions required for POSIX ACLs, allowing shops running traditional NFSv3 to continue leveraging basic mode bits for legacy applications, while also allowing them to employ richer permission management via POSIX ACLs. It’s important to note, however, that while POSIX ACLs provide improvement for permission management in an older NFSv3 environment, they still fall far short of the granularity available in NFSv4.x.

NFSv4 was the first version of NFS to implement ACLs. While they were not functionally equivalent to NTFS ACLs, they were an attempt to provide drastic improvement to the NFS permission management model. NFSv4.1 and NFSv4.2 have continued to add improvements, providing administrators of NFSv4.x filesystems far superior capabilities for securing file content. There were other changes in NFSv4.x, such as a change to a stateful environment versus the prior stateless connections used in NFSv3 – that is a whole separate topic.

The problem with NFSv4 is that, while the IETF (Internet Engineering Task Force) ratified NFSv4 as a standard way back in 2003, adoption of the protocol has been anemic at best. There are a variety of reasons for this lack of adoption; while NFSv3 was released back in 1995, it is still, to this day, the most commonly used version of NFS.

The organizations who adopted the use of POSIX ACLs are now facing the retirement of network-attached storage (NAS) assets; they need to consider how to make the conversion to NFSv4.x as they adopt new NAS systems. DobiMigrate’s NAS migration software solves this problem by allowing administrators to easily migrate NFSv3 to NFSv3, NFSv3 to NFSv4.x, and NFSv3 with POSIX ACLs to NFSv4.x.