Nexfs POSIX ACL to S3 ACL Mappings 

Within Nexfs, an Object is stored as a regular File; there is no difference between Files and Objects.

Nexfs directly maps S3 style ACLs and S3 access control policies to POSIX ACLs.

Any ACLs changes are applied across all protocols; ACLs are stored as standard and extended POSIX ACLs, attached to the target file (object).

User accounts in Nexfs may be linked to specific POSIX user UIDs and GIDs; an account will inherit the configured default UID and/or GID if one is not attached.

In addition, the S3 ALLUSERS ACL Group is assigned a standard POSIX group, which defaults to the "staff" POSIX group unless updated. 

The S3 "AuthenicatedUsers" group is linked to the POSIX access user group set on the file or directory.

Nexfs enforces an extra layer of security when using the S3 API. For each S3 operation, a calling account must have corresponding IMS policy access. For example, to get an object, the caller must have both the policy access s3:GetObject AND POSIX "user", "group" or "other" read access.

To update an ACL using the S3 protocol, the calling user must have write-acp permission, while read-acp is required to read an object's ACL. Note: read-acp and write-acp have no effect when accessing the nexfs files using non-S3 methods, for example, when updating permissions over Fuse access.

For nexfs folders/directories/buckets, the following S3 to POSIX mappings are made:

For nexfs files (objects), the following S3 to POSIX mappings are made:

Canned ACLs

Impact of canned ACLs on buckets/folders/directories

Impact of canned ACLs on Files/Objects