Active IQ Unified Manager Discussions

How to set File Level Security

narendrathawani
11,891 Views

Hello! How to set File Level Security (ACL) on a qtree (or folder) with WFA ? Usually we use fsecurity or set it from Windows //FilerA/C$/vol/vol_name, right click the qtree, Select Properties and set it from Security tab. Wondering how can it be Automated by WFA.

Thanks !

13 REPLIES 13

SCOTT_LINDLEY
11,835 Views

I'm wondering the same thing. This would be the greatest help that I can imagine with NAS storage provisioning.

I wish that there was an API call in the NMSDK, that would make it easy. I really don't want to have to learn PowerShell in order to do this, and for all I know it can't do it either.

Anyone automated this? Perl would be perfect.

bdave
11,835 Views

Have you seen the WFA commands called "Set CIFS Share ACL" and "Set CIFS Share Multiple ACLs"?  Do they provide what you need?

narendrathawani
11,835 Views

Those commands are to set Share Level Access. They do not provide setting File Level Permissions.

bdave
11,835 Views

Ah, I see. 

Since WFA runs on a Windows host, you could use PowerShell in a WFA command to 1) mount the share as a drive on the WFA server, 2) navigate to the folder containing the files you want to update, 3) Use Get-ACL and Set-ACL cmdlets to manipulate file level permissions, like shown here: http://technet.microsoft.com/en-us/library/hh849810.aspx 4) Remove the mount as part of clean-up for the command.

Sorry, Scott, I don't have an example WFA command that does this at the moment.  Without someone posting an example command or workflow, some PowerShell scripting would be involved.

Hope this helps,

Dave

goodrum
11,835 Views

So +1 to Dave's suggestion.  But I will give another option.  Since you are already familiar with fsecurity, you could implement that option.  The DataONTAP PoSH toolkit does not contain a fsecurity cmdlet (I checked the version included with WFA).  The other option would be to use Invoke-NaSSH to send the fsecurity command directly to ONTAP.  I took a quick look to see if the API was exposed for this in the NMSDK but I don't see anything that matches.

Jeremy Goodrum, NetApp

The Pirate

Twitter: @virtpirate

Blog: www.virtpirate.com

narendrathawani
11,835 Views

Has anybody used Get-ACL or Set-ACL cmdlet on a NetApp File / Folder ? I tried couple of options but couldn't make it work.

goodrum
11,835 Views

So the challenge with Get-ACL and Set-ACL is that these default cmdlets use a file path.  This means that if you want to set NTFS file permissions, you will need to have a Cifs Share available to the WFA host where the command will be run.  This becomes a slight challenge when dealing with secure tenancies.  I did try to see if I could 'access' the file path using the Get-NaFile cmdlet but no go.  It looks like you will need to map the share to the WFA host and then you can use the Get-ACL and Set-ACL cmdlet.

Jeremy Goodrum, NetApp

The Pirate

Twitter: @virtpirate

Blog: www.virtpirate.com

SCOTT_LINDLEY
11,835 Views

I'm assuming that Get-ACL and Set-ACL are PowerShell commands. I'd really rather stick to Perl than learn a whole new language. Is this the only way to do this, and if so, where does one find documentation on the PowerShell commands? I'm a PowerShell virgin, and frankly I'd rather stay that way. There ought to be a way to do this via the NMSDK using Perl (or any of the other NMSDK supported languages). Since a Filer can do it, why can't NMSDK?

goodrum
11,835 Views

The problem that I found was that it doesn't look like this functionality was exposed in the api. I looked at the NMSDK to see if it was listed but like I said, I didn't see anything for this feature. It might be worth a cross post in the NMSDK community.

Yes those were cmdlets that I mentioned and there for would be PoSH. Maybe there is a Perl equivalent for setting Windows File permissions. I am not aware of one though.

Jeremy Goodrum, NetApp

The Pirate

Twitter: @virtpirate

Blog: www.virtpirate.com

madden
11,418 Views

I was just presented with this request today for a customer using vfilers and where WFA cannot access CIFS in them and found this post.

I can imagine a WFA command that does the following:

1) Build a properly formatted fsecurity.conf file with the things you want to set NTFS permissions on (see TR-3596 for more info)

2) Puts this file on the storage controller

3) Use invoke-nassh to run fsecurity apply with the fsecurity.conf file as input

And then a 2nd WFA command that does:

1) Watch status of previous fsecurity apply command repeatedly until it finishes

I guess I'll add it to my to-do list unless someone has already done it (please share!) or someone has a better/easier way to accomplish.

narendrathawani
11,418 Views

Hi,

I was able to set the File Level permissions with fsecurity command as below

# connect to controller

Connect-WFAController -Array $Array -VFiler $vFilerName

  

# validate volume existence - throws error if the volume does not exist

Get-NaVol -Names $VolumeName -ErrorAction Stop

$fullPath = "/vol/" + $vFilerName + "_root/etc/fsecurity_" +  $VolumeName + ".conf"

Write-NaFile $fullPath -Data "cb56f6f4`n" -NoOverwrite

#success?

Write-NaFile $fullPath -Data "1,0,`"/vol/$VolumeName`",2,`"D:(A;CIOI;0x1f01ff;;;BUILTIN\Administrators)`"" -Append

Write-NaFile $fullPath -Data "`n"  -Append

$command = "vfiler run $vFilerName fsecurity apply " + $fullPath

$command_out = Invoke-NaSsh -Command $command

Has anyone tried to construct the fsecurity file?

With the given information below, is it possible to build fsecurity file

-Access Level-              DACL                       INHERIT
  
Full Control             0x001f01ff            CIOI
Modify                   0x001301bf            CIOI
Read                        0x00120089       CIOI
Read and Execute   0x001200a9       CIOI
Write                        0x00100116            CIOI

Security Group                 Access Level

Web_developer                  Modify 
Web_operator                  Read 
OSFOPS                        Read and Execute 

1,0,"/vol/Vol_data/qtreedata",0,"D:(A;CIOI;0x001301bf;;;Web_developer)(A;CIOI;0x00120089;;;Web_operator)(A;CIOI;0x001200a9;;;OSFOPS)"

TABER_BRANDEN
11,418 Views

Does this help? It has been my way to set Files/NTFS permissions rather than just the share permissions.

https://communities.netapp.com/docs/DOC-25480

narendrathawani
11,418 Views

One of my colleagues suggested to use a new cmdlet using 2.1 NTFSSecurity Module which works fine on command line

PS C:\Users\user> Get-Item \\ toaster1\c$\vol\vol0018a|Add-Ace -Account Domain\Global_Group -AccessRights FullControl

PS C:\Users\user> Get-Item \\ toaster1\c$\vol\vol0018a|Get-Ace

    Path: \\ toaster1\c$\vol\vol0018a (Inheritance disabled)

Account                             Access Rights       Applies to                Type               IsInherited

-------                             -------------       ----------                ----               -----------

BUILTIN\Administrators (S-1-5-32... FullControl         ThisFolderSubfoldersAn... Allow              False

Domain\Global_Group (S-1-5-21-5883715... FullControl         ThisFolderSubfoldersAn... Allow              False

Question, How do I Import 2.1 NTFSSecurity Module so that WFA recognizes the Add-Ace cmdlet.

I downloaded the command let and added Import-Module command in profile.ps1 file @ C:\Program Files\netapp\WFA\PoSH

Import-Module $ModulesDir\Modules\WFA

Import-Module $ModulesDir\Modules\WFAWrapper

Import-Module $ModulesDir\Modules\DataONTAP

Import-Module $ModulesDir\Modules\NTFSSecurity

But I get “The term 'Add-Ace' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.”

Any suggestion on how to import a new module to WFA ?

Public