Hello! How to set File Level Security (ACL) on a qtree (or folder) with WFA? Usually we use fsecurity or set it from Windows: //FilerA/C$/vol/vol_name, right-click the qtree, select Properties and set it from the Security tab. Wondering how it can be automated by WFA.
Thanks !
I'm wondering the same thing. This would be the greatest help that I can imagine with NAS storage provisioning.
I wish that there was an API call in the NMSDK, that would make it easy. I really don't want to have to learn PowerShell in order to do this, and for all I know it can't do it either.
Anyone automated this? Perl would be perfect.
Have you seen the WFA commands called "Set CIFS Share ACL" and "Set CIFS Share Multiple ACLs"? Do they provide what you need?
Those commands are to set Share Level Access. They do not provide setting File Level Permissions.
Ah, I see.
Since WFA runs on a Windows host, you could use PowerShell in a WFA command to:
1) Mount the share as a drive on the WFA server
2) Navigate to the folder containing the files you want to update
3) Use the Get-ACL and Set-ACL cmdlets to manipulate file level permissions, as shown here: http://technet.microsoft.com/en-us/library/hh849810.aspx
4) Remove the mount as part of clean-up for the command
Sorry, Scott, I don't have an example WFA command that does this at the moment. Without someone posting an example command or workflow, some PowerShell scripting would be involved.
Hope this helps,
Dave
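The four steps in the post above, as an added example that is not part of the original post or a NetApp-supplied WFA command. The share path, folder name, account and drive name are placeholder values, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example: all values below are placeholders (assumptions), not from the thread.
$SharePath = '\\filer.example.com\share_name'
$Folder    = 'projects'
$Account   = 'EXAMPLE\Web_operator'

# 1) Mount the share as a session-scoped drive on the WFA server
New-PSDrive -Name WFAACL -PSProvider FileSystem -Root $SharePath -ErrorAction Stop | Out-Null
try {
    # 2) Locate the folder whose permissions will change
    $target = Join-Path 'WFAACL:\' $Folder
    if (-not (Test-Path -LiteralPath $target -PathType Container)) {
        throw "Folder not found on share: $target"
    }

    # 3) Read the current ACL, add one inheritable allow rule, write it back
    $acl  = Get-Acl -LiteralPath $target
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $target -AclObject $acl -ErrorAction Stop

    # Read the ACL again and return the entries for the account, so the
    # workflow can confirm what was actually applied
    (Get-Acl -LiteralPath $target).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account }
}
finally {
    # 4) Remove the mount even if a step above failed
    Remove-PSDrive -Name WFAACL -ErrorAction SilentlyContinue
}
```

The account that runs the WFA command needs the right to change permissions on the target folder, so grant it that on the specific volumes or qtrees being provisioned rather than across the whole filer.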
So +1 to Dave's suggestion. But I will give another option. Since you are already familiar with fsecurity, you could implement that option. The DataONTAP PoSH toolkit does not contain a fsecurity cmdlet (I checked the version included with WFA). The other option would be to use Invoke-NaSSH to send the fsecurity command directly to ONTAP. I took a quick look to see if the API was exposed for this in the NMSDK but I don't see anything that matches.
Jeremy Goodrum, NetApp
The Pirate
Twitter: @virtpirate
Blog: www.virtpirate.com
Has anybody used the Get-ACL or Set-ACL cmdlet on a NetApp file / folder? I tried a couple of options but couldn't make it work.
So the challenge with Get-ACL and Set-ACL is that these default cmdlets use a file path. This means that if you want to set NTFS file permissions, you will need to have a CIFS share available to the WFA host where the command will be run. This becomes a slight challenge when dealing with secure tenancies. I did try to see if I could 'access' the file path using the Get-NaFile cmdlet but no go. It looks like you will need to map the share to the WFA host and then you can use the Get-ACL and Set-ACL cmdlets.
Jeremy Goodrum, NetApp
The Pirate
Twitter: @virtpirate
Blog: www.virtpirate.com
I'm assuming that Get-ACL and Set-ACL are PowerShell commands. I'd really rather stick to Perl than learn a whole new language. Is this the only way to do this, and if so, where does one find documentation on the PowerShell commands? I'm a PowerShell virgin, and frankly I'd rather stay that way. There ought to be a way to do this via the NMSDK using Perl (or any of the other NMSDK supported languages). Since a Filer can do it, why can't NMSDK?
The problem that I found was that it doesn't look like this functionality was exposed in the API. I looked at the NMSDK to see if it was listed but like I said, I didn't see anything for this feature. It might be worth a cross post in the NMSDK community.
Yes, those were cmdlets that I mentioned and therefore would be PoSH. Maybe there is a Perl equivalent for setting Windows file permissions. I am not aware of one though.
Jeremy Goodrum, NetApp
The Pirate
Twitter: @virtpirate
Blog: www.virtpirate.com
I was just presented with this request today for a customer using vfilers and where WFA cannot access CIFS in them and found this post.
I can imagine a WFA command that does the following:
1) Build a properly formatted fsecurity.conf file with the things you want to set NTFS permissions on (see TR-3596 for more info)
2) Puts this file on the storage controller
3) Use invoke-nassh to run fsecurity apply with the fsecurity.conf file as input
And then a 2nd WFA command that does:
1) Watch status of previous fsecurity apply command repeatedly until it finishes
I guess I'll add it to my to-do list unless someone has already done it (please share!) or someone has a better/easier way to accomplish.
Hi,
I was able to set the File Level permissions with the fsecurity command as below:

```powershell
# connect to controller
Connect-WFAController -Array $Array -VFiler $vFilerName

# validate volume existence - throws error if the volume does not exist
Get-NaVol -Names $VolumeName -ErrorAction Stop

# write the fsecurity definition file into the vFiler root volume
$fullPath = "/vol/" + $vFilerName + "_root/etc/fsecurity_" + $VolumeName + ".conf"
Write-NaFile $fullPath -Data "cb56f6f4`n" -NoOverwrite
#success?
Write-NaFile $fullPath -Data "1,0,`"/vol/$VolumeName`",2,`"D:(A;CIOI;0x1f01ff;;;BUILTIN\Administrators)`"" -Append
Write-NaFile $fullPath -Data "`n" -Append

# apply the definition file inside the vFiler over SSH
$command = "vfiler run $vFilerName fsecurity apply " + $fullPath
$command_out = Invoke-NaSsh -Command $command
```
Has anyone tried to construct the fsecurity file?
With the given information below, is it possible to build an fsecurity file?

| Access Level | DACL | INHERIT |
|---|---|---|
| Full Control | 0x001f01ff | CIOI |
| Modify | 0x001301bf | CIOI |
| Read | 0x00120089 | CIOI |
| Read and Execute | 0x001200a9 | CIOI |
| Write | 0x00100116 | CIOI |

| Security Group | Access Level |
|---|---|
| Web_developer | Modify |
| Web_operator | Read |
| OSFOPS | Read and Execute |

```
1,0,"/vol/Vol_data/qtreedata",0,"D:(A;CIOI;0x001301bf;;;Web_developer)(A;CIOI;0x00120089;;;Web_operator)(A;CIOI;0x001200a9;;;OSFOPS)"
```
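One way to build the entry line asked about above from a group-to-access-level map, as an added example that is not code from the thread or from NetApp. The function name `New-FsecurityEntry` and the `$AccessMasks` table are hypothetical; the masks, the CIOI flag, the line layout and the `cb56f6f4` signature are copied from the posts above, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: New-FsecurityEntry and $AccessMasks are hypothetical names.
# Access masks as listed in the post above.
$AccessMasks = [ordered]@{
    'Full Control'     = '0x001f01ff'
    'Modify'           = '0x001301bf'
    'Read'             = '0x00120089'
    'Read and Execute' = '0x001200a9'
    'Write'            = '0x00100116'
}

function New-FsecurityEntry {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Ordered map of account name -> access level name
        [Parameter(Mandatory = $true)][System.Collections.IDictionary]$Grants,
        # The posts above use 0 and 2; TR-3596 defines the values
        [ValidateRange(0, 2)][int]$PropagationMode = 0
    )
    # The path lands inside a quoted field of a file the controller parses,
    # so refuse quotes, newlines and anything else outside a strict set.
    # \z (not $) so a trailing newline cannot slip through.
    if ($Path -notmatch '\A/vol/[A-Za-z0-9_/.-]+\z' -or $Path -match '\.\.') {
        throw "Unsafe or malformed path: $Path"
    }
    $aces = foreach ($account in $Grants.Keys) {
        # Account names are embedded in the SDDL string: same strictness
        if ($account -notmatch '\A[\w .\\-]+\z') {
            throw "Unsafe account name: $account"
        }
        $level = $Grants[$account]
        if (-not $AccessMasks.Contains($level)) {
            throw "Unknown access level '$level' for $account"
        }
        "(A;CIOI;$($AccessMasks[$level]);;;$account)"
    }
    if (-not $aces) { throw "No grants supplied for $Path" }
    '1,0,"{0}",{1},"D:{2}"' -f $Path, $PropagationMode, (-join $aces)
}

$entry = New-FsecurityEntry -Path '/vol/Vol_data/qtreedata' -Grants ([ordered]@{
    'Web_developer' = 'Modify'
    'Web_operator'  = 'Read'
    'OSFOPS'        = 'Read and Execute'
})
# File body: signature line from the post above, then one entry per line
$fileBody = "cb56f6f4`n$entry`n"
$fileBody
```

Validating the path and account names before they reach the file matters when they come from WFA user input, because an unescaped quote or newline would let one request add or alter other entries in the definition file that `fsecurity apply` then executes.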
Does this help? It has been my way to set Files/NTFS permissions rather than just the share permissions.
One of my colleagues suggested using a new cmdlet from the 2.1 NTFSSecurity module, which works fine on the command line:

```
PS C:\Users\user> Get-Item \\toaster1\c$\vol\vol0018a|Add-Ace -Account Domain\Global_Group -AccessRights FullControl
PS C:\Users\user> Get-Item \\toaster1\c$\vol\vol0018a|Get-Ace

    Path: \\toaster1\c$\vol\vol0018a (Inheritance disabled)

Account                                   Access Rights  Applies to                 Type   IsInherited
-------                                   -------------  ----------                 ----   -----------
BUILTIN\Administrators (S-1-5-32...       FullControl    ThisFolderSubfoldersAn...  Allow  False
Domain\Global_Group (S-1-5-21-5883715...  FullControl    ThisFolderSubfoldersAn...  Allow  False
```

Question: how do I import the 2.1 NTFSSecurity module so that WFA recognizes the Add-Ace cmdlet?
I downloaded the cmdlet and added an Import-Module command to the profile.ps1 file at C:\Program Files\netapp\WFA\PoSH:

```powershell
Import-Module $ModulesDir\Modules\WFA
Import-Module $ModulesDir\Modules\WFAWrapper
Import-Module $ModulesDir\Modules\DataONTAP
Import-Module $ModulesDir\Modules\NTFSSecurity
```

But I get “The term 'Add-Ace' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.”
Any suggestions on how to import a new module into WFA?
