Multi-protocol access permissions

Objects can be accessed using NFS and using the object service. Each access method has its own way of storing permissions: object Access Control List (ACL) permissions for the object service and file system permissions for NFS.

When an object is created or modified using the object protocol, the permissions associated with the object owner are mapped to NFS permissions and the corresponding permissions are stored. Similarly, when an object is created or modified using NFS, ECS maps the NFS permissions of the owner to object permissions and stores them.

The S3 object protocol does not have the concept of groups. Changes to group ownership or permissions from NFS do not need to be mapped to corresponding object permissions. When you create a bucket or an object within a bucket (the equivalent of a directory and a file), ECS can assign Unix group permissions, and they can be accessed by NFS users.

For NFS, the following ACL attributes are stored:

  • Owner
  • Group
  • Other

For object access, the following ACLs are stored:

  • Users
  • Custom Groups
  • Groups (Pre-defined)
  • Owner (a specific user from Users)
  • Primary Group (a specific group from Custom Groups)

For more information on ACLs, see Set ACLs.

The following table shows the mapping between NFS ACL attributes and object ACL attributes.

NFS ACL attribute   Object ACL attribute
Owner               User who is also Owner
Group               Custom Group that is also Primary Group
Others              Pre-Defined Group

Examples of this mapping are discussed later in this topic.

The following Access Control Entries (ACE) can be assigned to each ACL attribute.

NFS ACEs:

  • Read (R)
  • Write (W)
  • Execute (X)

Object ACEs:

  • Read (R)
  • Write (W)
  • Execute (X)
  • ReadAcl (RA)
  • WriteAcl (WA)
  • Full Control (FC)

Creating and modifying an object using NFS and accessing using the object service

When an NFS user creates an object using the NFS protocol, the owner permissions are mirrored to the ACL of the object user who is designated as the owner of the bucket. If the NFS user has RWX permissions, Full Control is assigned to the object owner through the object ACL.

The permissions that are assigned to the group that the NFS file or directory belongs to are reflected onto a custom group of the same name, if it exists. ECS reflects the permissions associated with Others onto pre-defined groups permissions.

The following example illustrates the mapping of NFS permissions to object permissions.

NFS ACL  Setting               Object ACL      Setting

Owner    John : RWX            Users           John : Full Control
Group    ecsgroup : R-X --->   Custom Groups   ecsgroup : R-X
Other    RWX                   Groups          All_Users : R, RA
                               Owner           John
                               Primary Group   ecsgroup

When a user accesses ECS using NFS and changes the ownership of an object, the new owner inherits the owner ACL permissions and is given Read_ACL and Write_ACL. The previous owner permissions are kept in the object user's ACL.

When a chmod operation is performed, ECS reflects the permissions in the same way as when creating an object. Write_ACL is preserved in the Group and Other permissions if it already exists in the object user's ACL.

Creating and modifying objects using the object service and accessing using NFS

When an object user creates an object using the object service, the user is the object owner and is automatically granted Full Control of the object. The file owner is granted RWX permissions. If the owner permissions are set to anything other than Full Control, ECS reflects the object RWX permissions onto the file RWX permissions; for example, an object owner with RX permissions results in an NFS file owner with RX permissions. The object primary group, which is set using the Default Group on the bucket, becomes the Custom Group that the object belongs to, and the object permissions are set based on the default permissions that have been configured for it. These permissions are reflected onto the NFS group permissions: if the object Custom Group has Full Control, these permissions become the RWX permissions for the NFS group. If pre-defined groups are specified on the bucket, these are applied to the object and are reflected as Others permissions in the NFS ACLs.

The following example illustrates the mapping of object permissions onto NFS permissions.

Object ACL     Setting                   NFS ACL  Setting

Users          John : Full Control       Owner    John : RWX
Custom Groups  ecsgroup : R-X      ----> Group    ecsgroup : R-X
Groups         All_Users : R, RA         Other    RWX
Owner          John
Primary Group  ecsgroup

If the object owner is changed, the permissions associated with the new owner are applied to the object and reflected onto the file RWX permissions.
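The owner and group rules from the two sections above (NFS to object, and object back to NFS, including the ownership-change case), modelled as an added example that is not ECS code. It assumes an ls-style mode string as input and the page's short permission codes (R, W, X, RA, WA, FC); the Other-to-pre-defined-group mapping is deliberately left out, since the page only gives a single example of it.

```python
# Added example, not ECS product code: models the owner/group half of the
# NFS <-> object ACL mapping described on this page.
from __future__ import annotations
from dataclasses import dataclass, field

FULL_CONTROL = "FC"
RWX = frozenset("RWX")


@dataclass
class ObjectAcl:
    owner: str
    primary_group: str | None = None
    users: dict = field(default_factory=dict)          # user -> set of ACEs
    custom_groups: dict = field(default_factory=dict)  # custom group -> set of ACEs


def parse_mode(mode: str) -> tuple:
    """Split an ls-style mode such as 'rwxr-x---' into owner/group/other ACE sets."""
    if len(mode) != 9 or any(c not in "rwx-" for c in mode):
        raise ValueError("mode must be nine characters drawn from r, w, x and -")
    return tuple({c.upper() for c in mode[i:i + 3] if c != "-"} for i in (0, 3, 6))


def nfs_to_object(owner: str, group: str, mode: str, existing_custom_groups: set) -> ObjectAcl:
    """Reflect NFS owner and group permissions onto an object ACL (page rules)."""
    owner_perms, group_perms, _other = parse_mode(mode)
    acl = ObjectAcl(owner=owner)
    # An owner with RWX gets Full Control; anything less is mirrored ACE for ACE.
    acl.users[owner] = {FULL_CONTROL} if owner_perms == RWX else owner_perms
    # Group permissions land on a custom group of the same name, only if it exists.
    if group in existing_custom_groups:
        acl.custom_groups[group] = group_perms
        acl.primary_group = group
    return acl


def nfs_chown(acl: ObjectAcl, new_owner: str) -> ObjectAcl:
    """Ownership change via NFS: new owner inherits the owner ACL plus ReadAcl and
    WriteAcl; the previous owner's entry stays in the object user ACL."""
    acl.users[new_owner] = set(acl.users.get(acl.owner, set())) | {"RA", "WA"}
    acl.owner = new_owner
    return acl


def object_to_nfs(acl: ObjectAcl) -> tuple:
    """Reflect object owner and primary-group ACEs back onto NFS rwx sets."""
    def to_rwx(perms: set) -> set:
        # Full Control becomes RWX; otherwise only R/W/X survive (RA/WA have no NFS bit).
        return set(RWX) if FULL_CONTROL in perms else perms & RWX
    return (to_rwx(acl.users.get(acl.owner, set())),
            to_rwx(acl.custom_groups.get(acl.primary_group, set())))
```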