On my 100TB cluster, I need to find dirs and files that have a "deny" ACE within their ACL, then remove that ACE on each instance. I'm using the following:

# find .  -print0 | xargs -0 ls -led | grep deny -B4

and get this output (partial, for example only)

-r--rw----  1 chris     GroupOne           4096 Mar  6 18:12 ./directoryA/fileX.txt
 OWNER: user:chris
 GROUP: group:GroupOne
 0: user:chris allow file_gen_read,std_write_dac,file_write_attr 
 1: user:chris deny file_write,append,file_write_ext_attr,execute 
--
-r--rwxrwx  1 chris     GroupOne       14728221 Mar  6 18:12 ./directoryA/subdirA/fileZ.txt
 OWNER: user:chris
 GROUP: group:GroupOne
 0: user:chris allow file_gen_read,std_write_dac,file_write_attr 
 1: user:chris deny file_write,append,file_write_ext_attr,execute 
--
 OWNER: user:bob
 GROUP: group:GroupTwo
 0: user:bob allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child,object_inherit,container_inherit 
 1: group:GroupTwo allow std_read_dac,std_write_dac,std_synchronize,dir_read_attr,dir_write_attr,object_inherit,container_inherit 
 2: group:GroupTwo deny list,add_file,add_subdir,dir_read_ext_attr,dir_write_ext_attr,traverse,delete_child,object_inherit,container_inherit 
--

As you can see, depending on where the "deny" ACE is, I can see/not-see the path. I could increase the -B value (I've seen up to 8 ACEs on a file) but then I would get more output to distill from...

What I need to do next is extract $ACENUMBER and $PATHTOFILE so that I can execute this command:

chmod -a# $ACENUMBER $PATHTOFILE

Additional issue is that the find command (above) gives a relative path, whereas I need the full path. I guess that would need to be edited somehow.

Any guidance on how to accomplish this?